1. Categories of data subject
Individual customers, guests and personnel of the Customer
2. Types of Personal Data
Anonymized CCTV data, gender, age, postcode, and customer type
3. Purposes of processing
Providing demographic statistics & maps of usage within the Customer’s facilities or event space
4. Security measures for Personal Data
The Provider shall implement appropriate Technical and Organisational measures as defined in Section 6 of this Schedule to ensure a level of security appropriate to the risk, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
5. Third Party processors (Sub-processors) of Personal Data
Approved sub-processors of Personal Data
Sub-Processor: Nola Technologies Pty Ltd
Types of Personal Data: Anonymized CCTV data
Country of Sub-Processor: Australia
Data Processing Agreements in Place: Data Processing Agreement 1/10/2024, International Data Transfer Agreement 1/10/2024
Data Anonymisation and Encryption:
Implement data anonymisation techniques to ensure that personal data cannot be linked back to an identifiable individual before processing.
Use strong encryption algorithms to protect data in transit and at rest.
Access Control:
Implement role-based access controls (RBAC) to ensure that only authorised personnel can access the data processing systems.
Use multi-factor authentication (MFA) for accessing systems that process or store sensitive data.
Data Backup and Recovery:
Regularly back up data to secure, encrypted storage solutions to prevent data loss.
Develop and test a data recovery plan to restore any lost data in a timely manner.
Network Security:
Deploy firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS) to protect against unauthorised access and cyber threats.
Regularly update and patch network devices and software to mitigate vulnerabilities.
Monitoring and Logging:
Implement system monitoring to detect and respond to security incidents or anomalies.
Maintain logs of access to and actions on data processing systems, ensuring that logs are securely stored and analysed regularly.
Data Processing Policies and Procedures:
Adhere to: the Information Security policy, the Encryption and Key Management policy, and the IT Policy covering data processing activities, including data anonymisation, access control, data transfer, and breach response.
Regularly review and update these policies to reflect changes in regulations or operational practices.
Training and Awareness:
Provide regular training to employees on data protection principles, the importance of protecting personal data, and specific responsibilities under the DPA.
Raise awareness about potential data protection risks and the measures in place to mitigate them.
Data Protection Impact Assessments (DPIAs):
Conduct DPIAs for processing activities that are likely to result in a high risk to individuals’ rights and freedoms, particularly for new projects or technologies.
Use DPIAs to identify and mitigate risks in collaboration with Newport Live.
Vendor Management:
Assess and select vendors who comply with GDPR and UK data protection regulations or meet a relevant data adequacy rating, especially those who may have access to or process the data on behalf of TwinLabs.
Include data protection requirements in contracts with vendors and conduct regular audits to ensure compliance.
Incident Response and Notification:
Establish an incident response plan to address data breaches or security incidents promptly.
Notify the Customer without undue delay after becoming aware of a personal data breach, in accordance with GDPR requirements.