ABOUT
DATA PROTECTION AND PRIVACY
How we protect your data
OUR PRIVACY POLICY
INTRODUCTION
Lynx-Eyed Chartered Accountants (LECA) is committed to data protection and data privacy. This Policy outlines how LECA deals with personal data. The Policy applies globally and ensures that data is collected, stored, processed and deleted as prescribed by international legal frameworks and aligned to our partners expectations and trust in us.
SCOPE OF THIS POLICY
The Policy applies to all LECA staff irrespective of role, seniority or geographic location from the start of their employment and after the end of their employment at LECA. This Policy also applies to external stakeholders of LECA including our clients, suppliers, potential and dismissed employees, visitors to LECA website and anyone who performs services on behalf of LECA anywhere in the world from the start of the relationship between LECA and the partner and after the end of the relationship.
This Policy applies to all data collected, stored and processed by LECA. Personal data is any information relating to a natural person who is or can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. This can include in particular:
Lynx-Eyed Chartered Accountants is incorporated in the Islamic Republic of Afghanistan. As there is no standalone Data Protection Law in Afghanistan and the right to privacy of data and communication is protected by the Constitution, LECA complies with the articles of the Constitution.
In order to embed a robust process of protecting personal data, LECA has adopted and implemented the Personal Data Protection Law and Federal Decree Law No. 45 of 2021 regarding the Protection of Personal Data of the United Arab Emirates (UAE), which constitutes an integrated framework to ensure the confidentiality of information and protect the privacy of individuals in UAE and outside it. In jurisdictions other than UAE, this Policy shall apply unless it contradicts with local legislation in which case each matter shall be reviewed and addressed individually.
Lynx-Eyed Chartered Accountants (LECA) is committed to data protection and data privacy. This Policy outlines how LECA deals with personal data. The Policy applies globally and ensures that data is collected, stored, processed and deleted as prescribed by international legal frameworks and aligned to our partners expectations and trust in us.
SCOPE OF THIS POLICY
The Policy applies to all LECA staff irrespective of role, seniority or geographic location from the start of their employment and after the end of their employment at LECA. This Policy also applies to external stakeholders of LECA including our clients, suppliers, potential and dismissed employees, visitors to LECA website and anyone who performs services on behalf of LECA anywhere in the world from the start of the relationship between LECA and the partner and after the end of the relationship.
This Policy applies to all data collected, stored and processed by LECA. Personal data is any information relating to a natural person who is or can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. This can include in particular:
- Name
- Physical address
- Email address
- Telephone number
- Passport or ID card
- Date of birth
- Fingerprints
Lynx-Eyed Chartered Accountants is incorporated in the Islamic Republic of Afghanistan. As there is no standalone Data Protection Law in Afghanistan and the right to privacy of data and communication is protected by the Constitution, LECA complies with the articles of the Constitution.
In order to embed a robust process of protecting personal data, LECA has adopted and implemented the Personal Data Protection Law and Federal Decree Law No. 45 of 2021 regarding the Protection of Personal Data of the United Arab Emirates (UAE), which constitutes an integrated framework to ensure the confidentiality of information and protect the privacy of individuals in UAE and outside it. In jurisdictions other than UAE, this Policy shall apply unless it contradicts with local legislation in which case each matter shall be reviewed and addressed individually.
PRINCIPLES OF PERSONAL DATA PROCESSING
COLLECTION AND PROCESSING OF PERSONAL DATA
LECA shall only collect data to perform its duties before staff and partners. In accordance with legislation, LECA can process personal information, so long as there are grounds to do so and this must be disclosed to the data subject. The following processing conditions shall apply to personal data collected and process by LECA:
Any unauthorised collection, processing, storage of personal data is strictly prohibited. Any data collected, processed, stored by LECA staff that was not authorised as part of his/her duties or does not comply with the above principles of personal data processing shall be deemed unauthorised.
LECA staff are prohibited from using personal data for commercial and private purposes, disclose it to unauthorised individuals and third parties inside and outside LECA.
LECA does not publish personal data in the public domain without the consent of the individual concerned.
In some cases, the personal data that we collect will also include special categories of data, such as diversity related information (including data about racial and ethnic origin, political opinions, religious beliefs and other beliefs of a similar nature, trade union membership and data about sexual life and sexual orientation), or health data and data about alleged or proven criminal offenses in each case where permitted by law.
- Data shall only be collected and processed upon consent provided by the individual whose data is being collected and processed.
- The data shall only be collected in a fair and legal manner.
- The data shall only be collected in the amount that is required for the intended purpose and shall not be excessive.
- The data shall be collected for a specific purpose that has been defined prior to data collection. The purpose shall be stated, and legitimate and cannot be changed after the data has been collected.
- The data subject shall be informed how the data is to be used and managed and shall be collected directly from the subject.
- All personal data shall be treated as strictly confidential, shall not be shared with third parties or for any purposes other than intended and shall be secure from loss or damage and access to it shall be limited to authorised individuals.
- Personal data shall be retained for a period that is necessary and no longer in a way that the subject can be identified. In some cases, data maybe be kept on file for longer periods if there is sufficient reason to do and, in such cases, data shall be kept in line with the above principles until it is decided to delete the data.
- All data shall be up-to-date, complete and accurate, otherwise data shall be deleted.
COLLECTION AND PROCESSING OF PERSONAL DATA
LECA shall only collect data to perform its duties before staff and partners. In accordance with legislation, LECA can process personal information, so long as there are grounds to do so and this must be disclosed to the data subject. The following processing conditions shall apply to personal data collected and process by LECA:
- Counterparty due diligence where procedures are required to be performed in order to evaluate the risks of engaging with a counterparty, performing services for the counterparty and receive services from a counterparty;
- Performance of a contract and fulfilment of obligations under a contract;
- In order to comply with a legal obligation, such as keeping records for tax purposes or providing information to a public body or law enforcement agency;
- As part of subscriptions to newsletters and news/update mailings;
- As part of submission of feedback, requests, queries and job applications via LECA website, email or in hard copy;
- For the purposes of processing incidents reported by internal and external stakeholders;
- Collection of research data through surveys, questionnaires and other forms of data collection for the purposes of developed an anonymised research output;
- Administration tasks such as talent recruitment, staff travel and visa arrangements;
- Personal data shall be processed where it is in LECA’s legitimate interest in running a lawful business to do so in order to further that business, so long as it doesn’t outweigh interests of the data subjects;
- Explicit consent given by the data subject. In such instances specific permission to process some personal information shall be requested and processed only if consent is given. The consent can be withdrawn by the data subject at any time by notifying the LECA staff who collected the information in writing.
- To offer information and/or services to individuals who visit LECA website or offer information about employment opportunities.
- To prevent fraud or criminal activity and to safeguard LECA IT systems.
- To customise individuals’ online experience and improve the performance usability and effectiveness of LECA’s online presence.
- To conduct, and to analyse, LECAs marketing activities.
- To meet LECA’s corporate and social responsibility obligations.
- To exercise fundamental rights including the freedom to conduct a business and right to property.
Any unauthorised collection, processing, storage of personal data is strictly prohibited. Any data collected, processed, stored by LECA staff that was not authorised as part of his/her duties or does not comply with the above principles of personal data processing shall be deemed unauthorised.
LECA staff are prohibited from using personal data for commercial and private purposes, disclose it to unauthorised individuals and third parties inside and outside LECA.
LECA does not publish personal data in the public domain without the consent of the individual concerned.
In some cases, the personal data that we collect will also include special categories of data, such as diversity related information (including data about racial and ethnic origin, political opinions, religious beliefs and other beliefs of a similar nature, trade union membership and data about sexual life and sexual orientation), or health data and data about alleged or proven criminal offenses in each case where permitted by law.
DATA SECURITY
LECA makes reasonable effort to ensure that data is protected from unauthorized loss, misuse, alteration, or destruction. However, despite best efforts, data security cannot be guaranteed against all possible threats. To the best of LECA’s ability access to data shall be limited to authorised persons only and confidentiality shall be preserved by those individuals.
RIGHTS OF INDIVIDUALS
TRANSFER OF PERSONAL DATA
Any transfer of personal data outside LECA shall be conducted with the written consent of the data subject.
Upon receipt of consent from the data subject, data shall be transferred only to entities and jurisdictions which have implemented high quality data protection internal policies and legislation, respectively.
The recipient of the data shall agree to the data protection practices which are at least equivalent or better than the provisions of this Policy.
Personal data shall be transferred in cases where this is required by legislation. Data subject’s interests shall be protected to the extent possible in the context of legal requirements to obtain, process, transfer, disclose and store data.
DATA PROTECTION CONTROL
Compliance with data protection requirements is monitored continuously which is the responsibility of every individual at LECA. Regular data protection audits shall be carried out by Internal Audit to verify the performance of monitoring and control procedures over data protection.
COMPLIANCE
Compliance to this Policy is the responsibility of every employee of LECA at all times. Failure to comply with the provisions of this Policy shall be reported by suspecting individuals to management of LECA immediately and logged into the non-compliance log to be reviewed by the Risk and Compliance Officer.
Instances of non-compliance shall be investigated by the Risk and Compliance Officer and appropriate disciplinary actions shall be taken. Individuals reporting non-compliance shall be protected from retaliation for reporting such instances and any cases of retaliation shall result in disciplinary actions.
Any questions or queries regarding this Policy and its provisions shall be directed to info@leca.af.
APPROVAL
This policy has been approved by executive management of LECA on 31 January 2025.
LECA makes reasonable effort to ensure that data is protected from unauthorized loss, misuse, alteration, or destruction. However, despite best efforts, data security cannot be guaranteed against all possible threats. To the best of LECA’s ability access to data shall be limited to authorised persons only and confidentiality shall be preserved by those individuals.
RIGHTS OF INDIVIDUALS
- Access - the right to obtain information on the categories of personal data being processed, the purpose of the processing, the decisions made upon automated processing, entities with whom the personal data is shared.
- Data portability - the right to receive personal data in a structured and machine-readable format.
- Rectification and erasure - the right to rectify inaccurate personal data and the right to delete personal data and be forgotten.
- Restriction of processing - the right to restrict and stop the processing of data where it is inaccurate or there is an objection to the purpose of the processing.
- Processing - the right to object to automated decisions made by automated processing of personal data.
TRANSFER OF PERSONAL DATA
Any transfer of personal data outside LECA shall be conducted with the written consent of the data subject.
Upon receipt of consent from the data subject, data shall be transferred only to entities and jurisdictions which have implemented high quality data protection internal policies and legislation, respectively.
The recipient of the data shall agree to the data protection practices which are at least equivalent or better than the provisions of this Policy.
Personal data shall be transferred in cases where this is required by legislation. Data subject’s interests shall be protected to the extent possible in the context of legal requirements to obtain, process, transfer, disclose and store data.
DATA PROTECTION CONTROL
Compliance with data protection requirements is monitored continuously which is the responsibility of every individual at LECA. Regular data protection audits shall be carried out by Internal Audit to verify the performance of monitoring and control procedures over data protection.
COMPLIANCE
Compliance to this Policy is the responsibility of every employee of LECA at all times. Failure to comply with the provisions of this Policy shall be reported by suspecting individuals to management of LECA immediately and logged into the non-compliance log to be reviewed by the Risk and Compliance Officer.
Instances of non-compliance shall be investigated by the Risk and Compliance Officer and appropriate disciplinary actions shall be taken. Individuals reporting non-compliance shall be protected from retaliation for reporting such instances and any cases of retaliation shall result in disciplinary actions.
Any questions or queries regarding this Policy and its provisions shall be directed to info@leca.af.
APPROVAL
This policy has been approved by executive management of LECA on 31 January 2025.
