Data Protection Policy
Last Updated: April 1, 2025
1. Introduction
QistasChain is committed to protecting the personal data of our users in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws. This Data Protection Policy outlines our comprehensive approach to data protection and privacy.
2. Data Protection Principles
We adhere to the following data protection principles:
- Lawfulness, Fairness, and Transparency: We process personal data lawfully, fairly, and in a transparent manner
- Purpose Limitation: We collect personal data for specified, explicit, and legitimate purposes
- Data Minimization: We limit personal data collection to what is necessary
- Accuracy: We ensure personal data is accurate and kept up to date
- Storage Limitation: We retain personal data only as long as necessary
- Integrity and Confidentiality: We process personal data securely
- Accountability: We take responsibility for complying with these principles
3. Data Protection Officer (DPO)
We have appointed a Data Protection Officer who is responsible for:
- Monitoring compliance with data protection laws
- Advising on data protection obligations
- Providing advice on Data Protection Impact Assessments
- Cooperating with supervisory authorities
- Acting as a contact point for data subjects
Our DPO can be contacted at dpo@qistaschain.com.
4. Data Subject Rights
We respect and uphold the rights of data subjects under the GDPR, including:
4.1 Right to Information
We provide clear information about how we process personal data through our Privacy Policy and other communications.
4.2 Right of Access
Data subjects have the right to obtain confirmation as to whether their personal data is being processed and to access that data.
4.3 Right to Rectification
Data subjects have the right to have inaccurate personal data rectified and incomplete data completed.
4.4 Right to Erasure ("Right to be Forgotten")
Data subjects have the right to request the deletion of their personal data under certain circumstances.
4.5 Right to Restriction of Processing
Data subjects have the right to request the restriction of processing of their personal data under certain circumstances.
4.6 Right to Data Portability
Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format.
4.7 Right to Object
Data subjects have the right to object to the processing of their personal data under certain circumstances.
4.8 Rights Related to Automated Decision-Making and Profiling
Data subjects have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal or similarly significant effects.
5. Data Protection Impact Assessments (DPIA)
We conduct Data Protection Impact Assessments when processing is likely to result in a high risk to the rights and freedoms of individuals. Our DPIA process includes:
- Systematic description of the processing operations
- Assessment of necessity and proportionality
- Assessment of risks to the rights and freedoms of data subjects
- Measures to address those risks
6. Data Security Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data
- Ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems
- Ability to restore access to personal data in a timely manner in the event of an incident
- Regular testing and evaluation of security measures
- Access controls and authentication procedures
- Staff training on data protection and security
7. Data Breach Notification
In the event of a personal data breach, we will:
- Notify the relevant supervisory authority within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals
- Notify affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms
- Document all breaches, including facts, effects, and remedial actions taken
8. Data Processors
When we engage data processors, we:
- Select processors that provide sufficient guarantees of GDPR compliance
- Enter into data processing agreements that meet GDPR requirements
- Monitor processor compliance with data protection obligations
9. International Data Transfers
When transferring personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, such as:
- Adequacy decisions by the European Commission
- Standard Contractual Clauses
- Binding Corporate Rules
- Other appropriate safeguards as permitted by the GDPR
10. Records of Processing Activities
We maintain records of our processing activities, including:
- Name and contact details of the controller, representative, and DPO
- Purposes of the processing
- Categories of data subjects and personal data
- Categories of recipients
- International transfers and safeguards
- Retention periods
- Security measures
11. Data Protection Training
We provide regular data protection training to our staff, including:
- GDPR principles and requirements
- Data subject rights
- Data breach procedures
- Security measures
- Role-specific training for staff handling sensitive data
12. Blockchain-Specific Data Protection Measures
Given the unique characteristics of blockchain technology, we implement additional measures to address data protection challenges:
- Storing personal data off-chain whenever possible
- Using encryption and hashing techniques for on-chain data
- Implementing privacy-enhancing technologies
- Providing clear information about the immutable nature of blockchain data
13. Contact Information
For questions about our Data Protection Policy or to exercise your data protection rights, please contact:
Data Protection Officer
Email: dpo@qistaschain.com
Address: [Your Physical Address]