Internal Data Protection Policy

Last updated: August 1, 2025

This Internal Data Protection Policy defines how Ponta Oy ("Ponta", "we", "us") ensures compliance with data protection laws, including the General Data Protection Regulation (GDPR), across all operations—particularly within the ads.ponta.co platform.

This policy applies to all employees, contractors, and partners who process or have access to personal data through our systems.


1. Data Protection Principles

We are committed to processing personal data in accordance with the following GDPR principles:

  • Lawfulness, Fairness & Transparency
  • Purpose Limitation
  • Data Minimization
  • Accuracy
  • Storage Limitation
  • Integrity & Confidentiality (Security)
  • Accountability

2. Data Roles and Responsibilities

Data Controller

Ponta Oy is the Data Controller for all data collected and processed via ads.ponta.co.

Data Protection Officer (DPO)

If legally required, a designated DPO will oversee compliance. For now, the CTO or assigned Privacy Lead is responsible.

All Staff

  • Must complete GDPR training.
  • Are responsible for protecting any personal data they access.
  • Must report data breaches immediately.

3. Data Handling Guidelines

All staff must:

  • Access personal data only as needed for their role.
  • Avoid storing personal data locally unless explicitly authorized.
  • Use secure file-sharing methods and strong passwords.
  • Never share login credentials or customer data informally.
  • Anonymize or pseudonymize data where appropriate.


4. Technical and Organizational Measures (TOMs)

We implement the following TOMs to ensure security:

  • HTTPS enforced on all services
  • Role-based access control (RBAC)
  • Two-factor authentication for administrative interfaces
  • Audit logs of sensitive operations
  • Regular data backups and recovery testing
  • Encryption of personal data at rest and in transit

5. Data Retention and Deletion

  • Retention periods are defined per data type (see RoPA).
  • Once data is no longer needed, it must be securely deleted.
  • Users have the right to request deletion (“right to be forgotten”).

6. Data Subject Rights

All team members must understand and respect the rights of users under GDPR:

  • Right to access
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability
  • Right to object

Requests must be forwarded immediately to the Privacy Lead at privacy@ponta.co.


7. Breach Notification

All suspected or confirmed data breaches must be reported within 24 hours to the internal Privacy Lead.

We will assess whether the breach must be reported to the Data Protection Authority within 72 hours, and to affected users if necessary.


8. Training and Audits

  • Staff will receive initial and annual data protection training.
  • Internal audits will be conducted regularly to assess compliance.
  • Contractors must also be trained or demonstrate GDPR awareness.

9. Review and Updates

This policy is reviewed at least annually or in response to regulatory or operational changes.


Contact

Questions or concerns about this policy should be directed to:

Privacy Lead
Ponta Oy
Email: privacy@ponta.co