Sensitive Data Handling Policy

Abacus Wealth Tech, Inc.

1. Purpose and Scope

This Policy sets out how Abacus handles special categories of personal data (also called “sensitive personal data”) and, where applicable, criminal-offence data, in accordance with the GDPR and applicable national law. It applies to all employees, contractors, and third parties who access or process such data on behalf of Abacus.

2. Definitions

For purposes of this Policy:

  • “Special categories of personal data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a person’s sex life or sexual orientation.
  • “Criminal offence data” means personal data relating to criminal convictions and offences or related security measures (where applicable under national law).
  • “Processing”, “controller”, “processor”, “data subject” and “personal data” have the meanings given in the GDPR.

3. Policy Statement

Abacus will: (i) process special-category and criminal-offence data lawfully, fairly, and transparently, and only where a valid legal basis and (where required) a specific Article 9 or national-law condition applies; (ii) limit processing to what is necessary for specified, explicit, and legitimate purposes; (iii) apply enhanced technical and organisational measures to protect such data from unauthorised access, loss, or misuse; and (iv) respect data-subject rights and ensure appropriate oversight, audit, and training.

4. Lawful Bases and Conditions for Processing

a. Special categories of personal data

Abacus will only process special-category data where both of the following are satisfied: a lawful basis under Article 6 GDPR applies (e.g., legal obligation, vital interests, public interest, contract, legitimate interests, or consent); and a specific condition under Article 9 GDPR or applicable national law is met, such as:

  1. explicit consent of the data subject for one or more specified purposes;
  2. employment, social-security, or social-protection obligations;
  3. vital interests of the data subject or another person where the data subject is incapable of giving consent;
  4. substantial public interest based on Union or Member State law;
  5. preventive or occupational medicine, medical diagnosis, or provision of health or social care;
  6. public-health purposes; or
  7. archiving, research, or statistics under Article 89(1).

b. Criminal offence data

Where we process criminal-offence data, we will do so only under the conditions and safeguards required by Article 10 GDPR and applicable national law (for example, specific Schedule-1 conditions and an Appropriate Policy Document in some jurisdictions).

c. Documentation

We will document, for each processing activity involving sensitive data: (i) the categories of data processed; (ii) the purposes; (iii) the Article 6 lawful basis and Article 9 (and, where relevant, national-law) condition relied upon; and (iv) the main safeguards, including access controls, security measures, retention, and data-subject rights handling.

5. Data Minimisation and Purpose Limitation

  1. Special-category and criminal-offence data will be collected only where strictly necessary to achieve a clearly defined purpose and will not be reused for incompatible purposes.
  2. Wherever possible, we will use pseudonymisation, anonymisation, or aggregated data rather than identifiable sensitive data, particularly for analytics, research, or reporting.

6. Access Control and Security

  1. Access to sensitive data is restricted to individuals with a documented need-to-know for their role and is governed by role-based access controls.
  2. Sensitive data must be stored in systems with enhanced security, including (as appropriate): encryption at rest and in transit, strong authentication, logging and monitoring of access, network segmentation, and secure backup.
  3. Physical records containing sensitive data must be kept in secure locations (e.g., locked cabinets or restricted rooms) with access limited to authorised personnel.
  4. Devices and media storing sensitive data must be protected against loss and theft and securely wiped or destroyed at end of life.

7. Retention and Deletion

  1. Retention periods for special-category and criminal-offence data will be limited to what is necessary for the purposes for which the data were collected and any applicable legal or regulatory requirements.
  2. At the end of the retention period, sensitive data will be securely deleted or irreversibly anonymised in line with Abacus’ data-retention schedule and destruction standards.

8. Data Subject Rights

  1. Data subjects have the rights of access, rectification, erasure, restriction, objection, and portability, and additional protections for special-category data under the GDPR.
  2. Requests involving sensitive data will be handled under our standard data-subject rights procedures, taking into account any legal limitations (for example, where erasure would seriously impair public-interest research or legal obligations).

9. Data Sharing and International Transfers

  1. Sensitive data will only be shared with third parties where necessary, subject to appropriate data-processing agreements and confidentiality obligations.
  2. Any transfer of sensitive data to third countries or international organisations will comply with GDPR Chapter V (e.g., adequacy decisions, Standard Contractual Clauses, or other approved safeguards) and, where relevant, any additional conditions for special-category data.

10. DPIAs and High-Risk Processing

  1. Processing operations involving large-scale or systematic processing of sensitive data, or other high-risk activities, must be assessed through a Data Protection Impact Assessment (DPIA) before they begin.
  2. The DPIA must identify risks to data subjects and document measures adopted to mitigate those risks, including specific safeguards for special-category data.

11. Training and Awareness

  1. Personnel who handle sensitive data must receive regular, role-appropriate training on GDPR, this Policy, and related procedures (incident response, rights requests, secure handling).
  2. Managers are responsible for ensuring that staff understand and apply this Policy in their day-to-day work.

12. Breach Response

  1. Any personal-data breach involving special-category or criminal-offence data must be reported immediately in accordance with our Data Breach Response Procedure.
  2. We will assess the likelihood and severity of risk to data subjects and, where required, notify the competent supervisory authority (and affected individuals) within the timelines set by law.

13. Roles and Responsibilities

The Abacus privacy lead oversees compliance with this Policy and advises on processing of sensitive data, DPIAs, and safeguards. All personnel must report suspected non-compliance or incidents involving sensitive data to their direct manager without delay.

14. Review and Updates

This Policy will be reviewed at least annually, and whenever there are significant changes to law, guidance, or Abacus’ processing of special-category or criminal-offence data.