​General Data Protection Policy 

For Handling Personal Data 


Data Collection Policy

Data Sources 

Personal Data must be collected only from the Data Subject unless one of the following applies: 

  • The nature of the business purpose necessitates the collection of Personal Data from other persons or bodies (e.g., Job references, Criminal record checks, etc.). 

  • The collection of data must be carried out under emergency circumstances to protect the vital interests of the Data subject or to prevent serious loss or injury to another person. 

If Personal Data is collected by an entity other than the Data Subject, the Data Subject must be informed of the collection unless one of the following applies: 

  • The Data Subject has received the required information by other means 

  • The information must remain confidential due to a legal non-disclosure agreement 

  • A national law expressly provides for the collection, processing, or transfer of the Personal Data 

Where it has been determined that notification to a Data Subject is required, notification should occur promptly, but in no case later than: 

  • One calendar month from the first collection or recording of the Personal Data 

  • The first communication with the Data Subject 

  • The time of disclosure, if disclosed to another recipient 


Data Subject Consent 

Personal Data must only be obtained by lawful and fair means, and where appropriate with the knowledge and consent of the individual concerned. Where a need exists to request and receive the consent of an individual before the collection, use, or disclosure of its data, Orchestra will seek such consent. The DPO, in cooperation with other relevant business representatives, shall obtain and document the Data Subject’s consent, when necessary. 


Data Subject Notification 

Orchestra services or entities will, when required by applicable law or contract, or where appropriate, will provide the Data Subjects with information as to the purpose of the processing of their data. When the Data Subject is asked to give consent to the processing of Personal Data and when any Personal Data is collected from the Data Subject, all appropriate disclosures will be made, unless one of the following applies: 

  • The Data Subject already has the information 

  • A legal exemption applies to the requirements for disclosure and/or consent  

The disclosures may be given electronically or in writing using a form approved by the DPO, and the associated receipt should be retained, or registered along with the date, content, and method of disclosure. 


Privacy Notices on the WEB 

Each website provided and/or controlled by Orchestra will include an online ‘Privacy Notice’ and an online ‘Cookie Notice’ fulfilling the requirements of applicable law; when necessary. 

Privacy Policy