Effective Date: 30^th January 2025

Review Intervals: 6 months or as required
Approved by: Luke McFarland

1. Introduction

McFarland Consulting and Advisory ("the Company") is committed to protecting the privacy and security of personal data in compliance with international data protection regulations, including but not limited to:

• General Data Protection Regulation (GDPR) (EU)
• Health Insurance Portability and Accountability Act (HIPAA) (US)
• Personal Information Protection and Electronic Documents Act (PIPEDA) (Canada)

This policy outlines our practices regarding data collection, storage, processing, sharing, and the rights of data subjects.

2. Scope

This policy applies to:

• All employees, contractors, and third-party vendors handling data on behalf of McFarland Consulting and Advisory.
• All personal data collected, processed, or stored by the Company, regardless of geographic location.

3. Data Collection Practices

3.1 Types of Data Collected

We may collect and process the following categories of personal data:

• Identifiers: Name, email, phone number, address, IP address.
• Professional Data: Job title, employer, business contact details.
• Financial Data: Payment information (processed securely via PCI-compliant methods).
• Health Data (if applicable under HIPAA): Only with explicit consent and necessary safeguards.
• Technical Data: Cookies, device information, browsing behavior (with consent).

3.2 Lawful Basis for Processing

We process personal data based on:

• Consent (explicitly obtained where required).
• Contractual necessity (to fulfill services).
• Legal obligation (to comply with regulations).
• Legitimate interest (balanced against individual rights).

4. Data Storage and Security

4.1 Data Retention

Personal data is retained only as long as necessary for the purposes collected, in accordance with legal requirements.

4.2 Security Measures

We implement industry-standard safeguards, including:

• Encryption (in transit and at rest).
• Access controls (role-based permissions).
• Regular security audits and vulnerability assessments.
• Data minimization and anonymization where possible.

5. Data Processing and Sharing

5.1 Third-Party Processors

We engage only with vendors who comply with applicable data protection laws under Data Processing Agreements (DPAs).

5.2 International Data Transfers

Where data is transferred outside the EU/EEA, we ensure adequacy via:

• Standard Contractual Clauses (SCCs).
• Privacy Shield (where applicable).
• Binding Corporate Rules (BCRs).

5.3 Disclosure to Authorities

Data may be disclosed if legally required, with prior assessment of proportionality and necessity.

6. Data Subject Rights

Individuals have the right to:

• Access: Request a copy of their personal data.
• Rectification: Correct inaccurate or incomplete data.
• Erasure ("Right to be Forgotten"): Request deletion under certain conditions.
• Portability: Receive their data in a structured, machine-readable format.
• Restriction of Processing: Limit how their data is used.
• Objection: Opt out of processing for direct marketing or legitimate interests.
• Withdraw Consent: At any time (where processing is consent-based).

Requests can be submitted to: [Insert Contact Email/Form]
We respond within 30 days (or as required by law).

7. Breach Notification

In the event of a data breach posing a risk to individuals, we will:

• Notify affected parties and relevant authorities (e.g., ICO under GDPR) within 72 hours.
• Take immediate steps to mitigate harm.

8. Policy Governance

• Owner: [Data Protection Officer/Compliance Team]
• Review: Annual review or as regulations change.
• Training: Mandatory for employees handling personal data.

9. Contact Information

For privacy-related inquiries or complaints:
Email: [privacy@mcfarland-consulting.com]
Ph: +61 491 276 765

Supervisory Authority:
Individuals may lodge complaints with their local data protection authority (e.g., ICO, CNIL).

© McFarland Consulting and Advisory – This policy is proprietary and confidential. Unauthorized distribution is prohibited.