Last Updated: January 2025
1. Introduction
Rayyan Consulting and Business Company LTD ("Rayyan Consulting," "we," "our," or "us") is committed to protecting the personal data of our clients, website visitors, and business partners. This Data Protection & GDPR Compliance Policy outlines our practices regarding the collection, use, storage, and protection of personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR) for EU/EEA individuals.
While Rayyan Consulting is based in Cameroon, we recognize the importance of international data protection standards and voluntarily align our practices with GDPR principles for all individuals we serve.
2. Data Protection Principles
We adhere to the following data protection principles:
- Lawfulness, Fairness, and Transparency: We process personal data lawfully, fairly, and in a transparent manner.
- Purpose Limitation: We collect data for specified, explicit, and legitimate purposes and do not process it in ways incompatible with those purposes.
- Data Minimization: We only collect personal data that is adequate, relevant, and limited to what is necessary.
- Accuracy: We take reasonable steps to ensure personal data is accurate and kept up to date.
- Storage Limitation: We retain personal data only as long as necessary for the purposes for which it was collected.
- Integrity and Confidentiality: We implement appropriate security measures to protect personal data against unauthorized access, loss, or destruction.
- Accountability: We are responsible for and can demonstrate compliance with these principles.
3. Legal Basis for Processing (GDPR)
For individuals in the EU/EEA, we process personal data based on one or more of the following legal bases:
3.1 Consent
Where you have given clear consent for us to process your personal data for a specific purpose. You may withdraw consent at any time.
3.2 Contract Performance
Where processing is necessary for the performance of a contract with you or to take steps at your request before entering into a contract.
3.3 Legal Obligation
Where processing is necessary to comply with legal requirements, such as customs regulations, tax laws, or court orders.
3.4 Legitimate Interests
Where processing is necessary for our legitimate interests or those of a third party, and your interests and fundamental rights do not override those interests.
4. Your Rights Under GDPR
If you are in the EU/EEA, you have the following rights regarding your personal data:
4.1 Right of Access
You have the right to request a copy of the personal data we hold about you and information about how we process it.
4.2 Right to Rectification
You have the right to request correction of inaccurate personal data or completion of incomplete data.
4.3 Right to Erasure ("Right to be Forgotten")
In certain circumstances, you have the right to request deletion of your personal data, including when:
- The data is no longer necessary for its original purpose
- You withdraw consent (where consent was the legal basis)
- You object to processing and there are no overriding legitimate grounds
- The data was unlawfully processed
4.4 Right to Restrict Processing
You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of data or object to processing.
4.5 Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller, where technically feasible.
4.6 Right to Object
You have the right to object to processing based on legitimate interests or for direct marketing purposes.
4.7 Rights Related to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing, including profiling, that significantly affect you.
4.8 Exercising Your Rights
To exercise any of these rights, please contact our Data Protection Contact at privacy@rayyanconsulting.com. We will respond to your request within 30 days.
5. International Data Transfers
5.1 Transfers Outside the EU/EEA
Because Rayyan Consulting is based in Cameroon, personal data collected from EU/EEA individuals may be transferred to and processed in Cameroon. When we transfer personal data outside the EU/EEA, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses approved by the European Commission
- Binding Corporate Rules (where applicable)
- Consent from the data subject for specific transfers
- Transfers necessary for contract performance
5.2 Third-Party Transfers
We may share personal data with third parties in various countries as part of our services. We ensure all third parties provide adequate protection for personal data and are bound by appropriate contractual obligations.
6. Data Security Measures
We implement appropriate technical and organizational measures to protect personal data, including:
6.1 Technical Measures
- Encryption of data in transit (SSL/TLS)
- Secure password policies and access controls
- Regular security updates and patches
- Firewall and intrusion detection systems
- Regular backup procedures
6.2 Organizational Measures
- Staff training on data protection
- Access limited to authorized personnel on a need-to-know basis
- Confidentiality agreements with employees and contractors
- Regular review of security procedures
- Incident response procedures
7. Data Breach Notification
7.1 Internal Procedures
We have procedures in place to detect, investigate, and report personal data breaches. In the event of a breach:
- The breach will be contained and assessed
- An investigation will be conducted to determine scope and impact
- Remedial actions will be implemented
- Documentation will be maintained
7.2 Notification to Authorities
For breaches affecting EU/EEA individuals that are likely to result in a risk to rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach.
7.3 Notification to Data Subjects
If a breach is likely to result in a high risk to individuals' rights and freedoms, we will notify affected individuals without undue delay.
8. Data Retention
We retain personal data only as long as necessary for the purposes for which it was collected, or as required by law. Specific retention periods are outlined in our Privacy Policy.
When personal data is no longer needed, we will securely delete or anonymize it.
Contact Information
For data protection inquiries or to exercise your rights:
Data Protection Contact
Rayyan Consulting and Business Company LTD
Address: Bonapriso, Derrière Collège Rousseau, P.O. Box: 559, Douala, Cameroon
Email: privacy@rayyanconsulting.com
Phone: +237 699 160 085
Supervisory Authority
If you are in the EU/EEA and believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority (Data Protection Authority).