Document Code: NeftalyP138
Approved By: Chief Executive Officer (CEO)
Date Approved: 29 October 2025
Review Date: 28 November 2026
Policy Owner: Neftaly Chief Human Capital Officer, NeftalyCHCR
NeftalyP138-1 Overview
NeftalyP138-1-1 The Neftaly Human Capital Days Management Policy (NeftalyP138) establishes the framework for managing, scheduling, and recording all official, special, and leave days within Neftaly Human Capital. This includes public holidays, annual leave, sick leave, special observance days, and any other organization-recognized days. Effective days management ensures operational efficiency, fairness, and compliance with labor regulations.
NeftalyP138-2 Purpose
NeftalyP138-2-1 The purpose of this policy is to:
- NeftalyP138-2-1-1 Standardize procedures for requesting, approving, and recording leave and special days.
- NeftalyP138-2-1-2 Ensure fair and transparent management of all Human Capital absences.
- NeftalyP138-2-1-3 Maintain accurate records for operational planning, reporting, and compliance.
- NeftalyP138-2-1-4 Promote employee well-being while maintaining organizational continuity.
NeftalyP138-3 Scope
NeftalyP138-3-1 This policy applies to:
- NeftalyP138-3-1-1 All Neftaly Human Capital, including Officers, Deputy Chiefs, Royal Directors, and Non-Executive Members.
- NeftalyP138-3-1-2 All types of leave, holidays, and special days recognized by Neftaly.
- NeftalyP138-3-1-3 Contractors or temporary personnel whose days are managed under Neftaly agreements.
NeftalyP138-4 Policy Statement
NeftalyP138-4-1 Neftaly is committed to fair, transparent, and efficient management of all leave and special days. All Human Capital are entitled to utilize recognized days according to policy and procedures, and must follow approval and recording protocols to ensure organizational operations are not disrupted.
NeftalyP138-5 Core Principles
- NeftalyP138-5-1 Fairness: Equal treatment of all Human Capital regarding leave and special days.
- NeftalyP138-5-2 Transparency: Clear procedures for requesting, approving, and recording days.
- NeftalyP138-5-3 Accountability: Human Capital are responsible for submitting accurate requests.
- NeftalyP138-5-4 Operational Continuity: Ensure staffing needs are maintained.
- NeftalyP138-5-5 Compliance: Adhere to labor laws, organizational policies, and contractual agreements.
NeftalyP138-6 Procedures and Processes
NeftalyP138-6-1 Requesting Leave or Special Days
- NeftalyP138-6-1-1 Requests must be submitted in NeftalyF138-01 Days Request Form at least [insert number] days in advance, except in emergencies.
- NeftalyP138-6-1-2 Include type of leave, dates, reason, and any supporting documentation.
NeftalyP138-6-2 Approval Process
- NeftalyP138-6-2-1 Deputy Chiefs review and recommend requests to Royal Directors for approval.
- NeftalyP138-6-2-2 CHCO provides final approval for extended or critical leave periods.
- NeftalyP138-6-2-3 Approval status is recorded in NeftalyD138-01 Days Management Register.
NeftalyP138-6-3 Recording and Tracking
- NeftalyP138-6-3-1 All approved days must be logged in NeftalyD138-01 Days Management Register.
- NeftalyP138-6-3-2 Officers responsible for scheduling maintain a calendar of approved days to ensure operational coverage.
NeftalyP138-6-4 Types of Days
- NeftalyP138-6-4-1 Annual Leave: Scheduled time off for rest and personal matters.
- NeftalyP138-6-4-2 Sick Leave: For illness or medical appointments; supporting documentation may be required.
- NeftalyP138-6-4-3 Public Holidays: Official national or organizational holidays.
- NeftalyP138-6-4-4 Special Observance Days: Recognized days of significance, approved by Neftaly leadership.
- NeftalyP138-6-4-5 Emergency Leave: Short notice leave for urgent personal matters.
NeftalyP138-6-5 Monitoring and Reporting
- NeftalyP138-6-5-1 Monthly and quarterly reports on leave utilization and patterns are generated using NeftalyR138-01 Days Management Report.
- NeftalyP138-6-5-2 Reports inform workforce planning, absenteeism monitoring, and policy compliance.
NeftalyP138-6-6 Training and Awareness
- NeftalyP138-6-6-1 Human Capital receive guidance on types of leave, request procedures, and reporting requirements during onboarding and refresher sessions.
- NeftalyP138-6-6-2 Attendance and completion are tracked in NeftalyR138-02 Days Management Training Register.
NeftalyP138-6-7 Non-Compliance
- NeftalyP138-6-7-1 Failure to follow procedures may result in leave denial, adjustment, or disciplinary measures.
- NeftalyP138-6-7-2 Inaccurate reporting or misuse of leave is subject to investigation and corrective action.
NeftalyP138-7 Roles and Responsibilities
| Role | Responsibilities |
|---|---|
| Chief Executive Officer (CEO) | Approves policy and ensures organizational alignment. |
| Chief Human Capital Officer (CHCO) | Oversees policy implementation, approves extended or critical leave, and monitors compliance. |
| Royal Directors | Review and authorize leave requests within divisions. |
| Deputy Chiefs | Recommend approvals, manage scheduling, and ensure operational coverage. |
| Officers | Submit accurate leave requests, maintain records, and ensure adherence to policy. |
| Non-Executive Members | Review leave patterns, provide oversight, and recommend improvements. |
NeftalyP138-8 Documentation and Templates
- NeftalyP138-8-1 NeftalyF138-01: Days Request Form
- NeftalyP138-8-2 NeftalyD138-01: Days Management Register
- NeftalyP138-8-3 NeftalyR138-01: Days Management Report
- NeftalyP138-8-4 NeftalyR138-02: Days Management Training Register
NeftalyP138-9 Compliance and Monitoring
- NeftalyP138-9-1 CHCO ensures adherence to this policy, organizational standards, and labor regulations.
- NeftalyP138-9-2 Regular audits and monitoring of leave records are conducted to ensure fairness, accuracy, and operational continuity.
- NeftalyP138-9-3 Misuse or non-compliance may result in corrective action, including disciplinary measures.
NeftalyP138-10 Review and Evaluation
NeftalyP138-10-1 This policy will be reviewed annually or when operational, regulatory, or organizational changes require updates. All revisions must be approved by CHCO and CEO.
NeftalyP138-11 Frequently Asked Questions (FAQs)
What is the official title of NeftalyP137?
Human Capital Data Governance and Management Policy v3.1
Who is the policy owner of NeftalyP137?
Chief Human Resources Officer (CHRO) with executive oversight
When was NeftalyP137 last revised?
*[Current Date – 6 months] – Check Policy Portal for exact date*
What is the revision cycle for NeftalyP137?
Annual review, with ad-hoc updates for regulatory changes
Where is the authoritative copy of NeftalyP137 stored?
Neftaly Policy Portal (policy.saypro.com/hc/p137)
How do I request a printed copy of NeftalyP137?
*Submit SP-HC-FRM-001 (Document Access Request)*
Is NeftalyP137 available in multiple languages?
Yes, core policy available in 12 languages; translations are certified
What laws does NeftalyP137 primarily address?
*GDPR, CCPA, POPIA, LGPD, PDPA, and 40+ local regulations*
Does this policy apply to contractors and temporary staff?
Yes, all worker categories with personal data in Neftaly systems
What happens during policy review periods?
Stakeholder consultation, impact assessment, version drafting
1.2 Policy Scope & Applicability
11. What data categories does NeftalyP137 cover?
– All employee/worker PII, SPI, performance, compensation, health data
Does NeftalyP137 cover candidate data?
Yes, from point of application through archival
Are alumni/former employee data covered?
Yes, under “Data Subject” definition, Section 2.1
Does this policy apply to employee family member data?
Yes, for benefits, emergency contacts, dependents
What geographical scope does NeftalyP137 have?
Global applicability, with country-specific appendices
Are there any data types explicitly excluded?
Publicly available data not processed by Neftaly; anonymized analytics
Does this cover social media monitoring data?
Yes, if collected for employment purposes
Are union member data covered differently?
Yes, with additional protections per collective agreements
How does this policy interact with BYOD (Bring Your Own Device)?
Covered under Mobile Device Policy with P137 overlay
Does P137 apply to paper/physical records?
Yes, equally to digital records
1.3 Policy Principles & Philosophy
21. What are the 7 core principles of data processing?
– Lawfulness, Fairness, Transparency, Purpose Limitation, Data Minimization, Accuracy, Storage Limitation, Integrity/Confidentiality
How is “Privacy by Design” implemented?
Mandatory in all system development via SDLC checkpoints
What is Neftaly’s stance on employee monitoring?
Permitted with proportionality, transparency, and lawful basis
How does the policy define “legitimate interest”?
*Defined in Appendix A-3 with balancing test requirements*
What constitutes “explicit consent” under this policy?
Freely given, specific, informed, unambiguous, revocable – documented
How is data minimization practiced in hiring?
Only essential data collected; CV screening limited to role requirements
What is the “purpose limitation” principle?
Data collected for specified purposes only, not further processed
How is transparency achieved with employees?
Privacy notices at all touchpoints; accessible policy portal
What does “accountability” mean for managers?
Responsibility for team data compliance; audit trail maintenance
How are conflicting legal requirements handled?
Legal department determines hierarchy; documented exceptions
1.4 Governance & Oversight
31. Who sits on the Data Governance Council?
– CHRO, DPO, CIO, Legal Counsel, Compliance Officer, Employee Rep
What are the DPO’s responsibilities under P137?
Policy monitoring, advice, DSAR handling, breach coordination
How often does the Governance Council meet?
Quarterly, with emergency sessions for breaches
What authority does the DPO have?
Direct reporting to CEO; veto on non-compliant processing
Who approves policy exceptions?
Policy Exemption Committee (CHRO, DPO, Legal)
What’s the escalation path for policy concerns?
Manager → DPO → Governance Council → Audit Committee
How are policy violations reported?
Ethics hotline, manager chain, direct to DPO
What metrics measure policy effectiveness?
Breach incidents, DSAR response times, audit findings
Who represents employee interests in governance?
*Elected Employee Data Representative (rotating 6-month term)*
How are third-party auditors involved?
Annual SOC2 audit; biennial external privacy audit
1.5 Compliance & Legal Framework
41. What’s the penalty for non-compliance?
– Disciplinary action up to termination; potential personal liability
How does P137 handle cross-border transfers?
Standard Contractual Clauses; Binding Corporate Rules
What are the record-keeping requirements?
*All processing activities logged for 6+ years*
How are regulatory changes incorporated?
*90-day review and update cycle from enactment*
What’s the process for regulatory inquiries?
Legal team lead; DPO support; documented response protocol
How are data protection impact assessments triggered?
High-risk processing; new technologies; systematic monitoring
What constitutes “high-risk” processing?
Large-scale SPI processing; automated decision-making; profiling
How are data subject rights balanced with business needs?
Case-by-case assessment with DPO consultation
What insurance covers data protection risks?
Cyber liability insurance with $10M coverage
How are conflicting international laws resolved?
Most restrictive standard applies; Legal department determination
1.6 Training & Awareness
51. Who must complete P137 training?
– All employees; contractors with data access
What training is required for managers?
*Annual 3-hour “Data Stewardship for Leaders”*
How is training completion tracked?
LMS integration; completion prerequisite for system access
What’s the consequence of missing training?
System access suspended until completed
Are there role-specific training modules?
Yes: HR, IT, Marketing, Managers, Executives
How often is training refreshed?
Annual mandatory refresh; quarterly updates for changes
What languages is training available in?
24 languages with localization examples
Is there advanced certification available?
Yes: “Neftaly Data Guardian” certification program
How are new hires trained on P137?
*Day 1 e-learning; Day 30 classroom session*
Where can I find quick reference guides?
Policy Portal > Resources > Quick Cards
SECTION 2: PROCEDURES – OPERATIONAL EXECUTION (120 FAQs)
2.1 Data Collection Procedures
61. What’s the procedure for collecting new hire data?
– *SP-HC-PROC-010: Digital onboarding forms only; validation within 24h*
How do we collect emergency contact information?
*Form SP-HC-FRM-015 with annual reconfirmation requirement*
What’s the process for collecting diversity data?
Optional self-identification; separate from hiring decisions
How are employee surveys administered?
Anonymous by default; identifiable only with explicit consent
What’s the procedure for collecting biometric data?
*SP-HC-PROC-011: Specific consent; security purpose only*
How do we handle “opt-in” consent for marketing?
Separate checkbox; not tied to employment terms
What’s the process for background check authorization?
Pre-adverse action notice; candidate consent form required
How are interview notes collected and stored?
Structured templates; retained for 2 years; candidate access
What’s the procedure for collecting expense data?
Limited to business purposes; receipts anonymized where possible
How are social media profiles collected for recruitment?
Only public professional profiles; documented in ATS
2.2 Data Access & Use Procedures
71. What’s the manager access request procedure?
– *SP-HC-PROC-045: Form SP-HC-FRM-012 + business justification*
How do IT staff access production HR data?
Tiered access; DPO approval; all actions logged
What’s the process for analytics team data access?
Anonymized datasets only; production data requires DPO waiver
How is data used for organizational planning?
Aggregated reports only; no individual identification
What’s the procedure for compensation analysis?
Masked identifiers; limited analyst access; results aggregated
How do we use data for succession planning?
Talent profile data; manager + HRBP access only
What’s the process for workforce reporting?
Standard report catalog; no ad-hoc downloads without approval
How is data used in mergers/acquisitions?
Virtual data room; limited data sets; time-bound access
What’s the procedure for legal discovery requests?
*Legal hold process SP-HC-PROC-600; DPO involvement*
How do researchers access data for studies?
Ethics committee review; fully anonymized; publication review
2.3 Data Quality & Maintenance
81. What’s the data validation procedure for new entries?
– *System validations + manual spot-check (5% sample)*
How often is employee data verified?
Annual self-verification campaign; manager confirmation
What’s the process for correcting inaccurate data?
Employee request via SSP; HR verification within 3 days
How are data quality metrics monitored?
Monthly dashboard: completeness, accuracy, timeliness
What’s the procedure for merging duplicate records?
IT + HR coordination; audit trail; employee notification
How is historical data accuracy maintained?
*Read-only after 90 days; correction via amendment record*
What’s the process for data standardization?
Controlled vocabularies; dropdowns vs free text
How are free-text fields quality controlled?
Quarterly review; standardization where possible
What’s the procedure for mass updates?
Change control board approval; pre/post validation
How is third-party data quality ensured?
Vendor SLA requirements; quarterly quality audits
2.4 Data Sharing & Disclosure
91. What’s the procedure for sharing data with benefits providers?
– Encrypted secure transfer; monthly reconciliation
How is payroll data shared with finance?
Limited data sets; role-based access; monthly audit
What’s the process for government reporting?
Designated reporting officer; legal review before submission
How is data shared during due diligence?
Anonymized where possible; data room with watermarks
What’s the procedure for reference checks?
Employee consent form; HR-only response; standardized format
How do we share data with unions?
Collective agreement terms; aggregated where possible
What’s the process for academic verifications?
Third-party verification service; employee initiated
How is data shared for global mobility?
Immigration team only; encrypted; retention per visa terms
What’s the procedure for court-ordered disclosures?
Legal team evaluates scope; minimal compliance
How do we share data with employees themselves?
SSP full access; DSAR for additional requests
2.5 Data Retention & Destruction
101. Where is the retention schedule located?
– *SP-HC-DOC-101 in Document Repository*
What’s the procedure for annual data purging?
Automated workflow; DPO confirmation; certificate of destruction
How are legal holds implemented?
System flag; suspension of retention clock; custodian assigned
What’s the process for media destruction?
Shred-All service; monthly collection; certificate provided
How is electronic data securely deleted?
*3-pass overwrite; verification; deletion log*
What’s the procedure for archive retrieval?
*Form SP-HC-FRM-200; business case; DPO approval*
How are backup tapes managed?
*Encrypted; offsite; 90-day rotation; annual destruction*
What’s the process for contractor data deletion?
*30 days post-contract end; vendor certification required*
How is data preserved for departing employees?
*90-day hold then archive; manager access removal immediate*
What’s the procedure for system decommissioning data?
Data extraction validation; secure migration; certified destruction
2.6 Security & Protection Procedures
111. What’s the password policy for HR systems?
– *12 characters; MFA; 90-day rotation; no reuse*
How is sensitive data encrypted?
*AES-256 at rest; TLS 1.3 in transit*
What’s the procedure for lost devices?
Immediate remote wipe; security incident report
How are paper records secured overnight?
Locked cabinets; clean desk policy; nightly security check
What’s the process for secure printing of HR documents?
Follow-me printing; PIN release; immediate collection
How is email encryption used for HR data?
Automatic for external emails; manual for internal with SPI
What’s the procedure for screen privacy?
Privacy filters mandatory for open offices
How are meetings with sensitive data conducted?
Private rooms; screen not visible to door; documents collected
What’s the process for secure video conferences?
Password protection; waiting room; no recording without consent
How is physical access to HR offices controlled?
Badge access; visitor log; escort required
2.7 Incident Response Procedures
121. What constitutes a data incident?
– Unauthorized access, alteration, loss, destruction, disclosure
What’s the immediate response procedure?
*Contain -> Assess -> Notify per SP-HC-PROC-500*
Who must be notified within the first hour?
Line manager, IT Security, DPO
What information is collected initially?
What, who, when, where, how many records
How is containment achieved?
Access revocation; system isolation; evidence preservation
What’s the assessment timeline?
Preliminary within 4h; full within 24h
When are regulators notified?
72 hours if risk to rights and freedoms
When are affected individuals notified?
Without undue delay if high risk
What’s the post-incident review process?
Root cause analysis; corrective actions; process updates
How are incidents tracked and reported?
Central incident register; quarterly board reporting
2.8 Third-Party Management
131. What’s the vendor assessment procedure?
– Security questionnaire; site audit for high risk
What clauses are mandatory in vendor contracts?
Data protection; audit rights; breach notification; termination
How are vendors monitored on an ongoing basis?
Quarterly compliance reports; annual reassessment
What’s the procedure for vendor offboarding?
Data return/deletion certification; access revocation
How are sub-processors managed?
Prior approval required; equal liability
What’s the process for cloud service assessment?
Cloud Security Alliance questionnaire; data location mapping
How are offshore vendors assessed?
Enhanced due diligence; data transfer mechanisms
What’s the procedure for vendor breaches?
Notification within 24h; joint response plan
How are vendor employees screened?
Background checks per data access level
What’s the process for vendor performance reviews?
Quarterly SLA review; security compliance check
2.9 Audit & Monitoring Procedures
141. What’s the internal audit schedule?
– Annual comprehensive; quarterly spot checks
Who conducts internal audits?
Internal Audit department + DPO representative
What’s the scope of a typical audit?
Policy compliance, access logs, data quality, incident response
How are audit findings addressed?
*30-day corrective action plan; follow-up verification*
What’s the procedure for ad-hoc audits?
Management or DPO request; scope defined upfront
How is system access monitored?
Real-time alerts for unusual patterns; monthly review
What’s the process for log review?
Automated analysis; manual sampling; annual comprehensive review
How are compliance metrics reported?
Monthly dashboard to management; quarterly to board
What’s the procedure for regulator audits?
Legal team lead; document production protocol
How are audit trails preserved?
*Immutable logging; 7-year retention*
2.10 Special Processing Procedures
151. What’s the procedure for automated decision-making?
– Human review option; explanation provision; bias testing
How is profiling conducted?
Transparency notice; opt-out option; manual override
What’s the process for psychological assessments?
Conducted by a psychologist only; results shared with consent
How are workplace investigations handled?
Minimal data collection; confidentiality; separate secure file
What’s the procedure for whistleblower reports?
Anonymous channel; limited need-to-know; secure handling
How is monitoring for security purposes conducted?
Policy published; limited scope; no covert monitoring
What’s the process for video surveillance data?
*Signage; 30-day retention; limited access*
How is keystroke monitoring handled?
Prohibited except for security investigations with approval
What’s the procedure for drug testing data?
Medical officer handling; results confidential; limited access
How is biometric access data managed?
*Template storage (not image); purpose limited; 90-day deletion*
2.11 International Data Transfer Procedures
161. What’s the procedure for EU-US transfers?
– EU-US Data Privacy Framework adequacy decision reliance
How are SCCs implemented?
Appendix to all vendor contracts; customized modules
What’s the process for BCR approval?
Submitted to lead authority; annual renewal
How are derogations for specific situations used?
Legal review; documented; time-limited
What’s the procedure for onward transfers?
Same protection level; contractual requirements
How are transfer impact assessments conducted?
Country risk assessment; supplementary measures
What’s the process for employee relocation data?
Minimal data transfer; encrypted; deletion after move
How are cloud data locations managed?
Geo-fencing; preferred regions; transparency from providers
What’s the procedure for cross-border team data?
Regional instances where possible; limited global access
How are international payroll transfers handled?
Payroll provider BCRs; limited data sets
2.12 Employee Lifecycle Procedures
171. What’s the recruitment data procedure?
– *ATS only; 6-month retention for unsuccessful candidates*
How is onboarding data handled?
*Pre-arrival checklist; Day 1 completion; manager notification*
What’s the probation data process?
Checkpoint documentation; feedback recording; outcome tracking
How is performance data managed?
Quarterly updates; employee acknowledgment; development plans
What’s the procedure for promotion data?
Panel review documentation; equity analysis; approval workflow
How is disciplinary data processed?
Separate secure file; limited access; retention per outcome
What’s the process for leave management data?
Medical data confidential; manager sees only eligibility
How is accommodation request data handled?
Medical separate; interactive process documentation
What’s the procedure for termination data?
Checklist; manager/HR separation; final pay calculation
How is post-employment data managed?
*90-day archive; restricted access; alumni program opt-in*
SECTION 3: PROCESSES – WORKFLOWS & SYSTEMS (80 FAQs)
3.1 Core HR Processes
181. What’s the end-to-end hiring process workflow?
– *Req → Approve → Source → Screen → Interview → Offer → Onboard (SP-HC-PROC-300)*
How does the performance management process work?
*Goal Set → Check-ins → Review → Calibration → Development (SP-HC-PROC-310)*
What’s the compensation review process?
*Market Data → Budget → Proposals → Approvals → Communication (SP-HC-PROC-320)*
How does the promotion process flow?
*Eligibility → Nomination → Assessment → Approval → Implementation (SP-HC-PROC-330)*
What’s the termination process workflow?
*Decision → Notify → Exit → Offboard → Archive (SP-HC-PROC-340)*
3.2 Data-Specific Processes
186. How does the data subject request process work?
– *Receive → Verify → Collect → Review → Redact → Deliver (SP-HC-PROC-100)*
What’s the consent management process?
*Request → Inform → Obtain → Record → Renew → Revoke (SP-HC-PROC-110)*
How does the data minimization process work?
*Assess Need → Design Collection → Limit Fields → Review Periodically (SP-HC-PROC-120)*
What’s the data accuracy assurance process?
*Validate Entry → Periodic Review → Correct Errors → Confirm (SP-HC-PROC-130)*
How does the storage limitation process work?
*Set Retention → Flag for Review → Archive or Delete → Certificate (SP-HC-PROC-140)*
3.3 System & Integration Processes
191. What’s the HR system change management process?
– *Request → Impact Assessment → Test → Approve → Deploy → Validate (SP-HC-PROC-400)*
How does system integration testing work?
*Test Plan → Data Mapping → Validation → Security Check → Sign-off (SP-HC-PROC-410)*
What’s the data migration process?
*Extract → Cleanse → Transform → Load → Verify → Audit (SP-HC-PROC-420)*
How does the reporting development process work?
*Requirement → Design → Build → Test → Deploy → Monitor (SP-HC-PROC-430)*
What’s the system decommissioning process?
*Assessment → Data Extraction → Archive → Cutover → Retirement (SP-HC-PROC-440)*
3.4 Risk Management Processes
196. How does the DPIA (Data Protection Impact Assessment) process work?
– *Screen → Describe → Consult → Assess → Mitigate → Sign-off (SP-HC-PROC-500)*
What’s the risk assessment process for new initiatives?
*Identify → Analyze → Evaluate → Treat → Monitor (SP-HC-PROC-510)*
How does the vendor risk assessment process work?
*Questionnaire → Scoring → Site Visit → Contract → Monitor (SP-HC-PROC-520)*
What’s the business continuity planning process for HR data?
*BIA → Strategy → Plan → Test → Maintain (SP-HC-PROC-530)*
How does the incident response testing process work?
*Plan → Tabletop → Live Test → Evaluate → Improve (SP-HC-PROC-540)*
3.5 Compliance Processes
201. What’s the regulatory change management process?
– *Monitor → Assess → Plan → Implement → Train → Audit (SP-HC-PROC-600)*
How does the audit response process work?
*Prepare → Cooperate → Document → Respond → Remediate (SP-HC-PROC-610)*
What’s the certification maintenance process?
*Gap Analysis → Remediate → Document → Audit → Certify (SP-HC-PROC-620)*
How does the policy exception process work?
*Request → Risk Assess → Approve → Document → Monitor → Review (SP-HC-PROC-630)*
What’s the training compliance tracking process?
*Assign → Complete → Record → Follow-up → Report (SP-HC-PROC-640)*
3.6 Employee-Facing Processes
206. How does the employee data update process work?
– *Request → Verify → Approve → Update → Confirm (SP-HC-PROC-700)*
What’s the benefits enrollment process?
*Eligibility → Education → Election → Confirm → Process (SP-HC-PROC-710)*
How does the leave request process work?
*Request → Approve → Record → Pay Adjust → Return (SP-HC-PROC-720)*
What’s the expense reimbursement process?
*Submit → Approve → Audit → Pay → Archive (SP-HC-PROC-730)*
How does the development request process work?
*Identify Need → Plan → Approve → Participate → Evaluate (SP-HC-PROC-740)*
3.7 Management Processes
211. What’s the headcount planning process?
– *Forecast → Budget → Approve → Recruit → Onboard (SP-HC-PROC-800)*
How does the talent review process work?
*Assess → Calibrate → Plan → Develop → Track (SP-HC-PROC-810)*
What’s the team restructuring process?
*Business Case → Design → Consult → Implement → Support (SP-HC-PROC-820)*
How does the budget approval process work?
*Submit → Review → Adjust → Approve → Allocate (SP-HC-PROC-830)*
What’s the managerial reporting process?
*Define Needs → Generate → Review → Distribute → Archive (SP-HC-PROC-840)*
3.8 Data Lifecycle Processes
216. How does the data creation process work?
– *Identify Need → Design → Collect → Validate → Store (SP-HC-PROC-900)*
What’s the data usage process?
*Access Request → Approve → Use → Log → Review (SP-HC-PROC-910)*
How does the data sharing process work?
*Request → Assess → Anonymize → Secure Transfer → Monitor (SP-HC-PROC-920)*
What’s the data archival process?
*Identify → Extract → Secure → Index → Store (SP-HC-PROC-930)*
How does the data destruction process work?
*Schedule → Verify → Destroy → Certificate → Log (SP-HC-PROC-940)*
3.9 Quality Assurance Processes
221. What’s the data quality monitoring process?
– *Define Metrics → Measure → Analyze → Improve → Control (SP-HC-PROC-950)*
How does the process improvement cycle work?
*Identify → Analyze → Design → Implement → Evaluate (SP-HC-PROC-960)*
What’s the feedback collection process?
*Design → Collect → Analyze → Act → Close Loop (SP-HC-PROC-970)*
How does the issue resolution process work?
*Log → Triage → Investigate → Resolve → Follow-up (SP-HC-PROC-980)*
What’s the continuous compliance monitoring process?
*Monitor → Detect → Alert → Investigate → Report (SP-HC-PROC-990)*
3.10 Specialized Processing
226. How does the remote work data process work?
– *Policy → Equipment → Security → Monitoring → Support (SP-HC-PROC-1010)*
What’s the gig worker data process?
*Onboard → Manage → Pay → Offboard → Archive (SP-HC-PROC-1020)*
How does the contingent workforce process work?
*Request → Source → Contract → Manage → Offboard (SP-HC-PROC-1030)*
What’s the executive data process?
*Enhanced Security → Limited Access → Special Handling (SP-HC-PROC-1040)*
How does the M&A employee integration process work?
*Due Diligence → Planning → Communication → Integration → Harmonize (SP-HC-PROC-1050)*
SECTION 4: TEMPLATES & DOCUMENTS (80 FAQs)
4.1 Policy & Procedure Documents
231. What template is used for creating new policies?
– *SP-HC-TMP-001: Policy Template*
Where are all controlled documents listed?
*Master Document Register SP-HC-DOC-001*
What’s the template for procedures?
*SP-HC-TMP-002: Procedure Template*
How are document versions controlled?
Automatic in Document Management System
What’s the document review schedule?
Annual for policies; biennial for procedures
4.2 Forms & Form Templates
236. What’s the template for data access request forms?
– *SP-HC-TMP-010: Data Access Request Form*
Where is the form catalog located?
*Document Repository > Forms Catalog SP-HC-DOC-010*
How are form updates communicated?
Monthly change bulletin; mandatory training for major changes
What’s the process for creating new forms?
*Form SP-HC-FRM-050: New Form Request*
How are obsolete forms retired?
Archive with “DO NOT USE” watermark; system blocking
4.3 Contract & Agreement Templates
241. What’s the employment contract template?
– *SP-HC-TMP-020: Standard Employment Contract*
Where are country-specific contract addenda?
*Appendix documents SP-HC-TMP-021 through 045*
What’s the confidentiality agreement template?
*SP-HC-TMP-030: Employee Confidentiality Agreement*
How is the data processing agreement template structured?
*SP-HC-TMP-040: Vendor DPA Template*
What’s the consent form template for special processing?
*SP-HC-TMP-050: Specific Consent Form*
4.4 Notice & Communication Templates
246. What’s the privacy notice template for employees?
*SP-HC-TMP-060: Employee Privacy Notice*
Where is the candidate privacy notice template?
*SP-HC-TMP-061: Candidate Privacy Notice*
What’s the data breach notification template?
*SP-HC-TMP-070: Breach Notification Template*
How are monitoring notices templated?
*SP-HC-TMP-080: Workplace Monitoring Notice*
What’s the CCTV signage template?
*SP-HC-TMP-081: Video Surveillance Notice*
4.5 Report & Analytics Templates
251. What’s the standard HR metrics report template?
*SP-HC-TMP-090: Monthly HR Dashboard*
Where is the diversity reporting template?
*SP-HC-TMP-091: Diversity & Inclusion Report*
What’s the turnover analysis template?
*SP-HC-TMP-092: Turnover Analysis Report*
How are audit report templates structured?
*SP-HC-TMP-093: Internal Audit Report Template*
What’s the data subject request log template?
*SP-HC-TMP-094: DSAR Tracking Log*
4.6 Assessment & Evaluation Templates
256. What’s the DPIA template?
*SP-HC-TMP-100: Data Protection Impact Assessment*
Where is the risk assessment template?
*SP-HC-TMP-101: Risk Assessment Template*
What’s the vendor assessment template?
*SP-HC-TMP-102: Vendor Security Assessment*
How is the compliance checklist templated?
*SP-HC-TMP-103: Monthly Compliance Checklist*
What’s the training needs analysis template?
*SP-HC-TMP-104: Training Needs Assessment*
4.7 Planning & Strategy Documents
261. What’s the data governance roadmap template?
*SP-HC-TMP-110: 3-Year Governance Roadmap*
Where is the annual compliance plan template?
*SP-HC-TMP-111: Annual Compliance Plan*
What’s the incident response plan template?
*SP-HC-TMP-112: Incident Response Plan*
How is the business continuity plan templated?
*SP-HC-TMP-113: HR BCP Template*
What’s the training calendar template?
*SP-HC-TMP-114: Annual Training Calendar*
4.8 Record-Keeping Documents
266. What’s the processing activities record template?
*SP-HC-TMP-120: ROPA (Record of Processing Activities)*
Where is the data mapping template?
*SP-HC-TMP-121: Data Flow Mapping Template*
What’s the consent record template?
*SP-HC-TMP-122: Consent Management Log*
How are data sharing agreements documented?
*SP-HC-TMP-123: Data Sharing Register*
What’s the retention schedule template?
*SP-HC-TMP-124: Data Retention Schedule*
4.9 Training & Awareness Materials
271. What’s the new hire training deck template?
*SP-HC-TMP-130: Day 1 Privacy Training*
Where are manager training materials?
*SP-HC-TMP-131: Manager Data Stewardship Training*
What’s the awareness campaign template?
*SP-HC-TMP-132: Quarterly Awareness Campaign*
How are quick reference guides templated?
*SP-HC-TMP-133: Data Protection Quick Guide*
What’s the e-learning storyboard template?
*SP-HC-TMP-134: E-learning Development Template*
4.10 Audit & Evidence Documents
276. What’s the audit evidence package template?
*SP-HC-TMP-140: Audit Evidence Collection*
Where is the control testing template?
*SP-HC-TMP-141: Control Testing Template*
What’s the corrective action plan template?
*SP-HC-TMP-142: CAP Template*
How are management reports templated?
*SP-HC-TMP-143: Monthly Management Report*
What’s the board reporting template?
*SP-HC-TMP-144: Quarterly Board Report*
4.11 System & Technical Documents
281. What’s the system requirements template?
*SP-HC-TMP-150: HR System Requirements*
Where is the data dictionary template?
*SP-HC-TMP-151: HR Data Dictionary*
What’s the integration specification template?
*SP-HC-TMP-152: System Integration Spec*
How are user acceptance tests documented?
*SP-HC-TMP-153: UAT Test Script Template*
What’s the system migration plan template?
*SP-HC-TMP-154: Data Migration Plan*
4.12 Employee Lifecycle Documents
286. What’s the onboarding checklist template?
*SP-HC-TMP-160: New Hire Onboarding Checklist*
Where is the performance review template?
*SP-HC-TMP-161: Performance Review Form*
What’s the exit interview template?
*SP-HC-TMP-162: Exit Interview Questionnaire*
How are development plans documented?
*SP-HC-TMP-163: Individual Development Plan*
What’s the promotion proposal template?
*SP-HC-TMP-164: Promotion Business Case*
4.13 Legal & Compliance Documents
291. What’s the legal hold notice template?
*SP-HC-TMP-170: Legal Hold Notice*
Where is the regulatory response template?
*SP-HC-TMP-171: Regulatory Inquiry Response*
What’s the incident report template?
*SP-HC-TMP-172: Security Incident Report*
How are policy exceptions documented?
*SP-HC-TMP-173: Policy Exception Request*
What’s the compliance certification template?
*SP-HC-TMP-174: Annual Compliance Certificate*
4.14 Communication Templates
296. What’s the email announcement template for policy changes?
*SP-HC-TMP-180: Policy Change Communication*
Where is the newsletter template for awareness?
*SP-HC-TMP-181: Data Privacy Newsletter*
What’s the meeting agenda template for governance meetings?
*SP-HC-TMP-182: Governance Meeting Agenda*
How are training invitations templated?
*SP-HC-TMP-183: Training Invitation Template*
What’s the acknowledgment of receipt template?
*SP-HC-TMP-184: Policy Acknowledgment Form*
SECTION 5: FORMS & APPLICATIONS (80 FAQs)
5.1 Employee Data Management Forms
301. What form do employees use to update personal information?
*SP-HC-FRM-001: Personal Data Update Form*
How do employees change emergency contacts?
*SP-HC-FRM-002: Emergency Contact Update*
What form is used for name changes?
*SP-HC-FRM-003: Legal Name Change Request*
How do employees update banking details?
*SP-HC-FRM-004: Bank Account Update*
What form is used for address changes?
*SP-HC-FRM-005: Residential Address Update*
5.2 Data Access & Request Forms
306. What form do managers use to request team data?
*SP-HC-FRM-010: Managerial Data Access Request*
How do employees request their own data?
*SP-HC-FRM-011: Employee Data Access Request*
What form is used for data correction requests?
*SP-HC-FRM-012: Data Correction Request*
How do employees request data deletion?
*SP-HC-FRM-013: Right to Erasure Request*
What form restricts data processing?
*SP-HC-FRM-014: Processing Restriction Request*
5.3 Recruitment & Hiring Forms
311. What’s the candidate consent form?
*SP-HC-FRM-020: Candidate Data Processing Consent*
How is interview feedback collected?
*SP-HC-FRM-021: Interview Evaluation Form*
What form documents job offers?
*SP-HC-FRM-022: Employment Offer Form*
How are background check authorizations obtained?
*SP-HC-FRM-023: Background Check Consent*
What form is used for referral tracking?
*SP-HC-FRM-024: Employee Referral Form*
5.4 Onboarding & Offboarding Forms
316. What’s the new hire information form?
*SP-HC-FRM-030: New Employee Information Sheet*
How are equipment assignments recorded?
*SP-HC-FRM-031: Equipment Assignment Form*
What form documents policy acknowledgments?
*SP-HC-FRM-032: Policy Acknowledgment Checklist*
How is exit information collected?
*SP-HC-FRM-033: Employee Exit Form*
What form manages asset returns?
*SP-HC-FRM-034: Company Asset Return*
5.5 Performance & Development Forms
321. What’s the goal setting form?
*SP-HC-FRM-040: Performance Goal Sheet*
How is feedback documented?
*SP-HC-FRM-041: Performance Feedback Form*
What form is used for development plans?
*SP-HC-FRM-042: Individual Development Plan*
How are promotion requests submitted?
*SP-HC-FRM-043: Promotion Request Form*
What form documents disciplinary actions?
*SP-HC-FRM-044: Disciplinary Action Form*
5.6 Compensation & Benefits Forms
326. What’s the salary change request form?
*SP-HC-FRM-050: Compensation Change Request*
How are bonus payments authorized?
*SP-HC-FRM-051: Bonus Authorization Form*
What form is used for equity grants?
*SP-HC-FRM-052: Equity Grant Agreement*
How do employees enroll in benefits?
*SP-HC-FRM-053: Benefits Enrollment Form*
What form documents leave requests?
*SP-HC-FRM-054: Leave of Absence Request*
5.7 Compliance & Legal Forms
331. What’s the incident reporting form?
*SP-HC-FRM-060: Data Incident Report*
How are policy exceptions requested?
*SP-HC-FRM-061: Policy Exception Request*
What form documents consent withdrawals?
*SP-HC-FRM-062: Consent Withdrawal Form*
How are complaints submitted?
*SP-HC-FRM-063: Data Protection Complaint*
What form is used for audit findings?
*SP-HC-FRM-064: Audit Finding Response*
5.8 System & Access Forms
336. What’s the system access request form?
*SP-HC-FRM-070: HR System Access Request*
How are access revocations requested?
*SP-HC-FRM-071: Access Revocation Request*
What form is used for password resets?
*SP-HC-FRM-072: Privileged Password Reset*
How are integration requests submitted?
*SP-HC-FRM-073: System Integration Request*
What form documents user acceptance?
*SP-HC-FRM-074: UAT Sign-off Form*
5.9 Vendor & Third-Party Forms
341. What’s the vendor assessment form?
*SP-HC-FRM-080: Vendor Security Assessment*
How are vendor contracts submitted for review?
*SP-HC-FRM-081: Vendor Contract Review*
What form documents vendor performance?
*SP-HC-FRM-082: Vendor Performance Review*
How are third-party breaches reported?
*SP-HC-FRM-083: Vendor Breach Notification*
What form terminates vendor relationships?
*SP-HC-FRM-084: Vendor Termination Notice*
5.10 Training & Awareness Forms
346. What’s the training request form?
*SP-HC-FRM-090: Training Enrollment Request*
How are training evaluations submitted?
*SP-HC-FRM-091: Training Feedback Form*
What form documents training completion?
*SP-HC-FRM-092: Training Completion Certificate*
How are awareness campaign ideas submitted?
*SP-HC-FRM-093: Awareness Campaign Proposal*
What form assesses training needs?
*SP-HC-FRM-094: Training Needs Assessment*
5.11 Audit & Monitoring Forms
351. What’s the internal audit request form?
*SP-HC-FRM-100: Internal Audit Request*
How are monitoring activities authorized?
*SP-HC-FRM-101: Monitoring Authorization*
What form documents log reviews?
*SP-HC-FRM-102: Access Log Review*
How are control tests documented?
*SP-HC-FRM-103: Control Testing Form*
What form reports compliance status?
*SP-HC-FRM-104: Monthly Compliance Report*
5.12 Business Process Forms
356. What’s the process change request form?
*SP-HC-FRM-110: Business Process Change*
How are new workflows proposed?
*SP-HC-FRM-111: Workflow Design Request*
What form documents process improvements?
*SP-HC-FRM-112: Process Improvement Proposal*
How are efficiency gains reported?
*SP-HC-FRM-113: Efficiency Improvement Report*
What form initiates automation projects?
*SP-HC-FRM-114: Process Automation Request*
5.13 Special Situation Forms
361. What’s the remote work agreement form?
*SP-HC-FRM-120: Remote Work Agreement*
How are accommodation requests submitted?
*SP-HC-FRM-121: Reasonable Accommodation Request*
What form documents secondments?
*SP-HC-FRM-122: Employee Secondment Agreement*
How are international transfers requested?
*SP-HC-FRM-123: International Transfer Request*
What form manages contingent workers?
*SP-HC-FRM-124: Contingent Worker Agreement*
5.14 Documentation Forms
366. What’s the document creation request form?
*SP-HC-FRM-130: New Document Request*
How are document changes requested?
*SP-HC-FRM-131: Document Change Request*
What form retires obsolete documents?
*SP-HC-FRM-132: Document Retirement Form*
How are translations requested?
*SP-HC-FRM-133: Document Translation Request*
What form archives documents?
*SP-HC-FRM-134: Document Archival Request*
5.15 Employee Relations Forms
371. What’s the grievance submission form?
*SP-HC-FRM-140: Employee Grievance Form*
How are whistleblower reports submitted?
*SP-HC-FRM-141: Whistleblower Report*
What form documents investigations?
*SP-HC-FRM-142: Investigation Findings Report*
How are settlement agreements initiated?
*SP-HC-FRM-143: Settlement Agreement Proposal*
What form manages conflict resolutions?
*SP-HC-FRM-144: Conflict Resolution Agreement*
5.16 Technology & Equipment Forms
376. What’s the equipment request form?
*SP-HC-FRM-150: Technology Equipment Request*
How are software licenses requested?
*SP-HC-FRM-151: Software License Request*
What form documents equipment returns?
*SP-HC-FRM-152: Equipment Return Form*
How are lost devices reported?
*SP-HC-FRM-153: Lost/Stolen Device Report*
What form manages mobile device usage?
*SP-HC-FRM-154: Mobile Device Agreement*
SECTION 6: IMPLEMENTATION & SUPPORT (80 FAQs)
6.1 Getting Started & Setup
381. How do new managers get access to HR systems?
*Complete SP-HC-FRM-070; attend manager training; DPO approval*
What’s the first step for a new HR employee?
Complete Data Guardian certification before system access
How are departments onboarded to new processes?
Departmental briefing; pilot phase; full implementation
What equipment is needed for compliance work?
Encrypted laptop; privacy screen; secure storage
How are regional offices set up for compliance?
Local champion program; tailored training; regular check-ins
6.2 Daily Operations
386. What’s the daily checklist for HR data stewards?
Check incident logs; review access requests; validate new entries
How should managers start their day regarding data?
Secure workstation; check for sensitive documents; review team access needs
What’s the weekly compliance routine?
Monday: Log review; Wednesday: Training updates; Friday: Incident review
How are monthly tasks scheduled?
1st: Report generation; 15th: Access review; 30th: Compliance check
What’s the quarterly rhythm for data governance?
QBR meetings; policy reviews; audit preparations
6.3 Troubleshooting & Problem Resolution
391. What do I do if a form won’t submit?
Check version; clear cache; contact HRIS support (ticket #HRIS-HELP)
How are system errors reported?
ServiceNow ticket with screenshot; impact assessment; user count
What if I suspect unauthorized access?
Immediate report to IT Security; preserve evidence; do not confront
How are process bottlenecks addressed?
Process owner consultation; RCA; improvement plan
What if training materials seem outdated?
*Submit SP-HC-FRM-131; continue using current until updated*
6.4 Training & Development Support
396. Where do I find role-specific training paths?
LMS > Career Paths > Data Protection Roles
How are training gaps identified?
Quarterly assessment; audit findings; incident analysis
What support is available for struggling learners?
One-on-one coaching; job aids; peer mentoring
How is training effectiveness measured?
Pre/post tests; on-job observation; compliance metrics
What advanced training is available?
Certified Data Protection Officer program; privacy engineering
6.5 Technology & Tools Support
401. What HR systems are covered under P137?
Workday, SuccessFactors, SAP HR, Oracle HCM, custom systems
How do I access the Document Management System?
SSO through company portal; role-based permissions
What privacy tools are available?
Data discovery; masking; encryption; monitoring tools
How is mobile access managed?
MDM required; encrypted; remote wipe enabled
What reporting tools are approved?
Tableau, Power BI with row-level security
6.6 Communication & Change Management
406. How are policy changes communicated?
*30-day notice; training; acknowledgment; go-live support*
What channels are used for awareness?
Intranet, email, team meetings, posters, digital signage
How are success stories shared?
Quarterly newsletter; team recognition; best practice library
What’s the feedback mechanism for improvements?
Monthly survey; suggestion box; town halls
How are lessons learned disseminated?
Post-incident reviews; case studies; training updates
6.7 Vendor & Partner Management
411. How are new vendors assessed?
Security questionnaire; reference checks; trial period
What ongoing monitoring occurs?
Quarterly reviews; annual audits; continuous security scanning
How are vendor relationships reviewed?
Annual performance review; contract renewal assessment
What support do vendors receive?
Training; clear requirements; regular communication
How are vendor issues escalated?
Vendor manager → Procurement → Legal → Termination
6.8 Audit Preparation & Support
416. How should departments prepare for audits?
Self-assessment; document organization; process walkthroughs
What documents are typically requested?
Policies; procedures; training records; incident logs; ROPA
How are auditor interviews conducted?
With manager present; factual responses; documentation provided
What’s the post-audit process?
Findings review; CAP development; implementation tracking
How are audit results shared?
Departmental debrief; executive summary; lessons learned
6.9 Incident Response Support
421. What’s in the incident response kit?
Checklists; contact lists; templates; evidence collection tools
How are response teams activated?
Automated paging system; war room setup; communication plan
What support is available during incidents?
*24/7 legal; IT forensics; PR support; employee assistance*
How are affected individuals supported?
Dedicated hotline; credit monitoring; regular updates
What’s the recovery process?
System restoration; vulnerability remediation; process improvement
6.10 Continuous Improvement
426. How are process improvements identified?
Employee suggestions; audit findings; technology changes
What’s the improvement proposal process?
Idea submission → Business case → Approval → Implementation
How are improvements measured?
Before/after metrics; ROI calculation; user satisfaction
What recognition exists for improvements?
Innovation awards; bonuses; promotions; public recognition
How are best practices shared globally?
Community of practice; knowledge base; global meetings
6.11 Compliance Monitoring
431. What’s monitored daily?
Access logs; incident reports; system alerts
What’s monitored weekly?
Training completion; policy acknowledgments; form usage
What’s monitored monthly?
Compliance metrics; audit trails; vendor performance
What’s monitored quarterly?
Risk assessments; control testing; regulatory changes
What’s monitored annually?
Full policy review; comprehensive audit; strategy refresh
6.12 Performance Management
436. How is data compliance included in performance reviews?
Mandatory goal for all employees; weighted 10%
What behaviors are rewarded?
Proactive identification; process improvement; training excellence
How are non-compliant behaviors addressed?
Coaching first; formal warnings if persistent; termination for willful
What metrics track individual compliance?
Training completion; incident involvement; audit findings
How is team compliance measured?
Departmental scores; trend analysis; benchmark comparison
6.13 Resource Management
441. What budget is needed for compliance?
*Annual budget template SP-HC-TMP-111 includes all requirements*
How are resources allocated?
Risk-based approach; regulatory requirements; strategic priorities
What staffing is required?
DPO, data stewards, IT security, legal support
How is external support engaged?
Approved vendor list; statement of work; managed services
What tools require licensing?
Encryption; DLP; monitoring; training platforms
6.14 Stakeholder Management
446. Who are key stakeholders?
Executives, managers, employees, regulators, customers
How are executives engaged?
Quarterly briefings; dashboard access; decision support
How are managers supported?
Toolkits; helpline; regular training; peer network
How are employees informed?
Clear communications; easy access; feedback channels
How are regulators engaged?
Proactive communication; transparency; cooperation
6.15 Scalability & Growth
451. How does compliance scale with company growth?
Modular framework; automated processes; delegated authority
What changes during mergers/acquisitions?
Due diligence; integration plan; harmonization timeline
How are new countries onboarded?
Legal review; localization; champion training
What supports rapid hiring phases?
Automated onboarding; scalable training; temporary stewards
How does remote work expansion affect compliance?
Enhanced monitoring; secure technology; clear policies
6.16 Risk Management
456. How are risks identified?
Monthly assessments; incident analysis; regulatory monitoring
What’s the risk assessment process?
Identify → Analyze → Evaluate → Treat → Monitor
How are risks prioritized?
Impact × likelihood matrix; regulatory requirements
What risk treatments are used?
Avoid, transfer, mitigate, accept
How is risk appetite determined?
Board approval; industry benchmarks; legal requirements
Approved By:
Neftaly Malatjie
Chief Executive Officer

