| 2 | 4-12-2017 | Draft version II |
| 3 | 12-12-2017 | Draft version III |
- PDPA: Personal Data Protection Act;
- GDPR: General Data Protection Regulation;
- Personal data: any data relating to an identified or identifiable natural person;
- Data Subject: the person to whom personal data relates;
- Processor: the person who processes personal data on behalf of the Processing Officer, without being subject to its direct authority;
- Process/processing: all actions or series of actions performed on Personal Data, whether automated or not, such as collecting, recording, structuring, storing, adjusting or modifying, retrieving, consulting, using, publishing by transfer, distribution of or otherwise making available, coordinating or combining, blocking, deleting or destroying;
- Website: the websites under ditt.nl and www.ditt.shop;
- Social Media: The Processing Officer uses the following accounts:
The personal data of which the Processing Officer determines the purpose and means of processing:
| Personal Data | Personal data category |
|---|---|
| Name | A1. Name and address details |
| Address | A1. Name and address details |
| Place of residence | A1. Name and address details |
| Education | A14. Training and education |
| Organisation name | A15. Profession and occupation |
| Function | A15. Profession and occupation |
| Department | A15. Profession and occupation |
| Business e-mail | A15. Profession and occupation |
| Work performance | A15. Profession and occupation |
| Billing address | A20. Company information (COC) |
| IP address private | A21. Digital address data |
| IP address business | A21. Digital address data |
| MAC address mobile private | A21. Digital address data |
| MAC address mobile business | A21. Digital address data |
| Authorization level systems | A21. Digital address data |
| Telephone number, fixed private | A22. Telephone number |
| Telephone number, fixed business | A22. Telephone number |
| Telephone number, mobile private | A22. Telephone number |
| Telephone number, mobile business | A22. Telephone number |
| Phone call data | A22. Telephone number |
| Private account number | A23. Banking details |
| Date of birth | A3. Personal characteristics |
| Place of birth | A3. Personal characteristics |
| Marriage date | A3. Personal characteristics |
| Content phone call | A3. Personal characteristics |
| Gender | A4. Physical data |
| Location data lease car | A5. Living habits |
| Surveillance images | B1. Race or ethnic origin |
| E-mail data private | B11. Various |
| E-mail data business | A24. E-mail data |
| Surfing behaviour internet | B11. Various |
| E-mail address private | B11. Various |
| Failure data | B7. Health |
| Reintegration data | B7. Health |
| Medical data | B7. Health |

Table 1: Personal Data
The ‘A’ in the above overview under the category personal data stands for ‘General’ and ‘B’ for ‘Special’. The processing of special Personal Data may require additional security measures. For a complete overview of all Personal Data, please refer to the Register of Processing Activities of the Processing Officer.
2. Collection and use of Personal Data
The Processing Officer collects Personal Data from Data Subjects, in particular when:
- the relevant Data Subject performs work for The Processing Officer and provides personal data in that context;
- the relevant Data Subject is a contact person of a Client and provides personal data in the context of the implementation of an agreement;
- the relevant Data Subject is a contact person of a Supplier and provides personal data in the context of the implementation of an agreement;
- the relevant Data Subject is an online visitor of the Website or Social Media of The Processing Officer who has passed on personal data online (for example by contacting The Processing Officer with a request for information on its services or products, or by placing an order with The Processing Officer).
The Processing Officer uses this personal data for the purpose for which the Data Subject has provided the Personal Data to The Processing Officer:
- If the Data Subject performs work for The Processing Officer, The Processing Officer processes the personal data in the context of (labour) legislation. The basis for this processing is a statutory obligation on the one hand and necessity for the execution of a (labour) agreement on the other.
- If the Data Subject is involved, on behalf of a Client, in an agreement between The Processing Officer and the Client, The Processing Officer will only process the personal data in order to implement that agreement. The processing is necessary for managing the legitimate business interest of The Processing Officer.
- If the Data Subject is involved, on behalf of a Supplier, in an agreement between The Processing Officer and the Supplier, The Processing Officer will only process the personal data in order to implement that agreement. The processing is necessary for managing the legitimate business interest of The Processing Officer.
- If the Data Subject, as an online visitor of the Website or Social Media of The Processing Officer, requests information about services and products, The Processing Officer processes the personal data to attend to that request. If the Data Subject places an order, The Processing Officer processes the personal data to complete that order. Processing takes place only after indisputable consent from the Data Subject, or if the processing is necessary for the implementation of an agreement.
In addition, The Processing Officer may use the personal data to inform the Data Subject about products or services of The Processing Officer that could be of interest to the relevant Data Subject. If the Data Subject objects to this, he/she can unsubscribe via the unsubscribe option offered.
The Processing of Personal Data is subdivided into 4 categories and per category there are purposes and a legal basis:
| Category | Purposes | Legal basis |
|---|---|---|
| 1. Ditt Personnel | a. Performing HRM administration; b. Salary processing; c. Handling absenteeism and reintegration | a. Legal obligation (Article 52 of the General Law on State Taxes); b. Necessary for implementation of the agreement; c. Legal obligation |
| 2. Client contact persons | a. Performing financial administration; b. Informing the client about services; c. Client information management | a. Legal obligation (Article 52 of the General Law on State Taxes); b. Justified interest |
| 3. Supplier contact persons | Purchase | Justified interest |
| 4. Online visitors | Marketing | a. Consent; b. Justified interest |
For a detailed overview, reference is made to the Register of Processing Activities of The Processing Officer.
3. Transfer to external parties
The Processing Officer shall not pass on the personal data of its Data Subjects to external parties, unless:
- The Processing Officer is required by Law to pass on personal data to competent authorities.
5. Changes to/deletion of personal data
The Data Subject has the right to access, correct, supplement, delete and protect his/her personal data, in accordance with the provisions of Article 36 PDPA and Articles 15 through 22 of the GDPR.
If the Data Subject wishes to make use of one of these rights, or if the Data Subject has questions about the protection of personal data by The Processing Officer, the Data Subject can reach Ditt B.V. at 0546 633000, Zandhuisweg 2, 7665 SH, Albergen.
With each newsletter to the Data Subject an opt-out option is included.
6. Storage period
Ditt B.V. does not store personal data of the Data Subjects for longer than necessary, and complies with statutory retention periods such as the fiscal retention requirement of 7 years. This applies in particular to Data Subjects who:
- perform work for Ditt B.V.;
- are a contact person on behalf of a Client of The Processing Officer;
- are a contact person on behalf of a Supplier of The Processing Officer.
The Processing Officer retains personal data for a period of 3 months after the Data Subject's last visit to the Website or Social Media, unless The Processing Officer, as the party responsible for the processing, is required to keep personal data for a longer period on the basis of a statutory provision.
The Processing Officer has taken appropriate technical and organizational measures to protect the personal data of Data Subjects against loss or unlawful processing, including:
- Encryption (encoding) of digital files with personal data;
- The use of the latest security techniques;
- Two factor authentication;
- Periodic evaluation of security risks using penetration tests and/or security scans;
- The use of a ‘Protocol for reporting data breaches’ (Annex 1).
Annex 1 – Protocol notification of data breaches
This protocol describes the steps within Ditt B.V. (hereinafter referred to as Ditt) that must be taken in the event of a data breach in accordance with the obligation to report data breaches of the Personal Data Protection Act (PDPA). The obligation to report data breaches is an amendment to the PDPA whereby Article 34a has been added to that Act and took effect on 1 January 2016. From 25 May 2018, the PDPA will be revoked by operation of Law and the General Data Protection Regulation will be enforced. The GDPR also includes a notification obligation for data breaches and in anticipation of this development, Chapter 5 is included in this protocol.
1. Scope of the obligation to report data breaches
If there is a breach of the security of personal data as referred to in Section 13 of the PDPA which leads to a considerable chance of serious adverse consequences (1) or has serious adverse consequences for the protection of personal data (2), this is qualified as a data breach. In that case, a notification must be submitted to the Authority for Personal Data.
1.1. Cause and consequence
There must be a ‘breach of security’ (1) and the breach must result in an unintentional or unlawful destruction, loss, modification or unauthorized access to processed personal data (2). A mere shortcoming or vulnerability in security is therefore not a data breach (only a cause without consequences). There is a data breach if Ditt cannot reasonably exclude that a breach of security has resulted in unlawful processing.
1.2. Origin of data breaches
Data breaches can originate from (non-exhaustive summary):
- cyber crime: hacking, identity fraud, malware contamination;
- technical failure (ICT failures);
- human failure (too simple passwords, giving away username/password);
- calamity (fire, flooding);
- lost USB stick or laptop;
- sending an e-mail with all e-mail addresses in the ‘To’ field.
2.1. Investigation and assessment of whether there is a data breach involved
The discovery of a possible data breach is disclosed to the IT Support Manager (and in his/her absence to the Executive Board), who then assesses whether a data breach is involved. The IT Support Manager, in collaboration with the System Management Assistant, investigates the incident. Attention is paid to the following aspects:
- what is the nature of the data breach (special or sensitive data must by definition be reported);
- what is the cause of the incident;
- is there a failure to comply with, or a shortcoming in, the security procedures;
- is Ditt B.V. responsible.
2.2. If the incident is indeed a data breach
Within 2 days, but no later than 72 hours after discovery, the Executive Board will arrange a report to the Dutch Data Protection Authority. In addition, the IT Support Manager will maintain an overview of all data breaches within Ditt. For each data breach, the overview will indicate the facts and data concerning the nature of the infringement. A data breach is retained in the overview for at least 1 year. After reporting the data breach, Ditt will receive an acknowledgement of receipt from the Dutch Data Protection Authority. The Dutch Data Protection Authority will contact Ditt B.V. if, after a report, there is reason to undertake further action. In particular, the origin of the report will be verified, and Ditt B.V. may receive instructions from the Data Protection Authority.
2.3. Report to the Data Subject?
If it is established that a data breach must be reported to the Dutch Data Protection Authority, it must also be assessed whether the data breach must be reported to the Data Subject. The Data Subjects are those whose personal data are involved in an infringement. In the case of Ditt B.V. the Data Subjects are generally the persons who perform work for Ditt B.V., contact persons of Clients, contact persons of Suppliers and visitors of the Website and Social Media of Ditt.
A Data Subject must also be informed of the infringement without delay. If the infringement is unlikely to have an adverse effect on the privacy of the Data Subject, or if the technical protection measures (for example encryption) that have been taken provide sufficient protection, reporting of the data breach to the data subject may be omitted.
3. Assignments, responsibilities and competences
- Every employee or processor of Ditt who, directly or indirectly, has knowledge of a data breach is obliged to report this immediately to the IT Support Manager, and in his/her absence to the Management Board;
- The IT Support Manager is responsible for investigating the incident;
- The IT Support Manager is responsible for assessing whether a data breach must be reported to the Dutch Data Protection Authority, or whether a data breach must be reported to the Data Subject;
- The Executive Board is responsible for reporting data breaches to the Dutch Data Protection Authority;
- The IT Support Manager is responsible for retaining a summary of all data breaches that fall under the obligation to report, for at least 1 year;
- The Executive Board is responsible for taking measures aimed at the prevention, recovery and suppression of unlawful situations;
- The System Management Assistant analyses the reports of data breaches annually and, if necessary, proposes an improvement plan to prevent data breaches;
- The IT Support Manager assesses at least once a year whether the procedure and the implementation of this protocol still correspond with each other. If they do not, it will be assessed whether the procedure must be updated or whether employees must be instructed on the correct application of the protocol.
5. Reporting data breaches under the GDPR
Under the GDPR, the requirements become stricter and this Protocol will have to be adapted. In summary, the following applies under the GDPR:
- If Ditt has become aware of a data breach, it must report this immediately, where possible within 72 hours, to the Dutch Data Protection Authority. If this is not possible, the delay will have to be explained. The duty to report does not apply if it is unlikely that the infringement involves a high risk for the rights and freedoms of natural persons (Article 33 GDPR).
- The Data Subject must also be informed of the infringement if it is probable that the breach will result in a high risk to his/her rights and freedoms, so that he/she can take the necessary precautionary measures. Both the nature of the infringement and recommendations on how to limit possible negative consequences must be reported to him/her (Article 34 of the GDPR).
- A notification to the Data Subject is not necessary when measures have been taken in accordance with the GDPR and these have been applied to the personal data concerned. The data is, for example, pseudonymised, so that the person who receives the data cannot find out to which persons the data relates. A notification can also be omitted if measures were taken afterwards by the Processing Officer to ensure that high risks for the rights and freedoms of the Data Subject are unlikely to occur, or if the communication requires disproportionate effort. In the latter case, the Data Subjects must be informed in another, equally effective manner, for example by means of a public announcement (Article 34 GDPR).
- The GDPR specifies what must be described in the notification to the Dutch Data Protection Authority and, in any case, any possible involved parties. It could occur that not all information is provided simultaneously. In that case it is possible to provide the information in steps (Article 33 GDPR).
- The Processing Officer is also obliged under the GDPR to document all breaches, including the facts about the infringement, its consequences and the corrective measures taken (Article 33, paragraph 5 of the GDPR). This enables the Dutch Data Protection Authority to check compliance with the GDPR.
The Processor is the person who processes the data on behalf of Ditt B.V. The processor processes personal data in accordance with the instructions and under the ultimate responsibility of Ditt B.V.