Cookie and Privacy Statement

Privacy Policy

Changes

Version | Date       | Remarks
1       | 1-12-2017  | Draft version
2       | 4-12-2017  | Draft version II
3       | 12-12-2017 | Draft version III
4       | 21-12-2017 | Final version

Ditt B.V. reserves the right to review this Privacy Policy from time to time in order to adjust to legal and other developments. You should therefore regularly consult this Privacy Policy so that you are aware of any changes.

Definitions

  1. PDPA: Personal Data Protection Act;
  2. GDPR: General Data Protection Regulation;
  3. Personal data: any data relating to an identified or identifiable natural person;
  4. The Processing Officer: determines the purpose and the means for the processing of personal data. In the context of this Privacy Policy, the Processing Officer is: Ditt B.V., Zandhuisweg 2, 7665 SH, Albergen, 0546 633000;
  5. Data Subject: the person to whom personal data relates;
  6. Processor: the person who processes personal data on behalf of the Processing Officer, without being subject to its direct authority;
  7. Process/processing: all actions or series of actions performed on Personal Data, whether automated or not, such as collecting, recording, structuring, storing, adjusting or modifying, retrieving, consulting, using, publishing by transfer, distribution of or otherwise making available, coordinating or combining, blocking, deleting or destroying;
  8. Website: the websites under ditt.nl and www.ditt.shop;
  9. Social Media: The Processing Officer uses the following accounts:

Social Media | Link | Privacy Policy
Twitter | https://twitter.com/Ditt_nl | https://twitter.com/en/privacy
Instagram | https://www.instagram.com/ditt_nl/ | https://nl-nl.facebook.com/help/instagram/155833707900388/?helpref=hc_fnav
LinkedIn | https://www.linkedin.com/company/17925319/ | https://www.linkedin.com/legal/privacy-policy?_l=nl_NL
Pinterest | https://nl.pinterest.com/dittnl/ | https://policy.pinterest.com/en/privacy-policy
Issuu | https://issuu.com/skeppdesignbuild | https://issuu.com/legal/privacy
Facebook | https://www.facebook.com/Dittofficemakers/ | https://www.facebook.com/about/basics/nl?gclid=EAIaIQobChMIyYn2u9_31wIVbbvtCh2pcQytEAAYASAAEgJzxPD_BwE

1. General

1.1.

This Privacy Policy describes how the Processing Officer handles or processes the personal data of its Data Subjects.

1.2.

The personal data of which the Processing Officer determines the purpose and means of processing:

Personal Data | Personal data category
Name | A1. Name and address details
Address | A1. Name and address details
Place of residence | A1. Name and address details
Education | A14. Training and education
Organisation name | A15. Profession and occupation
Function | A15. Profession and occupation
Department | A15. Profession and occupation
Business e-mail | A15. Profession and occupation
Work performance | A15. Profession and occupation
Billing address | A20. Company information (COC)
IP address private | A21. Digital address data
IP address business | A21. Digital address data
MAC address mobile private | A21. Digital address data
MAC address mobile business | A21. Digital address data
Authorization level systems | A21. Digital address data
Telephone number, fixed private | A22. Telephone number
Telephone number, fixed business | A22. Telephone number
Telephone number, mobile private | A22. Telephone number
Telephone number, mobile business | A22. Telephone number
Phone call data | A22. Telephone number
Private account number | A23. Banking details
Date of birth | A3. Personal characteristics
Place of birth | A3. Personal characteristics
Marriage date | A3. Personal characteristics
Content phone call | A3. Personal characteristics
Gender | A4. Physical data
Location data lease car | A5. Living habits
Surveillance images | B1. Race or ethnic origin
E-mail data private | B11. Various
E-mail data business | A24. E-mail data
Surfing behaviour internet | B11. Various
E-mail address private | B11. Various
Failure data | B7. Health
Reintegration data | B7. Health
Medical data | B7. Health
Table 1: Personal Data

The ‘A’ in the above overview under the Category personal data stands for ‘General’ and ‘B’ for ‘Special’. The processing of special Personal Data may require additional security measures. For a complete overview of all Personal Data, please refer to the Register of Processing Activities of the Processing Officer.

2. Collection and use of Personal Data

2.1.

The Processing Officer collects Personal Data from Data Subjects, in particular when:

2.1.1.

the relevant Data Subject performs work for The Processing Officer and provides personal data in that context.

2.1.2.

the relevant Data Subject is a contact person of a Client and provides personal data in the context of the implementation of an agreement.

2.1.3.

the relevant Data Subject is a contact person of a Supplier and provides personal data in the context of the implementation of an agreement.

2.1.4.

the relevant Data Subject is an online visitor of the Website or Social Media of The Processing Officer and has passed on personal data online (for example by making contact with a request for information on the services or products of The Processing Officer, or by placing an order with The Processing Officer).

2.2.

The Processing Officer uses this personal data for the purpose for which the Data Subject has provided The Personal Data to the Processing Officer:

2.2.1.

If the Data Subject performs work for the Processing Officer, The Processing Officer processes the personal data in the context of (labour) legislation. The basis for this processing is a statutory obligation on the one hand and necessity for the execution of a (labour) agreement on the other.

2.2.2.

If the Data Subject is involved, on behalf of a Client, in an agreement between the Processing Officer and the Client, the Processing Officer will only process the personal data in order to implement that agreement. The processing is necessary for managing the legitimate business interest of the Processing Officer.

2.2.3.

If the Data Subject is involved, on behalf of a Supplier, in an agreement between the Processing Officer and the Supplier, the Processing Officer will only process the personal data in order to implement that agreement. The processing is necessary for managing the legitimate business interest of the Processing Officer.

2.2.4.

If the Data Subject, as an online visitor of the Website or Social Media of The Processing Officer, requests information about services and products, The Processing Officer processes the personal data to attend to that request. If the Data Subject places an order, The Processing Officer processes the personal data to complete that order. Processing takes place only after unambiguous consent from the Data Subject, or if the processing is necessary for the implementation of an agreement.

2.3.

In addition, The Processing Officer may use the personal data to inform the Data Subject about products or services of The Processing Officer that could be of interest to the relevant Data Subject. If the Data Subject objects to this, he/she can unsubscribe via the unsubscribe option offered.

2.4.

The Processing of Personal Data is subdivided into 4 categories; for each category the purposes and the legal basis are as follows:

  1. Ditt Personnel
     Purpose: a. Performing HRM administration; b. Salary processing; c. Handling absenteeism and reintegration.
     Basis: a. Legal obligation (Article 52 of the General Law on State Taxes); b. Necessary for implementation of the agreement; c. Legal obligation.

  2. Client contact persons
     Purpose: a. Performing financial administration; b. Informing the client about services; c. Client information management.
     Basis: a. Legal obligation (Article 52 of the General Law on State Taxes); b. Justified interest.

  3. Supplier contact persons
     Purpose: Purchase.
     Basis: Justified interest.

  4. Online visitors
     Purpose: Marketing.
     Basis: a. Consent; b. Justified interest.

For a detailed overview, reference is made to the Register of Processing Activities of The Processing Officer.

3. Transfer to external parties

3.1.

The Processing Officer shall not pass on the personal data of its Data Subjects to external parties, unless:

3.1.1.

the transfer is made to a processor appointed by the Processing Officer for the purposes listed in this Privacy Policy, with which processor The Processing Officer has concluded an agreement that ensures that the processor offers sufficient guarantees regarding technical and organisational security measures with regard to the processing operations to be carried out; or

3.1.2.

The Processing Officer is required by law to pass on personal data to competent authorities.

4. Cookies

4.1.

The Processing Officer uses so-called ‘cookies’. The Cookie and Privacy Statement of the Processing Officer, which can be found at www.ditt.nl and www.ditt.shop, contains further information about the use of cookies, including the purposes for which The Processing Officer uses cookies.

5. Changes to/deletion of personal data

5.1.

The Data Subject has the right to access, correct, supplement, delete and protect his/her personal data, in accordance with the provisions of Article 36 PDPA and Articles 15 through 22 of the GDPR.

5.2.

If the Data Subject wishes to make use of one of these rights, or if the Data Subject has questions about the protection of personal data by The Processing Officer, the Data Subject can reach Ditt B.V. at 0546 633000, Zandhuisweg 2, 7665 SH, Albergen.

5.3.

Each newsletter sent to the Data Subject includes an opt-out option.

6. Storage period

6.1.

Ditt B.V. does not store personal data of the Data Subjects for longer than necessary, and complies with statutory retention periods such as the fiscal retention requirement of 7 years. This applies in particular to Data Subjects who:

  1. perform work for Ditt B.V.;
  2. are a contact person on behalf of a Client of The Processing Officer;
  3. are a contact person on behalf of a Supplier of The Processing Officer.

6.2.

The Processing Officer retains personal data for a period of 3 months after the last visit to the Website or Social Media, unless The Processing Officer is required to keep personal data for a longer period on the basis of a statutory provision.

7. Security

7.1.

The Processing Officer has taken appropriate technical and organizational measures to protect the personal data of Data Subjects against loss or unlawful processing, including:

  • Encryption (encoding) of digital files with personal data;
  • The use of the latest security techniques;
  • Two-factor authentication;
  • Periodic evaluation of security risks using penetration tests and/or security scans;
  • The use of a ‘Protocol for reporting data breaches’ (Annex 1).

The current Privacy Policy was updated on 1 January 2018.

Annex 1 – Protocol for reporting data breaches

This protocol describes the steps within Ditt B.V. (hereinafter referred to as Ditt) that must be taken in the event of a data breach, in accordance with the obligation to report data breaches under the Personal Data Protection Act (PDPA). The obligation to report data breaches is an amendment to the PDPA whereby Article 34a was added to that Act; it took effect on 1 January 2016. From 25 May 2018 the PDPA will be repealed by operation of law and the General Data Protection Regulation (GDPR) will apply. The GDPR also includes a notification obligation for data breaches; in anticipation of this development, Chapter 5 of this protocol covers it.

1. Scope of the obligation to report data breaches

If there is a breach of the security of personal data as referred to in Section 13 of the PDPA which leads to a considerable chance of serious adverse consequences (1) or has serious adverse consequences for the protection of personal data (2), this qualifies as a data breach. In that case, a notification must be submitted to the Authority for Personal Data.

1.1. Cause and consequence

There must be a ‘breach of data’ (1) and the breach must result in an unintentional or unlawful destruction, loss, modification or unauthorized access to processed personal data (2). A mere shortcoming or vulnerability in security is therefore not a data breach (only a cause, without consequences). There is a data breach if Ditt cannot reasonably exclude that a breach of security has resulted in unlawful processing.

1.2. Origin of data breaches

Data breaches can originate from (non-exhaustive summary):

  • cyber crime: hacking, identity fraud, malware infection;
  • technical failure (ICT failures);
  • human failure (too simple passwords, sharing a username/password);
  • calamity (fire, flooding);
  • lost USB stick or laptop;
  • sending an e-mail with all e-mail addresses in the ‘To’ field.

2. Notifications

A data breach can be discovered by an employee or a processor [1] of Ditt.

2.1. Investigation and assessment of whether there is a data breach

This discovery will be disclosed to the IT Support Manager (and in his/her absence to the Executive Board), who will then assess whether there is a data breach. The IT Support Manager, in collaboration with the System Management Assistant, investigates the incident. Attention is paid to the following aspects:

  1. what is the nature of the data breach (special or sensitive data must by definition be reported);
  2. what is the cause of the incident;
  3. is there a failure to comply with, or a shortcoming in, the security procedures;
  4. is Ditt B.V. responsible.

2.2. If the incident is indeed a data breach

Within 2 days of discovery, and no later than 72 hours after it, the Executive Board will arrange a report to the Dutch Data Protection Authority. In addition, the IT Support Manager will maintain an overview of all data breaches within Ditt [2]. For each data breach, the overview will record the facts and details of the nature of the infringement. A data breach is retained in the overview for at least 1 year. After reporting the data breach, Ditt will receive an acknowledgement of receipt from the Dutch Data Protection Authority. The Dutch Data Protection Authority will contact Ditt B.V. if, after a report, there is reason to undertake further action. In particular, the origin of the report will be verified, and Ditt B.V. may receive instructions from the Data Protection Authority.

2.3. Report to the Data Subject?

If it is established that a data breach must be reported to the Dutch Data Protection Authority, it must also be assessed whether the data breach must be reported to the Data Subject. The Data Subjects are those whose personal data are involved in an infringement. In the case of Ditt B.V. the Data Subjects are generally the persons who perform work for Ditt B.V., contact persons of Clients, contact persons of Suppliers and visitors of the Website and Social Media of Ditt.

A Data Subject must also be informed of the infringement without delay. If the infringement is unlikely to have an adverse effect on the privacy of the Data Subject, or if the technical protection measures (for example encryption) that have been taken provide sufficient protection, reporting of the data breach to the Data Subject may be omitted.

3. Assignments, responsibilities and competences

  1. Every employee or processor of Ditt who, directly or indirectly, has knowledge of a data breach is obliged to report this immediately to the IT Support Manager and, in his/her absence, to the Management Board;
  2. The IT Support Manager is responsible for investigating the incident;
  3. The IT Support Manager is responsible for assessing whether a data breach must be reported to the Dutch Data Protection Authority, and whether a data breach must be reported to the Data Subject;
  4. The Executive Board is responsible for reporting data breaches to the Dutch Data Protection Authority;
  5. The IT Support Manager is responsible for retaining an overview of all data breaches that fall under the obligation to report, for at least 1 year;
  6. The Executive Board is responsible for taking measures aimed at the prevention, recovery and suppression of unlawful situations.

4. Internal control

  1. The System Management Assistant analyses the reports of data breaches annually and, if necessary, proposes an improvement plan to prevent data breaches.
  2. The IT Support Manager assesses at least once a year whether the procedure and the implementation of this protocol still correspond with each other. If they do not, it will be assessed whether the procedure must be updated or whether employees must be instructed on the correct application of the protocol.

5. Reporting data breaches under the GDPR

Under the GDPR the requirements become stricter and this Protocol will have to be adapted. In summary, the following applies under the GDPR:

  • If Ditt has become aware of a data breach, it must report this immediately, where possible within 72 hours, to the Dutch Data Protection Authority. If this is not possible, the delay will have to be explained. The duty to report does not apply if it is unlikely that the infringement involves a high risk for the rights and freedoms of natural persons (Article 33 GDPR).
  • The Data Subject must also be informed of the infringement if it is probable that the breach will result in a high risk to his/her rights and freedoms, so that he/she can take the necessary precautionary measures. Both the nature of the infringement and recommendations on how to limit possible negative consequences must be reported to him/her (Article 34 GDPR).
  • A notification to the Data Subject is not necessary when measures have been taken in accordance with the GDPR and these have been applied to the personal data concerned. The data is, for example, pseudonymised, so that the person who receives the data cannot find out to which persons the data relates. A notification can also be omitted if measures were taken afterwards by the Processing Officer to ensure that high risks for the rights and freedoms of the Data Subject are unlikely to occur, or if the communication would require disproportionate effort. In the latter case, the Data Subjects must be informed in another, equally effective manner, for example by means of a public announcement (Article 34 GDPR).
  • The GDPR specifies what must be described in the notification to the Dutch Data Protection Authority and, in any case, to any parties involved. It could occur that not all information is available at once. In that case it is possible to provide the information in steps (Article 33 GDPR).
  • The Processing Officer is also obliged under the GDPR to document all breaches, including the facts about the infringement, the consequences and the corrective measures taken (Article 33, section five, GDPR). This enables the Dutch Data Protection Authority to check compliance with the GDPR.

[1] The Processor is the person who processes the data on behalf of Ditt B.V. The processor processes personal data in accordance with the instructions and under the ultimate responsibility of Ditt B.V.

[2] A Register of Data Breaches has also been added to the Register of Processing Activities at Ditt.