In the course of its activities, ETAP processes commercial and personal data from a variety of sources. This policy involves the processing of personal data by ETAP. The personal data of several categories of identifiable individuals will be processed, such as employees, customers and suppliers, website users, subscribers and other stakeholders.
ETAP understands the importance of the protection of personal data and the concerns of its personnel, customers (contacts), suppliers (contacts) and other individuals it is in contact with regarding the processing of their personal data. ETAP always carefully considers the protection of personal data in its various personal data processing operations.
Several individuals within the organisation may have access to the personal data of its employees (the term employees is understood to mean: managers and everyone working for ETAP, including self-employed service providers and consultants, temporary personnel such as temps, interns, students with part-time jobs, volunteers, former employees) and of other individuals (customers and suppliers) during the performance of their duties. Each of these people within ETAP is bound by this policy on the protection of personal data.
Applicable data protection legislation imposes obligations on ETAP with respect to the way in which it must process data. Furthermore, the legislation grants rights to individuals whose data is processed, giving them more control over their own personal data.
This policy provides an overview of the general obligations the company and its personnel must comply with under data protection legislation. Compliance with this policy is important for the following reasons:
- Compliance with data protection legislation is a legal obligation and not respecting said obligations may lead to liability, sanctions and penalties.
- Compliance with data protection legislation leads to better and more efficient processing of personal data.
- Compliance with data protection legislation forms the basis for a relationship of mutual trust between ETAP and its business relations, consumers and staff.
2. Scope of application
This policy applies to ETAP as an entity that processes personal data, and sets out the guidelines that any processing of personal data must satisfy, whether or not it is carried out wholly or partly by automated means, and whether the data forms part of, or is intended to form part of, a structured file.
This policy is drawn up in such a way that it involves a uniform minimum standard for the protection of personal data applicable to all the companies within the ETAP GROUP. This policy will apply within the group unless other compelling data protection legislation applies, imposing stricter obligations and conditions.
3. Contact point for the protection of personal data
The company has appointed an officer, assisted by a team, to ensure implementation of and compliance with data protection legislation and this policy.
The data protection officer is Petra Vervoort, HR Manager, and is available by e-mail at email@example.com or by telephone on 03/310 02 12. To exercise your rights, please refer to Article 8 of this policy.
The applicable data protection legislation has its own terminology and involves an abstract matter. Below are some definitions to allow you to better understand the terminology and, by extension, this policy.
a. Data protection legislation
Different legislation may apply depending on the specific case in which personal data is processed.
In addition to European regulations, specific national data protection legislation is also applicable, such as the Act of 8 December 1992 on the protection of privacy with regard to the processing of personal data and the Act of 13 June 2005 on electronic communications.
b. Personal data
Personal data refers to all information about an identified or identifiable natural person, also called the data subject. A person shall be considered identifiable where a natural person can be identified, directly or indirectly, in particular by means of an identifier such as a name, an identification number, location data, an online identifier or by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
c. Processing officer
The processing officer is a natural or legal person (e.g., a company), public authority, agency or any other body, which alone or jointly with others determines the purposes and means of the processing of personal data.
For example, ETAP is a legal person in charge of processing personal data of its employees as part of its HR management.
d. Processor
The processor is a natural or legal person, public authority, agency or any other body, which processes personal data on behalf of and solely on the instructions of the processing officer.
e. The processing of personal data
The processing of personal data means any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means (e.g., software), such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, deletion or destruction.
An example of the processing of personal data is when the organisation collects and stores contact details for its customers’ contacts in the organisation’s Client Relationship Management software system or in a paper customer file.
f. File
A file is any structured set of personal data accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
This therefore covers both files structured electronically, by means of software or cloud applications, and paper files, insofar as those files are organised in a logical manner and are structured by reference to individuals or to criteria relating to individuals.
5. Applicable principles for the collection and processing of personal data
In addition to having their own terminology, data protection laws contain a number of basic principles that every processing officer must respect in order to comply with these regulations. In case of doubt about the application of these principles in a specific case, do not hesitate to contact Petra Vervoort for further information, in accordance with the procedure described in Article 7.
Data protection legislation requires that personal data be processed in accordance with the various basic principles and ensuing conditions.
Data protection legislation requires that personal data be processed in a way that is lawful and adequate vis-à-vis the data subject.
In order to lawfully process personal data, a legal basis must always exist. Personal data can in principle only be processed if:
- The data subject has given consent. The organisation will, at the very least, inform the data subject in advance of the purpose for which consent is requested, which personal data will be collected for the processing, the right to withdraw consent, the possible consequences for the data subject of automated individual decision-making and profiling, and any transfer to third countries.
- Processing is necessary for the performance of an agreement to which the data subject is a party or in order to enable action to be taken at the request of the data subject prior to the conclusion of an agreement.
- Processing is necessary to satisfy a legal obligation imposed on the organisation.
- Processing is necessary to protect the vital interests of the data subject or of another natural person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the organisation acting as processing officer.
- Processing is necessary to protect the legitimate interests of the organisation as processing officer or of a third party, except where the fundamental rights and freedoms of the data subject with regard to the protection of their personal data outweigh said interests.
If, for a particular processing purpose, you have given your consent to the organisation to process your data for that purpose, you may withdraw that consent at any time. The organisation will then stop processing your data, for which you have given your consent, and will inform you of the possible consequences of the withdrawal of your consent.
If the organisation processes your personal data for other purposes and invokes different legal grounds for doing so, it will still be able to process your personal data.
The organisation ensures that it always invokes at least one of the above-mentioned legal bases when processing personal data. Should you have any questions about the applicable legal basis relied upon by the organisation, you can always contact it in accordance with the procedure set forth in Article 7.
Some categories of personal data are of a sensitive nature and data protection legislation therefore provides for a stricter regime for the special categories of personal data (also referred to as ‘sensitive personal data’). This involves data on race or ethnic background, political convictions, religious or philosophical beliefs, or membership in a trade union, and processing of genetic data, biometric data in view of the unique identification of an individual, or data on health, or data on a person’s sexual behaviour or sexual orientation. Information relating to criminal offences or convictions also represents a special category.
In principle, it is prohibited to process this sensitive personal data, unless the organisation can invoke one of the exceptions. In a specific, very limited number of cases, the organisation must process sensitive personal data, in which case the data subject will be informed in advance. For these specific purposes, the organisation will inform the data subject in advance in detail about the specific purposes and the basis for the processing. For further information on the processing of sensitive personal data by the organisation, please do not hesitate to contact us in accordance with the procedure as described in Article 7 of this policy.
b. Proper conduct
The organisation ensures that personal data will be processed:
- For specific, expressly described and justified purposes and will not be further processed for purposes that are not compatible with the initial purpose for which the data was collected. The organisation will always communicate the purposes clearly before initiating processing operations.
- To an extent limited to what is necessary for the purposes for which the data was collected. Where possible, the organisation will anonymise or pseudonymise the data in order to limit the impact on the data subject as much as possible. This implies that the name or identifier will be replaced so that it is difficult or even impossible to identify an individual.
- Limited in time and insofar as needed for the specific purpose.
- Accurately, and the data will be updated where necessary. The organisation will take all reasonable measures to erase or rectify inaccurate personal data, taking into account the purposes for which it is processed.
The organisation processes personal data which, in principle, it has received directly from the data subject. When the organisation processes the data subject’s personal data, it will always inform the data subject of the following:
- Identity of processing officer and contact details.
- Contact details for data protection officer, if one was appointed.
- Processing purposes and legal basis.
- In the event that the processing of personal data is based on a legitimate interest, an explanation of this interest.
- (Categories of) recipients of personal data.
- Transfer of personal data to third countries (outside the EU) or international organisations, and the basis for that transfer.
- Retention of personal data or the criteria on the basis of which the retention period is determined.
- Data subject’s rights (including the right to withdraw consent).
- Right to file a complaint with the supervisory authority.
- Clarification if the provision of personal data constitutes a contractual or legal obligation.
- The logic behind automated decision-making processes and potential legal consequences for the data subject.
- In the event that the organisation receives personal data from a third party, it is to clearly inform the data subject of the categories of personal data it has received from said third party and will also reveal said third party to the data subject.
In the event that the data subject already has all information, the organisation will not needlessly inform the data subject of the processing of their personal data.
In the event that the organisation processes personal data for other purposes that are not compatible with the purposes for which the personal data was initially collected (the new purpose does not seem to be described in the initial information memorandum and the data subject cannot assume that their personal data will also be processed for this new purpose), the organisation will take all necessary measures to process this personal data lawfully and will inform the data subject accordingly.
The organisation can provide the information both collectively and individually and will always ensure that it is drawn up in understandable and simple language.
Special legislation may contain exceptions or impose additional requirements for the provision of information to data subjects with which the organisation must comply. These compelling legal provisions will prevail over this policy.
d. Confidentiality and integrity
The organisation will take the required technical and organisational measures to ensure that the processing of personal data always takes place with suitable guarantees in order for data to be protected against unauthorised access or unlawful processing and against accidental loss, destruction or damage. When selecting the appropriate security measures, the organisation has taken into account the nature, context, purpose and scope of the processing, the possible risks involved in the processing of personal data, the costs of implementing the measures and the current technology.
These measures apply to physical access to personal data, access to personal data by computers, servers, networks or other IT hardware and software applications and databases. In addition to the technical and organisational measures, the company's employees, who have access to personal data in the performance of their duties, are subject to various obligations to safeguard the confidentiality and integrity of personal data and as listed in Article 9 of this policy.
The organisation will organise training courses for employees who, in the performance of their duties, will process personal data on behalf of the organisation. Employees may only process personal data on the instructions of the organisation or if the law requires them to do so. The organisation will also implement access rights so that employees only have access to the data they need in the performance of their job. Employees who have access to personal data will sign a confidentiality agreement.
The organisation will ensure that third parties who receive personal data from the organisation will comply with applicable data protection legislation and this policy.
A general summary of technical and organisational security measures introduced by the group of companies can be found under point 13.
6. Transfer of personal data
In some cases, the organisation may be forced to pass on your personal data to third-party recipients, both within and outside the organisation's group of companies. In any case, personal data will only be transferred on a need-to-know basis to those recipients who carry out the processing for specific purposes. The organisation will at all times take the necessary security measures during transfer and with respect to recipients to ensure the confidentiality and integrity of personal data.
Transfer to third parties can take various forms as described in further detail below.
a. Transfer within the organisation's enterprise group
The transfer of personal data within the organisation's enterprise group is considered to be a transfer to a third party. As a result, this transfer can only take place once the organisation has complied with the various principles and obligations under data protection legislation. This implies, inter alia, that the data subjects must be informed of the transfer and the reason for said transfer and that the transferring organisation can rely on a legal basis (consent of the data subject, execution of an agreement, legitimate interest, etc.) for such a transfer. The organisation must also comply with the other principles as listed under Article 5 of this policy during further processing.
b. Transfer to processors
The organisation can request a third party, a processor, to process personal data only on behalf of and on the instructions of the organisation. The processor may not process this personal data for their own purposes that are independent of the purposes for which the organisation calls on the processor.
The organisation may choose to work with such processors, which provide services at the organisation's request, such as travel agencies, rental services, and medical and other professional advisers.
The organisation will only call upon processors and provide them with personal data once they have concluded agreements with processors that satisfy legal requirements. The GDPR prescribes, inter alia, that the agreement must include a clause stating that the processor can only process the personal data on the instructions of the organisation; that the processor must assist the organisation at its request; that data must remain confidential, etc.
A component of this processor's agreement also covers the security measures the processor must implement before processing personal data and must maintain throughout the processing in order to safeguard the confidentiality and integrity of the data.
The organisation will take the necessary measures if it finds that its processors are not complying with their obligations under the agreement.
A standard processor contract is available from Petra Vervoort, HR manager.
c. Transfer to third countries – outside the European Economic Area
It is also possible that the organisation will pass on your personal data to parties established in third countries, i.e., countries outside the European Economic Area (i.e., the European Union, Norway, Iceland and Liechtenstein).
Such a transfer is possible if the country in which the recipient is located provides sufficient legal safeguards for the protection of your personal data and if the European Commission has assessed this as being adequate. In other cases, the organisation has concluded a model contract with the recipient to provide protection similar to that provided in Europe.
In cases where this has not been done or is not possible, the organisation can always transfer the personal data of the data subject, provided that the latter’s consent has been obtained, within the boundaries of the data subject's relationship with the organisation. Therefore, in order to allow for transfers and hence processing even in these cases, the organisation will, where appropriate, ask the data subject whether this occasional transfer to third countries can be agreed to.
In the event that further information or a copy of the safeguards attached to these international transfers of personal data is required, the procedure as set out in Article 8 may always be followed.
7. Retention period of personal data
The organisation will not retain your personal data for longer than is necessary for the specific purpose for which the data was collected. After expiry of the retention period, the organisation will remove or anonymise the personal data. The organisation will anonymise the data should it wish to use it for statistical purposes. The organisation may nonetheless retain the personal data for a longer period of time for dispute management, investigations or archiving purposes.
8. Rights of the data subjects
Data protection legislation provides for various rights for data subjects with respect to the processing of personal data in order to allow data subjects to continue to exercise sufficient control over the processing of their personal data.
Through its current policy, the organisation already tries to provide as much information as possible to data subjects in order to be as transparent as possible with regard to the processing of personal data. This general policy should nonetheless be read in conjunction with more specific information memorandums that provide further information about the organisation’s specific processing purposes.
The organisation understands that the data subject may have further questions or may require clarifications with respect to the processing of their personal data. The organisation therefore understands the importance of these rights and will comply with them taking into account legal limitations when exercising said rights. The various rights will be further described below.
a. Right of access/Perusal
The data subject has the right to obtain confirmation from the organisation as to whether or not their personal data is being processed. If so, the data subject may request access to their personal data.
The organisation will inform the data subject of the following:
- processing purposes;
- relevant categories of personal data;
- recipients or categories of recipients to whom personal data is provided;
- transfer to recipients in third countries or international organisations;
- where possible, period during which personal data is expected to be stored, or if this proves to be impossible, criteria to determine that period;
- that the data subject has the right to request the organisation to rectify or erase personal data, or to restrict the processing of their personal data, as well as the right to object to said processing;
- that the data subject has the right to file a complaint with a supervisory authority;
- in the event that the personal data is not collected from the data subject, all available information on the source of said data;
- the existence of automated decision-making, including profiling, and useful information on the underlying logic of said decision-making and the importance and expected consequences of said processing for the data subject.
The organisation also provides a copy of the personal data being processed. In the event that the data subject requests additional copies, the organisation can charge a reasonable fee.
b. Right to rectification
In the event that the data subject establishes that the organisation is in possession of incorrect or incomplete personal data, the data subject is always entitled to report this to the organisation in order for the necessary steps to be taken to correct or supplement this data. It is the data subject’s responsibility to provide correct personal data to the organisation.
c. Right to erasure (right to be forgotten)
The data subject can request the deletion of their personal data if the processing is not in accordance with data protection legislation and within the limits of the law (Art. 17 GDPR).
d. Right to limitation of processing
The data subject can request restriction of processing if:
- the accuracy of the personal data is contested, for the period needed to verify its accuracy;
- processing is unlawful and the data subject does not wish the data to be deleted;
- the organisation no longer needs the data, but the data subject asks that it not be removed because they need it to exercise or substantiate a legal claim;
- the data subject has objected to the processing, pending verification of whether the organisation's legitimate grounds outweigh the interests of the data subject.
e. Right to portability
The data subject has the right to receive the personal data they have provided to the organisation in a structured, commonly used and machine-readable format. The data subject has the right to transfer this personal data (directly via the organisation) to another processing officer. This applies where the processing is based on the data subject’s consent and is carried out by automated means.
f. Right of objection
In the event that personal data is processed for direct marketing purposes (including profiling), the data subject can always object to the processing.
The data subject can also object to the processing due to a specific situation involving the data subject. The organisation will cease processing, unless it invokes compelling legitimate grounds for processing, which outweigh the interests of the data subject or which are connected with the exercise of or substantiation of a legal claim.
g. Automated individual decision-making
The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which has a legal impact on them or which otherwise significantly affects them, such as the evaluation of personal aspects relating to the performance of their work, reliability, creditworthiness, etc.
This right not to be subject to such automated decision-making does not apply if the decision is allowed based on a compelling legal provision.
The data subject cannot invoke this right either if the decision is necessary for the conclusion or execution of the agreement between the data subject and the organisation or is based on the data subject’s express consent. In the latter two cases, the data subject is entitled to human intervention by someone within the organisation and has the right to express their point of view and challenge the automated decision.
h. Right of withdrawal of consent
If, for a specific processing purpose, you have given your consent to the organisation to process your data, you may withdraw that consent at any time by sending an email.
i. Procedure for the exercise of rights and other provisions
The data subject can exercise their rights by sending an email to Petra Vervoort, HR manager at firstname.lastname@example.org or by contacting her by telephone on 03/310 02 12. The organisation may ask the data subject to identify themselves to ensure that it is effectively the data subject who has requested to exercise their rights.
Should you have any questions about the application of the principles or (legal) obligations on the part of the organisation, do not hesitate to contact Petra Vervoort, HR manager at email@example.com or by contacting her by telephone on 03/310 02 12.
In principle, the organisation will respond to the data subject’s request within a month. If this is not the case, the organisation will inform the data subject why the request has not been acted upon or cannot be followed up in time. The organisation will do its utmost to inform the recipients of the data subject's personal data about the data subject's exercise of the rights of rectification, erasure or restriction of processing.
9. Data subject’s responsibilities
The organisation expects its employees to respect this policy and to ensure that it is complied with by those for whom they are responsible.
It is of crucial importance that employees understand the aims of this policy and become familiar with them in order for them to be able to comply with the provisions in this policy. Employees must therefore:
- Seek advice from their supervisor, or from the data protection officer in the event of any doubt about the application of this policy or about compliance with data protection legislation in the performance of their duties.
- Only process personal data as required for the performance of their duties/on behalf of the organisation.
- Follow training on the confidential processing of personal data and the general principles and obligations resulting from data protection legislation.
- Provide assistance to the data protection officer.
- Not store copies of personal data on their desktop or on personal media when the organisation's centralised and secure storage exists, as retaining their own files or copies may lead to inaccurate personal data and a higher risk of breaches.
- Immediately inform the data protection officer if they become aware of a potential or effective violation of personal data or data protection legislation.
All entities that form part of the organisation’s group of companies ensure that this policy is complied with. Anyone with access to personal data processed by the organisation must comply with this policy. Non-compliance with this policy may lead to disciplinary measures/sanctions, such as a warning, dismissal or any other sanction permitted by law, without prejudice to the right to bring civil or criminal claims.
11. Audit and review
The organisation reserves the right to adjust and review this policy if it deems it necessary and in order to continue to comply with legal obligations and/or recommendations by the competent supervisory data protection authority.
The organisation informs the individual/department in charge of data protection when it is unable to comply with this policy due to compelling legal provisions imposed on the organisation.
12. Entry into force
This policy shall apply as of 25 May 2018.
13. Technical and organisational security measures
- Security directive
- Raising awareness among staff by providing information and training
- Procedure for reporting physical/technical incidents (in 2018)
- Disciplinary consequences after non-compliance with one of the measures
- Back-up system
- Measures after fire, break-in or water damage or physical/technical incidents
- Access control (physical and logical)
- Password policy
- User ID policy
- Login system, access detection and analysis
- Network security
- Monitoring, inspection and maintenance of the systems
- Encryption of personal data
- Pseudonymisation of personal data