Human Protection International
5026 SP TILBURG
Tel: +3113 3033000
This includes the following types of personal data:
• Employee personal data
• Patient personal data
• Client personal data
A.3. TERMS AND CONCEPTS USED
B. LEGAL FRAMEWORK
B.1. General Data Protection Regulation
The usage ("processing") of personal data by Human Protection International became subject to the General Data Protection Regulation (GDPR) as of 25 May 2018. As of that day, GDPR replaced the legislative acts that previously applied to personal data.
GDPR applies to:
• “automated” processing of personal data, "automated" being shorthand for processing data through the use of computers or other electronic devices, including smartphones, tablets, digital cameras, or via servers. Frequently found examples include creating a customer database, sending and receiving email, gathering data via a website or app, making camera recordings, or documenting employee data; and
• processing personal data on paper as part of a “structured whole” (in a searchable file).
An example of the latter would be the administration of personnel records in physical folders. Based on GDPR, Human Protection International has been assigned certain responsibilities with regard to the processing of personal data in its role as a “responsible party”. Based on GDPR, the persons to whom the data relates (the “relevant parties”) are granted certain rights and obligations with regard to the processing of their data. This policy describes those rights and obligations in general terms.
B.2. OTHER SPECIFIC LEGISLATION AND REGULATION
In certain specific situations, such as the usage of employee personal data, medical data, or judicial data, additional legislation and regulation may be applicable.
C. BASIC CONCEPTS
In general, personal data should be handled “with care”. This means that Human Protection International employees performing their daily activities must take care to ensure that privacy legislation stipulated by GDPR is taken into account.
C.2. GATHERING, RECEIVING, AND INTERNALLY USING PERSONAL DATA
When gathering/creating personal data, receiving personal data from external parties and further processing that data internally within Human Protection International, Human Protection International assesses whether, and to what extent, personal data may be used.
At least the following issues are taken into account when making that assessment (Appendix 1 lists the terms and concepts referred to):
• Does the data involve “specific personal data”? Then this data may only be gathered, received, and processed based on legal exceptions. If the specific personal data may be processed under relevant legislation, this personal data should be treated with the utmost care.
• Does the data involve children (individuals aged 15 or younger)? Then this data should also be treated with the utmost care. The data is also subject to additional regulations.
• What are the “legal grounds” for gathering, receiving, and using the data? All types of processing (any type of usage) must be legally grounded.
• What are the objectives for which the personal data is gathered, received, and processed? These objectives must be clear.
• Is it necessary that personal data is gathered, received, or processed in order to accomplish the established objectives? If the established objectives, or objectives compatible with them, do not require the personal data to be processed, then the data should not be gathered, received, or processed.
• Does the company make use of “exclusively automated individual decision-making”, including profiling, which has legal consequences for the parties involved or significantly affects those persons in another manner? This is only permissible under particular circumstances.
Where necessary, Human Protection International applies a privacy assessment in order to answer the questions listed above.
C.3. PROCESSING OVERVIEW
Human Protection International maintains an internal overview of the various processing instances for which Human Protection International can be designated the responsible party. Where Human Protection International can be designated the “processor” or “handler” of certain personal data, an overview of the processing instances for which Human Protection International can be designated the processor or handler is also kept.
Employees of It Fits Human Protection keep all personal data confidential, and only use this data as it pertains to their activities for Human Protection International. They enter into a written agreement with Human Protection International to this end.
C.5. DATA QUALITY
Personal data is kept accurate, complete, and up-to-date as best as possible.
C.6. PRIVACY BY DESIGN AND BY DEFAULT
When developing (new) products or services, including IT systems, the concepts of “privacy by design” and “privacy by default” are applied whenever possible.
Privacy by design is shorthand for safeguarding personal data whenever possible, for example by pseudonymising data, as well as ensuring data minimisation and compliance with privacy legislation and regulations.
Privacy by default is shorthand for ensuring that, in principle, only necessary personal data is used, considering the amount of personal data, the way in which data is used, data storage periods, and data accessibility. Measures must ensure that, in principle, no personal data can be made available to an unlimited public, e.g. via the internet, without the intervention of an employee of Human Protection International.
C.7. PIAs (PRIVACY IMPACT ASSESSMENTS) AND PRIVACY ASSESSMENTS
A privacy impact assessment (PIA) is carried out when high-risk personal data is used. This includes at least: large-scale use of specific personal data; automated individual decision-making, including profiling, which has legal consequences for the parties involved or significantly affects those persons in another manner; and large-scale systematic monitoring of a public space.
New projects which involve the processing of personal data must undergo a privacy assessment in order to establish whether they meet privacy regulations.
The DPF is involved in the implementation of PIAs and privacy assessments.
C.8. EXTERNAL USAGE OF PERSONAL DATA
In principle, Human Protection International only uses personal data for its own purposes.
In certain cases, it may be necessary to transfer personal data to external parties. When transferring personal data to external parties, the following considerations determine whether, and under what conditions, such a transfer is permitted:
• Can the external party be designated a “processor” who only acts on behalf of Human Protection International where the reception and usage of personal data is concerned? Then Human Protection International and said external party enter into a processor agreement, which stipulates how personal data should be used by said external party. Such parties are not allowed to use the personal data supplied by Human Protection International for their own objectives.
• Can the external party be designated a “responsible party” – e.g. an insurance company under contract with Human Protection International? Then it should first be determined whether the transfer of personal data to this external party is in compliance with the established objectives, which personal data is required, and whether there are legal grounds for the transfer of data. Where possible, the conditions of the transfer of personal data are defined by establishing agreements.
• With regard to the processing of relevant personal data, can the external party be designated a responsible party in tandem with Human Protection International? Then the agreements regarding personal data are documented in a contract between Human Protection International and the other responsible party.
• Is the external party a government agency? In principle, Human Protection International only transfers personal data to government agencies if Human Protection International is legally obligated to do so. In certain specific situations, however, Human Protection International may be required to transfer personal data to a government agency even if there is no legal requirement. An example would be the transfer of data on an individual to the police in case Human Protection International were to file a criminal report against this individual. No more than the required data is transferred.
C.9. TRANSFER TO NON-EEA COUNTRIES
If personal data is transferred to a country outside the European Economic Area (“EEA” – which includes all countries in the European Union, Norway, Iceland, and Liechtenstein) which does not offer a suitable level of privacy protection, measures are taken to ensure this transfer becomes legally possible.
C.10. SECURITY AND DATA LEAKS
Personal data must be secured appropriately in both technical and organisational terms, while taking into account the nature of the data, the risks associated with using the personal data, the costs of security, and the state of technology. To this end, Human Protection International has implemented a security policy.
In case of any data leaks involving personal data, these leaks are reported to the Dutch Personal Data Authority and any persons involved where necessary. Exceptional circumstances may occur which result in no report being filed.
C.11. RETAINING PERSONAL DATA
Personal data is not retained for longer than is necessary to accomplish the objectives for which the data was gathered. Where appropriate, a retention policy or protocol is implemented.
C.12. RIGHTS OF INDIVIDUALS
The persons to whom relevant personal data relates may exercise certain rights with regard to their personal data with respect to Human Protection International.
These rights include:
• Being provided with an overview of relevant personal data in an accessible format.
• Being provided with information regarding the usage of relevant personal data by Human Protection International.
• Being provided with a copy of relevant personal data.
• In certain cases, being provided with relevant personal data in a structured, common, and electronically readable format and, on request, having the aforementioned sent to another “responsible party”.
• Requesting corrections of incorrect data and supplementations of incomplete data.
• In certain cases, requesting the removal of relevant personal data.
• In certain cases, requesting “restrictions” on the processing of relevant personal data.
• In certain cases, formally objecting to the processing of relevant personal data.
• Where personal data is used for direct marketing objectives, individuals may always object and have this type of usage halted.
• In principle, withdrawing any previously given consent.
• Filing a complaint with the Dutch Personal Data Authority.
In certain cases, Human Protection International may deny a request, for example if an individual were to request the deletion of certain personal data which is legally subject to an ongoing retention period. Human Protection International will notify individuals if this is the case. Where applicable, a protocol with regard to handling requests by individuals is implemented.
C.13. INFORMING INDIVIDUALS
Where necessary, individuals are notified with regard to the use of their personal data, e.g. by way of privacy statements.
C.14. PROTOCOLS / GUIDELINES / BEHAVIOURAL CODES
When using personal data that is fundamental in nature or undertaking any other activity which significantly impacts a person’s privacy, these processes are documented in a protocol, guideline, or behavioural code which explains how to deal with data and privacy.
C.15. TRAINING AND AWARENESS
Human Protection International attempts to create as much awareness as possible with respect to dealing with personal data. Where appropriate, training sessions are provided in order to inform employees.
C.16. DATA PROTECTION FUNCTIONARY ("DPF")
Human Protection International has assigned a "Data Protection Functionary" ("DPF"). The DPF is (at least) the go-to for questions about the usage of personal data (both for Human Protection International employees and relevant parties), offers advice on planned PIAs and oversees compliance in that respect, offers support for projects which involve the use of personal data, and internally monitors the usage of personal data by Human Protection International. The assigned DPF is Mara van der Ven, board member.
If any relevant individual has a complaint about the use of their personal data, they may file a complaint indicating so with Human Protection International. To that end, a point of contact is assigned, either per category of individuals or of personal data where appropriate. The DPF is notified of such complaints.
If the complainant and the point of contact (with the assistance of the DPF) are unable to mutually resolve the complaint, the individual may escalate the complaint to the manager of the point of contact or to the DPF. If neither the manager nor the DPF is able to resolve the complaint submitted by the complainant, the complaint may be escalated to management.
If management is unable to resolve the complaint, the individual concerned may decide to request court proceedings or to ask the Dutch Personal Data Authority to mediate. All complaints are registered in the assigned system.
Specific complaints mechanisms, such as those for employees or consumers, supersede the complaints mechanism specified in this article.
APPENDIX 1 – TERMS AND CONCEPTS
Personal data: any data (information) relating to an identified or identifiable individual.
Exclusively automated individual decision-making: a form of decision-making regarding a relevant party which is established through automated means only, meaning no human agency is involved in this decision-making.
Specific personal data: this term indicates the following types of data:
a. relating to health,
b. relating to race or ethnicity,
c. relating to religion or philosophy,
d. relating to sexual behaviour or orientation,
e. relating to political opinion,
f. relating to union membership,
g. relating to genetic characteristics,
h. relating to biometric characteristics used for identification.
The social security number (or national insurance number, or similar) and data on crime or criminal justice are defined as specific personal data which may only be used in the cases of exception specified in GDPR.
Responsible party: the “responsible party” is whichever party decides what should happen to the personal data and how this should be accomplished (deciding the “ends and the means”).
Relevant party: a “relevant party” is an individual connected to the personal data.
Processing: “processing” is defined as any action involving the personal data. Such actions include: gathering, recording, ordering, structuring, storing, editing or altering, requesting, using, providing through transfer, disseminating, combining, guarding, deleting, or destroying.
Legal basis/grounds: any instance of processing of personal data requires one of the following grounds (also known as legal grounds):
a. informed, freely given, and specific consent,
b. a requirement for the preparation for or implementation of an agreement with or on behalf of a relevant party,
c. a requirement for meeting the legal obligations placed on the responsible party,
d. a requirement for protecting the vital interests of the relevant party (or other individual),
e. a requirement for fulfilling a task of general importance or a task in context of the performance of public authority vested in the responsible party, or
f. a requirement for a justified interest of the responsible party or a third party superseding the interest of the relevant party.