This includes the following types of personal data:
- Personal data of consumers (customers)
- Personal data of employees
- Personal data of website visitors of FLON International B.V.
- Personal data of app users
- Personal data of (employees of) suppliers
A.3. TERMS USED
B. LEGAL FRAMEWORK
B.1. GENERAL DATA PROTECTION REGULATION
The General Data Protection Regulation (“GDPR”; in Dutch: “AVG”) applies to the use (“processing”) of personal data by FLON International B.V. as of 25 May 2018. From that day on, the GDPR replaces the Dutch Personal Data Protection Act (“Wbp”).
The GDPR applies to:
- “automated” processing of personal data; “automated” is, in short, processing via a computer or another electronic device such as a smartphone, tablet, digital camera or server. Common examples include building customer databases, sending and receiving emails, collecting data through a website or an app, taking camera images and recording employee data;
- processing personal data on paper in an “ordered whole” (a searchable file).
An example of the latter is the physical folder administration of personnel files.
Pursuant to the GDPR, FLON International B.V., as a “controller”, has certain obligations regarding the processing of personal data. The persons whose data are involved (the “data subjects”) have certain rights under the GDPR with regard to the processing of their personal data. This policy describes in general terms what those obligations and rights are.
B.2. OTHER SPECIFIC LAWS AND REGULATIONS
In certain specific situations, such as for the use of personal data of employees, medical data or criminal personal data, additional laws and regulations may apply.
C. BASIC PRINCIPLES
In general, personal data must be handled “carefully”. Employees of FLON International B.V. therefore keep the privacy rules of the GDPR in mind when using personal data in their day-to-day work.
C.2. COLLECTION, RECEIVING AND INTERNAL USE OF PERSONAL DATA
When collecting or creating personal data, receiving personal data from external parties and further processing them internally within FLON International B.V., FLON International B.V. assesses whether this is allowed and, if so, how far the use may go.
At least the following questions are taken into account (Appendix 1 explains the terms used):
- Does it concern “special personal data”? If so, these may only be collected, received and processed on the basis of a legal exception. If the special personal data may be processed, extra care must be taken with them.
- Does it concern personal data of children (persons under the age of 16)? If so, extra care must be taken with the data and additional rules apply.
- Is there a “basis / legal basis” for collecting, receiving and using the personal data? There must be a basis / legal basis for every processing (every type of use).
- For what purposes are the personal data collected, received and processed? The purposes must be clear.
- Is it necessary to collect, receive and further process the personal data for the determined purposes? If it is not necessary for those purposes or for compatible purposes, the data should not be collected, received or processed.
- Is “exclusively automated individual decision-making”, including profiling, used which has legal effects on the persons concerned or which otherwise significantly affects them? This is only allowed under certain conditions.
Where necessary, FLON International B.V. carries out a privacy test to answer the above questions.
C.3. PROCESSING OVERVIEW
FLON International B.V. maintains an internal overview of the various processing operations for which FLON International B.V. can be regarded as responsible. If FLON International B.V. can be regarded as a “processor” of certain personal data, an overview is also kept of the processing operations for which FLON International B.V. can be regarded as a processor.
Employees of FLON International B.V. keep the personal data confidential and only use them in the context of their work for FLON International B.V. They commit themselves to this in writing to FLON International B.V.
C.5. DATA QUALITY
Personal data is kept accurate, complete and up-to-date as much as possible.
C.6. PRIVACY BY DESIGN AND BY DEFAULT
When developing (new) products or services, including IT systems, “privacy by design” and “privacy by default” are used as much as possible.
In summary, privacy by design means that where possible, the protection of personal data is taken into account, for example by pseudonymising data, and that data minimization and compliance with privacy rules are ensured.
In summary, privacy by default means ensuring that, as a starting point, only the necessary personal data are used, with regard to the amount of personal data, the way in which they are used, the period for which they are stored and their accessibility. The measures must ensure that, as a starting point, the personal data are not made available to an unlimited public (for example on the internet) without the intervention of an employee of FLON International B.V.
C.7. PIAs (PRIVACY IMPACT ASSESSMENTS) AND PRIVACY TESTS
When personal data are used in a way that carries a high risk, which in any case includes the large-scale use of special personal data, automated individual decision-making (including profiling) that has legal consequences for the persons concerned or otherwise significantly affects them, or the large-scale systematic monitoring of a public space, a privacy impact assessment (PIA) is carried out.
In new projects where personal data are processed, a privacy test is done to determine whether the privacy rules are being complied with.
The DPO is involved in the performance of the PIA and the privacy test.
C.8. EXTERNAL USE OF PERSONAL DATA
The starting point is that FLON International B.V. only uses the personal data for its own purposes.
In certain cases, however, it may be necessary to pass on personal data to external parties. When passing on personal data to external parties, it must be considered whether this is possible and, if so, under what conditions:
- Can the external party be regarded as a “processor” who acts exclusively on behalf of FLON International B.V. when receiving and using the personal data? If so, agreements are made with such a party in a processor agreement about how they handle the personal data. Such parties are not allowed to use the personal data for their own purposes.
- Can the external party itself be regarded as a “controller” (responsible party), for example the insurer of FLON International B.V.? If so, it must be tested whether the transfer of personal data to this external party corresponds with the established purposes, which personal data are necessary for this, and whether there is a basis for the transfer of the data. Where possible, agreements are made about the exchange of personal data.
- Can the external party be regarded as a joint controller together with FLON International B.V. for the relevant processing of personal data? If so, the agreements about the personal data are recorded in an agreement between FLON International B.V. and the other controller.
- Is the external party a government agency? As a starting point, FLON International B.V. only passes on personal data to government authorities when it is legally obliged to do so. In certain specific situations, however, it may also be necessary for FLON International B.V. to pass on personal data to a government agency where there is no legal obligation. An example of this is passing on data about a person to the police when FLON International B.V. files a report against that person. No more data is passed on than necessary.
C.9. TRANSFER OUTSIDE THE EEA
If personal data is transferred to a country outside the European Economic Area (“EEA”; the EEA consists of the countries of the European Union, Norway, Iceland and Liechtenstein) where there is no adequate level of privacy protection, measures will be taken to make that transfer legally possible.
C.10. SECURITY AND DATA BREACHES
Personal data must be technically and organisationally secured in an appropriate manner, taking into account the nature of the personal data, the risks of the use of the personal data, the costs of security and the state of the art. FLON International B.V. applies a security policy for this.
If data breaches occur involving personal data, these will be reported, if necessary, to the Dutch Data Protection Authority and the persons involved. There may be special circumstances under which reporting does not take place.
C.11. STORAGE OF PERSONAL DATA
Personal data is not kept longer than is necessary for the purposes for which it was collected. Where applicable, a retention policy and / or protocol is drawn up.
C.12. RIGHTS OF THE PERSONS
The persons whose personal data are involved may exercise certain rights towards FLON International B.V. with regard to their personal data.
It concerns the following rights:
- Receive an overview in an understandable form of the personal data.
- Receive information about the use of personal data by FLON International B.V.
- Receive a copy of the personal data.
- In certain cases, to obtain the data in a structured, commonly used and machine-readable form and to have it forwarded to another “controller” upon request.
- Correction of incorrect data and addition of incomplete data.
- In certain cases, request the deletion of their personal data.
- In certain cases to request “restriction” of their personal data.
- In certain cases to object to the processing of their personal data.
- When using personal data for direct marketing purposes, the person may always object and that use will be discontinued.
- As a starting point, to withdraw consent once given.
- To submit a complaint to the Dutch Data Protection Authority.
In certain cases, FLON International B.V. may decline a request, for example if the person requests the deletion of certain personal data that still need to be kept to comply with a legal obligation. FLON International B.V. then informs the person of this. Where applicable, a protocol is created for dealing with the requests of individuals.
C.13. INFORMING PERSONS
Where necessary, the persons are informed about the use of their personal data, for example by means of privacy statements.
C.14. PROTOCOLS / GUIDELINES / CODES OF CONDUCT
When personal data are used in a far-reaching manner, or another activity significantly affects the privacy of the persons, a protocol, guideline and / or code of conduct is drawn up as a starting point, which specifies how the data and privacy are handled.
C.15. TRAINING AND “AWARENESS”
FLON International B.V. tries to create as much “awareness” as possible about how personal data should be handled. Where applicable, training courses are provided to inform employees.
C.16. DATA PROTECTION OFFICER (“DPO”; in Dutch “FG”)
FLON International B.V. has a “Data Protection Officer” (“DPO”). The DPO serves (at least) as a source of information for questions about the use of personal data (both for employees of FLON International B.V. and for the data subjects), provides advice on PIAs to be carried out and supervises compliance with them, supports projects in which personal data are used, and internally monitors the use of personal data by FLON International B.V.
If a person whose personal data is involved has a complaint about the use of his or her personal data, the person can submit a complaint about this to FLON International B.V. A contact point is designated for this, where applicable per category of persons or personal data. The DPO will be informed of the complaint. If the complainant and the contact point (with the help of the DPO) are unable to resolve the complaint mutually, the person can escalate the complaint to the manager of the contact point or to the DPO. If the manager or the DPO is unable to resolve the complaint with the complainant, the complaint can be escalated to management. If management cannot resolve the complaint, the person may decide to ask the court for a decision or ask the Dutch Data Protection Authority for mediation. Specific complaints regulations, such as those for employees or consumers, take precedence over this complaints procedure.
APPENDIX 1 – TERMS
Personal data: this is data (information) relating to an identified or identifiable person.
Only automated individual decision-making: this is decision-making about the data subject that is exclusively made automatically, so without a human being involved in that decision-making.
Special personal data: these are the following types of personal data:
a. about health,
b. about a person’s race or ethnic background,
c. about someone’s religion or beliefs,
d. about someone’s sexual behavior or orientation,
e. about someone’s political opinions,
f. about a person’s union membership,
g. genetic characteristics,
h. biometric features intended to identify someone.
The BSN (Dutch citizen service number) and criminal data are also special personal data that may only be used if an exception in the GDPR applies.
Responsible party: the “controller” is the party who determines what happens with the personal data and how this is done (it determines the “purpose and means”).
Data subject: a “data subject” is a person to whom the personal data relates.
Processing: a “processing” is an action with the personal data. This includes: collecting, recording, organizing, structuring, storing, updating or changing, retrieving, consulting, using, providing by means of forwarding, distributing, combining, blocking, deleting or destroying.
Basis / legal basis: for any processing of personal data, one of the following grounds (also known as “legal grounds”) is required:
- informed, free and specific consent,
- because it is necessary for the preparation or performance of an agreement with or for the benefit of the data subject,
- because it is necessary to comply with a legal obligation incumbent on the controller,
- because it is necessary to protect the vital interests of the data subject (or another person),
- because it is necessary for the performance of a task carried out in the public interest or a task in the exercise of official authority vested in the controller, or
- because it is necessary for a legitimate interest of the controller or a third party that takes precedence over the interest of the data subject.