GDPR Policy
Because AMDAX serves both Dutch and international clients, we have drawn up our legal documents in English. Within AMDAX, English is the default language for legal communication, so the English contracts are leading. If you have any questions about one of the documents, we are always ready to answer them, of course (also) in Dutch.
In the performance of its work, AMDAX collects certain personal information about individuals, for example about its customers, employees, partners and suppliers.
This policy describes how this personal information is collected, processed and stored and how it complies with the relevant legislation and regulations and with the data protection standards set by AMDAX.
This policy ensures that AMDAX:
This policy helps protect AMDAX against data security risks such as:
Everyone who works at or for AMDAX has a responsibility to ensure that data collection, processing and retention are done properly. Everyone within AMDAX who comes into contact with personal data must guarantee that the processing is in line with this policy and the data protection principles.
The EU General Data Protection Regulation 2016/679 (hereafter GDPR), which has direct effect in the Netherlands, describes how companies such as AMDAX may and must collect, process and store personal data. These rules apply regardless of whether the data is processed electronically, on paper or in another way.
This privacy policy follows the definitions used in the GDPR.
Personal data is defined in the GDPR as ‘any information relating to an identified or identifiable natural person’. The starting point is that a natural person is considered identifiable if he or she can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
In the GDPR, the processing of personal data is understood to mean: ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’.
The data subject (the person concerned) is the person to whom the personal data relate.
The controller is a natural or legal person, a government agency, a service or another body that, alone or together with others, determines the purposes and means of the processing of personal data; where the purposes and means of this processing are laid down in EU or national law, that law may determine who the controller is or the criteria for designating it.
The processor is a natural or legal person, a government agency, a service or another body that processes personal data on behalf of the controller.
To comply with laws and regulations, the following principles regarding the processing of personal data must be met:
Personal data may only be processed if at least one of the following conditions is met:
If the basis for ‘consent’ is chosen, AMDAX must be able to demonstrate that the person concerned has given this permission, for example by means of a written record. The consent must be given by the person concerned in a free, specific, informed and unambiguous manner.
Permission to process personal data can be withdrawn by the data subject. Such a withdrawal has no retroactive effect. The processing must be stopped after withdrawal of the permission, unless the processing can be based on another basis as referred to in the list above.
Transparent information about processing. AMDAX provides the person concerned with the following information:
The above information is provided in writing or by other means, including, if appropriate, electronic means.
The data subject has the right to obtain information from AMDAX about whether or not they are processing personal data concerning him and, if that is the case, to have access to those personal data and the following information:
When personal data is transferred to a third country or an international organization, the data subject has the right to be informed of the appropriate safeguards, in accordance with the GDPR, that apply to the transfer.
AMDAX provides the data subject with a copy of the personal data that is being processed at the request of the person concerned. If the person concerned requests additional copies, AMDAX may charge a reasonable fee based on the administrative costs. If the person concerned submits his request electronically, and does not request another method of delivery, the information is provided in a conventional electronic form.
The Annex – Procedure for rights of data subjects contains a procedure with regard to the processing of requests from data subjects with regard to the rights that the data subjects have under the GDPR.
AMDAX only collects and processes personal data for specific, explicitly described and justified purposes. AMDAX will not use the personal data for a purpose other than the predetermined purpose, unless the use is compatible with the original purpose for which the data was collected. Whether or not there is compatibility depends on:
AMDAX only processes personal data to the extent that this is necessary for processing purposes. This means that AMDAX only uses the personal data that is necessary to achieve the goal. Subsidiarity is also taken into account: if the goal can also be achieved through another way, with less infringement of privacy, AMDAX will use this other way.
The GDPR requires AMDAX to take reasonable measures to ensure that the data is accurate and correct. The more important the personal data is, the more effort is required from AMDAX to ensure accuracy. It is AMDAX’s responsibility to take reasonable measures to ensure that the data is as accurate as reasonably possible. To this end, AMDAX takes the following measures:
The data subject can also request AMDAX to rectify incorrect personal data without delay. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed.
The Annex – Procedure for rights of data subjects contains a procedure with regard to the processing of requests from data subjects with regard to the rights that the data subjects have under the GDPR.
AMDAX stores the personal data in a form that makes it possible to identify the data subjects no longer than is necessary for the purposes for which the personal data is processed.
The person concerned can also request AMDAX to delete his personal data. AMDAX must then delete the personal data without unreasonable delay, for example when the personal data is no longer needed for the purposes for which it was collected or otherwise processed.
The Annex – Procedure for rights of data subjects contains a procedure with regard to the processing of requests from data subjects with regard to the rights that the data subjects have under the GDPR.
By taking appropriate technical or organizational measures, AMDAX must process the personal data in such a way that adequate security is guaranteed, and that they are protected against, inter alia, unauthorized or unlawful processing and against accidental loss, destruction or damage. AMDAX has taken various measures to this end.
The following general guidelines with regard to data processing apply within AMDAX:
Employees protect the data by taking reasonable precautions and following the following guidelines:
This section describes the protection measures that AMDAX has taken with a view to protecting personal data.
When the data is stored electronically, the data must be protected against unauthorized access, accidental deletion of data and malicious hacking of the electronic storage location. The following assumptions apply to electronic storage:
In the context of access security, authentication (who is it?) and authorization (what is the person allowed to do?) in particular play an important role. The authentication and authorization of every employee must be recorded, so that when the employee leaves the company, his rights to the relevant systems can be withdrawn.
All data must be protected with a combination of a login and a strong password, which is changed periodically and is not shared with unauthorized persons.
When the data is stored on an external carrier (such as a CD or a USB stick), this carrier must be stored in a locked cupboard. If the external data carriers are no longer used, they must be destroyed or formatted. When formatting, the carrier must be formatted several times, because the data can still be reconstructed after a single formatting pass.
All servers and computers are protected with security software, virus scanners, anti-malware and/or a firewall. All software, including browsers, virus scanners and operating systems, is kept up to date.
Data must always be stored on designated disks/servers, and may only be uploaded to AMDAX-approved cloud computing servers, (managed) hosting parties or third-party software.
Systems that are ‘end-of-support’ or ‘end-of-life’ are replaced by AMDAX with other systems. This prevents working with systems for which support is no longer available and whose security is no longer maintained.
Personal information may be lost due to natural disasters, accidents, equipment failure or intentional acts. To mitigate this risk, backups are made of all relevant data.
The frequency of the backups must be appropriate for the data that is being backed up. The retention period of the backups and the storage location of the backup are also important. The retention period must be appropriate for the data that is being backed up. As for the storage location, a backup is not stored in the same location as the original data.
Data stored on paper is stored in a place where unauthorized persons cannot view, reproduce or take the papers.
The following principles apply to paper storage:
AMDAX does not, in principle, process special categories of personal data as referred to in the GDPR. Special categories of personal data include a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a person, data concerning health, and data concerning a person’s sex life or sexual orientation.
If special categories of personal data are nevertheless processed, this will only be done under the following condition(s):
AMDAX has established the following procedure for the timely and effective handling of information security incidents and security vulnerabilities as soon as they are reported.
The lessons learned from the incidents handled are used to structurally improve security where possible.
If a follow-up procedure following an information security incident includes legal measures (civil or criminal), the evidence is collected, stored and presented in accordance with the rules for evidence established for the relevant jurisdiction. The management board will take on these tasks and, if necessary, call in external expertise for this.
Following an information security incident, the management of AMDAX assesses the risks for those involved. It is also considered whether the incident must be reported to the person(s) involved and/or the relevant supervisory authority. For this, see the ‘personal data breach’ section.
Under the GDPR, a ‘personal data breach’ is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise processed.
If a personal data breach has taken place, AMDAX will report this without undue delay and, where feasible, no later than 72 hours after having become aware of it, to the Dutch Data Protection Authority (and also to the AFM if the breach also qualifies as an ‘incident’ in accordance with AMDAX’s incident policy), unless the personal data breach is unlikely to pose a risk to the rights and freedoms of natural persons.
Whether the personal data breach constitutes a risk to the rights and freedoms of natural persons depends on the following factors:
If the report to the Dutch Data Protection Authority does not take place within 72 hours, AMDAX provides a good explanation for the delay.
The notification shall at least describe or communicate the following:
If the personal data breach is likely to pose a high risk to the rights and freedoms of natural persons, AMDAX shall immediately inform the data subject of the personal data breach.
The communication to the person concerned contains a description, in clear and simple language:
The communication to the data subject is not required if one of the following conditions is met:
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) may also oblige AMDAX to report the personal data breach to the data subject.
The following procedure is used within the organization of AMDAX with regard to a personal data breach:
Determination of the infringement by:
If AMDAX uses processors, an attempt will always be made to make agreements about reporting data breaches that occur at a processor. The starting point here is that the processor provides AMDAX with all information about the security incident, after which the (possible) report will be made by AMDAX.
AMDAX also outsources the processing of personal data to processors. AMDAX ensures that these processors offer sufficient guarantees with regard to technical and organizational security measures with regard to the processing of personal data.
AMDAX enters into a processor agreement with each processor, stating that the processing is done in accordance with the GDPR, that the processor has implemented sufficient technical and organizational security measures, and that the processor informs AMDAX of any information security incidents.
The agreement is recorded in writing (or in another, equivalent form).
Because AMDAX uses one or more processors, it is possible that data will be transferred to countries outside the Netherlands. Within the European Union and the European Economic Area, the level of data protection is the same, and personal data can be transferred without any problems, provided that all other legal obligations are met by AMDAX and the processor.
Data traffic with countries outside the European Union and the European Economic Area is only permitted by law if that country guarantees an adequate level of protection. The European Commission has published a list of countries that offer an adequate level of protection. One of the countries on the list is the United States, but only for transfer of data on the basis of the ‘EU-US Privacy Shield’. Companies in the US can be certified under the Privacy Shield since August 1, 2016, after which they are entered in a register. Every certified company in the US is deemed to have an appropriate level of protection for the duration of the certification.
Data traffic with countries without an adequate level of protection is only possible under certain conditions as stated in the GDPR, for example with the express consent of the person(s) involved.
Under the GDPR, those involved have various options for standing up for themselves when their personal data is processed. AMDAX has set up various procedures so that requests from various people exercising their rights can be responded to correctly.
Under the GDPR, the parties involved have the following rights:
A data subject can request AMDAX in various ways (for example, verbally, by telephone or by mail) to inspect the personal data of this data subject.
It must first be verified whether the person making the request is actually the person concerned, for example by asking for (a copy of) proof of identity.
If the person can prove that he is indeed the person concerned, AMDAX will provide the following information in writing and in a safe manner to the person concerned:
It is important that only data from the requesting data subject is shared, and not data from others.
The data subject can also request AMDAX to view the personal data that is processed about him/her. AMDAX then provides the data subject with a copy of the personal data that is being processed. If the person concerned requests additional copies, AMDAX may charge a reasonable fee based on the administrative costs. If the person concerned submits his request electronically and does not request another arrangement, the information is provided in a conventional electronic form (if possible and/or necessary, also secured).
AMDAX responds to the request of the person concerned as quickly as possible, and within 1 month at the latest. If it takes more time to collect the data, AMDAX must make this known to the data subject.
A data subject can request AMDAX in various ways (for example, verbally, by telephone or by email) to rectify and supplement the personal data that AMDAX processes of the data subject.
It must first be verified whether the person making the request is actually the person concerned, for example by asking for (a copy of) proof of identity.
The data subject must be clearly asked which information is incorrect and/or incomplete and how this information must be corrected and/or supplemented.
The changes must be clearly written and submitted to the person concerned for assessment and signature.
If the person concerned has signed the rectification and/or supplement, the document must be added to the file of the person concerned and the data must be adjusted in accordance with the signed document.
If AMDAX has also provided incorrect or incomplete personal data to third parties, AMDAX must also pass on the adjusted or supplemented data to these organization(s). If a person asks for it, AMDAX must also tell which organizations have been informed in this way.
AMDAX responds to the request of the person concerned as quickly as possible, and within 1 month at the latest. If it takes more time to collect the data, AMDAX must make this known to the data subject.
A data subject can object to AMDAX in various ways (for example, verbally, by telephone or by mail) to the processing of the personal data that AMDAX processes of the data subject.
It must first be verified whether the person making the request is actually the person concerned, for example by asking for (a copy of) proof of identity.
The data subject must be asked specifically against which processing of personal data the data subject objects.
Unless AMDAX has compelling legitimate grounds for the processing that outweigh the interests, rights and freedoms of the data subject, AMDAX must stop the processing to which the data subject objects. As long as it is not clear whether the grounds of AMDAX weigh more heavily, AMDAX may not process the relevant data; AMDAX must then restrict the processing. If the person concerned objects to the processing of personal data for direct marketing, AMDAX must stop this immediately.
If AMDAX has also provided personal data to third parties, AMDAX must inform these organizations that the data subject has objected to the processing of his/her personal data. If a person asks for it, AMDAX must also tell which organizations have been informed in this way.
AMDAX responds to the request of the person concerned as quickly as possible, and within 1 month at the latest. If it takes more time to collect the data, AMDAX must make this known to the data subject.
A data subject can submit a request to AMDAX in various ways (for example verbally, by telephone or by mail) to limit the processing of the personal data that AMDAX processes of the data subject.
It must first be verified whether the person making the request is actually the person concerned, for example by asking for (a copy of) proof of identity.
The data subject has the right to obtain from AMDAX the restriction of the processing if one of the following elements applies:
If AMDAX has also provided the personal data to other parties, then these organizations must be informed that the use of the data is limited and that this other party must also limit the processing. If a person asks for it, AMDAX must also tell which organizations have been informed in this way.
AMDAX responds to the request of the person concerned as quickly as possible, and within 1 month at the latest. If it takes more time to collect the data, AMDAX must make this known to the data subject.
A data subject can indicate to AMDAX in various ways (for example verbally, by telephone or by e-mail) that he/she wishes to make use of the right to data portability. The right to data portability means that people have the right to receive the personal data that AMDAX holds about them, for example in order to easily transfer the data to another supplier. Data subjects can also request that the data be transferred directly to another organization (if this is technically possible).
It must first be verified whether the person making the request is actually the person concerned, for example by asking for (a copy of) proof of identity.
The data subject must be specifically asked with regard to which personal data he/she makes the request for data portability. The right of the person concerned only relates to digital data (not physical files) that AMDAX processes with the consent of the person concerned or that is processed to perform an agreement with the person concerned. In addition, only data that customers have provided to AMDAX (directly or by using the services/products of AMDAX) needs to be made available. The right to data portability does not relate to derived data that AMDAX itself has generated, such as a profile that AMDAX has drawn up of the data subject. However, the data subject has the right to view this data (see “right to view”).
AMDAX provides the data in a structured, commonly used and machine-readable format.
AMDAX responds to the request of the person concerned as quickly as possible, and within 1 month at the latest. If it takes more time to collect the data, AMDAX must make this known to the data subject.
A data subject can submit a request to AMDAX in various ways (for example, verbally, by telephone or by e-mail) that the personal data that AMDAX processes of the data subject be deleted.
It must first be verified whether the person making the request is actually the person concerned, for example by asking for (a copy of) proof of identity.
The data subject must be specifically asked with regard to which personal data he/she requests deletion. The request can be submitted when:
AMDAX must comply with the request of the person concerned unless:
If AMDAX has also provided the personal data to other parties, these organizations must be informed that the person concerned has requested that the data be deleted and that this other party must also delete the data. If a person asks for it, AMDAX must also tell which organizations have been informed in this way.
AMDAX responds to the request of the person concerned as quickly as possible, and within 1 month at the latest. If it takes more time to collect the data, AMDAX must make this known to the data subject.
The person concerned has the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or otherwise significantly affects him. If the person concerned invokes this right, this means that AMDAX must take a new decision in which a human being has assessed the data.
A person concerned can make a request to AMDAX in various ways (for example, verbally, by telephone or by e-mail) regarding the right to human intervention.
It must first be verified whether the person making the request is actually the person concerned, for example by asking for (a copy of) proof of identity.
The person concerned must be asked specifically with regard to which decision taken by AMDAX he/she makes the request. If AMDAX has to honor the request, AMDAX takes a new decision in which a human being has assessed the data.
AMDAX responds to the request of the person concerned as quickly as possible, and within 1 month at the latest. If it takes more time to collect the data, AMDAX must make this known to the data subject.