Introduction

In the performance of its work, AMDAX collects certain personal information about individuals, for example about its customers, employees, partners and suppliers.

This policy describes how this personal information is collected, processed and stored and how it complies with the relevant legislation and regulations and with the data protection standards set by AMDAX.

Why this policy?

This policy ensures that AMDAX:

• Complies with laws and regulations regarding the protection of personal data;
• Protects the rights of customers, employees, partners and suppliers;
• Is transparent in the way in which it stores and processes personal data;
• The risk of an infringement with regard to personal data mitigates as much as reasonably possible.

Data protection risks

This policy helps protect AMDAX against data security risks such as:

• The risk of a breach of trust, for example because the data has been unlawfully made public;
• The risk that the rights of a data subject are not respected, for example the right to view or change (or have changed) their own data;
• The risk of reputation damage, for example because hackers have successfully gained unlawful access to privacy-sensitive information.

Responsibilities

Everyone who works at or for AMDAX has a responsibility to ensure that data collection, processing and retention are done properly. Everyone within AMDAX who comes into contact with personal data must guarantee that the processing is in line with this policy and the data protection principles.

Data processing

The EU General Data Protection Regulation 2016/679 (hereafter GDPR), which has direct effect in the Netherlands, describes how companies such as AMDAX may and must collect, process and store personal data. These rules apply regardless of whether the data is processed electronically, on paper or in another way.

Definitions

This privacy policy is in line with the definitions used in the GDPR policy.

• personal data

Personal data is defined in the GDPR as ‘all information about an identified or identifiable natural person’. The starting point is that a person is considered identifiable if a natural person can be identified directly or indirectly, in particular on the basis of an identifier such as a name, an identification number, location data, an online identifier or one or more elements that are characteristic for the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.

• processing

In the GDPR, the processing of personal data is understood to mean: ‘an adjustment or a whole of adjustments with regard to personal data or a whole of personal data, whether or not carried out via automated processes, such as collecting, recording, organizing, structuring, storing, updating or modify, request, consult, use, provide by means of forwarding, distributing or otherwise making available, aligning or combining, shielding, deleting or destroying data ‘.

• person involved 

The person concerned is the person to whom a personal data relates.

• controller 

The controller is a natural or legal person, a government agency, a service or other body that determines, alone or together with others, the purpose of and means for processing personal data; when the objectives and means for this processing are established in EU or national law, they can determine who the controller is or the criteria for designating it.

• processor 

The processor is a natural or legal person, a government agency, a service or another body that processes personal data for the controller.

Principles regarding the processing of personal data

To comply with laws and regulations, the following principles regarding the processing of personal data must be met:

• The personal data must be processed in a manner that is lawful, proper and transparent with regard to the data subject (“legality, fairness and transparency“);
• The personal data must be collected for specified, explicit and legitimate purposes and may not be further processed in a way incompatible with those purposes (“purpose limitation“);
• The personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed (“minimum data processing“);
• The personal data must be correct and, if necessary, updated; all reasonable measures must be taken to immediately delete or correct the personal data that are incorrect in view of the purposes for which they are processed (“correctness“);
• The personal data must be kept in a form that makes it possible to identify the data subjects no longer than is necessary for the purposes for which the personal data is processed (‘storage restriction‘);
• By taking appropriate technical or organizational measures, personal data must be processed in such a way that adequate security is guaranteed, and that they are protected against, inter alia, unauthorized or unlawful processing and against accidental loss, destruction or damage (“integrity and confidentiality“).

Regularity

Personal data may only be processed if at least one of the following conditions is met:

• The data subject has given permission for the processing of his personal data for one or more specific purposes;
• The processing is necessary for the implementation of an agreement to which the data subject is party, or to take measures at the request of the data subject prior to the conclusion of an agreement;
• The processing is necessary in order to comply with a legal obligation that lies with the controller;
• The processing is necessary to protect the vital interests of the data subject or another natural person;
• The processing is necessary for the performance of a task in the public interest or a task in the context of the exercise of public authority assigned to the controller;
• The processing is necessary for the protection of the legitimate interests of the controller or of a third party, except where the interests or fundamental rights and fundamental freedoms of the data subject that outweigh the protection of personal data outweigh those interests, in particular when person is a child.

If the basis for ‘consent’ is chosen, AMDAX must be able to demonstrate that the person concerned has given this permission, for example by means of a written record. The consent must be given by the person concerned in a free, specific, informed and unambiguous manner.

Permission to process personal data can be withdrawn by the data subject. Such a withdrawal has no retroactive effect. The processing must be stopped after withdrawal of the permission, unless the processing can be based on another basis as referred to in the list above.

Transparency

Transparent information about processing. AMDAX provides the person concerned with the following information:

• The identity and contact details of AMDAX;
• The processing purposes for which the personal data are intended, as well as the legal basis for the processing;
• The recipients or categories of recipients of the personal data;
• If applicable, the intention to transfer the personal data to a third country or an international organization.
• The period during which the personal data will be stored, or if that is not possible, the criteria for determining that period;
• Information about the data subject’s right to request AMDAX to inspect and rectify or erase the personal data or limit the processing concerning him, as well as the right to object to the processing and the right to data transferability;
• That the person concerned has the right to lodge a complaint with a supervisory authority; and
• Whether the provision of personal data is a legal or contractual obligation or a necessary condition for concluding an agreement, and whether the data subject is obliged to provide the personal data and what the possible consequences are if this data is not provided.

The above information is provided in writing or by other means, including, if appropriate, electronic means.

Right of inspection of the person concerned

The data subject has the right to obtain information from AMDAX about whether or not they are processing personal data concerning him and, if that is the case, to have access to those personal data and the following information:

• The processing purposes;
• The categories of personal data concerned;
• The recipients or categories of recipients to whom the personal data have been or will be provided, in particular recipients in third countries or international organizations;
• If possible, the period during which the personal data is expected to be stored, or if that is not possible, the criteria to determine that period;
• That the person concerned has the right to request AMDAX to correct or delete personal data, or to limit the processing of personal data concerning him, and to object to such processing; and
• That the person concerned has the right to lodge a complaint with a supervisory authority; and
• If the personal data is not collected from the data subject, all available information about the source of that data.

When personal data is transferred to a third country or an international organization, the data subject has the right to be informed of the appropriate safeguards in accordance with the GPC regarding the transfer.

AMDAX provides the data subject with a copy of the personal data that is being processed at the request of the person concerned. If the person concerned requests additional copies, AMDAX may charge a reasonable fee based on the administrative costs. If the person concerned submits his request electronically, and does not request another method of delivery, the information is provided in a conventional electronic form.

The Annex – Procedure for rights of data subjects contains a procedure with regard to the processing of requests from data subjects with regard to the rights that the data subjects have under the GDPR.

Purpose limitation

AMDAX only collects and processes personal data for specific, explicitly described and justified purposes. AMDAX will not use the personal data for a purpose other than the predetermined purpose, unless the use is compatible with the original purpose for which the data was collected. Whether or not there is compatibility depends on:

• The relationship between the purposes for which the data was collected and the purposes of further processing;
• The context in which the data was collected and the reasonable expectations of the parties involved with regard to further use;
• The nature of the data and the impact of further processing on the data subjects; and
• The safeguards applied by the controller to ensure fair processing and to prevent inappropriate consequences for data subjects

Minimum data processing

AMDAX only processes personal data to the extent that this is necessary for processing purposes. This means that AMDAX only uses the personal data that is necessary to achieve the goal. Subsidiarity is also taken into account: if the goal can also be achieved through another way, with less infringement of privacy, AMDAX will use this other way.

Correctness

The GDPR requires AMDAX to take reasonable measures to ensure that the data is accurate and correct. The more important the personal data is, the more effort is required from AMDAX to ensure accuracy. It is AMDAX’s responsibility to take reasonable measures to ensure that the data is as accurate and accurate as reasonably possible. To this end, they take the following measures:

• The data is stored in as few different places as possible. That way it is easier to maintain the data;
• Employees will use every opportunity to update the data, for example in (daily) contact with the customer;
• If inaccuracies are found in the data, the data must be adjusted accordingly. For example, if a customer or supplier is no longer available on the telephone number known to AMDAX, it will be removed from the database and / or replaced by a correct telephone number.

The data subject can also request AMDAX to rectify it with regard to incorrect personal data without delay. Taking into account the purposes of the processing, the data subject has the right to complete incomplete personal data.

The Annex – Procedure for rights of data subjects contains a procedure with regard to the processing of requests from data subjects with regard to the rights that the data subjects have under the GDPR.

Storage restriction

AMDAX stores the personal data in a form that makes it possible to identify the data subjects no longer than is necessary for the purposes for which the personal data is processed.

The person concerned can also request AMDAX to delete his personal data. AMDAX must then delete the personal data without unreasonable delay, for example when the personal data is no longer needed for the purposes for which it was collected or otherwise processed.

The Annex – Procedure for rights of data subjects contains a procedure with regard to the processing of requests from data subjects with regard to the rights that the data subjects have under the GDPR.

Integrity and confidentiality

By taking appropriate technical or organizational measures, AMDAX must process the personal data in such a way that adequate security is guaranteed, and that they are protected against, inter alia, unauthorized or unlawful processing and against accidental loss, destruction or damage. AMDAX has taken various measures to this end.

General guidelines

The following general guidelines with regard to data processing apply within AMDAX:

• The only people who have access to personal data are those who need it to perform their work.

Employees protect the data by taking reasonable precautions and following the following guidelines:

• Employees use a strong password and do not share their password with others. A strong password contains the following elements:
  • At least 1 capital letter;
  • At least 1 lowercase letter;
  • At least 1 digit;
  • At least 1 symbol;
  • At least 8 characters;
• Employees do not provide data to unauthorized persons, both within and outside the AMDAX organization;
• Employees periodically update the data if it appears that they are no longer correct. If the data is no longer used, it must be deleted.

Appropriate protection measures

This section describes the protection measures that AMDAX has taken with a view to protecting personal data.

Electronic storage of data

When the data is stored electronically, the data must be protected against unauthorized access, accidental deletion of data and malicious hacking of the electronic storage location. The following assumptions apply to electronic storage:

• Access security

In the context of access security, in particular authentication (who is it?) And authorization (what is the person allowed to do) play an important role. The authentication and authorization of every employee must be recorded, so that when the employee leaves the company, his rights can be withdrawn to the relevant systems.

All data must be protected with a combination of login and a strong password, which is periodically changed and that is not shared with unauthorized persons.

When the data is stored on an external carrier (such as a CD or a USB stick), this carrier must be stored in a closed cupboard (with lock). If the external data carriers are no longer used, they must be destroyed or formatted. When formatting, the carrier must be formatted several times, because the data can still be reconstructed when formatting once.

• Management of technical vulnerabilities

All servers and computers are protected with security software, virus scanners, anti-malware and / or a firewall. All software, including browsers, virus scanners and operating systems are held up to date.

Data must always be stored on designated disks / servers, and may only be uploaded to AMDAX approved cloud computing servers, (managed) hosting parties or third-party software.

Systems that are ‘end-of-support’ or ‘end-of-life’ are being replaced by AMDAX for other systems. In this way it is prevented from working with systems for which support is no longer available and where the security is not maintained.

• Continuity management

Personal information may be lost due to natural disasters, accidents, equipment failure or intentional acts. To mitigate this risk, backups are made of all relevant data.

The frequency of the backups must be appropriate for the data that is being backed up. The retention period of the backups and the location of storage of the backup are also important. The retention period must be appropriate for the data that is being backed up. For the storage location, the backup is not stored in the same location where the original data was stored.

Paper storage of data

Data stored on paper is stored in a place where unauthorized persons cannot view, reproduce or take the papers.

The following principles apply to paper storage:

• If the papers are not used, they must be kept in a closed cupboard (with a lock);
• If paper data is no longer used, it must be destroyed with the paper shredder or discarded in lockable trash bins for confidential documents, the contents of which are removed and destroyed by a specialized company.
• At the end of the working day, every employee must store confidential papers.

Special personal data

AMDAX does not, in principle, process special categories of personal data as referred to in the GDPR. Special categories of personal data include a person’s race or ethnic origin, political views, religious or philosophical beliefs, union membership, and genetic data, biometric data for the unique identification of a person, or data on health, or data relating to health to a person’s sexual behaviour or sexual orientation.

If special personal data is nevertheless processed, this will only be done under the following condition (s):

• AMDAX has explicitly requested permission from the person concerned;
• The data has been explicitly made public by the person concerned;
• An exception as included in the GDPR is met

Information security incidents

AMDAX has established the following procedure for the timely and effective handling of information security incidents and security vulnerabilities as soon as they are reported.
The lessons learned from the incidents handled are used to structurally improve security where possible.

If a follow-up procedure following an information security incident includes legal measures (civil or criminal), the evidence is collected, stored and presented in accordance with the rules for evidence established for the relevant jurisdiction. The management board will take on these tasks and, if necessary, call in external expertise for this.

Following an information security incident, the management of AMDAX assesses the risks for those involved. It is also considered whether the incident must be reported to the person(s) involved and / or the relevant supervisor. For this, see the ‘personal data breach’ section.

Infringement in connection with personal data

Under the GDPR there is a ‘personal data breach’ in the event of a security breach that accidentally or unlawfully leads to the destruction, loss, alteration or unauthorized disclosure of or unauthorized disclosure access to data transmitted, stored or otherwise processed.

Report to the Dutch Data Protection Authority

If an infringement involving personal data has taken place, AMDAX will report this without unreasonable delay and, if possible, no later than 72 hours after it has been informed of it, to the Dutch Data Protection Authority (and also to the AFM if the infringement also qualifies as an ‘incident’ ‘in accordance with AMDAX’s incident policy), unless it is unlikely that the personal data breach would pose a risk to the rights and freedoms of natural persons.

Whether the personal data breach constitutes a risk to the rights and freedoms of natural persons depends on the following factors:

• The type of infringement (for example, unlawful access or loss of data);
• The nature, sensitivity and amount of personal data;
• Simple identification of individuals (how easy it is to identify a natural person from the data);
• The severity of consequences for individuals;
• Special characteristics of the individual (children and vulnerable groups entail a higher risk); and
• The number of people affected.

If the report to the Dutch Data Protection Authority does not take place within 72 hours, AMDAX provides a good explanation for the delay.

The notification shall at least describe or communicate the following:

• The nature of the personal data breach, where possible specifying the categories of data subjects and personal data records involved and, approximately, the number of data subjects and personal data records involved;
• The name and contact details of a contact point where more information can be obtained;
• The likely consequences of the personal data breach;
• The measures proposed or taken by AMDAX to address the personal data breach, including, where appropriate, the measures to limit any adverse effects thereof.

Communication to the person(s) involved

If the personal data breach is likely to pose a high risk to the rights and freedoms of natural persons, AMDAX shall immediately inform the data subject of the personal data breach.

The communication to the person concerned contains a description, in clear and simple language:

• The nature of the personal data breach
• The nature of the personal data breach, where possible specifying the categories of data subjects and personal data records involved and, approximately, the number of data subjects and personal data records involved;
• The name and contact details of a contact point where more information can be obtained;
• The likely consequences of the personal data breach;
• The measures proposed or taken by AMDAX to address the personal data breach, including, where appropriate, the measures to limit any adverse effects thereof.

The communication to the data subject is not required if one of the following conditions is met:

• AMDAX has taken appropriate technical and organizational protection measures and these measures have been applied to the personal data covered by the personal data breach, in particular those that make the personal data incomprehensible to unauthorized persons, such as encryption;
• AMDAX has taken retrospective measures to ensure that the high risk to the rights and freedoms of those involved is unlikely to occur;
• The communication would require disproportionate efforts. In that case, a public announcement or similar measure replaces data subjects with the same effectiveness.

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) may also oblige AMDAX to report the data subject infringement to the data subject.

Procedure for the infringement of personal data.

The following procedure is used within the organization of AMDAX with regard to a personal data breach:

Determination of the infringement by:

• An employee: every employee who suspects an infringement with regard to personal data must immediately report this to the management;
• A customer: a customer sends a message or contacts us by telephone. The person at AMDAX who receives the report from the customer must immediately report this to the management;
• A third party: a third party sends a message or contacts us by telephone. The person at AMDAX who receives the report from the third party must immediately report this to the management;
• The management (and possibly a third party involved) investigate the scope and technical aspects of the infringement:
  • Which breach of security measures has occurred and when?
  • Which part of the IT system is involved and / or which equipment. Possibly: where is the equipment lost / stolen?
  • Which data is (possibly) involved?
  • What are the (expected) consequences of the incident?
• The management (and possibly a third party involved) ensure that measures are taken to restore security;
• AMDAX keeps an overview of the infringement (facts, data and communication regarding the infringement) in the administration of AMDAX. Other internal security incidents are also recorded internally, regardless of whether the infringement is reported to the supervisor and / or the person(s) involved.

If AMDAX uses processors, an attempt will always be made to make agreements about reporting data breaches that occur at a processor. The starting point here is that the processor provides AMDAX with all information about the security incident, after which the (possible) report will be made by AMDAX.

Data processing outsourcing

Enable processors

AMDAX also outsources the processing of personal data to processors. AMDAX ensures that these processors offer sufficient guarantees with regard to technical and organizational security measures with regard to the processing of personal data.

AMDAX enters into a processor agreement with each processor, stating that the processing is done in accordance with the GDPR, that the processor has implemented sufficient technical and organizational security measures, and that the processor informs AMDAX of any information security incidents.

The agreement is recorded in writing (or in another, equivalent form).

International data traffic

Data traffic within the EU

Because AMDAX uses one or more processors, it is possible that data will be transferred to countries outside the Netherlands. Within the European Union and the European Economic Area, the level of data protection is the same, and personal data can be transferred without any problems, provided that all other legal obligations are met by AMDAX and the processor.

Data traffic outside the EU

Data traffic with countries outside the European Union and the European Economic Area is only permitted by law if that country guarantees an adequate level of protection. The European Commission has published a list of countries that offer an adequate level of protection. One of the countries on the list is the United States, but only for transfer of data on the basis of the ‘EU-US privacy shield ‘. Companies in the US can be certified under the privacy shield since August 1, 2016, after which they are entered in a register. Every certified company in the US is deemed to have an appropriate level of protection for the duration of the certification.

Data traffic with countries without an adequate level of protection is only possible under certain conditions as stated in the GDPR, for example with the express consent of the person(s) involved.

Annex – Procedure for rights of data subjects

Under the GDPR, those involved have various options for standing up for themselves when their personal data is processed. AMDAX has set up various procedures so that requests from various people exercising their rights can be responded to correctly.

Under the GDPR, the parties involved have the following rights:

• Right to view: that is the right of those involved to view the personal data that AMDAX processes about them.
• Right to rectification and addition: the right to change the personal data that AMDAX processes.
• Right to object: the right to object to the data processing.
• Right to limit processing: the right to have less data processed.
• Right to data portability : the right to transfer personal data
• Right to forget: the right to be ‘forgotten’.
• Right with regard to automated decision-making and profiling: the right to a human view of decisions.

Right to view

A data subject can request AMDAX in various ways (for example, verbally, by telephone or by mail) to inspect the personal data of this data subject.

It must first be verified whether the person making the request is actually the person concerned, for example by asking for (a copy of) proof of identity.

If the person can prove that he is indeed the person concerned, AMDAX will provide the following information in writing and in a safe manner to the person concerned:

• The processing purposes;
• The categories of personal data concerned;
• The recipients or categories of recipients to whom the personal data have been or will be provided, in particular recipients in third countries or international organizations;
• If possible, the period during which the personal data is expected to be stored, or if that is not possible, the criteria to determine that period;
• That the data subject has the right to request AMDAX that personal data be rectified or deleted, or that the processing of personal data concerning him is restricted, and the right to object to such processing;
• That the person concerned has the right to lodge a complaint with a supervisory authority;
• If the personal data is not collected from the data subject, all available information about the source of that data;
• The existence of automated decision-making, including profiling referred to in the GDPR, and, at least in those cases, useful information about the underlying logic, as well as the importance and the expected consequences of that processing for the data subject.

It is important that only data from the requesting data subject is shared, and not data from others.

The data subject can also request AMDAX to view the personal data that is processed from him / her. AMDAX then provides the data subject with a copy of the personal data that is being processed. If the person concerned requests additional copies, AMDAX may charge a reasonable fee based on the administrative costs. If the person concerned submits his request electronically and does not request another arrangement, the information is provided in a conventional electronic form (if possible and / or necessary also secured).

AMDAX responds as quickly as possible, but no later than 1 month to the request of the person concerned. If it takes more time to collect the data, AMDAX must make this known to the data subject.

Right to rectification and supplementation

A data subject can request AMDAX in various ways (for example, verbally, by telephone or by email) to rectify and supplement the personal data that AMDAX processes of the data subject.

It must first be verified whether the person making the request is actually the person concerned, for example by asking for (a copy of) proof of identity.

The data subject must be clearly asked which information is incorrect and / or incomplete and how this information must be corrected and / or supplemented.

The changes must be clearly written and submitted to the person concerned for assessment and signature.

If the person concerned has signed the rectification and / or supplement, the document must be added to the file of the person concerned and the data must be adjusted in accordance with the signed document.

If AMDAX has also provided incorrect or incomplete personal data to third parties, AMDAX must also pass on the adjusted or supplemented data to this organization (s). If a person asks for it, AMDAX must also tell which organizations have been informed in this way.

AMDAX responds as quickly as possible, but no later than 1 month to the request of the person concerned. If it takes more time to collect the data, AMDAX must make this known to the data subject.

Right to object

A data subject can object to AMDAX in various ways (for example, verbally, by telephone or by mail) against the processing of the personal data that AMDAX processes of the data subject.

It must first be verified whether the person making the request is actually the person concerned, for example by asking for (a copy of) proof of identity.

The data subject must be asked specifically against which processing of personal data the data subject objects.

Unless AMDAX has compelling justified grounds for the processing that outweigh the interests, rights and freedoms of the data subject, AMDAX must stop the processing against which the data subject objects. As long as it is not clear whether the grounds of AMDAX weigh more heavily, AMDAX may not process the relevant data. AMDAX must then set a processing limit. If the person concerned objects to the processing of personal data for direct marketing, AMDAX must stop this immediately.

If AMDAX has also provided personal data to third parties, AMDAX must inform these organizations that the data subject has objected to the processing of his / her personal data. If a person asks for it, AMDAX must also tell which organizations have been informed in this way.

AMDAX responds as quickly as possible, but no later than 1 month to the request of the person concerned. If it takes more time to collect the data, AMDAX must make this known to the data subject.

Right to limit processing

A data subject can submit a request to AMDAX in various ways (for example verbally, by telephone or by mail) to limit the processing of the personal data that AMDAX processes of the data subject.

It must first be verified whether the person making the request is actually the person concerned, for example by asking for (a copy of) proof of identity.

The data subject has the right to obtain from AMDAX the restriction of the processing if one of the following elements applies:

• Data may be incorrect: if the person concerned indicates that AMDAX uses incorrect personal data, AMDAX may not use this data as long as AMDAX has not yet verified that the data is correct.
• The processing is unlawful: AMDAX is not allowed to process certain data, but the data subject does not want AMDAX to delete the data. For example, because he wants to request the data later.
• Data is no longer needed: AMDAX no longer needs the personal data for the purpose for which AMDAX has collected them, but the data subject still needs the personal data for legal action. For example a legal procedure in which he is involved.
• The person concerned objects: Does someone object to the processing of his personal data? AMDAX must then stop processing this data, unless AMDAX invokes compelling justified grounds for the processing that outweigh the interests, rights and freedoms of the data subject. As long as it is not clear whether the grounds of AMDAX weigh more heavily, AMDAX may not process the data.

If AMDAX has also provided the personal data to other parties, then these organizations must be informed that the use of the data is limited and that this other party must also limit the processing. If a person asks for it, AMDAX must also tell which organizations have been informed in this way.

AMDAX responds as quickly as possible, but no later than 1 month to the request of the person concerned. If it takes more time to collect the data, AMDAX must make this known to the data subject.

Right to data portability

A data subject can indicate to AMDAX in various ways (for example verbally, by telephone or by e-mail) that he / she wishes to make use of the right to data portability . The right to data portability means that people have the right to receive the personal data that AMDAX has from them, for example to be able to easily transfer the data to another supplier. Data subjects can also request that data be transferred directly to another organization (if this is technically possible).

It must first be verified whether the person making the request is actually the person concerned, for example by asking for (a copy of) proof of identity.

The data subject must be specifically asked with regard to which personal data he / she makes the request for data portability . The right of the person concerned only relates to digital data (not physical files) that AMDAX processes with the permission of the person concerned or that are processed to carry out an agreement with the person concerned. In addition, only data that customers have provided to AMDAX (directly or by using the services / products of AMDAX) needs to be made available. The right to data portability does not relate to derived data that AMDAX itself has generated, such as a profile that AMDAX has drawn up of the data subject. However, the data subject has the right to view this data (see “right to view”).

AMDAX provides the data in a structured, commonly used and machine-readable format.

AMDAX responds as quickly as possible, but no later than 1 month to the request of the person concerned. If it takes more time to collect the data, AMDAX must make this known to the data subject.

Right to forget

A data subject can submit a request to AMDAX in various ways (for example, verbally, by telephone or by e-mail), which means that the personal data that AMDAX processes of the data subject must be deleted.

It must first be verified whether the person making the request is actually the person concerned, for example by asking for (a copy of) proof of identity.

The data subject must be specifically asked with regard to which personal data he / she requests the change of data . The request can be submitted when:

• The personal data is no longer necessary for the purpose for which the data was collected and there is no other reason to store this personal data;
• The purpose for processing the personal data is based on the consent of the data subject and the data subject who withdraws consent;
• The person concerned objects to the processing and AMDAX has no compelling reasons to process the data;
• The personal data has been processed unlawfully;
• The personal data must be deleted in order to comply with a legal obligation laid down in Union or Member State law.

AMDAX must comply with the request of the person concerned unless:

• AMDAX processes the data because there is a legal obligation to do that.
• AMDAX processes the data to exercise public authority or a (statutory) task in the public interest.
• AMDAX processes the data for a public interest task in the field of public health.
• The data is necessary for legal proceedings.

If AMDAX has also provided the personal data to other parties, these organizations must be informed that the person concerned has requested that the data be deleted and that this other party must also delete the data. If a person asks for it, AMDAX must also tell which organizations have been informed in this way.

AMDAX responds as quickly as possible, but no later than 1 month to the request of the person concerned. If it takes more time to collect the data, AMDAX must make this known to the data subject.

Law with regard to automated decision making and profiling

The person concerned has the right not to be subjected to a decision based solely on automated processing, including profiling, which has legal consequences for him or that otherwise affects him to a considerable extent. If the person concerned invokes this right, this means that AMDAX must take a new decision in which a person has assessed the data.

A person concerned can make a request to AMDAX in various ways (for example, verbally, by telephone or by e-mail) regarding the right to a human gaze.

It must first be verified whether the person making the request is actually the person concerned, for example by asking for (a copy of) proof of identity.

The person concerned must be asked specifically with regard to which decision AMDAX has taken, he / she makes the request. If AMDAX has to honor the request, AMDAX takes a new decision in which a person has assessed the data.

AMDAX responds as quickly as possible, but no later than 1 month to the request of the person concerned. If it takes more time to collect the data, AMDAX must make this known to the data subject