This includes the following types of personal data:
- Personal Data of employees
- Personal Data of suppliers (employees)
- Personal data of (employees of) clients (companies)
- Personal data of visitors to business premises
- Personal data of website visitors of Alrec
- Personal information from app users
A. 3. Phrases used
B. Legal framework
B. 1. General Data Protection Regulation
The GDPR will apply on all uses of personal data by Alrec from the 25th of May 15, 2018 and onwards.
The GDPR applies to:
- The Automated” processing of personal data, “automated” is in short the processing via a computer or other electronic device such as a smartphone, tablet, digital camera or via a server.
Common examples for us are sending and receiving emails, gathering data through a website or an app like Symfonia, making camera recordings (of people), capturing employee data;
- The On-paper processing of personal data In an “ordered whole” (in a searchable file).
An example of the latter is the physical administration folders of personnel files.
Alrec is GDPR “responsible” for certain obligations relating to the processing of personal data. The persons whose data it is going to store have, based on the GDPR, certain rights in relation to the processing of their personal data. This policy defines in general terms the obligations and rights.
B. 2. Other specific laws and regulations
Additional laws and regulations may apply in certain specific situations, such as the use of personal data of employees, medical data or personal data on criminal law.
C. Basic Principles
C. 1. General
In general, it is necessary to deal with personal data carefully. Employees of Alrec therefore, when using personal data during their daily work, must ensure that the privacy rules of the GDPR are respected.
This means that, in principle, we only process personal data that is important for carrying out work.
C. 2. Collection, receiving and internal use of personal data
With the collection/creation of personal data, the receiving of personal data from external parties and the further internal processing within Alrec, Alrec will decide if it is legal, and if so, how that personal data will be used.
The following questions are considered when collecting / creating personal data (in Appendix 1 the concepts used are explained):
- Is it about “Special Personal Data”*? This may only be collected, received and processed on the basis of a legal exception. If the special personal data may be processed, this personal data must be treated with caution. Therefore, if there is a request for proof of identity, the Social Security number should be protected unless there is a legal exception.
- Is it about personal data of Children (a person under 16)? The data should also be handled with caution and additional rules apply.
- Is there a “Basis/legal basis”** to collect, receive and use the personal data? There must be a basis/legal basis for each processing (every type of use).
- For which Purpose is the personal data collected, received and processed? The purpose must be clear.
- Is it Necessary to collect, receive and further process the personal data for the purposes set? If it is not necessary for those purposes or for compatible purposes, the data should not be collected, received or processed.
- Is “Only automated individual decision-making”***, including profiling, which has legal effects on the persons concerned or which affects the persons in a different way been used? This is only legal under certain conditions.
C.3. Overview of Processing
We maintain a document of the data processing activities for which Alrec is responsible. In this we will define for each data stream, what data we process and why. For a new data stream, for example, using a new administration tool, we will create a new overview.
Employees of Alrec will keep all personal data confidential and will use it only during their work for Alrec.
New employees will sign this in their employment contract.
Existing employees should adhere to this policy.
C.5. Quality of data
Personal data is kept accurate, complete and up-to-date as much as possible. If there is any personal data not necessary for the job, it is deleted.
C.6. Privacy by Design and by Default
When developing (new) products or services, including IT systems, the use of “privacy by design” and “Privacy by default” is used as much as possible.
Privacy by Design Where possible, the protection of personal data is considered, for example by anonymizing data, data minimisation and compliance with the privacy rules are ensured.
Privacy by Default In summary, it is ensured that only necessary personal data is used as a starting point, given the amount of personal data, the way in which is it used, the period within which it is stored and the accessibility. The measures should ensure that personal data is not public or accessible without involvement and approval of an Alrec employee.
C.7. PIAs (Privacy Impact assessments) and privacy tests
In the use of high-risk personal data, such as large-scale use of special personal data, of automated individual decision-making, including profiling, which has legal effects on the persons concerned or which affects the persons in a different way or the Systematic monitoring of a large-scale public space, a privacy impact assessment (PIA) is carried out.
C.8. External use of personal data
The starting point is that Alrec uses the Personal data only for internal use.
However, in certain cases it may be necessary to transmit personal data to external parties. When passing on the personal data to external parties, it is necessary to weigh up whether that is possible and, if so, under what conditions:
- Is the external party to be considered a Processor” Exclusively acting on behalf of Alrec when receiving and using personal data? Then, in a processing contract, agreements are made with such party about how they handle the personal data. Such parties may not use the personal data for their own purposes.
- Is the external party itself to be considered as Responsible” – for example, the insurer of Alrec? Then it is necessary to assess whether the passing on of personal data to this external party corresponds to the established purposes, which personal data are required and whether there is a basis for passing on the data. Where possible, agreements shall be laid down on the exchange of personal data.
- Is the external party responsible for the processing of personal data in question Together with Alrec? Then the agreements on personal data are recorded in an agreement between the Alrec employee and the other responsible party.
- Is the external party A Public authority? As a starting point, Alrec will supply personal data to public authorities only if it is legally required to do so. In certain specific situations, however, it is also necessary to pass on personal data to a public authority if there is no legal obligation. An example of this is the passing on of information about a person to the police as the police have requested information in relation to a specific investigation. Only data necessary for the investigation will be provided.
C.9. Transfer to outside EEA
If personal data is passed to a country outside the European Economic Area (“EEA”), (the EEA consists of the countries of the European Union, Norway, Iceland and Liechtenstein), where there is no adequate level of protection for privacy, measures must be taken to make that transfer legally possible.
C. 10. Security and data leaks
Personal data must be technically and organisationally secured in an appropriate manner, considering the nature of the personal data, the risks associated with the use of personal data, the cost of security and the nature of current technology.
If data leakage occurs where personal data is involved, it is to be reported to the authority on personal data and the persons concerned,. This is done via the Datalek protocol. There may be special circumstances under which notification does not occur. In order to prevent data leakage, we deal very carefully with all types of personal data we process.
C. 11. Storing personal data
Personal data is no longer retained other than is necessary for the purposes for which it was collected. Where appropriate, a retention policy and/or storage protocol shall be established.
C. 12. Rights of the persons
Persons for whose data is collected may be subject to certain rights in relation to their personal data that Alrec uses.
These rights are:
- To receive an overview in an intelligible form of the personal data.
- To receive information on the use of personal data by Alrec.
- To receive a copy of the personal data.
- In certain cases, to obtain the data in a structured, common and machine-readable form and to have it transmitted to another “responsible person” on request.
- Correction of incorrect data and completion of incomplete data.
- In certain cases, to request removal of their personal data.
- In certain cases, to request “limitation” of their personal data.
- In certain cases, to object to the processing of their personal data.
- When using personal data for direct marketing purposes, the person may always oppose and then use is discontinued.
- As a starting point for revoking a given authorization once again.
- To lodge a complaint with the data protection authority.
In certain cases, Alrec can reject a request, for example, if the person requests removal of certain personal data, but which still must be kept for the purpose of a legal obligation. Alrec will let the individual know. Where applicable, a protocol is created for dealing with requests from individuals.
C. 13. Contact Persons
The persons are informed where necessary about the use of their personal data, for example by means of privacy statements. For example, to enter prospect information in (Alrec’s intranet platform), the person concerned must first have given unambiguous consent.
The pre-collection of an email address is therefore prohibited. However, if there is permission to call or email the person, this, of course, is allowed. This includes obtaining a business card or prior contact with the person.
C. 14. Protocols/guidelines/codes of conduct
A protocol, directive and/or Code of conduct shall be drawn up as a starting point for the use of personal data of a substantial nature or of any other activity which intervenes significantly on the privacy of the persons. This includes the control of old personal data that individuals carry out themselves.
Alrec employs a process for managing complaints with regard to data. If a person raises an issue about the use of his or her personal data, the person concerned may lodge a formal complaint with Alrec. A contact point shall be designated for this purpose, where applicable by category of persons or personal data.
However specific legal complaint regulations will overrule this system.
Appendix 1 – Concepts
Personal data– This is data (information) related to an identified or identifiable person. Including: name, telephone number, email address and Social Security number.
***Only automated individual decision-making: This is decision-making about the person which is automated, so without a human being involved in that decision-making process.
*Special Personal Data: Includes the following types of personal data:
B. Racial or ethnic background,
C. Belief or beliefs,
D. Sexual behavior or orientation,
E. Political opinions,
F. Membership of a trade union,
G. Genetic characteristics,
H. Biometric characteristics intended to identify someone.
The Social Security number and criminal data also apply as a special person which may only be used if there is an exception in the GDPR.
Responsible: The “responsible” is the party who determines what happens to the personal data and how that happens (it determines the “purpose and the means”).
Person concerned: A “Data subject” is a person to whom the personal data relates.
Processing: “Processing” is an act of personal data. This includes: collecting, capturing, organizing, structuring, storing, updating or modifying, retrieving, consulting, using, providing by sending, distributing, combining, shielding, Erase or Destroy.
**Basis/Legal basis: For each processing of personal data, one of the following foundations (also called “legal bases”) is required:
- Informed, free and specific consent,
B. It is necessary for the preparation or execution of an agreement with, or for, the benefit of the person concerned,
C. It is necessary to comply with a legal obligation that is applicable to the responsible rest,
D. It is necessary to protect the vital interests of the data subject (or any other person)
- It is necessary for the performance of a task of general interest, or of a task in the exercise of public authority entrusted to the responsible.
F. It is necessary for a legitimate interest of the person responsible or a third party who is in favour of the interests of the person concerned.