DPA policy

1. Definitions

In these regulations will be understood, in addition to the General Data Protection Regulation, under:

a. DPA - Dutch Data Protection Authority: government organ that supervises the processing of Personal Data;

b. GDPR: General Data Protection Regulation 2016/679;

c. Concerned person: the person to whom personal data concerns or his lawful representative;

d. Third party: any person not being the Concerned person, Responsible for processing, Processor or any person that is authorised under the authority of the Responsible for processing or the Processor to process Personal Data;

e. Passing on: processing of Personal Data whereby Personal Data will be passed on to third-party countries, being countries outside the European Economic Area;

f. Violation in connection with Personal Data: a violation of the security that by accident or in an illegal manner leads to the destruction, the loss, the changing, the unauthorised provision of or the unauthorised access to processed data;

g. Recipient: the person to whom or to which Personal Data will be provided;

h. Personal Data: all information over an identified or identifiable natural person;

i. Privacy officer: the person that has been appointed by the Responsible for processing, to advise on the one hand about compliance with the GDPR and other hand supervise within the organisation the application of and compliance with the GDPR, not being a functionary for the protection of data in the sense of article 37 and further GDPR;

j. Permission of the Concerned person: each free, specific, informed and unequivocal expression of the will with which the Concerned person by a declaration or unequivocal act, accepts the processing of Personal Data concerning him;

k. LIGDPR: Law Implementing the General Data Protection Regulation; 

l. Processor: a third party that, in the commission of the Responsible for processing, processes Personal Data on behalf of the Responsible for processing;

m. Processing: each act or each entirety of acts regarding Personal Data, whether or not executed via automated processes, including in any case the collecting, recording, organising, structuring, storing, updating or changing, retrieving, consulting, use, provide by means of forwarding, distributing or in another manner making available, bringing together, shielding off, erasing or destroying of data;

n. Responsible for processing: Formula Air or the companies belonging to its holding, determine(s) the purpose and the means of the processing.

2. Scope and purpose of regulations

2.1 These regulations are applicable to all Personal Data of customers, relations, employees and other Concerned persons that will be processed by or on behalf of Formula Air

2.2 These regulations have the purpose:

a. To comply with the obligations from the GDPR;

b. To protect the privacy of a Concerned person of whom Personal Data will be processed against unauthorised or illegal processing;

c. To prevent that Personal Data will be processed for another purpose than the purpose for which it has been collected;

d. To safeguard the rights of a Concerned person.

3. Purpose of the processing of Personal Data

3.1 Personal Data is processed for the following reasons:

a. Execution of the daily activities at Formula Air and contacts and communication (including the newsletter) with customers, suppliers and colleagues;

b. Management of the (personnel) administration;

c. To comply with lawful obligations, including fiscal obligations and obligations to keep data;

d. The ability to take decisions for the benefit of extension of contract, salary mutations (linking with job performance assessments, etc.);

e. Making payments;

f. Collecting information for policy purposes;

g. In case of calamities, to be able to inform a third party stated by the employee;

h. To give transparency, insight in who the persons behind Formula Air are.

3.2 Personal Data will not be processed in a manner irreconcilable with these purposes.

4. Processing of Personal Data

4.1 No other Personal Data will be processed than:

a. Name, first names, phone number and similar data referred to for communication (among others: name, phone number to be called in case of need), CV data (work experience, education), gender, marital state, copy diploma, citizen service number (BSN), date in service, type contract, photo, allocated company assets (including mobile phone, laptop, lease auto, access badge, key), job assessment data, payroll related data (including gross wages, net expenses compensations, over-time) as well as bank account number (IBAN) and e-mail address of or on behalf of the Concerned person;

b. Photos made of company location or personnel events where one or more employees are included. This image material can be used on the website or will be used in the personnel magazine or newspaper for customers;

c. Type and number of the identity document, as well as the expiration date of this document or copy of the identity document;

d. Nationality and place of birth in case of personnel administration; e. Specifically for job applicants: assessment data, CV data, salary (current desired), immigration status (authorised to work within the EU).

4.2 Personal Data will be only processed insofar at least one of the terms and conditions has been complied with:

a. The Concerned person has given permission for the processing of his Personal Data for one or more specific purposes;

b. The processing is necessary for the execution of an agreement whereby the concerned person is a party;

c. The processing is necessary to comply with a lawful obligation that rests on the Responsible for processing;

d. The processing is necessary to protect the vital interests of the Concerned person or another natural person;

e. The processing is necessary for the fulfilment of a task of general interest;

f. The processing is necessary for taking care of the justified interests of the Responsible for processing.

4.3 Personal Data will be collected as much as possible from the Concerned person. In addition, Personal Data can be obtained from recruitment bureaus, temp organisations, and social media including LinkedIn, via the internal/external network (colleagues, etc.).

5. Processing of special categories of Personal Data

5.1 Processing of Personal Data which evidence race, ethnic origin, political views, religious and/or philosophical convictions, or the membership of a union, is forbidden. Processing of genetic or biometric data with a view on the identification of a person, or data about somebody’s health, sexual nature or sexual behaviour, is also forbidden.

5.2 Article 5.1 is not applicable when one of the terms and conditions below has been complied with:

a. The Concerned person has given explicit permission for the processing of the Personal Data for certain purposes;

b. The processing is necessary for the execution of obligations and exercise of specific rights of the Responsible for processing or the Concerned person in the area of labour, social security the social protection laws.

c. The processing is necessary for the protection of the vital interests of the concerned person if the Concerned person is physically or legally not able to give his permission;

d. The processing concerns Personal Data that obviously has been made public by the concerned person;

e. The processing is necessary for the underpinning of a legal claim;

f. The processing is necessary to reasons of heavy weighing general interest;

g. The processing is necessary for preventive or work-related medicine or for the assessment of the ability to work of an employee.

6. Processing of Personal Data concerning criminal convictions and facts punishable by law

6.1 Formula Air processes no Personal Data concerning criminal convictions and facts punishable by law or related security measures, unless the Concerned person has given thereto explicit permission.

7. Processing register

7.1 Formula Air maintains a register of the processing activities that take place under its responsibility. That register contains the following data:

a. The name and contact data of the Responsible for processing and, in a prevalent case, of the privacy officer;

b. The processing purposes;

c. A description of the categories of Concerned persons and Personal Data;

d. The categories of recipients to whom the Personal Data have been or will be provided;

e. If applicable, passing on of Personal Data to a third-party country or international organisation, including the naming of that third-party country or international organisation;

f. If applicable, the involved processors;

g. If possible, the envisaged terms within which the data must be erased;

h. If possible, a general description of the technical and organisational security measures.

7.2 Article 7.1 part a, c, d and h conform to article 30 section 2 of the GDPR which is equally applicable to the processing activities that Processor executes for Responsible for processing.

8. Provision of Personal Data

8.1 The Personal Data of a Concerned person will only be provided to:

a. Those persons, including third parties, that on behalf of or in commission of the Responsible for processing, manage or are charged with the processing of Personal Data or that therein are necessarily involved;

b. Others, in the instances as referred to article 6 under a (unequivocal permission), c (lawful obligation of the Responsible for processing) and d (vital interest of the Concerned person), or article 5 (compatible use) under b GDPR, insofar the stipulations in article 3.1 of these Privacy regulations will be complied with;

c. Others, in the instances as referred to article 6 under e and f GDPR, insofar the stipulations in article 3.1 of these Privacy regulations will be complied with and it concerns only Personal Data as referred to in article 4 of these regulations. For the provision of the Personal Data, the resolution thereto has been communicated to the Concerned person and he has been able, during a reasonable term, to exercise the right of objection as referred to in article 14 of these Privacy regulations;

d. To entities affiliated with Formula Air executing those tasks of intern management;

e. Others, where it concerns the employees of the office to who are responsible for processing outsourced debts of the Concerned person for collection.

9. Security and secrecy

9.1 The Responsible for processing shall ensure suitable technical and organisational measures for the prevention of loss or illegal processing of Personal Data. These measures warrant, taking into account the state of technique and the costs of the execution, a suitable level of security, in view of the risks that the processing and the nature of the data to be protected, bring along. The measures are also aimed at preventing unnecessary collection and further processing of Personal Data.

9.2 Any person that is involved in the execution of these Privacy regulations and thereby gets the disposition over Personal Data of which he knows or reasonably can suspect the confidential character and for whom not already applies an obligation to secrecy concerning Personal Data, based on profession, function or prescription by law, is obliged to secrecy thereof. This does not apply, if any prescription by law obliges him to disclosure or from his task in the execution of these regulations derives the necessity to disclosure.

10. Obligation to report data leaks

10.1 The Responsible for processing shall in accordance with article 33 GDPR, notify the Dutch Data Protection Authority without unreasonable delay but no later than within 72 hours, of a violation in connection with Personal Data, unless it is not likely that the violation in connection with Personal Data contains a risk for the rights and liberties of the Concerned person.

10.2 The Responsible for processing shall in accordance with article 33 GDPR, notify the Concerned person without delay of the violation as referred to in article 10.1, if the violation likely contains a high risk for the rights and liberties of natural persons.

10.3 The Responsible for processing applies a data leaks protocol, to establish whether there is an instance of a data leak and or this must be reported. The data leaks protocol is available on application.

11. How do employees deal with Personal Data of customers and suppliers and colleagues

11.1 Complaints: data linked to complaints will be stored until 6 months after processing of the complaint. Thereafter, this will be removed.

11.2 Newsletters: these will be sent to external parties that have given us permission thereto.

11.3 Contact by phone: no more Personal Data of the customer or supplier will be processed than is strictly necessary.

12. Privacy officer

12.1 The Responsible for processing appoints a privacy officer. It concerns no functionary for the protection of data in the sense of art. 37 GDPR but a general coordinator for the compliance with these regulations and the privacy legislation.

12.2 The privacy-officer fulfils in particular the following tasks:

a. To inform and advise the Responsible for processing, Processor and/or employees about their obligations based on the GDPR and other data protection stipulations;

b. To ensure compliance with the GDPR or other data protection stipulations;

c. To provide advice if so asked, regarding the protection of data effect assessment and to ensure the execution thereof;

d. Acting as contact point for the Dutch Data Protection Authority.

13. Information duty

13.1 The Responsible for processing informs Concerned person about the processing of his Personal Data, prior to the collection of the Personal Data or, if the data originates from third parties, prior to the moment of recording.

13.2 The Responsible for processing informs Concerned person in accordance with article 13 and 14 GDPR, about the Personal Data that will be processed, with which purpose that takes place and to whom the data will be provided.

14. Rights Concerned person(s): viewing, correction, removal and objection

14.1 Each Concerned person has the right to view their Personal Data in accordance with article 15 GDPR. The Concerned person that makes use of this right, must provide proof of ID.

14.2 The Responsible for processing provides the Concerned person with a copy of the Personal Data that will be processed. If the Concerned person requests extra copies, then the Responsible for processing can ask for compensation of the (reasonable) costs.

14.3 If the Responsible for processing questions the identity of the requestor, then he will ask as soon as possible the requestor to provide further data in writing concerning his identity or to present a valid identity document. By this request, the term will be suspended until the moment that the requested proof has been provided.

14.4 The Responsible for processing does not have to give suit to the request of Concerned person, if the request is obviously unfounded, or of an extravagant nature.

14.5 On a request to viewing, the Responsible for processing must respond in writing within four weeks after he has received this request. Depending on the complexity of the request and the number of requests, that term can, if necessary, still be extended with another two months. The Concerned person will be notified within four weeks after receipt of the request, of such an extension.

14.6 If the Concerned person requests the Responsible for processing for improvement, addition, removal or limitation of the Personal Data, because certain recorded data is incorrect or incomplete for the purpose or the purposes of the processing, or would not be relevant, or would have been processed in violation of these regulations or otherwise in violation of a prescription by law, then the Responsible for Processing will take a decision about this, without unreasonable delay after Concerned person has submitted this request.

14.7 The Responsible for processing shall ensure that a decision on improvement, addition, removal or shielding will be executed as soon as possible.

14.8 When the processing of Personal Data takes place based on that processing:

a. is necessary for the proper fulfilment of a public law task executed by the Responsible for processing task, or;

b. is necessary for a justified interest of the Responsible for processing or a third party, then the Concerned person can, in accordance with article 21 GDPR, file an objection with the Responsible for processing against the processing of the data, based on his reasons connected to his specific situation. The Responsible for processing must assess within four weeks after receipt of the objection, whether the objection is justified. If that is the case, then the processing of Personal Data shall immediately be terminated.

14.9 If a decision regarding a request to viewing, a decision as stated in section 6 and the assessment as stated in section 8 of this article, is not to the satisfaction of the Concerned person, then the Concerned person can request, in accordance with article 79 GDPR, in writing to the District court, to order the Responsible for processing to take the desired decision after all.

14.10 When the processing of Personal Data takes place based on that processing for direct marketing purposes of the Responsible for processing, then the Concerned person can also object against the processing of the data in accordance with article 21 GDPR. If Concerned person makes use of this right, then the processing of Personal Data for this purpose shall immediately be terminated.

15. Passing on to third party countries

15.1 Responsible for processing passes on Personal Data from the Netherlands to other countries and/or organisations within the European Economic Area.

15.2 Responsible for processing does not pass on Personal Data to countries outside the European Economic Area, unless there is an instance of a suitable level of protection. A suitable level of protection will be safeguarded by means of:

a. a decision of adequacy by the European Commission;

b. binding company prescriptions approved by the Dutch Data Protection Authority;

c. a certifying mechanism approved by the Dutch Data Protection Authority;

d. a code of conduct approved by the Dutch Data Protection Authority;

e. standard stipulations approved by the European Commission;

f. passing on based on the EU-VS privacy shield.

15.3 Responsible for processing can, notwithstanding article 15.2 of these regulations, pass on Personal Data to countries and/or organisations outside the European Economic Area, in case of the following specific situations:

a. with explicit permission of the Concerned person;

b. if necessary for the execution of an agreement whereby the Concerned person is a party;

c. because of heavy weighing reasons of general interest;

d. underpinning of a legal claim;

e. vital interest of the Concerned person;

f. passing on from a public register.

16. Supervisor

16.1 The supervising authority of the main seat of nosiness of Responsible for processing, acts as leading supervisor for the cross-border processing of Personal Data. Based on article 51 GDPR, the Dutch Data Protection Authority shall supervise the processing of Personal Data by Responsible for processing.

16.2 In deviation of article 16.1 of these regulations, each supervising authority is authorised to treat complaints submitted to it, if the subject of the complaint is only related to an establishment in its member state, or only has material consequences for Concerned person in its member state.

17. Storage terms

17.1 Personal Data will not be stored any longer in a form that makes it possible to identify the Concerned person, than necessary for the realisation of the purposes for which they will be processed, unless lawful minimum storage terms apply.

17.2 In deviation of the stipulations in article 15.1 of these Privacy regulations, Personal Data may be stored longer, insofar it will be kept with a view on archiving in the general interest, scientific or historic research, or statistical purposes and the Responsible for processing has taken measures in order to ensure that the Personal Data will be used solely for these purposes. When those purposes can be realised by further processing that does not or not any longer allow the identification of Concerned persons, then they must be realised thus. Also, the Responsible for processing shall, in the framework of proportionality and necessity, limit the processing to a minimum.

18. Complaints

18.1 If the Concerned person is of the opinion that the stipulations of these Privacy regulations are not complied with by the Responsible for processing, then he or she must turn to the Privacy officer Oliver Bartmann (oliver.bartmann@formula-air.com).

18.2 On each complaint submitted in writing, Formula Air shall take a decision within 4 weeks.

18.3 In instances in which these Privacy regulations do not provide, the Responsible for processing shall decide.

18.4 If the submitted complaint will not or only partially be honoured, then the Concerned person can turn to the Dutch Data Protection Authority, or to the competent court.

19. Coming into force and quotation title

19.1 These regulations can be referred to as Privacy regulations Formula Air and come into force on 25-5-2018. Annually, before 1 January, insofar necessary, an evaluation shall take place and the regulations shall, if necessary, be modified.

19.2 These Privacy regulations replace possible previous versions.

 

Exhibit 1: Flow schedule concerning data leak
(articles 33 and 34 GDPR)

1) Is this a data leak/In case of doubt, consult the Privacy Officer

Is there a violation related to personal data/no data leak/data leak/report directly to PO

2) Should I report the leak to the DPA?

Only when it is likely that the violation contains a risk for rights and liberties of the concerned persons For instance: sensitive data has been leaked.
N – you don’t have to report a data leak to DPA
Y- you must report a data leak to DPA

3) Should I report the leak to the concerned person?

Do organisational and technical Means of Protection offer sufficient protection?
Y – you don’t need to report the data leak to the concerned person

Have sufficient security and protection measures been taken?
Y – you don’t need to report the data leak to the concerned person

Would reporting to the concerned person require a disproportionate effort?
Y – no obligation to inform, public announcement
N – you must report the data leak without delay within 72 hours to the concerned person

Data protextion policy - Exibit 1.png