Data Security and Protection Policy
1. PURPOSE
1.1. To define the requirements of the EU General Data Protection Regulation (GDPR) and the Dutch Data Protection Act (Uitvoeringswet Algemene verordening gegevensbescherming, UAVG) as they apply to the operations of Evelors Solutions BV.
1.2. To provide a clear framework defining the rights, obligations, and responsibilities of individuals and entities within Evelors Solutions BV concerning data protection, privacy, and information security.
1.3. To establish a structured mechanism for defining, assigning, and executing data protection responsibilities within Evelors Solutions BV, ensuring accountability and compliance with relevant European and Dutch legislation.
2. SCOPE
2.1. This Policy delineates the parameters governing the handling of personal information within Evelors Solutions BV. It encompasses all instances of personal information processing conducted either directly by Evelors Solutions BV or on its behalf. This includes, but is not limited to, personal data accessed or utilised by Evelors Solutions BV staff, contractors, consultants, and other relevant personnel engaged in various activities within the consultancy firm.
2.2. The breadth of personal data handled under this Policy spans various formats, including electronic, hard copy, voice recordings, and verbal communications. For clarity on the types of data covered by this Policy, refer to Section 4.
3. LEGISLATIVE GUIDANCE
3.1. This Policy is meticulously crafted based on the extensive guidance published by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP), the regulatory body overseeing data protection regulations in the Netherlands. The guidance encompasses detailed directives pertaining to compliance with the EU General Data Protection Regulation (GDPR) — known in the Netherlands as the Algemene Verordening Gegevensbescherming (AVG) — and offers comprehensive insights into the nuances of data protection practices.
3.2. The Policy takes into account the AP’s authoritative guidance concerning the right of access, which delineates the procedures and obligations surrounding Data Subject Access Requests (DSARs). By adhering to these guidelines, Evelors Solutions BV ensures transparency, accountability, and fairness in handling individuals’ requests for accessing their personal data.
3.3. In alignment with the European Data Protection Board (EDPB) and the AP’s commitment to safeguarding privacy rights, this Policy reflects current codes of practice pertaining to the deployment of surveillance cameras. It addresses the ethical and legal considerations involved in capturing and processing personal information through surveillance technologies, ensuring that Evelors Solutions BV upholds the highest standards of privacy protection while utilising such systems.
4. DEFINITIONS
Personal data: Refers to information about natural persons that enables their direct or indirect identification. This includes sensitive data and criminal convictions. Pseudonymised data, although less identifiable, is still considered personal data. Truly anonymised data is exempt from GDPR regulations. Deceased individuals’ information, as well as data about companies or public authorities, does not fall under personal data. Personal data may encompass the individual’s:
- Name (including initials);
- Identification number;
- Location data;
- Online identifier, such as a username;
- One or more factors specific to the individual’s physical, physiological, genetic, mental, economic, cultural, or social identity.
Processing: In relation to personal data, means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure or destruction.
Processor: A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Data Controller (here, Evelors Solutions BV).
Data Subject: The identified or identifiable living individual to whom personal data relates.
Special Category Data: The GDPR defines special category data as:
- Personal data revealing racial or ethnic origin;
- Personal data revealing political opinions;
- Personal data revealing religious or philosophical beliefs;
- Personal data revealing trade union membership;
- Genetic data;
- Biometric data (where used for identification purposes);
- Data concerning health;
- Data concerning a person’s sex life; and
- Data concerning a person’s sexual orientation.
Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored, or otherwise processed.
5. DATA PROTECTION PRINCIPLES
5.1. Article 5 of the GDPR mandates that Evelors Solutions BV, its employees, and other parties handling personal information must adhere to and demonstrate compliance with data protection principles. These principles outline that personal data should:
- Be processed lawfully, fairly, and transparently in relation to individuals;
- Be collected for specified, explicit, and legitimate purposes, and not further processed in a manner incompatible with those purposes;
- Be adequate, relevant, and limited to what is necessary for the purposes for which they are processed;
- Be accurate and kept up to date, with steps taken to rectify inaccuracies without delay;
- Be retained only for as long as necessary for the purposes for which they are processed;
- Be processed securely, with appropriate measures in place to prevent unauthorised access, loss, destruction, or damage.
5.2. Evelors Solutions BV adheres to a strict Policy ensuring that all personal data processing is conducted in a safe, secure, ethical, and transparent manner. Procedures are in place to uphold these principles and to support data subjects in exercising their rights, including:
- Protecting individuals’ rights regarding the processing of personal information;
- Developing, implementing, and maintaining data protection policies, procedures, and training to comply with data protection laws;
- Recording and evidencing consent at the time it is obtained;
- Implementing robust Complaints Procedures and Data Incident Reporting policies to address breaches or complaints about data protection;
- Storing and disposing of all personal information in accordance with the Information Retention Policy;
- Providing individuals with concise, transparent, easily accessible information about their personal data in clear and plain language;
- Maintaining records of processing activities.
6. ROLES AND RESPONSIBILITIES
6.1. Chief Executive Officer:
- Designated individual responsible for overseeing the implementation of data protection policies and procedures;
- Ensures compliance with data protection laws and regulations;
- Acts as the primary point of contact for data protection queries and for the AP;
- Monitors data protection training and awareness programmes for all staff.
6.2. Senior Management:
- Provides leadership and support for the implementation of data protection policies;
- Allocates resources for the effective execution of data protection measures;
- Approves and reviews data protection policies and procedures on a regular basis;
- Supports the Chief Executive Officer in ensuring compliance with legal requirements.
6.3. Employees:
- Responsible for understanding and adhering to data protection policies and procedures;
- Ensure that personal data is handled securely and in accordance with data protection laws;
- Report any data breaches, incidents, or security concerns to the Chief Executive Officer or designated authority promptly;
- Collect, store and process any personal data in accordance with this Policy;
- Participate in data protection training and awareness programmes provided by the company.
6.4. IT Department:
- Implements technical measures to ensure the security, confidentiality, and integrity of personal data;
- Manages access controls and encryption mechanisms to protect sensitive information;
- Conducts regular audits and assessments of IT systems to identify and address vulnerabilities;
- Collaborates with the Chief Executive Officer to address data security incidents and breaches.
6.5. Human Resources Department:
- Manages employee data and ensures compliance with data protection regulations in all HR processes;
- Implements procedures for handling and storing employee records securely;
- Provides training and guidance to employees on data protection best practices;
- Collaborates with the Chief Executive Officer to address data protection concerns related to employee data.
6.6. Legal Department:
- Provides legal advice and guidance on data protection and privacy matters;
- Reviews contracts and agreements to ensure compliance with data protection laws;
- Assists in conducting privacy impact assessments for new projects or initiatives;
- Represents the company in legal proceedings related to data protection issues.
6.7. Data Subjects:
- Individuals whose personal data is processed by Evelors Solutions BV;
- Have the right to access, rectify, and erase their personal data as per data protection laws;
- Should notify Evelors Solutions BV of any changes or updates to their personal information;
- May exercise their rights by contacting the Chief Executive Officer or designated authority.
7. DATA GOVERNANCE
7.1. Employee Personal Data Handling:
Evelors Solutions BV prioritises the protection of its employees’ personal data. In accordance with EU GDPR, Evelors Solutions BV has implemented policies that do not rely on consent as the sole legal basis for obtaining or processing employee personal information. Its policies have been meticulously updated to ensure that employees are fully informed about how Evelors Solutions BV handles their data and the reasons behind it.
7.2. Privacy Notice:
The Privacy Notice serves as a comprehensive guide outlining the procedures followed by Evelors Solutions BV when collecting personal information. This information is collected to fulfil its legal, regulatory, statutory, and contractual obligations, as well as to provide its members, international partners, customers, and stakeholders with relevant information. Whether regarding its products and services or matters of public interest, the Privacy Notice of Evelors Solutions BV ensures transparency in its data collection practices.
7.3. Data Storage and Retention:
Information and records pertaining to data subjects are stored securely within systems to which access is restricted to authorised personnel. Evelors Solutions BV adheres to stringent data retention policies, storing information for only as long as necessary or as mandated by both GDPR and Dutch statutory requirements:
- Fiscal Records: Retained for 7 years to comply with the Dutch Tax Administration (Belastingdienst) requirements;
- Personnel Files: Generally retained for 2 years following the termination of employment, unless specific documents require longer retention for tax purposes;
- Disposal: Proper disposal methods are employed once data is no longer required.
7.4. Data Accuracy and Maintenance:
Maintaining accurate data is paramount at Evelors Solutions BV. It takes proactive measures to ensure the information remains up to date by periodically requesting data subjects to verify the accuracy of their information and update any changes accordingly.
7.5. Audits and Monitoring:
Evelors Solutions BV conducts regular internal audits, independently overseen by its outsourced IT provider, to assess compliance with data protection measures. Its compliance monitoring processes are robust, ensuring that the controls in place effectively safeguard data subjects and their information in accordance with legal requirements.
7.6. Training and Awareness:
Evelors Solutions BV is dedicated to fostering a culture of data protection awareness among its staff. Its comprehensive staff awareness programme includes:
- Annual refresher training sessions covering data protection, records management, information security, and cyber security, delivered through both in-person and virtual group sessions;
- Regular updates and alerts on emerging information security risks to keep employees informed;
- Access to data protection and information security policies, procedures, checklists, and supporting documents to facilitate adherence to best practices.
By prioritising ongoing training and awareness initiatives, Evelors Solutions BV empowers its employees to fulfil their data protection responsibilities effectively and ethically.
8. COLLECTING PERSONAL DATA
8.1. Lawfulness, Fairness, and Transparency:
The collection of personal data shall adhere to the principles of lawfulness, fairness, and transparency. Evelors Solutions BV shall ensure that the processing of personal data is conducted lawfully, with fairness to the data subject, and in a transparent manner.
8.2. Lawfulness of Processing:
Personal data shall be processed lawfully, based on one or more of the following legal bases:
- Consent: Processing is based on the explicit consent of the data subject for specific purposes;
- Contractual Necessity: Processing is necessary for the performance of a contract to which the data subject is a party or for taking pre-contractual steps at the request of the data subject;
- Legal Obligation: Processing is required to comply with legal obligations imposed on Evelors Solutions BV under European Union and/or Dutch law;
- Vital Interests: Processing is necessary to protect the vital interests of the data subject or another natural person;
- Public Interest: Processing is carried out in the public interest or in the exercise of official authority vested in Evelors Solutions BV;
- Legitimate Interests: Processing is necessary for the legitimate interests pursued by Evelors Solutions BV or a third party, provided that such interests do not override the fundamental rights and freedoms of the data subject, particularly if the data subject is a child.
For the processing of special categories of personal data, Evelors Solutions BV shall adhere to the lawful bases and exceptions outlined in Article 9 of the GDPR and the Dutch GDPR Implementation Act (Uitvoeringswet Algemene verordening gegevensbescherming or UAVG), along with meeting one of the special category conditions for processing.
9. TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES
9.1. Evelors Solutions BV recognises the importance of safeguarding personal data when transferring it to third countries outside the European Economic Area (EEA) in compliance with the General Data Protection Regulation (GDPR). In the context of its global operations, particularly with offices located in London, Toronto, and Tallinn, Evelors Solutions BV implements the following measures:
- Adequacy Decisions: Evelors Solutions BV conducts an assessment of the data protection laws and regulations in the third countries where personal data is transferred to ensure that they provide an adequate level of protection comparable to the standards set forth in the GDPR;
- Standard Contractual Clauses (SCCs): Where necessary, Evelors Solutions BV enters into legally binding agreements, such as the EU SCCs approved by the European Commission, with the recipients of personal data in third countries to ensure appropriate safeguards for data protection;
- Binding Corporate Rules (BCRs): Evelors Solutions BV may adopt BCRs, which are internal rules for international data transfers within the corporate group, subject to approval by the relevant data protection authorities;
- Consent: In certain circumstances, where none of the aforementioned safeguards are applicable, Evelors Solutions BV obtains explicit consent from data subjects for the transfer of their personal data to third countries;
- Data Subject Rights: Data subjects are informed about the transfer of their personal data to third countries and provided with relevant information regarding the safeguards implemented to protect their data privacy rights;
- Ongoing Monitoring: Evelors Solutions BV regularly reviews and monitors the adequacy of data protection measures in third countries to ensure continued compliance with GDPR requirements and promptly addresses any identified risks or concerns.
By implementing these measures, Evelors Solutions BV ensures that transfers of personal data to third countries are conducted in accordance with the GDPR’s principles of lawfulness, fairness, and transparency, while upholding the rights and protections afforded to data subjects.
10. DATA PROTECTION BY DESIGN AND DEFAULT
10.1. Evelors Solutions BV recognises the importance of embedding data protection principles into its systems, processes, and practices from the outset. Data protection by design and default ensures that privacy considerations are integrated into the development and implementation of its products, services, and operations.
10.2. Data protection by design entails incorporating privacy features into the design of systems and processes to minimise the risk of privacy breaches and enhance data security.
10.3. Data protection by default involves configuring systems and processes to ensure that the highest level of data protection is the default setting, requiring no additional action by the user.
10.4. Evelors Solutions BV commits to integrating data protection by design and default principles across all stages of its operations, including product development, service delivery, and internal processes.
10.5. Evelors Solutions BV conducts Data Protection Impact Assessments (DPIAs) to identify and mitigate privacy risks associated with new projects, initiatives, or system implementations, in accordance with Article 35 of the GDPR.
10.6. Evelors Solutions BV’s development teams follow best practices for data minimisation, ensuring that only necessary personal data is collected, processed, and retained.
10.7. Evelors Solutions BV implements privacy-enhancing technologies (PETs) and encryption mechanisms to safeguard personal data throughout its lifecycle.
10.8. Evelors Solutions BV provides training and awareness programmes to educate employees about their responsibilities regarding data protection by design and default.
10.9. Evelors Solutions BV regularly reviews and updates its data protection policies, procedures, and technical measures to adapt to evolving regulatory requirements and technological advancements.
10.10. Feedback mechanisms are established to solicit input from stakeholders, including data subjects, regarding the effectiveness of its data protection measures.
10.11. Evelors Solutions BV promotes a culture of privacy and accountability, encouraging employees to proactively identify and report potential privacy risks or compliance gaps.
10.12. Evelors Solutions BV’s Chief Executive Officer is responsible for overseeing the implementation of data protection by design and default principles and ensuring compliance with relevant laws and regulations.
10.13. Regular audits and assessments are conducted to verify adherence to data protection by design and default requirements, with findings reported to senior management for review and action.
10.14. Any identified deficiencies or non-compliance issues are promptly addressed through corrective measures and process improvements.
10.15. Evelors Solutions BV is committed to upholding the highest standards of data protection by integrating privacy considerations into its business practices. By adopting a proactive approach to data protection by design and default, Evelors Solutions BV aims to enhance trust, transparency, and accountability in its interactions with data subjects and stakeholders.