PROTOCOL REPORTING DATA LEAKS

Considerations:

CalmActiva attaches importance to the proper security of its (electronic) systems in which personal data is stored and processed.

Nevertheless, it can never be completely prevented that a data breach will take place.

CalmActiva is obliged under the General Data Protection Regulation (GDPR) to report (serious) data leaks to the Dutch Data Protection Authority and to the data subjects.

CalmActiva wishes to comply with its legal obligations.

CalmActiva has therefore formulated a policy to act as adequately as possible in the unlikely event of a data breach.

1 - Definition of data breach

A data breach occurs when there is a breach of security that accidentally or unlawfully leads to the destruction, loss, alteration or the unauthorized disclosure of or access to data transmitted, stored or otherwise processed.

2 - Internal responsible persons reporting data leaks

CalmActiva has appointed internal data breach controllers who are responsible for reporting a data breach.

  1. These responsible persons are: Dirk Verburg, telephone number: 0624523564; email address: info@calmactiva.com. nl and if he is not reachable Yvo Langhoor, telephone number: 0650589123; e-mail address: linfo@calmactiva.com, hereinafter referred to as: 'internal responsible'.

3 - Internal notification when a data breach is discovered

Anyone who discovers a data breach at CalmActiva will report this immediately to the internal responsible person. If possible, the person who has discovered the data breach will simultaneously ensure that the leaked data is immediately erased remotely or made inaccessible.

4 - Investigation by the internal manager

The internal responsible examines, among other things:

  • whether personal data has been lost or can be used unlawfully
  • who or which departments within the organization are involved in the data breach
  • whether a processor is involved in the incident

5 - Combating data breach

The internal controller will stop the data breach if this is still possible and will also take the necessary measures to combat the data breach as effectively as possible.

6 - Determining the consequences of a data breach

The internal controller investigates the possible consequences of the data breach on the basis of the nature and extent of the data that have been leaked and determines what the adverse consequences may be for the data subjects.

7 - Cooperation in the provision of data regarding the data breach

The discoverer/reporter of the data breach offers full cooperation to the internal responsible person by answering the following questions as quickly and as accurately as possible (in writing):

  • what happened (description of the incident)?
  • did it happen by accident or was it caused by malicious intent (think of hacked data)?
  • when did it happen (date and time)?
  • when was it discovered?
  • what kind of data (registers) have been leaked?
  • are the data encrypted, and if so how?
  • could the data be remotely erased or made inaccessible, and if so, what are the possible consequences for those involved?
  • which group(s) of people is/are affected by this (for example: students, patients, premium members)?
  • how many people are (approximately) affected by this?
  • is there also data from persons in other EU countries affected by the data breach?
  • have technical and/or organizational measures been taken as a result of the incident?

8 - Availability of staff after discovery of data breach

The person in charge of the department from which the data breach took place, the discoverer of the data breach, and anyone who, based on their position or knowledge, is able to take organizational and/or technical measures to limit the consequences of the data breach, remain available during the first 24 hours after discovery of the data breach for consultation with the internal responsible person or any experts designated by him, and for carrying out assigned work as a result of the data breach if necessary.

9 - Decision on notification of data breaches

  1. The internal responsible will decide as soon as possible, but in any case within 60 hours after the discovery of the data breach - whether or not in consultation with the responsible of the department from which the data breach was discovered and/or experts designated by him - whether the data breach should be reported to the Dutch Data Protection Authority and/or the data subjects.
  2. In principle, a data breach is always reported to the Dutch Data Protection Authority, unless it is unlikely that the data breach poses a risk to the rights and freedoms of the data subjects.
  3. The notification of the data breach is accompanied by an answer to the questions as described in section 7.
  4. A data breach that has been reported to the Dutch Data Protection Authority is also reported to the data subjects if it poses a high risk to the rights and freedoms of natural persons, unless appropriate measures have been taken in the meantime to avert the high risk.

10 - Notification of data leaks to the Dutch Data Protection Authority and/or data subjects

  1. If necessary, the internal controller is responsible for reporting to the Dutch Data Protection Authority and/or the data subject(s).
  2. Notification must be made as soon as possible after the discovery and at the latest within 72 hours after the discovery of the data breach.
  3. Any employee other than the internal controller is not allowed to report the (possible) data breach to the Dutch Data Protection Authority and/or the data subject(s).
  4. If an employee does not agree with the decision of the internal controller regarding whether or not to report the data breach to the Dutch Data Protection Authority and/or the data subject(s), he can make his grievances known to the management.
  5. If requested to do so, an employee will fully cooperate with the controller in order to be able to inform the affected persons in accordance with Article 34 of the GDPR about the data breach.

11 - Consequences of data breach notification

  1. If the data breach has negative consequences for those involved, the internal controller will do everything possible to limit these consequences as much as possible.
  2. Depending on the nature and scope of the data breach for data subjects, the internal controller determines:
     • how data subjects are informed (in any case including notification of which types of personal data have been affected, what the possible consequences are, what measures CalmActiva takes and how the data subjects themselves can prevent or limit the damage)
     • what aftercare those involved receive
     • which actions are necessary in the interest of the organization
  3. If a data breach has occurred - regardless of whether it has been reported or not - adequate technical and/or organizational measures will be taken as soon as possible to prevent future similar data leaks.

12 - Keeping records of data leaks

The internal controller keeps a register of all data breaches, in which all data surrounding the data breach is registered, such as:

  • a description of the incident
  • date and time of the data breach
  • date and time of discovery of the data breach
  • description of the type of personal data leaked
  • description of the category(ies) of data subjects affected
  • description of number of people involved (approximate)
  • whether data of persons in other EU countries has also been leaked