DATA LEAK REPORTING PROTOCOL
DATA LEAK REPORTING PROTOCOL
Considerations:
CalmActiva attaches importance to good security of its (electronic) systems in which personal data is stored and processed.
Nevertheless, it is never possible to completely prevent a data leak from occurring
CalmActiva is obliged under the General Data Protection Regulation (GDPR) to report (serious) data breaches to the Dutch Data Protection Authority and to the data subjects.
CalmActiva wishes to comply with its legal obligations
CalmActiva has therefore formulated a policy to act as adequately as possible if a data leak does occur.
1 - Definition of data breach
A data breach occurs when a breach of security occurs leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
2 - Internal data breach reporting responsibilities
CalmActiva has appointed internal data breach processing officers who are responsible for reporting a data breach.
- 1.These persons responsible are: Dirk Verburg, telephone number: 0624523564; e-mail address: info@calmactiva.com. nl and if he cannot be reached Yvo Langhoor, telephone number: 0650589123; e-mail address: linfo@calmactiva.com, hereinafter referred to as: ' internal responsible'.
- If possible, the person who discovered the data breach shall simultaneously ensure that the leaked data is immediately deleted remotely or made inaccessible.
- Internal notification upon discovery of a data breach
4 - Investigation by the internal responsible person
The internal manager investigates, among other things:
whether personal data has been lost or could be used unlawfully who or which departments within the organization are involved in the data breach whether a processor is involved in the incident
5 - Combating data leaks
The internal controller will stop the data leak if this is still possible and will also take the necessary measures to combat the data leak as effectively as possible.
6 - Determining the consequences of a data breach
The internal controller investigates the possible consequences of the data breach based on the nature and extent of the data that has been leaked and determines what the adverse consequences may be for those involved.
7 - Cooperation in providing information about the data breachThe discoverer/reporter of the data breach shall fully cooperate with the internal controller by answering the following questions (in writing) as quickly and as well as possible:
- what happened? (description of the incident)
- was it accidental or was it caused by malicious intent (think hacked data)? when did it happen? (date and time)
- when was it discovered?
- what data(registers) have been leaked? is the data encrypted, and if so, how?
- Could the data be remotely erased or made inaccessible, and if so, was this done? What are the possible consequences for data subjects?
- Which group(s) of people are affected by this? (for example: students, patients, premium members) How many people are affected (approximately)?
- Has the data of persons in other EU countries also been affected by the data breach?
- Could technical and/or organizational measures already be taken in response to the incident?
8 - Availability of staff after discovery of data breach
The person responsible for the department from which the data breach occurred, as well as the person who discovered the data breach and anyone who, based on their position or knowledge, is able to take organizational and/or technical measures to limit the consequences of the data breach, shall remain available for consultation with the internal person responsible or any experts designated by him during the first 24 hours after the data breach has been discovered, and for carrying out any work assigned to him as a result of the data breach, if necessary.
9 - Decision on data breach notification
- The internal controller shall decide as soon as possible, but in any case within 60 hours of discovering the data breach - whether or not in consultation with the controller of the department from which the data breach was discovered and/or experts designated by him - whether the data breach should be reported to the Dutch Data Protection Authority and/or the data subjects.
- In principle, a data breach is always reported to the Dutch Data Protection Authority, unless it is unlikely that the data breach poses a risk to the rights and freedoms of the data subjects.
- The notification of the data breach is accompanied by answers to the questions as described in section 7.
- A data breach that has been reported to the Dutch Data Protection Authority will also be reported to the data subjects if it poses a high risk to the rights and freedoms of natural persons, unless appropriate measures have been taken in the meantime to avert the high risk.
10 - Notification of data breaches to the Dutch Data Protection Authority and/or data subjects
- If necessary, the internal controller shall ensure that the data is reported to the Dutch Data Protection Authority and/or the data subject(s).
- Notification must be made as soon as possible after discovery and at the latest within 72 hours after discovery of the data breach.
- No employee other than the internal person responsible is permitted to report the (possible) data breach to the Dutch Data Protection Authority and/or the data subject(s) themselves.
- If an employee does not agree with the decision of the internal controller regarding whether or not to report the data breach to the Dutch Data Protection Authority and/or the data subject(s), he can make his grievances known to the management.
If requested, an employee shall provide the controller with all cooperation necessary to inform affected persons of the data breach in accordance with Article 34 GDPR.
5.
11 - Consequences of reporting data leaks
If the data breach has negative consequences for those involved, the internal person responsible will do everything possible to limit these consequences as much as possible.
1.
- Depending on the nature and scope of the data breach for data subjects, the internal controller determines: how data subjects are informed (including at least the notification of which types of personal data have been affected, what the possible consequences are, what measures Calma Activa is taking and how data subjects can prevent or limit the damage themselves)
what aftercare those involved receive
what actions are necessary in the interest of the organization
If a data breach has occurred - regardless of whether it has been reported or not - adequate technical and/or organizational measures will be taken as soon as possible to prevent similar data breaches in the future.
3.
12 - Maintaining a register of data leaks
The internal controller maintains a register of all data breaches, in which all data surrounding the data breach is recorded, such as:
- a description of the incident date and time of the data breach
- date and time of discovery of the data breach?
- description of the type of personal data leaked
- description of the category(ies) of data subjects affected
- description of number of persons involved (approximate)
- or whether data from persons in other EU countries have also been leaked