This privacy policy contains the approach, responsibilities and related procedures regarding data protection.
DeltaBlue values privacy and is therefore committed to protect the (personal) data of all its stakeholders. To demonstrate compliance to the latest regulations, such as GDPR, we have implemented ISO 27001 and set up an information security management system (ISMS).
This privacy policy is part of a set of information security guidelines and procedures and does not intend to stand on its own or contradict other DeltaBlue policies.
Term | Definition
---|---
GDPR | EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016, or the European General Data Protection Regulation ("GDPR"), defines the rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
Controller | A natural or legal person who (either alone, jointly or together with other persons) determines the purpose(s) "for which" and the manner "in which" any personal data is or will be processed.
Processor | A natural or legal person (other than an employee of the controller) who processes personal data on behalf of the controller.
Processing | Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Personal Data | Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data Subject | A natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
DPA | A Data Processing Agreement ("DPA") is a contract between the controller and the processor. It regulates the particularities of data processing, such as its scope and purpose, as well as the appropriate technical and organisational measures and the relationship between the controller and the processor.
Supervisory Authority | An independent public authority which is established by a Member State to monitor and enforce the national and/or local application of the GDPR.
DeltaBlue wants to continue being an organisation that cares about the privacy of people and their data and creates a culture and environment that is resilient to any accidental and deliberate personal data infringement occurring.
With all privacy and data protection efforts in place and envisioned, the achievement of the following objectives is paramount to DeltaBlue:
DeltaBlue processes personal data from customers, employees and suppliers, both as Controller and as Processor, on a daily basis. Any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed can lead to, among other things:
Every company is obliged to process personal data in accordance with the data processing principles as described in the GDPR. DeltaBlue has put the appropriate organisational and technical measures in place to assure compliance with these principles and ensures continuous evaluation of these measures.
Therefore, it is also important for every employee dealing with personal data to be aware of the data processing principles. In addition, DeltaBlue employees and stakeholders involved should only process personal data after analysis and application of the following six principles.
DeltaBlue should assure that:
Every individual (“data subject”) has the possibility to exercise the freedoms and rights as described in the GDPR. DeltaBlue has the obligation to respond in a timely manner to data subject requests and to make sure that the legal deadlines are met.
The data subject rights explained:
Requests to exercise the right of access, correction and erasure can be submitted through the Security officer.
There is a personal data breach whenever there is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, or if the data is made unavailable and this unavailability has a significant negative effect on individuals. Examples of a data breach are: accidental disclosure of e-mail addresses, loss of a laptop, theft of a database, password leakage, etc.
In line with the data protection principles of storage limitation and accuracy, it is required to set out clear data retention periods for the personal data being processed by DeltaBlue. Processes have been adjusted to make sure data is never stored longer than necessary to perform our services.
DeltaBlue guarantees implementation of the appropriate technical and organisational measures to ensure a level of security appropriate to the risk and taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
If you want to find out which measures and security controls have been implemented, we have prepared an Assurance statement which is available upon request.
As a controller, DeltaBlue has the obligation to ensure that it only uses processors providing appropriate guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure protection of the rights of the data subjects. Following this, due diligence shall be conducted before a contract with a new processor is signed. A contract (DPA) with the processor shall include clauses on personal data processing, in which the appropriate instructions on how to process personal data are given to the processor and the appropriate technical and organisational measures are agreed upon.
In order to guarantee confidentiality and careful handling of personal data, all individuals working for DeltaBlue must ensure that personal data is processed in line with this policy and the data protection principles. Therefore employees, contractors and other stakeholders involved have the responsibility to:
The Management of DeltaBlue is jointly responsible for this privacy policy.