- Crystal Colloidals B.V. attaches great importance to the proper security of its (electronic) systems in which personal data are stored and processed.
- Nevertheless, it can never be fully prevented that a data leak will occur.
- Crystal Colloidals B.V. is obliged under the terms of the General Data Protection Regulation (AVG) to report (serious) data breaches to the Dutch Data Protection Authority and to those involved.
- Crystal Colloidals B.V. wishes to comply with its legal obligations.
- Crystal Colloidals B.V. has therefore formulated a policy to act as adequately as possible in the unlikely event of a data leak.
1 - Definition of data breach
A data breach occurs when there is a breach of security that results in the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, data transmitted, stored or otherwise processed.
2 - Internal manager responsible for reporting data breaches
- Crystal Colloidals B.V. has appointed an internal manager who is responsible for reporting a data breach.
- The person responsible is the Management Department, whose first contact is Cade Howe, telephone number: 0475-785447; e-mail address: email@example.com, hereinafter referred to as the 'internal manager'.
3 - Internal notification upon discovery of a data breach
- Anyone who discovers a data breach at Crystal Colloidals B.V. will immediately report it to the internal manager.
- If possible, the person who discovered the data leak shall at the same time ensure that the leaked data is immediately and remotely deleted or made inaccessible.
4 - Investigation by the internal manager
The internal manager examines, among other things:
- whether personal data has been lost or may be unlawfully used
- who or which departments within the organisation are involved in the data breach
- whether a processor is involved in the incident
5 - Fighting a data breach
The internal manager stops the data leak if this is still possible and furthermore takes the necessary measures to combat the data leak as well as possible.
6 - Determining the consequences of a data breach
The internal manager investigates the possible consequences of the data leak on the basis of the nature and extent of the data leaked and establishes what the adverse consequences may be for those involved.
7 - Cooperation in the provision of data breach information
The discoverer/reporter of the data leak shall cooperate fully with the internal manager by answering the following questions as quickly and as well as possible (in writing):
- What happened? (description of the incident)
- Was it accidental or caused by malicious intent (e.g. hacked data)?
- When did it happen? (date and time)
- When was it discovered?
- What kind of data (records) have been leaked?
- Is the data encrypted, and if so, how?
- Could the data be remotely erased or made inaccessible, and if so, was this done?
- What are the possible consequences for those involved?
- Which group(s) of people is (are) affected? (e.g. pupils, patients, premium members)
- How many persons are affected (approximately)?
- Are data of persons in other EU countries also affected by the data breach?
- Have technical and/or organisational measures already been taken as a result of the incident?
8 - Availability of staff after discovery of data breach
The person responsible for the department from which the data leak occurred, the person who discovered the data leak, and anyone who, on the basis of their position or knowledge, is able to take organisational and/or technical measures to limit the consequences of the data leak, shall be available during the first 24 hours after discovery of the data leak. This availability covers consultation with the internal manager or any experts appointed by him or her and, if necessary, the performance of work ordered as a result of the data leak.
9 - Decision on data breach notification
- The internal manager shall decide as soon as possible, but in any event within 60 hours of the discovery of the data leak - whether or not in consultation with the manager of the department in which the data leak was discovered and/or experts appointed by him or her - whether the data leak must be reported to the Dutch Data Protection Authority and/or to the parties involved.
- In principle, a data leak is always reported to the Dutch Data Protection Authority, unless it is unlikely that the data leak involves a risk to the rights and freedoms of those involved.
- The notification of the data breach is accompanied by answers to the questions described in section 7.
- A data leak that has been reported to the Dutch Data Protection Authority shall also be reported to those involved if it represents a high risk to the rights and freedoms of natural persons, unless suitable measures have meanwhile been taken to avert the high risk.
10 - Reporting of data breaches to the Dutch Data Protection Authority and/or those involved
- If necessary, the internal manager shall ensure notification to the Dutch Data Protection Authority and/or to the data subject(s) concerned.
- Notification shall be made as soon as possible after the discovery and no later than 72 hours after the discovery of the data leak.
- No employee other than the internal manager is permitted to report the (possible) data leak to the Dutch Data Protection Authority and/or the person concerned.
- If an employee disagrees with the decision of the internal manager on whether or not to report the data breach to the Dutch Data Protection Authority and/or the data subject(s), he or she can make his or her grievances known to the management.
- If requested, an employee shall fully cooperate with the internal manager in order to be able to inform the affected persons of the data leak in accordance with Article 34 of the AVG.
11 - Consequences of reporting data breaches
- If the data breach has negative consequences for those involved, the internal manager will make every effort to limit these consequences as much as possible.
- Depending on the nature and extent of the data breach for those involved, the internal manager decides:
  - the manner in which the parties involved will be informed (including, in any case, the kinds of personal data that have been affected, the possible consequences, the measures that Crystal Colloidals B.V. will take, and the ways in which the parties involved can prevent or limit the damage themselves)
  - what kind of aftercare those involved will receive
  - which actions are necessary in the interest of the organisation
- If a data breach has occurred - whether or not it has been reported - adequate technical and/or organisational measures will be taken as soon as possible to prevent similar data breaches in the future.
12 - Maintaining the data breach register
The internal manager keeps a register of all data breaches, in which all information surrounding each data breach is recorded, such as:
- a description of the incident
- date and time of the data breach
- date and time of discovery of the data breach
- description of the type of personal data leaked
- description of the category(ies) of data subjects affected
- description of the number of persons involved (approximate)
- whether data of persons in other EU countries have also been leaked
- whether the incident has been reported to the Dutch Data Protection Authority and, if so, the date and time of the report
- whether the incident has been reported to those involved and, if so, the date and time of the report
- how those involved have been informed
- the consequences of the data breach, including, if possible, date and time
- what technical and/or organisational measures have been taken after the data breach, stating the date and time