Differences

This shows you the differences between two versions of the page.

--- operations:policy:privacy_regulations [2023-12-14 11:30] – ↷ Links adapted because of a move operation hpoort
+++ operations:policy:privacy_regulations [2024-07-02 07:35] (current) – hpoort
@@ Line 1: / Line 1: @@
 ====== Privacy Regulations  ======
-The Privacy Regulations are a company wide document that governs how FritsJurgens deals with GDPR-qualifying personal data. It is one of the policies governed by the [[:operations|Operations circle]].
+The Privacy Regulations are a company-wide document that governs how FritsJurgens deals with GDPR-qualifying personal data. It is one of the policies governed by the [[: operations|Operations circle]].
-{{:flags:nl.png?20&nolink|}} Privacyreglement
+{{:flags:nl.png?20&nolink|}} //Privacyreglement//
 ----
-FIXME
+This policy is based on the General Data Protection Regulation (GDPR: [[https://autoriteitpersoonsgegevens.nl/over-de-autoriteit-persoonsgegevens|link)]], which took effect on 25-05-2018.
-Naar dit reglement wordt verwezen vanuit:
+This are the privacy regulations for the protection of personal privacy in the context of personal registration and apply to the services provided by FritsJurgens.
-  - [[https://fritsjurgens.sharepoint.com/:w:/r/sites/support/_layouts/15/Doc.aspx?file=2023%20FritsJurgens%20-%20Toestemmingsverklaring%20personeel.docx|De toestemmingsverklaring personeel]]
-  - Website (of op de website moet een variant komen met alleen het publieke gedeelte)
-  - Diverse wiki-pagina's
-Wat moet hier in komen te staan:
+Responsible publisher: FritsJurgens © 05-12-2023. All rights reserved. No part of this publication may be reproduced, stored in an automated database, or disclosed in any form or manner without prior written consent from the responsible publisher.
-  * Volgens de samenvatting:
-    * Alle medewerkers van FritsJurgens zijn gebonden zich te houden aan dit privacyreglement.
-    * Alle medewerkers van FritsJurgens zijn tot geheimhouding verplicht, ook na beëindiging van het dienstverband bij FritsJurgens.
-    * Dat gegevens alleen geregistreerd, verwerkt en gedeeld mogen worden met toestemming van de betrokkene.
-    * Welke persoonsgegevens geregistreerd worden en welke gegevens met andere partijen gedeeld mogen worden.
-      * Dit laatste moet een volledige opsomming zijn, met naam en toenaam van de externe partijen
-      * Betreffende gegevens van medewerkers
-        * We registeren:
-          * Voor salaris: NAW, Burgerservicenummer, contractgegevens zoals: functie/salarisschaal/salaris, een kopie ID-bewijs en de ondertekende loonheffingsverklaring.
-          * In geval van ziekteverzuim: NAW, Burgerservicenummer, salaris, aard van het ziekteverzuim, re-integratievoortgang
-          * Voor de interne communicatie: Naam, functie, zakelijk e-mailadres, zakelijk telefoonnummer, rooster en taken.
-          * Voor bedrijfsactiviteiten: dieetwensen en allergieën.
-          * Voor noodgevallen: contactgegevens voor noodgevallen
-        * In verband met dienstverband delen we gegevens met:
-          * Salarisadministratie (Mulderij & Partners): voor de salarisadministratie. Zij gebruiken het online-salarisadministratiepakket Loket.nl. De salarisadministratie geeft de wettelijk vereiste gegevens ook door aan de Belastingdienst.
-          * Pensioenfonds (ASR): uitsluitend voor de initiële aanmelding bij hen (jijzelf geeft hen daarna de toestemming om je gegevens te verwerken en door te geven aan de salarisadministratie; hiervoor zijn zij de gegevensverwerker).
-          * Evt. Ziekteverzuimverzekeraar (deze hebben we nu niet): Dit betreft persoonsgegevens zoals NAW, BSN, Salaris en ziekteverzuimpercentage.
-          * Arbodienst: De arbodienst krijgt inzage in de aard van het ziekteverzuim.
-          * Evt. Verzuimbegeleiding (Alpina@Work): Met de verzuimbegeleidingsorganisatie wordt gecommuniceerd over de re-integratievoortgang ingeval van langdurige ziekte.
-          * Accountant (Afier): De accountant heeft inzage in en krijgt een kopie van de gehele boekhouding waar o.a. de salarisadministratie deel van is.
-        * In verband met de werkzaamheden delen we gegevens met:
-          * IT-partner (MatenICT), softwareleveranciers (Microsoft, Zoho, <del>2DAYSMOOD</del>, Holaspirit): je naam en je zakelijke contactgegevens.
-          * Collega's: Onder collega's worden alle medewerkers en stagiaires binnen FritsJurgens verstaan. Via het administratiepakket kunnen alle medewerkers beschikken over de werkroosters en zakelijke contactgegevens van alle collega's. Het gaat hierbij om naam, functie, zakelijk mailadres, zakelijk telefoonnummer, werkrooster en rollen.
-          * Organisator bedrijfsuitjes: naam, dieetwensen en allergieën (indien deelname).
-          * Onderaannemers en bij FritsJurgens gedetacheerden: worden beschouwd als externe collega's. De administratie zorgt dat deze externe collega’s kunnen beschikken over de zakelijke contactgegevens van de medewerkers waar zij mee te maken hebben.
-          * Klanten: uitsluitend naam, functie, zakelijk mailadres en werkrooster.
-          * Website: de naam en functie van de medewerker.
-          * Noodcontact: Dit betreft de contactgegevens van een of enkele personen waar in geval van noodsituaties contact mee gezocht moet worden.
-      * Betreffende gegevens van potentiële klanten en netwerkcontacten:
-        * We registreren:
-          * Naam, zakelijke contactgegevens, vraag en rol binnen het bedrijf waar we contact mee hebben
-          * Alle communicatie (e-mails, chats, telefoonnotities)
-          * Alle overige informatie die we door deze klanten zelf aangeboden krijgen, inclusief zoekgedrag op onze website en media-uitingen
-          * Bedrijfsgegevens inclusief dat wat we door dataverrijking vanuit publiekelijk toegankelijke internetbronnen kunnen vinden
-          * FIXME
-        * We gebruiken:
-          * Deze gegevens voor marktanalyse
-          * Nieuwsbrieven alleen indien aangemeld
-          * FIXME
-        * We delen:
-          * Naam, zakelijke contactgegevens en vraag met de dealer in de regio of het toepassingsgebied van de klant (na toestemming)
-          * FIXME
-      * Betreffende gegevens van werkelijke klanten:
-        * Naam, adres en zakelijke contactgegevens
-        * Van bedrijven: BTW-nummer indien in EU, betalingsgegevens, contractgegevens
-        * FIXME
+===== 1. Definitions  =====
+In this policy, the following terms are defined:
+^ Term   ^ {{:flags:nl.png?20&nolink|}}Nederlandse term               ^ Definition  ^
+^ Privacy                      | //privacy//                          | The right of individuals to protect personal privacy concerning recording and providing personal data.  |
+^ FritsJurgens                 | FritsJurgens                         | Each of the companies under [[operations:fritsjurgens_b.v._address|the FritsJurgens holding.]]  |
+^ Data Subject                 | //betrokkene//                       | The individual whose data is processed. This includes employees, network contacts, customers, debtors, and suppliers.  |
+^ Data Controller              | //verwerkingsverantwoordelijke//     | The entity determining the purpose of processing personal data; within FritsJurgens, this is the management.  |
+^ Processor                    | //verwerker//                        | The entity authorized to process personal data; within FritsJurgens, this includes the administration and employees, including hired external subcontractors.  |
+^ Processor Supervisor         | //bewerker//                         | The entity processing personal data under the authority of the data controller.  |
+^ Recipient                    | //ontvanger//                        | Someone who receives personal data.  |
+^ Personal Data                | //persoonsgegevens//                 | All information that can be traced back to an identified natural person.  |
+^ Health Data                  | //health data//                      | Personal data related to a person's physical or mental health, including healthcare data provided.  |
+^ Processing of Personal Data  | //verwerking van persoonsgegevens//  | Any action involving personal data, including but not limited to collecting, recording, organizing, storing, updating, modifying, retrieving, consulting, using, disseminating, or destroying data.  |
+^ Consent                      | //toestemming//                      | Demonstrable agreement of the data subject to the intended data processing, provided through signature, checkbox + signature on a consent form, data submission by the data subject who has previously consented to recorded data, or written consent such as email or WhatsApp message.  |
+^ Confidentiality              | //geheimhouding//                    | Every employee of FritsJurgens who has access to the personal data of employees and customers is obliged to maintain confidentiality. This obligation also applies after termination of employment.  |
+Throughout the policy, for some words, the Dutch translation is given in italics, to clarify.
+===== 2. Scope  =====
+  - This policy applies to all paper files, all digital files, and unwritten information within FritsJurgens, as well as its associated data exchange and processing.
+  - FritsJurgens processes information in the following categories:
+    * [[operations:policy:privacy_regulations:fields_per_category#personal_data|Personal data]] such as name, address and contact details
+      * for personel also date of birth and social security number (//burgerservicenummer, BSN//)
+    * [[operations:policy:privacy_regulations:fields_per_category#background_data|Background data]] such as work history, skillset and personal network
+    * [[operations:policy:privacy_regulations:fields_per_category#contract_data|Contract data]] such as employment contracts, permission forms, purchase and sales contracts, and review reports
+    * [[operations:policy:privacy_regulations:fields_per_category#proces_data|Process data]] such as date of entry, software usage logs, complaints registration, reports of data breaches, incident reports
+  - This policy applies within FritsJurgens and relates to the processing of personal data of:
+    * [[operations:policy:privacy_regulations:fields_per_subject#accounts|Potential customers and network contacts]] (individuals associated with companies in their professional capacity only).
+    * [[operations:policy:privacy_regulations:fields_per_subject#customers|Contacts of actual customers]] and other debtors.
+    * [[operations:policy:privacy_regulations:fields_per_subject#vendors|Contacts of suppliers]], including subcontractors and other companies.
+    * [[operations:policy:privacy_regulations:fields_per_subject#employees|Employees]], including interns and indirectly hired workforce.
+    * [[operations:policy:privacy_regulations:fields_per_subject#relations|Employee's relations]] such as emergency contact and family composition.
+===== 3. Purpose  =====
+  - The purpose of collecting and processing personal data is to have the necessary information for conducting market analysis, sending newsletters (if subscribed), and managing personnel and the company's functioning.
+  - The data of potential customers and network contacts are collected and processed for:
+    - Market analysis.
+    - Sending newsletters (if subscribed).
+    - Referrals.
+  - The data of debtors (i.e. customers), are collected and processed for:
+    - Executing and communicating about provided orders.
+    - Invoicing and receiving payment.
+    - Discussing potential new orders.
+  - The data of creditors (i.e. suppliers and subcontractors), are collected and processed for:
+    - Executing and communicating about provided orders.
+    - Paying invoices and accounting for payments.
+    - Discussing deliveries or services.
+  - The data of employees are collected and processed for:
+    - Making and executing an employment or internship agreement.
+    - Conducting payroll administration.
+    - Collaborating as colleagues.
+    - Being prepared for emergencies.
+  - The data of employee's relations are collected and processed for:
+    - Communicating in case of emergencies.
+    - Implementing 'attentive employership' (e.g. Sinterklaas gifts, baby shower gifts).
+===== 4. Representation  =====
+The subject whose personal data are recorded may be represented:
+  * If younger than sixteen years: by their parent or guardian (such as name and age of employee's children);
+  * If under legal restrictions: by their official representative (curator, mentor, //bewindvoerder//).
+===== 5. Responsibility for maintenance and liability  =====
+  - The management is responsible for ensuring the proper processing and management of personal data and can be held liable for it, except in case of force majeure.
+===== 6. Access to data  =====
+Access to the data is restricted to employees having certain roles grouped in so-called circles of accountability, which roles makes the data processing essential:
+^ Role             ^ Purpose                      ^ Access  ^
+| People & Culture recruiting   | responsible for recruitment  | all data of applicants, read skillsets of employees  |
+| People & Culture contracting  | responsible for contracting  | all data of employees  |
+| Hero's           | working in a team            | read role/name/schedule of employees  |
+| BD               | responsible for regions      | all data of contacts and customers  |
+| Sales            | responsible for sales        | all data of customers  |
+| Marketing        | responsible for marketing    | all data of contacts  |
+| Support          | support other roles          | all data managed by the roles requiring support  |
+| Operations       | ultimate responsibility      | all, if required only  |
+===== 7. Sharing data  =====
+  * Regarding employment, we share data with:
+    * Payroll administration //salarisadministratie// ([[https://mulderijenpartners.nl/wp-content/uploads/Privacyverklaring.pdf|Mulderij & Partners]]): for payroll administration. They use the online payroll administration package [[https://www.loket.nl/privacy-statement/|Loket.nl]]. The payroll administration also provides the legally required information to the Tax Authorities.
+    * Pension Fund //pensioenfonds// ([[https://www.asrnederland.nl/privacyverklaring|ASR]]): exclusively for the initial registration with them (you subsequently permit them to process and transmit your data to the payroll administration; they are the data processor for this).
+    * Possible Sick Leave Insurance //ziekteverzuimverzekering// (currently not applicable): This includes personal data such as Name, Address, Citizen Service Number //BSN//, Salary, and sick leave percentage.
+    * Occupational Health Service //arbodienst// ([[https://www.alpinawork.nl/privacyreglement/|Alpina@Work]]): The occupational health service has insight into the nature of sick leave.
+    * Possible Absence Guidance //verzuimbegeleiding// ([[https://www.alpinawork.nl/privacyreglement/|Alpina@Work]]): Communication with the absence guidance organization involves reintegration in case of prolonged illness.
+    * Accountant ([[https://afier.com|Afier]]): The accountant has access to and receives a copy of the entire administration, including the payroll administration.
+  * For work-related activities, we share data with:
+    * IT partner ([[https://MatenICT.nl|MatenICT]]), software suppliers ([[https://privacy.microsoft.com/nl-nl/privacystatement|Microsoft]], [[https://www.zoho.com/privacy.html|Zoho]], [[https://www.holaspirit.com/privacy|Holaspirit]]): your name and business contact details. All data is hosted within the EU.
+    * Colleagues i.e. all employees and interns within FritsJurgens. Through the administration package, all employees have access to all colleagues' work schedules and business contact details. This includes name, position, business email address, business phone number, work schedule, and roles.
+    * Organizer of company outings: name, dietary preferences, and allergies (if participating).
+    * Subcontractors and FritsJurgens seconded employees: considered external colleagues. The administration ensures that these external colleagues have access to the business contact details of the employees they are dealing with.
+    * Customers: only name, position //functietitel//, business email address, and work schedule.
+    * Website: the name and function/position of the employee.
+    * Emergency contact: This involves the contact details of one or more individuals who should be contacted in emergencies and with whom only the nature of the emergency is shared.
+===== 8. Processing special personal data  =====
+This privacy regulation explicitly does **not** cover any personal data that is classed as 'special'. This means that within FritsJurgens any data classed as such, such as medical data or information about religion or political preference, may not be handled in any way.
+===== 9. Rights of the data subject  =====
+FritsJurgens conforms to the legal requirements giving the data subject at least the following rights:
+  * When the data subject has given consent for the processing of their data, the management must be able to prove that this has consent has been given.
+  * The data subject has [[operations:policy:privacy_regulation:withdraw_consent|the right to withdraw their consent]] at any time.
+  * The data subject has [[operations:policy:privacy_regulation:port_personal_data|the right to data porting]].
+  * The data subject has [[operations:policy:privacy_regulation:delete_personal_data|the right to be forgotten]].
+  * The data subject has [[operations:policy:privacy_regulation:access_personal_data|the right to access]].
+  * The data subject has [[operations:policy:privacy_regulation:rectify_personal_data|the right to rectification and supplementation]].
+===== 10. Data protection  =====
+  - FritsJurgens has the legal obligation to take both organisational measures (see below) and [[it:policy:technical_data_protection|technical measures]] (see link).
+  - Paper files (i.e. contracts only) are kept under personal guard of the roles responsible for contracting, signage or administration, until they are scanned and digitally archived after which they are shredded.
+  - Digital files are stored on the [[it:software:sharepoint|Microsoft SharePoint]] environment only (including OneDrive local cache).
+  - Devices used to access Microsoft SharePoint are protected by at least password to the security standards set by our IT partner [[https://matenict.nl|MatenICT]].
+  - Personal data is stored in the dedicated applications only (see the [[it:policy:it_where_to_save_documents|IT policy on where to save data]]), but name and function (only) of employees may end up in any of the [[it:software|software packages]] used throughout the organization.
+  - When sensitive personal data is to be sent, [[it:howto:sending_sensitive_data|appropriate protection measures]] should be taken.
+  - All online data is stored within the EU only.
+  - Whenever anyone within FritsJurgens finds out about breach of security or an actual breach, the [[it:policy:protocol_datalekken|Protocol data leaks]] is to be followed.
+  - Any breach in relation to personal data is registered in the data leak register of FritsJurgens.
+===== 11. Data retention  =====
+Different documents have different retention periods:
+| Destroying paper files                         | 1 day after the digital scan has been properly archived. |
+| Destroying digital files                       | FIXME  |
+| Destroying access logbook                      | 5 years after mutation date.  |
+| Destroying email archive                       | FIXME  |
+| Destroying digital calendars                   | 5 years after the end of the fiscal year.  |
+| Destroying personnel file                      | 2 years after termination of employment.  |
+| Destroying payroll administration              | 7 years after the end of the fiscal year.  |
+| Destroying financial information (debtors)     | 7 years after the end of the fiscal year.  |
+| Destroying list of destroyed files             | 20 years after destruction.  |
+| Destroying digital backups                     | 5 years after backup date.  |
+| Destroying after approved destruction request  | 3 months after the request.  |
+| Destroying job application letter and CV       | 4 weeks after completion of the job application process, or one year for open applications.  |
+===== 12. Complaints procedure  =====
+The data subject can file a complaint with the management about data processing. This can be done in writing via [[info@fritsjurgens.com]].
+===== 13. Change log  =====
+  * Any future changes of this policy will be approved by the management and presented in a meeting for all employees.
+  * Changes become effective no sooner than four weeks after having been announced to all involved.
+  * This policy becomes effective per FIXME 01-01-2024
+  * The policy is available on this wiki page or in print through the reception of FritsJurgens.
+==== 14. References  ====
+  * These privacy regulations are referred to from: [[https://fritsjurgens.sharepoint.com/:w:/r/sites/support/_layouts/15/Doc.aspx?file=2023%20FritsJurgens%20-%20Toestemmingsverklaring%20personeel.docx|De toestemmingsverklaring personeel]]
+  * A similar regulation is found on [[https://www.fritsjurgens.com/fritsjurgens-privacy-statement|The website]]
+  * Various wiki pages