Company Statement | General Data Protection Regulation
The General Data Protection Regulation will come into effect on 25 May 2018. From that date onwards, all EU Member States will be subject to the same privacy law. In the Netherlands, the GDPR will be replacing the provisions of the Dutch Personal Data Protection Act (Wet bescherming persoonsgegevens, Wbp).
The implementation of the GDPR within our organisation is now almost complete. We therefore think it important to inform you about what the introduction of the new privacy legislation may mean for you, and about the way in which your personal data are processed.
What are the key changes?
The GDPR sets out how organisations must process personal data, such as those of our clients and employees. The new regulation strengthens and extends the privacy rights of data subjects, giving them more opportunities to represent their own interests in relation to the processing of their personal data. This means that any organisation that records personal data will be subject to more requirements, and will need to be able to demonstrate its compliance with the law.
Approach taken by Vanbreda Risk & Benefits
We are of course highly committed to upholding the privacy of our clients, so all our processes and procedures are continually aligned to that purpose. In this way, we ensure that we comply with applicable laws and that the privacy of your personal data is safeguarded.
Below is an outline of the steps we have already undertaken and what you can expect from us in the near future.
We process various categories of personal data of our customers. For that reason, we are creating a register of processing activities (the data processing register). Among other things, this register will list:
- what personal data we process;
- for what purpose we process the relevant personal data;
- whether we process any special categories of personal data, or data relating to criminal convictions or offences;
- the parties we share these personal data with (such as insurance companies);
- how long we will retain these data.
Lawfulness of processing
We are only permitted to process your personal data if there is a lawful basis for doing so. In many cases, the performance of an agreement constitutes such a basis, for example when we carry out work on our clients' behalf. In addition, we are permitted to process data in order to comply with our statutory obligations, for example under tax law, the Financial Supervision Act (Wet op het financieel toezicht) or the Pensions Act (Pensioenwet).
Personal data have to be processed in a lawful, fair and transparent manner. For that reason, we have drawn up a privacy statement setting out which categories of personal data we process, for what purpose we process them, on what legal basis we do so and for how long we keep such data in our records. The statement also contains the contact details of our Compliance Officer and lists the remedies available to you if you object to the way in which we process your personal data. You can find the most current version of this statement here.
Data subjects’ rights
Under the GDPR, data subjects will be afforded more opportunities to represent their own interests in relation to the processing of their personal data, such as the right of access and the right to data portability. We have procedures and instructions in place to ensure that we can respond to your request within the prescribed response times, should you choose to exercise one of these rights.
Security measures for systems
Vanbreda Risk & Benefits' application and data platform is hosted by an external SaaS provider. We have agreed appropriate service levels with this provider in the field of data protection and security, and the provider holds the relevant certification in this regard.
Specific procedures govern access to our applications and data, such as a login process via a VPN tunnel and a strict access policy. Applications and data can be accessed only through these procedures; direct access to the underlying databases is therefore restricted. Rights to use the individual applications and to access data are assigned to employees on the basis of their job role, according to fixed procedures. All access requests and changes to access rights are logged and reviewed.
Needless to say, our entire environment is also protected by anti-virus and anti-spam tools.
Procedure for email with special personal data and data breaches
Ensuring the security of your personal data is our highest priority. For that reason, emails containing collections of special or other personal data are sent in a secure manner, and documents containing such data are also password protected. In this way, we prevent these data from being read or accessed by unauthorised persons.
If, despite these careful procedures, personal data nevertheless end up in the hands of someone who is not authorised to access them (for example, as a result of human error), our internal data breach procedure ensures an adequate response to the incident. Our employees are already familiar with this procedure. Such data breaches are recorded and, where the GDPR requires it, reported to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
We have processing agreements in place with our processors. A processor is a party that carries out processing activities on our behalf, such as the providers of the systems we use. The mutual arrangements we have with such parties are laid down in the processing agreement. This allows us to ensure that the privacy of your personal data is safeguarded.
In principle, we do not conclude processing agreements with our clients. There is no need for that – after all, in the vast majority of cases, we do not act as a processor. Please read this article for more information on the subject.
Nor do we conclude processing agreements with insurance companies. This is because insurance companies, like ourselves, qualify as controllers under the GDPR, and two controllers are not required to conclude a processing agreement with one another.
We appreciate that the GDPR is a hot topic on everybody's mind and that you would especially like to know whether we are GDPR compliant. Please rest assured that we will be fully compliant with the requirements in force by 25 May 2018. In most cases, concluding a processing agreement is not required, because we do not qualify as a processor vis-à-vis our clients but rather as a controller. For that reason, we will not sign or return copies of processing agreements sent to us by clients for signature: such contracts do not apply to our relationship and are consequently not required.
Should you still have any questions for us after reading this statement, please contact our Compliance Officer, Marieke Bleijenberg. She will be happy to answer any questions that you may have.
+31 (0)88 - 273 32 41