NIS Consulting values the right to privacy and is committed to ensuring that the acquisition, processing and use of all personal data shall be conducted in a secure, ethical and transparent manner in accordance with applicable law.
This Policy is the basis for all personal data privacy at NIS Consulting and sets out its governance and principles regarding the following:
Processing and handling personal data of current, past and future employees, customers, suppliers, or other third parties
Storing personal data on physical files (e.g. paper) or in an electronic form (e-mail or documents created using software applications)
This policy shall apply together with other policies and procedures.
GDPR
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
Data controller
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data processor
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.
Data subject
The identified or identifiable natural person to whom the processed personal data relates.
Personal data
Any information relating to an identified or identifiable natural person (the data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the genetic, physical, physiological, mental, economic, cultural or social identity of that natural person.
Processing
Any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Recipient
A natural or legal person, public authority, agency or other body to which the personal data are disclosed.
Sensitive personal data
Personal data revealing a person's ethnic origin, political or philosophical beliefs, religious beliefs, trade union membership and positions held in trade unions, physical or mental health, sexual orientation, administrative or criminal convictions, social security documents, national register number or bank account number, any of which may facilitate identity theft.
- SUMMARY OF RESPONSIBILITIES
HR or the DPO will oversee the general application of this policy and will:
- Recommend adaptations to this policy when legislation or the business context changes;
- Collaborate with the legal department, IT, HR and other functions on data privacy matters;
- Develop and provide communication and training;
- Advise management on data privacy;
- Escalate significant compliance issues, their mitigation plans and the implications of privacy legislation to management.
- DESCRIPTION OF THE POLICY
- Processing of personal data
NIS Consulting takes the following steps to protect the privacy of personal data:
All personal data is processed in accordance with applicable local laws, professional standards and all applicable local policies, in particular respecting the legal rights of the relevant person.
Where required by Applicable Legislation, data subjects will receive information about the purposes of the processing, the identity of the controller, the recipients or categories of recipients of the personal data, and any other information necessary to ensure that the processing is in line with the standards set out in this policy.
Where Applicable Legislation so requires, the consent of the data subjects concerned will be requested before their personal data is processed.
Additional measures will be applied to sensitive personal data. Specifically:
- Sensitive personal data is not collected unless it is necessary for the purposes of the processing;
- Access is limited to the persons who need it;
- Explicit consent is requested where required.
- Processing principles
NIS Consulting processes personal data in line with applicable legislation and in accordance with the following data protection principles:
Lawfulness, fairness and transparency: personal data is processed in a lawful, fair and transparent manner.
Purpose limitation: personal data is processed only for the purpose specified at the time of collection. The purpose may be changed only to a limited extent and, in general, only with the data subject's consent.
Data minimisation: personal data processed is adequate, relevant and limited to what is necessary for the purposes of the processing. Where the purpose allows and the effort is proportionate, anonymised or pseudonymised data is used instead. Personal data is not collected speculatively or retained for possible future purposes unless this is necessary or permitted under applicable legislation.
Accuracy: incorrect or incomplete personal data is rectified, completed or erased.
Storage limitation: personal data is not kept longer than is necessary for the purposes for which it is processed. Data that is no longer needed once the applicable legal or business retention periods have expired is deleted. Where data is relevant to a pending legal dispute, it is retained until the dispute is finally resolved.
Integrity and confidentiality: personal data is processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.
- Legal basis
Applicable Legislation requires NIS Consulting to be transparent about the legal grounds that justify its processing of personal data. The most important legal grounds that apply to our processing are:
Processing is necessary for the performance of a contract;
Processing is necessary to comply with a legal obligation to which NIS Consulting is subject.
- Sharing of data
Personal data may need to be disclosed to third parties who require it (so-called "third party recipients").
NIS Consulting discloses personal data to third party recipients only where it is satisfied that an adequate level of data protection exists. In all cases, access to and transfer of personal data is limited to individuals on a need-to-know basis. Third party recipients are bound by a binding obligation to process the data only for the agreed purposes and to protect it by applying measures equivalent to those described in this policy.
- Cross-border transfer of personal data
Personal data may need to be transferred to countries outside the European Economic Area that do not provide a level of protection for personal data equivalent to that required by the GDPR.
- Data retention
Personal data is not stored for longer than is necessary for the purposes for which it was collected. The exact period depends on the purpose for which the data is kept. In addition, applicable laws and regulations may establish a minimum retention period for certain personal data.
- Rights of the Data Subject
Data subjects have the right to:
Obtain confirmation of whether or not their personal data is being processed and, if so, access their personal data and information about the processing;
Have incorrect personal data rectified or completed, and have the recipients of the personal data informed of the rectification;
Object to the processing of their personal data on specific grounds, and object at any time to the use of their personal data for direct marketing purposes;
In the case of an automated decision, obtain human intervention, express their point of view, obtain an explanation of the decision and contest it; and
Where processing is based on consent, withdraw that consent at any time, without the withdrawal affecting the lawfulness of processing carried out on the basis of consent before its withdrawal.
Under certain circumstances, data subjects also have the right to:
Have their personal data erased;
Restrict the processing of their personal data, in which case the data is only stored and not otherwise processed;
Receive their personal data in a portable form (data portability).
Personal data is processed on a strict "need-to-know" basis. This means that personal data is processed, and employees are given access to it, only where this is appropriate and necessary for the type and scope of the task in question. Employees are prohibited from using personal data for their own personal or commercial purposes, from disclosing it to unauthorised persons, and from making it available in any other form.
Appropriate technical, physical and organisational measures designed to protect personal data against accidental or unlawful destruction, accidental loss, alteration, unauthorised access or any other unlawful form of processing must be implemented. Access to personal data is limited to authorised recipients on a "need-to-know" basis. An information security policy proportionate to the risks identified for the processing must be maintained, and security programmes must be continuously adapted to mitigate operational risks and protect personal data, taking industry-accepted practices into account.
- Communication, awareness, training