- Introduced "Pension Scheme & Benefits" detailing secondary employment benefits and pension specifics. - Created "Roles & Accountabilities" outlining the Holacracy role structure and responsibilities within Respellion. - Added "Security" section covering GDPR compliance and workplace safety protocols. - Established "Spending and Contracting" policy detailing expense categories and submission processes. - Documented "Who We Are" to define Respellion's identity, services, and operational model under Holacracy and ISO 9001.
5.9 KiB
title, category, source_files, summary, tags, related_topics, status_notes, ai_context
| title | category | source_files | summary | tags | related_topics | status_notes | ai_context | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Security | Security |
|
Working with personal data under the GDPR (what counts as processing and as personal data, ordinary vs special vs sensitive categories, and the BSN rules), plus a placeholder for BHV/evacuation and RI&E procedures. |
|
|
|
"GDPR" and the Dutch "AVG" are the same regulation. "BSN" = Burgerservicenummer = Dutch Citizen Service Number / national identification number. The QMS quality policy in who-we-are.md commits to "security by design", which this section operationalizes for personal-data handling. The BHV/evacuation subsection is an unfilled placeholder in the source material and should not be treated as authoritative guidance. |
Security
This section covers data protection (GDPR) and workplace safety (BHV/evacuation, RI&E).
Working with Personal Data: Understanding the GDPR
In providing our services, we frequently work with personal data. Under the General Data Protection Regulation (GDPR), this is referred to as "processing." But what does this actually mean? And what exactly constitutes personal data?
The GDPR came into effect on May 25, 2018. This is a European regulation that governs the processing of personal data. The GDPR has significant implications for our organization because we constantly work with the personal data of individuals.
When does the GDPR apply?
The GDPR applies to the processing of personal data. The GDPR does not apply to the data of deceased individuals.
First, you must determine if the actions you perform with data constitute "processing." According to the GDPR, processing is any operation or set of operations performed on personal data. Common operations include: collecting, recording, storing, altering, retrieving, consulting, using, disclosing, erasing, and destroying data.
In practice, this means that almost any handling of personal data is considered "processing" under the GDPR.
What is personal data?
The GDPR defines personal data as any information relating to an identified or identifiable natural person. This means information that is directly about an individual or can be traced back to that individual. Data about organizations is not considered personal data under the GDPR.
Examples of Personal Data
There are many types of personal data. Obvious examples include a person's name, address, and place of residence. However, telephone numbers and postal codes combined with house numbers are also personal data.
Indirect personal data can also exist. This refers to data that, when combined with other information, reveals something about an individual or can be traced back to them.
Ordinary Personal Data. Examples include names, file numbers, or contact details. Ensure that access to or viewing of this data is restricted only to individuals for whom it is necessary for their role.
Special Categories of Personal Data. Sensitive data such as a person's race, religion, health, criminal record, and biometric data (e.g., fingerprints) are referred to as special categories of personal data. Processing special categories of personal data is prohibited unless a specific legal exception applies. Consult your designated privacy officer if you use or intend to use this type of data.
Sensitive Personal Data. Some data may not be classified as "special category" by definition but is sensitive enough to warrant extra precautions. This includes data concerning:
- Electronic communications
- Location data
- Financial data (such as income or purchasing behavior)
- Citizen Service Numbers (BSN) / National Identification Numbers
Genetic personal data is also sensitive because it provides unique information about an individual's physiology or health, and/or the health of their family members, making the information particularly delicate. For instance, Citizen Service Numbers (BSN) may only be used for purposes prescribed by law. It is not permitted to process or use these numbers for other purposes. Exercise extreme caution when handling such data. Ensure that this data is stored in secure applications and not in unsecured files on local or shared drives.
BSN: Citizen Service Number (Burgerservicenummer)
A national identification number is a unique number established by law. In the Netherlands, the most well-known national identification number is the Citizen Service Number (BSN). These numbers may only be used for purposes prescribed by law. Processing them for purposes other than those legally specified is not permitted.
Examples of Dutch laws regulating the use of the BSN include the General Provisions for Citizen Service Number Act (Wet algemene bepalingen burgerservicenummer), the Use of Citizen Service Number in Healthcare Act (Wet gebruik burgerservicenummer in de zorg), and the Personal Identification Numbers in Education Act (Wet persoonsgebonden nummers in het onderwijs).
BHV & Evacuation Plan, RI&E
Placeholder. Evacuation and safety procedures (BHV, evacuation plan, and the Risk Inventory & Evaluation / RI&E) are not yet documented in the source material. This subsection should be completed with the actual procedures before being relied upon.
Related Topics
- Who We Are — the ISO 9001 QMS and its "security by design" quality policy, which this data-protection guidance puts into practice.
- Spending and Contracting — use of 1Password and shared accounts, relevant to storing sensitive data securely.