1. General information
Symphony Solutions BV (hereinafter referred to as “SSBV”, “Company” or “we”) with a registered office at Laarderhoogtweg 25, 1101 EB, Amsterdam, The Netherlands, processes personal data in accordance with the General Data Protection (hereinafter referred to as GDPR). SSBV takes care of the privacy of the data subjects by respecting their right for privacy, observance of the principles and provisions for the protection of personal data and their legal processing, using numerous technical and organizational controls, measures and mechanisms which are continuously being upgraded.
Data Controller and Data Processor: Symphony Solutions BV
Data Protection Officer (DPO): Aleksandar Gacevski, Mykola Zaika
Direct DPO Contact: email@example.com
Regulatory Body/Authority: Autoriteit Persoonsgegevens
Address: PO Box 93374, 2509 AJ, DEN HAAG
Phone number: +31708888500
2. Applicable regulation
- The General Data Protection Regulation, EU 2016/679 (GDPR)
SSBV continually strives to follow the principles of the GDPR that are based on legitimate processing of personal data, processing that has a definite purpose, avoiding over-processing/excessive processing, whilst maintaining integrity of personal data and ensure their secrecy and disclosure to unauthorized persons.
3. Reason for creation of this Policy
- is aware of the importance of the GDPR and protecting the privacy of data subjects
- has implemented numerous technical and organizational measures and controls in order to maintain the established level of protection of personal data / personal identifiable information
- is consciously relating to the obligation to protect personal data in cases where it is in the role of data controller, processor and sub-processor
- that it is open and transparent to the data subjects whose data are being processed
- has undertaken multiple protective measures with other Controllers, Processors and Sub-Processors
- continuously raises awareness among its staff regarding the processing of personal data
- acts proactively in terms of protecting the privacy of the data subjects by the principle ‘Privacy by Design’ that the GDPR promotes.
4. Definitions and terms used in this Policy
Privacy is a fundamental human right that implies protection against unnecessary disclosure of one’s identity. Privacy is closely linked to one’s physical security and freedom.
Personal Data / Personal Identifiable Information (PD or PII) is information that refers to an identified natural person or identifiable natural person or natural person that can be identified as a person whose identity can be determined directly or indirectly, based on only unique ID number of the citizen or based on one or more characteristics specific to his physical, mental, economic, cultural or social identity. The following categories of data are considered to be treated as personal: name, surname, address, date of birth, citizen’s ID number, ID card number, passport number, photo ID, telephone number, email address and other data through which you can directly or indirectly reveal the person’s identity.
Processing of personal data means an operation or set of operations performed on personal data by manual, automated, electronic or other means, such as: collection, recording, organizing, structuring, storing, adapting or changing, retrieving, consulting, use, disclosure by transferring, posting or otherwise making available, combining, blocking, deleting or destroying.
A data subject is a natural person whose personal data is processed by SSBV.
A data processing agreement (DPA) is a legally binding document to be entered into between the controller and the processor in writing or in electronic form. It regulates the particularities of data processing – such as its scope and purpose – as well as the relationship between the controller and the processor.
Controller of personal data (Data Controller / Controller) is a natural or legal person, body of state authority or other body, which independently or together with others determines the purposes and the manner of personal data processing. SSBV has in some cases the role of Data Controller (for example: staff, applicants).
Processor of personal data (Data Processor / Processor) is a natural or legal person or a government authority which processes personal data on behalf of the Data Controller. The data processor processes the data in accordance with the applicable legislation, as well as in accordance with the guidelines and instructions obtained in the DPA signed with the Controller. In case of existence of a sub-processor, the Processor is obliged to inform the Controller, and to conclude with the sub-processor a DPA where the rights and obligations of the Processor are transferred/shared in relation to the Controller. SSBV in some cases acts as a data processor (for example: clients’ PII where in this case clients are data controllers).
Sub-processor of personal data (Sub-Processor) is a natural or legal person or authorized state agency that processes personal data on behalf of data processor and the data controller. The Sub-Processor shall process the data in accordance with the applicable legislation, as well as in accordance with the guidelines and instructions obtained in the DPA concluded with the Processor. SSBV in some cases acts as a sub-processor of personal data.
Data Protection Officer (DPO) is a person appointed by SSBV in order to implement and continuously maintain the level of compliance of SSBV with the regulations in the field of data protection. The DPO reports directly to the highest management body of SSBV. The DPO should have relevant knowledge in the field of personal data protection, act independently and act as part of a team of DPOs. In order to allow the DPO to act and deliver its opinion in a timely manner, DPO should be involved in SSBV’s activities in a timely manner (for example, involved in projects, information risk analysis, recruitment process in coordination with HR and other processes that are in any way connected to processing of personal data).
Special categories of personal data (sensitive data) are personal data that reveal racial or ethnic origin, political, religious, philosophical or other beliefs, union membership, and data on human health, including genetic data, biometrics data or data relating to sex life.
Data registry is a structured set of personal data that is accessible according to specific criteria, whether centralized, decentralized or disseminated on a functional or geographical basis.
Authorized staff are staff/personnel engaged by the Controller who has authorized access to documents containing PII and who have access to information systems where PII is being processed.
The General Data Protection Regulation, EU 2016/679 (GDPR or Regulation) is a European legal framework whose primary purpose is to enhance and unify the protection of privacy, personal data and their complete processing. It is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also refers to the transfer of personal data outside the EU and EEA areas.
Dutch data protection authority (Autoriteit Persoonsgegevens) is a regulatory body of state authority whose role is to ensure the right of privacy of data subjects.
A data protection impact assessment (DPIA) is a privacy-related impact assessment whose objective is to identify and analyze how data privacy might be affected by certain actions or activities.
Direct marketing is any form of communication made in any way for the purpose of sending advertising, marketing or propaganda material that is directed directly to a particular subject of personal data.
Cookies are text files that the web browser has stored in the user’s device and are used by websites to authenticate, preserve the information / preferences for the website, other information on browsing and to another which can help the web browser while accessing certain web servers.
5. Legal basis and purposes for processing PII
Under GDPR, there are six different legal bases under which personal data can be processed. SSBV uses a few of them, and these are briefly described below:
SSBV will collect and process data subjects PII with the statement of consent as legal ground only in situations when a contract or service agreement cannot be used as such (for example, job applicants). Such consent can be revoked at any point of time by the data subject by using minimal effort.
Performance or preparation of a contract / service agreement
In case personal data is required to fulfil a legal contract / service agreement with the data subject or to take necessary steps at the request of those concerned prior to entering into the contract, explicit consent is not required. This also applies to cases when SSBV signs a legal contract with a client for the provision of our IT and Consultancy services and solutions and the data subjects’ personal data is necessary to complete the contract.
When SSBV acts as Data Controller, it is required to collect and process the data subject’s personal data in order to comply with legal obligations such as the EU member state’s employment or taxation legislation. Examples of those purposes are tax and financial documents and health and safety protocols.
If processing specific personal data is in the legitimate interest of SSBV and a proportionality assessment determines that it is not overridden by the interests or fundamental rights and freedoms of the data subject, then this may be defined as a lawful basis for processing. Possible uses are monitoring, access control (for safety purposes), conducting background criminal checks of personnel, storing the feedback of interviews with applicants (to maintain quality and consistence of our recruitment process) and cookies on the website (to analyze website usability).
6. Processing of personal data within SSBV
Depending on the situation, SSBV can have the role of a Data Controller, Data Processor or Sub-Processor.
In each of the cases above, the processing of personal data must have an appropriate legal basis for processing.
SSBV always aims to minimize/narrow the set/amount of processed personal data regardless of the purpose of processing.
DPIA will be conducted in cases when there is a potential risk of compromised processing of PII.
6.1 SSBV as a Data Controller
In cases where SSBV acts as a Controller, SSBV collects personal data directly from the data subjects and then structures them into appropriate data sets. Each data set contains information on the legal basis of the processing, the purposes of the processing, categories of personal data processed, information on the data transfers, information on data retention. Examples of data sets where SSBV is in the role of Controller are data set of employees, private entrepreneurs, engaged persons, contractors, business associates, applicants, interns, visitors, individuals writing via our online contact form etc. The data we collect using these channels can be stored on SSBV’s servers but also cloud services like Amazon, Azure or Google Cloud.
In most cases the legal basis for processing these data subjects’ PII is binding service agreement / contract or a consent.
When SSBV collects personal data for specific purposes or on-time activities (for example: marketing activities, trainings for externals), SSBV needs from each data subject to collect consent for processing of personal data. Such consent should contain all mandatory elements according to the GDPR.
The collected PII is organized and stored into data registry containing multiple data sets.
The default retention period for the PII of applicants (most often included in a form of CV) is 2 years, unless we have permission from the data subject to keep his/her PII in order to get in contact for other openings.
The default retention period for the PII of visitors and data subjects who contact us via online forms is 1 year.
6.2 SSBV as a Data Processor
SSBV has the role of Data Processor in cases when it processes PII of data subjects on behalf of other Controllers. Most often, the purpose of processing is the realization of contractual obligations between the Controller (usually a client) and SSBV. The manner of processing is regulated within the service agreement or by signing a separate DPA between such Controller and SSBV.
SSBV is committed to providing equal level of protection for the PII regardless of its role.
6.3 SSBV as a Sub-Processor
SSBV has the role of a sub-processor in cases when it processes the PII of data subjects from other Controllers and Processors, on behalf of the Controller, the Processor or the data subjects. The purpose of such processing is usually the realization of contractual obligations between the Controller / Processor and SSBV. The manner of processing is regulated within the service agreement or by signing a separate DPA between the Controller / Processor and SSBV. SSBV is committed to providing equal protection and treatment for each PII regardless of its role.
7. Security of information systems and securing the processing of PII
Article 32 from the GDPR is all about security of processing. SSBV is committed to ensuring an appropriate level of information security by following the principle of providing confidentiality, integrity and availability to all information assets including the PII.
The information security objectives are set out as one of the Company’s strategic directions as SSBV is ISO 27001 certified company. Some of the controls aimed to protect valuable Company’s assets, including the PII are:
- Personnel security
- Access control
- Asset management
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
- Internal audits
8. Staff processing PII on behalf of SSBV
Before commencing their work with SSBV and starting processing PII on behalf of the Company, all staff are required to:
- sign a labor contract or a service agreement
- sign a Non-Disclosure Agreement (NDA)
- sign a Data Processing Agreement (DPA)
- comply with all the internal policies and procedures
- undergo trainings related to information security and protection of PII
Besides this, training related to information security and protection of privacy is organized for staff on an ongoing basis.
9. Transferring PII
When transferring personal data, SSBV acts in accordance with Article 46 of the Regulation.
When acting as the Controller, SSBV may transfer personal data to entities in countries inside EU / EEA and in third countries when there is secured an appropriate level of data protection but not lower than that SSBV has. When in the role of Controller, SSBV may transfer personal data to entities in EU / EEA member states as well as to third countries (outside of EU / EEA). Every such transfer of personal data is regulated by a DPA.
When acting as the Processor, SSBV may transfer personal data to entities in countries EU / EEA and in third countries (outside of EU / EEA) when there is secured an appropriate level of data protection, but not lower than that the Controller and SSBV have. Transferring data to third countries, SSBV may only perform in cases when that is being previously agreed with the Controller through a DPA. In such a case, the Controller is obliged to notify the subjects of personal data about the transfer which carries the data to the Processor and sub-Processor. When in the role of Processor, SSBV transfers personal data to entities in EU / EEA member states as well as to third countries (outside of EU / EEA). Every such transfer of personal data is also governed by a separate DPA.
When acting as a sub-Processor, SSBV may transfer personal data to entities in countries EU / EEA and in third countries (outside of EU / EEA) when there is secured an appropriate level of data protection, but not lower than that the Controller and Processor has. Transferring data to third countries SSBV may only perform in cases when that is being previously agreed with the Controller through a DPA. In such a case, Controller and Processor are obliged to notify the data subjects in relation to the transfer performed by the data to sub-processors. SSBV, when acting as a Sub Processor, transfers personal data to entities in EU / EEA member states as well as to third countries (outside of EU / EEA). Each transfer of personal data where SSBV is a sub-processor is governed by a separate DPA.
10. Data Retention
SSBV and its staff are fully aware of the GDPR principles and of the obligations related to data retention. The Company manages multiple data sets that are organized in the form of a Data Registry.
Depending on the purpose of processing and as well as on the obligations arising between the Controller and the data subjects, each data set may have a different retention period.
Upon fulfillment of the purpose of processing or after the expiry of the retention period of the PII whether SSBV is in the role of Controller, Processor or Sub-Processor, the records containing PII shall be destroyed in accordance with SSBV’s Data Retention Policy or according to a defined retention schedule with the Controller (most often a client of SSBV) in a manner that does not allow the PII to be further used or reconstructed. This applies not only to personal data stored in digital/electronic form but also to PII stored as hard copy documents.
11. Data subject rights
One of the main objectives of SSBV regarding processing of PII is to be proactive and transparent to the data subjects as possibly can. In regard to this the Company has established Procedure for exercising data subject rights.
The rights of data subjects with regard to their privacy and legality of processing their PII are according to Articles 13, 14 and 15 of the Regulation and are the following
- Right to object to incompliances on data processing
- Right for correction of personal data
- Right to restrict processing
- Data portability
- Right to access personal data
Such request may be addressed directly to the DPO’s email where will be further processed.
12. Profiling, machine learning and automated decision making
SSBV does not perform profiling, machine learning nor automated decision making on data subjects for any purpose.
13. Direct marketing
SSBV may conduct direct marketing only to data subjects who have given their consent for this specific purpose.
Cookies are small text files placed on user’s device by our web server via user’s browser. Cookies may stay on user`s computer after finish browsing of a page, close the browser or shut down a computer.
All web browsers can be configured to decline cookies or clear them upon request. This will not affect user`s browsing experience (since SSBV is not using them to personalize user`s experience, track shopping or involve users in any marketing-related activities).
15. Breach notification
In case of a security incident linked to the compromise, loss or disclosure of personal data to unauthorized persons, SSBV, if it owns contact details of the data subjects involved in the breach, shall directly inform the data subjects and/or other concerned parties about the incident.
In case the compromised personal data is inherited from another Controller, SSBV shall inform that Controller about the breach not later than 72 hours after SSBV became aware of the incident.
If there is a large-scale data breach, SSBV shall deliver a public announcement or an appropriate posting on its website or other public media, not later than 72 hours after SSBV became aware of the incident.
This obligation is also very often included in the DPAs signed between SSBV and the Controllers / Processors.
Symphony Solutions BV