3. Commitment to personal data protection
4. Roles and responsibilities
5. Set-up of data protection approach
5.1 Personal data protection framework
5.1.1 Laws and regulations
5.1.2 Data processing principles
5.2 Concrete measures
5.2.1 Technical and organisational security measures
5.2.2 Third parties and data processor agreements (PA)
5.2.3 Records of processing activities (RPA)
5.2.4 Data protection impact assessment (DPIA)
6. Changes to this policy
Figure 1: set-up roles and responsibilities
Figure 2: set-up of data protection approach
01/10/2020 – BIRD Group vzw
Employees’ personal data (applicants (present and past), current employees (full-time, part-time and temporary), former employees, external employees, interns and contractors;
Shareholders’ and partners’ personal data;
On-site visitors’ personal data;
Website visitors’ personal data;
Suppliers and customers contact persons’ personal data.
Controller is defined as a natural or legal person who (either alone, jointly or together with other persons) determines the purpose(s) “for which” and the manner “in which” any personal data is or will be processed
Data subject is defined as a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
DPA Data Protection Authority
DPIA Data Protection Impact Assessment as defined in the GDPR
DPO Data Protection Officer as defined in the GDPR and local regulations, and is officially registered with the Supervisory Authority (also known as Data Protection Authority, hereinafter: “DPA”)
PA Processing agreements as defined in the GDPR
Personal data is defined as any information relating to an identified or identifiable natural person. An identifiable natural person is the one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or, or access to, personal data transmitted, stored or otherwise processed
Privacy responsible Data Protection Officer as defined in the GDPR and local regulations, but is not officially registered with the DPA
Processing is defined as any operation or a set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Processor is defined as a natural or legal person (other than an employee of the controller) who processes personal data on behalf of the controller. BIRD has for all relations with processor a valid processing agreement
RPA Records of Processing Activities as defined in the GDPR
Special categories of data is defined as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation (art. 9). Data relating to criminal convictions or offences is also sensitive (art. 10)
3. Commitment to personal data protection
BIRD wants to continue being an organization that cares about the privacy of people and their data and creates a culture and environment that is resilient to any accidental and deliberate personal data infringement occurring.
With all privacy and data protection efforts in place and envisioned, the achievement of the following objectives is paramount to BIRD:
Protection of confidential and privacy-sensitive information
Respect and protect the fundamental rights and freedoms of all data subjects
Ensure transparency, confidentiality and integrity of the processed personal data
Compliance with existing laws and regulations
BIRD processes personal data from customers, employees and suppliers on a daily basis. Any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or, or access to, personal data transmitted, stored or otherwise processed, can lead to, among other things:
A breach of the trust of customers and employees of BIRD
Damage for customers and/or suppliers with claims for damages as a result
Reputational damage to BIRD
Violation of legislation
4 Roles and responsibilities
In order to guarantee confidentiality and careful handling of personal data, all individuals working for BIRD must ensure that personal data that is being processed happens in line with this policy and the data protection principles. Therefore employees, contractors and other stakeholders involved have the responsibility to:
Identify personal data processing activities and the risks that accompany the processing of personal data
Only process the data necessary to achieve a predefined purpose
Execute the proposed measures by BIRD and follow up on the changes in the policies and
Informing the privacy responsible on major changes in the entity
Inform the privacy responsible if any doubts and/or questions arise
Know BIRD’s vision on privacy and recognize what this means for his/her responsibilities
For questions relating to privacy and data protection, BIRD has appointed a Data Protection Officer which you can reach at firstname.lastname@example.org.
5 Set-up of data protection approach 5.1 Personal data protection framework
In this section the relevant privacy data protection laws and regulations, the personal data protection principles and BIRD procedures and policies are being explained.
5.1.1 Laws and regulations
EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016, or the European General Data Protection Regulation (GDPR), defines the rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. In addition, the GDPR foremost protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
5.1.2 Data processing principles
Every company is obliged to process personal data in accordance with the data processing principles as described in the GDPR. BIRD has put the appropriate organizational and technical measures in place to assure compliance with these principles and ensures continues evaluation of these measures.
Therefore, it is also important for every employee dealing with personal data to be aware of the data processing principles. In addition, BIRD employees and stakeholders involved should only process personal data after analysis and application of the following six principles.
220.127.116.11 Lawfulness, fairness and transparency
BIRD should assure that personal data is collected and further processed in a lawful, fair and transparent manner.
Irrespectively of the personal data collected, whether it is direct or indirect, personal data processing by BIRD needs to be based on one of the legal grounds listed under the GDPR, namely:
Consent of the data subject should be informed explicit, specific and unambiguous e.g. to use pictures of data subjects on BIRD website;
Legitimate interest pursued by BIRD could be used as legal basis, unless such interest is overridden by the interests for fundamental rights and freedoms of the data subject;
Performance of the contract to which the data subject is a party or in order to take steps (at the request of the data subject) prior to entering into a contract e.g. employment contract;
Legal obligation to which BIRD is a subject;
Vital interest of the data subject e.g. in case of accident at work, BIRD as employer may
provide the name of the employee to the hospital;
Public interest e.g. performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the personal data is disclosed.
Personal data processing shall not have an adverse impact on the data subjects concerned, unless the EU or national law states otherwise. BIRD intends to only handle data subject’s data in ways he/she would reasonably expect, or BIRD can explain why any unexpected processing is justified.
The data subjects, whose personal data is collected directly or indirectly, must be informed in a timely manner about the processing, unless the EU or national law states otherwise.
Transparent processing is about being clear and honest with people about BIRD intentions and the purposes of processing.
18.104.22.168 Purpose Limitation
BIRD should assure that personal data is only processed for specific, explicit and legitimate purposes. If afterwards the personal data is processed for a new purpose, incompatible with the initial one, the data subject concerned is duly informed and has to provide his/her consent or is allowed to object to such processing e.g. collected samples should only be tested for the specified test.
22.214.171.124 Data minimization
BIRD should only gather personal data which is adequate, relevant and limited to what is necessary to achieve the purposes for which it is processed. When possible, personal data should be pseudonymised or anonymised e.g. remove the name of the sample and add an identifier, which is then listed on a separate document.
BIRD should assure that personal data is kept accurate and up to date throughout its lifecycle (from the collection to the destruction / deletion).
126.96.36.199 Storage limitation
BIRD should assure that personal data is no longer kept than necessary to meet the legitimate business purposes for which the personal data was collected and in compliance with BIRD data retention procedure in the Record of Processing Activites, unless EU or national laws state otherwise.
188.8.131.52 Integrity and confidentiality
BIRD protects personal data in a way that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.
The accountability principle requires BIRD to take responsibility for what it does with personal data and how it complies with the other principles.
Please find in this section an overview of the BIRD policies in place. This list is not exhaustive and is subject to change:
An overview of the importance BIRD attaches to privacy and personal data protection and serves as a guide for all BIRD stakeholders.
184.108.40.206 Internal privacy statement
The internal privacy statement explains which data is being processed from internal and external employees and contractors, the purpose and the legal grounds to do so.
220.127.116.11 External privacy statement
An external privacy statement (such as the consent forms when signing up for membership) provides information about the personal data that BIRD collects through its website and contact form, and the purposes for and legal bases on which BIRD processes that personal data.
18.104.22.168 Cookie statement
The cookie statement provides information about what cookies are, which cookies BIRD applies and how BIRD uses them on its website.
Please find in this section an overview of the BIRD procedures in place. This list is not exhaustive and is subject to change.
22.214.171.124 Data subject rights
Every individual has the possibility to exercise the freedoms and rights as described in the GDPR. BIRD has the obligation to respond in a timely manner to data subject requests and to make sure that the legal deadlines are met.
When dealing with a data subject request for exercising his/her rights, please consult the DPO at email@example.com.
The data subject rights explained:
a) Right to information
Data subject always has the opportunity to request his/her personal data (including processing purposes, categories of personal data, estimated retention period) and to be informed about what happens with the data collected from data subject.
b) Right to access
Data subject has the right to access their personal data.
c) Right to rectification, erasure, restriction and objection
Data subject is entitled to have incorrect personal data corrected or completed. Under certain circumstances, the data subject has the right to have their personal data removed from any files. Moreover, the data subject has the right to object to or ask for the restriction of the processing of your personal data. However, that in certain cases the processing of the personal data is necessary to comply with legal obligations or to be able to execute contractual obligations. In that case, compliance with those obligations will prevail over the data subject’s right to object or restriction or erasure. Therefore, BIRD will evaluate case by case whether or not the request can be complied with.
d) Right to data portability
Data subject has the right to receive their personal data, processed by BIRD in a structured, commonly used and machine-readable format and/or to transmit those data to another controller.
e) Right not to be subjected to automated individual decision-making including profiling
Data subject has the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects on the data subject or similarly significantly affects the data subject.
f) Right to lodge a complaint
If, at any time, the data subject is of the opinion that BIRD infringes his/her privacy, the data subject has the right to lodge a complaint with:
The Belgian supervisory authority: Gegevensbeschermingsautoriteit Drukpersstraat 35, 1000 Brussel +32 (0)2 274 48 00
+32 (0)2 274 48 35
126.96.36.199 Data breach
Any possible personal data breach, even if the impact is minimal, must immediately be reported to firstname.lastname@example.org and the DPO.
There is a personal data breach whenever there is breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data or if the data is made unavailable and this unavailability has a significant negative effect on individuals. Examples of a data breach are: accidental disclosure of e-mail addresses, loss of laptop, theft of a database, password leakage, etc.
Please read the procedure on the handling of a data breach. When there exists any doubt on a possible data breach, please contact the DPO at email@example.com.
188.8.131.52 Data retention
In line with the data protection principles of storage limitation and accuracy, it is required to set out clear data retention periods for the personal data being processed by BIRD.
184.108.40.206 Maintaining the registry of processing activities
In line with all the data protection principles, it is required to keep the record of processing activities accurate and thus ensure the quality of the record.
Please read the procedure on maintaining the records of processing activities.
220.127.116.11 Data protection impact assessment (DPIA)
Where a type of processing in particular makes use of new technologies and/or is likely to result in a high risk to the rights and freedoms of natural persons, BIRD should, prior to the processing, carry out an assessment of the impact on the person(s) involved. This is also called a data protection impact assessment (DPIA) (see also under section 5.2.4).
18.104.22.168 Legitimate interest balancing test
When a new processing activity is based on the legitimate interest of BIRD the organization will need to do an assessment in order to make sure that that interest does not override the rights and freedoms of the data subject(s) involved.
5.2 Specific measures
Therefore, it is in general very important for BIRD employees and partners to:
Always minimize the processing of personal data in terms of: nature, quantity, access and retention;
Evaluate new/changed procedures or systems in which personal data is processed in order to take appropriate technical and organizational measures in advance including Privacy by Design and Privacy be default;
Have technical and organizational security controls with different access privileges based on a “need to know” (and not “nice to know”).
Please consult DPO via firstname.lastname@example.org when having questions or assistance is needed.
5.2.1 Technical and organizational security measures
BIRD guarantees implementation of the appropriate technical and organizational measures to ensure a level of security appropriate to the risk and taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
22.214.171.124 Security measures (and IT Security)
BIRD acknowledges its responsibility to ensure an appropriate level of security with regard to the information you provide. Therefore, BIRD has implemented various measures in order to protect the personal data against loss, alteration, accidental or unlawful destruction, unauthorized disclosure of, or access to the personal data. On organizational level measures are taken such as the limitation of access to the premises. While on technical level firewalls and encryption is in place, personal passwords are used and verified and verification requirements regarding access to personal data on a ‘need-to-know’-basis are provided.
126.96.36.199 Data use and disclosure
When personal data is accessed, disclosed or transferred, the risk of loss, corruption or theft arises.
Some measures, please note that these measures are not exhaustive:
need it for executing their work;
Avoidance of creating any unnecessary additional data sets;
Personal data should not be shared informally;
Personal data should not be disclosed to unauthorized people, either within the company
When working with personal data, employees should ensure the screens of their
computers are always locked when left unattended;
Personal data sent by email or being transferred electronically to external parties must be
encrypted or protected by other appropriate technical and organizational security
Every opportunity should be taken to ensure personal data is reviewed and, if needed,
updated (e.g. by confirming a business’ contact details when they call or meet);
BIRD employee must not take any personal information away from BIRD premises except when prior consent is obtained. Any employee taking records off site must ensure that
appropriate technical and organizational measures are taken to protect it.
188.8.131.52 Data storage
When personal data is stored on paper, it should be kept in a secure place where unauthorized people cannot see or access it.
Do not print when not needed;
When not required, the paper or files should be kept in a locked drawer or filing cabinet;
Employees should make sure paper and printouts are not left where unauthorized people
could see them, like on a printer;
Data printouts should be shredded and disposed of securely when no longer required.
When personal data is stored electronically, it must be protected from unauthorized access, accidental deletion and malicious hacking attempts. In addition, personal data should only be stored on designated and secure drivers and servers and should only be uploaded to approved cloud computing services.
5.2.2 Third parties and data processor agreements (DPA)
As a controller BIRD has the obligation to ensure that it only uses processors providing appropriate guarantees to implement appropriate technical and organizational measures in such manner that processing will meet the requirements of the GDPR and ensure protection of the rights of the data subjects. Following this, a due diligence shall be conducted before a contract with a new processor is signed. A contract with the processor shall include the clauses on personal data processing, in which the appropriate instructions on how to process personal data is given to the processor, as well as, appropriate technical and organizational measures are agreed upon.
Personal data transfer to the processors or the third parties who are based or are processing personal data outside the EEA needs to be:
Justified (lawfulness of the transfer);
Compliant with personal data processing principles;
Secure (appropriate personal data protection level shall be ensured).
In order to ensure appropriate personal data protection level, BIRD shall:
Check whether the country to which personal data is transferred is covered by an adequacy decisions approved by the EU Commission. If the country is covered, the transfer of
personal data is allowed;
If the transfer is directed to a third party in the USA and if the third party is certified under
the Privacy Shield (i.e. adequacy decision between the USA and the EU);
If the country is not covered by an adequacy decision, Standard Contractual Clauses shall be signed between BIRD and the third party who is processing personal data outside the
5.2.3 Records of processing activities (ROPA)
BIRD is required to maintain a records of processing activities under its responsibility according to the GDPR. That record contains an overview of all processing activities, purpose of processing, categories of data subjects, categories of personal data, recipients, transfers to countries outside the EEA, retention periods and a description of the organizational and technical security measures.
5.2.4 Data protection impact assessment (DPIA)
In the case that a processing activity, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, BIRD should prior to the processing, carry out an assessment of the impact on the protection of personal data.
When any doubt exist that the current processing of personal data might constitute a high risk to the rights and freedoms of natural persons, please contact email@example.com.
Processing of personal data starts with building awareness. Being in the loop on what personal data is, which personal data is being processed and for which purposes are key. Depending on the type of personal data (esp. special categories of data) might need some extra attention. Next to this, it is important to follow the BIRD privacy and data protection policies in order to be compliant with the personal data protection principles as well as being able to respond to data subject requests in an appropriate way.
It is the task of BIRD to ensure regular communication towards all BIRD stakeholders, as well as inform them in case of any changes to the personal data protection framework conditions (laws and regulations, principles, policies and procedures). Awareness sessions and e- learnings are methods to actively educate all stakeholders on data protection and its effects.
6 Changes to this policy
If you have any questions with regard to the content of this policy, the processing of personal data or the exercise of data subject rights in relation to this data processed by BIRD, you can contact firstname.lastname@example.org.