EU GDPR Control
How we are compliant
Conduct an information audit to determine what information you process and who has access to it.
We have carried out an information audit to determine which information it processes, how it processes this information, who has access to it and what security measures have been implemented to safeguard the confidentiality, integrity and availability of this data. This has been recorded in its processing registry (article 30 registry). Moreover, We have carried out a Data Protection Impact Assessment where it has considered the purposes of the processing, what kind of data they process, who has access to it within the organization, any third parties (and where they are located) that have access, what they are doing to protect the data (e.g. encryption), and when they plan to erase it.
Have a legal justification for your data processing activities.
We have determined what legal basis it relies on for processing different types of personal data and recorded this in its processing registry. Where we relies on consent, it has ensured it complies with the additional consent requirements as set out by the GDPR. Where we relies on legitimate interest, We have carried out a legitimate interest test, considering the necessity and proportionality of its data processing activities and balancing the rights and freedoms of the data subjects against the legitimate interests We have in data processing. Only when the results of the balancing test show that our legitimate interests take precedence over the rights and freedoms of the data subject in a particular case, this data is processed by us.
We have written and published an extensive privacy notice, which details the types of processing activities that we carry out, with regards to which data, who has access to it both internally and externally, and how this data is safeguarded. We make this privacy notice available through our website at all times and is available in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
Take data protection into account at all times, from the moment you begin developing a product to each time you process data.
We have implemented data protection by design and by default. We take data protection and privacy into account in the operational day-to-day as well as with any projects that we undertake. Data protection and privacy are integral parts of any planning process and all staff members are regularly trained on data protection and privacy issues. We have implemented appropriate technical and organizational measures to protect data and ensure its confidentiality, integrity and availability. The security measures we implement are chosen on the basis of an extensive risk assessment. We have ensured that we adhere to the data processing principles outlined in article 5 of the GDPR by considering these in our Data Protection Impact Assessment. We carry out regular data deletion exercises in line with our internal data retention policy as well as on the basis of any legal obligation.
Encrypt, pseudonymize, or anonymize personal data wherever possible.
We recognise that encryption is one of the best measures to ensure data protection and has therefore opted to use cloud-applications for its daily operations as well as data storage where encryption is enforced by default. This includes encryption at rest as well as in transit.
Create an internal security policy for your team members, and build awareness about data protection.
We have formulated an information security policy which has been made available to all of our employees using our compliance-management platform Naq. Moreover, our employees have been required to accept the terms within this information security policy by signing the document within Naq. Our information security policy includes guidance about email security, passwords, two-factor authentication, device encryption, and VPNs. All personnel and contractors who have access to personal data have received training on security and GDPR requirements. This training is repeated throughout the year.
Have a process in place to notify the authorities and your data subjects in the event of a data breach.
We have formulated a Data Breach Notification Policy using our compliance-management platform Naq. This policy details exactly the steps any team member must take to ascertain whether the data subjects or data protection authorities must be notified, in which timeframe and in which manner. Moreover, we track all security incidents within the Naq platform, where we manage these incidents to determine if a data breach has occurred as a result of a security incident.
Designate someone responsible for ensuring GDPR compliance across your organisation
Sign a data processing agreement with any third parties that process data on your behalf
Any third parties that process data on our behalf are recorded within the Naq platform and within our data processing registry. Moreover, the Naq platform records details of public Data Processing Agreements (if a third-party publishes a Data Processing Agreement publicly). If no such Data Processing Agreement exists, the Naq platform generates a Data Processing Agreement and sends this to the third-party processor which is then signed by us and a responsible individual within the third-party. The Naq platform also sends out security questionnaires to ensure that all suppliers are conforming to the requirements laid out in the GDPR.
Appoint a representative within one of the EU member states if your organisation is outside of the EEA
We are registered in the EEA.
Make it easy for customers, employees and other data subjects to carry out their rights under the GDPR (Access, rectification, erasure, restriction, objection, portability)
By filling out the form at the top of this page, customers, employees and other data subjects can carry out their rights under the GDPR. All such requests are managed within the Naq platform to ensure we meet all requirements laid out in the GDPR. We will ensure that you receive a reply to your request within 30 days of receipt.