GDPR

THE GENERAL DATA PROTECTION REGULATION

The General Data Protection Regulation (GDPR or AVG in Dutch) entered into force on 25 May 2018. By means of the following FAQs you will learn all about this upcoming legislative amendment and what this means for you and your organization.

GDPR

What is the GDPR?
The GDPR is the General Data Protection Regulation. On 25 May 2018, this – European – privacy legislation will replace the Dutch Personal Data Protection Act (Wbp). The GDPR is stricter than the Wbp. For example, organizations that process personal data are supervised more closely and more attention is paid to the rights of the persons whose data are processed.

What does GDPR mean?
The abbreviation GDPR stands for General Data Protection Regulation. The AVG is the Dutch version of the GDPR.

What are the consequences of the introduction of the GDPR for Softbrick and its customers?
Softbrick complies with the Personal Data Protection Act and, since the introduction of the GDPR in 2016, has carefully examined and acted on any adjustments to procedures. Complying with applicable laws and regulations is obviously a fixed and important part of Softbrick.

Personal data

What is meant by the processing of personal data?
The processing of personal data includes the following: collecting, recording, organizing, storing, updating, modifying, retrieving, consulting and using data; providing data by means of forwarding, distribution or any other form of posting; merging and connecting data; and shielding, deleting or destroying data.

What is a Processing Agreement?
A processing agreement specifies which data Softbrick may handle. It also states how long, when and under what conditions that data may be processed.

The responsibility for concluding the agreement lies with both parties, i.e. both the ‘controller’ and the ‘processor’. Softbrick has a processing agreement that complies with the regulations in the GDPR. This can be provided to you on request.

We already have an agreement with Softbrick. To what is this processing agreement connected?
The processing agreement is added to the existing agreement as an appendix.

Does Softbrick have a more extensive document in which all this is described in detail?
Yes, the Softbrick Information Security Policy document describes the measures that Softbrick takes to prevent improper use of data and explains what happens if a data leak occurs. This document is added to the Processing Agreement as standard. If you want to know more, you can of course contact us.

Responsibilities

Who is responsible when? And for what?
The GDPR mentions controllers and processors. When you provide us with data (personal data) you are the ‘controller’. Softbrick is then the ‘processor’. The provision and processing of the data must be laid down in an agreement (the processing agreement). In the role of controller, you must demonstrate that you have taken the correct technical and organizational measures to protect the personal data. You must also do this in the role of processor.

Who is the data subject?
In the context of Softbrick WFM, the data subjects are your staff. The data of your workforce are stored and processed within the Softbrick software package.

What changes with the arrival of the GDPR with regard to the data subject?
With the introduction of the GDPR, the privacy rights of the data subject are further strengthened and expanded. For our system the new ‘right to be forgotten’ is important. This means that you (under certain conditions) have to delete the personal data of the data subject if the data subject requests this. The website of the Dutch Data Protection Authority sets out the conditions under which this should take place.

Who has access to your personal data within Softbrick and what happens to it?
See the processing agreement for this information.

Measures

Are your employees aware of the GDPR?
Our employees are regularly trained in the field of information security and guidance is provided continuously. Once every quarter, a random sample is checked to see whether our employees are aware of the current regulations and act accordingly.

Is Softbrick tested on the GDPR?
Yes, the certification procedure for the international information security standard ISO 27001 includes the regulations from the GDPR. After the initial audit, Softbrick is tested annually against this standard.

Does Softbrick have procedures in case of a data leak?
Under the General Data Protection Regulation (and previously under the Data Protection Act) there is a duty to report data leaks. Based on this, Softbrick has a procedure that prescribes how to act in the event of a data leak. All our employees are aware of this procedure.

How does Softbrick protect my data?
We use encryption for this. For electronic transport, Softbrick WFM uses SSL-based encryption. For physically transporting data, we use encrypted USB sticks. In addition, all PCs and laptops within Softbrick are equipped with encryption.

How can Softbrick help us to act in accordance with the GDPR?
Softbrick started preparing for the GDPR in 2016 and ensures that both the organization and the software comply with the legislation. If you have any questions about this, you can always ask them by sending an e-mail to privacy@softbrick.nl, or by calling us at 0345 47 32 59.