1.1 Context of the General Data Protection Regulation (‘GDPR’)
The General Data Protection Regulation no. 679/2016, replaces the EU Directive of 1995 on data protection and replaces the legislation of each Member State, prepared according to the Directive 95/46/EC on data protection. Its aim is to protect the ‘rights and freedoms’ of natural persons and to ensure that personal data is processed only after the purpose of processing has been brought to their attention and, whenever possible, that data is processed with their explicit consent.
1.2 Scope of application – General information
Material scope – The GDPR applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
Territorial scope – The GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
‘GDPR’ – General Data Protection Regulation, 679/2016
‘Main establishment’ – the central establishment of the controller (the place where the unit management/controller takes the main decisions on the purpose and means of its data processing activities). The main establishment of a processor in the EU shall be its administrative office.
‘Personal data’ – means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘Special categories of personal data’ – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership and the processing of genetic data, biometric data for the unique identification of a natural person, health data or data on the sexual life or sexual orientation of a natural person.
‘Controller’ – unit that determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
‘Processor’ – a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
‘Data subject’ – any living person who is the subject of personal data held by the controller.
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘Profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
‘Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
‘Third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
‘Data record system’ means any structured set of personal data accessible according to specific criteria, whether centralized, decentralized or distributed according to functional or geographical criteria;
2.1. The board of directors and the management of Bittnet Group S.A., based in Bucharest, at B-dul Timisoara nr 26, Plaza Romania Offices, Et 1, district 6, Bucharest, undertakes to comply with all relevant EU and Member State laws on personal data and the protection of the ‘rights and freedoms’ of persons whose information the controller collects and processes, in accordance with the General Data Protection Regulation (GDPR).
2.2. GDPR compliance is described herein and by other relevant policies, such as the Data Protection Policy (PIMS) together with the related processes and procedures.
2.3. The GDPR shall be applied by any person within BNET, processing personal data, including any person within BNET, processing the personal data of patients, employees, providers and partners, as well as any other personal data that BNET processes, from any source.
2.4. The Data Protection Officer is in charge of the annual review of the Register of Data Processing Activities on any changes to BNET’s activities (determined by changes in the data mapping register) and any additional requirements identified by data protection impact assessments. This register shall be available upon demand of the supervisory authority.
2.5. This policy applies to all employees/staff members (and stakeholders) within BNET, such as outsourced providers. Any breach of the GDPR will be considered in accordance with BNET’s disciplinary policy and may also be deemed a misdemeanor, in which case the matter will be reported to the competent authorities, as soon as possible.
2.6. The partners and any third parties working with or for BNET, who have or may have access to personal data, are expected to have read, understood and to comply with this policy. In order to access personal data held by BNET, any third party shall be required to sign a non-disclosure agreement.
3.1 BNET acts as data controller in the GDPR context.
3.2 The company management and all employees with management or supervisory roles within the BNET are responsible for developing and encouraging information management practices within the company; the responsibilities are set out in the individual job descriptions.
3.3 The controller shall appoint the Data Protection Officer (DPO), ensuring that, if this person is an employee, none of the tasks assigned to him or her generates a conflict of interest and that this person has the appropriate moral qualities, knowledge and experience to take responsibility for continued compliance with the personal data protection policy throughout the unit. The controller shall prepare the job description and detailed duties for the Data Protection Officer (DPO).
3.4. The Data Protection Officer (DPO) shall be in charge of and supervise that:
3.4.1 The Controller prepares and enforces this policy under the GDPR provisions.
3.4.2 The Controller manages the security and risks of policy compliance.
3.5 The Data Protection Officer has specific duties for procedures, such as the procedure to request access for the data subject and acts as the first point of contact for employees/staff members requesting clarifications on any matter of data protection compliance.
3.6 All employees of the Controller, who process personal data, shall be required to comply with data protection legislation.
3.7 The BNET training policy establishes specific requirements for the training and awareness of its own staff in relation to specific roles with respect to data protection.
3.8 BNET employees/partners shall ensure that the personal data they have provided to the controller is accurate and up to date.
The processing of personal data must be carried out in accordance with the data protection principles set out in Article 5 of the GDPR. The BNET policy and procedures are designed to ensure compliance with the principles.
4.1 Personal data must be processed lawfully, fairly and in a transparent manner.
Lawful – a legal basis is identified before personal data can be processed. This/these comprise/s the processing requirement(s) (e.g. written consent of the data subject).
Fair– in order for the processing to be fair, the data controller must make certain information available to data subjects as practically as possible. This applies if personal data have been obtained directly from data subjects or other sources.
‘Transparency’ – the Controller shall emphasize that privacy notices are understood and accessible. The information must be communicated to the data subject in an intelligible form, using clear and simple/accessible language.
The specific information to be provided to the data subject must include at least:
4.1.1 The identity and contact details of the controller and, as applicable, of the controller’s representative;
4.1.2 the contact details of the Data Protection Officer;
4.1.3 The purpose of the processing for which the personal data is intended, as well as the legal ground for processing;
4.1.4 the period for which the personal data will be stored;
4.1.5 the existence of the rights to request access, rectification, deletion or objection to the processing and the requirements (or lack thereof) to exercise said rights, such as its effect on the lawfulness of prior processing;
4.1.6 the personal data categories in question;
4.1.7 the recipients or categories of recipients for the personal data, as applicable;
4.1.8 where applicable, that the controller intends to transfer personal data to a recipient in a third country and the level of protection granted to said data;
4.1.9 any additional information necessary to ensure proper processing.
4.2 Personal data may only be collected for specific, explicit and legitimate purposes
The data obtained for the specified purposes shall not be used for a purpose other than that which has been officially notified to the supervisory authority as part of the controller’s processing register.
The personal data should be adequate, relevant and limited to what is necessary for the processing purposes.
4.3.1 The Data Protection Officer shall ensure that the controller does not collect information that is not strictly necessary for the purpose for which it was obtained.
4.3.3 The Data Protection Officer shall ensure that, annually, all methods of data collection are reviewed by the internal audit to ensure that the data collected are still adequate, relevant and limited.
4.4 The inaccurate personal data, considering the purposes of its processing, shall be deleted or rectified, immediately (‘accuracy’).
4.4.1 The data stored by the controller must be reviewed and updated, as appropriate.
4.4.2 The Data Protection Officer shall be in charge of ensuring that all staff members are trained in the importance of collecting and maintaining accurate data.
4.4.3 The data subject shall ensure that the data held by the controller is accurate and up to date. Completion of a registration form or an application by a data subject shall include a statement that the data contained therein is correct at the time of submission.
4.4.4 The employees/patients/others should be required to notify the controller to allow the proper update of personal records. The controller shall ensure that any notice of changes is recorded and operated.
4.4.5 The Data Protection Officer shall ensure that appropriate procedures and policies are in place to keep personal data accurate and up-to-date, taking into account the volume of data collected, the potential speed of change and any other relevant factors.
4.4.6 At least once a year, the Data Protection Officer shall examine the stored data of all data subjects processed by BNET in the data inventory and shall identify any data that is no longer needed in the context of the registered purpose. This data shall be securely deleted/destroyed in accordance with the procedure for securely deleting/destroying storage media.
4.4.7 The Data Protection Officer shall be in charge of responding to requests for rectification from data subjects within one month (Data Access Request Procedure). It can be extended for another two months, for complex requests. If BNET decides not to comply with the request, the Data Protection Officer should respond to the data subject to explain his/her reasoning and to inform him/her of their right to lodge a complaint with the supervisory authority and to seek redress.
4.4.8 The Data Protection Officer shall be in charge of taking appropriate measures, in the event that third party organizations have received inaccurate or outdated personal data, informing them that such data is inaccurate and/or expired and should not be used; The Data Protection Officer shall also be in charge of submitting any correction of personal data to the third party, if necessary.
4.5 Personal data must be stored in a form which allows identification of the data subject only for as long as is necessary for processing.
4.5.1 If personal data is stored beyond the date of processing, it shall be minimized/encrypted/pseudonymized to protect the identity of the data subject in the event of a data breach.
4.5.2 Personal data shall be stored in accordance with the record keeping procedure and, in the event that the retention period has been exceeded, this data must be securely destroyed.
4.5.3 The Data Protection Officer must specifically approve any storage of data that exceeds the retention periods defined in the record keeping procedure and must ensure that it is justified clearly and in accordance with legal data protection requirements. The approval herein shall be made in writing.
4.6 Personal data must be processed in a manner that ensures adequate security.
The Data Protection Officer shall carry out a risk assessment, taking into account all the circumstances of the processing operations performed by the controller. In determining the nature of the processing security, the data protection officer must take into account the extent of any damage or loss that could be caused to the data subjects in the event of a security breach.
In assessing the appropriate technical measures, the data protection officer shall take into account, at least, the following:
Attention should be paid to the risks posed by data processing, which may lead to harm to individuals whose data is being processed.
4.7 Responsibility in the management/governance of the personal data processing activity.
The GDPR includes provisions that promote the responsibility and management/ governance of the personal data processing activity. They complement the transparency requirements of the GDPR and are demonstrated by the implementation of data protection policies, the implementation of technical and organizational measures, as well as the adoption of techniques such as data protection from the time of design, by conducting impact assessments on data protection, infringement notice procedures and incident response plans.
5.1 The data subjects have the following rights with regard to the processing of data and the recording of such data:
5.1.1 To request access to the information held and regarding those to whom it was disclosed.
5.1.2 To object to processing that could cause damage or injury.
5.1.3 To object to processing for direct marketing purposes.
5.1.4 To be informed about the automated individual decision-making process, including profiling.
5.1.5 The data subject has the right not to be subject to a decision based solely on automatic processing, including profiling, which has legal effects concerning the data subject or similarly affects him or her to a significant extent.
5.1.6 To claim compensation in the event of damage as a result of any GDPR breach.
5.1.7 To take measures to rectify, block, delete, including the right to be forgotten or to destroy inaccurate data.
5.1.8 To ask the supervisory authority to assess whether a provision of the GDPR has been breached.
5.1.9 The data subject has the right to receive personal data concerning him or her which he or she has provided to the controller in a structured, commonly used and automatically readable format and has the right to transmit this data to another controller without obstacles from the controller to whom the personal data were provided.
5.1.10 The data subject has the right to object to the creation of profiles without the existence of a consent.
5.2 BNET shall ensure that the persons concerned can exercise these rights:
5.2.1 The data subjects may submit requests for access to data, according to the Procedure for requesting the access of the data subject; this procedure also describes how BNET will ensure that its response to the data access request complies with GDPR requirements.
5.2.2 The data subjects have the right to lodge a complaint with BNET regarding the processing of their personal data; the requests from the data subjects and the way in which the complaints have been resolved shall be made in accordance with the complaint procedure.
6.1 By the consent of the data subject with regard to the processing of personal data, the controller means any manifestation of free, specific, informed and unambiguous will of the data subject by which he/she accepts the processing, by an unequivocal statement or action. The data subject can withdraw the consent at any time.
6.2 By giving consent, the controller understands that the data subject has been fully informed about the processing of personal data, that he or she is in an appropriate state of mind to do so and has been obtained without exerting pressure on him or her. Consent obtained under pressure or based on misleading information shall not constitute a valid basis for processing.
6.3 There must be active communication between the parties to demonstrate active consent. Consent cannot be inferred from a lack of response to a communication. The controller must be able to demonstrate that he/she has obtained consent for the processing operation.
6.4 For sensitive data, explicit written consent of the data subjects must be obtained, unless there are legal grounds for alternative processing.
6.5 In most cases, consent for the processing of personal and sensitive data is usually obtained by the controller using standard consent statements.
7.1 All employees/staff members shall ensure that any personal data held by the controller and for which he/she is in charge is kept secure and is not disclosed, in any way, to a third party, unless such third party has been specifically authorized to receive this information and entered into a non-disclosure agreement.
7.2 Any personal data must be accessible only to those who need to use it and access can only be granted in accordance with the Access Control Policy. All personal data must be processed and stored securely.
7.3 Care must be taken that the PC screens and terminals are visible only to the authorized employees/personnel of the controller. All employees/staff members are required to enter into an acceptable use agreement before being allowed access to organizational information of any kind, which details the rules regarding the time when the screen enters ‘idle’, ‘lock’) mode.
7.4 Records in physical format may not be left in locations where they may be accessed by unauthorized personnel and may not be removed from the premises without explicit (written) consent. As soon as the physical records are no longer required for everyday customers, they must be safely destroyed in accordance with a certain procedure.
7.5 Personal data may only be deleted or deleted in accordance with the record keeping procedure. Physical records that have expired must be shredded and disposed of as ‘confidential waste’.
7.6 The ‘off-premises’ processing of personal data poses a higher potential risk than the loss, theft or damage of personal data. The staff must be specifically authorized to process data outside the premises.
8.1 The controller must ensure that personal data is not disclosed to unauthorized third parties, which include family members, friends, government agencies and, in certain circumstances, the police. All employees/staff members should be careful when asked to disclose another person’s personal data to a third party and will be required to undergo specific training to enable them to effectively manage such risks. It is important to take into account whether or not the disclosure of information is relevant to the operation of the controller.
8.2 The GDPR allows certain disclosures without consent, as long as the information is requested for one or more of the following purposes:
8.2.1 – to protect national security;
8.2.2 – to prevent or detect crime, including for detention or prosecution of offenders;
8.2.3 – to fulfil regulatory functions (includes health, safety and welfare of persons at the workplace);
8.2.4 – to prevent serious injury to a third party;
8.2.5 – to protect the vital interests of the individual, it refers to the situations of ‘life and death’.
8.3 All requests to provide data for one of these reasons must be supported by adequate supporting documents and any such disclosure must be specifically authorized by the Data Protection Officer.
9.1 The controller shall not keep personal data in a form that allows the identification of data subjects, for a longer period than necessary, in relation to the purpose(s) for which the data was originally collected.
9.2 The controller may store data for longer periods if personal data will be processed exclusively for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, subject to the implementation of technical measures, and appropriate organizational arrangements for the protection of the rights and freedoms of the data subject.
9.3 The retention period for each category of personal data will be set out in the record keeping procedure, together with the criteria used to establish this period, including the legal obligations of the controller who must retain the data.
9.4 Data retention procedures and data deletion procedures will apply in all cases and for all types of data subjects.
9.5 Personal data must be securely deleted in accordance with the sixth principle of the GDPR – processed in an appropriate manner to maintain security, thus protecting the ‘rights and freedoms’ of data subjects. Any deletion of data will be done in accordance with the deletion procedure.
10.1 All transfers of data from the European Economic Area (EEA) to non-European Economic Area countries (referred to in the GDPR as ‘third countries’) are illegal, unless there is an ‘adequate level of protection of the fundamental rights of data subjects’. The transfer of personal data outside the EEA is prohibited, unless one or more of the specified guarantees or exceptions apply:
10.1.1 Adequacy decision
The transfer of personal data to a third country or international organization may take place when the Commission has decided that the third country, territory or one or more specified sectors of that third country or international organization concerned provide an adequate level of protection. Transfers made under these conditions do not require special authorizations. Countries that are members of the European Economic Area (EEA) but not the EU are accepted as fulfilling the requirements for an adequacy decision.
A list of countries that currently meet the Commission’s adequacy requirements is published in the Official Journal of the European Union: http://ec.europa.eu/justice/dataprotection/international-transfers/adequacy/index_en.htm
10.1.2 Privacy Shield
Assessment of adequacy by the data controller
When assessing adequacy, the data transfer controller in the UK should take into account the following factors:
10.1.3 Mandatory corporate rules
BNET may adopt approved mandatory corporate rules for data transfer outside the EU. This requires the submission to the competent supervisory authority for approval of the rules on which BNET is trying to base itself.
10.1.4 Standard contract terms
BNET may adopt approved standard contractual clauses for the transfer of data outside the EEA. If BNET adopts the standard agreement terms approved by the competent supervisory authority, then there is an automatic recognition of the adequacy.
In the absence of an adequacy decision, the transfer of personal data to a third country or to an international organization shall take place only under the following conditions:
11.1 The Controller is required to develop a Data Processing and DATA MAPPING Record System, as part of its strategy to address risks and opportunities in its GDPR compliance project. The record keeping system for data processing and mapping activities refers to processes that use personal data:
11.2 The controller is aware of any risks associated with the processing of certain types of personal data.
11.2.1 The controller assesses the level of risk for processing the personal data of the data subjects. Data protection impact assessments (DPIA) are carried out taking into account the diversity of the data processed, the categories of internal risk and that concerning the transfer to third parties and/or the processing by proxies.
11.2.2 The controller must manage any risks identified by the risk assessment to reduce the likelihood of non-compliance with this policy.
11.2.3 Given the nature, scope, context and purposes of the processing, where a type of processing, in particular one based on the use of new technologies, is likely to pose a high risk to the rights and freedoms of natural persons, the controller carries out, before processing, an assessment of the expected processing impact on the protection of personal data. A single assessment may address a set of similar processing operations that pose similar high risks.
11.2.4 If the result of the DPIA reveals that the controller is about to start processing personal data that could potentially cause harm and/or damages to data subjects, the decision to start processing rests with the Data Protection Officer.
11.2.5 The Data Protection Officer must report this situation to the supervisory authority, if there are significant concerns, either in relation to damages and/or harm, or with the integrity of the data.
11.2.6 Choosing appropriate Security Standards and applying them to reduce the level of risk associated with the processing of individual data to an acceptable level.
This document has been approved by the Data Protection Officer, who has the task of reviewing this procedure in accordance with the revised requirements of the General Data Processing Regulation (EU GDPR).
This policy was approved by the BNET manager on May 25th, 2020.
Be the first to hear about our latest courses by signing up to our mailing list.
© DevOps Artisan 2020