PROTOCOL REPORTING DATA BREACHES
Dena Textile Productions attaches importance to the proper security of its (electronic) systems in which personal data is stored and processed.
A data breach can never be completely prevented.
Dena Textile Productions is obliged under the General Data Protection Regulation (AVG) to report (serious) data leaks to the Personal Data Authority and to the persons involved.
Dena Textile Productions wishes to comply with its legal obligations.
Dena Textile Productions has therefore formulated a policy to act as adequately as possible in the unlikely event of a data breach.
1 - Definition of data breach
A data breach occurs when there is an accidental or unlawful breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, data transmitted, stored or otherwise processed.
2 - Internal responsible data breach notification
Dena Textile Productions has appointed an internal controller responsible for the processing of data leaks.
This responsible party is the Marketing department, with Rolf van Eden as its first point of contact, telephone number: +31(0)318 588 595; e-mail address: [email protected], hereinafter referred to as: 'internal responsible party'.
3 - Internal report on discovery of a data breach
Anyone who discovers a data breach at Dena Textile Productions will immediately report it to the internal responsible party.
If possible, the person who discovered the data leak will simultaneously ensure that the leaked data is immediately remotely deleted or made inaccessible.
4 - Investigation by the internal responsible person
The internal responsible party investigates, among other things:
Whether personal data has been lost or can be used unlawfully.
Who or which departments within the organisation are involved in the data breach.
Whether a processor is involved in the incident.
5 - Combating data breach
The internal responsible party shall stop the data breach if it is still possible and shall also take the necessary measures to combat the data breach as effectively as possible.
6 - Determination of the consequences of a data breach
The internal responsible party shall examine the possible consequences of the data breach, based on the nature and extent of the data leaked, and determine what the adverse consequences of the data leakage could be.
7 - Co-operation with the provision of data relating to the data breach
The discoverer/reporter of the data breach shall give the internal responsible party full cooperation by answering the following questions as quickly and as completely as possible (in writing):
What happened? (description of the incident)
Was it accidental or was it caused by malicious intent (e.g. hacked data)?
When did it happen? (date and time)
When was it discovered?
What kind of data (registers) were leaked?
Are the data encrypted, and if so, how?
Could the data be remotely erased or made inaccessible, and if so, did that happen?
What are the possible consequences for the persons concerned?
Which group(s) of persons were affected? (e.g. pupils, patients, premium members)
How many people have been affected (approximately)?
Have data on persons in other EU countries also been affected by the data breach?
Could technical and/or organisational measures already have been taken as a result of the incident?
8 - Availability of personnel after discovery of data breach
The person in charge of the department from which the data breach occurred, as well as the person who discovered the data breach and anyone who, by virtue of their position or knowledge, is able to take organisational and/or technical measures to limit the consequences of the data breach, shall remain available in the first 24 hours after the data breach has been discovered for consultation with the internal responsible party or any experts appointed by him and, if necessary, for carrying out assigned work as a result of the data breach.
9 - Decision to report data breaches
The internal responsible party will decide as soon as possible, and in any case within 60 hours after the data breach has been discovered - whether or not in consultation with the person in charge of the department where the data breach was discovered and/or experts appointed by him - whether the data breach should be reported to the Personal Data Authority and/or the persons involved.
In principle, a data breach will always be reported to the Personal Data Authority, unless it is unlikely that the data breach will pose a risk to the rights and freedoms of the persons involved.
The notification of the data breach will be accompanied by answers to the questions as described in section 7.
A data breach which has been reported to the Personal Data Authority shall also be reported.
10 - Notification of data breaches to the Personal Data Authority and/or data subjects
If necessary, the internal responsible party will notify the Personal Data Authority and/or the data subject(s).
Reporting shall take place as soon as possible after the discovery of the data breach and at the latest within 60 hours after the discovery of the data breach.
No employee other than the internal responsible party is permitted to report the (possible) data breach himself/herself to the Personal Data Authority and/or the person(s) involved.
If an employee disagrees with the decision of the internal responsible party as to whether or not to report the data breach to the Personal Data Authority and/or the person(s) involved, he may make his grievances known to the management.
If requested to do so, an employee shall render all assistance to the internal responsible party in order to inform the persons affected about the data breach in accordance with Article 34 of the AVG.
11 - Consequences of reporting data breaches
If the data breach has negative consequences for those involved, the internal responsible party will do everything possible to limit these consequences as much as possible.
Depending on the nature and extent of the data breach for those involved, the internal responsible party will determine:
How the data subjects will be informed (including, in any case, the notifications as to which types of personal data have been affected, what the possible consequences are, what measures Dena Textile Productions will take and how the data subjects themselves can prevent or limit the damage).
What kind of aftercare the persons concerned will receive.
What actions are necessary in the interest of the organisation.
If a data breach has occurred - regardless of whether it has been reported or not - adequate technical and/or organisational measures shall be taken as soon as possible to prevent future similar data breaches.
12 - Keeping records of data leaks
The internal responsible party keeps a register of all data leaks, in which all data related to the data leak is recorded, such as:
A description of the incident.
Date and time of the data breach.
Date and time the data breach was discovered.
Description of the type of personal data leaked.
Description of the category(ies) of data subjects affected.
Description of the number of data subjects (approximate).
Whether data of persons in other EU countries have been leaked.
Whether the incident was reported to the Personal Data Authority and, if so, the date and time of the report.
Whether the incident was reported to the persons involved and if so, the date and time of the report.
How data subjects were informed.
The consequences of the data breach, stating the date and time if possible.
What technical and/or organisational measures were taken after the data breach, stating the date and time.
This protocol for reporting data breaches was drawn up on 01 May 2020.