Data Protection Policy
Table of contents
1. The importance of data protection
2. The organisation of data protection
3. Scope of data protection policy
4. The management of risks
5. Policy objectives for data protection
6. Priority action items from the risk analysis
1. The importance of data protection
VAMATEC NV (with registered office at 9800 Deinze, Winkelstraat 87, and with enterprise number 0449.411.292) attaches great importance to the proper protection of the data it processes, and personal data in particular. By means of this policy, VAMATEC wishes to establish at the strategic level how data are protected, which responsibilities are allocated in this respect, and which priorities VAMATEC has set for the protection of data.
In particular, VAMATEC wishes to protect the data of customers, and the personal data they provide, against:
• loss: data are no longer available
• leaks: data end up in the wrong hands
• errors: data are incorrect, e.g. outdated or incomplete
• inaccessibility: data are not accessible at the moment they are needed
• unauthorised access: data are accessed by persons who are not authorised to do so
• lack of traceability: it cannot be verified who accessed, altered or removed the data
• non-compliant processing: processing that is not in line with regulations, guidelines and standards
In this policy, the management wishes to call upon everyone who is involved in the electronic and paper processing of (personal) data to process data made available by our customers and the visitors to our website in an appropriate way, based on our shared vision and our common determination to offer high-quality services.
This policy manual goes into greater detail concerning the protection of privacy and, more specifically, information-related privacy. It serves as the standard for the processing of the personal data of customers and their insureds by VAMATEC. It is a guideline for all processing operations and offers a reference standard for audits and inspections. The policy manual offers each interested party, employee or involved external party an understanding of the data protection policy and of how we deal with sensitive personal data.
The manual is also written for everyone who holds a position in VAMATEC in which personal data are processed. They use (parts of) this policy manual when drafting procedures and guidelines for employees and external parties, such as ICT suppliers. The relevant parts of this policy manual are incorporated into agreements with personnel and suppliers.
2. The organisation of data protection
VAMATEC, as controller and represented by its management, holds the authority over this policy. The management is responsible for formulating and establishing the policy principles within VAMATEC and for supervising compliance with them, supported in this by the executive committee / management team / or a related body.
The executive committee / management team / or a related body functions as the formal decision-making platform for data protection and is competent to decide on the following aspects:
• The risk analysis and accompanying methodology;
• The development of the data protection policy and the related guidelines;
• The implementation of protective measures (i.e. the content of the security plan)
• The structural response to data protection problems and to advice received (within 3 months).
Responsibility for the substantive monitoring of the data protection policy lies with the Data Protection Officer (DPO). He/she performs this task in accordance with the provisions of the GDPR. VAMATEC passes on the identity of the DPO (and any changes to it) to the data protection authority. The DPO reports to the management of VAMATEC and is more specifically responsible for:
• Submitting advice and recommendations to the executive committee / management team / or a related body
• Raising the awareness of all parties within VAMATEC
• Supervising compliance with the data protection policy within VAMATEC.
• Documenting the data protection requirements, such as a security plan and the processing register
• Conducting the specific tasks assigned to the DPO within the framework of the GDPR (Article 39 GDPR)
• Recording violations and turning them over, together with recommendations, to the executive committee / management team / or a related body.
Anyone (internal or external) who processes data (e.g. accesses, records, changes, etc.) does so in accordance with the policy principles contained in this policy manual. The user processes data in accordance with the duty of discretion, and in accordance with the following principles:
• Is responsible for the data of the data subjects that he/she processes
• Implements the security guidelines during his/her processing assignment.
• Processes only those data which are necessary for the task
• Assumes responsibility for the data
• Reports breaches
• Complies with article 458 of the Penal Code: The user respects the duty of professional confidentiality.
ICT employee or key user
The ICT employee or key user is, in addition to the responsibilities of the user, responsible for:
• Implementing the technical measures
• Implementing the security measures in line with this policy manual.
• Reporting the security problems that arise before, during or after the implementation of ICT methods to the DPO
• Functioning as an expert. From this role he/she participates in identifying and remedying the data protection risks
• Complying with the code of conduct.
The ICT supplier has the same responsibilities as an ICT employee. Additionally, the supplier:
• Highlights the security risks of the delivered applications
• Points out the security tasks that have to be carried out on VAMATEC's side
• Strives for a transparent data protection policy by communicating about his own current security level and about how he deals with security incidents.
3. Scope of the data protection policy
This policy applies for the entire lifecycle of information within VAMATEC, from the acquisition of the information to its ultimate erasure.
This policy applies for all of VAMATEC:
• The registered office and places of business of VAMATEC.
• All personnel members of VAMATEC, both internal employees and external parties who are employed within VAMATEC for a limited or unlimited term.
• All equipment and information-processing systems managed by VAMATEC, as well as systems managed by external parties for the purpose of processing information for VAMATEC, such as databases, information regardless of the medium it is stored on, networks, data centres, etc.
• All processing activities, both as controller and processor.
For certain areas or processes within VAMATEC supplementary guidelines or procedures can be elaborated that describe in detail what measures are taken in order to attain the desired level of data protection. This policy is the umbrella under which all other guidelines or procedures fall.
Given the important role of the ICT suppliers in setting up the ICT environment for processing data, the policy manual establishes the policy principles for this as well.
4. Risk management
VAMATEC had a risk analysis conducted in order to map out the data protection risks. The risk analysis was performed on the basis of the following criteria (review framework):
• The guidelines with regard to the information security of personal data as published by the Commission for the Protection of Privacy
• The General Data Protection Regulation
• The ISO 27001 standard on information security
The analysis mapped out operational and tactical risks. These risks were discussed together with the management, and the findings were integrated into an action plan to deal with the identified risks. In doing so, VAMATEC distinguishes four possible ways of dealing with a risk:
• Acceptance: a risk is accepted, no additional measures are taken. VAMATEC strives to accept as few risks as possible.
• Transfer: a risk is transferred, as a result of which the responsibility relating to the risk no longer rests with VAMATEC.
• Limitation: VAMATEC takes the necessary measures in order to limit a risk so that the risk is reduced to an acceptable level.
• Exclusion: VAMATEC takes measures in order to prevent a risk from being able to arise in the first place.
The objective is for the risk analysis to be reviewed at least annually. This forms part of the activities of the DPO.
You will find the action items that are currently a priority as a function of the performed risk analysis in chapter 6.
5. Policy objectives for data protection
VAMATEC, in its role as both controller and processor:
1. Is transparent about the personal data that it processes and the purpose of the processing, vis-à-vis the data subject, the customers and the supervisory authorities. The communication conducted is honest, easily accessible and understandable. The transparency principle also applies when the personal data are exchanged.
2. Processes only the data that are relevant for the performance of its tasks. Each task in which personal data are processed is lawful. Amongst other things, this means that the processing is in accordance with the legal and statutory objectives. This is evaluated for each new purpose of processing, where necessary on the basis of a data protection impact assessment.
3. Processes only the personal data that are strictly necessary for carrying out its activities. For example, the identifiers belonging to the personal data are reduced to a minimum.
4. Monitors the integrity of the personal data during the entire processing cycle.
5. Stores data for no longer than necessary. The necessity is tested against statutory obligations and the rights and freedoms of the data subject.
6. Prevents breaches that might arise from the processing of personal data. Information security, data protection by design and privacy-friendly default settings are a few of the means for this. If a breach occurs, it is reported in accordance with the regulations on the subject.
7. Is able to fulfil all applicable rights of a data subject, such as the right to inspect, copy and possibly also delete. In so doing, the possible restrictions that apply to these rights are observed.
8. Actively ensures that, during the processing of the personal data for a specific purpose, the rights and freedoms (for example, right to insurability, right to care) of the data subject are guaranteed.
9. Processes data in accordance with the rights and freedoms that apply within the European Economic Area, and verifies their application when data are exchanged outside of that area. VAMATEC consequently complies with all legal and regulatory frameworks (i.e. Flemish, Federal and European rules) when processing personal data, and has for this purpose clearly identified its responsibility for its own personal data and those of others. Moreover, VAMATEC also monitors and applies the codes of conduct applicable in the sector.
10. Can demonstrate that it complies with all policy objectives, in accordance with the legal provisions. This accountability is monitored by internal supervision and audit and is enforceable according to the legally applicable principles.
6. Priority action items deriving from the risk analysis
The following are the different priority action items generated by the risk analysis. These are the findings with a score of High or Critical.
1. WHO ARE THE PARTIES?
In our Cookie Statement, the following terms have the following meanings:
- VAMATEC: Vamatec NV, with registered office at 9800 Deinze, Winkelstraat 87, and with enterprise number 0449.411.292.
- ´User´ or ´you´: any natural person (B2C) who, or legal entity (B2B) which, via this online platform, is or comes to be in a contractual relationship of whatever nature with VAMATEC.
- ´Law´: art. 129 of the Law on Electronic Communications, as amended by W 2012-07-10/04, art. 90, 017 (entry into effect: 04-08-2012).
2. WHAT ARE COOKIES?
3. TYPES OF COOKIES
Our cookies can be subdivided according to their origin, their function and their lifetime.
- First party cookies are those cookies which are installed by a website that is being visited at that moment by the user (e.g. cookies installed by VAMATEC).
- Third party cookies are cookies which are installed by a different domain name than that of the website that is being visited by the user. If a user visits a website and a third party installs a cookie via this website, then it is a third party cookie (e.g. cookies installed by Google, Twitter, Facebook and Hotjar).
- Functional cookies are cookies that ensure that the Website functions properly (e.g. cookies for log-in or registration, language preferences). Functional cookies are typically first party cookies.
- Non-functional cookies are cookies that can be installed for statistical, social, targeting and commercial purposes. They have nothing to do with the purely technical support of the website. Cookies with statistical purposes make it possible to check which pages of the website you visit, where your computer is located, etc. Cookies with social purposes allow the user to directly share the content of the visited website with others via social media. Cookies with targeting purposes make it possible for a profile to be built up on the basis of your surfing behaviour, so that the advertisements displayed will match your interests. Cookies with commercial purposes retain how many (and which) advertisements were shown to a user. Non-functional cookies can be first party or third party cookies.
- Permanent cookies: These cookies remain present on the device of the user for the period defined in the cookie. They are activated each time the user visits the website that installed this cookie (e.g. cookies installed by social media such as Twitter, Facebook, Google Analytics, etc.). Most non-functional cookies are permanent cookies.
- Session cookies: These cookies enable us to simplify the actions of a user and to link them to one another during a browser session. A browser session begins when a user opens the browser screen and ends when he/she closes the browser screen. Session cookies are installed temporarily. As soon as you close the browser, all session cookies are deleted. Most functional cookies are session cookies.
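As an added illustration of the origin and lifetime distinctions above (example code written for this page, not part of the cookie statement or of VAMATEC's platform), the following Python classifier reads Set-Cookie headers the way a browser does and labels each cookie as first or third party and as session, permanent or expired. The host names and header values are constructed for the example, and the registrable-domain check is a two-label simplification of what a browser does with the Public Suffix List.

```python
"""Classify Set-Cookie headers by origin (first/third party) and lifetime.

Added example, not part of the cookie statement. All sample headers and
host names below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class CookieRecord:
    name: str
    domain: str                      # effective domain the cookie is scoped to
    party: str                       # "first" or "third"
    kind: str                        # "session", "permanent" or "expired"
    lifetime_seconds: Optional[int]  # None for session cookies


def registrable_domain(host: str) -> str:
    """Simplification: take the last two DNS labels as the registrable domain.
    A real implementation consults the Public Suffix List (think co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header: str, set_by_host: str, site_host: str,
                     now: datetime) -> CookieRecord:
    """Parse one Set-Cookie value received from set_by_host while visiting site_host."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    # A Domain attribute widens the scope; without it the cookie is host-only.
    domain = attrs.get("domain", set_by_host).lstrip(".").lower()

    # RFC 6265 5.3: Max-Age takes precedence over Expires. Neither attribute
    # means the cookie lives only for the browser session. A date that fails
    # to parse is ignored (RFC 6265 5.2.1), which also yields a session cookie.
    lifetime: Optional[int] = None
    if "max-age" in attrs and attrs["max-age"].lstrip("-").isdigit():
        lifetime = int(attrs["max-age"])
    elif "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            lifetime = int((expires - now).total_seconds())
        except (TypeError, ValueError):
            pass

    same_site = registrable_domain(domain) == registrable_domain(site_host)
    party = "first" if same_site else "third"
    if lifetime is None:
        kind = "session"
    elif lifetime <= 0:
        kind = "expired"      # Max-Age=0 or a past Expires deletes the cookie
    else:
        kind = "permanent"
    return CookieRecord(name, domain, party, kind, lifetime)


def classify_all(headers: List[Tuple[str, str]], site_host: str,
                 now: datetime) -> List[CookieRecord]:
    return [parse_set_cookie(value, host, site_host, now) for host, value in headers]


def summarize(records: List[CookieRecord]) -> Dict[str, int]:
    """Count cookies per (party, kind) combination, e.g. 'third-party permanent'."""
    counts: Dict[str, int] = {}
    for rec in records:
        key = f"{rec.party}-party {rec.kind}"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed test data: (sending host, Set-Cookie header value).
SITE = "www.vamatec.be"
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    ("www.vamatec.be", "locale=en; Path=/; Max-Age=31536000; SameSite=Lax"),
    ("www.vamatec.be", "CraftSessionId=9f2c; Path=/; HttpOnly; Secure"),
    ("www.vamatec.be", "cookieconsent_status=dismiss; Path=/; "
                       "Expires=Wed, 01 Jan 2025 00:00:00 GMT"),
    ("cdn.analytics-example.net", "vid=12345; Domain=.analytics-example.net; "
                                  "Path=/; Max-Age=63072000"),
    ("www.vamatec.be", "old=1; Path=/; Max-Age=0"),
]

if __name__ == "__main__":
    records = classify_all(SAMPLE_HEADERS, SITE, NOW)
    for rec in records:
        print(rec)
    print(summarize(records))
```

One caveat when using this header-based view for a cookie inventory: analytics cookies such as the Google Analytics and Hotjar entries listed further down are usually written by embedded third-party scripts via `document.cookie`, so they land on the visited domain and would be labelled first party here. The statement's classification of them as third party follows the origin of the script that sets them, not the domain the cookie is stored under.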
4. MANAGING COOKIES
We wish to point out that web browsers enable you to change your cookie settings. These settings can be found in the ´Options´ or ´Preferences´ menu of your web browser. In order to better understand these settings, the following links can be useful. Otherwise you should consult the ´Help´ function in your web browser.
- Cookie settings in Internet Explorer
- Cookie settings in Firefox
- Cookie settings in Chrome
- Cookie settings in Safari
5. WHICH COOKIES ARE USED ON THIS PLATFORM?
Name / Purpose / Validity
locale / User language preference / 1 year
CraftSessionId* / Identification of logged-in user / Session duration
Craft login* / Log-in or registration cms / 1 month
Cookieconsent_status / Interaction cookie message / 1 year
Name / Content and purpose / Validity
_utma Google Analytics / Tracking cookie* / 2 years
_utmb Google Analytics / Tracking cookie* / 30 minutes
_utmc Google Analytics / Tracking cookie* / session
_utmz Google Analytics / Tracking cookie* / 6 months
_ga Google Analytics / Tracking cookie* / 2 years
_gat Google Analytics / Tracking cookie* / 1 day
_gid Google Analytics / Tracking cookie* / 2 days
_dc_gtm_ Google Tag Manager / cookie* / 2 minutes
_hjClosedSurveyinvites Hotjar / Cookie* / 1 year
_hjDonePolls Hotjar / Cookie* / 1 year
_hjMinimizedPolls Hotjar / Cookie* / 1 year
_hjDoneTestersWidgets Hotjar / Cookie* / 1 year
_hjMinimizedTestersWidgets Hotjar / Cookie* / 1 year
_hjIncludedInSample Hotjar / Cookie* / 1 year
Uid / AddThis* / 1 month – 2 years
_atuvc / AddThis* / 1 month – 2 years
Psc / AddThis* / 1 month – 2 years
Uit / AddThis* / 1 month – 2 years
Ssh / AddThis* / 1 month – 2 years
Ssc / AddThis* / 1 month – 2 years
Uvc / AddThis* / 1 month – 2 years
* For cookies installed by third parties (including Google Analytics & Hotjar) we refer you to the statements that these parties make about this on their respective websites. Note: we have absolutely no influence on the content of these statements nor on the content of the cookies of these third parties.
6. APPLICABLE LAW AND JURISDICTION CLAUSE