1. General informationSymphony Solutions BV (hereinafter referred to as SSBV) with a registered office at Laarderhoogtweg 25, 1101 EB, Amsterdam, The Netherlands, processes personal data in accordance with the General Data Protection (hereinafter referred to as GDPR). SSBV takes care of the privacy of the data subjects by respecting their right for privacy, observance of the principles and provisions for the protection of personal data and their legal processing, using numerous technical and organizational controls, measures and mechanisms which are continuously being upgraded.
Data Controller and Data Processor: Symphony Solutions BV
Data Protection Officer / Team (DPO): Aleksandar Gacevski, Mykola Zaika
Direct DPO Contact: DPO@symphony-solutions.com
Regulatory Body/Authority: Autoriteit Persoonsgegevens
Address: PO Box 93374, 2509 AJ, DEN HAAG
Phone number: +31708888500
Any changes or new versions of this Policy will be published on the web page.
2. Applicable regulation
SSBV continually strives to follow the principles of the GDPR that are based on legitimate processing of personal data, processing that has a definite purpose, avoiding over-processing/excessive processing, whilst maintaining integrity of personal data and ensuring their secrecy and disclosure to unauthorized persons.
3. Reason for creation of this Policy
4. Definitions and terms used in this Policy
Privacy is a fundamental human right that implies protection against unnecessary disclosure of one’s identity. Privacy is closely linked to one’s physical security and freedom.
Personal Data / Personal Identifiable Information (PD or PII) is information that refers to an identified natural person or identifiable natural person or natural person that can be identified as a person whose identity can be determined directly or indirectly, based on only unique ID number of the citizen or based on one or more characteristics specific to his physical, mental, economic, cultural or social identity. The following categories of data are considered to be treated as personal: name, surname, address, date of birth, citizen’s ID number, ID card number, passport number, photo ID, telephone number, email address and other data through which you can directly or indirectly reveal the person’s identity.
Processing of personal data means an operation or set of operations performed on personal data by manual, automated, electronic or other means, such as: collection, recording, organizing, structuring, storing, adapting or changing, retrieving, consulting, use, disclosure by transferring, posting or otherwise making available, combining, blocking, deleting or destroying.
A data subject is a natural person whose personal data is processed by SSBV.
A data processing agreement (DPA) is a legally binding document to be entered into between the controller and the processor in writing or in electronic form. It regulates the particularities of data processing – such as its scope and purpose – as well as the relationship between the controller and the processor.
Controller of personal data (Data Controller / Controller) is a natural or legal person, body of state authority or other body, which independently or together with others determines the purposes and the manner of personal data processing. SSBV has in some cases the role of Data Controller (for example: staff, applicants).
Processor of personal data (Data Processor / Processor) is a natural or legal person or a government authority which processes personal data on behalf of the Data Controller. The data processor processes the data in accordance with the applicable legislation, as well as in accordance with the guidelines and instructions obtained in the DPA signed with the Controller. In case of existence of a sub-processor, the Processor is obliged to inform the Controller, and to conclude with the sub-processor a DPA where the rights and obligations of the Processor are transferred/shared in relation to the Controller. SSBV in some cases acts as a data processor (for example: clients’ PII where in this case clients are data controllers).
Sub-processor of personal data (Sub-Processor) is a natural or legal person or authorized state agency that processes personal data on behalf of data processor and the data controller. The Sub-Processor shall process the data in accordance with the applicable legislation, as well as in accordance with the guidelines and instructions obtained in the DPA concluded with the Processor. SSBV in some cases acts as a sub-processor of personal data.
Data Protection Officer (DPO) is a person appointed in order to implement and continuously maintain the level of compliance of SSBV with the regulations in the field of data protection. The DPO reports directly to the highest management body of SSBV. The DPO should have relevant knowledge in the field of personal data protection, act independently and act as part of a team of DPOs. In order to allow the DPO to act and deliver its opinion in a timely manner, DPO should be involved in SSBV’s activities in a timely manner (for example, involved in projects, information risk analysis, recruitment process in coordination with HR and other processes that are in any way connected to processing of personal data).
Special categories of personal data (sensitive data) are personal data that reveal racial or ethnic origin, political, religious, philosophical or other beliefs, union membership, and data on human health, including genetic data, biometrics data or data relating to sex life.
Data registry is a structured set of personal data that is accessible according to specific criteria, whether centralized, decentralized or disseminated on a functional or geographical basis.
Authorized staff is staff/personnel engaged by the Controller who has authorized access to documents containing PII and who have access to information systems where PII is being processed.
The General Data Protection Regulation, EU 2016/679 (GDPR or Regulation) is a European legal framework whose primary purpose is to enhance and unify the protection of privacy, personal data and their complete processing. It is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also refers to the transfer of personal data outside the EU and EEA areas.
Dutch data protection authority (Autoriteit Persoonsgegevens) is a regulatory body of state authority whose role is to ensure the right of privacy of data subjects.
A data protection impact assessment (DPIA) is a privacy-related impact assessment whose objective is to identify and analyze how data privacy might be affected by certain actions or activities.
Direct marketing is any form of communication made in any way for the purpose of sending advertising, marketing or propaganda material that is directed directly to a particular subject of personal data.
Cookies are text files that the web browser has stored in the user’s device and are used by websites to authenticate, preserve the information / preferences for the website, other information on browsing and to another which can help the web browser while accessing certain web servers.
5. Why is SSBV collecting and processing personal data?
Under GDPR, there are six different legal bases under which personal data can be processed. SSBV uses a few of them, and these are briefly described below:
SSBV will collect and process data subjects PII with the statement of consent as legal ground only in situations when a contract or service agreement cannot be used as such (for example, job applicants). Such consent can be revoked at any point of time by the data subject by using minimal effort.
Performance or preparation of a contract
In case personal data is required to fulfil a legal contract with the data subject or to take necessary steps at the request of those concerned prior to entering the contract, the explicit consent is not required. This also applies to cases, when SSBV signs a legal contract with a client for the provision of our IT and Consultancy services and solutions and the data subjects’ personal data is necessary to complete the contract.
When SSBV acts as Data Controller, it is required to collect and process the data subject’s personal data in order to comply with legal obligations such as the EU member state’s employment or taxation legislation. Examples of those purposes are tax and financial documents and health and safety protocols.
If processing specific personal data is in the legitimate interest of SSBV and a proportionality assessment determines that it is not overridden by the interests or fundamental rights and freedoms of the data subject, then this may be defined as a lawful basis for processing. Possible uses are monitoring, access control (for safety purposes), conducting background criminal checks of personnel, storing the feedback of interviews with applicants (to maintain quality and consistence of our recruitment process) and cookies on the website (to analyze website usability).
6. Processing of personal data within SSBV
Depending on cases, SSBV can act as Data Controller, Data Processor or Sub-Processor.
In each of the cases above, the processing of personal data has an appropriate legal basis for processing.
SSBV always aims to minimize/narrow the set/amount of processed personal data regardless of the purpose of processing.
Publicly available channels/forms through which SSBV collects PII: SSBV’s Online Contact Form and CV Upload Form on the web page.
The data we collect using these channels can be stored on SSBV’s servers but also cloud services like Amazon, Azure or Google Cloud. Some parts of data might be processed by staff located outside the EU/EEA (as some of our delivery centers are located outside of EU/EEA). Such delivery centers must comply with SSBV`s instructions for processing or depending on the applicable laws, in some situations a DPA has to be signed.
The collected PII is organized and stored into data registry containing multiple data sets.
6.1 SSBV as a Data Controller
In cases where SSBV acts as a Controller, SSBV collects personal data directly from the data subjects and then structures them into appropriate data sets. Each data set contains information on the legal basis of the processing, the purposes of the processing, categories of personal data processed, information on the data transfers, information on data retention. Examples of data sets where SSBV is in the role of Controller are data set of employees, private entrepreneurs, engaged persons, contractors, business associates, applicants, interns, visitors, etc. In most cases the legal basis for processing these data subjects’ PII is binding service agreement / contract or a consent.
When collecting data for each individual purpose for processing (for example: applying for a job/cooperation), SSBV needs from each data subject to collect a consent for processing of personal data. Such consent should contain all mandatory elements that the GDPR promotes in order to protect the data subjects.
The default retention period for the PII of applicants (most often included in a form of CV) is 2 years.
The default retention period for the PII of visitors and data subjects who contact us via online forms is 1 year.
The data of the data subjects where SSBV is in the role of Controller can be also processed by other entities (processors and sub-processors) but only when SSBV has concluded a DPA with such entities. Those processors and sub-processors are obliged to protect the transferred PII with the same level of protection that SSBV has.
6.2 SSBV as a Data Processor
SSBV is in the role of Data Processor in cases where it processes PII of data subjects on behalf of other Controllers. Most often, the purpose of processing is the realization of contractual obligations between the Controller (usually a client) and SSBV. The manner of processing is regulated by a separate DPA concluded between such Controller and SSBV.
SSBV is committed to provide equal protection and treatment of each PII regardless of its role.
6.3 SSBV as a Sub-Processor
SSBV is in the role of a sub-processor of personal data in cases where it processes the PII of data subjects from other Controllers and Processors, on behalf of the Controller, the Processor and the data subjects. The purpose of such processing is the realization of contractual obligations between the Controller / Processor and SSBV. The manner of processing is regulated by a separate DPA concluded between the Controller / Processor and SSBV. SSBV is committed to provide equal protection and treatment of each PII regardless of its role.
7. Security of information system and protection of personal data
We are committed to ensuring appropriate level of information security by following the principle of providing confidentiality, integrity and availability to all information assets including the PII.
The information security objectives have been established and are compatible with the strategic direction of the company, the key objective is to work in line with the sections of the best practice standard ISO 27001:2013 detailed below. Furthermore, security objectives will be set by management as an ongoing task and in coordination with the Company’s Information Security Team. Management objectives for Information Security will be continually set and monitored to ensure they are achieved.
The Information Security measures and controls include:
8. Staff processing PII
Before commencing their work at/with SSBV and processing PII on behalf of SSBV (whether SSBV in role of data controller, data processor or sub-processor), all staff is required to:
9. Transfer of personal data
When transferring personal data, SSBV acts in accordance with Article 46 of the Regulation.
When acting as the Controller, SSBV may transfer personal data to entities in countries inside EU / EEA and in third countries when there is a secured appropriate level of data protection but not lower than that the Processor has. SSBV, when in the role of Controller, may transfer personal data to entities in EU / EEA member states as well as to third countries (outside of EU / EEA). Every transfer of personal data where SSBV is in the role of Controller is regulated by a DPA.
When acting as the Processor, SSBV may transfer personal data to entities in countries EU / EEA and in third countries (outside of EU / EEA) when there is a secured appropriate level of data protection, but not lower than that the Controller and SSBV have. Transferring of data to third countries, SSBV may only perform in case when that is being previously agreed with the Controller through a DPA. In such a case, the Controller is obliged to notify the subjects of personal data about the transfer which carries the data to the Processor and sub-Processor. SSBV, when in the role of Processor, transfers personal data to entities in EU / EEA member states as well as to third countries (outside of EU / EEA). Every transfer of personal data where SSBV is in the role of a Processor is governed by a separate DPA concluded with the Controller.
When acting as a sub-Processor, SSBV may transfer personal data to entities in countries EU / EEA and in third countries (outside of EU / EEA) when there is a secured appropriate level of data protection, but not lower than that the Controller and Processor have. Transferring of data to third countries SSBV may only perform in case when that is being previously agreed with the Controller through a DPA. In such a case, Controller and Processor are obliged to notify the data subjects in relation to the transfer performed by the data to sub-processors. SSBV, when acting as a Sub Processor, transfers personal data to entities in EU / EEA member states as well as to third countries (outside of EU / EEA). Each transfer of personal data where SSBV is a sub-processor is governed by a separate DPA concluded with the Controller and the Processor.
10. Data Retention
SSBV is the Data Controller of multiple data sets. Each data set may have a different data retention schedule depending on the purpose of processing as well as on the obligations arising between the Controller and the data subjects.
Upon fulfillment of the purpose of processing or after the expiry of data retention of personal data whether SSBV is in the role of Controller, Processor or Sub-Processor, they shall be destroyed in accordance with SSBV’s Data Retention Policy or according to a defined retention schedule with the Controller (most often a client of SSBV) in a manner that does not allow them to be further used or reconstructed. This applies not only to personal data stored in digital/electronic form but also to PII stored as hard copy documents.
11. Data subject rights
The rights of data subjects with regard to their privacy and legality of processing are according to Articles 13, 14 and 15 of the Regulation:
Such request may be addressed directly to the DPO’s email where will be further processed.
12. Profiling, machine learning and automated decision making
SSBV does not perform profiling, machine learning nor automated decision making on data subjects for any purpose.
13. Direct marketing
SSBV may conduct direct marketing only to persons who have signed a Statement of Consent for Direct Marketing in accordance with the Applicable Regulation.
15. Breach notification
In case of a security incident linked to the compromise, loss or disclosure of personal data to unauthorized persons, SSBV, if it owns contact details of the data subjects involved in the breach, shall inform the data subjects and/or other concerned parties about the incident.
In case the compromised personal data is inherited from another Controller, SSBV shall inform that Controller about the breach not than 72 hours after SSBV was aware of the existence of the incident.
If there is a large-scale data breach, SSBV shall notify by a public announcement or an appropriate posting on its website or other public media, not later than 72 hours after SSBV was aware of the existence of the incident.
This obligation is also included in the DPAs signed between SSBV and the Controllers / Processors.
Symphony Solutions BV