1. General informationSymphony Solutions BV (hereinafter referred to as SSBV) with a registered office at Laarderhoogtweg 25, 1101 EB, Amsterdam, The Netherlands, processes personal data in accordance with the GDPR. SSBV takes care of the privacy of the data subjects by respecting their right for privacy, observance of the principles and provisions for the protection of personal data and their legal processing, using numerous technical and organizational measures and mechanisms which are continuously being upgraded.
Data Controller and Data Processor: Symphony Solutions BV
Data Protection Officer / Team (DPO): Aleksandar Gacevski, Mykola Zaika
Direct DPO Contact: firstname.lastname@example.org
Regulatory Body/Authority: Autoriteit Persoonsgegevens
Address: PO Box 93374, 2509 AJ, DEN HAAG
Phone number: +31708888500
Any changes or new versions of this Policy will be published on the web page and the internal portal as well.
2. Applicable regulation
SSBV continually strives to follow the principles of the GDPR that are based on legitimate processing of personal data, processing that has a definite purpose, avoiding over-processing/excessive processing, whilst maintaining integrity of personal data and ensure their secrecy and disclosure to unauthorized persons.
4. Definitions and terms used in this Policy
Privacy is a fundamental human right that implies protection against unnecessary disclosure of one’s identity. Privacy is closely linked to one’s physical security and freedom.
Personal Data (PD) is information that refers to an identified natural person or identifiable natural person or natural person that can be identified as a person whose identity can be determined directly or indirectly, based on only unique id number of the citizen or based on one or more characteristics specific to his physical, mental, economic, cultural or social identity. The following date are considered to be treated as personal: name, surname, address, date of birth, citizen’s ID number, ID card number, passport number, photo ID, telephone number, email address and other data through which you can directly or indirectly to reveal the person’s identity.
Processing of personal data means an operation or set of operations performed on personal data by manual, automated, electronic or other means, such as: collection, recording, organizing, structuring, storing, adapting or changing, retrieving, consulting, use, disclosure by transferring, posting or otherwise making available, combining, blocking, deleting or destroying.
Excessive processing of personal data registries is a process in which personal data is processed for a purpose other than that for which it was collected / intended. Personal data may only be processed for purposes for which the subject of the PD has given his consent or for purposes provided by law.
A personal data subject is a natural person whose personal data is processed in SSBV.
A data processing agreement (DPA) is a legally binding document to be entered into between the controller and the processor in writing or in electronic form. It regulates the particularities of data processing – such as its scope and purpose – as well as the relationship between the controller and the processor.
Controller of personal data (Data Controller / Controller / DC) is a natural or legal person, body of state authority or other body, which independently or together with others determines the purposes and the manner of processing personal data. SSBV is in some cases the role of DC.
Processor of personal data (Data Processor / Processor / DPr) is a natural or legal person or a government authority which processes personal data on behalf of the DC. The DPr processes the data in accordance with the applicable legislation, as well as in accordance with the guidelines and instructions obtained in the Data Processing Agreement (DPA) with the Controller. In case of existence of a sub-processor, the Processor is obliged to inform the Controller, and to conclude with the sub-processor a DPA where the rights and obligations of the Processor are transferred in relation to the Controller. SSBV in some cases act as a DPr.
Sub-processor of personal data (sub-Processor / Spr) is a natural or legal person or authorized state organ that processes personal data on behalf of DPr and the DC. The Sub-Processor shall process the data in accordance with the applicable legislation, as well as in accordance with the guidelines and instructions obtained in the DPA concluded with the Processor. SSBV in some cases act as a sub-processor of personal data.
Data Protection Officer (DPO) is a person who is appointed by DC to implement and continuously monitor the level of compliance of SSBV with the regulations in the field of data protection. The DPO reports directly to the highest management body of SSBV. The DPO should have relevant knowledge in the field of personal data protection, act independently and act as part of a team of DPOs. In order for the DPO to act and deliver its opinion in a timely manner, it should be involved in SSBV’s individual activities in a timely manner (for example, involved in projects, information risk analysis, recruitment process in coordination with HR and other processes that are in any way connected to processing of personal data).
Special categories of personal data (sensitive data) are personal data that reveal racial or ethnic origin, political, religious, philosophical or other beliefs, union membership, and data on human health, including genetic data, biometrics data or data relating to sex life. SSBV.
Data registry (DR) is a structured set of personal data that is accessible according to specific criteria, whether centralized, decentralized or disseminated on a functional or geographical basis.
Authorized person is a person employed or engaged by the Controller who has authorized access to documents and information communication equipment where personal data is processed.
Employees are persons who have a direct business relationship with SSBV through an Employment Contract.
Engaged persons are persons who have entered into a business relationship with SSBV through engagement contracts.
Business associates are persons or entities that have entered into a business relationship with SSBV, but still appear in the role of Data Controller or Data Processor.
Visitors are individuals, other than employees, engaged or foreign persons who, for some reason, needed to physically access SSBV’s offices. In most cases, these are service providers or persons attending events supported by SSBV.
The General Data Protection Regulation, EU 2016/679 (GDPR or Regulation) is a European legal framework whose primary purpose is to enhance and unify the protection of privacy, personal data and their complete processing. It is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also refers to the transfer of personal data outside the EU and EEA areas.
Dutch data protection authority (Autoriteit Persoonsgegevens) is a regulatory body of state authority whose role is to ensure the right of privacy of data subjects.
A data protection impact assessment (DPIA) is a privacy-related impact assessment whose objective is to identify and analyze how data privacy might be affected by certain actions or activities.
Direct marketing is any form of communication made in any way for the purpose of sending advertising, marketing or propaganda material that is directed directly to a particular subject of personal data.
Cookies are text files that the web browser has stored in the user’s device and are used by websites to authenticate, preserve the information / preferences for the website, other information on browsing and to another which can help the web browser while accessing certain web servers.
5. Why is SSBV processing personal data?
Under GDPR, there are six different legal bases under which personal data can be processed. SSBV uses a few of them, and these are briefly described below:
SSBV will collect and process personal data with statement of consent of data subjects. This consent can be revocable at any time. Please note, SSBV will try whenever possible, not use your consent as legal ground.
Performance of a Contract
In case personal data is required to fulfil a legal contract with the data subject or to take necessary steps at the request of those concerned prior to entering into the contract, the explicit consent is not required. This also applies to cases, when SSBV signs a legal contract with a client for the provision of our IT and Consultancy services and solutions and the data subjects’ personal data is necessary to complete the contract. In other words, to be a party to a contract, we need to process some of your personal data.
When SSBV acts as Data Controller, it is required to collect and process the data subject’s personal data in order to comply with legal obligations such as the EU member state’s employment or taxation legislation. Examples of those purposes are: Tax and financial documents and health and safety protocols.
If processing specific personal data is in the legitimate interest of SSBV and a proportionality assessment determines that it is not overridden by the interests or fundamental rights and freedoms of the data subject, then this may be defined as a lawful basis for processing. This will be documented by SSBV. Possible uses are: Monitoring, access control (for safety purposes), storing the feedback of interviews (to maintain quality and consistence of our recruitment process) and cookies on the website (to analyze website usability).
6. Processing of personal data and data registries
In some cases, SSBV acts as Data Controller and in some cases SSBV is a Data Processor and sub-Processor.
In each of the cases above, the processing of personal data should have an appropriate legal basis such as legal processing, a statement of consent for processing personal data, a contractual business relationship, a legitimate legal interest or a processing that is vital for the data subject.
SSBV aims to minimize the amount of processed personal data. These operations require the following:
The data will be stored (including cloud services like Amazon, Azure or Google Cloud) internally. Some of the data will be processed in the non-EU countries (as some of our offices are located outside of EU/EEA), in which case SSBV provides appropriate level security. Whenever a hardcopy of the provided data is made, it will be destroyed immediately after processing.
The data will not be used for profiling, machine learning or automated decision making.
6.1 SSBV as a Data Controller
In cases where SSBV acts as a Controller, SSBV collects personal data directly from the data subjects and then structures them into appropriate data registries. Each data registry contains information on the legal basis of the processing, the purposes of the processing, categories of personal data, information on the transfer of data to data processors, information on authorized persons and information on the data retention. Examples of data registries where SSBV is in the role of Controller are for example: data registry of employees, engaged persons, associates, interns, visitors, etc.
Authorized personnel who processes personal data behalf of the Controller, is obliged to sign privacy statement / privacy notice / NDA. This document consists information about how one should perform data processing in order to be compliant with the applicable regulation and the signed DPAs with other Controllers and Processors. The document can be in written or electronic form and shall be written in clear and understandable language.
The data of the data subjects where SSBV is in the role of Controller shall be processed solely by authorized persons of SSBV or by a foreign processor in case SSBV has a DPA with the foreign processor) and shall be kept within the logical perimeter to which SSBV has appropriate access and control.
6.2 SSBV as a Data Processor
SSBV strives for equal treatment of the data of its own data subjects as well as of the data it has obtained under the Agreement from other Data Controllers, whilst fully complying with the Applicable Regulation.
Prior to commencing their operations, authorized persons of SSBV are getting familiar with the obligations arising from the Applicable Regulation, as well as from the DPA with the other Controllers and Processors.
6.3 SSBV as a Sub-Processor
SSBV strives to have equal treatment of the data of its own data subjects as well as of the data it has obtained under the Agreement from other Controllers and Processors of Personal Data, whilst fully complying with the Applicable Regulation.
7. Security of information system and protection of personal data
One of the main goals of SSBV is to provide a reliable and secure information system. Through the implementation of numerous information security policies and procedures and implementation of appropriate physical, technical, organizational and security measures, SSBV continuously improves reliability and the security level of its information system and are designed to provide an adequate level of protection of personal data. Such a system provides protection against abuse, loss of personal data, as well as protection of compromise and personal data disclosure to unauthorized persons. The established high level of security of the information system, as well as the measures provided for the protection of personal data, apply not only to the data where SSBV is in the role of Controller, but also to the data where SSBV processes on behalf of other Controllers and Processors.
In addition, SSBV regularly carries out internal audits, external audits on demand, scanning of vulnerability and penetration tests, which determine and confirm the level of reliability, security, integrity and availability of the information system.
SSBV utilizes systems, technologies and good practices that enable and ensure regular business operations and legitimate data processing (back-up storage, directory and network directories, computer network, hardware infrastructure, applications and databases).
In accordance with the methods and purposes defined (under Article 35 (7) of the Regulation), an initial assessment and classification is carried out for each system, which may result in a full DPIA. Based on the assessment of the impact on the protection of personal data and the risk of processing, we determine appropriate safeguards. All SSBV IT services are classified according to the internal methodology and requirements of the Regulation, taking into account the type of data processed, our participation and role in processing, and the level of responsibility.
For each application system, SSBV has identified responsible persons, administrators and implemented appropriate organizational and technical security measures to ensure compliance with the Regulation. Based on the evaluation of processing and data, the impact of the threat on the processing of personal data has been determined, and measures and a safeguard mechanism for reducing the estimated risk have been identified. The assessment will be carried out according to the purposes of data processing.
We have aligned our existing information security management system with the requirements of the Regulation, which ensures an adequate level of protection of personal data processing operations in order to ensure that personal data is protected, true and accessible. In complying with the Regulation, we have carried out activities that have met all the requirements of the Regulation, which we inform you through this policy and in a clear and transparent manner convey all the necessary information about the processing of personal data in SSBV.
The security incident management process is embedded in all our processing operations and is one of the basic information security management activities that enables us to effectively and continuously monitor the operation of the system and to detect irregularities and possible breaches of personal data in a timely manner.
8. Authorized persons for processing personal data
In regard to the processing of personal data, the DPO in SSBV prepares authorization for personal data processing to the individuals who have contractual business relationship with SSBV. The authorized persons, before starting to process personal data are undergoing a training regarding information security and personal data protection and also regarding the regulations and internal acts and procedures related to the protection of personal data processing. Authorized persons are signing a Privacy Statement (privacy notice), NDA (non-disclosure agreement) or DPA. Through trainings and presentations prepared by the DPO, the authorized persons are getting familiar with the obligations arising from the Applicable Regulation for the protection of personal data, and at the same time with the obligations arising from the DPA before commencing their work.
9. Transfer of personal data to other and third countries
When transferring personal data, SSBV acts in accordance with Article 47 of the Regulation.
When acting as the Controller, SSBV may transfer personal data to entities in countries EU / EEA and in third countries when there is a secured appropriate level of data protection but not less than that the Processor has. SSBV, when in the role of Controller, transfers personal data to entities in EU / EEA member states as well as to third countries. Every transfer of personal data where SSBV is in the role of Controller is regulated by a DPA.
When acting as the Processor, SSBV may transfer personal data to entities in countries EU / EEA and in third countries when there is a secured appropriate level of data protection, but not less than that the Controller and SSBV have. Transferring of data to third countries, SSBV may only perform in case when that is being previously agreed with the Controller through a DPA. In such a case, the Controller is obliged to notify the subjects of personal data about the transfer which carries the data to the Processor and sub-Processor. SSBV, when in the role of Processor, transfers personal data to entities in EU / EEA member states as well as to third countries. Every transfer of personal data where SSBV is in the role of a Processor is governed by a separate DPA concluded with the Controller.
When acting as a sub-Processor, SSBV may transfer personal data to entities in countries EU / EEA and in third countries when there is a secured appropriate level of data protection, but not less than that the Controller and Processor have. Transferring of data to third countries SSBV may only perform in case when that is being previously agreed with the Controller through a DPA. In such a case, Controller and Processor are obliged to notify the data subjects in relation to the transfer performed by the data to sub-processors. SSBV, when acting as a Sub Processor, transfers personal data to entities in EU / EEA member states as well as to third countries. Each transfer of personal data where SSBV is a sub-processor is governed by a separate DPA concluded with the Controller and the Processor.
10. Data Retention
SSBV is the Data Controller of multiple data registries. Each data registry has a different data retention policy depending on the purpose of processing as well as on the obligations arising between the Controller and the data subjects.
Upon fulfillment of the purpose of processing or after the expiry of data retention of personal data where SSBV is in the role of Controller, they shall be destroyed in accordance with the Data Retention Policy that is being previously defined by authorized persons in SSBV in a manner that does not allow them to be further used or reconstructed. This applies not only to personal data stored in digital/electronic form but also to PD stored as hard copy documents.
Only authorized persons of SSBV may process data registries obtained from other Controllers and Processors.
11. Rights of data subjects regarding their privacy and the processing of their personal data
The rights of data subjects with regard to their privacy and legality of processing are according Articles 13, 14 and 15 of the Regulation:
SSBV does not perform profiling on data subjects for any purpose.
13. Direct marketing
SSBV may conduct direct marketing only to persons who have signed a Statement of Consent for Direct Marketing in accordance with the Applicable Regulation.
Cookies are small text files placed on your device by our web server via your browser. Cookies may stay on your computer after you finish browsing our page, close your browser or shut down your computer.
All web browsers can be configured to decline cookies or clear them upon request. This will not affect your browsing experience (since we are not using them to personalize your experience, track your shopping or involve you in any marketing-related activities).
15. Breach notification
In case of a security incident linked to the compromise, loss or disclosure of personal data to unauthorized persons, SSBV, if it owns contact details of the data subjects involved in the breach, shall inform the data subjects and/or other concerned parties about the incident.
In case the compromised personal data is inherited from another Controller, SSBV shall inform that Controller about the breach not than 72 hours after SSBV was aware of the existence of the incident.
If there is a large-scale data breach, SSBV shall notify by a public announcement or an appropriate posting on its website or other public media, not later than 72 hours after SSBV was aware of the existence of the incident.
This obligation is included in the DPAs signed between SSBV and the Controllers / Processors.
Symphony Solutions BV