General Data Protection Regulation (GDPR)
Digitization is changing the world at a rapid pace. On the one hand, it makes many things easier. On the other hand, all that data also carries considerable risks, especially in the area of privacy. This has therefore been an important issue for the European Union, which is why it adopted the General Data Protection Regulation (GDPR) in 2016, a regulation that also affects many medium-sized institutions.
The General Data Protection Regulation (GDPR) has been in force since 25 May 2018. Its aim is to strengthen the protection of the personal data of people in the EU. The regulation therefore does not only apply to companies based in Europe, but to every organization that collects personal data from people in the EU, wherever that organization is located.
In addition, the GDPR sets out a framework for organizations that collect personal data. Without such a framework, many organizations were unaware of what data they actually hold, where it is stored, and who has access to it. The GDPR is meant to change this. Collecting data is not prohibited, but as an organization you need a lawful basis for it (such as the user's consent) and a clear purpose for collecting the data.
iWeb is AVG/GDPR-compliant (AVG is the Dutch name for the GDPR)
1. We have a privacy policy / information security policy
- Measures have been taken to protect confidential data, such as limiting access to this data so that only authorized employees have access.
- Employees may not use data for any purpose other than the work they perform.
- A board member is responsible for overseeing compliance with these measures and with the GDPR.
2. We have a procedure for reporting data breaches. This procedure includes the following:
- The difference between a security incident and a data breach: a security incident is a data breach when the security of personal data has been breached such that the data is exposed to loss or unlawful processing;
- Security incidents are always registered in a registration tool;
- In the event of a data breach, it is reported to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) without undue delay, and in any case within 72 hours;
- In the event of a data breach, a risk assessment is made and the data subjects concerned are notified where necessary;
- Examples of incidents that can constitute a data breach, such as the loss of a USB stick, an intrusion by an attacker, a malware infection, or a calamity such as a fire in the data center.
3. We keep a record of each processing activity: the services we provide to the controller, the means by which we provide them, and the categories of data we process.
4. We only use the personal data for processing that we carry out on behalf of the customer.
5. Access to personal data within our systems is arranged according to the “need-to-know” principle.
6. When designing and setting up our IT infrastructure and architecture, we have put appropriate security measures in place so that unauthorized access to personal data is prevented as far as possible.
7. We process and store national identification numbers, such as the Dutch BSN (burgerservicenummer), in encrypted form.
8. We store special categories of personal data in encrypted form. These include data on religion, racial or ethnic origin and health, as well as biometric data such as fingerprints, voice, handwriting and retinal scans.
9. At the controller's request, we can correct or delete personal data, or transfer it to the controller or to another processor.
10. We have concluded a data processing agreement with the controller.
Certifications & Standards
In addition to our extensive measures in the context of the GDPR, we also hold all relevant certifications and standards, such as ISO 9001, ISO 14001, ISO 27001 and NEN 7510 certifications and a SOC 2 Type II report, and we are qualified as a healthcare service provider (ZSP) and as a Well Managed Healthcare Network (GZN). Not only have our software and procedures undergone a comprehensive audit; the physical security of our buildings and the integrity of our specialists have also been included in that process. These certifications show that we demonstrably have our ICT processes and procedures under control and assure organizations of a tested level of quality.