Privacy Do's & Don'ts
ABU has set out the main consequences of the AVG for staffing companies in a brief description.
Data breach protocol UBN
In a data breach, personal data has been unlawfully processed, exposed to loss, or has otherwise wrongfully or unintentionally fallen into the hands of a person or organization that should not have access to that data. It could be a lost USB stick or stolen laptop containing personal data, but it could also be a break-in into a data system, or access to data accidentally granted to individuals or agencies who should not have it. A data breach can be as simple as sending an e-mail to an address list in which all e-mail addresses are visible to everyone.
Examples of a data breach include:
- You sent an email with personal data to the wrong person
- CVs have been thrown in the trash (and thus not in the bin for destruction)
- Someone knows your login credentials for Citrix or another UBN application
- You provide an ID document to an outside party, with the exception of foreign nationals' documents provided to hirers.
Reporting requirement
If there is a serious data breach, UBN is obliged under the General Data Protection Regulation (AVG) to report this to the Personal Data Authority (AP) within 72 hours and sometimes also to the data subjects. If it is a limited data breach that does not lead to a privacy risk for the data subject(s), it does not have to be reported to the AP. Every data breach, no matter how minor, must be registered internally.
It is important that everyone knows what to do in the event of a (suspected) data breach. Below you can read how you are expected to act.
At UBN, we have a central hotline for (suspected) data breaches.
The members of the UBN data breach hotline are:
- Maurice Mulder; 0618131700
If Maurice is unreachable, please contact:
- Advisor ICT; 0297 288 873
The protocol
Immediately after an employee discovers or learns that there may be loss or unlawful processing of personal data within UBN, he/she shall report it to the UBN data breach hotline.
The data breach hotline decides whether there is a (possible) data breach and if so, whether this data breach must be reported to the Personal Data Authority and/or to the data subject(s).
If necessary, the data breach hotline will take care of reporting to the Personal Data Authority and/or the data subject(s). The employee is not permitted to report the (possible) data breach to the Personal Data Authority and/or the data subject(s) themselves.
If the employee disagrees with the decision of the data breach hotline to report - or not to report - the (possible) data breach to the Personal Data Authority and/or the data subject(s), he or she shall raise this with the management.