1. Objective
In the course of Pointlogic's work for its clients, Pointlogic employees may come into contact with, or temporarily have access to, confidential data. Given the nature of the services, this will often be personal data, which may also fall under the General Data Protection Regulation (GDPR, which replaced the earlier data protection legislation). This Protocol describes how Pointlogic deals with confidential data.
Confidential Data means all data, in any form, relating to the client's company (including all companies involved), including data on customers, suppliers, current and future trading activities, methods, products, financial, statistical and human resources data, software, systems or accessories, research, development, strategic planning, trade secrets, know-how and other relevant data, which is brought to our attention, directly or indirectly, within the framework of a (possible) cooperation, before or after the signing of this agreement.
In the context of the GDPR, Pointlogic is the Processor and Pointlogic's clients are the Controller. The GDPR also requires that the Controller and the Processor make agreements on data security. This document aims to describe those agreements adequately.
2. Guiding principles
Pointlogic undertakes to keep such Confidential Data secret and confidential and in particular undertakes to:
- Not to disclose Confidential Data to third parties and to take all necessary measures to prevent disclosure to third parties;
- Not to make Confidential Data known within its organisation, except to the extent necessary for the proper performance of its work;
- To make Confidential Data accessible only to competent personnel;
- To inform the persons in its organisation to whom Confidential Data is disclosed of the obligations arising from this confidentiality declaration, so that those persons in turn fulfil the obligations contained in this declaration;
- Not to use Confidential Data for its own purposes outside the framework of the (possible) cooperation, or for the purposes of third parties.
3. Exceptions
However, the foregoing obligations do not apply to any Confidential Data:
- Which is already generally known before it is received;
- Which subsequently, through no fault of Pointlogic, becomes public knowledge;
- Which Pointlogic demonstrably already knew before it was received;
- Which is subsequently received by Pointlogic, on a non-confidential basis, from a third party who is not in breach of any duty of confidentiality;
- Of which Pointlogic can prove that it was produced entirely independently of the client's data.
These obligations also do not apply if and insofar as disclosure is required by law.
4. Return or destroy data
Material containing Confidential Data received by Pointlogic (or by third parties on behalf of Pointlogic) from the client remains the property of the client and will be returned or destroyed at the client's first request, including any copies made. A corresponding obligation applies to material made available to Pointlogic by or on behalf of other companies.
5. Processor agreement
In addition to the regular cooperation agreement, Pointlogic strives to have a separate or integrated processor agreement in place.
For agreements concluded after the GDPR entered into force, such a processor agreement is always concluded. For agreements concluded before that date, a standard model is available and its use is recommended.
6. Data locations
The starting point in all collaborations is that all confidential personnel data of clients is stored on the client's own data carriers, or on data carriers under the client's responsibility. This also applies to hosted environments of the client, whether or not with hosting partners contracted by Pointlogic: this data, too, is the responsibility of the client. Pointlogic does not want structural (standing) access to this data; it is the client's responsibility to ensure that no such access exists.
If temporary access to this data is necessary for:
- Implementation projects;
- Consultancy work;
- Support issues.
the Client will provide temporary access to Pointlogic. The Client must ensure that this access is temporary and traceable.
Access to the data always takes place under the responsibility of the client. The Client gives explicit permission to Pointlogic, stating the reason for access, which Pointlogic employees have access, and an end date for the access. The access period may be up to 6 months and can be renewed by the client upon expiry.
If, for the proper execution of the work, data must nevertheless be stored on Pointlogic data carriers, this will only be done with its hosting partner Proxsys. For details, see also section 9.
7. Data Handling
Pointlogic undertakes to treat all data made available to it confidentially and applies a number of stringent principles to its handling:
- Files with personnel data are exchanged exclusively via a secure file transfer application (Cryptshare), hosted by Pointlogic's ICT hosting partner (Proxsys);
- Exchange by email is expressly not permitted;
- File names may never contain the organisation name or any other name that can be traced back to the client;
- Files with personnel data must never contain any of the following fields:
- Name;
- Address;
- Postcode;
- Place of residence;
- Bank account number;
- National Insurance Number/Social Security Number (in the Netherlands, the BSN);
- Special categories of personal data as defined by the Dutch data protection authority;
- Other data that allows tracing back to an individual, unless this data is necessary to perform the service for the client.
If the client does not meet these requirements, Pointlogic will delete the data and will not process it. In that case, the client is also responsible for the additional risks associated with the data and the related data flows.
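As an added example (not part of the Pointlogic protocol itself), the following is a pre-flight check that the sending party could run over a CSV delivery before uploading it via the file transfer application. It rejects file names that contain the client name, header columns matching the forbidden identifiers listed in section 7, and cell values that look like a Dutch postcode or that pass the Dutch BSN "11-proof". The header spellings, the regular expressions, the client names and the sample rows are assumptions constructed for this example.

```python
"""Pre-flight check for a personnel data file before transfer.
Added example, not part of the Pointlogic protocol; lists and patterns are assumptions."""
import csv
import io
import re

# Header names (Dutch and English spellings) that correspond to the fields
# section 7 forbids. Assumed spellings; extend to the client's export format.
FORBIDDEN_COLUMNS = {
    "name", "naam", "address", "adres", "postcode", "zipcode",
    "home", "woonplaats", "account", "iban", "rekeningnummer",
    "bsn", "ssn", "national insurance number", "social security number",
}

# Dutch postcode: four digits (not starting with 0), optional space, two letters.
POSTCODE_RE = re.compile(r"\b[1-9]\d{3}\s?[A-Z]{2}\b")
# Candidate BSN values: any standalone run of exactly nine digits.
NINE_DIGITS_RE = re.compile(r"\b\d{9}\b")


def is_valid_bsn(digits: str) -> bool:
    """Dutch citizen service number (BSN) 11-proof: the weighted digit sum
    (weights 9..2 for the first eight digits, -1 for the last) must be divisible by 11."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    weights = [9, 8, 7, 6, 5, 4, 3, 2, -1]
    return sum(int(d) * w for d, w in zip(digits, weights)) % 11 == 0


def check_filename(filename: str, client_names: list[str]) -> list[str]:
    """Flag a file name that contains any of the given client names (case-insensitive)."""
    lower = filename.lower()
    return [f"filename contains client name '{n}'" for n in client_names if n.lower() in lower]


def check_csv(text: str) -> list[str]:
    """Return a list of findings for a CSV delivery; an empty list means it passes."""
    findings = []
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        return ["file is empty"]
    # Header row: exact match against the forbidden column names.
    for col in (h.strip().lower() for h in rows[0]):
        if col in FORBIDDEN_COLUMNS:
            findings.append(f"forbidden column '{col}'")
    # Data rows: pattern scan for identifiers hidden in free-text or mislabelled columns.
    for lineno, row in enumerate(rows[1:], start=2):
        for value in row:
            if POSTCODE_RE.search(value):
                findings.append(f"line {lineno}: value looks like a Dutch postcode")
            for m in NINE_DIGITS_RE.finditer(value):
                if is_valid_bsn(m.group()):
                    findings.append(f"line {lineno}: value passes the BSN 11-proof")
    return findings


def preflight(filename: str, text: str, client_names: list[str]) -> list[str]:
    """Combined check; the caller refuses the upload if the result is non-empty."""
    return check_filename(filename, client_names) + check_csv(text)


if __name__ == "__main__":
    # Constructed sample delivery: one compliant file and one that must be rejected.
    ok = "employee_id,department,salary\n10001,Sales,3200\n10002,Support,2900\n"
    bad = "naam,employee_id,address,note\nJan,10001,Keizersgracht 1 1015 CD,bsn 111222333\n"
    print("delivery_2021.csv:", preflight("delivery_2021.csv", ok, ["Acme"]))
    print("ACME_payroll.csv:", preflight("ACME_payroll.csv", bad, ["Acme"]))
```

A nine-digit employee number that happens to pass the 11-proof will also be flagged; that is the intended failure mode for this check: the file is refused and the client is asked for a corrected delivery, in line with section 7 and section 8, rather than the receiving side guessing which columns are safe.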
8. Data integrity
In order to ensure the integrity of the data, provided data will never be edited by Pointlogic. The source data is and remains as provided by the client.
This also implies:
- If the delivered data deviates from the agreed format, the client must provide corrected data;
- A renewed data delivery may result in project delay.
Deviations from this Data Protocol are in principle not possible. Where there is reason to allow a one-off deviation, this is done only after explicit permission from the Directors of both the Client and Pointlogic. Any additional risk arising from deviating from the standard protocol is borne by the client.
9. Data security
Pointlogic uses the services of Proxsys as its ICT hosting partner for the storage of data. Pointlogic has taken measures to ensure that no external backups are made of the data files (with the exception of email traffic). The data will only be present on Pointlogic/Proxsys systems for the time required for the proper execution of the work. Because email is not excluded from the backup facilities, file exchange via email is not permitted, as stated above.
Additional security measures:
- Customer data made available to Pointlogic systems will never be present on Pointlogic laptops or on other (mobile) data carriers;
- There are only a limited number of authorised locations for customer data, namely:
- On the customer's own infrastructure, under its responsibility;
- On remote secure servers of Pointlogic at its ICT hosting partner (Proxsys);
- In a hosted environment at Proxsys as part of the agreement between Pointlogic and the customer.
- Pointlogic will ensure that all employees are aware of the data protocols and guidelines;
- Pointlogic will ensure that Proxsys complies with common security standards/certifications (currently at least ISO/IEC 27001, the successor to ISO 17799 and BS 7799);
- Pointlogic will designate a security officer who will regularly monitor compliance with the protocols and agreements, internally, at Proxsys and at the customer;
- Pointlogic will produce a six-monthly security report with findings, updates, alerts and measures. This report can be viewed by the customer on request;
- Pointlogic will conduct regular tests of its own and Proxsys' infrastructure. These will also include a penetration test.
10. Personal data of clients and suppliers
Pointlogic stores data on clients and suppliers in its CRM system, Exact. This is done in order to fulfil its contractual obligations or in the context of responsible business operations. Pointlogic processes this data in its capacity as an independent controller.
Periodically, and at least once a year, all those involved will be informed by email about which data is recorded and for what purpose. Erasure may be requested, provided this does not conflict with a legal obligation.
11. Personal data of potential clients and other relationships
Pointlogic stores data on potential clients and other relationships in its CRM system, Exact. This is done in order to fulfil its contractual obligations or in the context of responsible business operations. Pointlogic processes this data in its capacity as an independent controller.
Periodically, and at least once a year, all those involved will be informed by email about which data is recorded and for what purpose. Erasure may be requested, provided this does not conflict with a legal obligation.
12. Human Resources
Pointlogic will ensure that privacy is continuously a top-of-mind priority for all its employees. This is ensured, among other things, by explicitly including it in the onboarding programme, by discussing it frequently in various meetings, and by periodic security training and assessments.
13. Physical access measures
Pointlogic will ensure that access to its offices is restricted to authorised persons.
It is standard policy that visitors are always accompanied by a Pointlogic employee while in the offices.
14. Data obtained by email
It cannot be prevented that data received via email is automatically stored in Pointlogic's email system. Such data will not be included in the CRM system, unlike the data described in sections 10 and 11.
Pointlogic will include a statement to this effect in its email signatures, together with a reference to this protocol.
© 2021 Pointlogic HR Privacy & data management protocol