The protection of privacy and responsible handling of personal data are of paramount importance at 9altitudes and its entities. We treat personal data carefully and provide appropriate security. In this Policy, we determine how we handle personal data and what we expect from our employees.
This policy applies to the handling of all personal data of employees, customers, users, partners, stakeholders and other personal data and the underlying documents, both digital and non-digital, within the 9altitudes group.
1.2 Privacy Governance
1.2.1. Corporate Privacy Officer and Local Privacy Officer
We strive to continuously ensure privacy in our organisation. Therefore, the responsibility for privacy compliance lies with the Board of Directors. The Board delegates privacy compliance tasks to the Chief Operating Officer (COO). The Corporate Privacy Officer (CPO) supports the COO and the Board of Directors with the implementation and monitoring of privacy protection. Within each 9altitudes entity, the Senior Management is responsible for privacy compliance within their field of authority. The Senior Management of the entity is supported by an entity Local Privacy Officer (LPO). At process and system level, Senior Management formally assigns process and system owners in the organization. These owners shall have delegated responsibilities for privacy compliance of the processes or systems assigned to them.
Tasks that fall within the duties of the CPO:
- drafting and updating privacy documentation;
- the development of internal privacy protocols and instructions;
- advising on Data Protection Impact Assessments (DPIA) on (new) processes and projects;
- training and awareness of employees;
- security of personal data (with Chief Information Security Officer (CISO));
- advising on data processing agreements;
- ensuring the rights of data subjects;
- coordination in the procedure for Personal Data Breaches;
- monitoring internal and external legal developments.
A privacy helpline has been set up for the handling of privacy issues. Employees and external parties should address this reporting point with privacy-related questions. The duties and responsibilities relating to the privacy reporting point are assigned to the CPO. The reporting point can be reached via firstname.lastname@example.org.
1.2.2. The Information Security and Privacy Steering Group
The Information Security and Privacy (ISP) Steering Group is the coordinating body for Information Security and Privacy within 9altitudes. The ISP Steering Group consists of the CISO, the CPO, the LISOs and the LPOs. The ISP Steering Group advises the Board of Directors, Senior Management and other stakeholders within 9altitudes, on request or on its own initiative, with respect to Information Security and Privacy within 9altitudes. The responsibilities of the ISP Steering Group are to:
- Maintain the Information Security and Privacy policies, standards, and guidelines.
- Prepare or update policies for approval by the Board of Directors.
- Advise and assist the organization about the implementation of Information Security and Privacy controls.
- Advise on necessary improvements with respect to Information Security and Privacy.
- Periodically perform checks (at least annually) on compliance and the correct interpretation of Information Security and Privacy.
- Ensure reporting of Information Security and Privacy incidents and manage follow-up actions.
- Monitor the follow-up of incident reports.
- Periodically report the status of Information Security and Privacy to the Board of Directors, the COO, and the Senior Management.
1.3 Review and update
2. Laws and Regulations
For the protection of privacy within organisations in Europe, the General Data Protection Regulation (GDPR) came into effect on 25 May 2018. Additional legislation applies in the various European member states. This legislation, together with the European Data Protection Board (EDPB) Guidelines and the guidelines of national Data Protection Authorities, forms the basis for this Policy.
2.1 What are personal data?
Personal data are data that can be traced back to a person; the individual can be identified, directly or indirectly. This can be done based on a name, an identification number, location data or one or more elements that characterise the physical, physiological, genetic, psychological, economic, cultural, or social identity of that individual.
Diverse types of personal data can be distinguished:
a. General personal data
These are data associated with everyday use. Examples of general personal details are names, telephone numbers, e-mail addresses and birth dates.
b. Sensitive data
These are data that have a major impact on the privacy of the individual, but that are not special categories of personal data. Common sensitive data types are information about a person's financial situation, authentication credentials (such as passwords), photos and video, and information about a person's private life.
c. Special categories of personal data
These are data that have a major influence on someone's privacy. These special details are mentioned separately in the GDPR. As a rule, special categories of personal data may not be processed, unless the grounds for exemption laid down in the law are met. Special categories of personal data are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. For the processing of data concerning criminal convictions and offences we equally need to meet the exemptions laid down in the law.
2.2 The General Data Protection Regulation (GDPR)
9altitudes complies with the following rules of thumb of the GDPR:
a. Purpose limitation
Personal data may only be collected for specific and legitimate purposes, and not further processed for purposes that are incompatible.
b. Legitimate basis
Any use of personal data must be based on a legitimate basis from the GDPR. These bases are unambiguous consent of the person involved, the performance of an agreement, compliance with a legal obligation, the protection of a vital interest or a legitimate interest of 9altitudes.
c. Quality and data minimisation
Personal data should be, as far as possible, accurate, adequate, and relevant. No more data may be processed than is necessary for the purpose of the processing.
d. Storing and destroying data
The processed data may not be stored longer than necessary to achieve the goal.
The person whose personal data is being processed must be able to see who is processing data and for what purposes. 9altitudes must actively inform the data subject about the data processing.
f. Appropriate security
9altitudes has a security obligation. The organisation must take appropriate technical and organisational measures to protect personal data.
g. Rights of data subjects
The individual whose personal data are processed has the right to become acquainted with the processed personal data, the so-called right of access. In some cases, they have the right to correct or delete the personal data. In certain cases, a data subject may also oppose processing or restrict processing.
h. Reporting obligation for data breaches
When we detect a data breach of personal data, we must report this to the Local Data Protection Authority within 72 hours. Depending on the nature and extent of the breach, the data subjects involved must also be informed.
i. Data Processing Agreements
With suppliers who process personal data on behalf of 9altitudes, we conclude a data processing agreement in which we regulate the obligations of parties and rights of data subjects under the terms of the GDPR.
j. Privacy by Design and Privacy by Default
We take protective measures and data protection principles into account from the design phase of a product, project, or process, onwards. We make sure that settings are so implemented that they protect privacy by default.
2.3 Local Data Protection Authorities
The local Data Protection Authorities are the national supervisors for the GDPR. In addition to investigative powers, Data Protection Authorities also have the power to impose fines. Furthermore, the authorities conduct research into privacy-related topics, provide advice to both organisations and stakeholders, and are the reporting point for data breaches.
Under the one-stop-shop principle, the data controller only has to deal with one lead authority. Which authority is in the lead depends on whether there is 'cross-border processing'. There is cross-border processing if:
- The processing is done in the context of activities for branches in several member states (for example shared systems/databases), or
- The processing is done in one member state but has actual consequences for data subjects in several member states.
In that case the Belgian authority is the lead supervisory authority for 9altitudes. If there is no cross-border processing, the local supervisory authority is competent.
The CPO of 9altitudes keeps a close eye on the news reports, guidelines and policy rules of these local Data Protection Authorities and adjusts the policy and the practice where necessary. He/she will share relevant developments with the employees and will actively bring these to their attention. The CPO also ensures that our supply chain partners comply with laws and regulations and addresses them where necessary.
In our daily work, we cannot avoid processing personal data. By processing we mean: all actions that employees can perform with personal data, from collecting up to and including destruction. For example: collecting, creating, viewing, recording, organising, storing, updating, modifying, retrieving, consulting, using, forwarding, distributing, making available, bringing together, relating, shielding, erasing, and destroying data.
We are responsible for the processing of personal data. Therefore, it is important to inform data subjects, customers, partners, stakeholders and employees about the handling and use of personal data. We also inform them about their rights regarding personal data. This is stated in the privacy statement on our website and that of our entities.
- We only process personal data for the purpose for which it was obtained and do not process more data than necessary;
- We handle personal information with care and take appropriate organisational and technical measures to protect personal data;
- We regard all personal data as confidential information, which is subject to a duty of confidentiality. Internally, work is done based on the need-to-know principle, which means that employees and suppliers only gain access to data insofar as these data are necessary for the performance of their duties;
- We comply with the General Data Protection Regulation (GDPR) and other applicable laws and regulations concerning the processing of personal data.
4. Purposes and Conditions for Data Processing
9altitudes processes personal data for at least the following purposes:
- Providing hosting services;
- Customer relations and (direct) marketing;
- Testing and implementing software applications;
- Access control to our digital services;
- Calculating and recording income and expenses and making payments;
- Collecting debts, including the placing of those debts in the hands of third parties and other activities of internal management;
- Taking care of the implementation of services to be delivered to the parties involved;
- Maintaining contacts with the customers or suppliers;
- The handling of disputes and the exercise of auditing;
- Personnel administration: processing of personal data of payrollers, contractors or temporary contractors employed by or working for 9altitudes;
- Payroll administration: data processing of payrollers, contractors or temporary contractors employed by or working for 9altitudes;
- Applicants: processing of data of candidates who have applied to 9altitudes to be employed or to be contracted by 9altitudes;
- Termination benefits: processing of data of employees or former employees or contractors or former contractors, if 9altitudes provides the employee with a benefit for a certain period, in addition to any unemployment benefit that may have been granted;
- The implementation or application of legislation and regulations;
- Archive destination: processing personal data for archival management, handling disputes and conducting scientific, statistical, or historical research;
- Document management: processing of incoming and outgoing documents, for example mail registration and e-mail archiving;
- Network systems: processing of personal data by 9altitudes in connection with the provision of facilities or services on a network, to persons employed by or working for 9altitudes;
- Communication equipment: processing of personal data in connection with the use of communication equipment, made available to staff employed by or working for 9altitudes;
- Computer systems: processing of personal data exclusively aimed at the maintenance, management, security, use and proper functioning of computer systems or computer programs within 9altitudes;
- Access control: processing of personal data for providing access to (parts of) buildings or information systems to employees employed by or working for 9altitudes;
- Video camera surveillance: processing of personal data in the context of security, with the help of clearly visible video cameras, of persons, buildings, grounds, and cases;
- Other internal management: processing of personal data of persons employed by or working for 9altitudes, which do not fall under another category.
9altitudes does not process more personal data than is necessary for the purposes mentioned in this chapter, or the purposes stated in the register of processing activities.
Processing of personal data only takes place if one or more of the following points apply:
a) The processing of data is necessary for the performance of an agreement in which the data subject (person to whom the data relates) is or wishes to be a party.
b) There is a vital interest (matter of life or death).
c) The processing of data is necessary for the pursuit of a legitimate interest of 9altitudes and its affiliated companies or institutions, as far as that interest outweighs the privacy rights of data subjects (e.g., cases such as internal management, marketing, and fraud prevention).
d) Data processing is necessary to fulfil a legal obligation.
If none of the above applies, then the person concerned must give written, explicit, informed and freely given consent. This means that it must be clear to the person concerned what permission is given for, what the data are needed for, how the data are handled, and that the person concerned is free to refuse permission.
5. Data Transfer to Third Parties and Processors
The exchange of personal data with other parties entails risks for privacy. This is something we never ‘just do’. We are after all responsible for what happens to the personal data.
When sending or delivering (large parts of) our customer or employee files, it must always first be established whether the rules mentioned in this policy are followed. In case of doubt, the CPO should be consulted in advance. Sending sensitive, special or large quantities of general personal data by unsecured e-mail is not permitted.
We only provide personal data of customers to third parties if there is the right basis and guarantees for this. 9altitudes has taken the necessary contractual and organisational measures, to ensure that the personal data will only be used by the third party for the above purposes.
Much of the processing of personal data we carry out is outsourced to us by our customers. In that case we are the processor and the customer is the controller, as the customer determines which data are processed and bears the costs (i.e., determines the purpose and means). Our obligations and the obligations of the customer under the GDPR are laid down in data processing agreements.
We, on our part, also use services from external parties, which makes them (sub-)processors to us. Examples of processors are hosting parties, ICT and software suppliers, contractors who have access to our systems or who hold a copy of a database, but also suppliers who take care of (part of) our marketing. These suppliers have access to the personal data in, for example, our systems, or make the backups for us and store the data for us. In a standard processor agreement, 9altitudes has made agreements with these parties about how they should handle our personal data. 9altitudes remains responsible for the data processing that these parties carry out on our behalf, which means that fines and liability are initially placed with us.
Concluding a data processing agreement is a legal requirement. In addition, the data processing agreement must ensure that we, as controller, can recover from the processor any fines and damages caused by that processor.
5.2 Stakeholders and Relations
9altitudes can exchange data with stakeholders and relations based on joint responsibility agreements. The exchange of information must take place within the legal framework and will not comprise more personal data than is strictly necessary.
In joint responsibility agreements we make agreements about what data we exchange, for what purpose, on what legal basis, what security we apply, how the liability is settled, and how we exercise the rights of those involved. In this way we create the frameworks that are needed to be able to exchange personal data with our partners.
More information about the applicable agreements and the corresponding frameworks for data exchange will be included in the 9altitudes processing register.
5.3 Legal Obligation
9altitudes is legally obliged to provide personal information to third parties in certain cases. Consider, for example, the provision of data to the tax authorities based on legislation and regulations. Another example is providing data to the police in the context of a criminal investigation. In the latter case, personal data will only be provided if there is a statutory regulation which states that the data must be provided (for example, about the examining prosecutor).
6. Rights of the Data Subject
9altitudes is obliged to inform data subjects about the processing and their rights in this regard. Customers or employees who have questions, comments or complaints about the processing of personal data can contact email@example.com.
Data subjects have the right to inspect, correct and delete their own personal data, as well as the right to object to a particular processing and/or to restrict the processing (subject to exceptions). Requests must be made in writing, including by e-mail, and will be handled by the CPO. Within four weeks of receiving the request, the CPO decides whether and to what extent the request will be met and informs the person concerned. A rejection of the request must state the reasons.
If an application for removal or correction is granted, 9altitudes will inform parties to whom the data of data subjects have been provided about the exercise of the right, unless this is impossible or requires a disproportionate effort.
6.1 Obligation to Inform
When we collect personal data, we must provide the following information to the person concerned:
- The processing purposes for which the personal data are intended;
- The recipients or categories of recipients of the personal data;
- The period during which the personal data will be stored;
- The rights that the person concerned has.
Exceptions to the information requirement may apply.
6.2 Right to Access
Data subjects have the right to request their own personal data that are known to us, to ask for the purposes for which these data are used and with whom these data are shared. They also have the right to receive a copy thereof. If the file the data subject wishes to inspect contains data about a third party, those data will be protected, unless that third party explicitly permits inspection.
6.3 Right to Rectification
Data subjects have the right to have data corrected or supplemented. Correcting or supplementing information is only possible if the data is incorrect or incomplete - think for example of a telephone number or bank details. The data subject will always have to specify which data should be adjusted and for what reason.
6.4 Right to Erasure
The data subject has the right to obtain erasure of his/her personal data without unreasonable delay, and 9altitudes is obliged to do so, among other things, in one of the following cases:
- The personal data are no longer required for the purposes for which they were collected;
- The personal data have been processed unlawfully;
- The person concerned withdraws his or her consent (if the processing is based on this).
6.5 Right to Object
Data subjects have the right to oppose any processing or provision to a particular recipient. To this end, the person concerned must provide (compelling) personal circumstances. The right of objection may be used by data subjects when they believe that their data are being processed incorrectly. Should a data subject wish to make use of this right, 9altitudes will first have to assess whether the request is justified. This is done by weighing the individual's interests against 9altitudes' own interests. The starting point is that the right of objection may not disadvantage 9altitudes disproportionately.
6.6 Right to Restriction
The person concerned has the right to obtain the limitation of the processing in, among other things, the following cases:
- The accuracy of the personal data is disputed by the data subject;
- The controller no longer needs the personal data for processing purposes, but the data subject needs it for the establishment, exercise, or substantiation of a legal claim.
6.7 Right to Data Portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to 9altitudes, in a structured, commonly used, and machine-readable (digital) format.
6.8 Right not to be subject to automated decision-making
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, and may demand human intervention in the decision-making process.
7. Retention Period
9altitudes does not store personal data longer than is legally permitted and necessary for the realisation of the purposes for which the personal data are processed. How long certain data are stored depends on the nature of the data and the purposes for which they are processed. The retention period can therefore differ per purpose. An overview of all the retention periods used can be found in the 9altitudes Data Retention Policy.
When the retention periods have expired, 9altitudes ensures that the personal data are destroyed in a secure manner. 9altitudes understands the importance of carrying out the destruction of personal data with care.
8. The Protection of Personal Data
9altitudes gives priority to the security of personal data. The personal data must be classified based on the type of data (general, special or sensitive). The more sensitive the data is, the higher the security needs to be. The data stored is therefore protected by technical and organisational measures to effectively prevent loss or misuse by third parties. In anticipation of the outcome of this classification, we have already established a high level of security, because many personal details can be classified as sensitive or special.
Employees who process these personal data are obliged to observe confidentiality. Technical security measures to protect the data are checked regularly and, if necessary, adapted to the latest state-of-the-art techniques.
More information about the security measures at 9altitudes is in the Information Security Policy.
9altitudes has a Data Breach Procedure. The CPO or LPO has the responsibility to handle data breaches and to bring the Data Breach Procedure to the attention of the employees.
Complaints and disputes about the application, implementation and/or interpretation of these regulations, or about the application of privacy laws and regulations, can be submitted to the CPO in writing, stating the reasons. The person concerned will, if necessary, receive an invitation within two weeks of receipt to explain the complaint. The person concerned will receive a decision on the complaint within four weeks of receipt of the complaint, or within two weeks of the explanation.