- Definitions In these regulations the following terms are defined as stated below:
· the regulation: the General Data Protection Regulation;
- personal data: all data concerning a recognisable person;· personal data processing: any action or totality of actions concerning personal data. By this we mean in any event the collection, recording, collation, retention, updating, rectification, request, consultation, use, supply by means of forwarding, distribution or any other form of provision, gathering, connection and correlation, as well as the blocking, exchange or destruction of data;· filing system: a set of personal data which is accessible according to certain criteria and concerns various persons;
· controller: the person who, alone or together with others, determines the aim of and the means for the processing of personal data;
· processor: the person who processes personal data for the controller, without being employed by the controller or carrying out comparable activities;
· data subject: the person whom the personal data concerns;
· third party: any person other than the data subject, the controller, the processor or any person who is authorised under the direct authority of the controller or the processor to process personal data;
· recipient: the person to whom the personal data is provided;
· consent of the data subject: every expression of free will with which the data subject accepts that personal data concerning him or her will be processed;
· provision of personal data: the disclosure or supply of personal data;
· collection of personal data: the acquisition of personal data.
- These regulations apply to the wholly or partly automated processing of personal data. They also apply to the non-automated processing of personal data that is or will be included in a filing system.
- These regulations apply to Bake & Deco and concern the processing of personal data of visitors, job applicants, employees, temporary workers and (customer) contacts.3. Aim
- The aim of the collection and processing of personal data is to have access to data that is necessary in pursuance of legal requirements, but also for purposes on the basis of the articles of association, the annual plans and other plans of Bake & Deco and the implementation of policy and management in order to attain these aims.
- The purposes for which data is collected and processed within Bake & Deco are explicitly described in the register of processing activities.
- Representation of data subject
- If the data subject is a minor or is placed under guardianship, or if this person has a mentor, the consent of his or her legal representative is needed.
- Consent can be withdrawn by the data subject or his or her legal representative at any time.5. Responsibility for administration and liability
- Bake & Deco is responsible for the proper functioning of the processing and the administration of the data; administrators are charged with the actual administration of the personal data under the responsibility of Bake & Deco.
- Bake & Deco will provide for appropriate technical and organisational measures for protection against the loss or unlawful processing of data.
- Bake & Deco is liable for the damage or disadvantage that is caused by noncompliance with the provisions of the General Data Protection Regulation or these regulations.
- Lawful processing
- In accordance with the General Data Protection Regulation and these regulations, personal data will be processed in a proper, good and careful manner.
- Personal data will only be collected for the purposes stated in these regulations. It will not be processed further in a way that is not in accordance with the purposes for which it is acquired.
- Personal data must be necessary – taking into account the purposes for which it is acquired or is subsequently processed. No more personal data will be collected or processed than is necessary for the purpose of the registration.
- Personal data may only be processed if:
- the data subject has given his or her written consent for the processing;
- the data processing is necessary for the implementation of an agreement in which the data subject is involved (for example the employment contract with the data subject) or for actions, at the request of the data subject, that are necessary for entering into an agreement;· the data processing is necessary in order to comply with a statutory obligation of Bake & Deco;· the data processing is necessary due to an interest of Bake & Deco or of a third party, unless that interest is contrary to the interest of the person whose data is processed and that interest takes precedence.
- Those who act under the authority of Bake & Deco will only process personal data on the instructions of Bake & Deco. An exception to this applies to divergent statutory obligations.6. The data will only be processed by persons who have undertaken to maintain confidentiality.
- Processing of personal data
- The processing will be carried out by employees of Bake & Deco insofar as this is necessary, in view of the applicable regulations, or insofar as the administration by Bake & Deco is necessary.2. The processing will be carried out with the express consent of the data subject.8. Sensitive personal data
- The processing of personal data concerning a person’s religious or personal beliefs, race, political persuasion, health, sex life, membership of a trade union or criminal record is prohibited, except if this is determined by the regulation.
- The prohibition referred to in the previous paragraph is not applicable insofar as:
- processing takes place with the express consent of the data subject;
- the data has clearly been made public by the data subject;
- the processing is necessary for the establishment, the exercise or the defence of a right in court.9. Acquisition of dataData acquired from the data subject
1. If the personal data is acquired from the data subject himself or herself, Bake & Deco will inform the data subject, before the time of acquisition, of:
· its identity;
· the purpose of the processing for which the data is intended, unless that purpose is already known to the data subject.
- Bake & Deco will give the data subject further information insofar as this is necessary to assure the data subject of proper and careful processing. The type of data, the manner in which this data was acquired or the use that will be made of it will be taken into account in this context.
Data acquired elsewhere
- In the case of the acquisition of data other than from the data subject Bake & Deco will notify the data subject of:· its identity;· the purpose of the processing for which the data is intended.
The time at which this must occur is:
· the time at which Bake & Deco records the data, or
· if Bake & Deco only collects the data in order to provide it to a third party: no later than at the time that this data is first provided.
- Bake & Deco will give the data subject further information insofar as this is necessary to assure the data subject of proper and careful processing. The type of data, the manner in which this data was acquired or the use that will be made of it will be taken into account in this context.5. The provisions of point 3 are not applicable if the notification referred to there turns out to be impossible or requires unreasonable effort. In that case Bake & Deco will record the source of the data.6. The provisions of point 3 are not applicable either if the recording or provision is required by or pursuant to the law. In that case Bake & Deco will inform the data subject on request of the legal requirement that obliges the recording or provision of the data.
- Right of inspection
- The data subject has the right to inspect processed data that concerns his or her personal details.
- Bake & Deco will state on request whether personal data is processed that concerns a data subject. This will take place as soon as possible, but no later than within four weeks of the receipt of the request.
- If this is the case, Bake & Deco will provide the requester with a full written overview thereof with information on the purpose or purposes of the data processing, the data that the processing concerns, the recipients of the data and the source of the data. This will take place as soon as possible, but no later than within four weeks of the receipt of the request.
- If it is more important to comply with this request other than in writing, Bake & Deco will comply with this request.
- Bake & Deco can refuse to comply with a request if and insofar as this is necessary in connection with:· the investigation and prosecution of criminal offences;· the protection of the data subject or of the rights and liberties of others.
- Right of correction, supplementation and deletion
- At the written request of a data subject Bake & Deco will correct, supplement, delete and/or protect the processed personal data in question. This will take place under the condition that this data:
– is actually incorrect,
– is incomplete for the purpose of the processing,
– is not relevant,
– encompasses more than is necessary for the purpose of the registration,
– or will otherwise be processed in contravention of a legal regulation.The amendments to be made will be stated in the request of the data subject.
- Bake & Deco will inform the requester in writing as soon as possible, but no later than within four weeks of receipt of the request, of whether it will comply with the request. If it does not wish to comply with the request, or does not wish to comply with it in full, it will state reasons for this.
- Bake & Deco will ensure that a decision to correct, supplement, delete and/or protect personal data will be implemented as soon as possible.
- Retention of data
- Personal data will not be retained in a form that makes it possible to identify the data subject for longer than is necessary to achieve the purposes for which it is collected or subsequently processed.2. Bake & Deco will delete customer data and all data that can be traced to a person no later than 7 years after the ending of the service provision, except if the law specifies another period.
- The retention periods of data for the purpose of the personnel and salary administration are specified separately in the document ‘Retention periods of personnel and salary data’.
- Data will not be retained for longer than is necessary for the achievement of the purposes for which it is collected or subsequently processed. An exception to this applies to data that is exclusively retained for historical or statistical purposes. If the data in question is processed in such a way that tracing it to individual persons is impossible, it can be retained in anonymised form.5. If the retention period of the personal data has expired or the data subject makes a request for deletion before the expiry of the retention period, this data will be deleted within a period of three months.6. Data will not be deleted if it can be reasonably supposed that:
· the retention is of great importance for a person other than the data subject;
· the retention is required in pursuance of a legal requirement or
· if there is agreement on this between the data subject and the controller.
- Complaints procedure
If the data subject is of the opinion that the provisions of these regulations are not being complied with, he or she can address his or her concerns to:
· the manager of Bake & Deco concerned;
· the designated reporting officer for the whistleblowers’ scheme within Bake & Deco;
· the court, in the cases referred to in article 48 of the GDPR Implementation Act, and
· the Data Protection Authority with the request to mediate and to advise in the dispute between the data subject and the controller.
14. Amendments, entry into force and copy
1. Amendments to these regulations will be made by Bake & Deco.
2. The amendments to the regulations enter into force after four weeks of data subjects having been informed of them.
3. These regulations enter into force as of 25-05-2018.
4. These regulations can be inspected at Bake & Deco. A copy of these regulations can be obtained if desired.
15. Unforeseen circumstances
Bake & Deco will decide in cases not provided for by these regulations, taking due regard of the provisions of the General Data Protection Regulation and the purpose and scope of these regulations.
** Where reference is made to Bake & Deco in these regulations, equivalent regulations apply to Esbaco v.o.f., Fresh Monkeys B.V. and NMK B.V.**