PROTOCOL REPORTING OBLIGATION DATA LEAKS
• Global Property cowboys e.g. attaches importance to the good security of its (electronic) systems in which personal data is stored and processed
• nevertheless, it is never entirely preventable that a data breach will occur
• Global Property cowboys e.g. is obliged under the General Data Protection Regulation (GDPR) to report (serious) data breaches to the Dutch Data Protection Authority and to those involved
• Global Property cowboys e.g. wishes to meet its legal obligations
• Global Property cowboys e.g. has therefore formulated a policy to act as adequately as possible if there is an unexpected data breach
A data breach exists where a security breach inadvertently or unlawfully leads to the destruction, loss, modification of, or unauthorized access to, data that is transmitted, stored or unlawfully transmitted.
1. Global Property cowboys e.g. has appointed internal data breach controllers responsible for reporting a data breach.
2. This responsible party is the internal securities division GPC, with the first point of contact: Roy Mookhoek, telephone number: 085 0607024; email address: email@example.com and, if he is not reachable, Courtney Schouten, telephone number: 085 0607024; email address: firstname.lastname@example.org, hereinafter: 'internal responsible'.
1. Anyone who discovers a data breach at Global Property cowboys e.g. reports this to the internal manager.
2. If possible, the person who discovered the data breach will simultaneously ensure that the leaked data is immediately deleted remotely or rendered inaccessible.
The internal manager examines, among other things:
• whether personal data has been lost or can be used unlawfully
• who or which departments within the organisation are involved in the data breach
• whether a processor is involved in the incident
The internal person responsible will stop the data breach if this is still possible and will also take the necessary measures to combat the data breach as best as possible.
The internal manager examines the possible consequences of the data breach based on the nature and extent of the data that has been leaked and determines the adverse consequences for those involved.
The discoverer/reporter of the data breach cooperates fully with the internal responsible by answering the following questions (in writing) as quickly and as well as possible:
• What happened? (description of the incident)
• Did it happen by accident or was it caused by malice (think hacked data)?
• When did it happen? (date and time)
• When was it discovered?
• what information (registers) have been leaked?
• are the data encrypted, and if so how?
• could the data be erased or made inaccessible remotely, and if so, did that happen?
• what are the possible consequences for those involved?
• which group(s) of people have been affected by this? (for example: pupils, patients, premium members)
• how many people have been affected (approximately) by this?
• have data from individuals in other EU countries been affected by the data breach?
• could technical and/or organisational measures already be taken in response to the incident?
The person responsible for the department from where the data breach took place as well as the discoverer of the data breach and anyone who is able to take organisational and/or technical measures from their position or knowledge to limit the consequences of the data breach shall be available for consultation with the internal responsible or possibly experts appointed by him and for the execution of the data breach as a result of the data breach.
1. The internal person responsible shall decide as soon as possible but in any case within 60 hours of the discovery of the data breach - whether or not in consultation with the person responsible from where the data breach was discovered and/or experts appointed by him - whether the data breach should be reported to the Dutch Data Protection Authority and/or those involved.
2. In principle, a data breach is always reported to the Dutch Data Protection Authority, whether it is unlikely that the data breach poses a risk to the rights and freedoms of those involved.
3. The report of the data breach is accompanied by answering the questions as defined in Section 7.
4. A data breach reported to the Personal Data Authority is also reported to those concerned if it poses a high risk to the rights and freedoms of natural persons, unless appropriate measures have now been taken that have averted the high risk.
1. The internal person responsible shall, if necessary, ensure the notification to the Dutch Data Protection Authority and/or the data subject(s).
2. Notification will be made as soon as possible after the discovery and in the first place within 72 hours of the discovery of the data breach.
3. It is not permitted to report the (possible) data breach to the Dutch Data Protection Authority and/or the data subject.
4. If an employee does not agree with the decision of the internal manager regarding whether or not to report the data breach to the Dutch Data Protection Authority and/or the data subject, then he can make his grievances known to the management.
5. If requested, an employee will cooperate fully with the person responsible in order to inform the affected persons about the data breach in accordance with Article 34 GDPR.
1. If the data breach has a negative impact on those involved, the internal manager will do everything in its power to minimise these consequences.
2. Depending on the nature and extent of the data breach for those involved, the internal person responsible shall determine:
• how stakeholders are informed (including at least communicating which types of personal data have been affected, the possible consequences, what measures Global Property cowboys e.g. takes and how those involved themselves can prevent or limit the damage)
• who are aftercare stakeholders
• what actions are necessary in the best interests of the organisation
3. If a data breach has occurred - whether reported or not - appropriate technical and/or organisational measures will be taken as soon as possible to prevent future similar data breaches.
The internal person responsible keeps a record of all data breaches, in which all data related to the data breach is recorded, such as:
• a description of the incident
• date and time of the data breach
• date and time of discovery of the data breach
• description of the type of leaked personal data
• description of the category(s) of those affected
• definition number of parties (approximate)
• whether data from individuals in other EU countries have also been leaked
• whether the incident has been reported to the Dutch Data Protection Authority and, if so, date and time of notification
• whether the incident has been reported to those involved and, if so, date and time of notification
• how stakeholders have been informed
• the effects of the data breach, with the date and time, if possible
• the technical and/or organisational measures taken after the data breach, with the date and time indicated in g
This protocol reporting data breach was drawn up on 02 May 2020.