WPT Privacy Statement
This WPT Privacy Statement shows how WPT deals on a day-to-day basis with personal data and privacy, and provides information on what is and what is not permitted by law. Privacy plays an important role in the relationship between the client and WPT.
WPT is responsible for personal data and data exchange for all areas in which it operates.WPT is obliged to handle carefully, securely, appropriately and confidentially the collection, retention and administration of the personal data of its employees, clients and other data subjects.Protecting privacy is a complex affair, and one that is becoming ever more complex due to technological developments, major security-related challenges and new European legislation.This is why we believe it is important to be transparent about the way in which we handle personal data and preserve privacy.
On 25 May 2018, the Dutch Personal Data Protection Act (Wbp) lapses and the European General Data Protection Regulation (the GDPR) comes into force, along with the Act to implement it.The GDPR follows on from the Wbp and amongst other things provides for an augmentation and expansion of privacy rights, as well as giving organisations greater responsibilities in this regard.
The following terms are used in the GDPR (see Article 4 GDPR):
The person that the personal data relates to.The data subject is the person whose data is being processed.
The person or organisation that processes the personal data on the instructions of another person or organisation.
All information about people and that can be used to identify an individual person. This point does not just refer to confidential data such as data concerning a person’s health but to any piece of information that can be traced back to a particular person (such as: name, address, date of birth). In addition to ordinary personal data, the law also designates certain personal data as being ‘special’. This is data that relates to sensitive subjects such as ethnic background, political preferences or the citizen service number.
Data protection impact assessment:
A data protection impact assessment assesses the effects and risks of the new or existing processings in respect of the protection of privacy. Accordingly, it is also known as a PIA (Privacy Impact Assessment).
A person or body that, alone or together with another, determines the purposes and means of the processing of the personal data.
A processing is everything that you can do with a piece of personal data, including its recording, storage, collection, pooling, provision to another party and destruction.
The regulation applies to all processings of personal data by WPT.Since WPT has offices in multiple member states, WPT, in accordance with GDPR, accepts the Dutch DPA (Autoriteit Persoonsgegevens, AP) as its Lead Supervisory Authority.
WPT is the controller (i.e. the party responsible) for the processings that are carried out by or on behalf of WPT.
WPT processes personal data for the following purposes:
WPT solely processes personal data for the aforementioned purposes.
WPT may provide this data to third parties that are involved in the processing and may also provide it to help achieve the aforementioned objectives. WPT has entered into processing agreements with these third parties. In addition, in so far as permitted by applicable European or national regulations, WPT can exchange the personal data with those enterprises that are affiliated with WPT and with other organisations, including those that are established outside the EEA (European Economic Area). The above for the purposes quoted in this Privacy Statement.
WPT informs the data subjects about the processing of personal data.When data subjects provide WPT with data then WPT will inform them about the way in which it will handle the personal data.
The law not only determines the obligations of the parties that process the personal data but also determines the rights of those persons whose data is being processed.These rights are also called the rights of the data subjects, and consist of the following rights:
Should the data subject wish to exercise his/her rights then he/she can submit an application to do so.This application may be made either in writing or by e-mail to which a copy of a valid proof of identity has been attached. WPT has four weeks from receipt of the application to evaluate whether it is justified.WPT will let it be known within four weeks what action (if any) will be taken in respect of the application.If the application is not followed up on then a complaint may be lodged either with WPT or with the Dutch DPA.Following an application, WPT may ask for additional information in order to be sure of the identity of the data subject.
Profiling takes place when automated (i.e. ICT) processing of personal data takes place, with the personal data being used to look at specific personal aspects of a person in order to categorise and analyse this person or in order to be able to predict certain matters.Examples of personal aspects could include: financial situation, interests, conduct or location.
WPT does not deploy profiling.
Records of processing activities (Article 30 GDPR)
WPT is responsible for creating a register of all processings for which WPT is the controller. Each record contains a description of what occurred during the processing and of the data used for this.
Security of processing (Article 32 GDPR)
WPT takes the utmost care with the personal data, and - together with any processors - is responsible for ensuring suitable organisational and technical protection of those of its files in which personal data is stored. In this way, we ensure that this data is only accessible for those persons who are authorised to this end by virtue of their employment position and that the data is only used for the purposes for which it was obtained.
Data breaches (Articles 33, 34 GDPR)
We define a data breach as being when personal data falls into the hands of third parties who should not have any access to this data.If a data breach has occurred, WPT will report this to the AP without any unreasonable delay and at the latest 72 hours after it learned of the breach.
If WPT takes more than 72 hours to report the breach then the aforementioned report will include the reason(s) for the delay.It may be that the breach involves a major threat to the rights and freedoms of the data subject(s).
In this case, WPT will inform the data subject(s) of this using simple and clear language.Existing data breaches will be evaluated in order to help prevent future data breaches.
Data protection impact assessment (Article 35 GDPR)
A data protection impact assessment assesses the effects and risks of the new or existing processings on the protection of privacy.WPT performs these assessments when an automated (ICT) or large-scale processing takes place.This is especially true for processings that are using new technologies.
WPT deploys the periods laid down by law for the retention of personal data. If WPT has received personal data from clients then the client in question will determine the retention period.
Amendment of the Privacy Statement
If WPT amends this Privacy Statement then we will inform you of this in our newsletter.
Questions, comments or complaints
If you have any questions that are not answered in this Privacy Statement or else have suggestions or comments about its content or should you wish to exercise your rights then you can let us know this either by sending a letter to WPT at P.O. Box 54, 9679 ZH Scheemda for the attention of the Liaison Officer for GDPR matters, stating as your reference ‘Privacy’, or else by sending us an e-mail at firstname.lastname@example.org.