|Date of last change:||26-06-2019|
|Data protection officer:||
Name: Michel Wery
Function: Finance Manager
e-mail: email@example.com Tel nr.: +31 35 628 68 48
- The Security Plan
- The Continuity Plan
- The Exit Plan
In addition, InContext has drawn up a Privacy Statement which you can find on our website. In this Privacy Statement we have described, among other things:
- Which groups InContext processes personal data for.
- Which personal data is processed.
- For what purposes and on what legal basis.
- A list of sub-processors with whom we have agreements.
- Retention periods.
The Security Plan
Technical and organizational measures taken by InContext to protect personal data and to keep it protected against loss, unauthorized access, mutilation or unlawful processing, as well as guaranteeing the (timely) availability of the data.
a.) measures to ensure that only authorized personnel have access to the Personal Data for the purposes described.
InContext gives its employees and sub-processors access via registered accounts in combination with a personal password. Access rights are granted to these accounts based on the function group to which the employee belongs. The use of these accounts is adequately logged and these accounts only give access to personal data required by the relevant person as needed.
The password must meet the following criteria:
- At least 7 characters long
- Expires every 3 months
- Must be a combination of uppercase letters, lowercase letters and numbers or symbols
Personal data (participant data) provided by clients
The InContext Project desk is the only department to receive participant data from our clients. They are responsible for correctly applying the privacy agreements / legislation to this data.
- Participant data is stored by the Project Desk department in a protected participant folder.
- Participant lists are not shared via e-mail with facilitators. Any communication with the participants after a training session is done via the Project Desk department.
- Facilitators are responsible for returning papers* with personal data used in an intervention.
- The Project desk department destroys participant data, both digital and hard copy.
*papers include: attendance lists / list of participants, Facet5 and TeamScape reports, (copies) certificates
b.) measures regarding data storage and security of devices Physical measures to secure the property
InContext’s premises are secured with access keys and an alarm. Employees have access via a key and an individually identifiable tag in order to switch security on and off.
InContext has a secured server room and only specifically authorized staff members and Card Services have the access key.
The data is stored exclusively in Dutch data centers.
Office 365 (Outlook)
- Exchange Online: divided among centers within Europe: the Netherlands, Finland, Ireland and Austria.
- Azure Active Directory (for synchronization of computer and mail passwords): The Netherlands, Ireland and the United States but is subject to European legislation.
Control based on Sophos:
- For Mac OS, FileVault2 is activated, the entire hard disk is encrypted and cannot be released without recovery key or password from the user.
- For Windows, Bitlocker is activated, the entire hard disk is encrypted and can only be released with the automatically generated recovery key. This changes with every new request to unlock.
Alienation / data leak / loss of devices
Employees are obliged to report alienation, a (potential) data leak and / or loss directly to the appointed privacy officer.
Devices are erased remotely when they are lost or stolen:
- JAMF: via the MDM system, all MacBooks can be locked and deleted remotely. The prerequisite for this is that the device has an internet connection.
- SecureFileSync: via the management portal, InContext can remotely withdraw the data from the device. We can also do this with the servers. The same condition applies, that the device is connected to the internet.
The Continuity Plan
a.) measures to ensure the timely availability of Personal Data. Obligation for employees to use centralized storage
InContext obliges its employees to store documents on the server in the designated customer folders and participant folders. This ensures that the continuity of the projects is secured and not dependent on individuals.
InContext uses an external backup server in the cloud. A copy of the server is made every night. This ensures data in the event of a server interruption / crash.
The Exit Plan
The exit plan sets out how the personal data we process on behalf of our clients is removed at the moment the relationship is ended.
Transferability to the client
InContext obliges its employees to store documents on the server in the designated customer folders and participant folders. If a client submits a request to transfer their personal data, InContext is able to do this without delay.
Destruction operations and their reporting
Participant lists are not saved for longer than 4 weeks after completion of an implementation
- Physical participant lists are destroyed via a sealed paper container that is emptied by a party specialized in it.
- Digital participant lists are removed from the server by the Project Desk department.
- Any e-mail contact between our facilitators and participants will be deleted annually before the end of the year. We also require our employees / freelancers to confirm the removal to us in writing.