These rules are contained in the Personal Data Protection Act (“WFP”). In contrast, the content of a privacy policy (internally) is not (yet) bound by rules in the Netherlands. The use of a privacy policy (internally) as a privacy statement (external) can therefore mean that you do not comply with the WFP. Worse still, visibly does not comply with the Wbp. For example, the supervisor can also see on your website that your privacy statement is incomplete.
And to complicate matters: indeed, the name of the document doesn’t matter legally. So it is not wrong to give the information on a website the name privacy policy. It’s about the right content.
2. What does a privacy policy look like?
Before I get into the content, a note about the drafting of the privacy policy. Policies can be created at different levels in an organization. So is privacy policy google right to be forgotten from UK.
A good privacy policy is layered and exists on several levels.
- The first document describes the organization’s principles for handling personal data. This document focuses in particular on principles of security and confidentiality.
- The second document deals with the specific way of security, confidentiality and how this is controlled . What requirements are imposed on contract parties (ISO certification, location), what security (encryption, two factor authentication) is used for communication, how is the working environment secured (access passes, login codes).
- In practice, the third document will often also be the only real privacy policy that has been drawn up. This document is about behavior . This document describes how personal data is handled operationally within the organization .
3. What is in a privacy policy?
If we assume that in practice only the document stating the desired behavior within the organization is used, then a privacy policy for employees who handle customer data includes:
Customer data
a. What is the basis for the use of customer data (art. 8 Wbp, create separate databases);
b. Which customer data may be used;
c. What can be done with the customer data (separate database for each purpose);
d. How long may the data be kept;
e. How are paper data destroyed, and how digital data;
Security
f. Provision of equipment to employees, the procedure;
g. Use of equipment in the work environment (what security measures are required);
h. Working outside the working environment, what are the agreements;
i. Bring your own device appointments;
j. Access rights to customer data and revocation of access rights;
k. Dealing with security measures (no post-it with password);
l. What is a data breach and to whom should it be reported;
