Processing is everything that is done with personal data.
Manner of processing
The key rule to processing personal data is that data processing is only permitted in accordance with the law and it must be done with care. Personal data is collected from the data subject in person wherever possible. The law is based on subsidiarity. This means that data processing is only allowed when its purpose cannot be achieved in another manner.
The law also refers to proportionality. This means that personal data may only be processed if it is in proportion to the purpose. The Foundation ensures that personal data is correct and complete before it is processed. Personal data is only processed by people who are subject to a duty of confidentiality. Furthermore, the Foundation protects all personal data. This should prevent personal data being viewed or amended by someone who is not entitled to do so.
The Foundation does not transfer or share personal data with any third parties with whom it has not concluded a processor’s agreement.
If personal data is obtained via a different route, in other words not directly from the data subject, the data subject will be informed when their data is first used.
Profiling takes place whenever there is automated processing of personal data involving the use of personal data to consider certain private details of a person in order to categorise and analyse the person, or to make predictions. Examples of private details include a person’s financial situation, interests, behaviour or location.
Profiling is only permitted if it meets the conditions. The exceptions to the use of profiling are set out in article 22.2 of the GDPR: 1. It is necessary for entering into, or performance of, a contract between the data subject and a data controller 2. It is authorised under Dutch or EU law. 3. It is based on the data subject’s explicit consent.
The Foundation only uses profiling where the data is general data. This is data that can no longer be linked to a person because it is in an anonymous and pseudonymous form. Furthermore, the profiling does not have a legal effect and/or persons are not affected to any appreciable degree.
Big data and tracking
Data may only be processed using big data analysis and tracking when the data cannot be traced back to a natural person. Furthermore, the data is only be collected for analysis that is performed by or on behalf of the foundation. The data collected by big data analysis and tracking is only data collected by authorised persons. If the data is converted into a data set, data minimisation will be used. This means that only data that is absolutely necessary for achieving the purpose will be used. Furthermore, personal data can be pseudonymised so that it cannot be traced back to a person.
The Foundation only uses big data where the data is general data and can therefore no longer be linked to a person.
Deployment of CCTV
The Foundation uses CCTV monitoring under certain circumstances. CCTV monitoring is only used to increase security. CCTV can greatly intrude upon the privacy of the individuals filmed. To guarantee the best possible privacy, CCTV is only deployed when there are no other means to achieve the purpose. Furthermore, the following requirements are placed on the deployment of CCTV:
- CCTV cannot be used on public highways unless this is unavoidable
- CCTV footage cannot be shared with third parties, unless this is formally requested by the courts
- Camera footage must only be kept for a maximum of between five and eight days
- Camera footage must only viewed/replayed by authorised personnel
Camera footage may be kept for longer in the event of an incident or under special circumstances. This decision rests with the head of business operations. This footage must be stored on a standalone PC with the team leader for security.