Protocol Notification Data Leak Atlas Professionals
Most Privacy Acts prescribe that the relevant Data Protection Authority must be notified if there is a suspicion of a serious data breach. We speak of a data breach when personal data fall into the hands of third parties who should not have access to that data. This may involve the release (leakage) of data, but also the unlawful processing of data. In some cases, the data breach must also be reported to those involved.
Upon detection of a data breach or a presumed data breach, this must be reported immediately to the Global Privacy Officer of Atlas Professionals. This can be done by sending an email to Privacyofficer@atlasprofessionals.com or by phone: + 31-23-5560430.
The notification must contain at least the following information:
- the nature of the infringement (so: what happened?);
- the cause of the data breach (hack, theft, loss, etc.);
- description of the leaked personal data (nature of the data, quantity, etc.);
- any measures that have been/are taken to close the data breach;
- an assessment of the risk that the people involved may run;
- the contact details of the reporter.
Unless the applicable country-specific Privacy Act or privacy principles provide otherwise, the internal reporting obligation to the Global Privacy Officer applies not only to staff employees and professionals of Atlas Professionals, but also to suppliers and partners of Atlas Professionals, insofar as those suppliers or partners process personal data of Atlas Professionals. A reference to this Protocol Notification Data Leak must be included in the agreement with the relevant suppliers and partners.
Notification by the Global Privacy Officer to the relevant Data Protection Authority and possibly involved parties:
- The Global Privacy Officer will investigate whether there is a serious data breach as a result of the internal report. This is the case if the data breach leads to serious adverse consequences for the protection of personal data. If so, the Global Privacy Officer will report the data breach 'immediately' (and, except where the applicable country-specific Privacy Act or privacy principles provide otherwise, in any event no later than the second working day after the occurrence of the incident) to the relevant Data Protection Authority.
- The Global Privacy Officer informs the management and, depending on the nature of the infringement, the other relevant departments (ICT and/or HR and/or Marketing and/or the relevant part of the line organization) about the data breach and the report to the relevant Data Protection Authority.
- The Global Privacy Officer then determines in consultation with the relevant departments whether the data breach should be reported to the data subjects. This only has to happen if the data breach is likely to have adverse consequences for their privacy. If that is the case, the data subjects must be informed about the data breach.
The notification to data subjects is not necessary if the personal data has been encrypted or made incomprehensible so that these cannot be read by others. This has to be assessed on a case-by-case basis because the effectiveness of the encryption also depends on (i) the algorithm used and (ii) the moment/point at which the data is encrypted.
- The reporting to data subjects can be done by placing a message on the website of Atlas Professionals and/or by means of a letter to those involved, at the discretion of the Global Privacy Officer in consultation with the management of Atlas Professionals. The notification to data subjects must at least contain the following information:
- the nature of the infringement in relation to personal data
- a telephone number or webpage where more information about the infringement can be obtained
- recommendations to limit possible negative consequences of the infringement for those involved.
The Global Privacy Officer keeps an overview of all data leaks, including the consequences of the data leaks and the remedial measures that have been taken. This overview may only contain the information necessary for this purpose.
Hoofddorp, the Netherlands
15 March 2018