GDPR

GENERAL DATA PROTECTION REGULATION (GDPR)
A short explanation regarding the GDPR and its Dutch implementation, the AVG.

You and ADR Register
You are a certificate holder. When filing with us your online application, you agreed to our general terms and conditions. As stated in the application, you are also aware and agree to our privacy statement. The online agreement will be regarded as both, a service level agreement as well as a service-contract that allows us to carry out your registration and certification. These agreements mean that you understand and agree to comply with our registration and certification requirements, which include but are not limited to: the entry and periodic qualification demandsrequirements, disciplinary rules as well as procedure requirements and that you agree to pay a fee for these services. We don’t collect data regarding your clients.  

Your privacy policy/declarationstatement

The letter of the law essentially requires you to have a privacy statement. This requirement is directly corresponding to article 8 of our procedure requirements. In your personal dashboard you can find a model/example privacy declaration. You can use this declaration directly or adapt it to meet your specific requirements. In your personal dashboard, you can find a model/example privacy statement. You can use this statement directly or adapt it to meet your specific requirements.

Your privacy policy/declarationstatement
For any client you have who is located in the EU or who is operating under EU laws & regulations, you must comply with the granted rights and articles in the GDPR as well as the local implementation of the law but only for this specific client. Client data can be identified as any single piece of information which, on its own, can be used to identify the EU citizen. These can be things such as names, addresses and IP-addresses.

As a brief summary, your requirements are that you must inform the client of the following:
- WHAT data is being collected on them
- HOW and WHERE this data is being managed
- HOW the client can get insights in their data
- HOW and WHERE the client can file for deletion of their data and under what conditions this may granted.
Pursuant to the GPDR you are also required to facilitate the client with rights as stated in the law. 

IMPORTANT:
- GDPR/AVG does not exclude data for collection, it does however restrict data for collection if it relates to the criminal record/committed offences of the client, these transactions are required to be monitored by a government agency. The GDPR does not only apply to digital records. Your paper notebook falls under the same law as a Microsoft word document, provided it can be used to identify a natural person.
- GDPR/AVG does not exclude data for collection. It is up to you to decide what data you need related to the delivery of your services to the client. It is up to the client to agree to the data you need to collect or to make customized agreements. If the client does not consent, you cannot collect data on them and are free to deny service.
- Exception: GDPR/AVG does however restrict data for collection if it relates to the criminal records of /committed offenses by the client. These data are required to be monitored by a government agency.

Example:
- The police clearance. The police investigates the (criminal) antecedents. As result, the police delivers the clearance or denies the request to deliver. You, as company, can file the clearance. You, as company, will not be informed with regard to the underlying facts.

You and your client
Clients can request insight, porting and/or deleting of their data. You are required to comply with this request. Complying with this request does NOT mean you have to perform the request of the client.

Under conditions, it is allowed to charge the client for the request handling. Identified conditions are: when requests are manifestly unfounded or excessive, in particular because of their repetitive character. Grounds for denial of a request:
- Pending invoices to which the client can be kept as these constitute a binding contract.
- Unfounded or excessive requests
- Other legal obligations. Separate laws may require you to deny this request.

Examples:
(1) Laws related to terrorism protection that may require you to keep a hold of data
(2) Legally invoices and financial data are bound by minimum holding dates.
(3) Where deleting the data would be against the public interest.

You and your service providers
You will most likely work together with service providers that have direct or indirect access to your data. You are required to sign a data-processors agreement with these providers Please check if you have such an agreement with each of your service providers and if you do not currently have one, contact them in order to get one in place a.s.a.p.

The following is a brief summary of some potential service providers with whom you may need or most likely want an agreement: -  Accountants/bookkeepers.
- ICT suppliers/providers such as Google’s g-suite or Microsoft’s Office 365 as well as any other online service provider that comes into contact with your clients data.
- Legal services such as lawyers, notaries e.t.c.
- Media services such as sales channels, lead generators, social media consultants and marketing’s advisors.

Who is responsible?
You must note down who is responsible regarding to the GDPR/AVG. Specifically, you must also appoint a data-coordinator who will handle the GDPR related activities within your company. This must reflect in your privacy policy.

In practice – what this all means in reality. 
- Make your privacy policy apart of your general terms & conditions and publish both on your website.
- Make sure you have measurable consent of your client regarding your terms and conditions.
- If a client requests to exercise his/her rights regarding GDPR: (1 ) React to the request. (2) Describe how and in what timeframe the request will be handled. (3)  Archive the request and when/how it was processed. 
- It is smart to make a description of your data processes. Do this by creating a document that describes how you process data, where it is stored and what data-controllers are a part of this transaction.
- Audits and controls: Governments can audit and check your business. Governments also have the right to hand out fines. During an audit, you are required to comply with the articles of the GDPR and show how you do this.
- During a periodic re-certification, you will be asked how you comply with the procedure requirements. Your GDPR/AVG compliance is a part of this.

Conclusion
- It is your responsibility to comply correctly with the GDPR/AVG.
- We cannot do this for you. However, we can and will provide tips and tools, such as the model privacy statement.

For practitioners