What is privacy?
What are personal data?
Personal data are data based on which your identity can be established (directly or indirectly). These data include name and address details, email addresses, telephone numbers, location data etc.
What are special personal data?
Apart from ‘personal data’ the regulation also mentions ‘special personal data’. These include information about your health, race, sexual orientation, belief, criminal records etc. It is not allowed to use these data, except when this is done on one of the special grounds mentioned in the regulation. For instance, a church is allowed to register the data of its worshippers. Another exception is when the person involved has given explicit consent.
What is ‘processing?’
When we talk about ‘processing’, this means executing all kinds of operations on data. To be more precise, it comes down to: using, collecting, organizing, recording, owning, correcting, saving, storing, protecting, editing, changing, requesting, consulting, combining or otherwise matching, providing, making available, handing over, spreading, connecting, erasing and destroying personal data. Whether the processing is done by man or by a computer is of no difference to the concept of ‘processing’, as long as the person responsible for the data has some kind of influence over those data. Whether or not he or she really exercises this influence, doesn’t make any difference. Since the word ‘processing’ is such an old-fashioned word, we prefer the verb ‘using’ in this statement.
When we talk about an employer in this statement, we mean any kind of working relationship in which the Beepp app can be used.
Purpose of this policy
It is our highest priority to maintain the privacy of our users. We see it is as our responsibility to protect the privacy of everybody whose data we use – and that includes your privacy – and to determine an honest and transparent policy that takes into consideration your interests. We trust that this statement is an important contribution in reaching our goal in this. If you still have questions and/or remarks after reading this policy, please send us an email: firstname.lastname@example.org.
We will treat and protect all the personal data you have given us, with the utmost care and consideration. Beepp complies with all legislation for the use of personal data. This includes, among other things, that we:
What does this statement apply to?
It is important for us to inform you that you have no obligation whatsoever to share your personal data with us. If you want to use the Beepp app, you will have to provide us with your name, telephone number and possibly your email address.
Downloading the app
Your employer or the organization you work for may decide to use the Beepp app to start a community within the organization. He or she can subsequently ask you to participate in the community and download the app. It is your voluntary decision whether or not you register and sign in on the app. However, probably you’ve already done so, otherwise you wouldn’t be reading this statement now.
In the app you find questions on your organization, about upcoming decisions, improvements in your department or other issues that matter to the organization, to you and your employer or client. Of course your employer is not allowed to ask you any questions that he or she cannot ask you in real life either. It is always up to you whether or not you answer a question.
Another advantage of the Beepp app is that it helps your organization get a realistic view of the organization itself. And that for instance it doesn’t only have to rely on the opinion of your new manager, with whom you might not get along all too well. The app helps your employer gain insight in the many compliments you received via the app. Compliments that you can put against the opinion of your new manager. We use your data – and the data of your colleagues and coworkers who also like to participate in this community – for this purpose. Without the use of these data we are unable to offer our services.
You can ask your employer to delete your data. Deleting in this case means: removing the personal data from your profile and seeing to it that data like your answers to questions in the app cannot be traced back to you.
The use of (regular) personal data is only allowed if you comply with these six basic principles:
In order to be allowed to use data you must have a specific goal. For example: optimizing your organization. We use your personal data for the following purposes:
For the purposes mentioned above Beepp may or may not process the following data:
Beepp also collects the following data:
As you can see, our software also keeps track of general visitor data, and it can register your username, the time and the duration of your visit. This information can be used for statistic analyses of visitor behavior within our software. Beepp uses these records in order to optimize (the use of) our software. We do our best to anonymize these data as much as possible. We do not provide this information to third parties.
For the use of personal data a lawful basis is needed. In other words: you need a good reason to use someone’s data. So, we’ll use ‘reason’ from now on. The law mentions six reasons:
Beepp uses reasons 1, 3, and 6. The lawful basis in this is (optimizing) the use of our software and our services based upon the software. The data collected within the Beepp community stay in the organization of your employer. The company formulates its own reasons and goals for the use of your data.
The data have to be up-to-date, complete and relevant. For that reason, an information obligation applies. This means that those, of whom personal data are used, must be informed of this in a timely manner. Your employer has to see to it that he enters your data correctly. If for some reason they are incorrect, you can ask your employer to correct or delete them.
Data have to be secured correctly, and of course we have taken measures to do so. We see to it that the security of your personal data is of the highest level, so that the risk of unlawful use of your data is reduced to a minimum. The same goes for unauthorized access by others, unlawful modification of your data, unlawful publication and/or loss of your data. We have taken these measures to secure your data (among others):
Third parties and processors
An important aspect of good security measures is that we cannot just pass your data onto other parties. If we passed your well-protected data to every Tom, Dick, Harry or Barry, we might as well not have protected them at all.
We can only pass the data you have provided us with to other parties if this is necessary for the execution of our services. Occasionally we make use of third parties for:
In the law, these third parties are called ‘processors’. Processors are parties who use your data upon our request, for example if that is necessary to use the app properly. If we ask them to provide you with a service, they are only allowed to use your data for that single purpose and only if the use is indeed required. If they provide us with a service that doesn’t require them to use your data, they simply cannot access them. If they do have to use your data, they are not allowed to use them for their own purposes.
The law obliges us to sign contracts with all processors, and of course we have done so. In these contracts we have determined that processors must abide the law and are thus obliged (among other things) to protect your data in a suitable manner. We do not pass your data to processors with whom we do not have a signed processing agreement. There is, however, one exception: if the law forces us to do so. This can be the case if the police request us to hand over personal data for a criminal investigation. In cases like this we have to cooperate and provide them with this information. To our judgment, the chances that such a situation may occur when using our software are very slim.
Access and copies
You can request access to your personal data from your employer. What’s good to know: the information you see in our software is the only information we use. All information is transparent and accessible for you. It is therefore very unlikely that you’ll find any surprises when you look into your data on our app.
Complete, improve, delete, erase and rectify
If the data are incorrect, you can ask your employer to correct, delete and/or block them. It is however, important to emphasize that you cannot change the answer you gave to a question, a tip, compliment or complaint. You can’t erase the contents of a chat session either.
You also have the right of rectification (to correct any mistakes or errors) and the right to completely erase your data (right to erasure). We will erase data in case they are incorrect, incomplete, if they are not necessary for the purpose we collected them, or if we have used them against the law in any other way. Should you so desire, and if the law allows us to do so, we will completely erase your data, so that you are no longer visible in our system. This means that we adjust your data in such a way that they can no longer be traced back to you.
Limited use and transfer of your data (right to data portability)
You have the right to limit the use of your data. That is: you can request your employer to stop using a part of your personal data and to continue the use of another part. You also have the right to data portability. In this case your employer hands you your compressed data, in a way that allows you to pass it onto someone else easily. You can also ask your employer to pass your data directly to someone else.
You can object to the use of your data if you believe that your specific privacy interests have more weight than the legitimate interest of your employer to use them. If you do file a complaint against the use of your data, your employer has to weigh your specific interests against his interests in the use of the data. And based on this he or she needs to make an informed decision. If you disagree with that decision, or if for some other reason you think that they do not handle your data well, you can file a complaint at the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). You can easily file your complaint through their website (autoriteitpersoonsgegevens.nl).
Profiling or automated decision-making
Companies are not allowed to make an automated decision based on a request you made. This means that it always has to be a human being who makes a decision about your request and that your request cannot be granted or rejected by the mere use of software. Profiling in order to sell you a product or service is not allowed either. Beepp doesn’t use profiling, nor does it make any automated decisions.
You have the right to start a procedure and you can request for compensation if privacy infringement is proven. You can also start a procedure together with other people. This is called ‘collective actions’.
If you have a complaint about the way Beepp uses your personal data, we would appreciate it if you contact us directly. We would regret it enormously, if for some reason we were unable to solve the issue together. In that case you have the right to file a complaint at the Dutch Data Protection Agency (Autoriteit Persoonsgegevens), the supervisory authority for privacy protection.
6) Retention period
Once you no longer need data, you must delete them, unless the law obliges you to store them for a longer time.
When you terminate your employment, your employer has the obligation to erase your data at the shortest possible time after you ended your working relationship; unless the law obliges them to store the information for a longer time.
If personal data fall into the hands of strangers, we speak of a data breach. In actual practice this often means that an employee accidentally loses his or her laptop, telephone and/or usb stick in public transport or in any other public place, or that such a device is stolen. We also speak of data breach when an organization’s data were hacked, if an employee mistakenly sends an email containing personal data to the wrong person, or if computer files or documents were leaked in another way.
We document all (small and large) data incidents. According to the law, a data breach must be reported to the Dutch Data Protection Agency (Autoriteit Persoonsgegevens – AP) if: “it leads to a considerable likelihood of serious adverse effects on the protection of personal data, or if it has serious adverse effects on the protection of personal data.” This means that an incident has to be reported to the AP if many data were lost or if they got into the hands of unauthorized persons. When it concerns very sensitive data, such as medical files, this obligation also applies, regardless of the quantity.
In order to be able to report a data breach in time, Beepp has set up a data breach protocol, to see to it that – in the highly unlikely event of a data breach – this actually is reported in a timely manner. If the breach concerns you in any way, of course we will inform you of this as well.