In line with the principles set out above, IQ Messenger bases its position on accountability.
Taking into account the nature of the processing, IQ Messenger shall assist the data controller by appropriate technical and organizational measures, insofar as this is possible and required, in the fulfilment of the data controller’s obligations to respond to requests for exercising the data subject’s rights laid down in Chapter III GDPR.
This entails that IQ Messenger shall, insofar as this is possible and required, assist the data controller in the data controller’s compliance with:
a) the right to be informed when collecting personal data from the data subject
b) the right to be informed when personal data have not been obtained from the data subject
c) the right of access by the data subject
d) the right to rectification
e) the right to erasure (‘the right to be forgotten’)
f) the right to restriction of processing
g) the notification obligation regarding rectification or erasure of personal data or restriction of processing
h) the right to data portability
i) the right to object
j) the right not to be subject to a decision based solely on automated processing, including profiling.
1. Awareness & Security
Since 2015 IQ Messenger has held NEN 7510 and ISO 27001 certifications, ensuring compliance with its obligations pursuant to Article 32 GDPR. Part of these certifications is the Information Security Management System (ISMS).
These certifications are tested annually through an external audit by an accredited notified body, which assesses the functioning of our information security management system. An internal audit is also carried out between these external audits to keep the management system up to date. The following points in our ISMS apply to the AVG (GDPR) and NEN 7510 certification:
- House rules
- Confidentiality statement for Employees
- Security of equipment and systems
- Periodical Information Security Management Forum consultation
- Reporting data leaks
- Privacy by design & privacy by default
Awareness of the GDPR legislation is guaranteed through our NEN 7510 and ISO 27001 certifications, under which this subject is included in the periodic toolbox meeting.
IQ Messenger has taken the necessary measures regarding the organizational and technical requirements for the protection of Personal Data.
2. Right of Data Subject
IQ Messenger has no direct relation to the Data Subject in its role as a Sub-Processor of Personal Data. It is the End User that carries out the communication and the resulting actions in relation to Personal Data processed by the Product with the Data Subject.
A DPIA (data protection impact assessment) under the GDPR legislation does not apply, since IQ Messenger does not act as End User.
4. Privacy by design & Privacy by default
Privacy by design and privacy by default are guaranteed through our development guidelines and our NEN 7510 and ISO 27001 certifications, under which this subject is included in the periodic internal and external audits.
The design of the Product and the organization's policy ensure that Personal Data are properly protected, for example by not showing Personal Data by default. Personal Data are only made visible by the Product, and only to authorized Employees of the End User and the Client.
The Client may encounter Personal Data from a Source System through the Product. The Client determines the duration of the storage of Personal Data in the Product.
5. Data Protection Officer
A Data Protection Officer (FG) as defined in the documentation of the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) is not required for IQ Messenger, as it does not engage in tracking individuals on a large scale. However, as part of its NEN 7510 and ISO 27001 certification, IQ Messenger has an Information Security Officer.
6. Reporting obligation data leaks
By means of the Procedure Reporting Data Leaks in our ISMS, we provide clarity regarding the legal obligation to report data leaks, so that Employees know what a data leak is, when a data leak has to be reported to the manager, when a data leak must be reported to the Dutch Data Protection Authority and when a data leak must be reported to the Data Subject.
a) IQ Messenger is obliged to notify the personal data breach to the Dutch Autoriteit Persoonsgegevens without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons;
b) IQ Messenger is obliged to communicate the personal data breach to the data subject without undue delay when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons;
c) The data controller is obliged to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a data protection impact assessment).