GDPR statement

Handling privacy & security

May 7th 2020
Version 2.0

Definitions

  1. Data Subject: a natural person whose personal data is processed by a Controller or Processor
  2. Special category of Personal Data: Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
  3. Business Partner: authorized and trained legal person authorized for the delivery, sale, installation and support of the IQ Messenger Platform.
  4. Source System: any electronic information storage system which contains Personal Data (commonly implemented on a computer system running a database management system) that is the authoritative data source for a given data element or piece of information.
  5. Manufacturer: Owner and developer of the Product.
  6. Product: IQ Messenger Software Platform.
  7. App: Applications developed by the Manufacturer for use with the Product, known as:
    7.1. IQ SmartApp Enterprise iOS
    7.2. IQ SmartApp Enterprise Android
    7.3. IQ SmartApp Medical Enterprise iOS
    7.4. IQ SmartApp Medical Enterprise Android
  8. End User: legal person which uses the IQ Messenger Platform/Product. End User will act as the Controller
  9. GDPR: General Data Protection Regulation.
  10. Agreement: the Agreement, drawn up Written, between the Controller and Processor.
  11. Employee: A natural person who, on the basis of an Agreement with a legal entity, performs work for this or another designated legal person.
  12. Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Hereafter named as End User.
  13. Processor: a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
  14. Personal data: any information relating to an identified or identifiable natural person (Data Subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  15. DPIA: A data protection impact assessment (DPIA) is a privacy-related impact assessment whose objective is to identify and analyze how data privacy might be affected by certain actions or activities.
  16. Written: in writing or electronically, as referred to in Section 6:227a of the Dutch Civil Code.
  17. Sub-Processor: third party data Processor who has or potentially will have access to or process data (which may contain Personal Data).
  18. Processing: any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  19. Records of Processing: records of all the Processing activities which take place within the organization.

IQ Messenger

IQ Messenger B.V., located in Dordrecht, is the manufacturer of the IQ Messenger Software Platform (see also http://www.iqmessenger.com), hereafter referred to as the Product.

IQ Messenger sells its Product to the Business Partner. The Business Partner resells the Product to the End User/ Processor. The Business Partner also provides the installation, service, expansion and maintenance of the Product.

The roles of each party are illustrated in the following chart, from Data Subject to Sub-Processor.

  • End User acts as Controller
  • The Business Partner acts as Processor

IQ Messenger acts here as a Sub-Processor.

The Product can be installed within the existing network environment of the End User and be linked to one or multiple Source Systems, which can contain Personal Data (and/or Special Categories of Personal Data). An example of such a system is the Electronic Health Records (EHR).

The purpose of this link is usually in receiving alarm messages and enriching them with relevant and current Personal Data from a Source System. This functionality makes IQ Messenger a possible Sub-Processor of Personal Data and is the motivation for this Declaration of Processing.

IQ Messenger confirms that its operations are following the new GDPR legislation.

According to this GDPR statement, we inform Business Partners and End Users about how we have set up our systems, processes and internal organization for this law.

This IQ Messenger Processor statement can be used by the Business Partner in its communication, transparency, proof and responsibility towards the End User with regard to the chain of Processing of Personal Data of the Data Subject. This chain runs from the Controller to Sub-Processor, see also the diagram above. This is to be able to comply with the protection of the Data Subject's rights regarding the Processing of Personal Data.

Processing Personal Data

The following principles from the GDPR may be applicable to IQ Messenger:
1. Consent of Client
2. Vital interests
3. Agreement

1. Client’s permission

The Client undertakes to inform IQ Messenger in time that the Product will be used for the Processing of Personal Data.

The End User determines the duration of the storage of Personal Data in the Product.
The End User determines which Personal Data must be changed or removed in the Product.
IQ Messenger declares not to use or store Personal Data for its own purposes.
The Product functions within the secure network environment of the End User.
Employees of IQ Messenger can therefore only connect to the Product, and encounter Personal Data from a Source System, with the explicit consent of the Client.

2. Vital interests

Personal Data processed by the Product may be of vital importance to the insight and instruction of the End User.

3. Agreement

IQ Messenger will only make the functionality of its Product that comes in contact with Personal Data available after receiving an unambiguous Agreement from the Client.

Data Usage by the Product

1. What data is collected and what is it used for:

Usage data

The App collects anonymous usage data about the use of the App and information about the device on which it is installed. This usage data is saved in local log files and is used exclusively for error analysis. In the event of an error, the user can share this data with The Product.

The data are not used for advertising purposes and are not sold or made available to third parties.

The App uses the following third-party software to record usage data:

  • Google Analytics for Firebase
  • Firebase Crashlytics

Further information can be found in Google's privacy policy: https://policies.google.com/privacy

Location data

The App collects location data to ensure reliable localization in the event of an alarm. This location data is also collected when the app is in the background or not currently in use. The location data are only collected if this is explicitly configured on the server and the necessary feature license is available and activated. This location data is not shared with third parties and is used exclusively for the purpose of personal security and alarms.

Accountability

Based on the above-mentioned principles, IQ Messenger bases its position on accountability.

Taking into account the nature of the processing, IQ Messenger shall assist the data controller by appropriate technical and organizational measures, insofar as this is possible and required, in the fulfilment of the data controller’s obligations to respond to requests for exercising the data subject’s rights laid down in Chapter III GDPR.

This entails that IQ Messenger shall, insofar as this is possible and required, assist the data controller in the data controller’s compliance with:

a) the right to be informed when collecting personal data from the data subject
b) the right to be informed when personal data have not been obtained from the data subject
c) the right of access by the data subject
d) the right to rectification
e) the right to erasure (‘the right to be forgotten’)
f) the right to restriction of processing
g) notification obligation regarding rectification or erasure of personal data or restriction of processing
h) the right to data portability
i) the right to object
j) the right not to be subject to a decision based solely on automated processing, including profiling.

1. Awareness & Security

Since 2015 IQ Messenger has held NEN 7510 and ISO 27001 certifications, ensuring compliance with its obligations pursuant to Article 32 GDPR. Part of these certifications is the information security system, also called the ISMS (Information Security Management System).

The functioning of our management system for information security is tested annually under these certifications through an external audit by an accredited notified body. An internal audit is also carried out between these external audits to keep the management system up to date. The following points in our ISMS apply to the new GDPR and the NEN 7510 certification:

  • Household regulation
  • Confidentiality statement Employees
  • Security of equipment and systems
  • Periodical Information Security Management Forum consultation
  • Reporting data leaks
  • Privacy by design & privacy by default

Awareness of the GDPR-legislation is guaranteed through our NEN 7510 and ISO 27001 certifications in which this subject is included in the periodic toolbox meeting.

IQ Messenger has taken the necessary measures regarding the organizational and technical requirements for the protection of Personal Data.

2. Right of Data Subject

IQ Messenger has no direct relation to the Data Subject in its role as a Sub-Processor of Personal Data. It is the End User that carries out the communication and the resulting actions in relation to Personal Data processed by the Product with the Data Subject.

3. DPIA

DPIA of the GDPR-legislation does not apply since IQ Messenger does not act as End User.

4. Privacy by design & Privacy by default

Privacy by design and privacy by default are guaranteed through our development guidelines and NEN 7510 and ISO 27001 certifications in which this subject is included in the periodic internal and external audits.

Within the design of the Product and organization policy it is ensured that Personal Data are properly protected, for example by ensuring that Personal Data are not shown by default. Personal Data are only made visible by the Product / provided to authorized Employees of the End User and the Client.

The Client could encounter Personal Data, from a Source System, through the Product. The Client determines the duration of the storage of Personal Data in the Product.

5. Data Protection Officer

Data Protection Officer (FG) as defined in the Documentation Authority Personal Data does not apply to IQ Messenger as it does not engage in tracking individuals on a large scale. However, from its NEN 7510 and ISO 27001 certification IQ Messenger has an Information Security Officer.

6. Reporting obligation data leaks

By means of the Procedure Reporting Data Leaks of the ISMS system in our organization we provide clarity regarding the legal obligation with regard to the reporting of data leaks, so that Employees know what a data leak is, when a data leak has to be reported to the manager, when a data leak must be reported to the Dutch Data Protection Authority and when a data leak must be reported to the Data Subject.

a) IQ Messenger has the obligation to notify the personal data breach to the Dutch Autoriteit Persoonsgegevens without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons;

b) IQ Messenger has the obligation to without undue delay communicate the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons;

c) The data controller has the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a data protection impact assessment)

Processing Register

IQ Messenger has a Register of Processes that can be viewed at the request of the Dutch Data Protection Authority.

Questions or Complaints

Questions or complaints regarding the Processing of Personal Data by the Product can be addressed in writing to:

IQ Messenger B.V.
Attn. Quality Manager
Pieter Zeemanweg 57
3316 GZ Dordrecht
+31 (0) 88 20 22 333
quality@iqmessenger.com

 
