From 25 May 2018, the General Data Protection Regulation applies to all organizations that store personal data in a file. The use of data must meet the following conditions:
- A clear purpose must be set for what the data will be used for,
making it clear who has access to which data for what period.
- Only relevant data may be used. In other words, no
unnecessary or too much data may be collected or used.
- It must be recorded which persons have access to which data.
Good security must also be applied to the use of the data.
- The data may not be provided to third parties unless explicit permission
has been given by the person concerned or there is a legal obligation to do so.
- The data may only be used for a specified period of time and must then
be deleted. The length of that period varies per project. In the meantime, it must be
possible to delete data at the request of the data subject. Longer use than the
predetermined period (for example for the duration of an event) is only possible with the
explicit permission of the person concerned.
- Special data, including religion, health or criminal data, may
only be collected if there is a strict necessity for this and with the explicit
permission of the person concerned. This data must be completely deleted after
the specified period.
For what purpose are these personal data stored?
SKIN-Rotterdam stores personal data of its relations. These are contact persons of affiliated churches and organizations, employees, volunteers and external relations. Different purposes apply for each group, for which the information is stored. For example, for sending newsletters, invitations, time registration of employees, correspondence, mailings and relationship management.
There is also a paper file of affiliated churches and organizations at the SKIN-Rotterdam office.
To strengthen involvement within the wider SKIN-Rotterdam community of churches and organizations, and for PR and reporting purposes, photos and sometimes film material supplemented with text are often used on the website, in mailings and newsletters (using Mailchimp), on Facebook, Twitter and YouTube, and in reports. Relevant activities of relations are published for PR purposes on the website and in any other means of communication such as flyers and newsletters.
What data is processed?
At SKIN-Rotterdam, data is only used on a lawful basis: with the consent of the person concerned, because it is necessary for the execution of the activities, or because there is a legitimate interest.
SKIN-Rotterdam keeps contact details of its relations. This means name, m/f in connection with salutation, church/organization(s), email address and telephone number. Physical addresses are kept at church/organization level as much as possible. In some cases, the physical address of a church/organization may coincide with a private address.
When the leadership of a church/organization consists of a couple, this is also mentioned. This is relevant information for SKIN-Rotterdam because leadership in international churches and organizations is often seen as a joint vocation, while the tasks and roles of men and women differ. The activities of SKIN-Rotterdam are aimed at strengthening these specific tasks and roles. For example, SKIN-Rotterdam has separate leadership groups for women and men. Only the name and email address of those interested in the newsletter will be saved. Because a connection is made between the church/organization and the contact person, the religious conviction of that person is indirectly recorded. In some cases, ethnicity can also be traced back to this context.
Photos and film material made under the responsibility of SKIN-Rotterdam are usually published publicly. SKIN-Rotterdam ensures as far as possible that people who have not given permission for this are not recognizable in the image. In cases where this has not (yet) been successful, you can report this to [email protected].
When using digital resources, SKIN-Rotterdam only uses technical, functional and analytical cookies that do not infringe your privacy. A cookie is a small text file that is stored on your computer, tablet or smartphone when you first visit a website. The cookies we use are necessary for the technical operation of the website and your ease of use. They ensure that the website works properly and, for example, remember your preferred settings. We can also optimize our website with this. You can opt out of cookies by setting your internet browser so that it no longer stores cookies. In addition, you can also delete all information that has previously been stored via the settings of your browser.
SKIN-Rotterdam does not make decisions based on automated processing that may have consequences for individuals.
Who can view your data and how is it secured?
Employees of SKIN-Rotterdam are authorized to view the data. Employees are contractually bound to confidentiality with regard to stored personal data unless there is a legal or reasonable need to provide data.
SKIN-Rotterdam employees have their own login details for the SKIN-Rotterdam computer network and the supporting online programs. Electronic data can only be accessed from another location with the personal login data.
Perfectview online is used as a relationship management system, Exactonline for financial and payroll administration, 14dayz for time registration. SKIN-Rotterdam checks the compliance of these programs with the GDPR.
In addition, office applications such as Word and Excel are used for participant lists of activities, which are stored on the computer network of SKIN-Rotterdam.
The administrator of the computer server applies protocols for the security of our data and protection against hacking (privacy by design: privacy was taken into account when the information system was designed, and personal data is processed as little as possible). There is 1 server on which all data is stored. All employees have access to this server. There are no external users. All employees can consult documents from colleagues for information via shared storage.
Physical files are stored under lock and key. The SKIN-Rotterdam office location is closed off with a security system with electronic authorization. Access is managed by the secretariat of the Samen010 foundation. Guests are only allowed to access the location with an escort. A Certificate of Good Conduct is requested for volunteers. Among other things, the application is checked for the handling of information. SKIN-Rotterdam does not sell your data to third parties and only provides it if this is necessary for support in consultation with you or to comply with a legal obligation.
How long is your data kept?
When the relationship is terminated, data is removed from the systems. This means that data will be deleted if you no longer wish to be regarded as a relation of SKIN-Rotterdam; you can report this to [email protected]. The data will also be deleted when the relationship is no longer relevant for SKIN-Rotterdam, for example in the case of a temporary contribution to a project as an employee or as a volunteer. In practice, it appears that even after a project, a relationship with SKIN-Rotterdam often continues to exist with the minimum level of interest. Anonymized data may be kept for statistical purposes. Financial and personnel data for legal authorities and accountability to subsidy providers and funds are generally kept for 7 years after the date. Other personnel data will be deleted after 2 years. Data from applicants will be deleted after 6 months.
Photos and film material made under the responsibility of SKIN-Rotterdam can be archived for future use after withdrawal from public publication.
In case of recognizability of persons, permission for use will be requested again upon publication.
What are your rights?
You have the right to view, correct or delete your personal data. In addition, you have the right to withdraw your consent to the data processing or to object to the processing of your personal data by SKIN-Rotterdam and you have the right to data portability. This means that you can submit a request to us to send the personal data we have about you in a computer file to you or another organization mentioned by you.
You can send a request for access, correction, deletion, data transfer of your personal data or request for withdrawal of your consent or objection to the processing of your personal data to [email protected].
Questions and/or complaints
Questions about privacy at SKIN-Rotterdam can be sent to [email protected]. You can also contact us here for a complaint or report. We will register the necessary information for each report. This allows us to maintain contact with the person who has approached us while the report is being handled. With every report we will try to find out:
- where the data used comes from
- what happened to the data
- who is involved
- whether damage has occurred and how it can be repaired as much as possible
- whether steps are required to prevent recurrence.
Naturally, SKIN-Rotterdam does everything it can to ensure that personal data does not fall into the hands of third parties. If this does happen, we speak of a data breach. The law stipulates that if a data breach occurs, it must be reported. However, the law explicitly refers here to the leakage of personal data as a result of security vulnerabilities. These data breaches must, if they are sufficiently serious, be reported without delay to the supervisory authority, the Dutch Data Protection Authority (AP), formerly the Dutch DPA, within 72 hours. This notification must in any case contain the nature of the infringement, the measures that have been taken to limit and remedy the consequences of this infringement, and the observed and possible consequences of the infringement for the processing of personal data.
After a data breach has taken place and it is likely that the breach will have adverse consequences for the privacy of the person whose data is involved, the data subjects should receive a notification. This notification must at least state the nature of the infringement, the authorities where more information about the infringement can be obtained and the recommended measures to limit the negative consequences of the infringement.