MegaGroup attaches great importance to the privacy of both its customers and its employees. The point of departure is that the privacy of data subjects is respected and that MegaGroup works in accordance with the relevant legislation and regulations.
This document, endorsed by management, is the basis for the transparency of the organisation's actions with regard to privacy, both of its customers and of its own employees. This includes creating awareness, but also familiarity with the described policy processes. Examples include the obligation to report data leaks, the rights of the parties involved and privacy by design. The basis for the entire organisation is the processing register, which records what personal data is used, when and by whom.
The policy, procedures and register that are linked to this are periodically (annually) checked and adapted to the situation and laws and regulations that are in force at that time. The Privacy Officer ensures that interim process improvements are also implemented and provides the management board with both solicited and unsolicited advice.
MegaGroup only collects data that is necessary for the performance of its activities and thus arises from the "execution agreement" basis or from the "consent" basis for marketing purposes. Personnel data are stored exclusively on the basis of "legitimate interest". This is recorded in the processing register.
MegaGroup also ensures that third parties handle the personal data to be processed by it in accordance with the guidelines of MegaGroup. This is laid down in the processing agreements with third parties, or MegaGroup has agreed to the privacy statement of the third party.
The management board is also responsible for structuring the privacy organisation, the roles and responsibilities.
Managers are also responsible for periodically bringing the issue of privacy to the attention of work meetings, reviews, etc. They will also report to the management board on the progress made towards achieving the policy objectives.
The controller is the party who has established the purposes and means of the data processing: it is always clear who the controller is.
The controller is responsible for compliance with Article 5(1) GDPR and can demonstrate this ("accountability"). The controller is also responsible for the follow-up of measures that are necessary to continue to comply with legislation and regulations.
The controller is a role that will be fulfilled locally at each Bosta/Bevo site. The local controller reports progress to the privacy officer.
Privacy legislation prescribes an independent consultant in the field of privacy.
Duties of the Privacy Officer:
- Advise management, executives, employees and third parties on the obligations with regard to privacy legislation.
- Monitor and report on compliance with privacy laws and procedures.
- Create awareness and train employees in the field of privacy.
- Act as contact point for the Dutch Data Protection Authority in case of data breaches or audits.
- Responsible for logging data leaks.
- Continuously improve the policy, procedures and registration.