1.       Background

MegaGroup attaches great importance to the privacy of both its customers and its employees. The point of departure is that the privacy of data subjects is respected and that MegaGroup works in accordance with the relevant legislation and regulations.

The management board of MegaGroup takes the position that all employees are responsible for the proper handling of personal data. By adopting both a top-down and bottom-up approach to the implementation of privacy policy, MegaGroup can comply with relevant legislation and regulations. The Privacy Officer helps the organisation and its employees to achieve this goal.

2.       Embedding in the organisation

This document, endorsed by management, is the basis for the transparency of the organisation's actions with regard to privacy, both of its customers and of its own employees. This includes creating awareness, but also familiarity with the described policy processes. Examples include the obligation to report data leaks, the rights of the parties involved and privacy by design. The basis for the entire organisation is the processing register, which records what personal data is used, when and by whom.

3.       Recurring process

The policy, procedures and register that are linked to this are periodically (annually) checked and adapted to the situation and laws and regulations that are in force at that time. The Privacy Officer ensures that interim process improvements are also implemented and provides the management board with both solicited and unsolicited advice.

4.       Use of personal data

MegaGroup only collects data that is necessary for the performance of its activities and thus arises from the "execution agreement" basis or from the "consent" basis for marketing purposes. Personnel data are stored exclusively on the basis of "legitimate interest". This is recorded in the processing register.

MegaGroup also ensures that third parties handle the personal data to be processed by it in accordance with the guidelines of MegaGroup. This is laid down in the processing agreements with third parties, or MegaGroup has agreed to the privacy statement of the third party.

5.       Roles and responsibilities

Roles and responsibilities have been defined on the basis of this privacy policy. This chapter describes the roles and responsibilities. 

5.1.    Management board

The management board is ultimately responsible for the privacy policy and its follow-up. This also makes it directly responsible for the proper and lawful processing of personal data.

The management board is also responsible for structuring the privacy organisation, the roles and responsibilities. 

5.2.    Managers

The managers / executives (hereinafter called managers) are responsible for communicating with all stakeholders in order to ensure that employees are aware of the privacy policy and its consequences. They also ensure that employees comply with the policy and the associated processes, guidelines and procedures.

Managers are also responsible for periodically bringing the issue of privacy to the attention of work meetings, reviews, etc. They will also report to the management board on the progress made towards achieving the policy objectives. 

5.3.    Controller

The controller is the party who has established the purposes and means of the data processing: it is always clear who the controller is.

The controller is responsible for compliance with Article 5(1) GDPR and can demonstrate this ("accountability"). The controller is also responsible for the follow-up of measures that are necessary to continue to comply with legislation and regulations.

The controller is a role that will be fulfilled locally at each Bosta/Bevo site. The local controller reports progress to the privacy officer. 

5.4.    Privacy Officer

Privacy legislation prescribes an independent consultant in the field of privacy.

Duties of the Privacy Officer:

  • Advise management, executives, employees and third parties on the obligations with regard to privacy legislation.
  • Monitor and report on compliance with privacy laws and procedures.
  • Create awareness and train employees in the field of privacy.
  • Act as contact point for the Dutch Data Protection Authority in case of data breaches or audits.
  • Responsible for logging data leaks.
  • Continuously improve the policy, the procedures and registration.