DATA BREACH NOTIFICATION PROTOCOL

Considerations:

  • SincereV values the security of its (electronic) systems in which personal data is stored and processed.
  • Nevertheless, it can never be entirely prevented that a data breach will occur.
  • SincereV is obligated under the General Data Protection Regulation (GDPR) to report (serious) data breaches to the Data Protection Authority and the affected individuals.
  • SincereV wishes to comply with its legal obligations.
  • SincereV has therefore formulated a policy to act as adequately as possible in the event of a data breach.

1 – Definition of Data Breach

A data breach occurs when there is a security breach that accidentally or unlawfully leads to the destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to transmitted, stored, or otherwise processed data.

2 – Internal Responsible Party for Data Breach Reporting

SincereV has appointed an internal responsible party for handling data breaches who is responsible for reporting a data breach. This responsible party is: Danny Wagensveld, phone number: (+31) 036 – 526 0779; email address: info@sincerev.com, hereinafter referred to as: ‘internal responsible party.’

3 – Internal Reporting upon Discovery of a Data Breach

Anyone who discovers a data breach at SincereV must immediately report it to the internal responsible party. If possible, the person who discovered the data breach must ensure that the leaked data is immediately deleted or made inaccessible.

4 – Investigation by the Internal Responsible Party

The internal responsible party investigates, among other things:

  • Whether personal data has been lost or can be unlawfully used.
  • Who or which departments within the organization are involved in the data breach.
  • Whether a processor is involved in the incident.

5 – Combating the Data Breach

The internal responsible party stops the data breach if possible and takes the necessary measures to combat the data breach as effectively as possible.

6 – Determining the Consequences of a Data Breach

The internal responsible party investigates the possible consequences of the data breach based on the nature and extent of the leaked data and determines what the adverse effects on the data subjects may be.

7 – Cooperation in Providing Information about the Data Breach

The discoverer/reporter of the data breach must cooperate fully with the internal responsible party by answering the following questions as quickly and thoroughly (in writing) as possible:

  • What happened? (description of the incident)
  • Was it accidental or caused by malicious intent (e.g., hacked data)?
  • When did it happen? (date and time)
  • When was it discovered?
  • What type of data (records) was leaked?
  • Were the data encrypted, and if so, how?
  • Could the data be deleted or made inaccessible remotely, and if so, was that done?
  • What are the possible consequences for the affected individuals?
  • Which group(s) of individuals were affected? (e.g., students, patients, premium members)
  • Approximately how many individuals were affected?
  • Were data of individuals in other EU countries also affected by the data breach?
  • Could any technical and/or organizational measures be taken in response to the incident?

8 – Availability of Personnel after Discovery of a Data Breach

The responsible party of the department where the data breach occurred, the discoverer of the data breach, and anyone who, due to their position or knowledge, can take organizational and/or technical measures to limit the consequences of the data breach, must be available for consultation with the internal responsible party or experts appointed by him for the first 24 hours after discovery of the data breach and perform necessary tasks as a result of the data breach.

9 – Decision on Reporting Data Breaches

The internal responsible party decides as soon as possible, but in any case within 60 hours of discovering the data breach, whether the data breach should be reported to the Data Protection Authority and/or the affected individuals, possibly in consultation with the responsible party of the department where the data breach was discovered and/or experts appointed by him.

A data breach is in principle always reported to the Data Protection Authority, unless it is unlikely that the data breach poses a risk to the rights and freedoms of the data subjects.

The report of the data breach includes answers to the questions as described in section 7.

A data breach reported to the Data Protection Authority is also reported to the affected individuals if it poses a high risk to the rights and freedoms of natural persons, unless appropriate measures have been taken to mitigate the high risk.

10 – Reporting Data Breaches to the Data Protection Authority and/or Affected Individuals

The internal responsible party ensures that, where required, the notification is made to the Data Protection Authority and/or the affected individual(s).

Notification is made as soon as possible after discovery and no later than 72 hours after discovery of the data breach.

No employee other than the internal responsible party is allowed to report the (possible) data breach to the Data Protection Authority and/or the affected individual(s).

If an employee disagrees with the decision of the internal responsible party regarding the reporting of the data breach to the Data Protection Authority and/or the affected individual(s), he can raise his objections with the management.

If requested, an employee will fully cooperate with the responsible party to inform the affected individuals about the data breach in accordance with Article 34 GDPR.

11 – Consequences of Reporting Data Breaches

If the data breach has negative consequences for the affected individuals, the internal responsible party does everything possible to minimize these consequences.

Depending on the nature and extent of the data breach for the affected individuals, the internal responsible party determines:

  • How the affected individuals will be informed (including which types of personal data were affected, what the possible consequences are, what measures SincereV is taking, and how the affected individuals can prevent or limit the damage).
  • What follow-up care the affected individuals will receive.
  • What actions are necessary in the interest of the organization.

If a data breach has occurred, regardless of whether it has been reported, adequate technical and/or organizational measures are taken as soon as possible to prevent similar data breaches in the future.

12 – Keeping a Data Breach Register

The internal responsible party keeps a register of all data breaches, in which all data related to the data breach are recorded, such as:

  • A description of the incident.
  • Date and time of the data breach.
  • Date and time of discovery of the data breach.
  • Description of the type of leaked personal data.
  • Description of the category(ies) of affected individuals.
  • Approximate number of affected individuals.
  • Whether data of individuals in other EU countries were leaked.
  • Whether the incident was reported to the Data Protection Authority and if so, the date and time of the report.
  • Whether the incident was reported to the affected individuals and if so, the date and time of the report.
  • How the affected individuals were informed.
  • The consequences of the data breach, if possible with date and time.
  • Which technical and/or organizational measures were taken after the data breach, with date and time.

This data breach notification protocol was drawn up on August 6, 2024.