From regulations to action framework.
This regulation gives an overview of the rules that apply to an educational organisation. However, a regulation does not adequately reflect how these rules should be interpreted and applied in daily practice. It is not a business protocol for professionals in individual cases. How to handle, for example, the exchange of data is also in discussion, which is reinforced by the ever-increasing and necessary cooperation in chains and networks: educational institutions, ISDs, municipalities, expat centres, etc. And, of course, with individuals. With the shift from the national direction to municipalities, there is a growing need for deforestation of information exchange between partners involved in education and security issues at regional level. A growing number of organisations and employees are entrenched in this collaboration in a large amount of privacy protocols and interpretations of legislation. This means that many professionals are wrong to feel limited in their capabilities. While others unjustly share everything with each other. Choices made are hardly testable. This is an undesirable situation and this requires solutions.
For the purposes of this Regulation:
The Law: The Data Protection Act 2010
Personal Data: each given about an identified or identifiable natural person;
Processing of Personal Data: any act or whole of personal data processing. This includes, at least, the gathering, recording, arranging, storing, updating, modifying, retrieving, consulting, using, providing by means of transmission, distribution or any other form of posting, bringing together, linking together, and shielding , Exchange or destruction of data;
File: Any coherent set of personal data, regardless of whether this aggregate of data is collected or separated from each other, which is accessible according to certain criteria and relates to different persons;
Responsible: The person who alone or in conjunction with others determines the purpose and resources for the processing of personal data. Responsible may be a natural person, a legal entity or a governing body.
Processor: The person who processes the responsible personal data without being subject to his direct authority.
The person concerned: the person to whom a personal data relates;
Third Party: anyone other than the person concerned, the responsible person, the editor or any person authorised under the authority of the person responsible or the processor to process personal data;
Recipient: the person to whom the personal information is provided;
Consent of the person concerned: any free, specific and information-based welfare that the person accepts to process personal data about him;
Providing personal data: disclosing or making available personal data;
Collection of personal data: Obtaining personal information.
This Regulation applies to the fully or partially automated processing of personal data. It also applies to the non-automated processing of personal data contained in a file or intended to be included therein.
- These rules apply within Think Smart English and relate to the processing of personal data from clients, employees and volunteers.
1. The purpose of collecting and processing personal data is to provide the information necessary for the realisation of legal purposes and the purposes as defined in the articles of association, the annual plans and other plans of Think Smart English and the conduct of policy and management in the context of these purposes.
- The purposes for which data is collected and processed within Think Smart English data; Conducting a sound customer administration, drafting a sound lesson plan, identifying the customer’s strengths and weaknesses with the aim of developing weaknesses, monitoring customer progress and testing the achieved results of Both customers and the company itself.Representation of the person concerned
1. If the person concerned is a minor and has not yet reached the age of sixteen, or if the person concerned is a minor and has been placed under curtailment or mentoring has been instituted for the benefit of the person concerned, instead of the consent of the person concerned requires the consent of his legal representative. The permission is recorded in writing. If the person concerned has issued a written authorisation in respect of his / her representation to the processor, the written consent of the person concerned is required.
- A consent may be revoked at any time by the person concerned, his written representative or his legal representative.
- Responsibility for management and liability
1. The responsible person is responsible for the proper functioning of the processing and management of the data; Under the responsibility of the responsible person, a manager is usually charged with the actual management of personal data.
- The responsible person shall ensure that appropriate technical and organisational measures are implemented to protect against any loss or any form of unlawful data processing.
- The responsibility referred to in paragraph 1 and the provisions of paragraph 2 shall apply without prejudice to the processing by a processor; This is governed by an agreement (or through another legal act) between the editor and the responsible person.
- The responsible person is liable for the loss or damage caused by non-compliance with the law or regulations. The processor is liable for such damage or damage, in so far as it is due to his / her actions.
- Straight forward processing
1. Personal data are processed in accordance with the law and regulations in a proper and careful manner.
- Personal data shall be collected for the purposes of this Regulation only and shall not be further processed in a manner incompatible with the purposes for which they were obtained.
- Personal data shall be adequate and relevant in view of the purposes for which they are collected or subsequently processed. There is no need to collect or process any personal data other than for the purpose of registration.
- Personal data may only be processed if:
- The data subject has been granted unambiguous consent;
• the data processing is necessary for the execution of an agreement in which the party concerned is (for example, the contract of employment with the person concerned) or for actions, at the request of the person concerned, necessary for the conclusion of an agreement;
• Data processing is necessary to comply with a legal obligation of the responsible person.
- Data processing is necessary in view of the vital importance of the data subject.
• Data processing is necessary in view of the interests of the person responsible or of a third party, unless that interest is contrary to the interest of the person to whom the data is processed and which matters.
- The registration of the Civil Service Number (BSN) will only take place if there is a legal basis and / or that a person or teacher is given a form of education to the person concerned.
6. Anyone acting under the authority of the controller or the processor – and the processor himself – processes personal data only on behalf of the person in charge, except in case of deviating legal obligations.
7. The data will only be processed by persons who are required by virtue of their duties, occupations, statutory requirements or on the basis of a confidentiality agreement.
Special personal data
1. The processing of personal data about one’s religion or belief, race, political affiliation, health, sexual life, membership of a trade union or criminal data is prohibited except in cases where the law explicitly determines by whom for what purpose and Under which conditions such data may be processed (Articles 17 to 22 of the Personal Data Protection Act 2010).
- Subject to the provisions of Articles 17 to 22 of the Act, the prohibition referred to in the preceding paragraph shall not apply in so far as there is an exception as referred to in article 23 of the Act.
Data obtained from the person concerned:
- If the personal data is obtained from the person concerned, the responsible person shall inform the person concerned before the date of acquisition:
• his identity;
• The purpose of processing for which the data is intended, unless the person already knows that purpose.
- The responsible person shall provide the person concerned with further information in so far as, in view of the nature of the data, the conditions under which they are obtained or the use made therein, it is necessary to ensure proper and careful processing to the person concerned.
- In obtaining data outside the person concerned, the responsible person shall inform the person concerned:
• his identity;
• The nature of the data and the purpose of the processing for which the data are intended.
The moment that must be done is:
• The moment when the controller determines the data or
• If the controller collects the data only to provide it to a third party: at the time of first submission to the third party.
- The controller shall provide further information insofar as, in view of the nature of the data, the conditions under which they are obtained or the use made of it, it is necessary to ensure proper and careful processing to the person concerned.
- The provision of paragraph 3 shall not apply if the communication referred to therein becomes impossible or disproportionate. In that case, the person responsible determines the origin of the data.
- The provision under 3 shall also not apply if the imposition or provision is prescribed by or under the law. In that case, the person responsible shall inform the person concerned, at his request, of the statutory provision for the purpose of establishing or providing the information in question.
Top of Form
- Access to data
Within Think Smart English, the following persons have access to the data: the controller, the processor, the recipient and the person concerned.
- Right to inspection
1. The person concerned has the right to know the processed data relating to his / her person.
- The responsible person shall inform any person at his request, as soon as possible but no later than four weeks after receipt of the request, in writing or personal data relating to him.
- If that is the case, the responsible person shall provide the applicant with, in writing as soon as possible but not later than four weeks after receipt of the request, a full statement thereof with information on the purpose or purpose of data processing, data or categories Of data to which the processing relates, the recipients or categories of recipients of the data as well as the origin of the data.
- If an important interest of the applicant claims this, the person responsible shall meet the request in a form other than the written form adapted to that interest.
- The responsible person may refuse to meet a request if and to the extent necessary in connection with:
• the detection and prosecution of criminal offences;
• the protection of the person concerned or the rights and freedoms of others.
Provision of personal data
1. Provision of personal data to a third party shall, in principle, be done only by consent of the person concerned or his representative, subject to a statutory provision or emergency order.
- If, without the consent of the person concerned or his legal representative, personal data is provided to third parties, the responsible person or his legal representative shall immediately inform the person concerned, unless this presents a danger to persons and / or business.
Right to correction, addition, removal
1. At the written request of a person concerned, the person responsible shall improve, supplement, remove and / or shield the personal data processed on the applicant if and to the extent that this data is actually incorrect, for the purpose of processing incomplete, is not relevant Serve or include more than is necessary for the purposes of registration, or otherwise contravened by a statutory provision. The request of the person concerned contains the changes to be made.
- The responsible party shall inform the applicant in writing as soon as possible, but not later than four weeks after receipt of the request, whether he meets the requirements. If he does not want to or does not fully comply, he motivates that. In this regard, the applicant has the opportunity to refer to the complaints committee of the responsible person.
- The responsible person shall ensure that a decision to improve, supplement, remove and / or shield within 14 working days, and when this reasonably is not possible otherwise, as soon as possible, will be carried out.
- Retention of data
1. Personal data are no longer stored in a form that allows the person to identify, then is necessary for the realisation of the purposes for which they are collected or subsequently processed.
- The responsible party determines how long the personal data stored will remain.
- Data is kept for a maximum of six years. Either no longer than necessary for the realisation of the purposes for which they are collected or subsequently processed, unless stored for historical, statistical or scientific purposes. If the relevant data is processed so that redirect to individual persons is impossible, they can be preserved in anonymous form.
- If the retention period of the personal data has expired or the person requesting removal before expiry of the retention period, the data shall be removed within a period of three months.
- However, removal will be omitted when it is reasonable to assume that:
• storing is of great importance to someone other than the person concerned;
• The storage is required by a legal requirement or
• if there is any correspondence between the person concerned and the responsible agreement.
Notification of data processing
1. A fully or partially automated processing of personal data destined for the realisation of a purpose or coherent purpose shall be reported to the College of Personal Data Protection before processing commences. 2.The non-automated processing of personal data intended for the realisation of a purpose or coherent purpose shall be notified if it has been subject to prior investigation.
If the person concerned considers that the provisions of this Regulation are not complied with, he may focus on:
- the responsible person;
- the body for independent complaints handling or any such organisation outside the company, in which the company has affiliated.
- The court, in the cases referred to in Article 46 of the Act
- Mediate and advise the College of Personal Data Protection in the dispute between the person concerned and the responsible person.
- Changes of entry into force and copy
1. Changes to these rules shall be made by the responsible person.
- The amendments to the Rules shall take effect four weeks after they have been made known to those involved.
- This Regulation entered into force on 3 October 2016.
- These rules are in charge of the responsible person. If desired, a copy of this regulation can be obtained at cost.
In cases where this Regulation does not provide, the responsible person shall decide with due observance of the provisions of the Act and the purpose and scope of this Regulation. Information about the Data Protection Act:
- text of the law: http://wetten.overheid.nl/BWBR0011468/
- The website of the College of Personal Data Protection: www.cbpweb.nlThe previous text concerns a model to comply with the obligations of the Personal Data Protection Act 2010 and the BSN in Education Act. Derogation from this is possible, provided that it remains within the stated frameworks of law and regulation to protect the privacy of the person concerned.