1. Objective 

During Pointlogic's work for its clients, Pointlogic employees may come into contact with, or temporarily have access to, confidential data. Due to the nature of the services, this will often concern personal data, which may also be covered by the General Data Protection Regulation (GDPR, formerly the Data Protection Act). This Protocol describes how Pointlogic deals with confidential data.

Confidential Data means all data, in any form, relating to the client's company (including all companies involved in it), including data on clients, suppliers, current and future trading activities, methods, products, financial, statistical and human data, software, systems or accessories, research, development, strategic planning, trade secrets, know-how and other relevant data, disclosed directly or indirectly, before or after the signing of this Agreement, in the context of a possible cooperation.

In the context of the GDPR, Pointlogic is the Processor and Pointlogic's clients are the Controller. The GDPR also requires the Controller and the Processor to make agreements on data security. This document aims to describe these adequately.

2. Agreements and principles

Pointlogic undertakes to keep such Confidential Data secret and confidential and, more specifically, undertakes:

  • Not to disclose Confidential Data to third parties and to take all necessary measures to prevent disclosure to third parties
  • Not to inform others within its organisation of Confidential Data, except in so far as this is necessary for the proper performance of the work
  • To make Confidential Data accessible only to competent personnel
  • To inform the persons in its organisation to whom the Confidential Data is disclosed of the obligations arising from this confidentiality declaration, and to ensure that those persons in turn fulfil the obligations contained in this declaration
  • Not to use Confidential Data outside the normal cooperation or for third-party purposes

3. Exceptions 

The above obligations do not, however, apply to any Confidential Data:

  • Which was already publicly known before it was received
  • Which subsequently becomes publicly known through no fault of Pointlogic
  • Which was demonstrably already known to Pointlogic before it was received
  • Which was subsequently received by Pointlogic, on a non-confidential basis, from a third party who does not thereby breach an obligation of secrecy
  • Which Pointlogic can prove was created entirely independently of the client's data

These obligations also do not apply if and to the extent that disclosure is required by law.

4. Return or destroy data 

Material containing Confidential Data that Pointlogic, or third parties acting on behalf of Pointlogic, receives from the client remains the property of the client and will be returned to the client or destroyed at first request, including any copies made. A corresponding obligation applies to material made available to Pointlogic by or on behalf of other companies.

5. Processor agreement 

As an addition to the regular cooperation agreement, Pointlogic strives to have a separate or integrated processor agreement in place.

For agreements concluded after the entry into force of the GDPR, this will by definition be agreed in full. For previously concluded agreements, a standard model is available and recommended.

6. Data locations 

The starting point in all collaborations is that all confidential personnel data of clients is stored on the client's own data carriers, or on data carriers under the client's responsibility. This also applies to hosted environments of the client, whether or not provided by hosting partners contracted by Pointlogic: that data, too, remains the responsibility of the client. Pointlogic never wants structural access to this data; it is the client's responsibility to guarantee this.

If temporary access to this data is necessary for:

  • Implementation projects
  • Consultancy work
  • Support issues

the Client will grant Pointlogic temporary access. The Client must ensure that this access is temporary and traceable.

Access to the data always takes place under the responsibility of the client. The Client gives Pointlogic explicit permission, stating the reason for access, which Pointlogic employees have access, and the end date of the access. The access period may be up to 6 months and can always be renewed by the client upon expiry.

If, for the proper execution of the work, data must nevertheless be stored on Pointlogic data carriers, this will only be done with its hosting partner Proxsys. For details, see also #9.

7. Data Handling 

Pointlogic undertakes to treat all data made available to it confidentially and applies a number of stringent principles in handling it:

  • Files with personnel data are exchanged exclusively via a secure file transfer application (Cryptshare), hosted by Pointlogic's ICT hosting partner (Proxsys)
  • Exchange by email is expressly not permitted
  • File names may never contain the organisation name or any other name that can be traced back to the organisation
  • Personnel data will never contain any of the following data:
      • Name
      • Address
      • Postcode
      • Home
      • Account
      • BSN
      • Special personal data as defined by the Dutch data protection authority
      • Other data that can be traced back to an individual, unless this data is necessary to perform the service for the customer

If the client does not meet these requirements, Pointlogic will delete the data and will not take it into operation. In this case, the client is also responsible for the additional risks associated with the data and the related data flows.
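
The intake rules above can be checked mechanically before a delivered file is taken into operation. The following Python check is an added example, not Pointlogic's own tooling: it assumes personnel data arrives as CSV, compares the file name against a hypothetical organisation name, rejects the forbidden columns, and flags values that pass the BSN elfproef or look like a Dutch postcode; the rule on "other data traceable to an individual" still needs human review.

```python
import csv
import io
import re

# Column names that section 7 says personnel data must never contain.
FORBIDDEN_COLUMNS = {"name", "address", "postcode", "home", "account", "bsn"}
# Value shapes: Dutch postcode (4 digits, optional space, 2 letters) and 9-digit BSN.
POSTCODE_RE = re.compile(r"^\d{4} ?[A-Za-z]{2}$")
BSN_RE = re.compile(r"^\d{9}$")


def is_valid_bsn(value: str) -> bool:
    """BSN 'elfproef': sum of digit[i]*(9-i) over the first 8 digits, minus the
    9th digit, must be divisible by 11. A 9-digit value that passes is likely a BSN."""
    if not BSN_RE.match(value):
        return False
    d = [int(c) for c in value]
    return (sum(d[i] * (9 - i) for i in range(8)) - d[8]) % 11 == 0


def check_personnel_file(file_name: str, csv_text: str, org_name: str) -> list:
    """Return a list of protocol findings for one delivered CSV file.
    An empty list means the file may be taken into operation."""
    findings = []
    # Rule: the file name may never contain the organisation name.
    if org_name.lower() in file_name.lower():
        findings.append(f"file name contains organisation name: {file_name}")
    reader = csv.DictReader(io.StringIO(csv_text))
    # Rule: no direct-identifier columns at all.
    for col in reader.fieldnames or []:
        if col.strip().lower() in FORBIDDEN_COLUMNS:
            findings.append(f"forbidden column: {col}")
    # Rule: no identifier values hiding under innocuous column names.
    for row_no, row in enumerate(reader, start=2):
        for col, val in row.items():
            if col is None:  # surplus unnamed fields in a malformed row
                continue
            v = (val or "").strip()
            if is_valid_bsn(v):
                findings.append(f"row {row_no}, column {col}: value passes BSN check")
            elif POSTCODE_RE.match(v):
                findings.append(f"row {row_no}, column {col}: looks like a postcode")
    return findings


# Constructed sample deliveries, not real data; 111222333 passes the elfproef.
CLEAN_CSV = "employee_id,department,salary\nE001,Sales,45000\nE002,Finance,52000\n"
BAD_CSV = "employee_id,department,bsn,notes\nE001,Sales,111222333,1234 AB\nE002,Finance,123456789,ok\n"

if __name__ == "__main__":
    for f in check_personnel_file("acme_personnel.csv", BAD_CSV, "Acme"):
        print("REJECT:", f)
```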

8. Data integrity 

In order to ensure the integrity of the data, data provided to Pointlogic will never be edited by Pointlogic. The source data is and remains as provided by the client.

This also implies:

  • If the data deviates from the agreed format, the client must provide corrected data
  • A renewed data delivery may delay the project

Deviations from this Data Protocol are, in principle, not possible. If there is reason to allow a one-off deviation, this is only possible after explicit permission from the Directors of both the Client and Pointlogic. Any additional risks arising from deviating from the standard protocol are borne by the client.

9. Data security 

Pointlogic uses the services of Proxsys as its ICT hosting partner for the storage of data. Pointlogic has taken measures to ensure that no external backups are made of the data files (except for email traffic). The data will only be present on systems of Pointlogic/Proxsys for the time required for the proper execution of the work. Since email is not excluded from the backup facilities, file exchange via email is, as stated above, not allowed.

Additional security measures:

  • Customer data made available to Pointlogic systems will never be present on Pointlogic laptops or on other (mobile) data carriers
  • There are only a limited number of authorised customer data locations, namely:
      • On the customer's infrastructure, under the customer's responsibility
      • On remote secure servers of Pointlogic with its ICT hosting partner (Proxsys)
      • In a hosted environment at Proxsys as part of the agreement between Pointlogic and the customer
  • Pointlogic will ensure that all employees are aware of the data protocols and guidelines
  • Pointlogic will ensure that Proxsys complies with common security protocols/certifications (currently at least ISO17799/27001 or BS7799)
  • Pointlogic will designate a security officer who will frequently monitor the protocols and agreements, both internally and at Proxsys and/or the customer
  • Pointlogic will produce a six-monthly security report with findings, updates, alerts and measures. The customer can view these reports upon request
  • Pointlogic will conduct frequent tests on its own and Proxsys' infrastructure. This will also include a penetration test

10. Personal data of clients and suppliers 

Pointlogic stores data from clients and suppliers in its CRM system Exact. It does so in order to fulfil its contractual obligations or in the context of responsible business operations.

Periodically, but at least once a year, all those involved will be informed by e-mail about what data are recorded and for what purpose. Removal may be requested, provided this is not contrary to a legal obligation.

11. Personal data of potential clients and other relationships 

Pointlogic stores data from potential clients and other relationships in its CRM system Exact. It does so in order to fulfil its contractual obligations or in the context of responsible business operations.

Periodically, but at least once a year, all those involved will be informed by e-mail about what data are recorded and for what purpose. Removal may be requested, provided this is not contrary to a legal obligation.

12. Physical access measures 

Pointlogic will ensure that access to its offices is restricted to authorised persons.

It is standard policy that visitors are always accompanied by Pointlogic staff while in the offices.

13. Data obtained by email 

It cannot be prevented that data received via email is automatically stored in Pointlogic's email system. Such data will not be included in the CRM system, unlike the data described in #10 and #11.

Pointlogic will include a statement in its email signatures with a reference to this protocol.