General Data Protection Regulation (EU-GDPR)

organizational or technical measures

Processing Agreement

Parties to the agreement
Taking into consideration

Definitions
1.1 Personal data
1.2 Processing
1.3 Controller
1.4 Processor
1.5 Data subject
1.6 Processing Agreement
1.7 Agreement
1.8 Assignment
1.9 Breach in connection with personal data
1.10 Supervisory authority
Conclusion, term and end of this Processing Agreement
2.1 Coming into effect
2.2 Link with the Principal Agreement
2.3 Termination of the Processing Agreement
2.4 Continuation of the obligations from the Processing Agreement
Processing Personal Data
3.1 Minimisation of data en powers
3.2 Purposes of the processing
3.2.1 Specification of services
3.2.2 Object of processing
3.2.3 Control
3.3 Compliance and transparency
3.4 Engagement of third parties
3.5 Conditions as regards third parties
3.6 Cooperation in implementation of the rights of the data subjects
Securing Personal Data
4.1 Adequate level of security
4.2 Risk assessment
4.3 Annual reporting of security plan
4.4 Self-assessment
4.5 Audit
4.6 Notification of audit
4.7 Audit costs
4.7 Modification management security measures
Export of Personal Data
5.1 Written consent for processing outside of the EEA
Secrecy
6.1 Purport of confidentiality
6.2 Confidentiality Agreement
Data breaches
7.1 Notification duty in relation to data breaches
7.2 Progress Report
7.3 Report to supervisory body
7.4 Costs of resolving the data breach
Liability
8.1 Claim for liability
8.2 Liability for damage and disadvantage
8.3 Compensation
8.4 Transferability of administrative penalty
8.5 Liability for processing
Return of Personal Data and retention period
9.1 Return of Personal Data
9.2 Destruction of data at the end of the retention periods
Final provisions
10.1 Rights and obligation as regards the agreement
10.2 Priority rules in the event of contradictions
10.3 Validity of derogations

Parties to the agreement

Controller, namely [NAME GIVEN IN THE ARTICLES OF ASSOCIATION], with its registered office in [PLACE], represented by [NAME AND/OR NAME OF EXECUTIVE DIRECTOR]

hereinafter referred to as: “I”,

and

Processor, namely LiteServer B.V., with its registered office in Tilburg [the Netherlands], represented by J.M. Gorsic, Head of Legal and Security;

hereinafter referred to as: “You”,

jointly referred to as: “We”;

Taking into consideration that

You provide services on my behalf, which have been agreed upon separately by means of one or more orders and are subject to the Processor’s General Terms and Conditions (hereinafter referred to as: ‘Principal Agreement’).
I have personal data of various data subjects.
I am considered the Controller within the meaning of the GDPR.
I attach great importance to the protection of these Personal Data.
I want you to perform certain forms of processing operations, whereby I point out the purpose and the means.
You process the data in question only by my order and not for your own purposes.
I have not performed a privacy impact assessment for the services and the personal data that are to be processed by the services.
We wish to record our agreements with regard to the processing operations of personal data in detail in this Agreement, this being a Processing Agreement with the following Appendixes forming a part thereof:

1. Summary of processing operations of personal data and processing purposes
2. Summary of security measures
3. Process entailed in reporting of data breaches and the information to be provided and what You may and may not do with the Personal data.

1. Definitions:

The terms used above and below result from the General Data Protection Regulation and have the following meaning:

1.1 Personal data:

any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

1.2 Processing:

any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

1.3 Controller:

a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

1.4 Processor:

natural or legal person, public authority, agency or other body who or which processes personal data on behalf of the controller;

1.5 Data subject:

identified or identifiable natural person the processed personal data relate to;

1.6 Processing Agreement:

this Agreement including the Appendixes;

1.7 Agreement:

the Agreement as referred to in recital (A) and this Processing Agreement resulting from the Principal Agreement.

1.8 Assignment

You will undertake to process personal data by my order according to the conditions set out in this Processing Agreement. Processing operations will only take place in the context of the Processing Agreement for the achievement of the registration of domain names, SSL certificates, managed services en other services offered by you and for those purposes as laid down in the Principal Agreement with indication of assent.

1.9 Breach in connection with personal data:

a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed ( ‘data breach’);

1.10 Supervisory authority:

an independent public authority responsible for ensuring the compliance with the provisions of the Directive with regard to processing of Personal Data. In the Netherlands this is the Dutch Data Protection Authority [Autoriteit Persoonsgegevens];

2. Conclusion, term and end of this Processing Agreement

2.1 Coming into effect

This Processing Agreement will come into effect on the date of signing by Us.

2.2 Link with the Principal Agreement

The Processing Agreement forms part of the Principal Agreement, as referred to in the recitals (A). The provisions of the Principal Agreement apply to this agreement – in so far as not derogated from by this Agreement – and will apply for the term of the Agreement.

2.3 Termination of the Processing Agreement

If the Agreement expires, the Processing Agreement will expire automatically; the Processing Agreement may not be terminated separately.

2.4 Continuation of the obligations from the Processing Agreement

After the termination of this Processing Agreement your current obligations, such as reporting data breaches involving my Personal data and the duty of confidentiality, will continue.

3. Processing Personal Data

3.1 Minimisation of data en powers

You will only process Personal Data by my order and you have no control over the Personal Data. You will follow up the instructions given by me and you may not process the Personal Data in any other way, unless with my prior consent therewith or order thereto.

3.2 Purposes of the processing

3.2.1 Specification of services

3.2.2 Object of processing

The personal data that are (or will be) processed by you in the context of the Principal Agreement and the categories of data subjects from whom these personal data originate, have been included in Appendix 1. You will not process the personal data for any other purpose other than determined by me.
I will inform you of the processing objectives, in so far as these have not already been mentioned in this Processing Agreement.

3.2.3 Control

You have no control over the objective and the means of the processing of personal data.
You will not take your own decisions regarding the receipt and the use of personal data, the provision thereof to third parties and storage term of the personal data.

3.3 Compliance and transparency

You will comply with the law and process the data in a proper, careful, and transparent way.

3.4 Engagement of third parties

Without my prior written consent, you are not allowed to engage other persons or organisations in processing the Personal Data.

3.5 Conditions as regards third parties

If you engage other organisations with my consent, they must meet at least the requirements included in this Processing Agreement.

3.6 Cooperation in implementation of the rights of the data subjects

If I receive a request from a Data Subject that he/she wishes to exercise his/her privacy rights, you will cooperate therein within a period of fourteen days. These rights consist of a request for access, rectification, completion, erasure or restriction, objection to the processing of the personal data, and request to transmit the own personal data.

4. Securing Personal Data

4.1 Adequate level of security

You will ensure that the personal data are secured sufficiently. In order to prevent loss and unlawful processing you will take appropriate technical and organisational measures.

4.2 Risk assessment

These measures are aligned with the risk of the processing. You will include a summary of these measures and the policy relating thereto in Appendix 2.

4.3 Annual reporting of security plan

To check, you will send me a report of the measures taken and any points of concern and/or improvement annually. For this You will not charge me any costs.

4.4 Self-assessment

The supervision of the overall processing of Personal Data may be performed by you by means of self-assessment.
You will thereby provide me with a report evidencing that you comply with the law and the agreements as laid down in this Processing Agreement. This report will have to be signed by a board member within your organisation.

4.5 Audit

In case of any doubt as regards the self-assessment, I will be allowed to have an inspection or audit performed in your organisation by an accredited organisation to establish whether the processing of the Personal data complies with the law and the agreements as laid down in this Processing Agreement. You will lend your assistance to this, including giving access to the buildings and the databases and making all relevant information available.

4.6 Notification of audit

If I would consider to have an audit performed, I will give notification thereof at least 14 days prior to the performance of the audit or the inspection. The performance will take place in consultation and mutual agreement.

4.7 Audit costs

Any costs for the performance of this audit will be at your expenses if it would prove that you have not complied with the obligations under this Processing Agreement.

4.7 Modification management security measures

In the event either of us is of the opinion that a modification of the security measures to be taken will be necessary, we will enter into consultations with each other on the modification thereof. The costs for the modification of the security measures will be at the expense of the party that makes the costs.

5. Export of Personal Data

5.1 Written consent for processing outside of the EEA

You are not allowed to have any Personal Data processed by other persons or organisations outside the European Economic Area (EEA), without having received my prior written consent thereto.

6. Secrecy

6.1 Purport of confidentiality

You will observe the secrecy of the Personal Data provided to you, unless this is not possible under a legal obligation.

6.2 Confidentiality Agreement

You will ensure that your staff and any persons engaged will also observe this confidentiality by including an duty of confidentiality in the (employment) contracts.

7. Data breaches

7.1 Notification duty in relation to data breaches

In the event a possible data breach has been discovered, you will inform me thereof within 24 hours (through e-mail address and telephone number) and will provide me with the information as referred to in Appendix 3 to enable me to inform the Supervisory Body if necessary.

7.2 Progress Report

After you have informed me about a data breach, you will keep me informed of any new developments concerning the data breach and of the measured taken by you to minimise the scale of the data breach and to henceforth prevent similar incidents.

7.3 Report to supervisory body

You are not allowed to report a Data Breach to the Supervisory Body, nor are you allowed to inform the Data Subjects of the Data Breach. It will be my responsibility to do so.

7.4 Costs of resolving the data breach

Any costs made to resolve the Data Breach and to prevent it henceforth will be at the expense of the party that makes the costs.

8. Liability

8.1 Claim for liability

If you fail to comply with your obligations under this Processing Agreement, I will hold you liable therefore.

8.2 Liability for damage and disadvantage

In so far as it has been caused by your work activities, you will be liable for all damages and disadvantages incurred by no-compliance with the law and the provisions of the Processing Agreement.

8.3 Compensation

I furthermore reserve the right to claim damages, also when suffering immaterial damages. The immaterial damages will be motivated by me by means of an extensive description and argumentation.

8.4 Transferability of administrative penalty

You will be liable for any administrative penalty imposed on me by the Supervisory Body if the damages suffered result from your unlawful or negligent actions.

8.5 Liability for processing

I will not be liable for any claims of Data Subjects or other persons and organisations you entered into a cooperation with or whose Personal Data you process if the claims result from your unlawful or negligent actions.

9. Return of Personal Data and retention period

9.1 Return of Personal Data

Following the termination of this Processing Agreement you will return the Personal Data. Any remaining Personal Data will be destroyed by you in a careful and safe manner.

9.2 Destruction of data at the end of the retention periods

The Personal Data processed by you according to this Processing Agreement will be destroyed by you at the end of the legal retention period and/or upon my request.

10. Final provisions

10.1 Rights and obligation as regards the agreement

This Processing Agreement forms a part of the Agreement. All rights and obligations under the Agreement therefore also apply to the Processing Agreement.

10.2 Priority rules in the event of contradictions

In the event of any contradictions between the provisions of this Processing Agreement and the Agreement, the provisions of this Processing Agreement prevail.

10.3 Validity of derogations

Derogations from this Processing Agreement will only be valid if agreed by the both of us in writing.

Signature

Thus agreed and signed:

Controller:

Signed for and on behalf of[NAME GIVEN IN THE ARTICLES OF ASSOCIATION],

Name:

Position:

Date and place:

Signature:

Processor:

Signed for and on behalf of LiteServer B.V.,

Name: J.M. Gorsic

Position: Head of Legal and Security

Place and Date: Tilburg,

Signature:

Appendix 1

Summary of processing operations of personal data and data subjects

Personal Data

The Processing Agreement has been concluded in the context of the processing operations of personal data by you as the Processor in my order as the Controller for the purposes as described in the Processing Agreement.

It concerns the following data subject categories:

Contacts necessary for registration of domain names; depending on the extension to be registered, it may concern one or more contacts, i.e.: owner, administrative contact, technical contact, invoicing contact, reseller contact or another contact as defined by the registry in question.
Contacts necessary for ordering or managing the other products or services as described in article 1.1. of this Processing Agreement.

Within the context of the Processing Agreement you will process the following types of personal data in my name and by my order:

when I request you to register/transfer a domain name, we process the following personal data: company name, title/sex, initials, last name, street, house number and suffix, postal code, abode, country, telephone number, mobile phone number, fax number, email address, VAT no., position and department, sort of company, province and country.
when necessary for purchasing certain products and services, you will process the following additional types of personal data in my name and by my order: place of birth, country of birth, date of birth, number of passport or identification, authority that issued the identification. An identification and password may also be necessary, which you have received from the registry.
when you are requested by me to manage web hosting for me, e.g. virtual serves, dedicated serves, shared (reseller) web hosting or customised applications, you will have access to the data you collect on this web hosting. Which data you will collect, you cannot know beforehand.
Data that possibly will be processed include:
company name, title/sex, initials, last name, street, house number and suffix, postal code, abode, country, telephone number, mobile phone number, fax number, email address, VAT no., position and department, sort of company, province. In addition to this you may process also other data, the existence of which being unknown to you. If this would be the case, it is of the essence that I will notify you thereof without delay, in order to include a customised article in this Processing Agreement.

I warrant that the personal data and categories of data subjects as described in this Appendix 1 are complete and correct and indemnify you for any claims due to incorrect information by me as the Controller.

Overview of processing of personal data and data subjects

In order to prevent every organization itself having to look for a structure and interpretation of an overview of processing operations with the associated processing objectives, LiteServer B.V. developed a standard processing register. Using a web form, the processing for which LiteServer B.V. as processor is responsible are added if the final responsible wishes.

The processing is performed on the following services:
(Specification of purchased Product / Service.

For the specification of the processing carried out on these dedicated Servers or VPS, reference is made to the aforementioned Processing Register that has been completed by the person with final responsibility.

Appendix 2

Summary of security measures

1. Legal requirements

The Processor will follow the Controller’s instructions as regards the personal data in the context of the regulatory framework applicable and comply therewith by taking measures if requested to do so.

2. Practical security measures

With due observance of your obligations under article 3 of this Agreement with regard to the processing operations of personal data on behalf of the Controller, you, being the Processor, will implement some security measures (based on ISO 27001/2).
Based on a risk analysis by me, being the Controller, the following measures will have to be taken in order to comply with my security policy as the Controller.

In the context of IaaS services

A. Physical access security
An access policy will have to be determined, documented and assessed based on the requirements of the organisation and those for secure access.
This policy will bring about that only authorised users will have access to the information systems on which personal date are being processed.

B. Capacity management
The risk of system failures will be limited to the minimum.
The use of means must be supervised and coordinated structurally. In order to achieve the system performances required, expectations will have to be drawn up for future capacity requirements at regular intervals.

C. Synchronisation of system clocks
The clocks of all relevant information systems within an organisation or security domain need to be synchronised with an agreed precise source of time.

D. Leaking information
It must be prevented that there may be occasions to leak information.

At the interface of a trusted and non-trusted environment content will be scanned.
There must a process for notification in case any (personal) content has been leaked.

E. Control of technical vulnerabilities
Information must be obtained in a timely manner on the technical vulnerabilities of the information systems used. The extent to which the organisation is exposed to such vulnerabilities must be evaluated and proper measures will have to be taken for the handling of the associated risks.
This implies that:

A process will have to be set up for the management of technical vulnerabilities, which includes at least informing the Data Security Service of any incidents, penetration tests at regular intervals, risk assessments of vulnerabilities, and patching.
Of the software facilities of the technical infrastructure there will be (preferably automated) check-ups whether the last updates (patches) have been implemented. Implementation of updates will not take place in an automated manner, unless specific arrangements have been made in this regard with the supplier.
If a patch is available, the risks involved with its installation must be evaluated (the risks connected to the vulnerability need to be compared with the risks of the installation of the patch).
Updates/patches for vulnerabilities with a high risk of misuse and of which the damage is high will be implemented as soon as possible, though within one week. Less critical security updates/patches will have to be scheduled for the next maintenance round.

F. Reporting of incidents relating to data security
Reporting of incidents relating to data security will have to take place as soon as possible through the appropriate management levels.
This implies that:

a procedure for reporting security incidents has been determined, combined with a reaction and escalation procedure in case of incidents, in which the actions are laid down to be taken after having received report of a security incident.
A contact has been appointed for reporting of security incidents.

All security incidents will be recorded in a system and escalated to me being the Controller.

In the context of PaaS services

G. Non-disclosure agreement
Requirements for confidentiality or for a non-disclosure agreement reflecting the organisation’ s needs for the protection of information will be established and assessed regularly.
The following points of concern apply to the requirements set for the confidentiality agreement and the non-disclosure agreement:

the definition of the information that must be secured (for example, confidential information);
the expected term of a confidentiality or non-disclosure agreement, including cases where the confidentiality may be subject to restrictions;
actions needed at the end of the agreement;
responsibilities and actions of the signatories to prevent unauthorised publication of information;
ownership of the information, intellectual property and the connection thereof with the protection of the confidential information;
authorised use of confidential information and the rights of the signatory to use information;
right to audit activities and to inspect where any confidential Information may be involved;
process for notification an reporting of unauthorised disclosure or infringement of confidential information;
conditions on which the information must be returned or destroyed at the end of the agreement; and anticipated actions to be taken in the event of a breach of the provisions of the agreement.

H. Assessment of the information security policy
The organisation’s approach to the management of information security and the implementation thereof (i.e. management objectives, management measures, policy, processes and procedures for information security) need to be independent and assessed at appropriate intervals or once changes occur in the implementation of the security.

1. The information security policy will be evaluated at least once every three years (by an independent expert) and will be adjusted if required.
2. Periodic self-evaluations will be executed by order of the line management.
3. Annually, in accordance with the P&C cycle, the board will be given a report of the functioning of the information security.

I. Identification of risks relating to external parties
The risk the organisation’s information and ICT facilities are exposed to from the business processes involving external parties must be identified and suitable management measures need to be implemented before granting access.

1. Information security is demonstrably considered (based on a risk assessment) when deciding whether or not to engage the external party.
2. It has been determined, prior to entering into a contract for outsourcing or hiring of external staff, what kind of access (physical, network or to data) external parties will need have to perform the assignment as agreed upon in the contract and the necessary security measures involved therein.
3. It has been determined, prior to entering into a contract for outsourcing or hiring of external staff, what kind of value or sensitivity the information has the third party may come into contact with and whether additional security measures may be necessary.
4. It has been determined, prior to entering into a contract for outsourcing or hiring of external staff, how authenticated or authorised access will be determined.
5. If the external parties manage systems in which personal data are being processed, a Processing Agreement will be entered into (in conformity with 28 of the GDPR).
6. In the contract with the external parties the security measures to be provided have been laid down, that the external party has taken these measures and complies with them, and that security incidents will be reported without delay (also see 6.2.3.3)
  It is also described how these security measures will have to be inspected by the external party (e.g. by audits or penetration tests) and the way in which the supervision has been arranged for.
7. Annually it will be reported how the external party complies with the arrangements.

J. Dealing with security in agreements of LiteServer with a third party (sub-processor)
In agreements with third parties including access to, processing of, communication or management of information or of ICF facilities or addition of products or services to the ICT facilities, the relevant security requirement will have to be included.

1. The measures forming a part of 6.2.1. have been defined and implemented prior to entering into the contract.
2. Outsourcing (development and adaptation) of software is organised in line with formal contracts in which inter alia intellectual property, quality aspects, security aspects, liability, escrow and reviews have been regulated.
3. It has been laid down in contracts with external parties how to deal with changes and how to prevent the security of being affected by the changes.
4. In contracts with external parties it has been laid down how to deal with confidentiality and the non-disclosure agreement.
5. There is a plan for termination of the hired services that addresses availability, confidentiality and integrity.
6. It has been laid down in contracts with external parties how escalations and liability have been arranged for.
7. When using sub-contractors the same security requirements apply as for the contracting party. The main contractor is responsible for ensuring agreements made with the sub-contractor.
8. The products, services and the preconditions applying, reports and registrations delivered by a third party, will be assessed in terms of compliance with the arrangements in the agreement. Improvement actions will be initiated when performances are under the agreed level.

K. Measures for networks
Networks are to be managed and controlled adequately to secure them against threats and to maintain security for the systems and applications using the network, including information which is transported.

1. The network is monitored and managed, so attacks, malfunctions or failures will be discovered and remedied and the network’s integrity will not get lower than the agreed minimum level.
2. Exchange of data between trusted and non-trusted zones must be checked in an automated manner as regards content for the presence of malware.
3. When transporting confidential Information through non-trusted networks, such as the Internet, a suitable encryption must be used. See 12.3.1.3.
4. There are procedures for remote management of equipment.

L. Monitoring system utilisation
Procedures need to be laid down for monitoring the use of the ICT facilities. The result of the monitoring activities will have to assessed regularly.

1. 1. In either case the following events will be included in the logging:
    1. usage of the technical management functions, such as changes of configuration or setting, implementation of a system command, starting and stopping, implementation of a backup or restore.
    2. usage of the technical management functions, such as changes of configuration or setting, release of new functionality, interventions in data sets (including databases).
    3. proceedings of security management, such as import and export of users, granting and withdrawing rights, password reset, issuance and withdrawal of crypto keys.
    4. security incidents (such as the presence of malware, testing for vulnerabilities or weaknesses, erroneous login attempts, exceedance of authorisation powers, refused attempts to gain access, use of non-operational system services, starting and stopping the security services).
    5. disruptions of the production process (such as queues filling up, system failures, abort during the execution of the software, non-availability of the invoked programme parts or systems).
    6. actions of users, such as good and bad login attempts, system access, use of on-line transactions and system administrators accessing files.

M. Protection of information in log files
Log facilities and information in log files need be protected against infringement and unauthorised access.

1. Overwriting (automatically) or deleting log files will be logged in the newly built log.
2. The consultation of log files is restricted to authorised users. Hereby access is limited to read-only permission.
3. Log files are protected in such a way that they cannot be adapted nor manipulated.
4. The settings of the log mechanisms are protected in such a way that they cannot be adapted nor manipulated. If the settings will have to be adapted, this will always be subject to a four eyes principle.
5. The availability of log information is ensured within the term in which the log analysis is deemed necessary, with a minimum of three months, in accordance with the wishes of the system owner. In the event of a (presumed) information security incident the retention period will be at least three years.
6. Monitoring of storage and logging: the filling of the storage medium for the log files above a certain limit will be logged and leads to automatic alerts of the management organisation. This also applies if retention of log data is not (or no longer) possible (e.g. a logging server not being accessible).

N. Integrity of messages
There are requirements to be determined and appropriate management measures to be adopted and implemented for the achievement of authenticity and the protection of the integrity of messages in applications.

O. Policy for the use of cryptographic management measures
A policy will have to be developed and implemented for the use of cryptographic management measures for the protection of information.

1. 1. The cryptographic algorithms used for encryption are documented as open standard and have been tested by independent reliable experts.
  2. When using cryptographic products an assessment of the risks associated with locations, processes, and attending parties will follow.
  3. The cryptographic security services and components comply with generally accepted security criteria (such as FIPS 140-2 and, where possible, the [Dutch] National Communications Security Agency [NBV]).

P. Key Management
Key management needs to be adopted to support the use of cryptographic techniques within the organisation.

1. In the key management attention has been paid to the process, the actors and their responsibilities at least.
2. The period of validity of cryptographic keys is determined on the basis of the intended use and is laid down in the cryptographic policy.
3. The confidentiality of cryptographic keys must be ensured during generation, use, transport and storage of the keys.
4. A procedure has been laid down in which it is determined how to deal with compromised keys.

Q. Management of operational software
Procedures will have to be determined to manage the installation of software on production systems.

Only authorised personnel may install or activate features and software.
Only following a successful test and acceptance may software be installed on a production environment.
Installed software, configurations and documentation are kept in a configuration database.
Only (versions of) software maintained by the supplier will be used.
A log will be kept of updates.
There will be a rollback strategy.

R. Change management procedures
The implementation of changes will be subject to formal change control procedures.

1. Change management has been demonstrably set up in accordance with current best practices such as ITIL and ASL for applications.

S. Technical assessment of applications after changes in the operating system
In case of changes in operating systems, business-critical applications need to be assessed and tested to ensure that the activities or security of the organisation will not be adversely affected.

1. Of adjustments (such as updates) to software components of the technical infrastructure it is established that these will not endanger the correct functionality of the technical components.

T. Control of technical vulnerabilities
Information must be obtained in a timely manner on the technical vulnerabilities of the information systems used. The extent to which the organisation is exposed to such vulnerabilities must be evaluated and proper measures will have to be taken for the handling of the associated risks.

1. There is a process for the management of technical vulnerabilities; this shall include, as a minimum, reporting of incidents to the Information Security Service for municipalities, periodic penetration tests, risk analyses of vulnerabilities and patching.
2. Of the software facilities of the technical infrastructure there may be (preferably automated) check-ups whether the last updates (patches) have been implemented. Implementation of updates will not take place automated, unless specific arrangements have been made in this regard with the supplier.
3. If a patch is available, the risks involved with its installation must be evaluated (the risks connected to the vulnerability need to be compared with the risks of the installation of the patch).
4. Updates/patches for vulnerabilities with a potential high risk of misuse and extensive damage will be implemented as soon as possible, though within one week. Less critical security updates/patched will have to be scheduled for the next maintenance round.
5. If there is still no patch available, actions must be taken in accordance with the opinion of a Computer Emergency Response Team (CERT), e.g. the Dutch National Cyber Security Centre (NCSC).

U. Collecting evidence
In the event a follow-up proceeding including legal measures (either under civil law or criminal law) is initiated against a person or organisation after an information security incident, evidence will be collected, preserved and presented in accordance with the requirements for proof applying to the relevant legal area.

1. In support of a follow-up procedure resulting from a security incident evidence needs to be collected, preserved and presented in accordance with the requirements for proof applying to the relevant legal area.

V. Compliance with security policies and standards
To achieve compliance with security policies and standards, Line Managers need to ensure that all security procedures within their area of responsibility will be properly implemented.

1. The line management is responsible for the implementation and the security procedures and the testing accordingly (e.g. annually in control statement). In accordance with our strategic Baseline Policy, the Head of Legal & Security will, on behalf of the board, ensure supervision of the implementation of the security policy. This also includes periodical security self-evaluations, which may be performed by or on behalf of the Head Legal & Security or by internal of external audit teams.
2. In the P&C cycle reports are produced on information security based on the in control statement.

W. Testing technical compliance

Information systems will have to be tested regularly for compliance with implementation of security standards.

Information systems will have to be tested regularly for compliance with security standards. This may be facilitated e.g. by vulnerability analysis and penetration tests.

Appendix 3

Process reporting of Data Breaches

What is a security incident and when will it have to be reported?

A data breach is a security incident where Personal Data managed by the Processor on behalf of the Controller may be lost or unintentionally accessed by third parties. This concerns data that may be linked to these persons, such as, but not limited to, names, addresses, telephone numbers, e-mail addresses, login data, cookies, IP addresses or identifiable data of computers or telephones.

Below you may find some examples of security incidents that must be reported to the Dutch Data Protection Authority [Autoriteit Persoonsgegevens].

The website containing login data has been hacked or accessed by third parties.
Loss of a laptop or USB flash drive containing personal data.
Employees’ salary slips have been accidentally sent to the wrong persons.
Letters or e-mails are sent to a wrong address.
A hacker attack on a ICT system.
A lost or stolen telephone with personal data on it.

What to do in case of doubt?

If, based on the foregoing, you are not sure there is a security incident, in any case – as a tool – already ask yourself the following questions:

Is there a technical of physical security problem?
Does the problem involve the security of Personal Data? This may include IP addresses, telephone numbers or identifying data, e.g. of hardware.
Is this about sensitive data, such as data on race, health data, information on a person’s financial situation, e.g. salary, or data enabling (identity) fraud, e.g. a Citizen Service Number.
Have large quantities of personal data have been unintentionally accessed by third parties?
It this about data of vulnerable groups, e.g. those of children? Are the personal data managed by a supplier?

Also in case of doubt, stay on the safe side and always contact the [enter name contact or department].

Where to report a security incident?

If you have discovered a security incident, please contact the [enter name contact or department] without delay.

TEL: [Enter telephone number]

Or E-MAIL: [Enter e-mail address].

Answer the questions below in your e-mail.

We would like you to answer the following questions for us. The answers to these questions equal the information required by the Dutch Data Protection Authority.

The [enter name contact or department] may be of help in answering the questions. Please answer the questions as completely as possible in writing.

Give a summary of the security breach / security incident / data breach:
- what happened? State here the name of the system involved.

What types of personal data are involved in the security incident?
- Such as, but not limited to, name, address, e-mail address, IP number, Citizen Service Number, passport photo an any fact that may be traced back to a person.

The personal data of how many people are involved in the security incident?
- Please enter a minimum and maximum number of persons.

Description of the group of persons whose data are involved.
- Specify whether it concerns employee records, Internet users’ data. Data of vulnerable groups of people, such as children, require special attention.

Are the contact details of the persons involved known?
- It may be that the data subjects need to be informed about the data breach. Can we reach these persons in these circumstances?

What is the cause (root cause) of the security incident?
- Do you have an idea how the security incident could have arisen?

The date on which or the period in which the security incident could have taken place?
- Please indicate this in as specific a manner as possible.