Skills Unlimited BV, the owner of Personalcolor and Smartfeedback, is a Dutch company. We offer assessment tools and training to HR specialists, trainers, coaches, psychologists and other talent development practitioners. We work directly, or through (international) partners, with numerous multinational corporations and public sector bodies globally.
Under current data protection legislation every individual has rights as to how his/her personal data is handled and we recognise the need to treat all such data in an appropriate and lawful manner, according to the nature and classification of such data. With effect from 25th May 2018, personal data, including sensitive data, will be subject to new legal safeguards under the EU General Data Protection Regulation (GDPR). This regulation is the most significant piece of European data protection legislation to be introduced in 20 years and it has global implications. It strengthens the rights that individuals have regarding their personal data and seeks to unify data protection laws across the European Union, governing the rights of EU citizen data subjects, regardless of where their data is processed or stored.
We are focused on our global GDPR compliance efforts. During our implementation period for GDPR, we are evaluating new legislative requirements and restrictions imposed by GDPR and will take appropriate action necessary to ensure that we handle personal data in full compliance with GDPR by the 25th May 2018 deadline. Our clients and suppliers will be notified of updated terms of business based on changes that we have implemented.
We are committed to providing robust privacy and security protections which have been built into our services and contracts over the years. Currently, Skills Unlimited BV uses a “defence in depth” approach to information security that provides multiple layers of technical, administrative, and physical controls to secure the data that we process.
In our role as a data controller we are responsible for implementing appropriate technical and organisational measures to ensure and demonstrate that any data processing is performed in compliance with GDPR. Our data controller obligations relate to principles such as lawfulness, fairness and transparency, purpose limitation, data minimisation, and accuracy, as well as fulfilling data subjects’ rights with respect to their data, together with only using data processors that operate in such a manner that their data processing will also meet the requirements of GDPR. We enter into contractual agreements with our processors, including EU standard contractual clauses (model contracts) where applicable.
In our role as a data processor, we are responsible for implementing appropriate technical and organisational measures to meet the requirements of GDPR, ensuring a level of information security appropriate to the risk, and acting in accordance with the relevant data controller’s instructions. We enter into contractual agreements as appropriate with the applicable data controller, and also with sub-processors, to provide sufficient representations to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of GDPR.
Skills Unlimited BV’s commitments to GDPR
We are fully committed to complying with GDPR and highlight below key areas of our GDPR compliance effort.
Privacy Notices, Policies and Procedures – Our public Privacy Policy sets out how we handle data including how we collect, store and use personal data and sensitive personal data, our lawful bases for processing personal data, as well as the rights of data subjects, including the right to withdraw consent. We also use fair collection/processing notices at key data capture points. These notices include information, and consents where applicable, at the relevant data capture point, and signpost to our Privacy Policy. Our current privacy policy will be updated prior to the GDPR deadline.
Our internal policies and procedures, including our Data Protection Policy, explain how our officers, employees and consultants shall operate in respect of handling of personal data, sensitive personal data and other data protection matters, including collection, storage, processing and destruction of such data. Our internal policies and procedures set out the technical and organisational measures that we take in order to prevent unauthorised and unlawful processing, accidental loss or destruction or damage to personal data that we hold on behalf of our customers and others. We expect all our officers, employees and consultants to comply with all applicable data protection policies and procedures in all aspects of their day-to-day work.
Knowledge, Experience and Resources – Using our existing knowledge and experience, and supplementing this with ongoing information security training and external advice where necessary, we seek to ensure we maintain the company’s defensive systems, developing security review processes, building security infrastructure, and implementing our security policies.
Data Processing Agreements – Presently we are updating customer and other third party contracts to reflect GDPR, including executing data processing agreements where required. Where applicable, we enter into model contracts in our role as data controller.
Processing According to Instructions – Any personal data entered into our systems will only be processed in accordance with the data controller’s instructions, as described in GDPR-updated data processing agreements and provisions.
Personnel Confidentiality Commitments – All Skills Unlimited BV employees and consultants are bound to comply with confidentiality provisions and will be subject to GDPR compliant Privacy Statements, in addition to completing revised GDPR-compliant privacy and data protection training. We have various policies that specifically address responsibilities and expected behaviour with respect to the protection of confidential information.
Use of Sub-processors – We engage certain third-party providers to assist in supporting our data processing activities. Each provider goes through a formal selection process to ensure it has the required technical expertise and can deliver the appropriate level of information security and privacy. Processors and sub-processors will be bound by data processing agreements/provisions, and model contracts (EU standard contractual clauses) where required. All sub-processors undergo periodic reviews to ensure their on-going compliance with Skills Unlimited BV’s information security standards.
Security of the Services – According to GDPR, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of information security appropriate to the risk. Our IT infrastructure and software applications are built to provide secure deployment of services, encrypted storage of data with end-user privacy safeguards, encrypted communications between services, and safe operation by customers.
Personalcolor and Smartfeedback – Presently we are updating our existing fair collection/processing notices to provide updated transparency in respect of collection and use of any sensitive personal data and transfers of data outside the EEA. These notices will continue to link to our Privacy Policy where full details will be provided on how we handle data including how we collect, store and use personal data and sensitive personal data, our lawful bases for processing such personal data, information on transfers outside the European Economic Area (EEA), as well as individuals’ rights as data subjects, including the right to withdraw consent.
Data Retention and Deletion – When we receive a deletion instruction from a data subject, we will delete the relevant personal data from our systems unless retention obligations apply. Our Data Retention and Destruction Policy clearly sets out such retention obligations.
Data Subject’s Rights – We will fulfil our obligations to respond to requests from data subjects to exercise their rights under GDPR-specified timeframes.
Incident Notifications – We shall promptly inform data subjects of incidents involving their personal data in line with any data breach notification terms in our current agreements and the updated terms that will apply when GDPR comes into force.
Data Protection Officer and reporting of concerns – If you have any questions about our stance on data protection matters generally or how we process personal data, please refer to our Privacy Policy. This will be updated in respect of GDPR prior to the implementation date. In the meantime, if you have any questions on our steps towards implementation of GDPR requirements, please contact us.
Skills Unlimited BV’s Data Protection Officer (DPO) is a member of Skills Unlimited BV’s Board of Directors and is responsible for ensuring and monitoring compliance with data protection requirements, including GDPR after the implementation date. Our DPO, Bart de Kruiff, should be contacted in the first instance in relation to any data protection concerns.
We are fully committed to ensuring that we act in accordance with various global data protection laws as applicable, including GDPR, and will take seriously any data protection concerns you raise with us.
Data Protection Officer
Skills Unlimited BV
Zaagmolenlaan 4
3447GS Woerden
The Netherlands
T: + 31 (0)348-498855
E: privacy@skillsunlimited.com
April 2018