Privacy policy municipality of Leudal

1.1 What is privacy?

The Dutch Constitution defines privacy as the right to respect for private life, Article 10 of the Constitution. The core of the right to respect for personal privacy (privacy) is the protection of the right to personal freedom and individual autonomy, both in relation to the government in delineating the private sphere, and in relation to the rights and freedoms of others. Key points regarding the processing of personal data in this regard are: 1) lawful, proper and transparent, 2) purpose limitation and compatibility, 3) data minimization, 4) accuracy, 5) storage limitation, 6) integrity and confidentiality, and 7) accountability.

Privacy applies to all processes of the municipality and concerns the political administration, all employees, citizens, guests and external relations. 

1.2 Mission, vision and ambition privacy

Privacy is an integral part of organizational strategy. The protection of personal data has an increasing role within business operations. Privacy should thereby be enshrined in all ambitions that the municipality pursues.

Mission

Municipality of Leudal wants to comply with laws and regulations. This concerns the General Data Protection Regulation and the AVG Implementation Act.

Vision

The employees of the Municipality of Leudal have sufficient knowledge to proactively anticipate developments in the work processes. Whereby it is demonstrated that privacy is secured in the processes. 

Ambition 

Demonstrate that privacy is secured in all work processes. 

Ensuring privacy requires good practices, commandments and prohibitions. It requires an overview of the total chain within which data of the organization circulates and the making of agreements within which this happens. The processing of personal data must be monitored and action must be taken if contract partners do not fulfill their agreements. Properly arranging all the necessary facets to ensure privacy does not guarantee that a data breach or other calamity involving personal data will never occur. But should it happen, it virtually eliminates the chance of it occurring due to unlawful and improper administration.  

The ambition of the Municipality of Leudal around securing privacy is therefore to be able to demonstrate that privacy is secured in all work processes that the organization has.

1.3 Purpose and scope of the policy

The purpose of this privacy policy is to establish frameworks to ensure that the municipality of Leudal processes personal data in a proper and careful manner in accordance with the law. With this policy, the municipality of Leudal thus wants to clarify how it deals with personal data on a daily basis in relation to various laws and treaties that regulate the protection of privacy. This privacy policy is in line with the relevant national and European laws and regulations. 

The policy applies to all processing of personal data by all
administrative bodies of the municipality. Like the AVG, the policy does not cover the processing of data on legal entities or companies established in the municipality of Leudal, such as the name and legal form of the legal entity and the contact details of the legal entity.

This policy also covers the processing of police data by the Municipality of Leudal. The rules concerning the processing of police data are regulated in the Police Data Act (Wpg). Because this Act differs from the AVG on a number of points, it has been decided to deal with the principles under the Wpg separately in Chapter 8 of this policy.

1.4 Consistency of privacy and information security and other interfaces

There is a close relationship between privacy and information security. They are two different concepts, but with a common interface. Privacy is about keeping personal information confidential and adequately protecting it. Information security is about the availability, integrity and confidentiality of all (sensitive) information. Both information security and privacy require a risk-driven approach.
The image below shows the connection.

Because of this connection, the privacy policy cannot be viewed separately from the information security policy. The vision in this privacy policy corresponds to the vision included in the information security policy (i-vision). The information security policy of the municipality of Leudal meets the nationally set security standards for the government and is included in the Strategic Information Security Policy 2020-2022, which are translated into the Tactical Information Security Policy. 

1.4.1 Archive and data destruction.

The archive policy of the municipality of Leudal is laid down in the Archiefverordening gemeente Leudal 2020 and the Besluit informatiebeheer gemeente 2020. These also include provisions regarding data destruction, which are based on the Archives Act. In privacy legislation, it is an obligation to agree on a clear term for how long personal data are kept, with storage limitation being the starting point.  

1.4.2 Integrity

Safe handling of personal data requires an attitude of integrity. To create awareness for this at the front, new employees of the municipality of Leudal take the oath or promise and must sign a confidentiality declaration. All external parties performing work for the municipality of Leudal will sign a declaration of confidentiality in advance. This is laid down in the Process 'In- Door- en Uitstroom (IDU).

Since May 25, 2018, the European Regulation 'The General Data Protection Regulation' (GDPR) has been in force. In the Netherlands, this regulation has been translated into the General Data Protection Regulation (AVG), also known as the European Privacy Law. The purpose of the AVG is to ensure the protection of natural persons in connection with the processing of their data and the free movement of personal data within the European Union. 

The AVG has direct effect throughout the European Union, harmonizing the rules for the protection of personal data. However, on specific points the AVG gives Member States room to give further interpretation to provisions of the AVG. This interpretation is done through so-called implementing laws, such as the AVG Implementation Act in the Netherlands. The main areas in which the AVG Implementation Act plays a role are: 

1. the scope of the AVG;
2. The role, position and powers of the national regulator (AP);
3. arrangements around the use of special categories of personal data;
4. Arrangements regarding (the exceptions to the rights of data subjects and; 
5. arrangements for specific processing situations (such as in relation to freedom of expression).  

Furthermore, specific laws contain additional or more specific requirements and frameworks for a particular sector or domain. Such as in the Social Support Act 2015 (Wmo), the Youth Act, the Basic Records of Persons Act ( BRP Act), as well as the Police Data Act (Wpg).

2.1 Important definitions

Since the following terms are commonly used in the privacy policy, they will be elaborated. If the terms are already included in the AVG (Article 4), a connection will be made to them:  

Concerned

The person to whom the personal data relates. The data subject is the person whose data is being processed.

Data Protection Impact Assessment (DPIA).

A DPIA assesses the privacy impacts and risks of new or existing processing operations.

Personal data

All data that is about people and from which you can identify a person as an individual. This includes not only confidential data, such as about someone's health, but any data that can be traced to a particular person (for example; name, address, date of birth). In addition to ordinary personal data, the law also recognizes special personal data. These are data that deal with sensitive subjects, such as ethnic background, political preferences or the Citizen Service Number (BSN).

Police data

All personal data in the exercise of police duties are processed. This includes data processed by the municipality's boas for the detection of criminal offenses. 

Processor

The person or organization that processes personal data on behalf of another person or organization.

Processing Register

The register kept by the processing controller,
in which the categories of processing of personal data organization are kept. The Data Protection Officer is internally responsible for maintaining the processing register.

Controller

A person or body that alone, or jointly with another, determines the purposes and means of processing personal data.

Processing

A processing is anything you do with personal data, such as: collect, record, organize, structure, store, update or modify, retrieve, consult, use, transmit, distribute or otherwise make available, align or combine, screen, erase or destroy.

2.2 Specific policy areas

2.2.1 Social domain

The new tasks undertaken by the municipality in the social domain since Jan. 1, 2015, involve the processing of personal data, often special, of new client groups.

2.2.1.1 Client consultations.

Efficiency, effectiveness and quality of services benefit from the fact that where necessary and possible, internal and external coordination about a client takes place between the various components of the social domain. Despite this also being one of the objectives of the legislature, the legislature has not regulated the exchange of information in the context of coordination. Participation Act, Youth Act and WMO 2015 each have their own rules for this.
This means that from the general principles of the AVG, data should be exchanged and in particular the principles of:

• transparency (always be transparent to stakeholders);
• proportionality and data minimization (no more than necessary);
• subsidiarity (only if necessary, can it be done another way?);
• No longer than necessary (remember retention periods).

Within the social domain, working agreements have been made about this. It is important to note the advent of the Act to tackle multiple problems in the social domain (Wams). With the advent of the Wams, the legal loophole in this will be filled and there will be clarity about data exchange within the social domain as well as the reuse of data in case of multiple problems.

2.2.1.2 The connection between public order and security and social domain

In recent years, the municipality of Leudal has started to process more personal data of persons who (may) pose a threat to public order and safety. Solving problems with (potential) troublemakers is increasingly an administrative rather than a police matter and data from the police and judiciary are included in case discussions in the social domain. The exchange of such data takes place within the legal possibilities of processing personal data.

2.2.2 Openness of Government

Publication of personal data on the Internet is limited to the utmost. In the first place it should be considered whether publication of personal data (spontaneous as well as on request) cannot be avoided. If publication is unavoidable, then it will be considered whether the means of publication is the Internet. The municipality of Leudal uses the Guidelines for Active Publication and the Guidelines for Publication of Personal Data on the Internet as a starting point. Should publication of personal data on the Internet be necessary, such data will be protected from search engines.

2.2.3 Police Data Act (Wpg).

The AVG does not always apply. For investigative data, there is the Police Data Act (Wpg) and since March 2019 this law also applies to data processed by special investigating officers (boas). It follows from the Wpg that the employer of the boas is responsible for compliance with the Wpg. This means that the Municipal Executive of the Municipality of Leudal is responsible for taking measures to ensure compliance with the Wpg.  
 

The Municipality of Leudal is obliged to observe some principles when processing personal data (Article 5 AVG). The municipality of Leudal handles personal data in a careful manner, respecting the privacy of those involved. The principles to which the municipality of Leudal must adhere when processing personal data are elaborated on point by point below: 

3.1 Lawful, proper, transparent (sub a)

Lawful

The Municipality of Leudal handles the personal data it processes with care. We call this lawfulness. A processing is lawful only if and insofar as the Requirements are met as included in Article 6 AVG, namely: 

• when the data subject has given consent to the specific processing (sub a);
• for the performance of a contract in which the data subject was a part (sub b);
• To fulfill an obligation stated in the law (sub c);
• to combat a serious threat to the person's health (subd);
• for the proper performance of municipal duty (sub e);
• if a careful balancing of interests so indicates (subsection f).

The municipality of Leudal processes personal data as much as possible on the basis of the public duty it has by virtue of the tasks assigned to it. Legality is also translated into specific work processes and procedures, without compromising workability.

Quite

Dealing properly and carefully with personal data also means that we do not process more data than necessary. We call this data minimization or data minimization.
This is also in line with the principles of subsidiarity and proportionality. This means that we keep the processing of personal data - which can be seen as an infringement in the privacy of the person concerned - as small as possible and this is in proportion to achieving the purpose for which the personal data are processed.
Sometimes the data necessary to achieve the purpose is determined by law. In other
cases the municipality of Leudal makes this consideration itself. Only the data necessary to achieve the goal will be processed. Where possible, anonymous data will be used.

Transparent

The Municipality of Leudal wishes to propagate the importance of privacy and to be a trustworthy government by respecting the privacy of data subjects in its actions and to be transparent about how it does so. In accordance with the transparency principle, information and communication related to the processing of those personal data should be easily accessible and understandable, and clear and simple language should be used. The Municipality of Leudal ensures that data subjects are informed about the purposes of processing. Often this is already done by the person concerned providing his/her own data on an application form. This often already states which personal data are needed and for which purpose. If the municipality processes personal data that it does not receive from the data subject, it informs the data subject.

3.2 Purposeful and compatible (sub b)

The municipality only processes personal data for a purpose for which there is a basis. The AVG has six bases that justify the processing of personal data, see Article 6 AVG. Personal data are used for the purpose for which they were collected and any compatible purposes. The Municipality of Leudal does not reuse this personal data for other purposes.

3.3 Data minimization (sub c)

Data minimization is also known as data minimization. It means that the municipality should not collect more personal data than is strictly necessary for the intended purpose (proportionality principle). 

3.4 Correctness (sub d)

All reasonable steps should be taken to ensure that inaccurate personal data are rectified or deleted. 

3.5 Storage limitation (sub e)

Care should be taken to keep the storage period (or retention period) of personal data to a strict minimum. If there is any personal data still stored that is no longer needed to achieve the purpose, it shall be deleted as soon as possible. This includes destroying this data, or modifying it so that the information can no longer be used to identify a person.

To ensure that personal data are not kept longer than necessary, the municipality sets time limits for erasure or periodic review of data.
How long the Municipality of Leudal retains personal data varies. The Archives Act and various other laws, require the municipality to retain data for a minimum or maximum period. During this retention period, the municipality ensures careful and safe storage. After expiration of the mandatory retention period, the data are destroyed.

3.6 Integrity and confidentiality (sub f)

Integrity and confidentiality

The Municipality of Leudal handles personal data with care and treats them confidentially. For example, personal data are only processed by persons who have signed a duty of confidentiality. In addition, the municipality of Leudal ensures appropriate security of personal data, for which the frameworks are laid down in the information security policy. 

Appropriate security

Personal data must be processed in a manner that ensures appropriate security and confidentiality of that data, including to prevent unauthorized access to or use of personal data and the equipment used for processing.
For municipalities, the Government Information Security Baseline (BIO) applies as mandatory Requirements to meet the concept of Appropriate Security. The strategic information security policy further elaborates on this to which reference is made here.

3.7 Privacy by design and privacy by default

Privacy by design

The Municipality of Leudal designs its work processes so that they comply with the frameworks and principles set out in this policy. We call this privacy by design. By thinking in advance about possible privacy issues and including this in the design of the processes and systems, we reduce any privacy risks.

Privacy by default

Wherever possible, application settings are set in such a way that the protection of the rights of individuals is taken into account as much as possible. This means that, where possible, no more data will be shared/shared than is necessary for the performance of tasks. This will be monitored via logging and logging checks. 

Pursuant to Article 5, second paragraph, AVG, the controller is responsible for compliance with the principles regarding the processing of personal data as elaborated in Chapter 3. The Personal Data Authority (AP) is the supervisory body in the Netherlands that monitors that the controller actually complies with the AVG and protects personal data. The AP can conduct (additional) investigations and has the ability to impose administrative measures and fines if the AVG is not complied with.

But who in the organization is now responsible for compliance with privacy laws and regulations, and what role does each person play in it

4.1 Accountability

All governing bodies of the municipality are responsible for compliance with privacy laws and regulations, such as the AVG and the privacy policy, each as far as its administrative duties are concerned. The governing bodies of the municipality are the City Council, the Board of Mayor and Aldermen (the College of B&W) and the Mayor. 

When the processing of personal data is delegated by law to external organizations that can also determine the purpose and means, the governing bodies of this organization are themselves processors (and thus responsible for privacy compliance) within the meaning of the AVG. 

4.2 Securing compliance

Ensuring the protection of personal data is a task for everyone in the organization. After all, the entire organization is involved in processing personal data. The board, the city clerk/general manager, the process owners and the process managers play a crucial role in implementing this privacy policy. The management, partly based on an assessment of the risks that the municipality of Leudal runs in this regard, makes the assessment of the importance of the various parts of the privacy.

4.3 Different roles 

In order to effectively ensure that privacy protection is embedded in the organization, it is necessary to consider all persons working in the organization (including external and hired employees), each from their own role. Below, these various roles and responsibilities to implement this privacy policy are briefly addressed.

4.3.1 City Council

The City Council has a supervisory role based on the control function assigned to them by the Municipal Law.

4.3.2 Board of bailiffs and mayor

The Municipal Executive and the Mayor, each insofar as his or her authority is concerned, are integrally (administratively) responsible for the security of information and the safeguarding of privacy within the work processes of the Municipality of Leudal. They establish frameworks for information security and privacy protection based on European and national laws and regulations and related standards frameworks. This is established in the information security policy, privacy policy and privacy statement. In a number of specific cases determined by law, this authority lies with the Mayor instead of the College.
Both the college of B&W and the city council (control function) can order checks to be carried out. The College of B&W is accountable to the Council. They also proactively report details regarding data processing to the city council. Examples include serious data breaches.

Privacy is secured through a permanent seat in the college, with a permanent portfolio holder who has the time, knowledge and administrative power to intervene in all areas of the organization and its processes where the care of personal data is at stake.

4.3.3 The city clerk/general manager

The city clerk/general manager also has an important role in ensuring privacy. The city clerk/general manager:

• Ensures that all processes and systems and associated resources are always the responsibility of a department head/process owner, process manager and system owner;
• Steers for corporate risks with respect to information security and privacy;
• ensures that information security topics are a part of P&C discussions and that high-risk topics are included in audit plans.

4.3.4 The department heads and team leaders

The department heads make up management, which takes a joint position on, among other things, the mission, vision and ambition of the privacy policy. Team leaders are the link between management and employees who execute the processes. The department heads and team leaders are therefore an important link in ensuring that laws and regulations are adhered to and feel responsible for this. They ensure that:

• there is sufficient awareness of privacy and information security and these two topics become a regular item on the agenda. To raise awareness, they are of course assisted by the PO (privacy) and the CISO (information security).
• there is a staff member on each team designated as a privacy ambassador. 
• the employees on their teams implement the privacy policy and take adequate measures to mitigate risks;
• the necessary people and resources are made available to carry out their departmental/team processes in accordance with this policy; 
• operational procedures/work plans for processing in their department/team are established and that management adopts them;
• verify that the measures taken are consistent with the requirements set and that they provide sufficient protection to comply with privacy laws;
• the responsible portfolio holders within the college are informed solicited and unsolicited about the assurance and compliance of the privacy policy within the organization. 

The Department Head of Services ensures that the privacy policy, which is consistent with the information security policy, is drafted.

4.3.5 The Data Protection Officer (FG)

In accordance with the obligation in Article 37 AVG and Article 36 Wpg, the municipality has appointed a FG to conduct independent control and supervision of the way in which the organization implements measures to comply with privacy laws and regulations and information security. The tasks of the FG are described in Article 39 AVG and Article 26 Wpg and are, in brief:

• Inform and advise processors and processors' controllers about their obligations under the AVG and the Wpg;
• monitor compliance with the AVG and the Wpg;
• Provide advice regarding DPIAs when requested and oversee their implementation;
• Working with and acting as liaison to the AP and;
• Create awareness about privacy laws. 

A new processing of personal data is first reported to the FG before the processing begins, so that he can determine whether this requires a DPIA to be conducted first. 

The FG is responsible for structurally reviewing the implementation and execution of legal requirements and municipal privacy guidelines. The FG works closely with the CISO and the PO and should serve as the first point of contact for issues from the CISO and the PO. 

The FG must also be easily accessible to citizens whose personal data we process or other external parties with whom the municipality cooperates. Citizens and external parties can ask questions about the organization's processing of personal data or communicate (suspicions) of misuse of personal data by our organization. The FG can be reached at the dedicated email address: fg@leudal.nl. 

4.3.6 The Privacy Officer (PO).

The Privacy Officer serves as the point of contact for privacy issues that arise in the organization. He advises on and contributes to the municipality's privacy policy/vision and works to increase privacy awareness within the organization.

He advises the organization on organizational privacy issues and handles incoming privacy requests. The PO also supports and advises organization-wide on privacy and (the processing of) personal data. The PO is not intended to take over the privacy protection tasks of the teams. The teams have their own responsibility in dealing properly with privacy-sensitive data.

The PO ensures that the legally required tasks under privacy laws and regulations are carried out and that measures are embedded in the organization. To this end, the PO works closely with the CISO and the FG. 

4.3.7 The Chief Information Security Officer (CISO)

The Chief Information Security Officer supports and advises the organization and the process owners and process managers in monitoring and increasing the reliability of the information provision. He directs the information security process throughout the municipality and keeps an eye on quality and timeliness and makes proposals on possible and/or necessary adjustments. He reports directly to the town clerk/general manager. 

He drafts the information security policy and development plans. These are based on a risk management approach, taking into account the information security threat picture, trends and organizational needs. The CISO works closely with the PO and the FG.

The CISO is the ENSIA coordinator. The ENSIA coordinator has a supervisory and monitoring role and is responsible for the timely submission of all ENSIA audits.
The CISO is designated as the first Trusted Contact Person for Information Security (VCIB).

4.3.8 Privacy Ambassador

Placing privacy protection and information security in one department does not do justice to the subject. To create and maintain higher awareness throughout the organization, one employee per team has been designated as privacy ambassador. The privacy ambassador carries, in cooperation with the department head/team leader and the FG, PO and CISO, Health a continuous awareness about privacy (and information security) within his team. The privacy ambassador makes an effort to:

• for updating and communicating new processing operations of his team and changes in existing processing operations of his team involving personal data for the purpose of keeping the municipality's processing register up-to-date. He communicates these changes to the PO, who is responsible for keeping the processing register up-to-date organization-wide
• for contributing to creating more awareness, at least while discussing the regular topic during team meetings. He will also update the team on new developments in privacy law, supported by the PO.
• inform new employees in his team about the privacy rules, at least highlighting this privacy policy and the Data Breach Protocol.

4.3.9 Privacy team and data breach team

Ensuring that the organization complies with privacy regulations and that the information in the organization is secure often requires a great deal of knowledge and expertise. This requires different disciplines and different departments to be hooked up. 

The key officers of the privacy team and the data breach team are: the FG, the CISO and the PO. They have weekly meetings to keep each other informed of what is going on within the organization in the area of privacy and information security. They also update each other on new developments, with the FG taking the lead from his role.
The internal organization can reach the team through the special e-mail addresses set up for this purpose in the: privacy@leudal.nl and datalekken@leudal.nl. 

In their role, the privacy ambassadors can support the PO to become and remain a privacy-aware organization. The privacy ambassadors join the privacy team meeting at least quarterly, with the main purpose being knowledge transfer and discussion of a plan of action regarding optimizing ongoing awareness within the teams.

Indispensable link in the data breach team is ICT. By taking the right security measures on the municipal organization's ICT infrastructure, security incidents and data leaks can be prevented. Once a year, together with ICT, the Data Breach Protocol is gone through and, if necessary, an exercise is carried out.   

In his role, the FG keeps the municipal secretary/general manager informed and, upon request, reports to him on developments and agreements made in the teams and their progress. 

4.3.10 Employees 

All employees (including hired/externs) are responsible for protecting the privacy of data subjects and processing personal data properly and carefully. This means that every employee, within the frameworks of their role/function, ensures the lawful, proper and transparent processing of personal data. Employees ensure that privacy is included in their work processes in which personal data play a role. When they have doubts about this, they call in the help of the PO (for the assurance of privacy) and CISO (for the Health around information security).

As stated above, the municipality has an accountability obligation to make an important contribution to the protection of people's fundamental right regarding privacy. The Municipality of Leudal must demonstrate that a processing complies with the main principles of privacy as included in Chapter 3 of this policy. To this end, the municipality has taken the following steps.

5.1 Register of processing operations 

In order to demonstrate compliance with the AVG and the Wpg, the Municipality of Leudal keeps a register of all processing activities for which the municipality is the data controller. This is an obligation arising from Article 30 AVG and Article 31d Wpg. The register of processing activities is also referred to as the processing register. Each register contains a description of what takes place during a processing operation, and what data are used for that purpose, namely:

• the name and contact information of the processing controller and, possibly, the
• joint controller (sub a);
• The purposes of the processing (sub b);
• A description of the type of personal data and the associated data subjects (sub c);
• A description of the recipients of the personal data (sub d);
• A description of the sharing of personal data to a third country or international organization (sub e);
• The time limits within which the various personal data must be deleted (sub. f) and;
• A general description of security measures (sub g).

The processing register of the Municipality of Leudal is a living document, which is continuously updated with the latest processing of personal data. The register is published online. The latest version of the municipality of Leudal's processing register can be found on the municipal website.

5.2 Duty to report data breaches

We speak of a data breach when personal data falls into the hands of third parties who should not have access to that data. Examples include the loss of a USB stick or paper file containing personal data, break-ins by a hacker or the granting of authorizations to unauthorized persons in the municipal system and the sending to someone (in writing or digitally) of personal data not intended for the recipient. If a (suspected) data breach occurs, the municipality should act quickly and efficiently. It should verify that all appropriate technical and organizational measures have been taken to determine whether a personal data breach has occurred, and notify the AP and the data subject without delay. 

When a data breach has occurred, pursuant to Article 33 AVG, the municipality shall report it to the AP without unreasonable delay, no later than 72 hours after learning of the breach. If this is later than 72 hours, a justification for the delay is attached to the notification. The notification may result in the AP acting in accordance with its duties and powers set forth in the AVG. 

The determination of a data breach will include whether or not the personal data had been protected by adequate and technical measures that limited the possibility of identity fraud or other forms of misuse. If the breach is found to pose a high risk to the rights and freedoms of the data subject(s), pursuant to Article 34 AVG, the municipality shall notify the data subjects without unreasonable delay in simple and clear language. The notification should include both the nature of the personal data breach and recommendations on how the natural person concerned can mitigate possible negative consequences. 

To prevent future data breaches, existing data breaches are evaluated. The municipality has also adopted a "Procedure Data Leak Municipality of Leudal".
In addition, processing agreements are concluded with contractors and other external parties who process personal data, containing agreements on how to protect the privacy of personal data and how to act in the event of a (suspected) data leak.

5.3 Sharing personal data with third parties

Some goals are achieved through cooperation between multiple (social) organizations. This may require sharing personal data with each other. When personal data is shared with other organizations, this is always done within the frameworks and principles as stated in this policy.

When the municipality cooperates with partners for personal data processing or has its tasks performed by another organization (i.e. engages a processor), the municipality must take precautions to ensure privacy protection. Therefore, a covenant is concluded with a cooperating party and a processor agreement is concluded with a third party/company that processes, in which agreements are laid down regarding the processing of personal data. When an external/hiring party is expected to process personal data on behalf of the municipality by virtue of his/her position, he/she must sign a confidentiality agreement beforehand.

Entering into a covenant or a processing agreement provides the opportunity to ensure that the other party (cooperating party or processor) also handles personal data with care and guarantees adequate protection. Department/team leaders are responsible for ensuring that the requirements set out in the contracts are secured and monitored. 

The municipality uses the standard model processor agreement adopted by the VNG. Entering into a processor agreement is a permanent part of the Leudal Municipality's procurement and purchasing policy. 

5.4 Data Protection Impact Assessment (DPIA).

A Data Protection Impact Assessment (DPIA), also known as a data protection impact assessment, assesses the effects and risks of new or existing processing operations on the protection of privacy. It is an obligation arising from Article 35 AVG and Article 4c Wpg to improve compliance with the AVG and Wpg if the processing poses a high privacy risk to the citizens whose data the municipality processes. In the DPIA, the origin, nature, specificity and severity of that risk of processing personal data are evaluated in advance by the processor-responsible party.

Under the AVG, the municipality conducts a DPIA at least when the following processing occurs: 

• automated processing (including profiling);
• a large-scale processing of personal data or processing of criminal data or;
• When large-scale monitoring of public areas (camera surveillance) takes place. 

This applies in particular to processing operations that use new technologies, where the DPIA should always be carried out before processing begins. 

For new processing of police data, the municipality conducts a DPIA under the Wpg if the proposed processing results in a high risk to data subjects. 

The municipality uses a list of processing operations that, based on risk assessment, leads to a simple, medium and complex DPIA. Based on current developments at the time, the choice of which DPIA to conduct is made.

5.5 Privacy-conscious organization

Awareness is the capstone of privacy laws and regulations. As stated earlier in Chapter 4, privacy is a subject that affects the entire organization. If everyone in the organization is aware of their own responsibility in the area of privacy, this also contributes to improving personal data protection in general. 

The media is full of reports of data breaches, mostly caused by human error. Creating awareness about information security and privacy can reduce this. Awareness is related to four aspects: 

• Behavior: to be influenced by controlling motivation, attitude and accuracy.
• Culture: to be influenced by controlling norms, values and artifacts.
• Knowledge: create awareness of terminology, priority and processes and protocols.
• Environment: create awareness of individual, group and organization.

Knowledge of the subject (what it entails and how to deal with it) can be measured by review and research. It can be checked that all guidelines and protocols are in place and comply with privacy laws and regulations. Behavior and culture are important aspects that influence awareness. By preventing a lack of motivation and accuracy among employees, behavior and culture will contribute positively to ensuring privacy and information security and also reduce a risk of rights infringement. 

A privacy-aware organization will only come about if all employees have knowledge of the rules on handling personal data at their own level. Privacy awareness is therefore a continuous process within the Municipality of Leudal, in which knowledge is transferred so that careful handling in accordance with the principles of the AVG is encouraged and continuously improved. The privacy policy is brought to the attention of existing and new employees. The municipality therefore ensures an ongoing supply of awareness on this subject. For this purpose, a communication plan has been prepared to increase awareness of privacy and information security. But employees are also expected to make efforts to put this knowledge into practice.
 

Three particular forms of automated processing of personal data addressed in this chapter are: "profiling," "big data and tracking" and "deployment of cameras." These forms can be called special because this form of automated processing usually serves a higher purpose.

6.1 Profiling (Article 22, AVG)

Profiling occurs when there is automated processing of personal data that uses personal data to look at certain personal aspects of a person in order to categorize and analyze that person, or to predict things. Examples of personal aspects may include; financial situation, interests, behavior or location.

To make profiling a little clearer we use the following example:
When a visitor on the municipal website looks at a certain service, the municipality may not take action to offer the service. Municipalities may look at how often a particular service has been viewed, but thus not specifically target advertising. In addition, the law states that no decision may be made based on profiling.

The municipality of Leudal only uses profiling if it fits within the framework of privacy laws and regulations.

6.2 Big data and tracking

Through Big Data research and tracking, data may only be processed when it is not traceable to a natural person. In addition, they are collected only for research conducted by, or on behalf of, the Municipality of Leudal.
The data collected by Big data research and tracking are only the data collected by authorized individuals. When the data are converted into a dataset, data minimization will be applied. This means that only the data that is truly necessary to achieve the goal will be used. In addition, personal data can be pseudonymized so that they cannot be traced back to a person.

Municipality of Leudal does not use tracking. The use of Big Data is not applied at this time, but we are investigating what benefits the use of Big Data can have for our services. This does take into account what is set forth in this policy. Before proceeding with this, a DPIA, including privacy by design, will be conducted. This is extremely important with big data and tracking, as it can quickly unknowingly violate the rules surrounding the processing of personal data. 

6.3 Deployment of cameras

Within the municipality, camera surveillance can be used under certain circumstances, as stipulated in the Municipal Law. Among other things, camera surveillance can be used to enhance street safety. Cameras can greatly infringe on the privacy of those being filmed. To best ensure privacy, cameras are used only when there are no other ways to achieve the goal, and requirements are set for the use of cameras.
 

In accordance with the principle of transparency, information on personal data addressed to the public or to the data subject must be concise, easily accessible and comprehensible and must be used clearly and in simple language and, where appropriate, additionally visualized. The municipality provides information addressed to the public primarily through its website. The municipality also operates a privacy statement, in which - in addition to providing information - personal data can be requested electronically. 

7.1 Right to information 

Everyone has different ways to request information from the government. 

7.1.1 Open Government Act (Woo).

Through the Open Government Act (formerly Public Access Act (Wob)), a request for information can be submitted to the municipality. When making the request, the municipality always considers whether the answer does not violate the privacy of those involved. The basic principle is that no personal data is provided.

7.1.2 Government Information Reuse Act.

The Government Information Reuse Act regulates the provision of government information for reuse upon request. When making the request, the municipality always considers whether the response does not violate the privacy of those involved. The basic principle is that no personal data is provided.

7.1.3 Rights of data subjects

The AVG grants data subjects various privacy rights to allow individuals whose personal data is processed to maintain control over their personal data. These rights are also known as data subjects' rights and can be found in Articles 13 through 22 of the AVG. 

The data can be provided via a written or web form, which can be accessed through the use of Digid. The rights of data subjects will be explained point by point below.    

The blue colored spheres refer to rights that were also present before the advent of the AVG. The orange colored spheres indicate that these rights are new with the advent of the AVG.

The Wpg regulates the rights of data subjects when it comes to processing police data. These can be found in Articles 24a to 28 Wpg. This will be discussed further in Chapter 8 of this policy.

7.1.3.1 Right to information (Transparency)

Personal data may have been obtained directly (i.e., from the data subject) or indirectly (not from the data subject). The municipality shall inform the data subject of the fact that processing of their personal data is taking place or will take place and what the purposes of such processing are. Articles 13 and 14 AVG describe what information must be provided in each case. If the purpose of processing changes, the municipality will inform the data subject. 

When data subjects give data to the municipality, they are informed of how the municipality will handle personal data. This can be done through a form, for example. Often the request forms state which data will not be disclosed without consent. The data subject is not informed again if he/she already knows that the municipality collects and processes personal data about him/her, and knows why and for what purpose this is done.

When the data is obtained through another route, i.e. outside the data subject, the data subject is informed at the time it is processed for the first time.

7.1.3.2 Right of inspection. 

Data subjects have the opportunity to control whether and how their data is collected and processed. Article 15 AVG lists information to which the right of inspection applies. At the request of the data subject, a copy of the personal data being processed will be provided. 

7.1.3.3 Right to rectification

If the municipality processes personal data of data subjects which, in their opinion, are incorrect, they may submit a request to the municipality to correct it. This is a right of the data subject laid down in Article 16 AVG. The request will of course be processed with due observance of the restrictions laid down in legislation and regulations. If rectification actually takes place, the municipality will notify every recipient to whom personal data have been provided of this rectification, unless this is impossible or requires a disproportionate effort.

7.1.3.4 Right to data erasure / oblivion

In accordance with Article 17 AVG, data subjects have the right to request the municipality to delete excessive personal data if:

• personal data are no longer necessary for the purposes for which they were collected or otherwise processed (sub a);
• the data subject withdraws consent and no other legal basis for processing exists (sub b); 
• data subjects object to the processing and there are no compelling legitimate grounds for the processing that prevail (sub c); 
• the personal data have been unlawfully processed (subd);
• the law compels removal (sub e) and;
• data of children were collected in the context of information society services (sub (f)).

Erasure of data is not always mandatory, for example, when the data is necessary for the purposes for which it was processed. 

7.1.3.5 Right to restriction of processing.

The right to restriction means that the municipality may not process personal data (temporarily and under Requirements) and may not modify them. Under Article 18 AVG, a data subject may request restriction of processing in the following cases:

• the accuracy of the data is disputed by the person concerned (sub a);
• the data are unlawfully processed, but the data subject does not want the data deleted (sub b);
• the purposes have expired, but data subject still needs the data for the establishment, exercise or support of legal claims (sub c) and;
• in the case of a pending appeal (subd).

The individual should be informed before the blockade is lifted.

7.1.3.6 Right to portability/data portability

The right to data portability is laid down in Article 20 AVG and implies that a data subject has the right to obtain their personal data from a processing controller in structured, common and machine-readable form. The municipality is not required by the AVG to implement data portability. The right to data portability only exists when the processing is based on consent or an agreement and the processing is automated. Nevertheless, where appropriate, the municipality will make provisions for data portability.

7.1.3.7 Right to object.

A data subject has the right, due to reasons related to his/her specific situation, to ask the municipality to stop using his/her personal data and to object (which is not comparable to an objection under the Awb) to the processing of his/her personal data (Article 21 AVG). The municipality must comply with this unless there are legitimate grounds for the processing.

7.1.3.8 Right not to be subjected to automated individual decision-making/profiling 

The basic premise of Article 22 AVG is that no automated decision-making based on profiling may take place if it has legal consequences for the data subject (the person whose personal data is involved) or if the decision significantly affects him. This could include, for example, the creditworthiness of a person. Another example is the processing of job applications via the Internet without human intervention.

In three cases, however, automated individual decision-making is possible (second paragraph). This is the case when:

• it is necessary for the formation or performance of a contract (sub a);
• it is permitted by a provision of Union or Member State law (sub b) and;
• it relies on the explicit consent of the data subject (sub c).

7.2 Submission of request rights of data subject

In order to exercise his/her rights, the data subject may submit a request. This request can be made in writing or via a web form, which is accessible through the use of DigiD. The person making the request must always identify him/herself and be able to prove that the data that the person wishes to access, correct or delete actually belongs to him/her. In accordance with the AVG, the municipality has four weeks from receipt of the request to assess whether the request is justified. In complex situations, this period can be extended by two additional months. In case of overrun, the rules of the General Administrative Law Act (Awb) apply.

7.3 Complaint about the processing of personal data

Anyone who comes into contact with the municipality can express his dissatisfaction with the way in which an administrative body or an official of the municipality has behaved towards a natural or legal person in a certain matter. This is then a complaint as referred to in article 9:1 of the Awb. Complaints will be handled in accordance with the "Regulation on the handling of complaints by the Municipality of Leudal". Complaints will always be handled confidentially. This means that the personal data within the municipal organization will only be provided to those involved in handling the complaint.
If the complaint concerns the (suspected) processing of the data subject's own personal data in a way that violates privacy laws and regulations, the complaints coordinator will seek coordination with the FG.
The data subject (or his/her representative) may also submit his/her complaint in this regard or a request for mediation to the AP, Postbus 93374, 2509 AJ The Hague. For the sake of completeness, it is hereby mentioned that this does not concern the regular complaints procedure concerning the actions and conduct of representatives of the municipality.

The Police Data Act (Wpg) is a special law that applies to the processing of personal data for investigative tasks. Within the municipality of Leudal, boas are appointed who are charged with investigative tasks. Since March 2019, the Wpg has been applicable to data processed by boas for investigative duties. It follows from the Wpg that the employer of the boas is responsible for compliance with the Wpg; this makes the municipality of Leudal responsible for compliance with the Wpg. 

8.1 Boa domains and investigative authority

Each boa is assigned to one of the six domains listed in the "Regeling domeinlijsten buitengewoon opsporingsambtenaar. In addition to administrative law, the organization also uses criminal law instruments for supervision and enforcement. Therefore, within this task area, Boas have been appointed and the Wpg applies. The Municipality of Leudal has appointed Boas in four domains: 

• Domain I - Public Space - (Public Order Enforcement)
• domain II - Environment, welfare and infrastructure - (Environment)
• domain III - Education - (Compulsory education)
• Domain V * - Work, Income and Health - (Social Search). 

* Domain V (Work, Income and Health) does not fall under the processing responsibility of the Municipality of Leudal. For the (possible) processing of police data within this domain, the municipality of Leudal is in fact not a data controller, since a cooperation agreement has been concluded with the municipality of Weert. In this agreement it has been agreed that Weert takes care of the daily management and systems if the boa of domain V should proceed to criminal enforcement. This has not occurred in recent years. In view of the foregoing, it is not the municipality of Leudal, but the municipality of Weert that has processing responsibility for the Wpg within domain V.

Boas deal with different types of data and therefore have to deal with two laws when performing their work: the AVG and the Wpg. The AVG applies to data processing by boas in the context of their role as supervisors. Data that the boas process while performing their investigative duties as investigating officers fall under the scope of the Wpg.

8.2 Principles of application of the Wpg

The data protection principles below govern how the municipality processes police data under the Wpg. 

8.2.1 General provisions

1. To concretize the obligations of the Wpg, the municipality uses the Norea Control Framework. 
2. When processing police data, the Municipality of Leudal takes into account the Privacy-by-Design and Privacy-by-Default principles. In concrete terms, this is implemented by conducting DPIAs for the processing of police data. These DPIAs are reviewed every three years. 
3. Police data is not transferred to third countries. 
4. If the Municipality of Leudal uses suppliers/applications to process police data, processor agreements are entered into.  
5. The Municipality of Leudal does not use automated decision-making, including profiling. 
6. The municipality conducts an external audit every four years and an annual internal audit on police data processing. 
7. The Boas process police data in accordance with work instructions. 

8.2.2 Legality

1. The Municipality of Leudal processes police data on the basis of Article 8 Wpg (the daily police task).
2. The Municipality of Leudal does not process police data on the basis of: 
   • Article 7a (use of automated decision-making, including profiling);
   • Article 9 Wpg (investigation in a particular case);
   • Article 11 Wpg (automated comparison and combination search);
   • Article 13 Wpg (support tasks).
3. Police data are recorded correctly and completely. 
4. Police data are processed as necessary. 
5. When recording police data, the role of a data subject is made clear. For example, it is indicated whether the person is a suspect, witness, victim, convicted or other. 
6. When recording police data, a distinction is made between facts and personal judgment. 

8.2.3 Retention periods

1. Police records are not kept longer than necessary. 
2. Police data processed under Art. 8 Wpg are retained: 
   • to one year for performing daily police duties; 
   • then four years for targeted searches;
   • then five years for handling complaints and conducting audits. 

8.2.4 Rights of data subjects

1. Data subjects have a number of rights under the Wpg. These rights include the right to information, inspection, rectification and destruction. Data subjects can exercise their rights using the forms on the website of the municipality of Leudal.
2. The Municipality of Leudal has the right to reject Wpg requests if (Article 27 Wpg):  
   • the request would impede judicial investigations or proceedings; 
   • that adversely affects the prevention of the commission of crimes, detection, investigation, prosecution or imposition of penalties; 
   • public safety is at stake; 
   • the rights and freedoms of third parties are violated; 
   • national security is at stake; 
   • it is manifestly an unfounded or excessive request. 

8.2.5 Sharing of data

1. The Municipality of Leudal only makes police data available if there is a need for the recipient to know the police data in question.
2. The Municipality of Leudal provides police data only if the Police Data Act or Police Data Decree permit it. When providing, the receiving party is reminded of confidentiality.

8.2.6 Security

1. Access security is set up so that only Boas and authorized persons have access to police data. This access is monitored periodically. 
2. When sending police data, it is always sent securely. 

8.2.7 Roles and authority

1. The privacy officer shall take stock annually (whether or not jointly with the quality officer and/or privacy ambassadors) whether the scope of processing operations involving police data has changed. Based on this, this policy and the processing register are adjusted as necessary. 
2. The privacy officer is responsible for conducting/coordinating DPIAs. 
3. The privacy officer is responsible for conducting/coordinating the periodically required Wpg audits.
4. The FG oversees this policy and conducts the following audits annually: 
   1. random review of Process Minutes, at least annually, for the following criteria: 
      • Work in accordance with established work instructions; 
      • Adequate handling of goal binding; 
      • necessity, lawfulness, proper and complete processing of police data; 
      • Checking the assignment of authorizations. 
   2. verifies that mandatory Wpg audits are performed; 
5. monitors whether DPIAs are carried out, including checking whether the FG has been asked for advice. The team leader of the team that includes Boas is responsible for the implementation and execution of the Wpg and in that context his duties include the following: 
   • Bringing the handbook/ rules of conduct for Boas to the attention of employees and monitoring these rules of conduct; 
   • Establish work instructions, process descriptions and related documents; 
   • Contribute annually to raising awareness about the Wpg; 
   • Keeping the processing register up-to-date with regard to processing operations in the team; 
   • Maintain a list of common dispensations along with the rationale for the basis for the dispensation; 
6. Ensure that retention deadlines are met. The team leader of the team containing Boas has the following powers: 
   • making authorization decisions within the meaning of art 6, paragraphs 3, 4, 5 of the Wpg using the form "Authorization processing police data";
   • deciding on access to information systems containing police data, including establishing the authorization matrix for the information system that processes police data;
   • establishing other Wpg documentation, such as process descriptions and work instructions. 

This policy was adopted on December 12, 2023 by the College of Mayor and Aldermen of the Municipality of Leudal and takes effect immediately upon publication, simultaneously repealing the Privacy Policy Municipality of Leudal published on July 20, 2021.

Citation

This policy may be cited as "Privacy Policy Municipality of Leudal.

Thus adopted at the college meeting of December 12, 2023.