Privacy & Data Protection (AVG/GDPR)

Conduction processes personal data in two roles:

  • Data processor — when we process data on behalf of our clients (e.g. hosting government applications)
  • Data controller — when we process data for our own purposes (e.g. employee data, client contact details)

Employee Obligations

Every employee who handles personal data must:

  • Process personal data only for the purpose it was collected
  • Never store personal data locally on your device — use Google Drive or the approved systems
  • Never share personal data via Slack, email, or other unencrypted channels
  • Report any suspected data breach immediately via the incident reporting procedure
  • Delete downloaded documents containing personal data from your laptop within 5 days

For detailed security practices (passwords, clean desk, VPN, encryption), see the Security Policy.

Processing Register (AVG Article 30)

Conduction maintains a processing register documenting all personal data processing activities. The register is maintained internally and reviewed annually. Contact the Quality & Safety Lead for access.

Data Subject Rights

Individuals have the right to request access to, correction of, or deletion of their personal data. Requests are handled via info@conduction.nl. The procedure for receiving and processing such requests is documented internally.

Data Breach Notification

In case of a personal data breach:

  1. Report immediately via the incident reporting procedure (label: security-incident)
  2. The Quality & Safety Lead assesses whether notification to the Autoriteit Persoonsgegevens is required (within 72 hours per AVG Article 33)
  3. If the breach poses a high risk to individuals, those individuals are notified

Supplier Data Assessment

Suppliers with access to personal data are assessed on:

  • Data sovereignty — is data stored within the EEA?
  • CLOUD Act exposure — is the supplier subject to non-EU data access laws?
  • ISO certification — does the supplier hold ISO 27001 or equivalent?
  • Privacy compliance — is there a data processing agreement in place?

The supplier evaluation register is maintained internally and reviewed during MT quality meetings (April and September).

Key Documents (Internal)

The following documents are maintained on the internal ISO drive:

  • AVG handboek — comprehensive data protection manual
  • Processing register — all processing activities documented
  • Data processing agreements — with each supplier
  • AVG verklaring — public-facing privacy statement

AVG/GDPR reference: Articles 5, 6, 13-22, 28, 30, 32-34

ISO 27001:2022 reference: A.5.34 — Privacy and protection of PII