1.1. Data processing – PROFILE ANALYSIS
FILES WITH ASSOCIATED DATA
Course participants.
Council members.
Web user: Users and collaborators
Members of Continental Councils for Juvenile Justice
Candidates
Researchers
Employees, interns, volunteers and freelancers
Suppliers
Project partners
AUTOMATED ARCHIVING
Profile analysis database
PERSONALLY IDENTIFIABLE DATA CATEGORIES
PERSONALLY IDENTIFIABLE DATA CATEGORIES
Name and surname
Postal address
Telephone number
Publications
Fax
NON-SENSITIVE DATA CATEGORIES
Personal characteristics
Employment information
DATA ORIGIN
The data subject or their legal representative
DATA SUBJECT COLLECTIVES OR CATEGORIES
Course participants.
Council members.
Web user: Users and collaborators
Members of Continental Councils for Juvenile Justice
Candidates
Researchers
Employees, interns, volunteers and freelancers
Suppliers
Project partners
ASSIGNMENT ADDRESSEE CATEGORIES
European Union organisations: European Commission
Coordinating partner of a project
OTHER PEOPLE/BODIES RESPONSIBLE FOR DATA PROCESSING
Fundación Diagrama: Avenida Ciudad de Almería 10, Murcia, España
INTERNATIONAL DATA TRANSFERS
Any movement of personal data by the association is carried out between Belgium and Spain for various reasons:
- The Observatory’s headquarters is located in Belgium.
- The financing of the Organisation is mainly based on European grants and subsidies, and these investments have to be justified by providing the corresponding documentation to Belgium.
- Fundación Diagrama, who is a data processer, provides this service from Spain.
OBJECTIVES
Profile analysis is a method of compiling the personal requisites and qualifications required for the most satisfactory adaptation of the IJJO’s webpage, as well as the sending of communications regarding events, publications, projects, etc.
In this case, once this information has been compiled, a series of solutions and personalised programmes will be designed, focussed on the improvement of the Observatory’s website for users and collaborators.
In addition, profiles of members of the Continental Councils for Juvenile Justice are divided depending on their professional sector, in order to classify them for future collaborations or to publicise their belonging to the Council as members.
Moreover, participants in events have their profiles analysed in order to provide concrete data to the EU Commission that shows these events are reaching the targeted profiles.
In addition, candidates profiles are analysed to see if they fit the profile that the IJJO is looking to hire for a position or job.
Moreover, suppliers’ profiles are analysed to see if they comply for the requirements of the service.
In addition, employee’s profiles are analysed in order to comply with work regulations and organise them by department.
In addition, project partner’s proles are analysed in order to classify them by professional sector and the activities that they carry out.
DATA CONSERVATION TIME LIMITS
Data will be conserved for the length of time necessary to fulfil the objective for which it was collected, and to determine the possible responsibilities that may stem from said objective and from the data processing. Filing and documentation regulations will be applicable.
TECHNICAL AND ORGANISATIONAL MEASURES
SERVER
Access control
Physical access control
Backup copies and recovery
Management and distribution of media
Identification and authentication
Access log
LEGAL BASIS
Consent of data subject
Legitimate interest of Data Controller or of a third party
1.2. Data processing – ATTENTION TO PERSONAL RIGHTS
FILES WITH ASSOCIATED DATA
Course participants.
Council members.
Web user: Users and collaborators
Members of Continental Councils for Juvenile Justice
Candidates
Researchers
Employees, interns, volunteers and freelancers
Suppliers
Project partners
AUTOMATED ARCHIVING
Profile analysis database
Client, accounting, fiscal and administrative management database
Human resources database
Other objectives database
Associative, cultural, recreational, sporting and social activities management database
PERSONAL DATA CATEGORIES
PERSONALLY IDENTIFIABLE DATA CATEGORIES
NIF/DNI/ID/Passport number
Name and surname
Postal address
NON-SENSITIVE DATA CATEGORIES
Personal characteristics
Academic and professional
Employment information
Economic, financial and insurance
DATA ORIGIN
The data subject or their legal representative
DATA SUBJECT COLLECTIVES OR CATEGORIES
Employees
Users or collaborators
Students
ASSIGNMENT ADDRESSEE CATEGORIES
Public administration with relevant competence: Belgian Data Protection Authority
OTHER PEOPLE/BODIES RESPONSIBLE FOR DATA PROCESSING
Fundación Diagrama: Avenida Ciudad de Almería 10, Murcia, España
OBJECTIVES
Any data subject has a right to obtain information on the processing of their data as carried out by the IJJO. Any data subject has the right to access their personal data transparently, as well as to request rectification of incorrect data, or, if relevant, to request its deletion when, amongst other reasons, the data is no longer necessary for the objectives for which it was collected.
In certain circumstances, the data subject may be able to ask for the limitation of the processing of their data, in which case it will only be retained for the exercise or defence of claims.
In certain circumstances and for reasons related to their particular situation, the data subject may be able to object to the processing of their data. The IJJO will then stop processing the data, except for urgent legitimate reasons, or for the exercise or defence of possible claims.
The data subjects will also have right to the portability of their personal data.
The data subject has the right to withdraw their consent to receive the information bulletin at any time, without affecting the lawfulness of the data processing prior to the withdrawal of consent.
The data subject can make a complaint to the Belgian Data Protection Authority, especially when they are not satisfied with the IJJO’s treatment of their rights.
DATA CONSERVATION TIME LIMITS
The party responsible for the file will deal with the access request within a maximum of one month from the receipt of the request. This will come into effect within 10 working days of communication of the resolution.
TECHNICAL AND ORGANISATIONAL MEASURES
SERVER
Access control
Physical access control
Backup copies and recovery
Management and distribution of media
Identification and authentication
Access log
LEGAL BASIS
Consent of data subject
Fulfilment of a legal obligation
INTERNATIONAL DATA TRANSFERS
Any movement of personal data by the association is carried out between Belgium and Spain for various reasons:
- The Observatory’s headquarters is located in Belgium.
- The financing of the Organisation is mainly based on European grants and subsidies, and these investments have to be justified by providing the corresponding documentation to Belgium.
- Fundación Diagrama, who is a data processer, provides this service from Spain.
1.3. Data processing - ACCOUNTING, FISCAL AND ADMINISTRATIVE MANAGEMENT.
FILES WITH ASSOCIATED DATA
Accounting and invoicing
AUTOMATED ARCHIVING
Client, accounting, fiscal and administrative management database
PERSONAL DATA CATEGORIES
PERSONALLY IDENTIFIABLE DATA CATEGORIES
NIF/DNI/ID/Passport number
Name and surname
Postal address
Phone
Signature
Fax
NON-SENSITIVE DATA CATEGORIES
Personal characteristics
Economic, financial and insurance
DATA ORIGIN
The data subject or their legal representative
DATA SUBJECT COLLECTIVES OR CATEGORIES
Employees
Suppliers
Project partners
ASSIGNMENT ADDRESSEE CATEGORIES
European Union organisations: European commission and Coordinating Partner of European Projects
OTHER PEOPLE/BODIES RESPONSIBLE FOR DATA PROCESSING
KPMG: Rue Emile Francqui 11, 1435 Mont-Saint-Guibert, Belgium
Fundación Diagrama: Avenida Ciudad de Almería 10, Murcia, España
Assurteam: Rue Paul Wemaere 4, 1150 Woluwe-Saint-Pierre, Bélgica
INTERNATIONAL DATA TRANSFERS
Any movement of personal data by the association is carried out in Belgium for two reasons:
- The Observatory’s headquarters is located in this European country.
- The financing of the Organisation is mainly based on European grants and subsidies, and these investments have to be justified by providing the corresponding documentation
OBJECTIVES
Management of users and invoicing, management of collections and payments, payment delay control, collection of charges, accounting document management and VAT.
DATA CONSERVATION TIME LIMITS
Data will be kept for a period of 5 years if it refers to the fulfilment of payment obligations over years or shorter timeframes. (Art. 1966 CC). According to invoicing regulations, invoices will be kept for 5 years from their issue.
LEGAL BASIS
Consent of data subject
Execution of a contract of which the data subject is part
Legitimate interest of Data Controller or of a third party
TECHNICAL AND ORGANISATIONAL MEASURES
SERVER
Access control
Physical access control
Backup copies and recovery
Management and distribution of media
Identification and authentication
Access log
INTERNATIONAL DATA TRANSFERS
Any movement of personal data by the association is carried out between Belgium and Spain for various reasons:
- The Observatory’s headquarters is located in Belgium.
- The financing of the Organisation is mainly based on European grants and subsidies, and these investments have to be justified by providing the corresponding documentation to Belgium.
- Fundación Diagrama, who is a data processer, provides this service from Spain.
1.4. Data processing - CV MANAGEMENT
FILES WITH ASSOCIATED DATA
Candidates
Researchers who apply for the publication of their research
AUTOMATED ARCHIVING
Human resources database
PERSONAL DATA CATEGORIES
PERSONALLY IDENTIFIABLE DATA CATEGORIES
Name and surname
Postal address
Publications
Phone
Photograph
Signature
NON-SENSITIVE DATA CATEGORIES
Academic and professional
OTHER PARTIES RESPONSIBLE FOR DATA PROCESSING
Coordinating Partner of European Project - Received Services
Fundación Diagrama: Avenida Ciudad de Almería 10, Murcia, España
OBJECTIVES
The candidates’ initial data in application to a job post (CV and cover letter) will be collected in order to classify, select and reject future members of the Organization, as well as interns, volunteers or freelancers, on the basis of their knowledge and educational training.
DATA CONSERVATION TIME LIMITS
Data will be conserved for the length of time necessary to fulfil the objective for which it was collected, and to determine the possible responsibilities that may stem from said objective and from the data processing. Filing and documentation regulations will be applicable. If the data subject offering the CV is removed from the selection process, the CV will have to be destroyed within a reasonable period of time, unless consent has been for its permanent storage. The law does not indicate an exact period, but the period established by companies for the storage of such data is usually around six months. In the case that the candidate is not selected, the IJJO will be able to keep their CV for a maximum of two years to include it in future campaigns, unless the candidate is opposed to this.
TECHNICAL AND ORGANISATIONAL MEASURES
SERVER
Access control
Physical access control
Backup copies and recovery
Management and distribution of media
Identification and authentication
Access log
LEGAL BASIS
Consent of data subject
Legitimate interest of Data Controller or of a third party
INTERNATIONAL DATA TRANSFERS
Any movement of personal data by the association is carried out between Belgium and Spain for various reasons:
- The Observatory’s headquarters is located in Belgium.
- The financing of the Organisation is mainly based on European grants and subsidies, and these investments have to be justified by providing the corresponding documentation to Belgium.
- Fundación Diagrama, who is a data processer, provides this service from Spain.
1.5. Data processing - MANAGEMENT OF SUPPLIERS
FILES WITH ASSOCIATED DATA
Freelancers
Suppliers
AUTOMATED ARCHIVING
Other objectives database
PERSONAL DATA CATEGORIES
PERSONALLY IDENTIFIABLE DATA CATEGORIES
Name and surname
Postal address
Phone
Signature
Fax
NON-SENSITIVE DATA CATEGORIES
Economic, financial and insurance
Other data types: Email
DATA ORIGIN
The data subject or their legal representative
DATA SUBJECT COLLECTIVES OR CATEGORIES
Suppliers
ASSIGNMENT ADDRESSEE CATEGORIES
European Union organisations: European Commission
Banks and building societies: Bank
OTHER PARTIES RESPONSIBLE FOR DATA PROCESSING
KPMG: Rue Emile Francqui 11, 1435 Mont-Saint-Guibert, Belgium
Fundación Diagrama: Avenida Ciudad de Almería 10, Murcia, España
OBJECTIVES
The organisations will process the personal data of their Suppliers and the people with whom they have commercial relations with the objective of fulfilling the obligations of these relations. In relation to the Suppliers, such obligations include: evaluating their performance; establishing, managing or ending commercial relations or verifying references; providing business metrics, and any other obligations as established in the agreements or contracts that they have with the respective Supplier. The processing of data collected for the purpose of the subject of this paragraph will be carried out and will remain legitimate as long as the objective for which it was collected is maintained.
DATA CONSERVATION TIME LIMITS
Data will be kept for a period of 5 years if it refers to the fulfilment of payment obligations over years or shorter timeframes. (Art. 1966 CC). According to invoicing regulations, invoices will be kept for 5 years from their issue.
TECHNICAL AND ORGANISATIONAL MEASURES
SERVER
Access control
Physical access control
Backup copies and recovery
Management and distribution of media
Identification and authentication
Access log
LEGAL BASIS
Execution of a contract of which the data subject is part
INTERNATIONAL DATA TRANSFERS
Any movement of personal data by the association is carried out between Belgium and Spain for various reasons:
- The Observatory’s headquarters is located in Belgium.
- The financing of the Organisation is mainly based on European grants and subsidies, and these investments have to be justified by providing the corresponding documentation to Belgium.
- Fundación Diagrama, who is a data processer, provides this service from Spain.
1.6. Data processing - NOTIFICATION OF A PERSONAL DATA SECURITY BREACH UNDER GDPR
FILES WITH ASSOCIATED DATA
Course participants.
Council members.
Web user: Users and collaborators
Members of Continental Councils for Juvenile Justice
Candidates
Researchers
Employees, interns, volunteers and freelancers
Suppliers
Project partners
AUTOMATED ARCHIVING
Profile analysis database<
Client, accounting, fiscal and administrative management database
Human resources database
Other objectives database
Associative, cultural, recreational, sporting and social activities management database
PERSONAL DATA CATEGORIES
PERSONALLY IDENTIFIABLE DATA CATEGORIES
NIF/DNI/ID/Passport number
Name and surname
Postal address
Phone
Signature
Photograph
NON-SENSITIVE DATA CATEGORIES
Personal characteristics
Academic and professional
Employment information
Economic, financial and insurance
DATA ORIGIN
The data subject or their legal representative
DATA SUBJECT COLLECTIVES OR CATEGORIES
Employees
Users or collaborators
Students
ASSIGNMENT ADDRESSEE CATEGORIES
Public administration with relevant competence: Belgian Data Protection Authority
OBJECTIVES
GDPR defines a data security breach very widely as any incident stemming from the destruction, loss, or accidental or illicit modification of personal data which has been collected, stored or processed in any other way, or the communication of or unauthorized access to this data.
Incidents like the loss of a laptop, the unauthorized access to an organisation’s databases (even by its own personnel), or the accidental deletion of access logs are considered security breaches under GDPR and therefore must be treated as indicated by the Regulation.
DATA CONSERVATION TIME LIMITS
In the case of a personal data security breach, the party responsible for data processing will notify the competent control authority in accordance with article 55 without undue delay and, if possible, within 72 hours at the latest following the incident, unless it is unlikely that the security breach constitutes a risk to the rights and freedoms of people involved. If the control authority is not notified within a period of 72 hours, it must be accompanied by an indication of the reasons for the delay.
TECHNICAL AND ORGANISATIONAL MEASURES
SERVER
Access control
Physical access control
Backup copies and recovery
Management and distribution of media
Identification and authentication
Access log
LEGAL BASIS
Fulfilment of a legal obligation
OTHER PARTIES RESPONSIBLE FOR DATA PROCESSING
Fundación Diagrama: Avenida Ciudad de Almería 10, Murcia, España
INTERNATIONAL DATA TRANSFERS
Any movement of personal data by the association is carried out between Belgium and Spain for various reasons:
- The Observatory’s headquarters is located in Belgium.
- The financing of the Organisation is mainly based on European grants and subsidies, and these investments have to be justified by providing the corresponding documentation to Belgium.
- Fundación Diagrama, who is a data processer, provides this service from Spain.
1.7. Data processing - WEB CONSULTATIONS PROCESSING
FILES WITH ASSOCIATED DATA
Web user: users and collaborators
Non-registered user
AUTOMATED ARCHIVING
Web consulting database
PERSONAL DATA CATEGORIES
PERSONALLY IDENTIFIABLE DATA CATEGORIES
Name and surname
CATEGORÍAS DE DATOS NO SENSIBLES
Características personales
DATA ORIGIN
The data subject or their legal representative
DATA SUBJECT COLLECTIVES OR CATEGORIES
Web user: users and collaborators
Non-registered user
OBJECTIVES
Management of consultations, which can be sent through the webpage https://www.oijj.org/en/form/contact-us
DATA CONSERVATION TIME LIMITS
Data will be stored for the time period necessary to fulfil the objective for which they were collected. The personal data of web users for the transfer of information relative to the Observatory will be kept until consent is withdrawn.
TECHNICAL AND ORGANISATIONAL MEASURES
SERVER
Access control
Physical access control
Backup copies and recovery
Management and distribution of media
Identification and authentication
Access log
LEGAL BASIS
Express consent of the data subject GDPR art. 6.1.a)
Satisfaction of the legitimate interests pursued by the party responsible for data processing, as it is important to resolve questions raised in order to promote themselves or to help potential clients GDPR 6.1. f)
OTHER PARTIES RESPONSIBLE FOR DATA PROCESSING
Fundación Diagrama: Avenida Ciudad de Almería 10, Murcia, España
INTERNATIONAL DATA TRANSFERS
Any movement of personal data by the association is carried out between Belgium and Spain for various reasons:
- The Observatory’s headquarters is located in Belgium.
- The financing of the Organisation is mainly based on European grants and subsidies, and these investments have to be justified by providing the corresponding documentation to Belgium.
- Fundación Diagrama, who is a data processer, provides this service from Spain.
1.8. Data processing – USERS, PARTICIPANTS, PARTNERS
FILES WITH ASSOCIATED DATA
Course participants, project partners and web users: users and collaborators
Events participants
Online course participants
Members of Continental Councils for Juvenile Justices
DATA PROCESSING SYSTEM
AUTOMATED
PERSONAL DATA CATEGORIES
PERSONALLY IDENTIFIABLE DATA CATEGORIES
NIF/DNI/ID/Passport number
Name and surname
Postal address
Phone
Publications
Signature
NON-SENSITIVE DATA CATEGORIES
Personal characteristics
Academic and professional
DATA ORIGIN
The data subject or their legal representative
DATA SUBJECT COLLECTIVES OR CATEGORIES
Clients and users
Partners and members
ASSIGNMENT ADDRESSEE CATEGORIES
European Union organisations: European Commission and Coordinating Partner of European Project
INTERNATIONAL DATA TRANSFERS
Any movement of personal data by the association is carried out between Belgium and Spain for the following reasons:
- The Observatory’s headquarters is located in Belgium.
- Fundación Diagrama, responsible of data processing, provides its service in Spain.
- The computer servers used for data storage are located in Spain.
- The financing of the Organisation is mainly based on European grants and subsidies, and these investments have to be justified by providing the corresponding documentation to Belgium.
OBJECTIVES
Data processing is mandatory to the global management of all organization users in its non-economic activities.
TECHNICAL AND ORGANISATIONAL MEASURES
SERVER
Access control
Physical access control
Backup copies and recovery
Management and distribution of media
Identification and authentication
Access log
LEGAL BASIS
Consent of data subject
Legitimate interest of Data Controller or of a third party
OTHER PARTIES RESPONSIBLE FOR DATA PROCESSING
Fundación Diagrama: Avenida Ciudad de Almería 10, Murcia, España
1.9. Data processing – HUMAN RESOURCES
FILES WITH ASSOCIATED DATA
Employees
Interns and volunteers
Freelancers
DATA PROCESSING SYSTEM
MIXED
PERSONAL DATA CATEGORIES
PERSONALLY IDENTIFIABLE DATA CATEGORIES
NIF/DNI/ID/Passport number
Name and surname
Postal address
Signature
Phone
NON-SENSITIVE DATA CATEGORIES
Academic and professional
Economic, financial and insurance
DATA ORIGIN
The data subject or their legal representative
DATA SUBJECT COLLECTIVES OR CATEGORIES
Employees
Interns and volunteers
ASSIGNMENT ADDRESSEE CATEGORIES
Other public administration entities responsible
Social security organisations
European Union organisations: European Commission and Coordinating Partner of European Project
OTHER PARTIES RESPONSIBLE FOR DATA PROCESSING
Assurteam - Received Services
Group S (secrétariat social agréé d'employeurs) - Received Services
Coordinating Partner of European Project - Received Services
Fundación Diagrama: Avenida Ciudad de Almería 10, Murcia, España
INTERNATIONAL DATA TRANSFERS
Any movement of personal data by the association is carried out between Belgium and Spain for the following reasons:
- The Observatory’s headquarters is located in Belgium.
- Fundación Diagrama, responsible of data processing, provides its service in Spain.
- The computer servers used for data storage are located in Spain.
- The financing of the Organisation is mainly based on European grants and subsidies, and these investments have to be justified by providing the corresponding documentation to Belgium.
OBJECTIVES
An organisation’s human capital management in order to increase its productivity.
Personnel management (certificates of discharge, sickness leaves, business trips and hotel nights, advances, times off, holidays and any other aspect related to the work world), selection, promotion and/or training programmes, benefits, and other remunerations.
DATA CONSERVATION TIME LIMITS
Hereunder, some of the mandatory minimum data conservation time limits :
- Payroll records: 5 year minimum
- National Insurance contributions statement: 5 years minimum.
- Contract of employment: A 4 year minimum is required upon termination but we choose to use a 6 year time limit.
- Foreign citizens’ identification documents copies: 4 year minimum.
- Career development and training programmes: 4 year minimum.
- Rejected candidates data: 3 year minimum.
- Temporary workers data: 4 year minimum.
- Labour Law violations reports: 3 year minimum.
TECHNICAL AND ORGANISATIONAL MEASURES
SERVER (automated)
Access control
Physical access control
Backup copies and recovery
Management and distribution of media
Identification and authentication
Access log
PAPER ARCHIVES (nonautomated)
Resource access
Data storage
Access control
Copy or reproduction. Copy or reproduction control
Copy or reproduction. Destruction
Medium and documents management
Access log
Resource transfer
LEGAL BASIS
Fulfilment of a legal obligation
Execution of a contract of which the data subject is part