Data processing

1.1. Data processing – PROFILE ANALYSIS

FILES WITH ASSOCIATED DATA

Course participants.

Council members.

Web user: Users and collaborators

Members of Continental Councils for Juvenile Justice

Candidates

Researchers

Employees, interns, volunteers and freelancers

Suppliers

Project partners

AUTOMATED ARCHIVING

Profile analysis database

PERSONALLY IDENTIFIABLE DATA CATEGORIES

PERSONALLY IDENTIFIABLE DATA CATEGORIES

Name and surname

Postal address

Telephone number

Email

Publications

Fax

NON-SENSITIVE DATA CATEGORIES

Personal characteristics

Employment information

DATA ORIGIN

The data subject or their legal representative

DATA SUBJECT COLLECTIVES OR CATEGORIES

Course participants.

Council members.

Web user: Users and collaborators

Members of Continental Councils for Juvenile Justice

Candidates

Researchers

Employees, interns, volunteers and freelancers

Suppliers

Project partners

ASSIGNMENT ADDRESSEE CATEGORIES

European Union organisations: European Commission

Coordinating partner of a project

OTHER PEOPLE/BODIES RESPONSIBLE FOR DATA PROCESSING

Fundación Diagrama: Avenida Ciudad de Almería 10, Murcia, España

INTERNATIONAL DATA TRANSFERS

Any movement of personal data by the association is carried out between Belgium and Spain for various reasons:

  • The Observatory’s headquarters is located in Belgium.
  • The financing of the Organisation is mainly based on European grants and subsidies, and these investments have to be justified by providing the corresponding documentation to Belgium.
  • Fundación Diagrama, who is a data processer, provides this service from Spain.

OBJECTIVES

Profile analysis is a method of compiling the personal requisites and qualifications required for the most satisfactory adaptation of the IJJO’s webpage, as well as the sending of communications regarding events, publications, projects, etc.

In this case, once this information has been compiled, a series of solutions and personalised programmes will be designed, focussed on the improvement of the Observatory’s website for users and collaborators.

In addition, profiles of members of the Continental Councils for Juvenile Justice are divided depending on their professional sector, in order to classify them for future collaborations or to publicise their belonging to the Council as members.

Moreover, participants in events have their profiles analysed in order to provide concrete data to the EU Commission that shows these events are reaching the targeted profiles.

In addition, candidates profiles are analysed to see if they fit the profile that the IJJO is looking to hire for a position or job.

Moreover, suppliers’ profiles are analysed to see if they comply for the requirements of the service.

In addition, employee’s profiles are analysed in order to comply with work regulations and organise them by department.

In addition, project partner’s proles are analysed in order to classify them by professional sector and the activities that they carry out.

DATA CONSERVATION TIME LIMITS

Data will be conserved for the length of time necessary to fulfil the objective for which it was collected, and to determine the possible responsibilities that may stem from said objective and from the data processing. Filing and documentation regulations will be applicable.

TECHNICAL AND ORGANISATIONAL MEASURES

SERVER

Access control

Physical access control

Backup copies and recovery

Management and distribution of media

Identification and authentication

Access log

LEGAL BASIS

Consent of data subject

Legitimate interest of Data Controller or of a third party

1.2. Data processing – ATTENTION TO PERSONAL RIGHTS

FILES WITH ASSOCIATED DATA

Course participants.

Council members.

Web user: Users and collaborators

Members of Continental Councils for Juvenile Justice

Candidates

Researchers

Employees, interns, volunteers and freelancers

Suppliers

Project partners

AUTOMATED ARCHIVING

Profile analysis database

Client, accounting, fiscal and administrative management database

Human resources database

Other objectives database

Associative, cultural, recreational, sporting and social activities management database

PERSONAL DATA CATEGORIES

PERSONALLY IDENTIFIABLE DATA CATEGORIES

NIF/DNI/ID/Passport number

Name and surname

Postal address

NON-SENSITIVE DATA CATEGORIES

Personal characteristics

Academic and professional

Employment information

Economic, financial and insurance

DATA ORIGIN

The data subject or their legal representative

DATA SUBJECT COLLECTIVES OR CATEGORIES

Employees

Users or collaborators

Students

ASSIGNMENT ADDRESSEE CATEGORIES

Public administration with relevant competence: Belgian Data Protection Authority

OTHER PEOPLE/BODIES RESPONSIBLE FOR DATA PROCESSING

Fundación Diagrama: Avenida Ciudad de Almería 10, Murcia, España

OBJECTIVES

Any data subject has a right to obtain information on the processing of their data as carried out by the IJJO. Any data subject has the right to access their personal data transparently, as well as to request rectification of incorrect data, or, if relevant, to request its deletion when, amongst other reasons, the data is no longer necessary for the objectives for which it was collected.

In certain circumstances, the data subject may be able to ask for the limitation of the processing of their data, in which case it will only be retained for the exercise or defence of claims.

In certain circumstances and for reasons related to their particular situation, the data subject may be able to object to the processing of their data. The IJJO will then stop processing the data, except for urgent legitimate reasons, or for the exercise or defence of possible claims.

The data subjects will also have right to the portability of their personal data.

The data subject has the right to withdraw their consent to receive the information bulletin at any time, without affecting the lawfulness of the data processing prior to the withdrawal of consent.

The data subject can make a complaint to the Belgian Data Protection Authority, especially when they are not satisfied with the IJJO’s treatment of their rights.

DATA CONSERVATION TIME LIMITS

The party responsible for the file will deal with the access request within a maximum of one month from the receipt of the request. This will come into effect within 10 working days of communication of the resolution.

TECHNICAL AND ORGANISATIONAL MEASURES

SERVER

Access control

Physical access control

Backup copies and recovery

Management and distribution of media

Identification and authentication

Access log

LEGAL BASIS

Consent of data subject

Fulfilment of a legal obligation

INTERNATIONAL DATA TRANSFERS

Any movement of personal data by the association is carried out between Belgium and Spain for various reasons:

  • The Observatory’s headquarters is located in Belgium.
  • The financing of the Organisation is mainly based on European grants and subsidies, and these investments have to be justified by providing the corresponding documentation to Belgium.
  • Fundación Diagrama, who is a data processer, provides this service from Spain.

1.3. Data processing - ACCOUNTING, FISCAL AND ADMINISTRATIVE MANAGEMENT.

FILES WITH ASSOCIATED DATA

Accounting and invoicing

AUTOMATED ARCHIVING

Client, accounting, fiscal and administrative management database

PERSONAL DATA CATEGORIES

PERSONALLY IDENTIFIABLE DATA CATEGORIES

NIF/DNI/ID/Passport number

Name and surname

Postal address

Phone

Email

Signature

Fax

NON-SENSITIVE DATA CATEGORIES

Personal characteristics

Economic, financial and insurance

DATA ORIGIN

The data subject or their legal representative

DATA SUBJECT COLLECTIVES OR CATEGORIES

Employees

Suppliers

Project partners

ASSIGNMENT ADDRESSEE CATEGORIES

European Union organisations: European commission and Coordinating Partner of European Projects

OTHER PEOPLE/BODIES RESPONSIBLE FOR DATA PROCESSING

KPMG: Rue Emile Francqui 11, 1435 Mont-Saint-Guibert, Belgium

Fundación Diagrama: Avenida Ciudad de Almería 10, Murcia, España

Assurteam: Rue Paul Wemaere 4, 1150 Woluwe-Saint-Pierre, Bélgica

INTERNATIONAL DATA TRANSFERS

Any movement of personal data by the association is carried out in Belgium for two reasons:

  • The Observatory’s headquarters is located in this European country.
  • The financing of the Organisation is mainly based on European grants and subsidies, and these investments have to be justified by providing the corresponding documentation

OBJECTIVES

Management of users and invoicing, management of collections and payments, payment delay control, collection of charges, accounting document management and VAT.

DATA CONSERVATION TIME LIMITS

Data will be kept for a period of 5 years if it refers to the fulfilment of payment obligations over years or shorter timeframes. (Art. 1966 CC). According to invoicing regulations, invoices will be kept for 5 years from their issue.

LEGAL BASIS

Consent of data subject

Execution of a contract of which the data subject is part

Legitimate interest of Data Controller or of a third party

TECHNICAL AND ORGANISATIONAL MEASURES

SERVER

Access control

Physical access control

Backup copies and recovery

Management and distribution of media

Identification and authentication

Access log

INTERNATIONAL DATA TRANSFERS

Any movement of personal data by the association is carried out between Belgium and Spain for various reasons:

  • The Observatory’s headquarters is located in Belgium.
  • The financing of the Organisation is mainly based on European grants and subsidies, and these investments have to be justified by providing the corresponding documentation to Belgium.
  • Fundación Diagrama, who is a data processer, provides this service from Spain.

1.4. Data processing - CV MANAGEMENT

FILES WITH ASSOCIATED DATA

Candidates

Researchers who apply for the publication of their research

AUTOMATED ARCHIVING

Human resources database

PERSONAL DATA CATEGORIES

PERSONALLY IDENTIFIABLE DATA CATEGORIES

Name and surname

Postal address

Publications

Phone

Photograph

Email

Signature

NON-SENSITIVE DATA CATEGORIES

Academic and professional

OTHER PARTIES RESPONSIBLE FOR DATA PROCESSING

Coordinating Partner of European Project - Received Services

Fundación Diagrama: Avenida Ciudad de Almería 10, Murcia, España

OBJECTIVES

The candidates’ initial data in application to a job post (CV and cover letter) will be collected in order to classify, select and reject future members of the Organization, as well as interns, volunteers or freelancers, on the basis of their knowledge and educational training.

DATA CONSERVATION TIME LIMITS

Data will be conserved for the length of time necessary to fulfil the objective for which it was collected, and to determine the possible responsibilities that may stem from said objective and from the data processing. Filing and documentation regulations will be applicable. If the data subject offering the CV is removed from the selection process, the CV will have to be destroyed within a reasonable period of time, unless consent has been for its permanent storage. The law does not indicate an exact period, but the period established by companies for the storage of such data is usually around six months. In the case that the candidate is not selected, the IJJO will be able to keep their CV for a maximum of two years to include it in future campaigns, unless the candidate is opposed to this.

TECHNICAL AND ORGANISATIONAL MEASURES

SERVER

Access control

Physical access control

Backup copies and recovery

Management and distribution of media

Identification and authentication

Access log

LEGAL BASIS

Consent of data subject

Legitimate interest of Data Controller or of a third party

INTERNATIONAL DATA TRANSFERS

Any movement of personal data by the association is carried out between Belgium and Spain for various reasons:

  • The Observatory’s headquarters is located in Belgium.
  • The financing of the Organisation is mainly based on European grants and subsidies, and these investments have to be justified by providing the corresponding documentation to Belgium.
  • Fundación Diagrama, who is a data processer, provides this service from Spain.

1.5. Data processing - MANAGEMENT OF SUPPLIERS

FILES WITH ASSOCIATED DATA

Freelancers

Suppliers

AUTOMATED ARCHIVING

Other objectives database

PERSONAL DATA CATEGORIES

PERSONALLY IDENTIFIABLE DATA CATEGORIES

Name and surname

Postal address

Phone

Email

Signature

Fax

NON-SENSITIVE DATA CATEGORIES

Economic, financial and insurance

Other data types: Email

DATA ORIGIN

The data subject or their legal representative

DATA SUBJECT COLLECTIVES OR CATEGORIES

Suppliers

ASSIGNMENT ADDRESSEE CATEGORIES

European Union organisations: European Commission

Banks and building societies: Bank

OTHER PARTIES RESPONSIBLE FOR DATA PROCESSING

KPMG: Rue Emile Francqui 11, 1435 Mont-Saint-Guibert, Belgium

Fundación Diagrama: Avenida Ciudad de Almería 10, Murcia, España

OBJECTIVES

The organisations will process the personal data of their Suppliers and the people with whom they have commercial relations with the objective of fulfilling the obligations of these relations. In relation to the Suppliers, such obligations include: evaluating their performance; establishing, managing or ending commercial relations or verifying references; providing business metrics, and any other obligations as established in the agreements or contracts that they have with the respective Supplier. The processing of data collected for the purpose of the subject of this paragraph will be carried out and will remain legitimate as long as the objective for which it was collected is maintained.

DATA CONSERVATION TIME LIMITS

Data will be kept for a period of 5 years if it refers to the fulfilment of payment obligations over years or shorter timeframes. (Art. 1966 CC). According to invoicing regulations, invoices will be kept for 5 years from their issue.

TECHNICAL AND ORGANISATIONAL MEASURES

SERVER

Access control

Physical access control

Backup copies and recovery

Management and distribution of media

Identification and authentication

Access log

LEGAL BASIS

Execution of a contract of which the data subject is part

INTERNATIONAL DATA TRANSFERS

Any movement of personal data by the association is carried out between Belgium and Spain for various reasons:

  • The Observatory’s headquarters is located in Belgium.
  • The financing of the Organisation is mainly based on European grants and subsidies, and these investments have to be justified by providing the corresponding documentation to Belgium.
  • Fundación Diagrama, who is a data processer, provides this service from Spain.

1.6. Data processing - NOTIFICATION OF A PERSONAL DATA SECURITY BREACH UNDER GDPR

FILES WITH ASSOCIATED DATA

Course participants.

Council members.

Web user: Users and collaborators

Members of Continental Councils for Juvenile Justice

Candidates

Researchers

Employees, interns, volunteers and freelancers

Suppliers

Project partners

AUTOMATED ARCHIVING

Profile analysis database<

Client, accounting, fiscal and administrative management database

Human resources database

Other objectives database

Associative, cultural, recreational, sporting and social activities management database

PERSONAL DATA CATEGORIES

PERSONALLY IDENTIFIABLE DATA CATEGORIES

NIF/DNI/ID/Passport number

Name and surname

Postal address

Phone

Email

Signature

Photograph

NON-SENSITIVE DATA CATEGORIES

Personal characteristics

Academic and professional

Employment information

Economic, financial and insurance

DATA ORIGIN

The data subject or their legal representative

DATA SUBJECT COLLECTIVES OR CATEGORIES

Employees

Users or collaborators

Students

ASSIGNMENT ADDRESSEE CATEGORIES

Public administration with relevant competence: Belgian Data Protection Authority

OBJECTIVES

GDPR defines a data security breach very widely as any incident stemming from the destruction, loss, or accidental or illicit modification of personal data which has been collected, stored or processed in any other way, or the communication of or unauthorized access to this data.

Incidents like the loss of a laptop, the unauthorized access to an organisation’s databases (even by its own personnel), or the accidental deletion of access logs are considered security breaches under GDPR and therefore must be treated as indicated by the Regulation.

DATA CONSERVATION TIME LIMITS

In the case of a personal data security breach, the party responsible for data processing will notify the competent control authority in accordance with article 55 without undue delay and, if possible, within 72 hours at the latest following the incident, unless it is unlikely that the security breach constitutes a risk to the rights and freedoms of people involved. If the control authority is not notified within a period of 72 hours, it must be accompanied by an indication of the reasons for the delay.

TECHNICAL AND ORGANISATIONAL MEASURES

SERVER

Access control

Physical access control

Backup copies and recovery

Management and distribution of media

Identification and authentication

Access log

LEGAL BASIS

Fulfilment of a legal obligation

OTHER PARTIES RESPONSIBLE FOR DATA PROCESSING

Fundación Diagrama: Avenida Ciudad de Almería 10, Murcia, España

INTERNATIONAL DATA TRANSFERS

Any movement of personal data by the association is carried out between Belgium and Spain for various reasons:

  • The Observatory’s headquarters is located in Belgium.
  • The financing of the Organisation is mainly based on European grants and subsidies, and these investments have to be justified by providing the corresponding documentation to Belgium.
  • Fundación Diagrama, who is a data processer, provides this service from Spain.

1.7. Data processing - WEB CONSULTATIONS PROCESSING

FILES WITH ASSOCIATED DATA

Web user: users and collaborators

Non-registered user

AUTOMATED ARCHIVING

Web consulting database

PERSONAL DATA CATEGORIES

PERSONALLY IDENTIFIABLE DATA CATEGORIES

Name and surname

Email

CATEGORÍAS DE DATOS NO SENSIBLES

Características personales

DATA ORIGIN

The data subject or their legal representative

DATA SUBJECT COLLECTIVES OR CATEGORIES

Web user: users and collaborators

Non-registered user

OBJECTIVES

Management of consultations, which can be sent through the webpage https://www.oijj.org/en/form/contact-us

DATA CONSERVATION TIME LIMITS

Data will be stored for the time period necessary to fulfil the objective for which they were collected. The personal data of web users for the transfer of information relative to the Observatory will be kept until consent is withdrawn.

TECHNICAL AND ORGANISATIONAL MEASURES

SERVER

Access control

Physical access control

Backup copies and recovery

Management and distribution of media

Identification and authentication

Access log

LEGAL BASIS

Express consent of the data subject GDPR art. 6.1.a)

Satisfaction of the legitimate interests pursued by the party responsible for data processing, as it is important to resolve questions raised in order to promote themselves or to help potential clients GDPR 6.1. f)

OTHER PARTIES RESPONSIBLE FOR DATA PROCESSING

Fundación Diagrama: Avenida Ciudad de Almería 10, Murcia, España

INTERNATIONAL DATA TRANSFERS

Any movement of personal data by the association is carried out between Belgium and Spain for various reasons:

  • The Observatory’s headquarters is located in Belgium.
  • The financing of the Organisation is mainly based on European grants and subsidies, and these investments have to be justified by providing the corresponding documentation to Belgium.
  • Fundación Diagrama, who is a data processer, provides this service from Spain.

1.8. Data processing – USERS, PARTICIPANTS, PARTNERS

FILES WITH ASSOCIATED DATA

Course participants, project partners and web users: users and collaborators

Events participants

Online course participants

Members of Continental Councils for Juvenile Justices

DATA PROCESSING SYSTEM

AUTOMATED

PERSONAL DATA CATEGORIES

PERSONALLY IDENTIFIABLE DATA CATEGORIES

NIF/DNI/ID/Passport number

Name and surname

Postal address

Phone

Email

Publications

Signature

NON-SENSITIVE DATA CATEGORIES

Personal characteristics

Academic and professional

DATA ORIGIN

The data subject or their legal representative

DATA SUBJECT COLLECTIVES OR CATEGORIES

Clients and users

Partners and members

ASSIGNMENT ADDRESSEE CATEGORIES

European Union organisations: European Commission and Coordinating Partner of European Project

INTERNATIONAL DATA TRANSFERS

Any movement of personal data by the association is carried out between Belgium and Spain for the following reasons:

  • The Observatory’s headquarters is located in Belgium.
  • Fundación Diagrama, responsible of data processing, provides its service in Spain.
  • The computer servers used for data storage are located in Spain.
  • The financing of the Organisation is mainly based on European grants and subsidies, and these investments have to be justified by providing the corresponding documentation to Belgium.

OBJECTIVES

Data processing is mandatory to the global management of all organization users in its non-economic activities.

TECHNICAL AND ORGANISATIONAL MEASURES

SERVER

Access control

Physical access control

Backup copies and recovery

Management and distribution of media

Identification and authentication

Access log

LEGAL BASIS

Consent of data subject

Legitimate interest of Data Controller or of a third party

OTHER PARTIES RESPONSIBLE FOR DATA PROCESSING

Fundación Diagrama: Avenida Ciudad de Almería 10, Murcia, España

1.9. Data processing – HUMAN RESOURCES

FILES WITH ASSOCIATED DATA

Employees

Interns and volunteers

Freelancers

DATA PROCESSING SYSTEM

MIXED

PERSONAL DATA CATEGORIES

PERSONALLY IDENTIFIABLE DATA CATEGORIES

NIF/DNI/ID/Passport number

Name and surname

Postal address

Signature

Phone

Email

NON-SENSITIVE DATA CATEGORIES

Academic and professional

Economic, financial and insurance

DATA ORIGIN

The data subject or their legal representative

DATA SUBJECT COLLECTIVES OR CATEGORIES

Employees

Interns and volunteers

ASSIGNMENT ADDRESSEE CATEGORIES

Other public administration entities responsible

Social security organisations

European Union organisations: European Commission and Coordinating Partner of European Project

OTHER PARTIES RESPONSIBLE FOR DATA PROCESSING

Assurteam - Received Services

Group S (secrétariat social agréé d'employeurs) - Received Services

Coordinating Partner of European Project - Received Services

Fundación Diagrama: Avenida Ciudad de Almería 10, Murcia, España

INTERNATIONAL DATA TRANSFERS

Any movement of personal data by the association is carried out between Belgium and Spain for the following reasons:

  • The Observatory’s headquarters is located in Belgium.
  • Fundación Diagrama, responsible of data processing, provides its service in Spain.
  • The computer servers used for data storage are located in Spain.
  • The financing of the Organisation is mainly based on European grants and subsidies, and these investments have to be justified by providing the corresponding documentation to Belgium.

OBJECTIVES

An organisation’s human capital management in order to increase its productivity.

Personnel management (certificates of discharge, sickness leaves, business trips and hotel nights, advances, times off, holidays and any other aspect related to the work world), selection, promotion and/or training programmes, benefits, and other remunerations.

DATA CONSERVATION TIME LIMITS

Hereunder, some of the mandatory minimum data conservation time limits :

  • Payroll records: 5 year minimum
  • National Insurance contributions statement: 5 years minimum.
  • Contract of employment: A 4 year minimum is required upon termination but we choose to use a 6 year time limit.
  • Foreign citizens’ identification documents copies: 4 year minimum.
  • Career development and training programmes: 4 year minimum.
  • Rejected candidates data: 3 year minimum.
  • Temporary workers data: 4 year minimum.
  • Labour Law violations reports: 3 year minimum.

TECHNICAL AND ORGANISATIONAL MEASURES

SERVER (automated)

Access control

Physical access control

Backup copies and recovery

Management and distribution of media

Identification and authentication

Access log

PAPER ARCHIVES (nonautomated)

Resource access

Data storage

Access control

Copy or reproduction. Copy or reproduction control

Copy or reproduction. Destruction

Medium and documents management

Access log

Resource transfer

LEGAL BASIS

Fulfilment of a legal obligation

Execution of a contract of which the data subject is part