Introduction
The General Data Protection Regulation greatly affects the use of personal data within MoveYou. However, there are still many open standards to be found in the privacy legislation. When do we speak of a ‘high’ risk? When does MoveYou “doubt” a client’s identity and what are “appropriate measures”? These are just some of the questions that can arise on a daily basis. This privacy policy fleshes out these terms through legally based frameworks and criteria with the goal of having one line of conduct at MoveYou. MoveYou derives the authority to write policies about this from Article 24(2) GDPR.
MoveYou is aware that its services infringe to some extent on the privacy of its users; after all, users’ journeys are tracked. It should be noted that users use MoveYou’s services voluntarily through registration, with thorough information provided to them prior to doing so. This document explains how MoveYou protects the privacy of its users and employees, how it wishes to deal with personal data and how some open norms from the GDPR are implemented. In short: this document does not contain a repetition of already known legislation, but an interpretation of the open standards and answers to the question of how MoveYou wishes to deal with personal data.
To clarify: this policy is not intended to inform clients or employees about the handling of their personal data. The privacy statement for clients can be found on the website and for employees in the staff guide.
Principles
Everything is about data at MoveYou. When dealing with data, MoveYou has a set of core values, which are also embedded in the ethical policy. The core values are simple:
- Transparency
- Carefulness
- No discrimination
- Use artificial intelligence only for travel behavior prediction and credit check
Employees
Security of personal data starts with employees. How does MoveYou ensure that employees handle personal data with care?
- An adequate hiring policy (where necessary a certificate of conduct). Employees are bound by a strict non-disclosure agreement, which they sign upon employment. They also sign for having read the staff guide, which includes this policy and the 10 golden rules.
- An internal privacy statement which explains how the personal data of our employees is handled. MoveYou is convinced that if employees are well taken care of this will also affect the handling of our clients’ personal data.
- The 10 golden rules for employees as embedded in our staff guide:
- Be aware that you are working with someone else’s personal data and act accordingly. Handle the data exactly as you would want your data to be handled by others.
- Make sure you study MoveYou’s policy and rules on personal data.
- Realize that clients have the right to see their personal data, including your email if it is in there. If you write about clients, write it in such a way that that email can also appear on the front page of The Telegraph tomorrow.
- Integrity is key; don’t share data with others just like that. This applies not only within MoveYou, but also outside the organization.
- Make sure you have a good password. A passphrase is even better. Replace letters with numbers and symbols. Something like “M0bilityi$futur€22”, but of course different!
- Speak to your colleagues if you see that customer personal data is not handled carefully. Conversely, be open to feedback and change.
- Do you doubt you are acting correctly with personal data? Ask the management or the data protection officer via fg@moveyou.com.
- Do you suspect a data breach? Study the data breach protocol (part of the staff guide) and report it as soon as possible!
- Keep it tidy! Do not leave paperwork lying around on your desk and lock your computer when you leave your workplace.
- Last but certainly not least: Think along! Do you have ideas on how we can handle data even better together? Are you missing any information? Share it!
Measures
The following measures are implemented to ensure the security of our customers’ and employees’ personal data:
- Physical access security in and around the premises by means of:
- Cameras
- Access by means of facial recognition
- Access to some key areas by fingerprinting
- Daily backups on Amazon’s servers
- Authorization matrix on the software and computer disks
- Control of granted access to premises and software
- Privacy awareness and security training
- Guidelines on use of ICT tools
- Non-disclosure agreements for employees
- Service level agreements
- Screening of staff (references and certificate of conduct where necessary)
- Determination of roles, responsibilities and agreements with external parties regarding, for example, liability
- Performance of EPIAs and their annual review
- Mandatory annual review by the ethics committee, and review during development of new services & products
- Password policy
- Encrypting data
- Multifactor authentication
- Periodic hacking and pen testing
- Data breach procedure
MoveYou aims to achieve ISO certification over time. In addition, MoveYou intends to provide multifactor authentication for the end-user part of the app.
Transparency
On the basis of art. 13 and 14 GDPR MoveYou is obliged to inform stakeholders about a number of issues regarding the use of personal data. MoveYou has designed a privacy statement on its website. Users are made aware of the privacy statement when they register and agree to read the privacy statement before using the services. However, MoveYou cannot comply with full transparency because of competitive interests. After all, if MoveYou were to reveal which (public) sources are used to track customers, it would thereby reveal its trade secret. Because this is not entirely in line with the transparency obligation under the GDPR, MoveYou strives to be as transparent as possible: the list of sources in the privacy statement is not exhaustive, but does provide some examples. All this in order to safeguard article 14 paragraph 5 sub B GDPR. Should a client insist on receiving a complete list, MoveYou will meet with the applicant to discuss the possibilities together. MoveYou intends, in addition to the written privacy statement, to eventually also present this in visual form by means of a video on the website.
Clients & Co-riders
Data sharing agreements are made with each Client and Co-rider. Clients and Co-riders are not to be regarded as processors (because they act under their own authority and name (1)), but as controllers within the meaning of the GDPR. MoveYou also qualifies as a controller and not as a processor on behalf of the other party for the same reasons mentioned above. In addition, MoveYou itself determines the purposes and means and furthermore has much actual influence on the processing of data. Finally, it is always made known in the apps that they are powered by MoveYou, which means that Client, Co-rider and MoveYou are all concerned as (independent) controllers within the meaning of the GDPR. For that reason, a processor agreement as referred to in Art. 28 GDPR is not mandatory. Because the legislation and jurisprudence in the field of data sharing agreements in situations other than processing has not yet crystallized, and in some cases there may be joint responsibility as referred to in Art. 26 GDPR, data sharing agreements are made with each client. To this end, MoveYou has standard clauses that are part of the main contract, which have been reviewed by the legal department. If agreements are made that deviate from these standard clauses or if the service deviates from the regular, the agreement is submitted to the legal department.
(1) Contrary to what is mentioned in art. 28(1) GDPR.
Ethical & Privacy Impact Assessment
The GDPR requires controllers to carry out a data protection impact assessment of the processing, especially when it involves the use of new technologies. In addition, a data protection impact assessment (hereinafter: DPIA) is required in case of a systematic and comprehensive assessment of personal aspects of natural persons that is based on automated processing, including profiling, and on which decisions are based that produce legal effects for the natural person or that substantially affect the natural person in a similar way.
Given the use of artificial intelligence, user tracking and credit checks, MoveYou performs this DPIA. It is impossible to perform this in an understandable way for the platform as a whole. Therefore, risk analysis is performed on the following services separately:
- Fueling
- Loading
- Parking
- Shared transport/OV
- Post-payment (private & business)
- Mobility data
MoveYou chooses not only to map the legally required components, but to address ethical issues as well. After all, the services not only touch the privacy of the users, but also raise many social and ethical issues. For that reason, MoveYou uses the name Ethical & Privacy Impact Assessment (EPIA) for the DPIA. EPIAs are a mandatory item on the agenda of the mandatory ethics committee meeting and are reviewed semi-annually.
Ethics committee
Given the sensitivity and societal views on user tracking and artificial intelligence, MoveYou does not want to deploy this blindly, although registration is entirely voluntary. For this reason, MoveYou has established an ethics committee that annually reviews MoveYou’s products and services and discusses whether they are still ethically acceptable at that time. The committee does this using the EPIA. In addition to the annual review, the committee also meets when new services and products are developed, and it is consulted early in the process as part of the “privacy by design” obligation (2). The ethics committee consists of 5 alternating members, not being MoveYou employees, who are briefed by MoveYou management on the service and product in question. By means of voting, a weighty opinion comes out which the management can only disregard with justification.
Data Protection Officer
The GDPR requires data controllers to appoint a Data Protection Officer (DPO) in case they are mainly in charge of processing operations that require regular and systematic observation of data subjects (3). Given MoveYou’s core business, corporate lawyer Elles Caroline Boer has been appointed as DPO for this reason.
Data breach protocol
MoveYou works with personal data on a daily basis. Despite the care and the security measures that are taken, it can sometimes go wrong. In this protocol you will read what exactly a data breach is, how to prevent it and how to act if you think you have discovered a data breach.
What is a data breach?
You speak of a data breach when data has been unintentionally deleted, lost or modified. But also when there has been access by others or data has come into the hands of persons while this was not intended. Did you know that something can very quickly be considered a data breach? A wrong recipient of an email or letter, a printout that was left at the printer or hidden attachments, filters and tabs in a sent Excel. It can happen to all of us.
What should you do?
Report a suspected data breach to management as soon as possible and answer the questions below. Some data breaches must be reported to the supervisory authority, the Dutch Data Protection Authority (hereinafter: DPA). This must be done quickly, namely within 72 hours. It is therefore important that you report every data breach as soon as possible. The DPO (the internal supervisor, in our case Elles Caroline Boer) first examines whether it is a data breach and then whether it poses a major risk to the people affected and whether they should be informed. Want to know how the DPO assesses a data breach? You can read about that below.
This is not the only reason to make notifications. MoveYou is required by law to keep track of all data breaches (4). That way the DPA can hold us accountable if we haven’t reported a data breach when we should have.
(3) Art. 37(5) under B GDPR.
(4) Art. 33(5) GDPR.
Questionnaire when reporting a (suspected) data breach to the DPO:
- When and at what time did the (suspected) breach occur?
- What types of personal data were leaked? For example, name, social security number, financial data, (copies of) identification documents, photos.
- Were the leaked data encrypted and if so, how?
- How large is (approximately) the group of people whose data has been leaked?
- In what manner did the leak occur? Give as complete a description of the incident as possible; what happened?
- Was the leak to third parties or individuals? If so, is this a MoveYou supplier or partner?
- After the incident, what did you do to repair or mitigate the data breach or incident?
- What could be possible consequences for the data? For example, unauthorized access, a service may not be provided (temporarily), the data may no longer be accurate, or the data may be used in an improper or unlawful manner.
- Is it possible to remotely delete or make inaccessible the leaked personal data? If so, has this already been done?
- What is the potential harm to data subjects? (Consider, for example, discrimination, reputational damage, identity theft or fraud, or financial losses).
- Has the incident now been resolved?
- Is it possible to take additional technical and/or organizational measures to prevent a similar incident? If yes, what technical and/or organizational measures?
- If further information is needed, what is your name and on what business phone number can you be reached?
How can you prevent it?
This is very obvious, but: by always double-checking the recipients of your letter or e-mail, and by taking an extra look at the content and any attachments. Simply be aware that you are working with personal data and act accordingly.
Data breach at partners
It may happen that data is leaked to a party we work with or to whom we have outsourced work. In the contracts with those partners, we have made agreements about what to do in the event of a data breach. In most cases, it has been agreed that MoveYou’s DPO will be contacted.
Assessment data breach
The GDPR says the following about reporting a data breach: “If a personal data breach has occurred, the controller shall report it to the data controller without unreasonable delay and, if possible, no later than 72 hours after becoming aware of it, unless the personal data breach is unlikely to pose a risk to the rights and freedoms of natural persons.”
What is a risk?
A risk exists if the data breach may result in physical, material or immaterial harm to the individuals whose data is the subject of the leak. Examples of such harm include discrimination, identity theft or fraud, financial loss and reputational damage. Where the data leak involves personal data revealing racial or ethnic origin, political opinion, religious or philosophical beliefs, or union membership, or personal data that includes genetic data or data relating to health or sex life, or criminal convictions and offenses or related security measures, such harm should be considered likely.
The DPA has issued guidance on how to assess this risk. If the personal data was sent to an incorrect but reliable recipient, it may mean that the data breach no longer poses a risk. ‘Reliable’ means, according to the DPA, that it can be said with reasonable certainty that the incorrect recipient does not mean any harm. For example, that the recipient does nothing with the inadvertently received data and complies with any instructions, such as destroying or returning it. The DPA indicates on its website that, for example, a party with whom there is a business relationship, such as a regular supplier or partner, could be considered trustworthy. When assessing a risk due to a data breach, the DPA’s advice is followed.
Based on the above criteria, the DPO decides whether an incident qualifies as a data breach and whether it should then be reported to the DPA.
Reporting a data breach to the data subject
Not all data breaches reported to the DPA must also be reported to the data subject(s); only if the breach is likely to pose a high risk to the rights and freedoms of the data subject(s) must the data breach be reported to the data subject.
A data breach need not be reported to the data subject if:
- Appropriate technical and organizational measures that mitigate the risks have been taken without delay but at the latest within 24 hours;
- Measures to minimize the high risk to the rights and freedoms of data subjects have been taken without delay but at the latest within 24 hours;
- Making the communication would require a disproportionate effort. A public announcement or similar measure to inform data subjects will suffice instead.
Rights of data subjects
Under the General Data Protection Regulation, data subjects have various rights with respect to their personal data. The rights, any restrictions on these rights and grounds for refusal are discussed below.
Data subjects may submit the following requests or objections to MoveYou:
- Right to be informed (art. 13 and 14 GDPR)
- Right to access (art. 15 GDPR)
- Right to rectification and/or supplementation (art. 16 GDPR)
- Right to be forgotten (art. 17 GDPR)
- Right to restriction of processing (art. GDPR)
- Right to object (art. 21 GDPR)
- Right to data portability (art. 20 GDPR)
These fundamental rights are very important, but they are not absolute. This means that sometimes another (fundamental) right carries more weight or that there are (legal) grounds to limit or deny these rights.
Restrictions
Purpose of the right of access
The right of access by the data subject does not mean that MoveYou is obliged to provide a copy of the documents containing the personal data. MoveYou may do so, but may also choose another form, provided that the purpose of access is met with this method of provision. The purpose of Art. 15 GDPR is to enable the data subject to find out about the processing and check its lawfulness. Obviously MoveYou wants to accommodate customers who simply want to receive a copy of certain items (and do not wish to check the lawfulness), but this is a form of customer service that is not subject to handling deadlines and other legal formalities.
Rights and freedoms of others
When a request is complied with, names of third parties (such as employees or other users) are anonymized or not provided in order to protect their rights and freedoms.
Burden of Proof
If the person concerned believes that the documentation provided is incomplete and MoveYou has stated that after investigation it has been found that a certain document is not (or no longer) available and this does not appear implausible, it is up to the applicant to make it plausible that the opposite is true.
Other grounds for refusal
A request can be (partially) refused because of the interest of national security, public safety, the prevention, detection and prosecution of criminal offenses and for the protection of the person concerned or rights and freedoms of others or other limitations mentioned in art. 23 GDPR.
MoveYou may refuse a request if it is manifestly excessive or charge a fee if this is the case. Because of the amount of data MoveYou has at its disposal and the processing time, more than two requests per calendar year are considered excessive. A request may also be refused if preconditions, such as identification (more on this later), are not met.
Finally, a request may be refused if there is suspected abuse of rights. Abuse of right occurs if such a power is used for a purpose other than that for which it was given, so the purpose of the request may be relevant in assessing whether abuse of right occurs. If in doubt, an explanation of the purpose will be requested. Examples of an abuse of right are requests whose purpose is to challenge an employee’s dismissal, to prove innocence or to initiate litigation.
Identification policy
When a data subject makes a request under the GDPR, identity is verified to ensure that the request relates to the correct person. MoveYou expressly does not ask for a copy of an identification document to prevent unlawful processing. In most cases MoveYou already has a large amount of personal data of the applicant. In that case, a number of verification questions are asked, preferably by telephone, such as address, license plate number, date of birth, to establish that the correct profile is matched to the correct person. If the MoveYou employee doubts the identity of the applicant, for example because the voice does not match the age or gender or when the verification questions are answered in doubt, the MoveYou employee invites the applicant to show valid identification at the office in Franeker or Amsterdam. If circumstances do not allow this, an attempt will be made to have the applicant show proof of identity via video calling.
Monitoring plan
In order to guarantee the privacy of users and employees, the following monitoring plan is used. This is reported to the management directly and annually if necessary.