GDPR

Pinakes Accountability Document

Objective

The purpose of this document is to show how Pinakes complies with the obligations set out in the GDPR[1]. For more information or additional questions, the Pinakes DPO can be contacted via dpo [at] pinakes.be or via Keizerslaan 34, 1000 Brussels.

How does Pinakes respect the basic principles of personal data processing?

Pinakes respects the basic principles governing the processing of personal data at all times. How Pinakes complies with each of these principles is set out below.

a) How does Pinakes guarantee the lawfulness, fairness and transparency of processing?

Lawfulness means that the processing operations must comply with applicable rules and principles. Fairness and transparency mean that personal data are not processed for purposes, and in ways, that have not been properly communicated to the data subject.

Pinakes informs data subjects in a concise, transparent, clear and comprehensible way about the processing of their personal data and their rights through e-mail, a privacy statement and a cookie statement. The Pinakes DPO is the point of contact for data subjects when they have questions about certain processing operations. This allows us to optimally inform data subjects about the processing of their personal data.

b) How does Pinakes comply with the principle of purpose limitation?

Personal data may only be collected for specific, explicit and legitimate purposes and may not be further processed in a way incompatible with those purposes. Pinakes does not process the personal data of data subjects for purposes other than the purposes communicated to the data subjects.

Pinakes processes personal data only for the purposes that it clearly communicates to data subjects prior to processing.

For example, Pinakes processes the data of individuals working in the public sector for two specific purposes that are compatible with each other:

First, Pinakes processes their personal data when it offers the Pinakes database to its customers. The Pinakes database contributes to an efficient communication between private and public institutions and persons working in the public sector such as political representatives, senior officials and decision-makers. Pinakes offers its database to its customers against payment and facilitates a detailed communication plan, but also contributes to simple searches for specific contacts with people from the public sector.

Secondly, Pinakes processes their personal data when it offers a newsletter to people who subscribe to the database, which, for example, refers to an appointment or a new appointment of a particular person.

Pinakes imposes restrictions on the commercial use of information on all its customers. Customers may never process data of persons who are included in the Pinakes database without permission.

c) How does Pinakes comply with the principle of data minimisation?

Personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This means that only personal data that are necessary to achieve the purposes for which they were collected may be processed. Pinakes takes great care to ensure that it will only process personal data that are necessary to achieve a certain goal.

For example, Pinakes only includes information in the Pinakes database that is necessary to guarantee smooth communication between its customers and persons working in the public sector. This concerns basic identity data, information about training and employment such as information about the position and name of the organisation for which the data subject works, information about party political affiliation (if the data subject holds a political position), a picture of the data subject, information about the data subject’s profile on social media channels such as LinkedIn or Twitter and information about which language the data subject speaks.

For example, the FPS Public Health must have information about members of the executive committee of university hospitals in Flanders in the event of emergency medical assistance such as an epidemic. In that case, the FPS Public Health has every interest in consulting basic identity data and information about the position of the members of such a management committee.

d) How does Pinakes guarantee the accuracy of the data?

Personal data must be accurate and complete and must be updated, whenever necessary.

The Pinakes database has become an indispensable asset in the smooth communication between private and public institutions and people working in the public sector. In order to maintain its reputation and to guarantee a quality service, Pinakes has every interest in ensuring that its database is as complete and accurate as possible. In order to achieve this, Pinakes regularly performs checks to ensure that the information collected in the Pinakes database is (still) accurate. Pinakes achieves this by regularly checking publications/databases made available by official bodies such as the Belgian Official Gazette, regularly reviewing the websites or social media channels of those involved and consulting databases made public by third parties. In addition, Pinakes regularly contacts public institutions or authorities to verify the accuracy of the data of persons working at one of these institutions or authorities. By means of these regular check-ups, Pinakes can offer a very high quality and complete database.

e) How long does Pinakes store data?

Personal data may only be (a) processed and stored by Pinakes for as long as necessary to achieve the purposes of the processing, and (b) further processed and stored for purposes that are compatible with the initial purpose of the processing. Once such a purpose no longer exists, Pinakes will de-identify the personal data. 

For example, when a particular public officer switches to the private sector, Pinakes will de-identify information about this individual.

f) How does Pinakes protect the data?

Pinakes must guarantee the integrity and confidentiality of personal data.

Pinakes will treat personal data in the same way as confidential business information. It is extremely important for Pinakes to secure the data it possesses as well as possible. In addition, Pinakes will select its service providers carefully and only wishes to cooperate with parties that offer the necessary security guarantees and sign a confidentiality clause.

Pinakes will take the following safety precautions:

  • prevent unauthorised persons from having access to equipment for processing personal data (equipment access control);
  • prevent unauthorised persons from reading, copying, modifying or deleting the data carriers (control of the data carriers);
  • prevent unauthorised persons from entering data or accessing, modifying or deleting stored personal data (storage control);
  • prevent the use of automated data processing systems by unauthorised persons using data transmission equipment (user control);
  • ensure that persons authorised to use an automated data-processing system have access only to the data covered by their access authorisation (data access control);
  • ensure that it is possible to verify and determine to which bodies personal data were or may be provided or made available using data transmission equipment (transmission control);
  • ensure that it is subsequently possible to verify and determine which personal data, when and by whom, have been entered into automated data-processing systems (input control);
  • prevent unauthorised reading, copying, modification or deletion of personal data during transfers of personal data or during transport of data carriers (transport control);
  • ensure that the systems used can be reactivated in the event of failure (recovery);
  • ensure that the functions of the system are working, that any functional failure is signalled (reliability) and that stored data cannot be damaged by system malfunctions (integrity).

g) How does Pinakes demonstrate compliance with the principles?

Pinakes must demonstrate compliance with all of the above principles.

By means of this document, Pinakes documents how it complies with the principles. Pinakes keeps a detailed register that provides information about each processing activity for which Pinakes is responsible. In addition, Pinakes keeps track of advice given by the DPO, as well as information in case of a data breach and the resulting decisions. Pinakes will also keep track of when the need for a DPIA has to be assessed.

What lawful basis does Pinakes rely on?

In order to process personal data, Pinakes must have a lawful basis. The law describes this lawful basis in an exhaustive manner, including the consent of the data subject, the performance of a contract, the legitimate interest of the data controller or of a third party, or applicable legislation.

The applicable lawful basis for the main processing activities is explained below.

a) On what lawful basis does Pinakes rely for the Pinakes database?

Pinakes is a specialist in government contacts and has an extensive database. The Pinakes database is the main activity of Pinakes and contributes to the efficient communication between private and public institutions and individuals working in the public sector. Pinakes offers its database to its customers against payment. This facilitates a detailed communication plan, but also contributes to a simple search for a specific contact with someone from the public sector.

The Pinakes database contains basic identity data, information about training and employment such as information about the position and name of the organisation for which the data subject works, information about party political affiliation (if the data subject holds a political position), a picture of the data subject, information about the data subject’s profile on social media channels such as LinkedIn or Twitter and information about which language the data subject speaks. The above information is, depending on the case, extremely important in order to contact the right people.

For example, the Pinakes database enables management committees of all hospitals in Flanders to communicate very efficiently with each other and with the FPS Public Health in the event of an epidemic. In addition, the head of a Flemish prison can very quickly contact the Director-General of the prison system by consulting the database if a problem arises with a particular service or with a prisoner. The existence of the database is both in the interest of persons who are included in the Pinakes database and in the interest of the customers of Pinakes. As the above examples show, people working in the public sector benefit greatly from being included in the Pinakes database. What’s more, they often personally request to be included in the database. Pinakes contacts every data subject directly, always informing them that they will be included in the Pinakes database.

Pinakes collects information about individuals working in the public sector by checking publications/databases made available by official bodies such as the Belgian Official Gazette. In addition, Pinakes consults the websites or social media channels of these persons, as well as databases made public by third parties. In addition, Pinakes regularly contacts public institutions or administrations (e.g. town clerks) to verify the accuracy of the data. This greatly reduces the risk of people who no longer hold a position in the public sector being included in the database.

Moreover, Pinakes does not allow its customers to use the data for commercial purposes without permission. The social component is essential for Pinakes and that is also clearly communicated to the customers.

Pinakes processes these personal data on the basis of its legitimate interest, namely to make the Pinakes database available to its customers.

Different rules apply to information about the party political affiliation of someone holding a political function. Processing such data is prohibited in principle, but is permitted in this context. This exception stems from the fact that holding a political office implies that this information has manifestly been made public by that person. By holding a political office, a political mandate holder automatically and indisputably discloses his/her party political affiliation.

b) What lawful basis does Pinakes rely on for other processing activities?

As described in detail in the Privacy Statement and the Cookie Statement, Pinakes also processes personal data for other purposes. A number of these processing activities are explained below.

Sending newsletters

i. When a data subject wishes to receive the Pinakes newsletter, Pinakes processes personal data of the data subject.

Pinakes only sends newsletters to data subjects if Pinakes receives permission from the data subject, in accordance with Article XII.13 (ff.) of the Economic Law Code. This article stipulates that the use of electronic mail for advertising purposes shall be prohibited without the prior, free, specific and informed consent of the addressee of the messages.

Pinakes logs the consent of data subjects who are included in a mailing file.

In addition, Pinakes offers customers the possibility of an opt-out. Each e-mail with a newsletter gives data subjects the opportunity to unsubscribe. Pinakes logs this via the e-mail automation platform. Pinakes never sends newsletters to people who have unsubscribed.

ii. The newsletter also contains personal data of political representatives, senior officials and decision-makers.

Pinakes processes data from political representatives, senior officials and decision-makers to inform people who subscribe to the newsletter about appointments (such as taking oaths, making a new appointment, etc.).

This processing is necessary to protect the legitimate interest of Pinakes. The impact on the rights and freedoms of data subjects is relatively small. It is often in the interests of those who are appointed that others are informed of the fact that they are now in this new position.

iii. Improving the offer

To improve the offer, Pinakes takes the following actions: segmentation of potential customers and existing customers, analysis of habits and preferences of data subjects (based on the individual’s use of the Pinakes services), analysis of interaction with Pinakes through various channels such as via emails, social media messages or a visit to the Pinakes website and comparison of the products and services that those involved have already used with other data that Pinakes has about the data subjects.

This processing is necessary to protect the legitimate interest of Pinakes. The impact on the rights and freedoms of data subjects is relatively small. It is in the interest of the data subjects to improve the offer and to make it more personal.

Has Pinakes appointed a DPO?

In a number of cases, the appointment of a DPO is mandatory.

The main activity of Pinakes is to bring public and private institutions from all over Europe into contact with people working in the public sector in order to inform them about matters that concern them. In order to facilitate smooth communication, Pinakes has created a database with contact details and other information that may be relevant about those persons. The Pinakes database contains information on more than 135,000 political representatives, civil servants and managers in Belgium, Luxembourg and the European institutions, including information showing the party political affiliation of persons holding a political function.

That is why Pinakes has appointed a DPO. The contact details of the Pinakes DPO are dpo [at] pinakes.be or Keizerslaan 34, 1000 Brussels.

Has Pinakes carried out a DPIA?

In a number of situations, the GDPR requires a Data Protection Impact Assessment or a DPIA to be carried out.

Recital 171 GDPR states that a granted consent of a privacy authority concerning a past processing shall remain in force until amended, replaced or withdrawn. In the past Pinakes obtained such consent from the then Privacy Committee. The processing carried out by Pinakes has remained virtually unchanged since then. The Article 29 Working Party states in its opinion on DPIAs that a DPIA is not necessary for processing operations controlled by a supervisory authority in accordance with Article 20 of the (former) Directive 95/46/EC.[2]

Based on the above, Pinakes did not perform a DPIA. In addition, Pinakes also believes that, even if the above should not apply, there is currently no reason to assume that Pinakes is required to perform a DPIA. Pinakes will therefore not (for the time being) carry out a DPIA, unless there is reason to do so in the future, taking into account the implementation conditions for a DPIA. Pinakes, in consultation with its DPO, will review and assess whether or not to carry out a DPIA where necessary. If Pinakes decides not to carry out a DPIA, it will document the reason for its decision.

How does Pinakes inform the data subjects?

Every data subject should be informed in a clear, easily accessible, concise, transparent and comprehensible manner of all the main elements of the processing of their personal data. This information should include the purpose of the processing, the identification details of Pinakes, the rights granted to the data subject, and other information about the processing, to the extent necessary to ensure its fairness.

Pinakes shall inform the data subjects in an appropriate manner:

  • Pinakes provides a general Privacy Statement. The Privacy Statement is published on the Pinakes website. This statement describes the processing of personal data of visitors to the Pinakes website, customers of Pinakes and its employees, and individuals included in the Pinakes database (i.e. political representatives, senior officials and decision-makers). In addition, Pinakes will send, no later than 2 weeks after a (new) data subject is included in the Pinakes database, an e-mail informing that data subject that his or her personal data will be used for communication with the data subject, before the data subject is included in the Pinakes database.
  • Pinakes provides a Cookie Statement that is published on the Pinakes website.
  • Both the Privacy Statement and the Cookie Statement are available in Dutch, French and English. The data subjects shall be informed in their own language or at least in a language with which they are sufficiently familiar.
  • Pinakes provides, when communicating with anyone, a banner at the bottom of the email signature with a link to the Privacy Statement on the website. This will allow data subjects to consult the Privacy Statement at all times in a very efficient manner.
  • By means of the Privacy Statement, Pinakes informs data subjects in detail about their rights.
 
How does Pinakes deal with the rights of data subjects?

Pinakes attaches great importance to individuals working in the public sector and to the other data subjects whose personal data it processes. Information about decision-makers is the cornerstone of the Pinakes database and is extremely important for Pinakes and its customers.

It is therefore obvious that Pinakes will adequately inform data subjects about their rights. The Pinakes Privacy Statement explains in detail what each right means.

In addition, Pinakes makes every endeavour to assist the data subjects to the best of its ability when they wish to exercise a right with regard to their personal data.

The Pinakes DPO has been appointed as the point of contact for data subjects. In the event of a request from a data subject, the DPO shall follow up and process the data subject’s request. The Pinakes DPO responds to every request in two steps:

  • The DPO shall immediately confirm to the data subject that the request has been received and that the data subject will be informed of the follow-up given to the request within one month;
  • The DPO shall inform the data subject of the outcome of the request within one month.

In order to ensure the privacy of other data subjects and to guarantee that information about them will not be abused, Pinakes will always ask for proof of identity before responding to the request. For example, the DPO can ask the data subject to provide a copy of an identification document issued by the government, such as an identity card, residence card, social security card or driving licence, which is still valid and which at least states the name and date of birth of the data subject.

When data are processed for the purpose of direct marketing, the data subject should be able to object, free of charge, to the processing of his data for such purposes. The survey form also points out the right to object to marketing. Data subjects will always receive an email in which this will be clearly communicated.

How does Pinakes protect personal data?

A controller should take appropriate technical and organisational measures to ensure the security of personal data. Those measures shall be evaluated and, where necessary, updated. In addition, all members of Pinakes are required to guarantee confidentiality.

Pinakes shall take appropriate technical and organisational measures to protect personal data of data subjects against unauthorised access or theft, accidental loss, alteration or destruction. It wishes to cooperate only with third parties offering the same level of protection and concludes an agreement with them containing provisions on security measures and confidentiality. Safety and security are effort commitments and it can never be excluded with certainty that incidents will occur.

Has Pinakes concluded the necessary agreements?

The controller should conclude agreements with certain third parties such as processors and joint controllers.

Pinakes relies on third parties for some of its services. For example, Pinakes works with an IT company to manage the website. In order to perform their service properly, such parties process personal data on behalf of Pinakes. Pinakes will carefully select its service providers and only wishes to cooperate with parties that offer the necessary security guarantees. Pinakes concludes an agreement with any third party processing personal data on its behalf, which contains the elements required by Article 28 of the GDPR. This agreement contains written instructions from Pinakes and stipulates that third parties must ensure the security of personal data and that they are bound by confidentiality. Pinakes only cooperates with service providers within the European Economic Area.

To date, Pinakes has not been in a situation of joint responsibility with any other organisation. Should this change in the future, Pinakes will enter into a joint controllership agreement in accordance with Article 26 of the GDPR and make it available to the data subjects.

How does Pinakes react to data breaches?

A personal data breach or data leak is a breach of security leading, accidentally or unlawfully, to the destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, data transmitted, stored or otherwise processed.

Pinakes shall take appropriate technical and organisational measures to protect personal data of data subjects against unauthorised access or theft, accidental loss, alteration or destruction. It wishes to cooperate only with third parties offering the same level of protection and concludes an agreement with them containing provisions on security measures and confidentiality. Safety and security are effort commitments and unfortunately it is not possible to prevent data breaches.

Pinakes has set up a procedure to respond to a data breach in a timely and appropriate manner and will attempt to limit the damage as much as possible. Where necessary, Pinakes will inform the Data Protection Authority (within 72 hours) and the data subjects.

Register of processing activities

Pinakes keeps a register of the processing activities that take place under its responsibility. This register contains information on, inter alia, the purpose of the processing, the lawful basis of the processing, and the categories of personal data and data subjects.

Pinakes keeps the register in an Excel list and records all mandatory elements of Article 30 GDPR per processing activity. Pinakes used the Excel template published by the Data Protection Authority to draw up the register. Pinakes updates the register when new processing activities are added or changes are made to existing processing activities, and reviews it periodically (at least once a year) in order to keep it up to date.

[1] Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”).

[2] See Opinion WP 248 rev.01, “Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is ‘likely to result in a high risk’ within the meaning of Regulation 2016/679”, 16-17.