GDPR FAQs

The General Data Protection Regulation will come into effect on 25 May 2018. We understand that this new legislation may raise many questions, so we have assembled a list of FAQs for you here.

You will find the FAQs below, structured as follows:

  • 1. General
  • 2. Clients’ obligations
  • 3. The data processing agreement
  • 4. Security, audits, standards and certificates
  • 5. Sub-processors
  • 6. Other

If you do not find the information you need here, please contact your account manager. If you are unable to obtain a satisfactory answer to your question, our Data Protection Officer will contact you personally.

1. General

What is the GDPR?

GDPR stands for the General Data Protection Regulation, which is the name of the European privacy legislation that will take effect on 25 May 2018. This legislation replaces the Dutch Personal Data Protection Act (Wbp). It goes without saying that Raet is in full compliance with European privacy legislation. 

What is the difference between the AVG and GDPR?

GDPR stands for General Data Protection Regulation and is the English reference to this European privacy legislation. AVG (Algemene verordening gegevensbescherming) is the Dutch reference. 

What are the most important components of the GDPR?

  • The GDPR grants citizens more rights with regard to their privacy.
  • It also imposes obligations on organisations: they must demonstrate compliance with the law.
  • Data Protection Authorities will have greater powers to impose significant penalties on organisations that fail to comply (administrative fines of up to EUR 20 million or 4% of annual worldwide turnover, whichever is higher).

Can you demonstrate how you comply with the GDPR?

Raet is currently compliant with the European Data Protection Directive (95/46/EC) and the Dutch Personal Data Protection Act (Wbp), and will be compliant with the GDPR as of 25 May 2018. At Raet, we always endeavour to be fully compliant with all applicable regulations and legislation. 

All of our systems, processes, policies, measures and internal and external documentation have been adapted and implemented based on GDPR requirements as published to date. See the section on Privacy on our trust site at www.raet.nl/trust for additional information about our role as a processor in relation to the GDPR. 

Where can I find further information about the GDPR in relation to Youforce or Raet?

On our trust site you can find more information under 'Privacy' about our role as processor in relation to the GDPR.

What if I still have questions and cannot find the answer on the trust site?

We have made every effort to assemble a complete list of FAQs. If you do not find the information you need, please contact your account manager. If you are unable to obtain a satisfactory answer to your question, our Data Protection Officer will contact you personally.

2. Clients’ obligations

What are my obligations as a client?

We at Raet see GDPR compliance as a shared responsibility with you, our client.

As a client, you are a ‘controller’ in the sense of the GDPR. You determine the purposes and means of the processing of your personal data. We at Raet process your data on your behalf in the context of the service we provide. This makes us a ‘processor’ in the sense of the GDPR. An agreement must be in place that governs this processing; Article 28(3) of the GDPR prescribes its mandatory content. A Data Processing Agreement is the most usual form. 

As a controller, you are responsible for taking the technical and organisational measures necessary for processing data in accordance with the stipulations of the GDPR, and you must be able to demonstrate compliance with these stipulations. 

Please be aware that the information on this website cannot be interpreted as legal advice or as a substitute for legal advice. We therefore recommend that you obtain independent legal advice on your status and obligations with regard to the GDPR. 

When does Raet process my data?

We at Raet process your personal data exclusively in accordance with your written instructions regarding such processing. These instructions may result from specific requests or conform with the obligations under the main agreement or the applicable processing agreement.

How can Raet help me achieve GDPR compliance?

All of our services and software will meet the requirements of the GDPR when it comes into effect, and we are there to answer all of your questions.
We will also help you meet your GDPR compliance requirements as indicated in the new standard Data Processing Agreement.

3. Data Processing Agreement

What is a data processing agreement?

An agreement must be in place that governs all processing by Raet. A processing agreement is the most usual form. The Raet standard processing agreement complies with GDPR requirements and is available on our trust site.

Does a processing agreement form a standard part of my contract?

The aspects referred to in the GDPR form a standard part of the contract framework we have in place with all of our clients. The processing agreement has formed a separate part of this contract framework since late 2017. 

What about previous privacy agreements with Raet?

These remain in force. The only exception is if the new standard processing agreement deviates from previous agreements (and you have assented to the new standard processing agreement). In this case, the provisions of the new standard processing agreement will prevail.

What personal data is involved in Raet’s processing activities?

This information forms part of Raet’s standard processing agreement. 

Each category of personal data is assigned a risk class, listed separately per category. By ticking the categories that you actually have Raet process, you indicate which of these apply to your specific case. 

Who has access to personal data at Raet?

See Annex 1 of the new standard processing agreement.

4. Security, audits, standards and certificates

Does Raet’s security comply with the GDPR?

Yes. We have taken all appropriate technical and organisational measures to protect your personal data in accordance with the GDPR. We do our utmost to ensure system and data security in all of our services every step of the way. The Raet Information Security Policy governs our security strategy, and has been established in accordance with the ISO27001 international standard. We also subject our control measures to an annual audit. See our trust site for further information on data security at Raet.

Does Raet have an information security policy, and can I inspect it?

Yes, Raet has an Information Security Policy, and the information security management system built on it is certified against the ISO27001 standard. The policy document itself is for internal use at Raet. The ISO27001 certificate is available on our trust site. The corresponding Statement of Applicability (which lists the ISO27001 controls in scope and those excluded) is available on request. 

How does Raet audit its control measures?

We have a system of control measures in place to ensure the security of data input, processing and output. In addition, all of our IT processes are subject to a system of control measures. These measures are laid down in a control framework. They are subject to an annual, independent audit, which results in an ISAE3402 type II statement. Unlike a type I statement, which assesses the design of controls at a single point in time, a type II statement also tests their operating effectiveness over the reporting period; when reviewing it, check the period and scope covered and any complementary user entity controls that you, as controller, are expected to operate yourself. At the request of the controller, the processor will make the audit results available subject to a non-disclosure agreement specifically drawn up for this purpose.

Does Raet use encryption?

We employ TLS (still commonly referred to as SSL) to encrypt data in transit for digital communications.

We also encrypt data before it is stored on external media (offsite backup). Highly sensitive data is encrypted both in transit and at rest.

According to the GDPR, our organisation has a right to conduct an audit. Is this correct?

Yes, that is correct. Article 28(3)(h) of the GDPR requires the processor to make available all information necessary to demonstrate compliance and to allow for and contribute to audits, including inspections, conducted by the controller or an auditor mandated by the controller. This right is exercised subject to the conditions stated in the processing agreement with Raet. 

5. Sub-processors

What are sub-processors?

Sub-processors are external suppliers that we use to assist us in processing your personal data. Examples include KPN for hosting services and PostNL for regular mail.

Does Raet use sub-processors?

Yes, depending on the service provided. In general, we use KPN for hosting and storage services, PostNL for regular mail, Capgemini for payment services and ITRP for incident reporting and our service desk’s communication system.

We are responsible for the sub-processors we engage.

How does Raet select its sub-processors?

We have a rigorous selection procedure to ensure that our sub-processors have the necessary technical expertise and that they provide the required level of security and privacy. We are concluding sub-processing agreements that meet the requirements of the GDPR with all of our sub-processors.

Does Raet request permission to engage sub-processors?

Yes. Under Article 28(2) of the GDPR, a processor may engage a sub-processor only with the controller’s prior specific or general written authorisation, and in the case of general authorisation must inform the controller of intended changes so that the controller can object. Raet therefore engages sub-processors only where this is agreed in the processing agreement or the main agreement, or with your prior consent. Also see Article 4 of the new standard processing agreement.

Does Raet audit its sub-processors?

We conduct annual audits to ensure that our sub-processors continue to meet all requirements, and we include this information in our ISAE3402 type II statement.

In addition, we have reached agreements with our sub-processors regarding continuity of service, and we assess exit scenarios annually.

6. Other

How does Raet comply with the principles of privacy by design and privacy by default (Article 25 GDPR)?

We incorporate security and privacy standards as an integral part of our software development process. These standards are implemented as Non-Functional Requirements (NFRs), so that information security and privacy are addressed at every stage of development rather than added afterwards. 

How does Raet take data portability into account in relation to the GDPR?

Our self-service functionality offers data subjects an easy way of viewing and storing their data for personal use. They can also easily transfer their personal information to other organisations. 
In addition, controllers can use the reporting function to inform data subjects about what information (including salary data) has been stored. 

Upon termination of the contract with Raet, the data will be returned to the controller in accordance with the contractual procedure. We can provide the data in a standard file format on a commonly accepted medium. Our default is a .csv file delivered on DVD. 

What retention period applies to my personal data?

Some data from your personnel file is subject to a fiscal retention obligation. This means that your employer is required to retain this information for a specific period in accordance with tax law. Examples include your payroll tax statement and a copy of your identity document. The employer must retain this personal data for a period of five years after termination of employment. 
Other data from the personnel file is not subject to a legally mandated retention period, although as a general guideline it should be retained for a period of two years after termination of employment. 
Generally, organisations delete job application data no later than four weeks after the conclusion of the application process. This retention period can be extended to one year, subject to the data subject’s consent. 

Have you appointed a Data Protection Officer (DPO)? And how can I contact this officer?

Yes, we have appointed a Data Protection Officer (DPO). This individual’s primary responsibility involves advising the internal organisation.

We ask you always to submit your questions to your regular contacts first, such as your account manager or our service desk. Alternatively, visit our trust site. If you are unable to obtain a satisfactory answer to your question, our Data Protection Officer will contact you.

As a processor of personal data, does Raet keep a register of processing activities?

Yes, Raet keeps a processing register in compliance with the GDPR. This register is intended for internal use and for the Data Protection Authorities.

Can Raet provide me with a DPIA or PIA from Youforce?

Conducting a Data Protection Impact Assessment (DPIA, Article 35 GDPR) is your own responsibility as a controller.

Naturally, we will be pleased to assist you by making the relevant information available at www.raet.nl/trust. We will be happy to provide you with supplementary information where necessary.

I need Raet’s register of processing activities to make a DPIA

Information for conducting a Data Protection Impact Assessment is available for our clients on our trust site and in our brochure, ‘Raet in Control’. The processing register itself is intended for internal use and for the Dutch Data Protection Authority. We therefore do not share it with clients.