DATA BREACH NOTIFICATION PROTOCOL

Considerations

  • Information Development Europe B.V. attaches importance to the proper security of its (electronic) systems in which personal data are stored and processed
  • a data breach can nevertheless never be entirely prevented
  • Information Development Europe B.V. is obliged under the General Data Protection Regulation (AVG) to report (serious) data breaches to the Personal Data Authority and to data subjects
  • Information Development Europe B.V. wishes to comply with its legal obligations
  • Information Development Europe B.V. has therefore formulated a policy so that it can act as appropriately as possible in the unlikely event that a data breach does occur

1 - Definition of data breach

A data breach is a breach of security that accidentally or unlawfully results in the destruction, loss, alteration or unauthorised disclosure of, or unauthorised access to, data that is transmitted, stored or otherwise processed.

2 - Internal party responsible for data breach notification

  1. Information Development Europe B.V. has appointed an internal data breach manager who is responsible for reporting a data breach.
  2. This person is: Kaori Asano, telephone number: +31-(0)20-299-8760; e-mail address: amsterdam@idnet.co.jp, hereinafter referred to as: 'internal responsible party'.

3 - Internal notification upon discovery of a data breach

  1. The person who discovers a data breach at Information Development Europe B.V. shall report this immediately to the internal responsible party.
  2. If possible, the person who discovered the data breach simultaneously ensures that the leaked data is immediately remotely deleted or made inaccessible.

4 - Investigation by the internal responsible party

The internal responsible party examines, among other things:

  • whether personal data have been lost or could be used unlawfully
  • who or which departments within the organisation are involved in the data breach
  • whether a processor is involved in the incident

5 - Combating data breach

The internal responsible party will stop the data breach if this is still possible and will further take the necessary measures to combat the data breach as effectively as possible.

6 - Determining the consequences of a data breach

The internal responsible party examines the possible consequences of the data breach, based on the nature and extent of the data that has been leaked, and determines what the adverse effects for the data subjects may be.

7 - Cooperation in providing data breach information

The discoverer/notifier of the data breach offers all cooperation to the internal responsible party by providing answers (in writing) to the following questions as quickly and as well as possible:

  • what happened? (description of the incident)
  • was it accidental or caused by malicious intent (for example, hacked data)?
  • when did it happen? (date and time)
  • when was it discovered?
  • what data (registers) were leaked?
  • is the data encrypted, and if so, how?
  • could the data be remotely deleted or made inaccessible, and if so, was this done?
  • what are the possible consequences for those affected?
  • which group(s) of people is/are affected (e.g. pupils, patients, premium members)?
  • how many people were (approximately) affected?
  • is data of individuals in other EU countries also affected by the data breach?
  • had technical and/or organisational measures already been taken in response to the incident?

8 - Staff availability after data breach discovery

The manager of the department in which the data breach occurred, the person who discovered the data breach, and anyone who, on the basis of their position or knowledge, is able to take organisational and/or technical measures to limit the consequences of the data breach shall make themselves available, in the first 24 hours after discovery of the data breach, for consultation with the internal responsible party or any experts designated by him and, if necessary, to carry out the work ordered as a result of the data breach.

9 - Decision on data breach notification

  1. The internal responsible party decides as soon as possible, but in any case within 60 hours of the discovery of the data breach (whether or not in consultation with the responsible party of the department in which the data breach was discovered and/or experts appointed by him), whether the data breach should be reported to the Personal Data Authority and/or the data subjects.
  2. In principle, a data leak is always reported to the Personal Data Authority, unless the data leak is unlikely to pose a risk to the rights and freedoms of data subjects.
  3. Reporting the data breach is accompanied by answering the questions described in section 7.
  4. A data leak reported to the Personal Data Authority will also be reported to the data subjects if it poses a high risk to the rights and freedoms of natural persons, unless appropriate measures have since been taken that have averted the high risk.

10 - Notification of data breaches to the Personal Data Authority and/or data subjects

  1. If necessary, the internal responsible person shall ensure notification to the Personal Data Authority and/or the data subject(s).
  2. Notification shall be made as soon as possible after the discovery and no later than 72 hours after the discovery of the data breach.
  3. No employee other than the internal responsible party may report the (possible) data breach to the Personal Data Authority and/or the data subject(s).
  4. If an employee disagrees with the internal responsible party's decision on whether or not to report the data breach to the Personal Data Authority and/or the data subject(s), he can make his grievances known to the management.
  5. If requested, an employee shall provide all cooperation to the responsible party in order to inform the affected persons about the data breach in accordance with Article 34 AVG.

11 - Consequences of reporting data breaches

  1. If the data breach has negative consequences for data subjects, the internal responsible party will make every effort to minimise these consequences.
  2. Depending on the nature and extent of the data breach for data subjects, the internal responsible party determines:
    • how data subjects will be informed (including in any case announcements on which types of personal data are affected, what the possible consequences are, which measures Information Development Europe B.V. takes and how data subjects themselves can prevent or limit the damage)
    • what after-care those involved receive
    • which actions are necessary in the interest of the organisation
  3. If a data breach has occurred (whether reported or not), adequate technical and/or organisational measures will be taken as soon as possible to prevent similar data breaches in future.

12 - Maintaining data breach register

The internal responsible party keeps a register of all data breaches, recording all details surrounding the data breach, such as:

  • a description of the incident
  • date and time of the data breach
  • date and time of discovery of the data breach
  • description of the type of personal data leaked
  • description of the category or categories of data subjects affected
  • the (approximate) number of people involved
  • whether data of individuals in other EU countries was also leaked
  • whether the incident was reported to the Personal Data Authority and, if so, date and time of reporting
  • whether the incident was reported to those involved and, if so, date and time of reporting
  • how data subjects were informed
  • the consequences of the data breach, specifying if possible the date and time
  • what technical and/or organisational measures have been taken following the data breach, including date and time

This data breach notification protocol was drawn up on 01 April 2024.