Quan BV offers well-being assessments and tailored interventions to employees of organisations throughout the Netherlands. In this document we will outline our compliance and commitment to GDPR.
Well-being assessment results are anonymous and are provided through our platform. The processes that support this are described below.
Quan Well-Being involves:
- A comprehensive well-being assessment: each individual completes an evidence-based well-being assessment measuring five dimensions: Mind, Body, Meaning, Social connectedness and Self-fulfilment.
- Individual insights: once the assessment is completed, each individual can access personalised results containing well-being insights via the Quan platform.
We understand that individuals cannot always make changes on their own. Each individual can be provided with a tailored path delivered via our platform, which can include suggested articles, podcasts, videos and exercises, all intended to build positive habits that improve well-being.
The Quan well-being assessment can be:
- Used by individuals opting to take part in the assessment
- Used by individuals who complete the assessment
- Used by employees referred to complete the assessment by their organisation
Participants can use the assessment:
- As a standalone well-being assessment
- As part of a well-being initiative
The EU General Data Protection Regulation (GDPR) strengthens the rights that individuals in the EU have over their data and creates a uniform data protection law across Europe. We comply with the GDPR, as applicable, in our role as a data processor.
If you have any questions or requests regarding this policy, please reply to this email or contact our support team at email@example.com
1.0 GDPR COMPLIANCE OVERVIEW
Quan Well-Being GDPR requirements
- Notification of data breaches – When we become aware of a breach of personal data (including sensitive personal data), we notify the relevant supervisory authority within 72 hours of becoming aware of it. Where the breach is likely to present a high risk to the rights and freedoms of the individuals concerned, we also inform those data subjects without undue delay. Where we process data on behalf of a contracting organisation, we also notify that organisation without undue delay so that it can meet its own obligations.
- Responsibility and ability to demonstrate compliance – Quan BV is responsible for demonstrating compliance. This document outlines our understanding of the security requirements prescribed, directly or indirectly, by the regulator, and how we meet them. We have aligned our data handling with secure cloud controls that meet these requirements.
- Right of access and data portability – Participants are informed that they can request a copy of the personal data they have supplied (right of access) and receive it in “a structured, commonly used and machine-readable format” so that it can be transferred to another data controller (right to data portability).
- Right to erasure (right to be forgotten) – Participants are informed that they have the right to request the erasure of personal data held by a data controller, subject to certain conditions. We are clear about the processing we carry out and its legal basis, and we have the technical ability to erase all affected data promptly when required.
- Security of processing – We have implemented technical and organisational measures to ensure an appropriate level of security for our processing activities. These measures include, but are not limited to, pseudonymisation, encryption and regular testing of the organisational and technical measures.
- Transfers of personal data to third countries or international organisations – The GDPR sets specific conditions on when and where personal data may be transferred to third countries or international organisations. Where data may be processed outside the EU, we tell individuals which countries are involved (see 2.0.3).
2.0 COMPLIANCE INFORMATION
The following sections outline the steps and procedures we follow to comply with the GDPR.
2.0.1 – LEGITIMATE INTERESTS
- We explain clearly to anyone taking a well-being assessment what personal data we collect, how anonymity is preserved and how the data is used. We ensure any contracting organisation is aware of this.
- We explain clearly how and why we need an individual’s personal data at the point where we collect it during the survey, and participants who opt for expert support receive a consent statement from the experts.
- Individuals are informed of what we plan to do with their data at the time we collect it.
- We clearly state that we do not use or share data for third-party marketing.
- We collect the minimum data necessary. Individuals can choose what data to enter; although we collect at minimum a name and an email address, these can be fictitious if required.
- We delete records after use. If an individual asks us to delete their data, we delete it from our systems completely and with reasonable expediency.
2.0.2 – OBTAINING AND INFORMING ON CONSENT
Asking for consent
- We ask people to positively opt in: individuals are invited to choose to take part in a well-being assessment.
- We do not use pre-ticked boxes or any other type of consent by default.
- We use clear, plain, easy-to-understand language at each step of the process.
- We explain why we want the data and what we’re going to do with it.
- We name our organisation and any third parties who can access the data.
- We inform individuals they can withdraw their consent.
- We inform individuals that they can refuse consent for optional elements such as the tailored well-being journey.
- We don’t make consent a precondition of our service.
- We are clear that we do not provide services to children.
- We keep a record of when individuals refuse consent or ask for their records to be deleted.
- We keep a record of exactly what they were told at the time.
- We regularly review consent to make sure that the relationship, the processing and the purposes have not changed since consent was given.
- We have the means to refresh consent at appropriate intervals.
- We make it easy for individuals to withdraw their consent at any time, and show them how to do so.
- When consent is withdrawn, we act as soon as we can.
- We don’t penalise individuals who want to withdraw their consent.
2.0.3 – INFORMATION PROVISIONS
When collecting personal data we make sure individuals are aware of the following:
- The identity and contact details of our organisation.
- The contact details of the person responsible for data protection, which are available on the Quan well-being website.
- The legal basis for the processing (consent or legitimate interests) and the purposes for which the data is needed.
- Any countries outside the EU in which the data may be processed.
- Their right to have their personal data deleted and to object to data processing in the future.
- Their right to complain to the national data protection authority.
2.0.4 – THIRD PARTY DATA
- We do not supply data to any third parties for business or marketing reasons.
Third Party Services
- We may use services offered by third parties to help maintain and improve our Website, to help us understand how our Website and Services are used, or simply to provide the Services.
- These services may store personally identifiable information that we collect about you, as well as information sent by your browser as part of a web page request, such as cookies or your IP address.
- If any third parties are given access to your personally identifiable information, we limit their use of it to providing the services we have requested from them.
2.0.5 – PROFILING
Profiling means evaluating personal data in order to analyse individuals or groups.
- We provide reports to organisations using anonymous data only, and we inform people that group reports are only produced for groups of 6 or more participants and respect medical and client confidentiality.
- Marketing communications for all services include details of how data is used.
- We tell people how and why we profile personal data and give them the chance to opt out.
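The minimum group size above is the kind of rule that is easy to state and easy to get subtly wrong in practice, because a suppressed small group can still be recovered by subtracting the published groups from an organisation-wide total. The following is an added illustration, not Quan's code and not the page's: it assumes a record is a dict holding a pseudonymous participant id, a group label and one score per dimension (the five dimensions named earlier), uses constructed sample data, and applies the 6+ rule both to each group and to the remainder that an organisation-wide aggregate would expose.

```python
"""Minimum-group-size suppression for aggregated well-being reports (added example)."""
from collections import defaultdict
from statistics import mean
import json

MIN_GROUP_SIZE = 6  # policy threshold: group reports only for 6+ participants
DIMENSIONS = ("mind", "body", "meaning", "social", "self_fulfilment")


def _row(pid, group, *scores):
    """Build one pseudonymous record: an opaque id, a group label and five scores."""
    return {"pid": pid, "group": group, **dict(zip(DIMENSIONS, scores))}


# Constructed sample data (not real participants); only pseudonymous ids, no names or e-mail.
SAMPLE = [
    _row("p01", "sales", 3.2, 2.8, 3.5, 3.0, 2.9),
    _row("p02", "sales", 4.1, 3.3, 3.8, 3.6, 3.4),
    _row("p03", "sales", 2.7, 2.5, 3.1, 2.9, 2.6),
    _row("p04", "sales", 3.9, 3.6, 3.3, 3.8, 3.5),
    _row("p05", "sales", 3.0, 3.1, 2.9, 3.2, 3.0),
    _row("p06", "sales", 3.5, 3.0, 3.4, 3.3, 3.1),
    _row("p07", "sales", 3.8, 3.4, 3.6, 3.5, 3.7),
    _row("p08", "finance", 2.4, 2.6, 2.2, 2.5, 2.3),
    _row("p09", "finance", 3.1, 2.9, 3.0, 2.8, 2.7),
    _row("p10", "finance", 2.9, 3.2, 2.6, 3.0, 2.8),
]


def _aggregate(rows):
    """Participant count and per-dimension means; never returns individual values."""
    return {
        "n": len(rows),
        "means": {d: round(mean(r[d] for r in rows), 2) for d in DIMENSIONS},
    }


def group_report(records, min_size=MIN_GROUP_SIZE):
    """Per-group aggregates, suppressing any group with fewer than min_size participants.

    The organisation-wide aggregate is released only when it cannot be used to back
    out a suppressed group: total minus the published groups equals the aggregate of
    the hidden participants, so the total is included only if that hidden remainder is
    empty or itself covers at least min_size participants.
    """
    by_group = defaultdict(list)
    for r in records:
        by_group[r["group"]].append(r)

    report = {"groups": {}, "organisation": None}
    hidden = 0
    for name, rows in sorted(by_group.items()):
        if len(rows) >= min_size:
            report["groups"][name] = _aggregate(rows)
        else:
            # Suppress count and means alike: a count alone can single out a tiny team.
            report["groups"][name] = {"suppressed": True}
            hidden += len(rows)

    if hidden == 0 or hidden >= min_size:
        report["organisation"] = _aggregate(records)
    return report


if __name__ == "__main__":
    # 'sales' (7) is reported; 'finance' (3) is suppressed; the organisation total is
    # withheld because it would reveal the finance aggregate by subtraction.
    print(json.dumps(group_report(SAMPLE), indent=2))
```

The remainder check is the part a reviewer should look for: with one small team suppressed and an organisation-wide score published beside six reported teams, the small team's average is a one-line subtraction away, so the total must be treated as a group in its own right.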
2.0.6 – LEGACY DATA
- We do not continue contacting individuals after the event (well-being initiative or assessment) has finished.
- All data is deleted after an event completes if the organisation or the individual requires it.
- If an individual wishes to have their records deleted, they can inform us at firstname.lastname@example.org and we will do so promptly.
2.0.7 – DATA STORAGE AND SECURITY
We use third-party vendors and hosting partners to provide the hardware, software, networking, storage and related technology required to run Quan. We do not transfer ownership of any code, databases, Website rights or data to these vendors or hosting partners.
Quan Well-Being GDPR compliance - G Suite - https://gsuite.google.com/security/
Keeping users’ information safe, secure and private is the highest priority at Google. Google has worked closely with data protection authorities around the world and has implemented strong privacy protections that reflect their guidance. The points below are Google’s description of the G Suite safeguards we rely on, not controls operated by Quan itself:
- Robust Safeguards: Google states that it is well placed to meet the security requirements of the applicable data protection laws.
- Google constantly monitors its applications and deploys patches through automated network analysis and proprietary technology, which lets it detect and respond to threats and protect products from spam, malware, viruses and other forms of malicious code.
- Incident Response: Google states that it will promptly inform customers of incidents involving their customer data, in line with the data incident terms in its agreements with them, supported by advanced threat detection and avoidance technologies and 24/7 incident management.
- Google uses security monitoring to protect users from malware.
- Google scans for software vulnerabilities.
- Google’s security and privacy experts work with development teams, reviewing code and ensuring products use strong security protections.
- User Transparency: Google provides transparency about how data is used in its ads products, asks users for permission to use data to personalise ads, and shows in real time how that data is used.
- Privacy Practices: "We already have processes to build privacy into our products from the very earliest stages, and we are continually evolving our practices, including Data Protection Impact Assessments, to meet worldwide changing requirements including those in the GDPR around Privacy by Design and Privacy by Default."
Our data processor is Label A
Label A security measures for Quan:
- Access control (authentication and authorisation are handled by Amazon Cognito; see https://aws.amazon.com/privacy/)
- Data encryption at rest and in transit (TLS certificates for data in transit)
- Continuous network and security monitoring
- Vulnerability management
- Incident response and recovery under SLA
- Security awareness training
- Multiple data centres to provide a secure and highly available service, with an availability target of 99.9% per month
- Label A has a data processing agreement with Quan BV.