Security measures Data Phenox Consultants B.V.
1. Organizational measures
1.1. Phenox works without a physical archive; privacy sensitive personal data (hereinafter: data) is only stored electronically.
1.2. The Privacy Officer (hereinafter: PO) is the person responsible for the office. In emergency situations, another person to be designated by this office manager may be granted short-term rights. In exceptional emergency situations, the IT manager could also be appointed.
1.3. If privacy-sensitive information is supplied to the customer, this will in principle take place by means of the specially designed customer portal according to the corresponding internal guidelines for a “file transfer”, including:
1.3.1. Files to be sent are always encrypted and protected with a password.
1.3.2. The employee must explicitly inform the customer that passwords are preferably sent via WhatsApp (because of its end-to-end encryption), and only to pre-agreed and approved telephone numbers.
Only at the express request of the customer can – in exceptional cases – files be sent as an attachment to an email.
If the customer explicitly chooses to have the password sent by e-mail, text message or otherwise, the resulting additional security risks are for the account of the customer.
1.4. If employees ask customers for privacy-sensitive information and/or necessary personal data, they must request the customer to supply this in a similarly secure manner. All additional security risks that arise in the context of the AVG from unsafe handling and non-compliance with the guidelines by the customer are at the expense of the customer. Phenox Consultants BV cannot be held liable in any way for the actions of the customer, and therefore also not for the consequences of the sending, (temporary) possession and possible forwarding by Phenox Consultants BV of these unnecessary personal data.
This may be the case, for example (non-exhaustive), if the customer:
1.4.1. sends unsolicited, unnecessary personal data;
1.4.2. sends, or has sent, personal data and/or passwords by e-mail, SMS or otherwise;
1.4.3. asks third parties, such as external pension providers, to provide data;
1.4.4. sends personal data in a generally unsafe manner, or has them sent in such a manner.
1.5. Compliance or non-compliance with the above and following work agreements for Phenox employees does not affect the fact that articles 1.3 and/or 1.4 apply to these data.
1.6. Received data is screened by the employees concerned upon receipt for the purpose for which it is to be used. Received data that is not necessary for the tasks to be performed is deleted immediately wherever possible. In this case, the employee concerned will notify the customer and the PO of the deletion of this data.
1.7. Data received by post is scanned as a PDF if necessary and stored in the relevant electronic customer folder. In all cases, physical data is disposed of as quickly as possible by means of a special closed container, the contents of which are destroyed by a specialized company.
1.8. Phenox employees work on the basis of a clean desk policy, which means that (possibly privacy-sensitive) information may not be physically stored and can only be present in physical form for short periods in exceptional cases, for example in the case of notes during an assignment. In that case, this (temporary) information will be kept locked when leaving the workplace or processed in accordance with paragraph 1.5.
1.9. Received data is stored in the relevant (digital) customer folder. Only employees who are directly connected to the customer have access to the electronic folder in which the data of the relevant customer is stored. This list of access rights is maintained and kept up to date by the PO.
1.10. Data that is no longer relevant to the assignment to be carried out, such as received source files, is moved at least annually to the extra-secure archive folder available for each client. By default, these folders are not accessible to anyone. If access proves necessary for whatever reason, this can only be arranged via the PO.
1.11. Employees must inform the PO in case of doubt about the state of data protection or in case of possible or actual data leakage, knowingly or unknowingly.
1.12. As far as employee data is concerned, only the principal manager and office manager have access to the relevant electronic folders.
1.13. No physical data is kept of employees. If physical information is kept for compelling or legal reasons, the employer undertakes:
1.13.1. to inform the employee concerned of this;
1.13.2. to keep the physical data under lock and key.
2. Technical measures
2.1. All devices (computers, laptops, telephones, tablets, etc.) are equipped with up-to-date antivirus software and active management. See the document: Management plan IT systems Phenox Consultants BV.
2.2. An active patch / update policy for all systems.
2.3. All devices (computers, laptops) that may contain privacy-sensitive data are encrypted and secured with strong passwords (minimum 8 characters) or a comparable strong alternative.
2.4. All mobile devices (telephones, tablets, etc.) are encrypted and secured with strong passwords (at least 6 characters) or a comparable strong alternative such as fingerprint scan or Face ID.
2.5. Mobile devices such as laptops, tablets or telephones must not be left unattended (e.g. in the car).
2.6. In case of absence, all devices must be locked.
2.7. All devices are equipped with an automatic fail-safe when not in use.
2.8. The use of mobile data carriers (including USB sticks and CDs) is generally not permitted. If necessary for the performance of the tasks, an exception can be made, but only with the permission of the PO. In that case, Phenox will provide the employee with an encrypted and secure solution.
2.9. Use of private devices and any form of data storage (including, but not limited to e-mail) on private devices (including computers, mobile devices) is expressly prohibited.
2.10. The use of, or sending of data to, private e-mail addresses or other private data storage is expressly prohibited.
2.11. Unsecured devices are expressly not allowed within Phenox.
2.12. Communication via e-mail is only permitted in a secure manner.
3. Website measures
3.1. Communication via the website, for example via a contact form, must be secured with encryption.
3.2. Phenox has an active update policy for its own and related websites.
3.3. Employees involved in adapting the websites must ensure that no sensitive information is disclosed via the website.
4. Backup measures
4.1. All data must be encrypted locally (on the Phenox servers) and only sent encrypted to the external backup server.
4.2. The data is 2048-bit AES-128 encrypted.
4.3. The decryption key required to restore the backup is only in the possession of the PO. This is stored in the designated extra secure digital locker, with a backup copy in the safe present at Phenox.
It is therefore not directly accessible by the hosting party or third parties.
4.4. To prevent unauthorized use of any stolen decryption key, the backup server is provided with an extra authentication layer.
4.5. The backup is updated in real time and features “versioning”, i.e. multiple previous versions of the same file are retained so that accidentally saved changes can be restored.
5. Server measures
5.1. The server is protected by an active firewall.
5.2. The server is equipped with up-to-date anti-virus software.
5.3. There is an active patch and update policy on the server.
5.4. The server is provided with a (limited) log feature regarding access by external users.
5.5. The server is actively managed for access rights in accordance with Article 1.5.
5.6. The server provides a backup option as set out in article 4.