Our first principle is that an employee will never have access to any data set, unless access to said data set is required to execute their job or project.

Our second principle is data minimization. All requests to data will be subject to scrutiny to assess how much (or better, how little) data is required to execute the task, to ensure that the scope (e.g. size and duration) of the data access is appropriate and a good fit. At the end of a project the data access permissions are revoked.

E.g. a new sales employee that covers Southern Europe, does not necessarily need the contact details of (potential) clients outside of that territory.

Every six months we revisit the access of employees to data sets to see if all permissions are still required.

During the on-boarding of each new employee they will, verbally and via written documentation, be made aware of our approach to (personal) data and data privacy.

When an employee leaves the company, our standardized off-boarding checklist ensures that they no longer have access to any of our company’s resources.

At least once a year, the data protection officer organises a session on data privacy, and adjacent topics, to keep the necessary stakeholders up-to-date.

The aim of these sessions is to ensure that key employees and decision makers have up-to-date knowledge about the data protection legislation and our related internal procedures.

On any extraordinary or urgent topics, an impromptu session will be hosted by the data protection officer.