‍Introduction 

This document outlines the different steps taken by Runwell in the event of a data breach, which falls under the data breach notification obligation. The data breach notification obligation is a modification to the General Data Protection Regulation, which entered into force with effect from April 27st, 2016. When there is a data breach, there is a security breach of personal data. The personal data is then exposed to loss or unlawful processing. 

‍

Data breaches can occur through: 

– willful action (cyber crime, hacking, identity theft, malware infection); 

– technical failure (ICT malfunctions);

– human error (passwords are too simple/providing a username or password to colleagues and external contacts); 

– disaster (fire in data centre, flooding);

– loss of USB stick or laptop; 

– sending an e-mail including e-mail addresses of all recipients; 

– as well as the unlawful processing of data

‍

A data breach should be reported to the Authority for Personal Data in the relevant country immediately (within two days) after the person responsible within Runwell has been informed. The parties concerned must also be notified about the data breach. For Runwell, these are generally customers (companies and employees of the companies) or Runwell’s employees. Those involved are those whose personal data has been involved in an infringement. The person concerned must be informed immediately of the breach if the breach is likely to adversely affect his/her privacy. Processors are required to report the data breach to the person responsible. 

‍

1. Person responsible: 

CEO (Chief Executive Officer) of Runwel is responsible for handling data breaches. The CEO has control over the purpose and method of processing. Formally, legally and factually (functionally), he is the person who determines the purpose and method of processing personal data. The CEO also has control and responsibility over purpose and method of processing and makes decisions about the retention periods, providing access requests, etc. The CEO has the directive role (control of the privacy management in the company). 

‍

2. Processor:

Individuals that process the data on behalf of the person responsible without being subject to his direct authority (also externally) is defined as a processor. The processor processes personal data in accordance with the instructions and ultimate responsibility of the person responsible. The processor does not make decisions about the use of the data, the disclosure to third parties and other recipients, the duration of data storage, etc. 

‍

Report 

All data breaches of personal data must be reported internally and documented by the Data Protection Officer (DPO) in Runwell’s case the CEO. The report can be made by every employee and every processor both internally and externally. The report must be sent out directly and by telephone to the DPO and it must be in writing. Our DPO reports the data breach, if necessary, to the Authority for Personal Data in the relevant country. 

‍

The DPO establishes: 

– name of the reporter

– date and time of the report 

– date and time of the breach

– nature of the infringement (is there a substantial risk of loss or unlawful processing?)

– the personal data missing in the breach

– which amount and/or data records is it regarding

– which persons are involved in the breach

– which actions have been or will be taken by the reporter

– what are the implications for those involved, according to the reporter

– the contact person for the report

‍

First analysis 

The DPO assess whether the infringement “can be reasonably assumed to lead to a significant risk of loss or unlawful processing, which adversely affects the privacy of the parties related.” If this is not the case, then the DPO will carry out the following actions: 

‍

1. inform the Management of Runwell by phone; 

2. inform the manager of specific department officer by phone (Not applicable yet); 

3. Directly convene the Data Breach Response team, consisting of: The DPO/CEO, CFO/COO and Chairman of the board. The DPO is responsible for reporting. 

‍

Data Breach Response Team 

The Data Breach Response Team, in case of a high priority, is convened by the DPO. The meeting is chaired by the DPO. The response team discusses and defines: 

‍

– the information that has been recorded by the DPO when drawing up the report

– the necessary follow-up actions with regard to the data breach (immediately seal the leak, limit access to information and simultaneously gather more information about the intruder)

 – what will be reported by the DPO to the Authority of Data Protection (aside from the nature of the infringement, which personal information, number of persons/records involved)

– the potential consequences for those involved

– the actions Runwell takes or can take to reduce the damages for those involved

– the actions that those involved can take to further reduce damages, including the manner with which they are notified

– contact information for those involved

– the method of handling the breach internally, including communication with the one who reported the breach, the relevant department(s) and manager(s)

– whether there is personal liability, or third party liability, such as on account of breach of contract (because a confidentiality obligation has been breached, or inadequate security was realised which is in violation of a contractual obligation)

– assess whether to make a declaration and determine whether there is criminal culpability. This can come into play when there is, for example, involvement from Runwell itself, a processor, or when insufficient actions have been taken to prevent disturbances.

– what is communicated internally and at what time; 

– what is communicated externally and at what time. It is determined whether the press should be informed; 

– if other stakeholders need to be informed, in addition to the Personal Data Authority;

– if other individuals and/or companies need to be informed; 

– how it is reported internally, including the shareholders; 

– if any damage is covered by the insurance policy. 

‍

Continuation 

The Data Breach Response Team decides which activities that should be carried out, and make sure that they are being done by the CTO or other relevant person/external company.

‍

Reporting to the Personal Data Authority 

The DPO reports the data breach to the Authority of Personal Data (Personal Data Authority online form in Altinn) within 2 days. The following must be reported, in any case: 

‍

– nature of the infringement, including categories involved, number of persons involved, number of data records; 

– How long the breach have been active and when did Runwell noticed

– Who is exposed for the breach

– What have happened

– Which personal data is missing 

– The relation between the processors and the affected persons

– Where is the personal data after the breach

– contact information for those involved; 

‍

Delivery confirmation of Personal Data Authority 

If a report has been made, Runwell will receive a delivery confirmation. In the reports that give rise to further action by the Authority, the Authority will contact Runwell to verify the origin of the message. 

‍

Absence of DPO 

In the event of absence, the DPO’s role will be filled by COO.