In the course of its business HEMA collects personal data about its customers, website visitors and employees via its shops, websites, applications, special offers, loyalty programme and other services. HEMA considers the protection of personal data to be of essential importance.
This document sets out the foundation of HEMA's policy on privacy, privacy-sensitive information and data protection. To protect privacy, privacy-sensitive information and personal data, effective security is a top priority for HEMA. HEMA has therefore taken appropriate technical and organisational measures to secure personal data against loss or any form of unlawful processing.
Besides national laws and regulations, European law also imposes strict privacy rules. Examples are Article 8 of the European Convention on Human Rights (everyone is entitled to respect for their private life) and the European Union's General Data Protection Regulation (GDPR), which introduces new and stricter rules on privacy and how it must be protected.
AP: Autoriteit Persoonsgegevens, the Dutch Data Protection Authority, which supervises compliance with privacy laws and can issue fines.
Data Breach: a security incident as a result of which Personal Data is lost, stolen, leaked or copied.
Data Breach Response Team: the HEMA team consisting of (i) the Head of Legal, Audit & Risk, (ii) the Privacy Officer and (iii) the Information Security Officer, which assesses and responds to notifications of Data Breaches.
Data Minimisation: the general principle, reflected in the GDPR, of keeping the personal data you collect and store to a minimum.
Data Processing Agreement (DPA): an agreement between the controller (HEMA) and a party that processes personal data on HEMA's behalf (the processor).
Data Subject: the natural person whose personal data is being processed.
Purpose Limitation: the general principle, reflected in the GDPR, of using personal data only for the purpose for which it was collected.
Personal Data: all data that can provide information about an identifiable person. Examples are: name, address, e-mail address, customer database records, characteristics, opinions and actions of people, photos and other visual material, and special categories of personal data such as data on religion or beliefs, race or ethnic origin, political opinions, health, sexual life, trade union membership and criminal records.
Privacy Statement: the information document on www.hema.nl for website visitors and customers describing how HEMA handles their personal data. The statement is amended from time to time when new developments require it.
Security Incident: every incident that resulted, or could have resulted, in loss of or damage to data, or that caused a breach of security procedures.
When working for HEMA with access to personal data, it is of great importance that you adhere to the following guidelines:
Limit the collection of personal data as much as possible (Data Minimisation)
Only use personal data for the purposes set in advance (Purpose Limitation)
Keep the storage period of personal data to a minimum
Share and give access to personal data strictly on a need-to-know basis
Keep personal data confidential
Do not share login credentials or passwords
When processing personal data, use only the HEMA network and systems; do not use USB sticks or personal cloud services
When third parties are given access to personal data, a Data Processing Agreement (DPA) is required. Contact the Legal department to have a DPA drafted.
Always consider encryption, anonymisation or pseudonymisation when processing personal data. Note that pseudonymised data (for example data in which a name has been replaced by a code that HEMA can still link back to the person) remains personal data under the GDPR; only properly anonymised data falls outside its scope.
It is important to HEMA that its services are transparent and reliable. The various responsibilities for privacy and data protection are therefore set out below:
It is the responsibility of the person working with privacy-sensitive information (e.g. the customer service, HR or e-commerce department) to comply with the guidelines in order to keep this information secure.
It is the responsibility of the person detecting a data breach to inform the Data Breach Response Team.
It is the responsibility of the Data Breach Response Team to report to the AP.
The Information Management department is responsible for the security of the HEMA network and systems.
The Information Security Officer is responsible for monitoring the security of the HEMA network and systems.
6. Data Breach / Security Incident
Security incident / Data breach
A security incident becomes a data breach when personal data (e.g. names, addresses, e-mail addresses, phone numbers, IP addresses) have been lost, deleted, altered or accessed by unauthorised persons, or when unauthorised access or viewing became possible. Examples are: losing a USB stick or mobile device, malware on PCs connected to the HEMA network, and e-mailing files containing personal data to unintended recipients. The complete loss of data (for instance after a fire where no backup exists) is also considered a data breach.
HEMA takes adequate measures to prevent data breaches, for instance by means of encryption techniques.
Incidents involving only data other than personal data are security incidents but are not considered data breaches.
What to do in case of a data breach?
The GDPR requires companies to notify the supervisory authority promptly in case of a data breach. So if you become aware of a data breach:
immediately contact the Audit & Risk department (Information Security Officer) and the Legal department (Privacy Officer)
the Data Breach Response Team starts the data breach protocol
act fast and be cooperative; HEMA must notify the AP within 72 hours of becoming aware of the breach
If a data breach occurs and is not reported to the authorities in time, fines of up to EUR 10,000,000 or 2% of annual worldwide turnover, whichever is higher, may be imposed!
7. Contact list
Martijn Suijten (020-311 4194)
Audit & Risk Department
Ayche Linsen (020-311 4473)
Head of Legal, Audit & Risk
Helen Draijer (020-311 4196)
Mob: +316 1164 4629
© HEMA - February 2017