Data Plan | Pabbl

Last updated April 01, 2021

Content

1. Privacy by design

Description: Privacy by Design involves embedding privacy proactively into all corporate functions and processes including IT systems, networked infrastructure and business practices. Demonstrating this means communicating and training all employees to use a privacy-minded framework when developing new processes, products and procedures. 
 
Pabbl works with a privacy-first policy. When developing or introducing new processes, features or practices, we assess:

  • Whether personal data is involved; 

  • What the goal is of using personal data; 

  • What the timeframe is of saving personal data; 

  • Where we save the personal data and how we protect it; 

  • Who has access to the personal data 

We aim to remain transparent towards users and employees about the personal data we process, and we update our terms of service and privacy policy accordingly. 

2. Consent management program

Description: A consent management program is a process whereby Data Subjects provide consent whenever personal data is collected. A suitable program would include offering respondents the ability to provide or decline to provide consent and a method of recording and storing said consent. 
 

In the on-boarding of our app, we ask if the future user: 

1. Is at least 13 years old 
a. If user checks ‘no’, the user is not able to use the Pabbl app and its services 
b. If user checks ‘yes’, proceed to question 2. 

2. Is at least 16 years old 
a. If user checks ‘no’, proceed to question 3. 
b. If user checks ‘yes’, proceed to question 4. 
 
3. Has permission of their parents/guardians to use the Pabbl app and its services, and the parents/guardians agree with the terms and conditions and the privacy policy of the Pabbl app and its services. 
a. If user has no permission of parents, user is not able to use Pabbl app and its services; 
b. If parents agree, proceed to question 4. 
 
4. Accepts the terms and conditions and the privacy policy of Pabbl and its services. 
a. If user checks to accept, proceed to user registration; 
b. If user does not accept, user is not able to use Pabbl app and its services. 

3. Data-processing activities mapping & justification

Description: Data mapping means documenting the flow of personal data within your company. This can be done via software or a simple graph. Creating an inventory includes categorizing and listing all applications used in-house, documenting whether or not applications process personal data and ensuring those applications handle data appropriately. 

We document all processed personal data in a database including a description of the data itself, the purpose/goal and the period and place of storage in our databases. 

4. Data Subjects' Access Rights procedure

Description: A Data Subject Access Rights procedure allows Data Subjects to request a copy of all Personal Data held regarding themselves. These requests must be handled within 30 days and a record of these requests must be logged and stored.
 

All users can request a copy of their personal data regarding themselves through: https://www.pabbl.com/gegevens-opvragen

Users should receive a record of their request within the required timeframe of their requested category: registration data, user profile, user history and usage data. 

5. Right to Erasure / Right to be Forgotten procedure

Description: A Right to Erasure policy allows Data Subjects to request that their Personal Data be erased. These requests must be handled within 30 days and a record of these requests and erasures must be logged and stored. 
 
All users can request data regarding themselves to be changed or to be erased through the Pabbl app or via: https://www.pabbl.com/wijzigen-en-verwijderen

Requests should be handled within 7 days. 

6. Information Security policy & certifications

Description: An Information Security Policy documents policies around security and technology processes as they relate to the business so that sensitive information remains secure. 
 
All users can request data regarding themselves to be changed or to be erased through the Pabbl app or via: https://www.pabbl.com/wijzigen-en-verwijderen

Requests should be handled within 7 days. 

7. Breach / Incident Management plan

Description: A Breach/Incident Management plan details processes when a breach of Personal Data occurs. All breaches must be reported to affected Data Subjects and EU Authority within 72 hours. 
 

Our breach incident plan consists of 9 steps:
 

Discovery of (potential) data breach of personal data; 

1. Directly inform DPO and Directors (Frank Malotaux, Jeroen Malotaux & Bas Gerritsen); 

2. Access data breached (involved employees, personal data & potential data processor(s)); 

3. Resolve data breach where possible; 

4. Assess data breach impact on involved people/data subjects; 

5. Establish report plan and plan to resolve involved issues; 

6. Report data breach to the official authorities (AP); 

7. Report data breach to involved people/data subjects and stakeholders; 

8. Execute plan to resolve involved issues; 

9. Review and optimize data security and data breach process. 

8. PIAs and DPIAs

Description: PIAs are completed on all company initiatives, systems and products to determine what Personal Data they touch. More information is here. 
If special categories of Personal Data are processed a DPIA must be completed. 

 

Pabbl works with a privacy-first policy. When developing or introducing new processes, features or practices, the following should be assessed: 

  • Whether personal data is involved; 

  • What the goal is of using personal data; 

  • What the timeframe is of saving personal data; 

  • Where we save the personal data and how we protect it; 

  • Who has access to the personal data 

We aim to remain transparent towards users and employees about the personal data we process, and we update our terms of service and privacy policy accordingly. 

9. Data Protection Officer

Description: An employee or third party appointed to oversee data protection strategy and implementation to ensure compliance with GDPR and privacy requirements. A DPO should report directly to the CEO and/or board. 

Frank Malotaux – fmalotaux@pabbl.com 
