GDPR statement INREV

As per 25 May 2018, the European General Data Protection Regulation (GDPR) will be applicable. We send you this letter to inform you on the efforts that INREV has and will put into GDPR compliance.

Minimising the processing of personal data received from Members
INREV processes a limited amount of personal data (privacy by design and default) in pursuance of the proportionality and necessity principles as stated in Article 5[1] of the GDPR (i.e. name of Member contact person, his/her company e-mail address and company telephone number). Special categories of personal data as referred to in Article 9[2], or personal data relating to criminal convictions and offences referred to in Article 10[3] are not and will not be processed by INREV.

Controller or processor
In terms of processor” and “controller” (Article 4[4] and Chapter 4[5]), INREV can be seen as the processor on behalf of our Members who are the actual controllers of this personal data.

Records of processing activities
We performed an internal analysis based on the criteria as provided in paragraph 5 of Article 30[6]. The results of this analysis where the following:

1. INREV is an organisation with less than 250 employees.
2. The processing it carries out on behalf of our Members is not likely to result in a risk to the rights and freedoms of data subjects (based on a risk assessment using the criteria in WP 248[7]).
3. The processing does not include special categories of data as referred to in Article 92 or personal data relating to criminal convictions and offences referred to in Article 103.
4. However, the processing is carried out more than occasionally.

For that reason, INREV will from now on maintain records of processing activities it carries out for its Members conform Article 306.

Security of processing
INREV wants all personal data to remain as secure as possible and has implemented various technical and organisational security measures to safeguard the ongoing confidentiality, integrity, availability and resilience of information, (processing) systems and services. For this the ISO27001 standard is adopted as a guidance.

Examples of information security measures that are of relevance for the processing of personal data within INREV are:

• Information security policies for among others: information classification, access control, passwords, acceptable use, ethics, mobile device and teleworking, BYOD, disposal and destruction, permanent removal of obsolete or outdated personal data, clear desk and clear screen and usage of social media;
• Policies for assistance of the controller (our Members) in compliance with their obligations under Chapter 3 of the GDPR[15], such as compliance with Article 28[14] Section 3e, regarding the fulfillment of their obligations to respond to requests for exercising data subject’s rights (such as: access, rectification, erasure and/or restriction of processing of personal data), and compliance with Article 28[16] Section 3f, regarding the obligations pursuant to Articles 32 to 36 in Chapter IV5 of the GDPR (security and DPIA).
• Procedures for among others: risk assessment and treatment, incident management, crisis management, data security breach;
• Publication of a Privacy Statement and a Cookie Policy on the website;
• Introducing a clear and unambiguous protocol for obtaining informed consent of data subjects;
• Confidentiality clauses in employment agreements,including agreements with temporary staff and consultants, that are at least equivalent to the requirements set out in INREV’s Privacy Statement;
• Attention for information security (including privacy) throughout the design phase of new products and services (privacy by design and default);
• Secure transmission by industry-standard security techniques of personal data from your computer through the INREV website to our servers;
• Servers are located in secure and controlled environments, protected from unauthorised access, use or modification;
• Only employees who need access to your personal data to perform a specific task or function are granted access to such personal data. All employees must abide by the privacy statement as stated on our website and the confidentiality clauses in the Employment Agreement;
• Yearly tests on the security of our servers.

Personal data breach
INREV has developed and implemented a documented procedure for dealing with personal data breaches that is compliant with GDPR articles 33[8] and 34[9].

Data Protection Impact Assessment (DPIA)
INREV has carried out an internal analysis to determine whether or not a formal Data Protection Impact Assessment (DPIA) according to Article 35[10] is to be carried out within INREV. The analysis was performed using the ten risk criteria provided in WP 2487. This guideline considers that the more criteria are met by the processing operation, the more likely it is to present a high risk to the rights and freedoms of data subjects, and therefore to require a DPIA. As a general rule, a processing operation meeting less than two criteria may not require a DPIA due to the lower level of risk, and processing operations which meet at least two of these criteria will require a DPIA. The result of the analysis was that all ten criteria in WP 2487 were not applicable to the processing activities of INREV and according to Article 3510, paragraph 1, INREV is not obliged to carry out such a DPIA because the processing of data is not likely to result in a high risk to the rights and freedoms of natural persons.

Data Protection Officer (DPO)
INREV has also carried out an internal analysis to determine whether or not INREV is obliged to designate a Data Protection Officer (DPO). The analysis was based on the criteria provided in Article 37[11], and resulted in the following observations:

• INREV is not a public authority or body;
• the core activities of INREV do not consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale;
• the core activities of INREV do not consist of processing on a large scale of special categories of data (as stated in Art. 9) or personal data relating to criminal convictions and offences (as stated in Art. 10).

For these reasons, INREV is not obliged to designate a Data Protection Officer (DPO). However, INREV has assigned an Information Security Officer with all subject matters regarding data protection in its portfolio.

Contractual clauses
Organisations and individuals apply for an INREV Membership via an application form in which they agree to the INREV Membership terms and conditions[12] that are published on the INREV website. In these terms and conditions, it is stated that Members’ data will be treated in accordance with the Privacy Statement of INREV[13], which can be found on the INREV website.

Members attending INREV Events and/or Training Courses are required to agree with additional terms and conditions as providing all services surrounding Events and Training Courses requires specific processing of personal data, including – in some cases the reproduction of images taken at  INREV Events.

All contractors of INREV either agree with the INREV Contractor Terms and Conditions, containing clauses to assure that these contractors will treat any personal data they may receive from or process on behalf of INREV, in accordance with the Privacy Statement of INREV13, or present INREV with contractual guarantees that are at least equal to the measures and conditions set out in the Privacy Statement of INREV13.

In the next months, INREV will thoroughly review the application/contract process for becoming a Member as well as the GDPR compliance of all our contracts, terms and conditions, disclaimers and privacy statement. Where necessary, improvements will be made about which you will be informed in due course.

1. https://gdpr-info.eu/art-5-gdpr/ ↑
2. https://gdpr-info.eu/art-9-gdpr/ ↑
3. https://gdpr-info.eu/art-10-gdpr/ ↑
4. https://gdpr-info.eu/art-4-gdpr/ ↑
5. https://gdpr-info.eu/chapter-4/ ↑
6. https://gdpr-info.eu/art-30-gdpr/ ↑
7. Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679. http://ec.europa.eu/newsroom/document.cfm?doc_id=44137 ↑
8. https://gdpr-info.eu/art-33-gdpr/ ↑
9. https://gdpr-info.eu/art-34-gdpr/ ↑
10. https://gdpr-info.eu/art-35-gdpr/ ↑
11. https://gdpr-info.eu/art-37-gdpr/ ↑
12. https://www.inrev.org/inrev-membership-terms-and-conditions-2022 ↑
13. https://www.inrev.org/privacy-statement ↑
14. https://gdpr-info.eu/art-28-gdpr/ ↑
15. https://gdpr-info.eu/chapter-3/ ↑
16. https://gdpr-info.eu/art-28-gdpr/ ↑