Data Protection, Privacy and Compliance

1. How is the data protected? What is the data protection policy?

510, the digital and data unit, is part of The Netherlands Red Cross (NLRC). The NLRC has a Data Protection Policy that has been enforced since 2018. Both the NLRC and Reliefbox adhere to the European General Data Protection Regulation (GDPR). The GDPR also specifies data breach reporting; breaches must be reported to the Dutch Autoriteit Persoonsgegevens.

NLRC employs a legal officer specialized in data protection. NLRC is a data processor for the client, as stated in the Service Level Agreement (SLA). For more information about data processors, visit: https://www.gdpreu.org/the-regulation/key-concepts/data-controllers-and-processors/

The partner remains the data controller and is responsible for any data entered into the platform. They must ensure compliance with their own data protection legislation.

Please contact our Account Manager Team to discuss any requirements and questions regarding our GDPR responsibilities at info@510.global.

2. Where and how do you store and process data?

Reliefbox and NLRC adhere to the GDPR. Data is stored, hosted, and processed in Western Europe.

3. What is your cloud server and host provider?

Reliefbox runs in Microsoft Azure Cloud, with all resources located in Western Europe by default. On request, hosting in a different region may be possible. Please contact info@510.global for further information. It may also be possible to host Reliefbox in the country where data storage and processing occur, subject to Azure datacenter availability.

4. Can you host the data in-country?

Depending on Azure datacenter availability, data storage and processing may be hosted in-country. Alternative options, such as other IaaS/PaaS providers or on-premise hosting solutions, can be discussed. Please contact us at info@510.global to discuss the best alternatives.

5. In which geographical locations do you store or process data?

Data is stored, hosted, and processed in Western Europe on Azure Cloud servers.

6. How long do you store the data?

Data is stored for a maximum of 7 years on our Azure cloud server after the last update. Data not updated within 7 years will be deleted. If a shorter storage period is required, please contact our team.

The client can delete data at any time.

7. How do you ensure data confidentiality, integrity, and availability?

Confidentiality is maintained by:

  • Limiting access to a controlled set of administrators.

Availability is ensured by:

  • Utilizing an optimized configuration in Microsoft Azure.

  • Setting up automated backups, health checks, and exception reporting.

  • Testing new code thoroughly with both automated and manual tests.

Integrity is maintained by:

  • Implementing extensive automated and manual testing.

  • Enforcing database integrity through primary/foreign key relationships, unique constraints, and non-null columns.

  • Monitoring logs and having an external company perform regular penetration tests.

  • Ensuring all involved parties adhere to the IFRC Code of Conduct.

8. Who processes the data?

NLRC, which maintains Reliefbox, is the main data processor under the GDPR.

Additional third-party processors include:

9. What are my responsibilities as a Reliefbox user?

Users are responsible for:

  • Adhering to all applicable legislation.

  • Keeping account credentials confidential.

  • Ensuring that personnel are adequately trained in data protection.

  • Evaluating the need for a Data Protection Impact Assessment (DPIA) based on their use case.

  • Establishing a data retention policy that reflects the sensitivity of the data.

  • Providing clear information to data subjects regarding data processing and their rights.

  • Enabling data subjects to exercise their rights (access, rectification, erasure, objection, etc.).

  • Maintaining a data breach protocol.

10. What are some additional privacy best practices for end-users?

Recommended reading for Red Cross/Red Crescent movement users:

  • IFRC Practical Guidance for Data Protection in Cash and Voucher Assistance

  • IFRC Data Protection Overview and General Best Practices

Recommended reading for all organizations:

  • General Data Protection Regulation (GDPR)

  • Module 3 (Data and Digital Responsibility) of the Data and Digital Literacy Introduction Course

Additional recommendations:

  • Only collect necessary data.

  • Do not retain data longer than necessary.

  • Conduct monthly or bi-monthly access reviews.

  • Handle exported Excel files responsibly by deleting them securely after use.

  • Protect Excel workbooks with a password:
      - Select File > Info.
      - Choose Protect Workbook and select Encrypt with Password.
      - Enter and confirm a robust password.
      - Update any default passwords with strong, unique passphrases.

  • Follow data protection training.

  • Use a digital password manager (e.g., Bitwarden).