Responsibilities and organisation

The overall responsibility for data protection at Pro lies with senior management. Data protection issues are part of the induction of all employees and regular training is provided.

The Data Protection Officer provides guidance and advice on the implementation and application of data protection legislation. The Data Protection Working Party is composed of representatives from different services and supports the DPO. The Data Protection Officer or a representative of the Data Protection Working Party shall be involved as early as possible in the handling of all data protection issues.

Data protection work is risk-based. Risks are regularly reviewed and corrective action is taken where necessary. An internal process is in place to deal with data breaches. The contact person in case of a data breach is the Data Protection Officer ([email protected] or [email protected]).

The Federation maintains a centralised list of members of its member associations and of associations within the meaning of the Associations Register Act. In other respects, member associations are responsible for their own activities.

Principles for processing personal data

The following principles apply to the processing of personal data:

1. Lawfulness, fairness and transparency

2. Purpose limitation

3. Data minimisation

4. Accuracy

5. Limitation of retention

6. Integrity and confidentiality

Pro monitors and manages the implementation of the Principles within its own organisation and requires its partners and contractors to comply with the Principles. Any deviations are to be reported by all parties, and the matter will be clarified and the procedures clarified.
 

Principles for contracts

Contracts for the processing of personal data and software procurement (cooperation agreements, supply agreements, service contracts, processing agreements, etc.) are always drawn up in writing.

Particular attention is paid to the requirements of the Data Protection Regulation and potential risks are analysed, identified and minimised as early as possible (data protection by design and by default). Design, testing, risk management and other documentation is comprehensively prepared and maintained. For example, if the software or system to be procured is likely to pose significant risks to data protection, an impact assessment and risk management plan will be included as part of the tender.

As the data controller, Pro is always entitled to issue instructions on data processing, which the data processor undertakes to comply with. A processing agreement (outsourcing agreement) refers to situations under Article 28 of the GDPR where personal data are processed on behalf of and for the account of Pro. A template for processing agreements has been prepared and can be used where appropriate.

The contractual partner is required to take the necessary technical and organisational measures to ensure the security of the processing. The contracting partner must process the personal data and other information of Pro only to the extent and in the manner necessary for the purpose specified in the contract and only to the extent that the data can be accessed by specifically designated persons whose tasks include the processing of such data.

Data communication between Pro and its contractual partners must be carried out in a secure manner, taking advantage of the security features of encrypted communication links and various software.

The contracting parties are each responsible for their own legal or contractual obligations. However, the contracting parties must undertake to assist Pro, as far as possible, in fulfilling its obligations under the GDPR. These obligations refer in particular to the exercise of the rights of the data subject and to situations of data breach. To the extent that a breach or threat thereof affects Pro's data, the contracting partner shall inform Pro in writing without delay of the breach or threat thereof that has occurred and provide an understanding of the cause and consequences of the breach.

Informing the data subject

The Privacy Policy on the processing of personal data can be found on the websites of the Trade Union Confederation Pro and the Unemployment Fund Pro.