
ABOUT Quan

Quan BV offers wellbeing assessments and tailored interventions to employees of organisations throughout the Netherlands. In this document we will outline our compliance and commitment to GDPR.


Wellbeing Assessments results are anonymous and are provided through Surveymonkey (see Surveymonkey site for GDPR compliance). Our processes support this and will be described below.


Quan Wellbeing involves:


A comprehensive well-being assessment

  • Each individual will complete an evidence-based well-being assessment measuring five dimensions: Mind, Body, Meaning, Social connectedness and Self-fulfilment.

Individual insights

  • Once the assessment is completed, each individual will receive a personalized report containing action-oriented well-being insights.

Tailored interventions

  • We understand that individuals will not be able to make changes on their own. Each individual can be provided, with consent, with specific interventions delivered by our network of proven experts. These can include psychologists, nutritionists, sports therapists, sleep coaches, leadership coaches and so on.


Quan wellbeing assessment can be:

  • Used by individuals opting to take part in a survey

  • Used by individuals who complete the assessment

  • Used by employees referred to complete the assessment by their organisation

  • Used by coaches to support individuals


Participants could use the assessment

  • As a standalone wellbeing assessment

  • As part of a wellbeing initiative

  • As part of a coaching engagement


Commitment statement

The EU General Data Protection Regulation (GDPR) strengthens the rights that EU individuals have over their data, and creates a uniform data protection law across Europe. We will comply with the applicable GDPR requirements as a data processor.


In general we have added transparency to our published policies, especially regarding the way we collect and process personal data and the rights you have to request changes to, or deletion of, that information. In addition to updating our Privacy Policy, we have committed to maintaining a culture of compliance by: (i) appointing a Data Protection Officer to lead this process; and (ii) developing separate Cookies and Security Policies for added clarity.


If you have any questions or requests regarding these policies, please feel free to reply to this email or contact our support team at hello@quanwellbeing.com.


1.0 GDPR COMPLIANCE OVERVIEW

Quan Wellbeing GDPR requirements

  • Notification of data breaches – When we are aware of a data breach of personal or sensitive personal data, we understand that we have a 72-hour window to notify the relevant supervisory authority of the breach. Additionally, we must individually notify data subjects of any breach that presents a high risk to their individual rights and freedoms.

  • Responsibility and ability to demonstrate compliance – Quan Wellbeing Ltd. must be able to demonstrate compliance. This document outlines our understanding of the security requirements prescribed directly or indirectly by the regulating party, and how we demonstrate compliance with them. We have aligned our data handling with secure cloud controls that meet these specific requirements.

  • Right to access – We have ensured that participants know that they have the right to data access, which means they can request the personal data they have supplied. Data will be delivered in “a structured, commonly used and machine-readable format” so that the personal data can be transferred to another data controller.

  • Right to erasure (right to be forgotten) – Participants are informed that they have the right to request the erasure of personal data held by a data controller, subject to certain conditions. We are clear about processing data, the appropriate legal basis, and when required, we have a technological ability to erase all affected data promptly.

  • Security of processing – We have implemented technical and organizational measures to ensure an appropriate level of security is in place for processing activities. These activities include, but are not limited to, pseudonymization, encryption and regular testing of organizational and technical measures.

  • Transfers of personal data to third countries or international organisations – The GDPR sets out specific requirements governing when and where personal data can be transferred to third countries or international organisations.


2.0 COMPLIANCE INFORMATION

The following information outlines the steps we have taken and the procedures we follow to comply with GDPR.


2.0.1 – LEGITIMATE INTERESTS

  • We explain clearly to anyone taking a wellbeing survey how personal data, anonymity and data usage are handled. We ensure any contracting organisation is aware of this.

  • We explain clearly how or why we need an individual’s personal data when we collect it throughout the survey, and experts forward a consent statement to all participants opting for experts.

  • We have a Privacy Policy that puts the most important information upfront. 

  • Individuals are well informed of what we plan to do with their data when we collect it.

  • We clearly state that we do not use data for marketing to third parties.

  • We collect the minimum data necessary (individuals can choose what data to enter; although we collect a minimum of name and email, these can be fictitious if required).

  • We delete records after use. If an individual asks us to delete their data from our systems, we delete their data from our systems completely and with reasonable expediency.


2.0.2 – OBTAINING AND INFORMING ON CONSENT

Asking for consent

  • We ask people to positively opt-in – individuals are invited to choose to opt in for taking a survey or for expert coaching.

  • We do not use pre-ticked boxes or any other type of consent by default.

  • We use clear, plain, easy to understand language at each step of the process.

  • We explain why we want the data and what we’re going to do with it.

  • We name our organisation and third parties who can access the data.

  • We inform individuals they can withdraw their consent.

  • We inform the individual they can refuse to consent to options such as coaching.

  • We don’t make consent a precondition of our service.

  • We are clear that we do not provide services to children.


Recording consent

  • We keep a record of when individuals refuse consent or wish to delete records.

  • We keep a record of exactly what they were told at the time.


Managing consent

  • We regularly review consent to make sure that the relationship, the processing and the purposes have not changed since consent was given.

  • We have the means to refresh consent at appropriate intervals.

  • We make it easy for individuals to withdraw their consent at any time, and show them how to do so.

  • When consent is withdrawn, we act as soon as we can.

  • We don’t penalise individuals who want to withdraw their consent.


2.0.3 – INFORMATION PROVISIONS

When collecting personal data we make sure individuals are aware of the following:

  • The identity and contact details of our organisation.

  • Contact details of the data protection responsible person are clear on the Quan wellbeing website.

  • The legal basis for the data processing (consent or legitimate interests) and why it applies.

  • Any countries outside the EU in which the data may be processed.

  • Their right to have their personal data deleted and to object to data processing in the future.

  • Their right to complain to the national data protection authority.


2.0.4 – THIRD PARTY DATA

  • We do not supply data to any third parties for business or marketing reasons.

Third Party Services

  • We may use a variety of services offered by third parties to help maintain and improve our Website, to help us understand the use of our Website and Services, or simply to provide the Services.

  • These services may store both personally identifiable information about you which we collect and the information sent by your browser as part of a web page request, such as cookies or your IP address.

  • If any third parties are given access to your personally identifiable information, we will limit the use of such personally identifiable information to providing the services we have requested from them.


2.0.5 – PROFILING

Profiling means evaluating personal data in order to review individual or group data.

  • We provide data reports to organisations using anonymous data, and inform people that group reports will only be produced for groups of 5+ participants and will respect medical and client confidentiality.

  • Marketing communications for all services include detail on the use of data.

  • We tell people how and why we profile personal data, and give people the chance to opt out.


2.0.6 – LEGACY DATA

  • We will not continue contacting individuals after the event (Wellbeing initiative, coaching, survey) has finished.

  • All data is deleted following an event completion if required by an organisation or individual.

  • If an individual wishes to delete their records, they can inform us at hello@quanwellbeing.com and we will do so expediently.


2.0.7 – DATA STORAGE AND SECURITY

We use third party vendors and hosting partners to provide the necessary hardware, software, networking, storage, and related technology required to run Quan. We do not transfer ownership of any code, databases, Website rights or data to any third party vendors or hosting partners. 


Quan Wellbeing GDPR compliance - G Suite - https://gsuite.google.com/security/

Keeping users’ information safe, secure and private is the highest priority at Google. They have worked closely with data protection authorities around the world and have implemented strong privacy protections that reflect their guidance. The points below are Google’s own statements about G Suite security, so “we” in them refers to Google.

  • Robust Safeguards: We are well placed to meet the security requirements of the applicable data protection laws.

  • We constantly monitor our applications and deploy patches through automated network analysis and proprietary technology. This lets us detect and respond to threats to protect products from spam, malware, viruses, and other forms of malicious code.

  • Incident Response: We will promptly inform you of incidents involving your customer data in line with the data incident terms in our agreements with you. This is backed by advanced threat detection and avoidance technologies and 24/7 incident management.

  • We use security monitoring to protect users from malware.

  • We scan for software vulnerabilities.

  • Our security and privacy experts work with development teams, reviewing code and ensuring products utilize strong security protections.

  • User Transparency: We provide transparency about how data is used in our ads products. We ask users for permission to use data to personalize ads and provide transparency into how the data is used in real time.

  • Privacy Practices: "We already have processes to build privacy into our products from the very earliest stages, and we are continually evolving our practices, including Data Protection Impact Assessments, to meet worldwide changing requirements including those in the GDPR around Privacy by Design and Privacy by Default."


We collect and process the data via SurveyMonkey (https://www.surveymonkey.com/mp/privacy/).

SurveyMonkey holds the following certifications:

  • ISO 27001 certified

  • EU-US Privacy Shield certified

  • PCI DSS 3.2

  • HIPAA compliant

  • SOC 2 accredited data centers


Other SurveyMonkey security measures:

  • Access control (authentication and authorization)

  • Single sign-on support

  • Data encryption at rest and in transit

  • Continuous network and security monitoring

  • Vulnerability management

  • Incident response and recovery

  • Security awareness training

  • Periodic independent third-party security reviews and penetration testing

  • Multiple data centers to guarantee a secure and highly available service at scale

  • A select group of trusted security partners, to ensure customers are always protected with best-in-class security