We are aware that sensitive personal data, including that of a medical nature, is collected in the NiceDay app. The GDPR imposes strict requirements on the processing of such personal data, for example regarding security. NiceDay has taken appropriate measures to protect the personal data and keeps these measures up to date from time to time. On this page we inform you about these measures and other details about how we handle personal data. For our full privacy statement, click here.
Basic Principles GDPR
The General Data Protection Regulation came into effect in 2018. This law regulates at European level how the privacy of data subjects is protected when processing personal data.
Any processing of personal data must in any case comply with the principles of lawfulness, fairness and transparency. The controller is responsible for compliance with the law, together with any processors.
When NiceDay is used in the context of a medical treatment agreement by a healthcare provider, or by an employer in the context of an employment contract, NiceDay is regarded as the processor. The controller is the party who has agreed with us to use the application. After all, that party determines the purpose of the application’s deployment.
For private individuals who wish to use the NiceDay app on their own initiative, NiceDay is the controller.
What does NiceDay do to protect your personal data?
Processing agreements
NiceDay enters into processor agreements, based on a model that is common in the healthcare sector, with the controllers (if applicable) and with the (sub)processors engaged by NiceDay.
The current (sub)processors of NiceDay are:
| Name of party | Type of party | Location of storage of personal data | Guarantee for data processing outside the EEA (if applicable) |
|---|---|---|---|
| Google Cloud (Region: Netherlands) | Primary Data Hosting | https://cloud.google.com | |
| CloudVPS | Data Hosting Failover | https://www.cloudvps.nl/ | |
| Amazon S3 (Region: Germany) | Uploading Files & Photos | https://aws.amazon.com/s3/ | |
| Twilio | Primary Video Calling Technology Provider | https://www.twilio.com/video | |
| Segment | Analytics Warehousing | https://segment.com/ | |
| Firebase | Crash Reporting (Mobile Apps) | https://firebase.google.com/ | |
| Urban Airship | Push Notifications Service Provider | https://www.airship.com/ | |
| Mailjet | Email Service Provider | https://mailjet.com/ | |
| Visual Studio App Center | Application Updates Provider | https://appcenter.ms/ | |
| Cloudflare | DNS Provider | https://cloudflare.com | |
| Freshdesk | Ticketing Support | https://freshdesk.com |
Privacy declaration
We try to be as transparent as possible about the use of personal data. We have drawn up a privacy statement for this, which you can read here. Among other things, it deals with how a data subject can exercise his or her rights under the GDPR, such as access or deletion, in the event that NiceDay is the controller.
Security measures
NiceDay takes appropriate technical and organisational measures with regard to the processing of personal data to be carried out, against loss or against any form of unlawful processing (such as unauthorised access, damage, modification or provision of the personal data). This means that NiceDay uses a combination of, among other things, firewalls, encryption and authentication procedures to secure personal data and protect user accounts and systems from unauthorised access.
NiceDay has at least taken the following technical measures.
- The network servers have been housed in a secure data centre of Google Cloud, Nederland region and Cloud VPS;
- The internet connections within this provider are not open internet lines but private lines. The data traffic (for example from computers to servers and from servers to printers) is completely separated from the open internet;
- The controller has one good and safe access to and from the internet by means of an L5 security solution. Only the necessary traffic from inside to outside and from outside to inside is open.
- For working from internet locations on the controller’s system, two-factor authentication is used, namely a personal password for access to a computer and another personal password for using a VPN connection;
- There is a password policy to login to the terminal server. access to servers is only possible with verification of public / private keys and is only accessible with VPN connections.
- There is a good virus scanner. The incoming mail has a good ‘managed’ filter to stop malicious code. Outgoing mail is (if possible by the receiving end) sent encrypted over the internet;
- The processing of data is also handled encrypted within the network as much as possible;
- Permission groups are used within the network. Membership of a permissions group gives the right to use certain files or applications.
NiceDay has taken the following organisational measures:
- Employees only have access to Personal Data if and as soon as the Controller gives permission for this
- Employees must lock a workplace with flag + L before leaving the workplace;
- The use of web applications on employees’ computers is discouraged because of the leakage of opened files via the temporary folder of the internet browser;
- There is a dismissal procedure. Here, the steps to be taken are described for the technical denial of access to the various systems, so that a former Employee cannot gain undesired access to these systems.