Privacy Statement COMMA

This privacy statement informs users of COMMA about the processing of personal data in COMMA. For more information or questions about this privacy declaration you can mail to: DCV-COMMA@minbuza.nl

Last updated on 4 November 2022

Purpose and necessity of personal data processing
COMMA processes personal data for the following purposes:

With the launch of the COMMA long distance learning platform the Directorate for Consular Affairs and Visa Policy (DCV) promotes and facilitates the development of consular knowledge and skills of the consular staff. With this knowledge and these skills, consular staff will be able to provide suitable service and support to Dutch nationals abroad who qualify for social consular assistance. Processing personal data of the users of COMMA is necessary to inform DCV to what extend COMMA is used by the consular staff and when it needs to be updated.
In addition, COMMA can be used by employees who do not regularly work in the consular field to either prepare for a future consular position, or because he or she has a personal interest in consular work or because special circumstances forces someone to, temporarily, perform consular duties.
In conclusion, DCV can take decisions about the further development of COMMA (content and learning methods, but also possible extension to other directorates at Foreign Affairs) based on the way and extent to which COMMA is being used.
With the introduction of remote learning through the COMMA application, the Main Directorate of Operations, 3W, FSO and FEZ promote and facilitate the development of knowledge and skills in the field of operations for all employees at the ministry and missions abroad who handle operations. With this knowledge and these skills, employees in operations will have the right support to perform their jobs to the best of their ability.

The processing of personal data by COMMA takes place as part of the operational management of the consular services. The legal ground for the processing of personal data is legitimate interest.

Categories of personal data and reports
COMMA processes the following personal data of its users:

First name;
Family name;
Contact information (e-mail address);

Furthermore, the status of the exam (‘followed’/’passed’) is processed. In conclusion, the use of COMMA is automatically processed in reports. These reports provide the previously mentioned data as well as the following details:

Last login time;
Followed modules;
Result of the test exam;
Result of the final exam.

Based on the ‘need to know’ principle, users can see their own results in COMMA. Reports about the use of COMMA by all users can be seen, essentially, only by the staff members that are authorized to put together these reports for the benefit of heads of department and/or heads of unit. Only managers at DCV are then allowed to examine the content of these reports (via the Tableau reporting tool and through data from BZIAM) from COMMA. In view of the degree and the way in which COMMA is being used by all users they can then make decisions about the further development of COMMA as a learning instrument. No reports are made at individual level. DCV does not check who has followed/finished which e-learnings nor does DCV look at individual results. There are no consequences when a final test is not passed. At their request and via the mission film, managers and/or COMMA contacts at the missions abroad can be informed on the use of COMMA at their own mission, still only based on anonymous totals, not at individual level.

Data sharing
Personal data of users will only be shared with third parties in case of I) a legal obligation to do so and/or II) the sharing is necessary in order to provide the COMMA services. In the latter case, the Ministry of Foreign Affairs concludes a data processing agreement to ensure the same level of security and confidentiality of the personal data of COMMA users. For the use of COMMA, the Ministry is currently cooperating with the following contractors: Tele’Train Education BV and Creapolis Media BV. A data processing agreement was concluded with both contractors.

Retention period and data security
The processed personal data will be deleted two months after the termination of a position or at the request of a user through the Self Service Portal (SSP). The Ministry of Foreign Affairs ensures that personal data for which it is responsible is appropriately protected.

Privacy rights
A user of Comma can submit a request in the following situations:

A user wishes to know what personal data is being processed;
A user wishes to modify personal data;
A user wishes to have personal data deleted;
A user wishes to limit the processing of personal data;
A user wishes to lodge an objection.

A request can be submitted to the Ministry by sending an e-mail to djz-nr@minbuza.nl or by regular mail. The mail address is:

Ministry of Foreign Affairs
Legal Affairs Department (DJZ/NR)
P.O. Box 20061
2500 EB The Hague
The Netherlands
Requests for inspection and correction can also be made via an SSP request.

Contacting the data protection officer
The Ministry of Foreign Affairs has a Data Protection Officer. This officer monitors internal compliance with privacy legislation. This officer can be contacted by sending an e-mail to FG@minbuza.nl or by regular mail. The mail address is: Data Protection Officer
Ministry of Foreign Affairs
Security, Crisis Management and Integrity Group (VCI)
P.O. Box 20061
2500 EB The Hague
The Netherlands

Personal Data Authority
Any complaints can be filed with the Dutch privacy regulator, the Personal Data Authority.

Phishing messages
If phishing messages are suspected, please refer to the procedure for reporting phishing messages.

Data breaches
In case of (suspected) data breaches, please refer to the SSP-form for reporting data breaches.

Other Information Security (IB) incident
Other IB incidents can be reported via security2@minbuza.nl.