Introduction
The online world is increasingly dependent on information and (mostly automated) information systems. The amount of information is also growing due to developments such as personalized learning with ICT. This dependence on ICT and data introduces new vulnerabilities and risks. It is essential to take adequate measures in the area of information security and privacy (GDPR) to reduce the consequences of these risks to an acceptable level and to ensure the smooth continuity of education and business operations.
Explanation of Information Security
Information security refers to the implementation and maintenance of a coherent set of measures to guarantee the quality aspects of information provision.
These aspects are:
Availability: the extent to which data and/or functionalities are available at the right times.
Integrity: the extent to which data and/or functionalities are accurate and complete.
Confidentiality: the extent to which access to data and/or functionalities is limited to those authorized.
Insufficient information security can lead to unacceptable risks in the execution of education and in the organization’s business operations. Incidents and breaches in these processes can result in financial loss and reputational damage.
Explanation of Privacy
Privacy concerns personal data. Personal data must be protected in accordance with current laws and regulations. Privacy protection regulates, among other things, under which conditions personal data may be used. Personal data includes all information that can be traced back to an individual. Processing refers to any action concerning personal data. The law provides examples of processing: collecting, recording, organizing, storing, updating, modifying, retrieving, consulting, using, sharing by transmission, distribution, or any other form of provision, combining, linking, shielding, erasing, and destroying data.
Interconnection Between Information Security and Privacy
Information security is an important part of privacy protection, while careful handling of personal data is in turn necessary for information security. The two concepts are interdependent. In this policy, the combined topic of information security and privacy is referred to as GDPR.
Purpose
This policy aims to:
Guarantee the privacy of clients and employees, thereby preventing security and privacy incidents and their potential consequences.
This policy is designed to optimize the quality of information processing and the protection of personal data, maintaining a good balance between privacy, functionality, and security. The underlying principle is that the personal privacy of individuals, particularly employees and clients, is respected and that The Boost Group complies with relevant laws and regulations.
Scope
The information security and privacy policy within The Boost Group applies to all employees, clients, suppliers, and external relations (hired staff / outsourcing). This policy also applies to all devices from which authorized access to systems can be obtained.
The focus of the policy is on applications under the responsibility of The Boost Group. The policy covers both controlled information generated and managed by the organization itself and uncontrolled information for which the organization may be held accountable, such as statements by employees in discussions or on (personal) websites.
The policy applies to the processing of personal data of all individuals involved with The Boost Group, including employees, clients, suppliers, and external relations, as well as other individuals whose personal data The Boost Group processes.
The policy applies in particular to fully or partially automated/systematic processing of personal data under the responsibility of The Boost Group, as well as to the underlying documents included in a file. It also applies to non-automated processing of personal data that is recorded, or intended to be recorded, in a file.
The GDPR policy within The Boost Group intersects with:
General security and access control policy: focusing on emergency response, physical access and security, crisis management, facilities, and accidents
Personnel and organization policy: focusing on employee onboarding/offboarding, role changes, segregation of duties, and trust positions
IT policy: focusing on acquisition, management, and use of ICT and (digital) learning tools
Principles
General Policy Principles
The main policy principles at The Boost Group are:
Information security and privacy must comply with all relevant laws and regulations, in particular the Personal Data Protection Act and the General Data Protection Regulation (effective May 25, 2018).
The processing of personal data is based on a legal ground, balancing The Boost Group’s interest in processing data with the individual’s interest in exercising choice regarding their personal data.
Within The Boost Group, safe and reliable handling of information is everyone’s responsibility. This includes actively contributing to the security of automated systems and stored information, as well as physical documents.
The organization owns the information produced under its responsibility and manages information owned by third parties (copyright). Employees and clients must be well informed about regulations concerning the use of information.
Information has value: financial, economic, and emotional. Information at The Boost Group is classified, and this classification forms the basis for the required measures. Risks are identified through risk analysis based on that classification. Investments and measures are kept proportionate to the risks to what we want to protect.
All employees, clients, suppliers, and external relations are expected to behave responsibly. Unacceptable behavior leading to unsafe situations, damage, or reputational loss is not tolerated. The Boost Group has formulated, approved, and implemented a code of conduct.
Information security and privacy at The Boost Group is a continuous process, with regular evaluation (at least annually) to determine if adjustments are needed.
Information security and privacy are considered from the outset whenever the infrastructure changes or new (information) systems are acquired.
Privacy Principles
The five key rules regarding handling personal data at The Boost Group are:
Purpose limitation: Personal data is used only for explicitly defined and justified purposes. These purposes are concrete and established before processing. Personal data is not processed in ways incompatible with the original purpose.
Legal basis: Processing personal data is based on a legal ground: consent, agreement, law, public task, vital interest of the individual, or legitimate interest.
Data minimization: Only necessary personal data is processed. Data type must be proportional to the purpose, and data is not stored longer than necessary.
Transparency: The organization informs individuals (clients, suppliers, employees) transparently about the use of their data and GDPR policies. Individuals have rights to correction, supplementation, deletion, or restriction of data, and can object to processing.
Data integrity: Measures are in place to ensure personal data is accurate and up to date.
Personal data must be adequately protected according to generally accepted security standards.
For registrations based on consent, The Boost Group provides a clear opt-out procedure for the individual.
Monitoring and Reporting
This information security and privacy policy is reviewed and updated by management at least every two years, considering:
The overall status of information security (policy, organization, risks)
The effectiveness of measures and demonstrable impact
The Boost Group also maintains an annual planning and control cycle for information security and privacy, a periodic evaluation process to assess policy content and effectiveness.
Meetings are aligned with existing organizational consultation structures:
Strategic level: guidance on organization and compliance, as well as GDPR goals and scope
Tactical level: translating strategy into plans, standards, and evaluation methods, guiding execution
Operational level: discussing daily business operations. These meetings are organized locally and, if needed, in every organizational unit of The Boost Group
Awareness and Training
Policy and measures alone are insufficient to eliminate risks in information security and privacy. Human factors are usually the main risk. Therefore, The Boost Group continuously enhances employee awareness to increase knowledge of risks and encourage safe, responsible behavior. Regular awareness campaigns for employees, participants, and guests are part of the policy.
Classification and Risk Analysis
At The Boost Group, all information has value. All data covered by this policy is classified. The level of security measures depends on classification. Classification is based on risk analysis, considering availability, integrity, and confidentiality as key quality aspects.
Incidents and Data Breaches
All incidents can be reported to info@theboostgroup.io.
Incident handling follows a structured process, including steps for GDPR data breach reporting obligations.
Compliance, Monitoring, and Sanctions
Compliance consists of general oversight of daily GDPR practices. Leaders and process owners are responsible for ensuring employees adhere to standards. The Boost Group actively addresses GDPR compliance during hiring, performance reviews, through organization-wide codes of conduct, periodic awareness campaigns, team meetings, and workshops. The organization’s owner plays a key role in promoting compliance with the Personal Data Protection Act.
New York
+1 (607) 303-6728
London
+44 7782337346
Chamber of Commerce (Kamer van Koophandel) number
87210843
VAT number
NL003375941B11