5.8 Consumers and end-users
A growing part of our business model is providing our customers with SaaS solutions to support them in optimizing their core business operations. Due to the expansion of our SaaS portfolio, we process more and more sensitive data every day. For example, within the key market Healthcare, this is highly sensitive information concerning our customers' clients and caregivers. Within the key market Security, this is security information of the end-users, primarily members of the organizations who use our security solutions. For this reason, we need to maintain a high level of information security to prevent widespread impact on our end-users, whose data we process within our solutions. Failing to comply with high information security standards not only poses a risk of regulatory fines, but also of reputational damage for Nedap as a whole, as we depend on our end-users to trust the security of our solutions.
5.8.1 Policies related to consumers and end-users
Privacy, and by extension the security of personal data, is an internationally recognized human right that businesses are expected to respect under the United Nations Guiding Principles on Business and Human Rights. Protecting the human rights of our customers and end-users is a core aspect of our business operations. As disclosed in section 5.7 Own workforce, respecting human rights is embedded in the Nedap code of conduct, as well as in our Human Rights policy. We have also embedded compliance management on privacy and data security as a key element of the Nedap Compliance Framework.
Additionally, Nedap's Privacy Policy outlines how General Data Protection Regulation (GDPR) principles are applied when processing any personal data, with a focus on safeguarding individuals' rights and on addressing and remediating any potential impacts on privacy. The implementation of the Privacy Policy was completed in 2024. The full policy is published on our internal website, and a summary is published as the privacy statement on our public website. Each business unit has a designated privacy officer who is trained for the role and serves as the primary contact for privacy-related matters. Internationally, Nedap is expanding its privacy framework, planned to be finished in 2025, with a General Privacy Officer overseeing privacy risks across the organization. A Data Protection Officer (registered with the Dutch Data Protection Authority) supervises Nedap's privacy compliance, with ultimate responsibility resting with the Board of Directors.
Nedap's Information Security Policy outlines our commitment to safeguarding information by balancing security and availability, prioritizing security when necessary. It establishes governance through the Board of Directors and a Security Committee, defines roles and responsibilities, and aligns controls with ISO 27001 standards. The policy covers risk management, asset protection, access controls, network security, employee training and incident response, ensuring compliance with legal and contractual requirements. It emphasizes security across the upstream and downstream value chain, requiring suppliers and partners to adhere to security standards, protect data and mitigate risks associated with third-party access and outsourced development. The Nedap N.V. Information Security Policy is available on our intranet Spark.
Both policies describe how customers and end-users can contact us regarding data security and privacy matters, which is further detailed in the next subsection.
5.8.2 Processes for engagement
Nedap has established general privacy and security incident response procedures. Incident reports by end-users, either directly or via business partners, are registered, followed up on by relevant teams and resolved according to internal protocols. A root cause analysis is a mandatory part of this process from an information security perspective. Depending on the nature of the incident, the information is communicated back to the individual or party that submitted the incident report. In some cases, communication with a broader group of stakeholders may be required. The Board of Directors is ultimately responsible for ensuring the correct actions are taken.
The Nedap Privacy Policy emphasizes the protection of individuals' rights and freedoms while managing potential privacy impacts. Several processes support this effort, including privacy assessments that ensure personal data is handled appropriately in both internal and external tools used by Nedap. Data processing activities are recorded in the company’s data processing register, and data protection impact assessments (DPIAs) are conducted where applicable.
Any data breaches are managed in accordance with Nedap's Incident Response Plan. Data processing agreements (DPAs) include provisions for reporting breaches and other concerns.
Feedback and input from stakeholders such as business partners and customers are received through various channels, including formal communication channels and informal interactions with Support, TechOps, Customer Success and Product Management.
In the event of a critical security incident, Nedap may issue a press release to inform stakeholders.
Coordinated vulnerability disclosure (CVD) has been implemented for the Healthcare and Retail business units. The implementation of CVD for the Livestock and Security business units is in progress and scheduled to be completed in 2025. CVD gives external parties, such as security researchers, a defined route to report vulnerabilities in our software products, and sets out how those reports are assessed, remediated and disclosed in coordination with the reporter. The process covers risk identification, incident response and stakeholder engagement, and is aligned with ISO 27001. It ensures that vulnerabilities are assessed, mitigated and transparently reported. By integrating CVD, Nedap strengthens its cybersecurity resilience, regulatory compliance and the trust placed in it across its ecosystem.
5.8.3 Remediating negative impacts and raising of concerns
We have various processes in place through which we aim to remediate any negative impacts to customers. Incident Response Plans are in place for handling data breaches and other incidents, and these plans are reviewed periodically. For privacy-related issues, general channels such as privacy@nedap.com (accessible at nedap.com/privacy) allow individuals to raise concerns.
When Nedap acts as a data processor, customers can contact the privacy officer of the relevant business unit, following the terms outlined in the DPA. The DPA also specifies procedures for customers to report data breaches.
Each business unit has communication portals for raising concerns, and data breaches are managed internally according to the Incident Response Plan. All significant data breaches are reported to the specific privacy officer, as well as to the General Privacy Officer, who logs them in the general Incident Register.
Nedap actively uses and continuously monitors the channels available for customers to contact the company. In doing so, Nedap aims to ensure that appropriate follow-up actions are taken and that negative impacts are remediated. We assess the effectiveness of these channels by reviewing the number of reports submitted and the actions taken in response to those reports.
Additionally, Nedap has a whistleblower policy to protect any person who raises a concern.
Nedap has a crisis communication plan that is activated in the event of an incident or crisis that could negatively impact consumers or end-users. This plan includes information regarding the remediation of such incidents.
For general information security concerns, info@nedap.com is used as a contact point. Incidents are handled according to the relevant incident response plans, while vulnerabilities are addressed through the respective vulnerability response plans. Each business unit maintains its own incident response plan and incident register.
Depending on the nature of the security issue, national laws such as the Security of Network and Information Systems Act ('Wet beveiliging netwerk- en informatiesystemen'; Wbni) or the Cyber Security Act ('Cyberbeveiligingswet'; CBW) may require Nedap to notify the appropriate supervisory authorities, such as the Dutch Authority for Digital Infrastructure ('Rijksinspectie Digitale Infrastructuur'; RDI).
Each year, we receive both privacy- and security-related reports through our formal and informal channels. We take this as an indication that customers and end-users are aware of and trust our processes, and that our channels for raising concerns are effective.
5.8.4 Actions in relation to IROs
Managing privacy and security impacts, through the actions that follow from our policies and with which we aim to prevent incidents, is an ongoing process at Nedap. By maintaining a continuous focus on privacy and security, we minimize the likelihood of vital or critical incidents occurring. Nedap has established a privacy organization to ensure that the privacy of data subjects, including all consumers and end-users whose data we process, is protected. This is detailed in the Privacy Policy.
Nedap's privacy officers hold regular meetings to share knowledge and discuss developments, incidents and projects, all aimed at protecting consumers and end-users. Progress on reported incidents is monitored during these meetings, and relevant updates in legislation are discussed within the compliance framework. Nedap uses learnings from incidents to improve processes and assess their effectiveness.
To ensure compliance, Nedap drafts DPAs, conducts privacy assessments for new tools, products and services, and facilitates the exercise of data subject rights. The privacy officers participate in events, such as seminars and webinars, to stay informed about the latest developments in privacy legislation and technology.
Nedap's Privacy Policy and its related processes undergo an annual review by the General Privacy Officer to ensure they remain current and effective. This review includes updates based on changes in legislation, insights and best practices.
Each business unit has an incident response plan outlining responsibilities and processes, as defined in the Standard Operating Procedures (SOP). These plans focus on follow-up, remediation and prevention of negative impacts. We are exploring the option of combining the different SOPs into one Nedap-wide SOP.
Nedap's ISO 27001 certification, together with other security-related certifications, reflects the ongoing work required to maintain these security standards. Nedap intends to retain its ISO 27001 certification.
Nedap has a Security Committee, and progress is regularly discussed during security officers' meetings. Security officers use insights from these meetings and from incident reviews to improve processes. The company also continuously participates in various industry and government initiatives, such as its membership of the Cyber Resilience Centre Brainport ('Cyberweerbaarheidscentrum Brainport'; CWB) and its involvement with the National Cyber Security Centre ('Nationaal Cyber Security Centrum'; NCSC), to stay up to date on data security issues. These actions contribute to achieving the targets set in the policy.
As with privacy, Nedap's Information Security Policy is reviewed annually by the Information Security Officer to ensure it remains relevant and effective, incorporating updates based on new legislation and best practices.
Each business unit has an Information Security Officer.
5.8.5 Targets and metrics related to managing IROs
At Nedap, we encourage people to report all privacy and security incidents, no matter the size. All reported incidents are registered as data leaks in the incident log and are subsequently classified based on size and exposure. Size represents the number of applications or parties involved, and exposure the number of business units or legal entities affected. Based on the incident's size and exposure, we assign an escalation level of vital (endangering the continuity of Nedap), critical (severe damage to Nedap) or regular. Please refer to subsection 5.10.5 Incident classification of section 5.10 Sustainability notes for more detailed information about the incident classification.
Both policies focus on minimizing impact; Nedap's standing target is therefore zero vital or critical incidents. We analyze all incidents, even minor ones, so that we can learn from them and take action to prevent recurrence. To encourage the reporting of all incidents, we regularly discuss privacy and security impacts and risks with our stakeholders. Implementing security measures and continuously monitoring privacy risks reduces the likelihood of breaches and compliance violations.
In 2024, there were no critical or vital incidents (2023: 0 and 0).
There were no instances of privacy and data security-related human rights violations reported in 2024.