We process personal data in the context of providing our services. It is possible that you share this information with us, for example via our website, e-mail, phone, or app. We may also obtain your personal data in the context of our services via third parties (for example your employer). This privacy statement explains how we handle this personal data.
THE PERSONAL DATA WE PROCESS
We process various types of personal data, depending on the service and circumstances. Usually, this concerns the following data:
- Name and address;
- Position of contact persons;
- Birthdate and place;
- Contact details (e-mail addresses, phone numbers) and name and position of contact persons;
- Copies of IDs;
- Citizen service number (only if necessary!);
- Passport photo (only if strictly necessary! For example, for the personnel file);
- Salary and other data required for tax returns, salary calculations, etc.;
- Marital status, details of partner, and where relevant information about children; to the extent necessary for tax returns etc.);
- Bank account number;
- Information about your activities on our website, IP address, internet browser and device.
PURPOSE AND GROUNDS FOR PROCESSING
Sometimes, we process personal data to comply with a statutory obligation, but usually processing is carried out so we can provide our services. Some data is recorded for practical reasons or in view of efficiency reasons, which we assume and may assume are also in your interest, such as:
- Communications and sharing information;
- To provide our services as efficiently as possible;
- To improve our services;
- Invoicing and collection.
In practice, this also means that we use your personal data for marketing or to send you advertisements or messages about our services, in cases where we think these may be of interest to you. We can also contact you to request feedback on services we provide, for marketing or other research purposes.
In appropriate cases, we may want to process personal data for reasons other than the above, in which case we will ask you for your explicit consent to do so. If at any time we want to process your personal data that we are authorized to process based on your consent for other purposes than those for which you gave consent, we will first request your consent again.
Finally, we may also use your personal data to protect our own and our users' rights and property, and, if necessary, to comply with legal procedures.
SHARING OF DATA WITH THIRD PARTIES
In the context of our services, we may use the services of third parties, for example if these third parties have specialist knowledge or resources that we are lacking in-house. These third parties may be processors or sub-processors, who will process the personal data based on your exact assignment. Other third parties who are not processors of the personal data in the strict meaning of the term, but who have or may have access to your data, include our system administrator, suppliers, and hosting parties of online software, and advisors whose advice we obtain regarding your assignment. If, by engaging third parties, these third parties gain access to the personal data or that they record or otherwise process this data, we will agree in writing with those third parties that they will comply with all the obligations of the GDPR. We will only engage third parties if we can and may assume that these parties are reliable and able to handle personal data adequately, and that they will comply with the GDPR. Among other obligations, this means that these third parties may only process your personal data for the purposes mentioned above.
We may also have to provide your personal data to third parties in connection with a statutory obligation.
Under no circumstances will we provide your personal data to third parties for commercial or charitable purposes, unless you give explicit consent to do so.
We will not process your personal data for longer than is useful for the purpose for which it was provided (see the section 'Purposes and grounds for processing'). This means that your personal data will be retained for as long as necessary to achieve the relevant goals. Certain data must be kept for a longer period, usually 7 years, in the context of our statutory retention obligations, such as the tax data retention obligation, or in connection with the rules of our professional association.
We have taken appropriate organizational and technical measures to protect personal data to the extent that this can reasonably be expected of us, taking into account the interest to be protected, the latest technological insights, and the costs of the relevant security measures.
We oblige our employees and any third parties who require access to personal data to maintain confidentiality. We also ensure that our employees have received correct and complete instructions on handling personal data, and that they are sufficiently familiar with the responsibilities and obligations set out in the GDPR. If you wish, we will be happy to provide you with further information about how we protect your personal data.
You have the right to inspect, rectify, or erase the personal data we hold about you, unless this conflicts with any statutory obligation. You can also object to the processing of all or part of your personal data by us or one of our processors. You also have the right to request us to transfer the data you provide to yourself, or directly to another party.
If a data breach occurs regarding the personal data in question, we will inform you without delay, unless there are compelling reasons not to do so, if there is a concrete risk of negative consequences for your privacy and this happening in practice. Our policy is to inform you within 48 hours after we have discovered such a data breach, or have been informed about it by our processors of sub-processors.
If you have a complaint about the processing of your personal data, please contact us. If this does not resolve your issue, you always have the right to file a complaint with the Dutch Data Protection Authority, the supervisory authority for privacy in the Netherlands.
PROCESSING IN THE EEA
We will only process your personal data inside the European Economic Area, unless you have concluded written agreements stating otherwise with us. However, this does not apply in situations in which we want to draw up an inventory of contacts via our website or social media pages, such as Facebook and LinkedIn. This could include data on visitor numbers and requested web pages, for example. Your data is stored by third parties outside the EU when Google Analytics, LinkedIn, or Facebook are used. These parties have obtained certification under the EU-US Privacy Shield, which requires them to adhere to European privacy regulations. However, this only concerns a limited amount of sensitive personal data, in particular your IP address.
The first point of contact for privacy aspects at our organization is Guy van der Heijden, who can be contacted by phone on +31 43 321 4477.