We process personal data in the context of our services. We may have received this information from you, for example via our website, e-mail, telephone or app. In addition, we may obtain your personal data from third parties in the context of our services. With this privacy statement we inform you about how we handle this personal data.
Processing of personal data and purposes
If we process Personal Data, this will take place in accordance with the requirements set by the General Data Protection Regulation (GDPR) and the related laws and regulations.
Which personal data we process depends on the exact service and circumstances. This usually concerns the following data:
• Name and address details;
• Position of contact persons;
• Contact details (e-mail addresses, telephone numbers) and name and position of contact persons;
• Information about your activities on our website, IP address, internet browser and device type.
Purposes of and bases for the processing
In a number of cases we process the personal data in order to comply with a legal obligation, but usually we do this to be able to implement our services. Some data is recorded for practical or efficiency reasons, which we assume or may assume is also in your interest, such as:
• Communication and information provision;
• To be able to provide our services as efficiently as possible;
• The improvement of our services;
• Invoicing and collection
The above concretely means that we use personal data for marketing purposes or to send you advertising materials or messages about our services, as we think it might be of interest to you. We may also contact you to request feedback on services provided by us or for market or other research purposes.
In some cases, it may be that we want to process personal data for reasons other than the above and that we will ask you for explicit permission. If we ever want to process personal data that we are allowed to process on the basis of your consent for other or more purposes, we will first ask you for permission again.
Finally, we may also use your personal data to protect our own and our users’ rights or property and, if necessary, to comply with legal proceedings.
Provision to third parties
In the context of our services, we can make use of the services of third parties, for example if these third parties have specialist knowledge or resources that we do not have in-house. These can be so-called processors or sub-processors, who will process the personal data based on your exact assignment. Other third parties who, strictly speaking, are not processors of the personal data, but who do or may have access to them, are, for example, our system administrator, suppliers or hosting parties of online software, or advisers whose advice we obtain regarding your assignment. If the engagement of third parties means that they have access to the personal data or that they record and / or otherwise process the personal data, we will agree (in writing) with those third parties that they will comply with all obligations of the GDPR. Naturally, we will only engage third parties who we can and may assume are reliable parties who handle personal data adequately and who can and will comply with the GDPR. This means, among other things, that these third parties may only process your personal data for the aforementioned purposes.
Of course, it may also be the case that we have to provide your personal data to third parties in connection with a legal obligation.
Under no circumstances will we provide your personal data to third parties for commercial or charity purposes without your explicit consent.
We will not process your personal data for longer than is useful for the purpose for which it was provided (see the section ‘Purposes and bases for processing’). This means that your personal data will be kept for as long as it is necessary to achieve the relevant goals. Certain data must be kept longer (usually 7 years), because we have to comply with legal retention obligations (for example, the fiscal retention obligation) or in connection with regulations from our professional association.
We have taken appropriate organizational and technical measures for the protection of personal data insofar as they can reasonably be required of us, taking into account the interest to be protected, the state of the art and the costs of the relevant security measures. We oblige our employees and any third parties who necessarily have access to the personal data to confidentiality. We also ensure that our employees have received correct and complete instructions on how to handle personal data and that they are sufficiently familiar with the responsibilities and obligations of the GDPR. If you appreciate this, we will gladly inform you further about how we have implemented the protection of personal data.
You have the right to inspect, rectify or delete the personal data that we have about you (except, of course, if this conflicts with any legal obligations). You can also object to the processing of your personal data (or part thereof) by us or by one of our processors. You also have the right to have the information provided by you transferred by us to yourself or directly to another party if you wish.
Incidents with personal data
If there is an incident (a so-called data breach) regarding the personal data concerned, we will inform you immediately, unless there are compelling reasons, if there is a concrete chance of negative consequences for your privacy and its realization. We aim to do this within 48 hours after we have discovered this data breach or have been informed about it by our (sub) processors.
If you have a complaint about the processing of your personal data, we ask you to contact us. If this does not lead to a satisfactory outcome, you always have the right to file a complaint with the Dutch Data Protection Authority; the supervisory authority in the field of privacy.
Processing within the EEA
We will only process personal data within the European Economic Area, unless you agree other written agreements with us about this. An exception to this are situations in which we want to map contact moments via our website and / or social media pages (such as Facebook and Twitter). Consider, for example, visitor numbers and requested web pages. Your data will be stored by third parties outside the EU when using Google Analytics, LinkedIn or Facebook. These parties are ‘EU-US Privacy Shield ‘ certified, so that they must comply with European privacy regulations. Incidentally, this only concerns a limited number of sensitive personal data, in particular your IP address.