In the context of our service provision we process personal data, which we may have received from you yourself, for example via our website, by email, phone or app. We may also obtain your personal data via third parties, such as your employer, in the context of our service provision. This privacy statement explains how we deal with these personal data.

The type of personal data that we process depends on the exact service and circumstances. The following types of data are often concerned:

In some cases we process the personal data so as to be able to comply with a legal obligation, but usually we do it in order to be able to provide our service. Some data are stored for practical or efficiency reasons, which we (can) assume is also in your interest, such as:

What this also means in practice is that we use your personal data for marketing purposes or to send you advertising material or reports about our services if we think that these might be of interest to you. We might also contact you to ask for feedback about services we provide or for market or other research purposes.

 

It may happen that we want to process personal data for reasons other than those indicated above and that we have to ask for your explicit consent to this. If, after having obtained your consent to process personal data, we then want to process it for different or additional reasons, we will first have to ask for your consent again.

 

Finally, we can also uses your personal data to protect our rights or property and those of our users and, if necessary, to comply with court procedures.

In the context of our service provision we may make use of third-party services, for instance if these third parties have specialist knowledge or resources which we do not have in-house. These may be what are called processors or sub-processors that will process the personal data exactly as instructed by you. Other third parties, which are probably not strictly speaking processors of the personal data but which do or may see them, include for example our system manager, suppliers or hosting parties of online software, or advisors whose advice we obtain with regard to your order. If the involvement of third parties means that they have access to the personal data or store and/or otherwise handle it themselves, we will conclude (written) agreements with these third parties so that they comply with all the obligations of the GDPR. We will of course only use third parties which we can and may assume to be reliable parties that handle personal data responsibly and can and will comply with the GDPR. Among other things, this means that these third parties may only process your personal data for the aforementioned purposes.

 

It is of course possible that we have to distribute your personal data to third parties in connection with a legal obligation.

 

We will never distribute your personal data to third parties for commercial or charitable purposes without your explicit consent.

We will not process your personal data for longer than is useful for the purpose for which they were provided (for more information on this, see the section above headed ‘Purposes of and principles for processing’). This means that your personal data will be retained for as long as they are needed to achieve the aims in question. Some data has to be retained for longer (often 7 years) because we must comply with legal retention obligations (for example, the requirement to retain data for tax purposes) or in connection with requirements laid down by our professional association.

We have implemented suitable organisational and technical measures to protect personal data insofar as we can reasonably be expected to do so, taking account of the interest to be protected, the state of the art and the costs of the relevant security measures.

We require our employees and any third parties requiring access to the personal data to respect confidentiality. We also ensure that our employees have also been given accurate and comprehensive instruction in handling personal data and that they are sufficiently familiar with the responsibilities and duties arising from the GDPR. If you wish, we would be happy to provide you with further information as to how we protect personal data.

You are entitled to see, correct or remove personal data that we have about you (unless this would contravene a legal obligation). You can also object to the processing of all or some of your personal data by us or by one of our processors. You are also entitled to have the data submitted by you transferred to you or directly to another party if you wish.

If an incident (referred to as a data leak) occurs with regard to the personal data in question, we will, unless there are significant reasons not to do so, notify you immediately if there is a concrete chance of negative consequences for your personal life and its realisation. We will aim to do this within 48 hours of discovering the data leak or being informed of it by our (sub)processors.

Please contact us if you have a complaint about the processing of your personal data. If this does not lead to a satisfactory conclusion, you are at all times entitled to submit a complaint to the Dutch Personal Data Authority, which is the supervisory body in charge of privacy.

We will only process the personal data within the European Economic Area unless you have entered into written agreements with us that are different. The exception to this is situations in which we want to record contacts via our website and/or social media pages such as Facebook and LinkedIn. Examples could include, for instance, numbers of visitors and websites that have been accessed. Your data will be stored by third parties outside the EU when Google Analytics, LinkedIn or Facebook are used. These parties are ‘EU-US Privacy Shield’-certified, which means that they are required to abide by European privacy regulations. Furthermore, this will relate only to a limited number of sensitive personal data, in particular your IP address.

Our privacy policy will undoubtedly change from time to time. The latest version of the privacy statement is, logically, the version that applies and can be found on our website.

We hope that this privacy statement has given you a clear idea of our privacy policy. However, if you have any questions about how we handle personal data, please let us know. The first point of contact for privacy aspects in our organisation is:

Ronald Dijkslag, ronald@grasspartners.com, tel: +31 (0)38 030 35 100