GRASS PARTNERS privacy statement
In the context of our service provision we process personal data, which we may have received from you yourself, for example via our website, by email, phone or app. We may also obtain your personal data via third parties, such as your employer, in the context of our service provision. This privacy statement explains how we deal with these personal data.
Personal data to be processed
The type of personal data that we process depends on the exact service and circumstances. The following types of data are often concerned:
- Name and address data;
- Roles of contact persons;
- Date and place of birth;
- Contact data (email addresses, telephone numbers) and names and roles of contact persons;
- Copy of proofs of identity;
- Citizen service number (only if necessary!);
- Passport photo (only if strictly necessary! For example, for staff dossier);
- Salary and other data required for tax returns, salary calculations etc.;
- Marital status, data about partner and if applicable information about children; where necessary for tax returns for example);
- Bank account number;
- Data about your activities on our website, IP address, web browser and device type.
Purposes of and principles for processing
In some cases we process the personal data so as to be able to comply with a legal obligation, but usually we do it in order to be able to provide our service. Some data are stored for practical or efficiency reasons, which we (can) assume is also in your interest, such as:
Communication and provision of information;
Being able to provide our service as efficiently as possible;
Improving our services;
Billing and collecting payments
What this also means in practice is that we use your personal data for marketing purposes or to send you advertising material or reports about our services if we think that these might be of interest to you. We might also contact you to ask for feedback about services we provide or for market or other research purposes.
It may happen that we want to process personal data for reasons other than those indicated above and that we have to ask for your explicit consent to this. If, after having obtained your consent to process personal data, we then want to process it for different or additional reasons, we will first have to ask for your consent again.
Finally, we can also uses your personal data to protect our rights or property and those of our users and, if necessary, to comply with court procedures.
We will not process your personal data for longer than is useful for the purpose for which they were provided (for more information on this, see the section above headed ‘Purposes of and principles for processing’). This means that your personal data will be retained for as long as they are needed to achieve the aims in question. Some data has to be retained for longer (often 7 years) because we must comply with legal retention obligations (for example, the requirement to retain data for tax purposes) or in connection with requirements laid down by our professional association.
We have implemented suitable organisational and technical measures to protect personal data insofar as we can reasonably be expected to do so, taking account of the interest to be protected, the state of the art and the costs of the relevant security measures.
We require our employees and any third parties requiring access to the personal data to respect confidentiality. We also ensure that our employees have also been given accurate and comprehensive instruction in handling personal data and that they are sufficiently familiar with the responsibilities and duties arising from the GDPR. If you wish, we would be happy to provide you with further information as to how we protect personal data.
You are entitled to see, correct or remove personal data that we have about you (unless this would contravene a legal obligation). You can also object to the processing of all or some of your personal data by us or by one of our processors. You are also entitled to have the data submitted by you transferred to you or directly to another party if you wish.
Incidents with personal data
If an incident (referred to as a data leak) occurs with regard to the personal data in question, we will, unless there are significant reasons not to do so, notify you immediately if there is a concrete chance of negative consequences for your personal life and its realisation. We will aim to do this within 48 hours of discovering the data leak or being informed of it by our (sub)processors.
Please contact us if you have a complaint about the processing of your personal data. If this does not lead to a satisfactory conclusion, you are at all times entitled to submit a complaint to the Dutch Personal Data Authority, which is the supervisory body in charge of privacy.
Processing within the EEA
We will only process the personal data within the European Economic Area unless you have entered into written agreements with us that are different. The exception to this is situations in which we want to record contacts via our website and/or social media pages such as Facebook and LinkedIn. Examples could include, for instance, numbers of visitors and websites that have been accessed. Your data will be stored by third parties outside the EU when Google Analytics, LinkedIn or Facebook are used. These parties are ‘EU-US Privacy Shield’-certified, which means that they are required to abide by European privacy regulations. Furthermore, this will relate only to a limited number of sensitive personal data, in particular your IP address.
The management of GRASS PARTNERS