23092
page-template-default,page,page-id-23092,qode-social-login-1.1.2,qode-restaurant-1.1.1,stockholm-core-1.0.6,woocommerce-no-js,select-child-theme-ver-1.0.0,select-theme-ver-5.1,ajax_fade,page_not_loaded,wpb-js-composer js-comp-ver-5.7,vc_responsive

Version 14-05-2018

GRASS PARTNERS privacy statement

Introduction

 

In the context of our service provision we process personal data, which we may have received from you yourself, for example via our website, by email, phone or app. We may also obtain your personal data via third parties, such as your employer, in the context of our service provision. This privacy statement explains how we deal with these personal data.

Personal data to be processed

 

The type of personal data that we process depends on the exact service and circumstances. The following types of data are often concerned:
  • Name and address data;
  • Roles of contact persons;
  • Date and place of birth;
  • Gender;
  • Contact data (email addresses, telephone numbers) and names and roles of contact persons;
  • Copy of proofs of identity;
  • Citizen service number (only if necessary!);
  • Passport photo (only if strictly necessary! For example, for staff dossier);
  • Age;
  • Salary and other data required for tax returns, salary calculations etc.;
  • Marital status, data about partner and if applicable information about children; where necessary for tax returns for example);
  • Bank account number;
  • Data about your activities on our website, IP address, web browser and device type.

Purposes of and principles for processing

 

In some cases we process the personal data so as to be able to comply with a legal obligation, but usually we do it in order to be able to provide our service. Some data are stored for practical or efficiency reasons, which we (can) assume is also in your interest, such as:

 

  • Communication and provision of information;
  • Being able to provide our service as efficiently as possible;
  • Improving our services;
  • Billing and collecting payments

 

What this also means in practice is that we use your personal data for marketing purposes or to send you advertising material or reports about our services if we think that these might be of interest to you. We might also contact you to ask for feedback about services we provide or for market or other research purposes.

 

It may happen that we want to process personal data for reasons other than those indicated above and that we have to ask for your explicit consent to this. If, after having obtained your consent to process personal data, we then want to process it for different or additional reasons, we will first have to ask for your consent again.

 

Finally, we can also uses your personal data to protect our rights or property and those of our users and, if necessary, to comply with court procedures.

Distribution to third parties

 

In the context of our service provision we may make use of third-party services, for instance if these third parties have specialist knowledge or resources which we do not have in-house. These may be what are called processors or sub-processors that will process the personal data exactly as instructed by you. Other third parties, which are probably not strictly speaking processors of the personal data but which do or may see them, include for example our system manager, suppliers or hosting parties of online software, or advisors whose advice we obtain with regard to your order. If the involvement of third parties means that they have access to the personal data or store and/or otherwise handle it themselves, we will conclude (written) agreements with these third parties so that they comply with all the obligations of the GDPR. We will of course only use third parties which we can and may assume to be reliable parties that handle personal data responsibly and can and will comply with the GDPR. Among other things, this means that these third parties may only process your personal data for the aforementioned purposes.

 

It is of course possible that we have to distribute your personal data to third parties in connection with a legal obligation.

 

We will never distribute your personal data to third parties for commercial or charitable purposes without your explicit consent.

Retention periods

 

We will not process your personal data for longer than is useful for the purpose for which they were provided (for more information on this, see the section above headed ‘Purposes of and principles for processing’). This means that your personal data will be retained for as long as they are needed to achieve the aims in question. Some data has to be retained for longer (often 7 years) because we must comply with legal retention obligations (for example, the requirement to retain data for tax purposes) or in connection with requirements laid down by our professional association.

Security

 

We have implemented suitable organisational and technical measures to protect personal data insofar as we can reasonably be expected to do so, taking account of the interest to be protected, the state of the art and the costs of the relevant security measures.
We require our employees and any third parties requiring access to the personal data to respect confidentiality. We also ensure that our employees have also been given accurate and comprehensive instruction in handling personal data and that they are sufficiently familiar with the responsibilities and duties arising from the GDPR. If you wish, we would be happy to provide you with further information as to how we protect personal data.

Your rights

 

You are entitled to see, correct or remove personal data that we have about you (unless this would contravene a legal obligation). You can also object to the processing of all or some of your personal data by us or by one of our processors. You are also entitled to have the data submitted by you transferred to you or directly to another party if you wish.

Incidents with personal data

 

If an incident (referred to as a data leak) occurs with regard to the personal data in question, we will, unless there are significant reasons not to do so, notify you immediately if there is a concrete chance of negative consequences for your personal life and its realisation. We will aim to do this within 48 hours of discovering the data leak or being informed of it by our (sub)processors.

Complaints

 

Please contact us if you have a complaint about the processing of your personal data. If this does not lead to a satisfactory conclusion, you are at all times entitled to submit a complaint to the Dutch Personal Data Authority, which is the supervisory body in charge of privacy.

Processing within the EEA

 

We will only process the personal data within the European Economic Area unless you have entered into written agreements with us that are different. The exception to this is situations in which we want to record contacts via our website and/or social media pages such as Facebook and LinkedIn. Examples could include, for instance, numbers of visitors and websites that have been accessed. Your data will be stored by third parties outside the EU when Google Analytics, LinkedIn or Facebook are used. These parties are ‘EU-US Privacy Shield’-certified, which means that they are required to abide by European privacy regulations. Furthermore, this will relate only to a limited number of sensitive personal data, in particular your IP address.

Changes

 

Our privacy policy will undoubtedly change from time to time. The latest version of the privacy statement is, logically, the version that applies and can be found on our website.

Finally

 

We hope that this privacy statement has given you a clear idea of our privacy policy. However, if you have any questions about how we handle personal data, please let us know. The first point of contact for privacy aspects in our organisation is:
Ronald Dijkslag, ronald@grasspartners.com, tel: +31 (0)38 030 35 100

The management of GRASS PARTNERS