PRIVACY POLICY DYSECO B.V.

WHO IS DYSECO?
DYSECO is the private limited company DYSECO B.V., with its registered office and place of business in Rotterdam at Weena 290 (Mailing address: Weena 290, 3012 NJ, Rotterdam).

WHO IS THE CUSTOMER?
The customer is the party with whom DYSECO has entered into an agreement. Personal data may be processed by DYSECO on behalf of the customer without being subject to the customer’s direct authority; in such cases, DYSECO is the processor. It is also possible that DYSECO, alone or jointly with others, determines the purposes and means of the processing of personal data; in such cases, DYSECO is the data controller.

WHAT IS PERSONAL DATA?
Any information relating to an identified or identifiable natural person processed within the framework of the agreement. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

I AM NOT A CUSTOMER, BUT YOU HAVE MY PERSONAL DATA
In addition to our customers, we also process personal data of leads, prospects, newsletter readers, suppliers, business relations, job applicants, and, of course, our own employees. In general, the provisions set out below also apply to the personal data we process for these individuals. Deviating provisions for these individuals are addressed further on.

WHAT DO WE MEAN BY PROCESSING PERSONAL DATA?
By this, we mean: an operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of data.

WHO IS RESPONSIBLE FOR PERSONAL DATA UNDER THE GDPR?
DYSECO processes, among other things, personal data of the customer and the data controller.

WHICH PERSONAL DATA DO WE PROCESS?
In most cases, this involves the business contact details of the customer. This includes data such as: surname, first name, initials, business address, city, email address, and telephone number.

HOW DO WE PROCESS PERSONAL DATA?
We process personal data exclusively for the execution of the assignment. We do not process this data longer or more extensively than necessary for the execution of this assignment. To the extent possible, we comply with requests for inspection, correction, or deletion of personal data. The deletion of personal data is a right under the GDPR, but we are subject to legislation regarding data retention obligations, and such legislation takes precedence. We do not store your data longer than necessary. In many cases, we have a legal obligation to retain data, which in most cases is 7 or 10 years.

SECURITY MEASURES
We have taken appropriate security measures with a level of security suited to the nature of the personal data and the scope, context, purposes, and risks of the processing. In implementing these security measures, we have taken into account the risks to be mitigated, the state of the art, and the costs of the security measures. DYSECO will periodically conduct internal audits and perform random checks. We provide appropriate safeguards for the application of technical and organizational security measures regarding the processing to be performed. If the customer wishes to have the manner in which we comply with security measures inspected by an independent expert, a request can be made to this effect. We will make arrangements regarding this together with the customer. The costs of an inspection or audit shall be borne by the customer. The customer shall provide us with a copy of the inspection report.

DATA BREACHES
DYSECO has established an email address where customers, employees, sub-processors, and third parties can report incidents that may constitute a data breach. DYSECO addresses reports as soon as possible for further investigation and takes necessary measures to prevent further damage to data subjects and DYSECO. As required by law, a data breach that may have serious consequences will be reported to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) and to the person(s) whose personal data are involved in the breach.

CONFIDENTIALITY OBLIGATION
We keep obtained personal data confidential and also require our employees and any sub-processors to maintain confidentiality. Furthermore, employees observe confidentiality regarding the personal data entrusted to them as applicable based on any professional and ethical rules.

LIABILITY
The customer guarantees that the processing of personal data in accordance with our agreement and these provisions is not unlawful and does not infringe upon the rights of other data subjects, such as family members or employees. We are not liable for damage resulting from the customer’s failure to comply with the GDPR or other laws or regulations. The customer also indemnifies us against third-party claims based on such damage. This indemnification applies not only to damage suffered by third parties (material and non-material) but also to the costs we must incur in connection therewith, for example, in any legal proceedings, and the costs of any fines imposed on us as a result of the customer’s actions. The limitation of our liability agreed upon in an assignment and the associated general terms and conditions applies to the obligations set out herein, provided that one or more damage claims under this privacy statement and/or the service assignment can never lead to an exceedance of that limitation.

GENERAL TERMS AND CONDITIONS
Our general terms and conditions apply to all work and deliveries. By signing the assignment, the customer declares to be in possession of, familiar with, and in agreement with our general terms and conditions and this privacy statement.

TERMINATION AND RETURN/DESTRUCTION OF PERSONAL DATA
Given our legal retention obligations and other legal or (professional) regulations, we generally cannot comply with a customer’s request for the destruction or return of personal data upon the termination of our service assignment. Should this be possible, we will cooperate with such a request. The costs of collecting and transferring personal data at the end of the assignment shall be borne by the customer. The same applies to the costs of destroying the personal data.

SUPPLEMENTS AND AMENDMENTS TO THE DYSECO PRIVACY STATEMENT
We ensure that this privacy statement remains up to date and will adjust its provisions as necessary. If these provisions undergo significant changes or additions due to new or amended legislation, we will inform our customers accordingly. If we can no longer meet a certain level of protection, this may be a reason for us to terminate a service assignment.

DEVIATING PROVISIONS FOR CERTAIN NATURAL PERSONS

For personal data of leads and prospects, once a year we delete all personal data that we have processed for more than a year for the purpose of concluding a service assignment, unless a follow-up appointment has been agreed upon and recorded with the person concerned, showing that we may continue processing for another year.

With job applicants, we agree that their personal data will be deleted within a maximum of 24 months after a vacancy has been closed.

For personal data of employees, interns, hired personnel, temporary workers, or self-employed persons (ZZP) at DYSECO, the same applies as for customers, with the understanding that “the assignment” should be read as the employment contract, internship agreement, hiring agreement, temporary employment contract, or management agreement. We also apply statutory retention periods for the storage of their personal data.

COOKIES

FINAL PROVISIONS
Parties shall, upon request, cooperate with the supervisory authority in the performance of its tasks. These provisions are governed by Dutch law; the Dutch courts shall have jurisdiction to hear all disputes arising from or related to these provisions. This privacy statement forms an integral part of our service assignments and is therefore binding upon the parties. This privacy statement takes precedence over the provisions in our general terms and conditions, unless explicit reference is made to a specific provision in the general terms and conditions. If one or more provisions mentioned herein prove to be invalid for a customer, this shall not affect the validity of the remaining provisions. In such a case, we will enter into consultations with the customer to jointly draft a new provision. This provision shall, as much as possible, reflect the spirit of the invalid provision, but will naturally be formulated in such a way that the provision is valid.

CONTACT
For questions regarding rights and the manner in which DYSECO handles personal data, an information request may be submitted to DYSECO via email. DYSECO will respond to questions as quickly as possible, but in any event within four weeks.