Home » Privacy Statement

Privacy Statement

This document was last updated on March 27, 2019

Table of contents

1. Introduction
2. Definitions
3. Applicability and duration
4. Which Personal Data do we Process?
5. Purposes for Processing Personal Data
6. Bases for Processing Personal Data
7. Automated processing
8. Retention periods
9. To whom do we pass on Personal Data?
10. Data Subjects’ rights
11. Security measures
12. Data Breaches
13. Liability
14. Your rights and exercise of them
15. Where can you file a complaint?
16. Conclusion

1. Introduction

This Privacy Statement describes which personal data we process and for which purpose, when you use our services. It sets out our policy regarding how we handle data, including personal data, that you transfer or that will become available to us in another way while performing our assignment. We process personal data in accordance with the applicable legislation.

If we have entered into an agreement for services or investigative assignment, this agreement will be referred to as the ‘Underlying Assignment’.

We are considered to be the ‘Controller’ for the purpose of performing this Underlying Assignment. As our client, you are also considered to be a ‘Controller’ (however not as referred to in Article 26 GDPR).

For part of our activities, we work as an Investigative Agency as referred to in Article 1(f) of the Private Security Organisations and Investigative Agencies Act (WPBR; Wet op de Particuliere Beveiligingsorganisaties & Recherchebureaus). For this purpose our office holds a licence with number POB 922 issued by the Ministry of Justice and Security and as provided for in Article 2 WPBR.

All personal data is being processed on the basis of confidentiality. To enforce this, we work on the basis of separation of duties to minimise the access to data and all our employees are obliged to keep information confidential. Personal data can only be accessed by permitted persons through secured systems.

2. Definitions

Terms are used in this document. These terms are written with a capital letter. Their meaning is in conformity as stipulated in the General Data Protection Regulation (GDPR).

3. Applicability and duration

This policy applies to any Processing we do based on an Underlying Assignment and any Security Incidents or Data Breaches in connection with Personal Data that might occur in relation to those data.

The most recent version of this policy applies to all Underlying Assignments that we enter into and ends when we no longer hold any Personal Data for the purpose of the Underlying Assignment. However, the policy remains always in force for us and will continue to apply to you, even after the Underlying Assignment has ended.

4. Which Personal Data do we Process?

For the purpose of an agreement to be concluded

Your data:
gender
first and last name
telephone number
e-mail address

Your company data:
legal form
company name
invoicing address
postal code and town/city
e-mail address

Payment data (after entering into a business relationship):
IBAN and name
VAT number

For the purpose of commercial information regarding our services

From time to time, we may send you information about the expansion of our services. If you do not wish, or no longer wish, to receive this information, you can unsubscribe from these messages.

For the purpose of communicating about the Underlying Assignment

When e-mails or other messages are sent to us, we retain these messages. We may ask you for personal data relevant to the particular situation. This allows us to process your questions and answer your requests.

For the purpose of performing the Underlying Assignment

For the purpose of performing the services agreed with you, we also process sensitive Personal Data, Special Personal Data and criminally relevant Personal Data, none of which can ever be specified in advance.

Cookies and website

We use Google Analytics on our website. This is a web analytics service provided by Google Inc., referred to below as ‘Google’. Google Analytics uses cookies (small files placed on your computer) to help the website analyse how users use the site. The information generated by the cookie about your use of the website (including your IP address) is transmitted to and stored by Google on its servers. Google uses this information to evaluate your use of the website, compile reports on website activity for website operators and provide other services relating to website activity and internet use. Google may also transfer this information to third parties if required to do so by law, or insofar as these third parties process the information on Google’s behalf. Google will not combine your IP address with any other data that it holds. You may refuse the use of cookies by selecting the appropriate settings in your browser. However, if you do this, you may not be able to use all the features of our website. By using our website, you consent to Google processing the information in the manner and for the purposes set out above.

More information about Google Privacy and Conditions can be found at: https://support.google.com/analytics/answer/6004245?hl=en

5. Purposes for Processing Personal Data

We process your data to ensure our business operations are efficient and effective, to send you information about our services and to respond to your questions and/or complaints. We also use your data to enable us to pay invoices sent to us or to send you invoices.

We process Personal Data to be able to carry out adequate and thorough investigations and apply the principle of ascertaining the truth.

6. Bases for Processing Personal Data

We Process data when necessary to protect legitimate interests. We Process data when you, as our client, have given us consent for that purpose. We Process data to perform any agreement to which you are involved. Some aspects of this work involve fulfilling a duty in the public interest.

7. Automated processing

For the purpose of performing our services, data may be processed automatically in the form of search, comparison and selection. No decisions that produce legal effects for Data Subjects or otherwise significantly affect them are based on this automated Processing, without human intervention.

8. Retention periods

Personal data are not kept longer than necessary after completion of the purpose for which they have been obtained.

We retain data related to our own company administration for seven years, or such longer period as is necessary for financial settlement or any obligation to do so.

Data obtained during a background check (screening) or integrity investigation are retained for one year after reporting. In case of a broader investigation, such as fraud, the data will be retained for five years.

9. To whom do we pass on Personal Data?

We may provide data to third parties insofar as you have given your explicit consent for this purpose.

We may provide data to third parties insofar as this is necessary to perform an agreement, the Underlying Assignment or to comply with a legal obligation to do so, if we are required to do so due to legal proceedings and/or if we deem this necessary to protect our own interests or rights.

As part of our services are covered within the context of the Money Laundering and Terrorist Financing (Prevention) Act (Wwft, Wet ter voorkoming van witwassen en financieren van terrorisme) we assess data that we investigate. If necessary, we report our findings to the Financial Intelligence Unit (FIU). This is based on a legal obligation.

10. Data Subjects’ rights

When requests will be forwarded to us from Data Subjects to exercise their rights, we will assess those request and respond within a period of four weeks.

If we receive requests from Data Subjects to exercise their rights while we are performing our services, we will forward these requests to you for further handling. Due to the nature of the Underlying Assignment and our contextual responsibility for processing, it is not appropriate for us to deal directly with the requests made to us by Data Subjects to exercise their rights. You will handle these requests yourself. We will make no statements concerning Personal Data towards the Data Subjects.

11. Security measures

We have implemented appropriate Technical and Organisational measures that adequately protect Personal Data (and all other data) against any form of unlawful processing. When adopting the security measures, we considered the risks to be mitigated, the state of the art and the costs of the security measures.

All Personal Data (and other data) are stored on our own secure servers, standardised to a security level equivalent with ISO 27002, or on the servers of a third party for which the same security standard is used. Insofar as Subprocessors are involved, we have concluded an adequate processing agreement with them.

12. Data Breaches

If there is a Data Breach, involving Personal Data processed for the purpose of the Underlying Assignment, you will be notified.

We also report any Data Breaches to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). Because of the nature of the Underlying Assignment, and our contextual responsibility for processing, it is not always logical for us to inform Data Subjects directly about a Data Breach, where necessary. Should the need arise, we will jointly determine which party, viewed from the perspective of Data Subjects, would be the most logical party to report the Data Breach to them.

13. Liability

You warrant that the Processing of Personal Data based on the Underlying Assignment is not unlawful and does not infringe the rights of the Data Subject(s).

We are not liable for any loss or damage resulting from your failure to comply with the GDPR or other legislation. You also indemnify us against third-party claims based on such loss or damage. The indemnity not only applies to the loss or damage suffered by third parties (material and immaterial), but also to the costs we have to incur in that regard, for example in any legal proceedings, and any penalties imposed on us due to your actions.

The limitation of our liability, as agreed in the Underlying Assignment and associated General Terms and Conditions, applies.

14. Your rights and exercise of them

As a data subject, you have the Right of Access, the Right of Rectification and Erasure, the Right to Restrict Processing, the Right to Portability of the data you provide to us, the Right of Objection and the Right not to be subjected to a decision based solely on automated processing.

To exercise your rights, please contact the Data Protection Officer. This can be done by e-mail at dpo@hollandintegritygroup.nl or by sending a letter to the postal address ‘for the attention of the Data Protection Officer’. The DPO will respond to your request within four weeks.

The Data Protection Officer is bound by confidentiality.

15. Where can you file a complaint?

If you have a complaint about the use of your personal data, please contact our Data Protection Officer or the Dutch Data Protection Authority.

16. Conclusion

The latest version of this document is published on our website.

If requested, we will cooperate with the Dutch Data Protection Authority in fulfilling its duties. If one or more provisions of this Privacy Statement turn out to be invalid, this will not affect the validity of the other provisions.