Privacy statement Surf's Cool! (version November 2018)
Surf's Cool! processes personal data of current, future and ex-employees, (customers and employees of) customers, suppliers and relations. We may have received this information from you, for example via our website, e-mail, telephone or app. In addition, we can obtain your personal data in the context of our services via third parties (e.g. your employer). We process your personal data according to the rules of the General Data Protection Regulation (GDPR, in Dutch: 'AVG'). With this privacy statement we inform you about how we deal with these personal data.
Personal data to be processed
The personal data we process depends on the exact service and circumstances. Often this concerns one or more of the following data:
• Name and address details;
• Contact function;
• Date and place of birth;
• Contact details (e-mail addresses, telephone numbers) and name and function of contacts;
• Copy of identity documents;
• Citizen service number (only if necessary);
• Passport photo (only if strictly necessary, for example for personnel file);
• Salary and other information required for tax returns, salary calculations and the like;
• Marital status, partner's data and possibly information about children (insofar as necessary for, for example, tax returns);
• Bank account number;
• Information about your activities on our website, IP address, internet browser and device type.
Goals of and bases for processing
In a number of cases we process the personal data in order to comply with a legal obligation, but usually we do this in order to be able to implement our services or an employment contract. Some data are recorded for practical or efficiency reasons, which we assume are also in your interest, such as:
• Communication and information provision;
• To be able to perform our services as efficiently as possible;
• The improvement of our services;
• Invoicing and collection.
The above also means that we use personal data for marketing purposes or to send you advertising materials or messages about our services, if we think that these may be of interest to you. [It may also happen that we contact you to request feedback on services provided by us or for market or other research purposes.]
In some cases we may want to process personal data for reasons other than those mentioned above; we will then explicitly ask you for permission. If we wish to process personal data that we may process on the basis of your consent for other or more purposes, we will first ask you for permission again.
Finally, we may also use your personal data to protect the rights or property of ourselves and those of our users and, if necessary, to comply with legal proceedings.
Provision to third parties
In the context of our services, we can make use of the services of third parties, for example if these third parties have specialist knowledge or resources that we do not have in house. These can be so-called processors or subprocessors, who will process the personal data on the basis of your exact order. Other third parties who, strictly speaking, are not processors of the personal data but have access to them are, for example, our system administrator, suppliers or hosting parties of online software, or advisors whose advice we obtain regarding your assignment. If engaging third parties has the effect that they have access to the personal data or that they themselves record and/or otherwise process them, we will agree (in writing) with those third parties that they will comply with all the obligations of the AVG. Of course, we will only involve third parties from whom we can and may assume that they are reliable parties that deal adequately with personal data and, moreover, can and will comply with the GDPR. This means, among other things, that these third parties may only process your personal data for the aforementioned purposes.
Of course, it may also be that we have to provide your personal data to third parties in connection with a legal obligation.
We will in no case provide your personal data to third parties for commercial or charitable purposes without your explicit permission.
We will not process your personal data for longer than is useful for the purpose for which it was provided (see the section on ‘Goals of and bases for processing’). This means that your personal data will be kept for as long as they are necessary to achieve the relevant goals. Certain data must be retained for a longer period of time (often 7 years), because we have to comply with statutory custody obligations (for example the fiscal retention obligation) or in connection with instructions from our professional association.
We have taken appropriate organisational and technical measures for the protection of the personal data insofar as these can reasonably be required of us, taking into account the interest to be protected, the state of the technology and the costs of the relevant security measures. We oblige our employees and any third parties who necessarily have access to the personal data to secrecy. Furthermore, we ensure that our employees have received correct and complete instruction on the handling of personal data and that they are sufficiently familiar with the responsibilities and obligations of the AVG. If you wish, we will gladly inform you about how we have designed the protection of personal data.
You have the right to inspect, rectify or delete the personal data that we hold about you (except, of course, if this would interfere with any legal obligations). You can also object to the processing of your personal data (or a part thereof) by us or by one of our processors. You also have the right to have the information provided by you transferred by us to yourself or directly to another party if you wish.
Incidents with personal data
If there is an incident (a so-called data leak) regarding the personal data concerned, we will inform you without delay, subject to compelling reasons, if there is a real chance of negative consequences for your privacy and the realization thereof. We aim to do this within 72 hours after we have discovered this data breach or have been informed about this by our (sub)processors.
If you have a complaint about the processing of your personal data, we ask you to contact us about this. If this does not lead to a satisfactory outcome, you always have the right to file a complaint with the Dutch Data Protection Authority, the supervisory authority in the area of privacy.
Processing within the EEA
We will only process the personal data within the European Economic Area, unless you make other written agreements with us on this. Exceptions to this are situations in which we want to map contact moments via our website and/or social media pages (such as Facebook and LinkedIn). Think, for example, of visitor numbers and requested web pages. Your data will be stored by third parties outside the EU when using Google Analytics, LinkedIn or Facebook. These parties are 'EU-US Privacy Shield' certified, so they have to comply with European privacy regulations. Incidentally, this only concerns a limited number of sensitive personal data, in particular your IP address.