Privacy statement Q-Team Solutions B.V. (version 2.1 May 2020)
We process personal data in the context of our services. We provide Microsoft software and IT infrastructure for your services with which you register data of your employees and employees of your customers. In our own administration we register data that we have received from you, for example via our website, e-mail, telephone or app. We believe it is important that your information is handled with care and that the personal and medical information that you register in the Microsoft software using the Microsoft IT infrastructure is treated confidentially. With this privacy statement we inform you about how these personal data are protected.
Personal data to be processed
Which personal data we process depends on the exact service and circumstances. This usually concerns the following information:
- Name and address details;
- Function of contact persons;
- Birthdate and place;
- Contact details (e-mail addresses, telephone numbers) and name and position of contact persons;
- Copy of identity documents;
- Citizen service number;
- Salary and other information required for tax returns, salary calculations, etc.;
- Marital status, partner details and possibly information about children (to the extent necessary for, for example, tax returns);
- Bank account number;
- Medical data in the context of health and safety services;
- Information about your activities on our website, IP address, internet browser and device type.
It is not possible to register special personal data in our systems, such as data regarding race or ethnic background, religion, criminal record or sexual orientation. We will ask for your explicit permission if, in the context of our services, it is necessary for us to have (indirect) access to your data.
We do not register special and medical data in our own administration.
Purposes of and principles for processing
We provide software and IT infrastructure for your (ARBO) services to your customers. Our software has been provided by Microsoft and by us in the context of the GDPR legislation, where you can, among other things, register purposes and bases for processing in the GDPR register.
In our own administration we register the personal data in order to comply with a legal obligation, but we usually do this in order to be able to implement our services. Some data is recorded for practical or efficiency reasons, which we (may) assume are also in your interest, such as:
- Communication and information provision;
- Being able to provide our services as efficiently as possible;
- Improving our services;
- Billing and collection.
In concrete terms, the above also means that we use your personal data for marketing purposes or to send you advertising materials or messages about our services, if we think they may be of interest to you. We may also contact you to request feedback on services provided by us or for market or other research purposes.
In some cases, we may want to process personal data for reasons other than the above and we will ask you for explicit permission for this. If we ever want to process personal data that we are allowed to process based on your consent for other or more purposes, we will first ask you for permission again.
Finally, we may also use your personal data to protect the rights or property of ourselves and those of our users and, if necessary, to comply with legal proceedings.
Provision to third parties
In the context of our services, we can use third-party services, for example if these third parties have specialist knowledge or resources that we do not have in-house. These can be so-called processors or sub-processors, who will process the personal data based on your exact assignment. Other third parties that, strictly speaking, are not processors of the personal data, but who have or can have access to them, are, for example, our system administrator, suppliers or hosting parties of online software, or consultants whose advice we obtain regarding your assignment. If engaging third parties results in them having access to the personal data, or in them recording and/or otherwise processing the data themselves, we will agree with those third parties (in writing) that they will comply with all obligations of the GDPR. Naturally, we will only engage third parties from whom we can and may assume that they are reliable parties who handle personal data adequately and who can and will comply with the GDPR. This means, among other things, that these third parties may only process your personal data for the aforementioned purposes. You agree that we may provide your personal data to these third parties in order to fulfill your request.
It is of course also possible that we have to provide personal data to third parties in connection with a legal obligation.
Under no circumstances will we provide your personal data to third parties for commercial or charity purposes without your explicit consent.
We will not process personal data in our own administration for longer than is useful for the purpose for which it was provided (see the paragraph “Purposes of and principles for processing”). This means that your personal data is kept for as long as it is necessary to achieve the relevant goals. Certain data must be kept longer (usually 7 years), because we must comply with legal retention obligations (for example, the tax retention obligation).
Our software that we provide to you or that you have purchased from us contains provisions to administer retention periods.
We have taken appropriate organizational and technical measures for the protection of personal data, insofar as they can reasonably be required of us, taking into account the interest to be protected, the state of the art and the costs of the relevant security measures. These measures include:
- Physical and logical access protections through multi-factor authentication;
- Access to the systems is controlled via secure and encrypted connections with adequate firewalls and antivirus programs;
- Procedures to prevent unauthorized persons from unintentionally gaining access to the personal data provided;
- The security is at a level that, given the state of the art, is necessary and reasonable.
We oblige our employees and any third parties who necessarily have access to the personal data to secrecy. Furthermore, we ensure that our employees have received correct and complete instructions about the handling of personal data and that they are sufficiently aware of the responsibilities and obligations of the GDPR. If you would appreciate this, we would be happy to inform you further about how we have designed the protection of personal data.
You have the right to inspect, rectify or delete the personal data that we hold about you (except, of course, if this conflicts with any legal obligations). You can also object to the processing of your personal data (or part thereof) by us or by one of our processors. You also have the right to have the data provided by you transferred by us to yourself or directly to another party if you wish.
Our software contains provisions with which you can comply with the right to inspect, rectify or delete the personal data that you register from your employees and employees of your customers.
Incidents with personal data
If there is an incident (a so-called data leak) with regard to the relevant personal data, we will immediately inform you, unless there are serious reasons not to do so, if there is a concrete chance of negative consequences for your privacy and the realization thereof. We strive to do this within 48 hours after we have discovered this data breach or have been informed about it by our (sub-)processors.
If you have a complaint about the processing of personal data, we ask you to contact us about this. If this does not lead to a satisfactory outcome, you always have the right to file a complaint with the Dutch Data Protection Authority, the supervisory authority in the field of privacy.
Processing within the EEA
We will only process the personal data within the European Economic Area, unless you make other written agreements with us about this. Exceptions to this are situations in which we want to map contact moments via our website and/or social media pages (such as Facebook and LinkedIn). Consider, for example, visitor numbers and requested web pages. Your data is stored by third parties outside the EU when using Google Analytics, LinkedIn or Facebook. These parties are “EU-US Privacy Shield” certified, so they must comply with European privacy regulations. Incidentally, this only concerns a limited amount of sensitive personal data, in particular your IP address.