Privacy Policy

Privacy Policy Takii Europe B.V. (TEBV)

In some cases, we require information to be able to do our work and offer our service. When this relates to privacy-sensitive information, we believe that there should be no uncertainty. In this policy, we set out how we deal with personal data. We will make clear what personal data we collect and for what purposes we use this data. We explain how long we retain personal data and how this data can be viewed, modified or deleted.

Personal data is any information about an identified or identifiable natural person. This means that this information is about a specific person or that it can be directly traced back to a person. This can include a name, date of birth and contact details, but an employee number, (business) e-mail address and (business) telephone numbers are also personal data.

Personal data processing relates to all activities we can carry out with personal data, from collecting to destroying. It is, therefore, a broad concept. Activities that fall under that concept include in any event: collecting, recording, ordering, retaining, processing, modifying, requesting, consulting, using, forwarding, disseminating, making available, accumulating, linking, blocking, erasing and destroying data.

Grounds on which, by law, we can process personal data are:

·         The data is required to be able to decide whether we enter into an (employment) agreement.

·         The data is required to enter into and/or implement the (employment) agreement.

·         The data is required to enable us to fulfil a legal requirement (for example, for the payment of taxes and premiums or the identification requirement).

·         The data is required because TEBV has a legitimate interest in the data (for example, in case of ongoing or threatened legal proceedings and TEBV must be able to mount a defence).

·         The data is required in a situation of critical importance, for example to be able to arrange help or inform others (such as designated contact persons) in an emergency situation.

·         The data is provided with clear and unequivocal permission for certain activities.

Below, you will find our privacy principles and what we do with data if someone:

1)      Is a (potential) client or (potential) supplier of TEBV.
2)      Subscribes to our newsletter.
3)      Is a prospect, stakeholder and/or interested party.
4)      Is a (potential) TEBV employee.
5)      Is a visitor to TEBV.
6)      Makes use of our Wi-Fi network.
7)      Is a visitor to our website.

TEBV is committed to the protection of personal data.

We do our utmost to protect everyone’s privacy and we therefore handle personal data with all due care. TEBV complies at all times with the applicable legislation and regulations, including the General Data Protection Regulation (GDPR). This means that, in any event, we:

–          Process personal data in conformance with the purpose for which this information is provided. These purposes and types of personal data are described in this Privacy Policy;

–          Limit the processing of personal data to only the minimum information that is required for the purposes for which the information is provided;

–          Request express permission if we need it in order to process personal data;

–          Have taken suitable technical and organisational measures to guarantee the protection of personal data;

–          Do not pass on personal data to other parties, unless this is required for achieving the objectives for which they are provided;

–          Are aware of the rights relating to personal data, make the involved parties aware of these rights and respect these rights.

As TEBV, we are responsible for the processing of personal data. After reading through our Privacy Policy or, in a more general sense, if you have questions about this or wish to contact us, you can do that using the contact information at the end of this document.

For Clients or Suppliers

TEBV processes personal data of clients or suppliers for the following purpose(s):

–          Administrative purposes;

–          Communication regarding the assignment and/or invitations;

–          Carrying out or issuing an assignment.

The basis for this personal data is:

–          The agreed upon assignment;

–          The data is provided with clear and unequivocal permission for certain activities.

For the above objective(s), TEBV can request the following personal data:

–          Company name;

–          Invoicing address;

–          Delivery address;

–          (Business) telephone number;

–          (Business) e-mail address;

–          VAT number;

–          Bank account number (if applicable);

–          Contact person (first name, middle name, last name, department/job title (if relevant), telephone number (if relevant), e-mail (if relevant)).

Additionally, we note:

–          Department (flowers, vegetables or home garden);

–          The payment terms as agreed upon;

–          Discount agreements (if any);

–          Other agreements relating to:

o   Seed quality;

o   Seed treatments;

o   Packaging units;

o   Desired labels;

o   Required (freight) documents with shipments;

o   Which transporter/shipper is used (company name, contact person);

o   Other wishes relating to the method/conditions of delivery.

–          Who the contact person is within TEBV;

–          Whether you would like to receive the annual brochure and/or price list;

–          Whether we can keep you up to date on new products that might interest you.

TEBV will save this personal data for the above-mentioned processing for the period:

–          That you are a TEBV client or we are your client up to a maximum of 3 years after your/our last order, unless you indicate that you would like a shorter period, and then only in the financial administration for a maximum of 7 years.

Please contact us if you would like to know more, for example, about where your information will be saved, or who you must contact to delete your data.

For Newsletter subscribers

On the one hand our newsletters are commercial, and on the other hand they are geared towards knowledge sharing. TEBV processes the personal data of Newsletter subscribers for the following purpose(s):

–          Informing subscribers through news communications.

The basis for this personal data is:

–          The data is provided with clear and unequivocal permission for certain activities (using the Newsletter registration form or by registering for the ‘newsletter’ on the TEBV website).

For the above objective(s), TEBV can request the following personal data:

–          Name (First name, middle name, last name);

–          Gender;

–          Date of birth;

–          E-mail address.

TEBV will save this personal data for the above-mentioned processing for the period:

–          During the period that people are subscribed. Every newsletter contains a link that can be used to unsubscribe at any time.

Third parties

Personal data that we collect for the newsletter will be processed by MailChimp. MailChimp is located in the United States of America, which territory ensures a suitable protection level with regard to personal data according to an adequacy decision by the European Commission. This is because MailChimp is affiliated with, and meets the requirements of, the EU-US Privacy Shield agreement. You can find the MailChimp privacy statement here.

Please contact us if you would like to know more, for example, about where your information will be saved, or who you must contact to delete your data.

For prospects, stakeholder contacts and/or interested parties

TEBV processes the personal data of prospects, stakeholder contacts and/or interested parties for the following purpose(s):

–          Information provision in the form of newsletters and/or targeted contacts.

The basis for this personal data is:

–          The data is provided with clear and unequivocal permission for certain activities (for example, by verbal permission, submitting a business card and/or by connection on LinkedIn).

For the above objective(s), TEBV can request the following personal data:

–          (Company) name (first name, middle name, last name);

–          Telephone number;

–          E-mail address;

–          Postal address;

–          Gender;

–          Date of birth.

TEBV will save this personal data for the above-mentioned processing for the period:

–          For the period that an individual is considered a prospect, stakeholder contact and/or interested party;

–          Until a prospect, stakeholder contact and/or interested party indicates that they no longer wish to receive the information in the form of newsletters and/or targeted contacts.

Please contact us if you would like to know more, for example, about where your information will be saved, or who you must contact to delete your data.

For Employees

TEBV processes the personal data of Employees in the personnel administration for the following purpose(s):

–          Implementing the employment agreement, including:

o   Calculation, recording and payment of the salary, reimbursements and other monetary amounts and remunerations in kind to the employee or for the employee;

o   Calculation, recording and payment of taxes and premiums for the employee;

o   Termination of the employment agreement;

o   Arranging claims for payments relating to the termination of the employment agreement;

o   The collection of receivables, including using the services of a debt collection agency;

o   Handling disputes and having audits carried out;

o   The implementation or application of another law.

–          Communication with the employee.

The basis for this personal data is:

–          The employment agreement;

–          The data is provided with clear and unequivocal permission for certain activities.

For the above objective(s), TEBV can request the following personal data:

–          Last name, first name, initials, title if applicable, gender, date of birth, address, postcode, town/city, telephone number and other information that we require to communicate with the employee, such as e-mail address and business e-mail address;

–          Information as indicated in the first indent of parents, guardians or caregivers in case of an underage employee;

–          Nationality and place of birth.

Other personal data that we record includes:

–          Information about completed training, training to be completed, courses and internships;

–          Information about the position or previous position, as well as information about the nature, the content and the termination of the employment agreement;

–          Information in consideration of registering presence at the location where the activities are carried out;

–          Information in consideration of registering absence in connection with various forms of leave, reduced working hours, childbirth or illness, with the exception of information on the nature of the illness;

–          Information that is included in consideration of working conditions;

–          Information that is required in consideration of an agreed upon employment condition. This can also relate (insofar as relevant) to information about family members and former family members;

–          Information with regard to the implementation of the cycle of performance interviews, insofar as the information is known to the employee;

–          Information with regard to having an assessment carried out;

–          Information that is required for the implementation or application of a law;

–          Salary data;

–          Copy of ID;

–          Citizen’s service (BSN) number;

–          Bank information;

–          Name and contact details of contact person in case of emergency;

–          Member of a trade union.

TEBV will save this personal data for the above-mentioned processing for the period:

–          That a person has a contract; we do not save personal data for longer than is necessary for the purpose for which the data is provided. After leaving the company, we utilise a standard retention period of 2 years after the date of leaving the company, with the exception of the personal data for which a statutory retention period applies (maximum 7 years). TEBV can also retain data for longer if we have a justified interest in doing so (for example, when legal proceedings are ongoing or are announced and TEBV must be able to mount a defence).

Transfer of personal data:

In principle, TEBV only uses the personal data of employees for its own business operations and in the context of (the implementation of) the employment agreement. TEBV will only use this information for the purposes for which it is obtained. In some instances, it can be necessary to pass on personal data to third parties, such as to a party that processes data on behalf of TEBV. Examples of this include:

o   Salary processing: information will be provided to our payroll administrator;

o   Illness and reintegration: information will be provided to the company doctor and/or the Employee Insurance Administration (UWV);

o   An attachment of earnings: information will be provided to the bailiff;

o   ICS: credit card application to a bank;

o   Having surveys carried out such as the employee satisfaction survey;

o   Travel insurance: request for travel document with insurance;

o   Second passport: municipality;

o   Employer’s declaration: mortgage lender or bank;

o   Company car: insurance.

TEBV has always entered into an agreement with these third parties concerning the purposes for which the personal data can be used, the protection of the personal data and when and how personal data will be destroyed. Moreover, TEBV will not make personal data available to other parties, unless this is legally required.

Please contact us if you would like to know more, for example, about where your information will be saved, or who you must contact to delete your data.

For applicants

TEBV processes the personal data of applicants for the following purpose(s):

–          To assess whether the applicant is suitable for the position for which they are applying;

–          To be able to contact the applicant with additional questions and/or invite the applicant for a (preliminary) interview;

–          To be processed in preparation for a possible employment agreement.

The basis for this personal data is:

–          The data is provided with clear and unequivocal permission for certain activities.

For the above objective(s), TEBV can request the following personal data:

–          Name (first name, middle name, last name);

–          Gender;

–          Date of birth;

–          Telephone number;

–          E-mail address;

–          Curriculum vitae;

–          All of the information relating to the applicant’s education (and list of marks), courses and internships and on the nature and content of the current occupation and/or previous occupation(s).

To whom can we provide this personal data?

–          Only TEBV employees who are involved in the recruitment process have direct access to this information in TEBV’s systems;

–          Only if the applicant is invited for an aptitude test and/or other assessment after the preliminary interview will we share the information necessary for this with our assessment firm.

TEBV will save this personal data for the above-mentioned processing for the period:

–          A maximum of four weeks after the application procedure has ended, unless the applicant grants permission for this information to be retained for a longer period for possible future vacancies. In that case, we will retain the personal data for a maximum of one year after permission is granted to do so.

Please contact us if you would like to know more, for example, about where your information will be saved, or who you must contact to delete your data.

For visitors

TEBV processes the personal data of visitors for the following purpose(s):

–          For the registration and hospitable welcoming of visitors;

–          For the protection of TEBV offices and employees;

–          To be able to see who is present at our offices in the event of disasters.

The basis for this personal data is:

–          The data is provided with clear and unequivocal permission for certain activities;

–          Promoting the justified interests of TEBV, specifically to prevent unwanted access to our offices;

–          The legal obligation that rests with TEBV as an FAFS organisation to be able to safely evacuate those who are present at our locations.

For the above objective(s), TEBV can request the following personal data:

–          Name (first name, middle name, last name);

–          Company;

–          TEBV employee with whom the visitor has an appointment;

–          Arrival and departure times.

To whom can we provide this personal data?

–          Only TEBV employees who require the personal data to carry out their work have direct access to this information in TEBV’s systems;

TEBV will save this personal data for the above-mentioned processing for the period:

–          1 year.

Please contact us if you would like to know more, for example, about where your information will be saved, or who you must contact to delete your data.

For users of TEBV’s Wi-Fi

During a visit to TEBV, visitors can make free use of Wi-Fi. When people are logged in on our Wi-Fi network, data is automatically collected that is sent by the device itself. TEBV only uses this data to prevent any misuse. The use of the TEBV Wi-Fi guest network is subject to the general terms and conditions and code of conduct. More information on the use of Wi-Fi can be found here.

If illegal activities are conducted from our Wi-Fi network, we can block access on the device (unique) or the type of device (group) with which you make use of our Wi-Fi network. Blocking is also possible if a hotspot is created.

Objectives

–          To prevent abuse of our Wi-Fi network.

The basis for this personal data is:

–          The data is provided with clear and unequivocal permission for certain activities (by logging in to our Wi-Fi network).

For the above objective(s), TEBV can collect the following personal data about you:

–          Identification number (MAC address) of your device, the brand of the device and the name that the user himself has given the device.

TEBV will save your personal data for the above-mentioned processing for the period:

–          One month after the most recent login on the network, this data disappears.

Please contact us if you would like to know more, for example, about where your information will be saved, or who you must contact to delete your data.

The use of the TEBV Wi-Fi guest network is subject to the general terms and conditions and code of conduct.

Applicability

These terms and conditions apply to the use of the TEBV Wi-Fi guest network by anyone that uses the network to access the Internet.

Definition

Use: TEBV makes a free Wi-Fi guest network available to its visitors exclusively for personal and non-commercial use.

User: Anyone that accesses the Internet by means of the TEBV Wi-Fi guest network.

TEBV Wi-Fi guest network: Wireless network, not by means of a cable, but by radio frequency. Using the Wi-Fi guest network, users can connect to the Internet using their own devices without using cables. In this way, you are not bound to a set location, and you can establish a connection with the Internet in various places.

General terms and conditions

TEBV does not offer support with establishing a connection on third-party devices.

Where applicable, the TEBV house rules shall apply, as specified in the General Terms and Conditions of TEBV. TEBV has the right in particular cases to block Internet access.

The use of the Wi-Fi guest network is provided based on a fair use policy. This means that no set limit has been specified for the amount of data that can be sent and received.

TEBV can take measures if significantly more data traffic is used than the average. For this or other reasons, TEBV reserves the right to block Wi-Fi connection with the user and/or to temporarily or permanently block use of the Wi-Fi by a certain user if, in the opinion of TEBV, a user is acting in conflict with these terms and conditions or if, in the opinion of TEBV, there is another reason for doing so.

TEBV is not responsible for any claims that arise from activities of the user.

Code of conduct

The user undertakes to comply with the letter of the law concerning copyright. You may not upload anything to the Internet for which you are not sure that you hold the copyright.

TEBV does not accept responsibility for the information placed by a user on a server or on the Internet. A user is fully responsible for the information that is placed on the server/Internet. The content and scope of the text and images must in no case be pornographic, discriminatory or otherwise offensive and/or improper.

The user is strictly prohibited from making inflammatory statements, inciting violence, conducting criminal activities and/or other illicit activities over the network. In the event of discovery of such acts, reports of these activities will be filed, and appropriate measures will be taken. This includes, among other things:

Spamming and Invasion of Privacy – Intellectual Property Right Violations – Obscene or Indecent Speech or Materials – Defamatory or Abusive Language – Forging of Headers – Hacking – Distribution of Internet Viruses, Trojan Horses, or Other Destructive Activities – Facilitating a Violation of this Agreement of Use – Export Control Violations – Other Illegal Activities – Resale.

The user undertakes never to hold TEBV responsible for any Internet or network outages and/or loss of data or loss of income due to technical disruptions or other malfunctions.

TEBV is not liable for damage, in the broadest sense, to the user. In particular, TEBV is not liable for damage connected with or that is the result of: disruptions in, or blocking of access to, the system or the Internet by TEBV or third parties; a defect in the protection of the information saved on the systems by the customer; actions of other customers or Internet users; or changes to the login procedure, account and e-mail address.

The user that acts in conflict with his or her obligations arising from these general terms and conditions and/or code of conduct is liable for all resulting damage to TEBV.

TEBV reserves the right to make periodic changes to the general terms and conditions without prior notice. Check these terms and conditions regularly for changes.

TEBV undertakes to protect personal data as specified in the TEBV Regulations.

Before being able to use the TEBV Wi-Fi service, the user must agree to the above-described general terms and conditions and code of conduct.

These conditions of use/code of conduct and any disputes related to the use of the TEBV Wi-Fi guest network are governed by Dutch law. The court having jurisdiction in Zutphen, the Netherlands, has exclusive competence with regard to such disputes.

Please contact us if you would like to know more, for example, about where your information will be saved, or who you must contact to delete your data.

For visitors to our website

Visitors to our website can leave their personal data to receive our newsletter (see the chapter on the newsletter), to receive an answer to a question they ask or to respond to a vacancy. TEBV processes the personal data of visitors to our website for the following objective(s):

–          To contact the website visitor;

–          To respond to a question or to a CV and cover letter;

–          To improve the website itself or the information on the website.

The basis for this personal data is:

–          You have submitted the data with clear and unambiguous consent for certain actions.

For the above objective(s), TEBV can request the following personal data:

–          Name (first name, middle name, last name);

–          Company;

–          Telephone number;

–          E-mail address.

For more information on the privacy policy regarding applicants, click here.

We use various cookies on our website. Would you like to know more about cookies? If so, read our cookie policy here.

TEBV will save this personal data for the above-mentioned processing for the period:

–          Necessary for the purpose for which we process it.

Please contact us if you would like to know more, for example, about where your information will be saved, or who you must contact to delete your data.

Issuing to third parties

We can make data that is provided to us available to third parties, if this is required for carrying out one of the above-mentioned tasks.

For example, we use third parties to:

–          Providing the Internet environment for the GDPR programme;

–          Handling the (financial) administration;

–          Preparing newsletters and invitations;

–          Arranging transportation for your order;

–          Printing business cards;

–          Booking trips.

We never make personal data available to other parties with whom we have not concluded a processing agreement. We of course reach the necessary agreements with these parties (processors) in this regard, to guarantee the protection of your personal data. Moreover, TEBV will not make personal data provided available to other parties, unless this is legally required and permitted. An example of this is if police officials request (personal) data from us as part of an investigation. In such cases, we must grant our cooperation and we are therefore required to provide this data. Additionally, we can share personal data with third parties if we are given written permission to do so.

We will never sell data to other parties.

Please contact us if you would like to know more, for example, about where your information will be saved, or who you must contact to delete your data.

Sending data abroad

Within the EU

We do not make personal data available to parties that are located in other EU countries, with the exception of Takii Group locations. These Takii Group locations satisfy the general requirements of the GDPR.

Outside the EU

We do not provide personal data to parties that are based in countries outside the EU, unless the European Commission has reached an ‘adequacy decision’ (Article 45 of the GDPR) or unless an appropriate guarantee has been provided (model contract provision as specified by the European Commission (Article 46 (2) under b)).

At this time, we share personal data with MailChimp, which is based in the United States of America, which territory ensures an adequate level of protection with regard to personal data in accordance with an adequacy decision by the European Commission.

We also share personal data with Takii & Co., Ltd., based in Japan, whereby the protection of personal data is ensured under a model contract clause between TEBV and Takii & Co.

Please contact us if you would like to know more, for example, about where your information will be saved, or who you must contact to delete your data.

Minors

We only collect the personal data of minors (people younger than 16 years of age) if written permission is given to do so by the parent, guardian or legal representative.

Please contact us if you would like to know more, for example, about where your information will be saved, or who you must contact to delete your data.

Retention period

TEBV does not retain personal data for longer than necessary for the purpose for which this data is provided or for longer than required by law.

Please contact us if you would like to know more, for example, about where your information will be saved, or who you must contact to delete your data.

Protection

We have taken suitable technical and organisational measures to protect personal data against unlawful processing. For example, we have taken the following measures:

–          All individuals that can access your data on behalf of TEBV are required to keep that data confidential;

–          We utilise a username and password policy on all of our systems;

–          We pseudonymise personal data and provide encryption of personal data if there is reason to do so;

–          We make backups of the personal data to be able to recover information in case of physical or technical incidents;

–          We regularly test and evaluate our measures;

–          Our employees are informed of the importance of protecting personal data.

Please contact us if you would like to know more, for example, about where your information will be saved, or who you must contact to delete your data.

Rights regarding your data

You also have the right to access, amend and delete the personal data that we have received from you. You can also object to the processing of your personal data (or a portion of the data) by us or by one of our processors. You also have the right to have us transfer the data that you have submitted either to yourself or, on your behalf, directly to another party. We can ask you to provide valid identification before we can comply with the above-mentioned request.

If we are permitted to process your personal data based on permission you have granted to do so, you always have the right to withdraw this permission.

Please contact us if you would like to know more, for example, about where your information will be saved, or who you must contact to delete your data.

TEBV data leak protocol

(relating to procedures on the reporting and handling of data leaks)

If personal data falls into the hands of third parties that should not have access to that data, we refer to this as a data leak. A data leak is the result of a security problem. In most cases, this relates to leaked computer files, although a stolen printed customer list can also form a data leak. Other examples: cyber-attacks, e-mail sent to incorrect addresses, stolen laptops, discarded but not erased computers and lost USB sticks. Illegally obtained business information about a production process or market strategy is valuable information but does not fall under the usual definition of a data leak. If a company telephone is lost or stolen, that is a potential data leak. There is no data leak if a private telephone is lost (the GDPR does not apply to the processing of personal data for exclusively personal or domestic purposes).

Introduction

This document describes the actions to be carried out by TEBV in case of a data leak as defined in the General Data Protection Regulation (GDPR).

A data leak is a security breach involving personal data. The personal data are then exposed to loss or unlawful processing.

A data leak must be reported immediately to the Data Protection Authority (DPA) and, in certain cases, also to the involved party or parties. The involved party is the party whose personal data is leaked.

The reporting obligation also applies to TEBV if the data leak occurs at a third party’s location, for example, a processor of personal data from TEBV (‘Processor’).

Identification of a data leak: organisation

The employee that identifies a (possible) data leak must report this incident immediately to the Board of TEBV and to the TEBV data protection officer (DPO).

A TEBV employee or a Processor is authorised at all times to submit a report independently to the DPO. The data leak notification requirement as described in this protocol will then be started.

When must a data leak be reported?

Not all incidents must be reported to the DPA. Only incidents that meet the following criteria must be reported:

  • an incident for which there is a ‘considerable chance’ of serious negative consequences for the people whose data is lost;
  • an incident that can have serious consequences for the protection of personal data (for example, the loss of a USB stick with personal data).

More information on whether a data leak must be reported to the DPA and/or involved party or parties is described in greater detail below.

Identification of an incident/has a data leak occurred?

The DPO will arrange as quickly as possible the inventory and collection of the information that is required to report a data leak to the DPA (if applicable). The form from the DPA can serve as the basis for reporting data leaks. The form is available at the following website:

datalekken.autoriteitpersoonsgegevens.nl

Based on the information obtained and in the event of a suspected data leak, in consultation between the business director and chairman of the board, the DPO and any other responsible and/or involved persons in the TEBV organisation or the relevant Processor, an assessment will be made of whether a data leak has actually occurred.

During that consultation, an assessment can also be made of whether immediate measures must be taken to limit the damage as much as possible, including submitting a (provisional) report to the involved parties. If required, advice can be requested from the legal advisor and/or the communications consultant, if present.

In case of an incident that must be reported to the DPA, the overview in the policy rules ‘Data leak notification requirement in the General Data Protection Regulation’ of the DPA must be used, which can be found at the following website:

https://autoriteitpersoonsgegevens.nl/uploads/imported/policy_rules_data_breach_notification_obligation.pdf

During the assessment of whether a data leak has occurred, the following factors are relevant:

  • has personal data been unlawfully processed?

this refers, among other things, to the unintentional or illegal destruction, loss or changing of processed personal data or unauthorised access to processed personal data or the unauthorised disclosure of that data;

  • has personal data been lost?

this means TEBV (or, in fact, its Processor) no longer has this information, because it has been destroyed or has in some other way been lost;

  • is there a single deficiency or vulnerability in the protection?
  • can it be reasonably ruled out that a security breach has led to unlawful processing?
  • have personal data of a sensitive nature been leaked?

sensitive personal data includes among other things (i) information regarding the involved party’s financial or economic situation, (ii) information that can lead to stigmatisation or exclusion of the involved party, (iii) usernames, passwords and other login data and (iv) information that can be used for (identity) fraud;

  • do the nature and scope of the breach lead to (a considerable chance of) serious negative consequences?

during the assessment of whether this situation applies, the following factors, among others, are significant: (i) the scope of the processing, (ii) the question of whether the breach involves a large amount of personal data per person and/or the data of large groups of involved parties, (iii) the impact of loss or unlawful processing of personal data, (iv) the sharing of the personal data with third parties as a result of which the consequences of loss and unauthorised change of personal data can also have an impact elsewhere and (v) involvement of vulnerable groups.

If the incident has not led to loss or wrongful processing of personal data, this is not a data leak, but rather a security breach. In that case, reporting to the DPA is not necessary.

If the conclusion is reached that a (potential) data leak has occurred, the communication pathway towards the involved party or parties and (if applicable) the relevant Processor will be discussed between the board of TEBV and the DPO.

Reporting to the Data Protection Authority

The board of TEBV or the DPO handles the prompt reporting to the DPA in accordance with the above-mentioned DPA reporting form. Pursuant to the GDPR, the notification must be submitted immediately, without undue delay, and if possible no later than 72 hours after the discovery of the data leak. The Board will also be informed of the notification.

The Board of TEBV (or, upon request from the board, the DPO) functions as the contact person with respect to the communication with the DPA. Depending on the nature of the data leak or if it turns out that the incident is not a data leak, the notification to the DPA will be supplemented or withdrawn.

The Board or (upon request from the board) the DPO will ensure that the employees involved in the incident are informed and will ask the employees involved in the incident to prepare a report as soon as possible on the circumstances of the incident. This written information will be submitted to the board and the DPO to be added to the TEBV’s data leak file.

Following receipt of the notification to the DPA, the DPA will send a confirmation. The DPA will only contact you if it sees reason to do so.

Has the system been hacked?

In case of a data leak as a result of an (unethical) hack (Article 138ab Dutch Penal Code), it is important to determine what the nature of the leaked personal data is and what the risks of misuse are for the involved party or parties. In case of a hack, in addition to the notification to the DPA, it can also be worthwhile to report the hack to the police. In that case, the DPO will ensure consultation with the board of TEBV.

Must the data leak be reported to the involved party or parties?

If a data leak is reported to the DPA, it must be determined whether the data leak must also be reported to the parties to whom this personal data relates. The board will determine that in consultation with the DPO.

The assessment of whether an incident must be reported to the involved parties can be established using the overviews in the ‘Data leak notification requirement in the General Data Protection Regulation’ policy rules of the DPA, which can be found at the website mentioned above.

As part of the consideration of whether the data leak must be reported to the involved parties, the following points, among others, are of importance:

  • if TEBV has taken suitable technical protective measures, as a result of which the personal data to which this relates is incomprehensible or inaccessible to everyone that has a right to view the information, the involved party or parties do not need to be notified. In case of doubt, the data leak must be reported to the involved party or parties;
  • the data leak must be reported to the involved party or parties if the infringement is likely to have unfavourable consequences for their privacy.

The interests of the involved party or parties can be harmed as a result of loss, wrongful use or misuse of personal data. The damage can be of a material or immaterial nature, for example, unlawful publication, defamation of character, identity fraud or discrimination.

The involved party or parties need not be informed if there are significant reasons for this. Notification can only be omitted if this is necessary in consideration of (i) the security of the state, (ii) the prevention, investigation and prosecution of criminal offences, (iii) substantial economic and financial interests of the state and other public bodies, (iv) supervision of compliance with the legal provisions that are set on behalf of the interests as specified under (ii) and (iii), or (v) the protection of the involved party or of the rights and freedoms of others.

Procedure for notifying involved party or parties

On assignment from the board of TEBV, the DPO will prepare a notification for the involved party or parties in consultation with the communications advisor and legal advisor. The DPO determines what will be reported to the involved party or parties.

The notification contains, in any event, the nature of the infringement, contact details for TEBV and a contact person or information point where the involved party or parties can find more information about the infringement, and the measures that TEBV recommends the involved party or parties take to limit the negative consequences of the infringement.

The data leak must be reported immediately to the involved party or parties. This means that, after discovery of the data leak, TEBV can take some time for further investigation so that TEBV can inform the involved party in a proper and careful manner. When doing this, consideration should be given to the (possible) fact that, as a result of the notifications, the involved party or parties must possibly take measures to protect against the consequences of the data leak. The sooner the involved party or parties are informed of that, the sooner those measures can be implemented.

The involved party or parties will be informed individually.

The notification to the DPA indicates whether or not the data leak has been reported to the involved party or parties. If the period specified to the DPA within which notification must be sent to the involved party or parties cannot be met, the DPO must notify the DPA by means of an adjustment to the previous notification.

Data leak investigation and determining improvement measures

As soon as possible after identifying the incident, the DPO will initiate an (internal) investigation into the facts of the (possible) data leak and address the question of whether and how such incidents can be avoided in the future.

In consultation with the board of TEBV, the DPO can speak with employees of TEBV and/or other relevant persons (such as any employees of the Processor(s) of TEBV), view all relevant documents and have access to all locations insofar as necessary for a thorough investigation.

Where necessary, the DPO can propose that the board of TEBV bring in external personnel if that is necessary for a proper investigation.

The DPO will report the conclusions of the above-mentioned investigation as quickly as possible to the board and the management of TEBV.

In consultation, which in any event the board of TEBV and the DPO attend, the results of the above-mentioned investigation will be discussed and agreements will be reached regarding improvement measures to avoid a repeat of the incident to the extent possible.

The board of TEBV will report to management on what improvement measures will be implemented and will ensure that the designated improvement measures are implemented and are communicated within the TEBV organisation (and externally where necessary, such as to a Processor).

Data leak file

The data leak file will be maintained digitally by the DPO and the secretariat of the board of TEBV for a period of at least 1 year. A longer period of at least 3 years can apply, as specified in the ‘Data leak notification requirement in the General Data Protection Regulation’ policy rules of the DPA, page 46.

Please contact us if you would like to know more, for example, about where your information will be saved, or who you must contact to delete your data.

Complaints

If you have complaints about the processing of your personal data, we ask that you contact us about this immediately. If we are unable to find a solution together with you, we of course find this very unfortunate. You always have the right to submit a complaint to the Data Protection Authority, which is the supervisory authority in the area of privacy protection.

Questions

If you still have questions or comments regarding our Privacy Statement, contact us!
privacy@takii.eu

Takii Europe B.V.
Hoofdweg 19
1424 PC De Kwakel, the Netherlands
+31(0)297-345 700

Who is responsible for your data?

Takii Europe B.V.
Hoofdweg 19
1424 PC De Kwakel,
the Netherlands

Can this Privacy policy be modified?

Yes, this privacy policy can be modified. This version is from 22-12-2023. We recommend that you check the privacy policy regularly. We will inform you separately with regard to major changes.
