Privacy Policy

1. Introduction and purpose of the privacy statement

[Company Name] attaches great importance to privacy and careful handling of the personal data of its customers and other data subjects (hereinafter also referred to as "Data Subjects"). In this privacy statement, [Company Name] wishes to explain in a clear, transparent, simple and correct manner how [Company Name] handles the personal data it collects and processes from Data Subjects, regardless of whether [Company Name] collects this data directly or through a third party.

The Privacy Statement also explains for what purposes [Company Name] processes Data Subjects' personal data, what categories of personal data are processed, what rights Data Subjects have regarding their personal data and how to exercise their rights.

[Company Name] kindly requests that you read this privacy statement carefully so that you are adequately informed about your rights and how to exercise them.

In this privacy notice, the term "independent contractors" refers to freelancers, consultants and other independent professionals that [Company Name] works with to perform audits and other services.

2. [Company Name] and its activities

[Company Name] is an organization that specializes in performing various types of audits, including source code reviews, development environment reviews, architecture reviews, usability audits and troubleshooting. In doing so, [Company Name] gains access to source code, development environments and other confidential information of its customers. In order to provide these services, [Company Name] collects and processes certain personal data.

[Company Name] can be contacted by phone at [phone number] or by email at [email address].

Security or privacy incidents should preferably be reported to [privacy@bedrijfsnaam.nl].

3. What personal data is collected and processed by [Company Name]?

When a person visits the website, contacts [Company Name] and/or uses the services of [Company Name], [Company Name] may, whether or not out of necessity, collect and process personal data.

Depending on the relationship with [Company Name], the following data may be collected and processed:

  • When visiting the website: the visitor's IP address is temporarily recognized and used (not individually) for the purpose of analysis and optimization of the website; the website also uses some cookies;
  • When contacting [Company Name]: the contact information (phone number, e-mail address, etc.) of the person who contacts [Company Name] directly is temporarily processed, as well as any identifying information (name, position, etc.) that the person communicates to [Company Name] during this contact;
  • When requesting an audit or other service: the name, first name, position, company name and contact information of the applicant's representative may be collected and processed;
  • When conducting the audit: details of the employees involved, such as name, position, contact information and, where appropriate, access details to systems and code repositories;
  • When contacting independent contractors: for independent contractors who contact [Company Name] about possible cooperation or who already work with [Company Name], name, first name, contact details, CV, expertise information, VAT/Corporation number, bank details, and information on qualifications, certifications and professional experience are collected and processed for business administration, contract management and the allocation of assignments.

For processing operations that [Company Name] necessarily carries out in the context of providing a good service regarding the performance of audits and support for its clients, [Company Name] acts as a processor. The client who makes use of the services and/or products of [Company Name] is in that case the controller.

4. Why does [Company Name] collect and process personal data?

[Company Name] collects and processes Data Subjects' personal data for the following purposes:

  • Responding correctly to individuals when they contact [Company Name]; for this purpose [Company Name] has a legitimate interest in processing personal data;
  • Improving the operation of [Company Name], its services, processes and applications; for this purpose [Company Name] has a legitimate interest in processing personal data;
  • Performing the services offered by [Company Name], as agreed upon in one or more agreement(s); for this purpose [Company Name] processes personal data in performance of the relevant agreement(s);
  • Managing the pool of independent contractors with whom [Company Name] works, including evaluating qualifications, matching expertise to specific audits, and administering contracts and payments;
  • Complying with instructions from police and/or judicial authorities when they require [Company Name] to process data, in other words on the basis of a legal obligation.

5. With whom does [Company Name] share personal data?

5.1 Internal - [Company Name]

[Company Name] takes the necessary measures so that access to personal data within the organization is limited to those employees who effectively need access as part of their duties.

5.2 External - third parties

[Company Name] transfers personal data to the following categories of third parties:

  • Independent contractors who actually conduct the audit. They are bound by strict confidentiality through an NDA;
  • Organizations and/or individuals to whom [Company Name] has outsourced certain services and/or functions, such as IT systems vendors, software, IT support and destruction of confidential documents, among others;
  • Organizations and/or individuals that are integral to the operation of [Company Name], such as external consultants and employees, among others;
  • Organizations that provide technology services such as Google (cookies).

[Company Name] emphasizes that personal data of data subjects is shared with these third parties only to the extent necessary for the performance of the audit and related services. [Company Name] does not share this data with third parties for marketing, data sales, profiling or other commercial purposes. Third parties with whom data is shared are primarily freelancers and consultants working with [Company Name] to perform the audits, and they are contractually bound to the same privacy standards that [Company Name] maintains.

6. For how long does [Company Name] retain personal data?

As a general principle, [Company Name] keeps personal data collected and processed for no longer than is strictly necessary to fulfill the purposes for which the data is collected. In addition, [Company Name] deletes any personal data, without undue delay, when requested by individuals.

  • Source code and other technical documentation will be deleted upon completion of the audit unless otherwise agreed upon for follow-up audits. In the case of agreed-upon follow-up audits, information will be retained until after the last scheduled audit.
  • Customer contact information will be retained for the duration of the contractual relationship and for up to five (5) years after the last interaction or service, for the purpose of record keeping and customer acquisition.
  • Audit reports will be retained during the term of the agreement and as part of any follow-up audits. After termination of the agreement or after the last scheduled audit, these reports will be retained for up to two (2) years, unless otherwise agreed upon with the client.
  • Data of independent contractors will be kept for the duration of the collaborative relationship and for up to seven (7) years after the last collaboration, in connection with legal retention obligations for financial records and possible liability issues.

At the end of the applicable retention period, personal data will be permanently deleted.

7. Rights regarding personal data.

With respect to his or her personal data, each Data Subject always has the right to:

Submit a request for access to his/her personal data to [Company Name]:

[Company Name] will confirm whether personal data are processed or not. In the event that personal data are being processed, Data Subjects may request an extract of such personal data. If multiple copies are requested, [Company Name] may charge a fee for this.

Submit a request for rectification of his/her personal data to [Company Name]:

If the personal information held by [Company Name] is inaccurate or incomplete, Data Subjects may request that it be corrected or supplemented. If requested by Data Subjects, [Company Name] may inform them of the third parties who have received the inaccurate and/or incomplete information in the past.

Submit a request to restrict the processing of his/her personal data to [Company Name]:

Data Subjects may request [Company Name] to stop processing some or all of their personal data in certain situations. If requested by Data Subjects, [Company Name] may inform them of the third parties who have received the information in the past.

Submit a request for total deletion of his/her personal data to [Company Name]:

Data Subjects may request [Company Name] to delete their personal data completely. However, this is limited to those situations where this personal data is no longer necessary for [Company Name] to perform its services. If requested by Data Subjects, [Company Name] may inform them of the third parties who have received the information in the past.

Submit a request to object to the processing of his/her personal data to [Company Name]:

Data Subjects have the right to object to the processing of their personal data by [Company Name] where [Company Name] processes this data on the basis of a legitimate interest and Data Subjects demonstrate that their right prevails over the legitimate interest of [Company Name], or where [Company Name] processes this data for marketing purposes.

Submit a request for withdrawal of consent to process his/her personal data to [Company Name]:

Data Subjects may, in those situations where the processing of personal data by [Company Name] is based on the consent obtained, withdraw this consent at any time. Once Data Subjects have withdrawn their consent, [Company Name] will no longer process such personal data.

Modalities for exercising rights

The handling of requests from data subjects is subject to certain modalities, depending on the role played by [Company Name] in the processing of personal data:

  • For processing operations in which [Company Name] acts as a data controller (for example, for data of its own employees or of persons who contact [Company Name] directly), [Company Name] may handle requests directly.
  • For processing operations where [Company Name] acts as a processor (for example, for data of employees of the customer or other data subjects whose data [Company Name] processes on behalf of the customer), the data subject should direct the request to the controller (the customer of [Company Name]). In this case, the customer will contact [Company Name] if the customer requires the assistance of [Company Name] to fulfill the request.

If a data subject makes a request directly to [Company Name] while [Company Name] is acting as a processor, [Company Name] will refer the data subject to the controller. In any case, [Company Name] should be able to verify the identity of the requester before fulfilling any request.

Filing a complaint with the Data Protection Authority:

If Data Subjects disagree with the processing of their personal data by [Company Name] and they do not agree with the response and/or solution from [Company Name], they may file a complaint with the Data Protection Authority.

Data Protection Authority - [address]

[email from authority]

[authority website]

All requests for the exercise of the above rights must be delivered to [Company Name] by contacting [Company Name] in the manner indicated in Article 2 of this Privacy Statement.

8. The security of personal data.

[Company Name] makes great efforts to prevent abuse, loss, unauthorized access and other unwanted actions with the personal data of Data Subjects. To this end, [Company Name] takes the necessary and appropriate technical and organizational measures so that the processing meets the requirements of national and European legislation. In this way [Company Name] also ensures the protection of the rights of Data Subjects. [Company Name] ensures that these measures are regularly monitored and adapted where necessary.

These measures include:

  • Strict NDAs with all our employees and freelancers
  • Need-to-know access control to systems
  • Encryption of all sensitive data
  • Multi-factor authentication for access to systems, where possible
  • Regular security updates to our systems
  • Internal audits of our own processes

9. Exchange of data outside the EEA.

[Company Name] always tries to limit the transfer of personal data to third parties outside the European Economic Area ("EEA").

Should such a transfer nevertheless take place, [Company Name] shall ensure that it takes place in accordance with the GDPR (by, among other things, the presence of an adequacy decision for the country in question or the establishment of an appropriate alternative, with additional measures if necessary, etc.).

10. Changes to the privacy statement.

[Company Name] may modify this privacy statement from time to time, within the limits set by applicable privacy and data protection regulations. All updates and changes will take effect immediately upon their publication. [Company Name] therefore encourages Data Subjects to consult this Privacy Statement at regular intervals to ensure that they are always aware of changes that may affect them.

Version: [date]