Privacy Statement DC.
We are committed to ensuring your privacy and therefore handle personal data with care. In all cases, Duinkerken Consultancy adheres to the applicable laws and regulations, including the General Data Protection Regulation. This means that we at least:
- Process your personal data in accordance with the purpose for which it was provided; these purposes and the types of personal data are described in this Privacy Statement;
- Limit the processing of your personal data to only those data that are minimally necessary for the purposes for which they are processed;
- Have taken appropriate technical and organizational measures to ensure the security of your personal data;
- Do not disclose personal data to other parties unless necessary to carry out the purposes for which it was provided;
- Are aware of, want to make you aware of and respect your rights regarding your personal data.
This Privacy Statement covers
Duinkerken Consultancy, registered with the Chamber of Commerce under No. 64573060.
Who is the customer?
The customer is the person with whom Duinkerken Consultancy has entered into a contract for services, for which privacy-sensitive data of the customer, its family or its employees is processed.
I am not a customer but you have personal information about me
In addition to our customers, we also process personal data of leads, prospects, newsletter readers, suppliers, associates and job applicants. In general, the provisions below also apply to the personal data we process for these individuals.
Who is responsible for personal data within the meaning of the General Data Protection Regulation (AVG)?
Among other things, Duinkerken Consultancy processes personal data for and on behalf of clients. If we only process the personal data without determining what happens to it, the customer remains responsible for the personal data. The client then determines for what purpose and by what means the personal data will be processed. This is usually the case if we process payroll for the client. In most other cases, Duinkerken Consultancy is responsible for the client’s personal data. To the extent we have personal data processed through a third party, such as a software provider, the third party is a sub-processor.
What personal data do we process?
In most cases, these are privacy-sensitive personal data. These are data such as:
- Name, first name, initials, titles, gender
- Address and residence
- Email address and phone number
- Birth dates of the client and their family
- BSN number
- Income data and other data on the client’s financial or economic situation.
To take care of tax returns and benefits, (subsidy) applications and payroll administration, Duinkerken Consultancy is required by law to process the BSN number. A complete copy of the ID is additionally required for payroll tax purposes. The Wwft (Money Laundering and Terrorist Financing Prevention Act) requires Duinkerken Consultancy to establish the client’s identity and keep proof of it.
The preparation of various types of financial and advisory reports, tax returns and pay slips is the core of the services provided by Duinkerken Consultancy. This is handled with extreme care. Confidentiality and secrecy towards third parties is the starting point for this. This, of course, also applies to login information such as usernames and passwords. Technical and organizational security is designed accordingly.
We do not process data on, for example, race, political views, religious beliefs and medical information. Should there be a need to do so for a special reason, we will specifically include this with the client in the service agreement.
How do we process personal data?
We process personal data only in the manner agreed upon with the client in the service order. We do not do this processing longer or more extensively than necessary for the performance of this assignment. Processing takes place according to written instructions from the client, unless we are required by law or regulation to do otherwise (for example, when considering whether to report an “unusual transaction” under the Money Laundering and Terrorist Financing Act (Wwft)). If an instruction, in our opinion, violates the AVG, we will notify the customer immediately. In case we are responsible, such as when preparing the tax return, we will process the data as we consider appropriate as an expert and in light of the agreed assignment. If we might have an independent obligation based on legal regulations or the professional and conduct rules applicable to employees regarding Processing of Personal Data, we will comply with these obligations.
The customer is required by law to comply with applicable privacy laws and regulations. In particular, the client must establish whether there is a lawful basis for processing the personal data. We ensure that we comply with the regulations applicable to us regarding the processing of personal data.
We will only process the personal data within the European Economic Area (EU), unless we have made other arrangements with the customer in writing.
Who has access to personal data?
We ensure that only our employees have access to personal data. The exception to this is any sub-processors. We limit access by our employees, whenever possible, to those data necessary for their work. We also ensure that employees who have access to personal data have received proper and complete instruction on handling personal data and are familiar with responsibilities and legal obligations.
We may engage other processors (sub-processors) to perform certain work resulting from the order, for example, if these sub-processors have specialized knowledge or resources that we do not have. If engaging sub-processors results in them processing personal data, we will impose the same obligations on those sub-processors (in writing). Granting an assignment to Duinkerken Consultancy constitutes consent to the engagement of any (replacement) sub-processors.
Inspection, modification or deletion of personal data
To the extent possible, we will comply with requests to access, modify or delete personal data. Deletion of personal data is a right under the AVG, but we are also subject to legislation regarding data retention, and that legislation takes precedence. The fiscal legal retention period is 7 years. Due to the review period of input tax deductions for real estate, such as business properties, records of real estate must be kept for 10 years. Should fulfilling requests incur costs for us or the sub-processor, we may charge those costs.
If we receive a request to make personal data available, we will only do so if the request is made by an authorized entity. Moreover, we first assess whether we believe the request is binding, or whether we are required by rules of conduct and professional practice to comply with the request. If there are no criminal or other legal impediments, we will notify the customer of the request. We try to do so at such short notice that it is possible for the customer to file any legal appeals against the disclosure of the personal data. If we may notify the customer, we will also consult with the customer on how and what data we will make available.
We have taken appropriate security measures with a security level appropriate to the nature of the personal data and the scope, context, purposes and risks of the processing. The security measures took into account the risks to be mitigated, the state of the art and the cost of the security measures. This could include up-to-date firewalls, virus scanners, encryption, backups and accounts protected with strong passwords (two-step verification).
We provide appropriate safeguards for the application of technical and organizational security measures with respect to the processing operations to be performed. If the customer wishes to have the way we comply with the security measures inspected by an independent expert, a request can be made. We will make arrangements with the customer about this. The cost of an inspection or audit shall be borne by the customer. The client provides us with a copy of the inspection report.
Duinkerken Consultancy has an email address where customers, employees, sub-processors and third parties can report incidents that may be data breaches. A data breach is a security breach that accidentally or unlawfully results in – or where it cannot reasonably be ruled out that it could result in – the destruction, loss, alteration or unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise processed. Reports are addressed to email@example.com
Duinkerken Consultancy picks up reports for further investigation as soon as possible within the legal deadlines and takes those measures necessary to prevent further harm to data subjects and Duinkerken Consultancy. As required by law, a data breach that may have serious consequences is reported to the Personal Data Authority and to the person(s) whose personal data is involved in the data breach.
Duty of confidentiality
We keep personal data obtained confidential and also require our employees and any sub-processors to maintain confidentiality. Employees shall also observe confidentiality with respect to the personal data entrusted to them as applicable under their professional and conduct rules, if any.
The client warrants that the processing of personal data in accordance with our service agreement and these provisions is not unlawful and does not infringe on the rights of other data subjects such as family or co-workers.
We are not liable for damages resulting from the customer’s failure to comply with the AVG or other laws or regulations. The customer also indemnifies us against third-party claims based on such damages. The indemnification applies not only to the damages suffered by third parties (material as well as immaterial), but also to the costs we incur in connection therewith, for example in any legal proceedings, and the costs of any fines imposed on us as a result of the customer’s actions.
The limitation of our liability agreed upon in an order for services and associated terms and conditions shall apply to the obligations as herein provided, except that one or more claims for damages under this privacy statement and/or the order for services may never result in the limitation being exceeded. By signing the service order or agreeing to this privacy statement, you declare that you are in possession of, or are familiar with, our terms and conditions.
Termination and return/destruction of personal data
In view of our statutory retention obligation and other laws or (professional) regulations, we are generally unable to comply with any request from the client for the destruction or return of personal data at the end of our service assignment. Should this be possible, we will cooperate with this request.
The cost of collecting and transferring personal data at the termination of the assignment shall be borne by the client. The same applies to the cost of destroying personal data.
Additions and changes to the privacy statement of Duinkerken Consultancy
If these provisions undergo significant changes or additions due to new or amended legislation, we will inform our customers. If we can no longer meet a certain level of protection, this may be grounds for us to terminate a service order.
Derogations for certain natural persons
For personal data of leads and prospects, our rule is that once a year we delete all personal data that has been processed by us for more than a year for the purpose of concluding a service order. This is unless a follow-up arrangement has been agreed and recorded with the person involved that shows we can continue processing for another year.
For personal data of job applicants, we follow the rule that after a vacancy is closed, all personal data will be deleted after a maximum of three months.
For personal data of employees, interns, hires, temporary workers or self-employed workers at Duinkerken Consultancy, the same applies as for clients, with the understanding that "order to provide services" should be read as the employment contract, internship agreement, hiring agreement, agency agreement or management agreement.
Upon request, the parties shall cooperate with the supervisory authority in the performance of its duties. These provisions shall be governed by Dutch law; the Dutch court shall have jurisdiction over all disputes arising out of or in connection with these provisions.
This privacy statement is part of our orders for services and is therefore binding on the parties. This privacy statement supersedes the provisions in our terms and conditions, unless a provision in the terms and conditions is explicitly referenced.
If one or more provisions listed here are found not to be valid for a customer, this does not affect the validity of the other provisions listed. We then enter into consultation with the client to jointly draft a new provision. This provision will be as much in the spirit of the invalid provision as possible, but designed so that the provision is valid.