Privacy Statement
What is accon■avm
accon■avm is a private limited liability company known as accon■avm groep B.V., which has its registered office and principal place of business at Meander 725, Arnhem, the Netherlands (mailing address: P.O. Box 5090, 6802 EB Arnhem, the Netherlands), and all private companies associated with it¹.
Who are our clients?
Our clients are people with whom accon■avm has concluded a contract for services. Personal data may be processed by accon■avm for a client without being under its direct authority; accon■avm then qualifies as the processor. In some situations, accon■avm may, alone or jointly with others, determine the purposes and means of the processing of personal data; accon■avm then qualifies as the controller.
What is personal data?
Personal data is any information relating to an identified or identifiable natural person which is processed in the context of a contract for services. An identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
I am not a client, but you do have personal data of mine
We process the personal data not only of our clients but also of leads, prospects, newsletter readers, suppliers, business contacts, job applicants and, naturally, our own staff as well. In general, the provisions set out below also apply to the personal data that we process on their behalf. Different provisions applicable to these categories will be addressed later on.
What do we mean by processing of personal data?
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Who is responsible for personal data within the meaning of the General Data Protection Regulation (GDPR)²?
accon■avm processes personal data for and on behalf of clients. If our role is confined to processing the personal data without determining what happens to them, the client remains responsible for the personal data. The client then determines for what purpose and by what means the personal data is processed. This is often the case where we process payroll records for a client.
accon■avm may also qualify as the controller in relation to a client’s personal data, for example where it performs compilation engagements for the client. In such a case accon■avm, either alone or jointly with others, determines the purposes and means of the processing of personal data. If accon■avm qualifies as the controller, the client is required to comply with the GDPR or other laws or regulations governing the processing of personal data.
Insofar as we arrange for personal data to be processed by a third party, e.g. a software supplier, the third party qualifies as a sub-processor.
What personal data do we process?
In most cases, the personal data is privacy-sensitive. Examples are:
- surname, given name, title, sex
- address (street, house number and town)
- email address and telephone number
- dates of birth of client and his/her family
- citizen service number
- income details and other data concerning the client’s financial or economic situation
accon■avm is required by law to process citizen service numbers when preparing tax returns and arranging for allowances, subsidy and other applications, and payroll records. A complete copy of an identity document is also obligatory for payroll tax purposes. Under the Dutch Money Laundering and Terrorist Financing (Prevention) Act, accon■avm is required to check the identity of the client and keep a copy of their identity document. The chief service provided by accon■avm involves compiling various types of financial and advisory reports, tax returns and payslips. Due care is exercised in providing these services. The basic principles are confidentiality and non-disclosure to third parties. This obviously also applies to login data, such as user names and passwords. This forms the basis of the technical and organisational security.
We do not process data on matters such as race, political opinion and religious conviction or data concerning health. If there should nonetheless be a special reason why this is necessary, we will raise the matter specifically with the client and include it in the contract for services.
How do we process personal data?
We process personal data exclusively in the manner we have agreed with the client in the contract for services. We do not process data longer or more extensively than strictly necessary for the performance of the contract.
The processing is carried out in accordance with the client’s instructions, unless we are required by law or regulation to act differently (e.g. when deciding whether or not an ‘unusual transaction’ should be reported to the authorities under the Dutch Money Laundering and Terrorist Financing (Prevention) Act). If we believe that an instruction infringes upon the General Data Protection Regulation Act, we inform the client immediately.
If we qualify as the processor, the processing takes place under the client’s responsibility. We have no control over the purposes and means of the processing and take no decisions on such matters as the use of personal data, the period during which the personal data is kept for the client and the disclosure of personal data to third parties. If we qualify as the controller, as is the case where we perform compilation engagements, we will process the data in the manner we, as the expert, consider correct and in accordance with the agreed contract. The client should then ensure that he complies with the personal data processing legislation applicable to him as processor and should observe the arrangements we have made in the contract for services.
We comply with any independent obligation we may have on the basis of the statutory regulations or any professional rules or code of conduct applicable to the staff in relation to the processing of personal data.
The client has a statutory obligation to comply with the existing privacy laws and regulations. The client should determine in particular whether there is a lawful basis for the processing of the personal data. We ensure that we comply with the regulatory provisions applicable to us in respect of the processing of personal data.
We will process the personal data only within the European Economic Area (EEA), unless we have made other arrangements with the client that have been recorded in writing.
Who has access to the personal data?
We ensure that only our staff have access to the personal data. An exception to this is where we use sub-processors. Where possible, we limit our staff’s access to personal data on a need-to-know basis. We also ensure that staff who have access to the personal data receive correct and complete instructions on how to deal with such data and that they are conversant with their responsibilities and statutory obligations.
We may engage other processors (or sub-processors) to carry out certain activities under the contract, for instance where they have specialist knowledge or resources that we lack. If, as a result of their engagement, sub-processors become involved in processing these personal data, we will impose the same obligations on them (in writing). When awarding an engagement to accon■avm, the client accepts that sub-processors may be used in the performance of the contract.
Access to and rectification or erasure of personal data
We comply with requests for access to and rectification or erasure of personal data where possible. The erasure of personal data is a right under the GDPR, but we have to comply with legislation on the duty to retain data and this takes precedence. We keep your data for no longer than necessary. In many cases, we have a statutory obligation to keep data. This statutory obligation will usually span seven or ten years. We may charge a fee if complying with a request entails any costs either for us or for the sub-processor.
If we receive a request to disclose personal data, we will do so only if the request has been made by a competent authority. What is more, we will first determine whether, in our view, the request is binding or whether we must comply with the request under our professional rules and code of conduct. If there are no criminal law restrictions or other legal obstacles, we will inform the client of the request. We will try to do this as quickly as possible so that the client has an opportunity to exercise any legal remedies that may be available to prevent disclosure of the personal data. If we are allowed to notify the client of the request, we will also consult with the client about what data we make available and how.
Security measures
We have adopted suitable security measures that provide a level of security geared to the nature of the personal data and the scope, context, purpose and risks of the processing. In introducing these measures we have taken into account the risks to be mitigated, the current state of technology and the costs. accon■avm will periodically carry out internal audits and make random checks.
We offer suitable safeguards for the application of the technical and organisational security measures to the processing activities undertaken.
Clients who wish to arrange for the implementation of our security measures to be inspected by an independent expert may submit a request to this effect. We will then make the necessary arrangements with the client. The costs of an inspection or audit are borne by the client. The client agrees to provide us with a copy of the inspection report.
Data breaches
accon■avm has created a special email address where clients, staff, sub-processors and third parties can report incidents that may involve a data breach³. accon■avm will investigate reports as quickly as possible and take whatever measures are necessary to prevent further losses for those concerned and for accon■avm. As required by law, a data breach that may have serious consequences will be reported to the Dutch Data Protection Authority and to the person or persons whose personal data is affected by the data breach.
The aforementioned email address is: meldplichtdatalekken@acconavm.nl.
Duty of secrecy
We ensure that personal data we receive are kept secret and also impose a duty of secrecy on our staff and any sub-processors. Where staff are entrusted with personal data, they will also observe the duty of secrecy to which they may be subject under any professional rules and code of conduct.
Liability
The client warrants that the processing of personal data in accordance with our contract for services and these provisions is not unlawful and does not infringe upon the rights of other data subjects such as relatives or staff.
We are not liable for losses resulting from failure by the client to comply with the General Data Protection Regulation Act or any other laws or regulations. The client also indemnifies us against claims of third parties in respect of such losses. The indemnity relates not only to losses (both material and non-material) suffered by such third parties but also to the costs we have to incur in this context, for instance in any legal proceedings, and the costs of any fines imposed on us as a consequence of the client’s actions.
The limitation of our liability agreed in a contract for services and the related general terms and conditions applies to the obligations contained in this privacy statement, provided always that one or more claims for damages under this privacy statement and/or the contract for services may never exceed the limitation.
General terms and conditions
Our general terms and conditions apply to all our services. By signing the contract for services, clients acknowledge that they have in their possession, have read and agree to our general terms and conditions and this privacy statement.
Termination and return/destruction of personal data
In view of our statutory retention duty and other legislation or professional or other regulations, we are generally unable to comply with a request from a client to destroy or return personal data at the end of our contract for services. If this is possible, however, we will cooperate in meeting the request.
The costs of collecting and transferring personal data at the end of the contract are borne by the client. The same applies to the costs of destroying personal data.
Additions and changes to the accon■avm privacy statement
We will ensure that this privacy statement is kept up-to-date and will modify its provisions where necessary. If these provisions should undergo significant changes or additions on account of new or changed legislation, we will notify our clients accordingly. If we are no longer able to provide a given degree of protection, we may decide to terminate the contract for services.
Different provisions for certain natural persons
The rule we apply in the case of personal data of leads and prospects is that once a year we remove all such data we have processed longer than a year with a view to being able to conclude a contract for services. The only exception is where the data subject has agreed and recorded a follow-up arrangement showing that we can continue processing for a further year.
We make an agreement with job applicants that we will keep their personal data for a maximum of 24 months after the closing date for applications.
The same rule applies to staff, trainees, hirers, agency staff and self-employed persons of accon■avm as to clients, although here references to contract for services must be read as employment contract, traineeship agreement, temporary employment contract, agency employment contract or management agreement, as the case may be. We also observe the statutory periods for keeping their personal data.
Final provisions
On request, the parties will assist the supervisory authority in performing its tasks.
Dutch law applies to these provisions and the Dutch courts have jurisdiction to hear all disputes resulting from or related to these provisions.
This privacy statement forms part of our contracts for services and is therefore binding on the parties. This privacy statement takes precedence over the provisions of our general terms and conditions, unless express reference is made to a provision in the general terms and conditions.
If one or more of the provisions referred to here prove to be invalid in respect of a client, this will not affect the validity of the other provisions. We will then consult with the client with a view to drawing up together a new provision. This provision will be as close as possible to the spirit of the invalid provision, but obviously framed in such a way as to be valid.
Contact
For questions about rights and the manner in which accon■avm handles personal data, please email a request for information to accon■avm at informatiebeveiliging@acconavm.nl.
accon■avm will answer questions as quickly as possible, but in any event within four weeks.
¹ The associated companies are: accon■avm groep b.v. (Chamber of Commerce (COC) 09171813), accon■avm accountants b.v. (COC 09173926), accon■avm belastingadvies b.v. (COC 09114596), accon■avm branche advies b.v. (COC 08056899), accon■avm juridisch advies b.v. (COC 09114594), accon■avm subsidieadvies b.v. (COC 01051341), accon■avm corporate finance b.v. (COC 09154731), accon■avm consultants b.v. (COC 09114589), accon■avm vastgoed b.v. (COC 1051342), accon■avm rentmeesters b.v. (COC 30220273) and accon■avm werkgeversservice b.v. (COC 08049607).
² GDPR is the General Data Protection Regulation, including the legislation implementing this regulation. The Regulation will replace the Dutch Personal Data Protection Act (Wbp) with effect from 25 May 2018.
³ A data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.