Privacy statement Jolles & Ko Accountants
(version April 16th, 2018)
In the context of our services we process personal data. We may have received this information from you, for example via our website, e-mail, telephone or app. In addition in the context of our services, we can obtain your personal data via third parties (eg your employer). With this privacy statement we inform you about how we handle these personal data.
Personal data to be processed
Which personal data we process depends on the exact service and circumstances. Often this involves the following data:
- name and address details;
- Function contact;
- Birthdate and -place;
- Contact details (e-mail addresses, telephone numbers) and name and function of contacts;
- Copy of identity documents;
- Citizen service number (only if necessary!);
- Passport photo (only if strictly necessary! For example, for personnel file);
- Salary and other information required for tax returns, salary calculations and the like;
- Marital status, data partner and possibly. information about children; insofar as necessary for, for example, tax returns);
- Bank account number;
- Information about your activities on our website, IP address, internet browser and device type.
Goals of and bases for processing
In a number of cases we process personal data in order to comply with a legal obligation, but usually we do so in order to be able to implement our services. Some data is recorded for practical or efficiency reasons, from which we may assume that these are also in your interest, such as:
- Communication and information provision;
- Being able to provide our services in the most efficient way possible;
- The improvement of our services;
- Invoicing and debtcollection
The above also means that we use personal data for marketing purposes or to send you advertising materials or messages about our services, only if we think that this information may be of interest to you. We may also contact you to request feedback on services provided by us or for market or other research purposes.
In some cases it may be that we want to process personal data for reasons other than those mentioned above and that we will explicitly ask you for permission. If we wish to process personal data that we may process on the basis of your consent for other or more purposes, we will first and each time again ask you for permission again.
Finally, we may also use your personal data to protect the rights or property of ourselves and those of our users and, if necessary, to comply with legal proceedings.
Provision to third parties
In the context of our services, we can make use of the services of third parties, for example if these third parties have specialist knowledge or resources that we do not possess. These can be so-called processors or subprocessors, who will process the personal data on the basis of your exact order. Other third parties who, strictly speaking, are not processors of the personal data but have access to or have access to them, are for example our system administrator, suppliers or hosting parties of online software, or advisors whose advice we obtain concerning your assignment. If engaging third parties has the consequence that they have access to the personal data or that they themselves record and / or otherwise process, we will agree (in writing) with those third parties that they will comply with all the obligations of the GDPR. Of course, we will only involve third parties from whom we can and may assume that they are reliable parties that deal adequately with personal data and, moreover, can and will comply with the GDPR. This means, among other things, that these third parties may only process your personal data for the aforementioned purposes.
Of course, it may also be that we have to provide your personal data to third parties in connection with a legal obligation.
We will in no case provide your personal data to third parties for commercial or charitable purposes without your explicit permission.
We will not process your personal data for longer than is useful for the purpose for which it was provided (see the section on 'Goals of and bases for processing'). This means that your personal data will be kept for as long as they are necessary to achieve the relevant goals. Certain data must be retained for a longer period of time (often 7 years), because we have to comply with statutory custody obligations (for example the fiscal retention obligation) or in connection with instructions from our professional association.
We have taken appropriate organizational and technical measures for the protection of the personal data insofar as these can reasonably be required of us, taking into account the interest to be protected, the state of the technology and the costs of the relevant security measures.
We oblige our employees and any third parties who necessarily have access to the personal data to secrecy. Furthermore, we ensure that our employees have received a correct and complete instruction on the handling of personal data and that they are sufficiently familiar with the responsibilities and obligations of the AVG. If you appreciate this, we will gladly inform you about how we have designed the protection of personal data.
You have the right to inspect, rectify or delete the personal data we have about you (except, of course, if this would interfere with any legal obligations). You can also object to the processing of your personal data (or a part thereof) by us or by one of our processors. You also have the right to have the information provided by you transferred by us to yourself or directly to another party if you wish.
Incidents with personal data
If there is an incident (a so-called data breach) concerning the relevant personal data, we will inform you without delay, unless there are compelling reasons, if there is a real chance of negative consequences for your privacy and the realization thereof. We strive to do this within 48 hours after we have discovered this data breach or have been informed about this by our (sub) processors.
If you have a complaint about the processing of your personal data, we ask you to contact us about this. If this does not lead to a satisfactory outcome, then there is always the right to file a complaint with the Dutch Data Protection Authority; the supervisory authority in the area of privacy.
Processing within the EEA
We will only process the personal data within the European Economic Area, unless you agree on this with our other written agreements. Exceptions to this are situations in which we want to map contact moments via our website and / or social media pages (such as Facebook and LinkedIn). Think, for example, of visitor numbers and requested web pages. Your data will be stored by third parties outside the EU when using Google Analytics, LinkedIn or Facebook. These parties are 'EU-US Privacy Shield' certified, so they have to comply with European privacy regulations. Incidentally, this only concerns a limited number of sensitive personal data, in particular your IP address.