How and why does HybrIT collect personal data?
HybrIT collects personal data in the performance of its activities. In most cases, this involves data it requests from the data subject or which the data subject provides on his or her own initiative. For example, an initial telephone conversation between HybrIT and a (potential) customer or the situation where a (potential) customer sends an email to HybrIT.
HybrIT processes personal data with the utmost care. Transparency is an essential part of that care. HybrIT considers it important that third parties and data subjects have insight into the way in which it uses personal data and the underlying reasons. This is why it has drawn up this statement. If you have any questions or comments after reading this statement, please contact HybrIT. Obviously, this also applies if you wish to exercise one of the rights described below or if you have a complaint. The full address and name of the contact can be found at the bottom of this statement.
Who exactly is HybrIT?
HybrIT is regarded as the controller of the personal data. It is registered with the Chamber of Commerce under number 66475627, with its registered office at Rijnzathe 4 3454 PV in De Meern, can be contacted on telephone number +31 (0)30 227 31 97 and by email at firstname.lastname@example.org.
Does HybrIT have a Data Protection Officer?
HybrIT has not appointed a Data Protection Officer. It has, however, appointed an employee who is the first point of contact with respect to privacy and personal data. It is Mr. T. Heuring. The full address is given at the bottom of this statement.
Which personal data does HybrIT process and why?
HybrIT processes different types of personal data, for different reasons. The data it processes are Identification Data (name, email address, contact person, telephone number, Chamber of Commerce number), Location data (postal and/or business address), and Financial data (bank account number, payment details). The first main objective of this processing is to conclude an agreement with the customer. To do this, HybrIT and the customer must be able to communicate with each other. Consider, for example, identifying the customer’s wishes and preparing an offer. The second main objective is to implement the agreement that has been concluded. Consider, for example, regular consultations regarding the progress. The third main objective is to facilitate invoicing of the activities and/or the provision of services, as well as payment (and collection if necessary). The final main objective is to inform the customer about developments that may be relevant to him or her.
Is HybrIT allowed to process that data?
HybrIT processes personal data if this is necessary for concluding or performing an agreement with a customer and/or a supplier. This is the case, for example, when a quotation is requested, when an order is placed, or when HybrIT places an order. Furthermore, HybrIT processes personal data if its own interests justify this. This will be the case if it is reasonably impossible for HybrIT to perform its activities without processing such data. Finally, in some cases HybrIT (also) requests permission to use the data. Therefore, the legal bases for processing are:
- processing is necessary for the performance of an agreement to which the data subject is a party, or is carried out at the request of the data subject for the conclusion of an agreement.
- Processing is necessary for the representation of the legitimate interests of HybrIT (or a third party)
- The data subject has given his or her consent to the processing
With respect to category (ii), in all cases it concerns processing operations that are necessary for HybrIT to realise its services. It simply cannot carry out its activities, it cannot communicate, it cannot … etc. without using the customer’s personal data. Therefore, it has a legitimate interest in those processing operations. HybrIT believes that this interest should take precedence when weighed against the interest of the data subject. The reason for this is twofold. Firstly, the fact that HybrIT knows from experience that such processing operations do not normally give rise to objections. HybrIT therefore takes that as its starting point. Secondly, the fact that HybrIT does not retain the data for longer than necessary. Nevertheless, in order to respect the rights of the data subject to the extent possible, HybrIT only makes use of the data that is necessary to achieve the purpose.
With regard to category (iii), given consent may be withdrawn at any time without stating reasons.
Does that personal data also end up with others?
In some cases, HybrIT will share personal data with parties it collaborates with. These are so-called “processors”. HybrIT has concluded agreements with those processors. These serve to ensure that those processors (just like HybrIT) handle the data with care. For example, the agreement obliges the processor to ensure adequate security, to treat the data confidentially, and to destroy the data.
HybrIT does not intend to share personal data with parties other than processors. It anticipates that, at most, information will be shared with (another) employee of the customer or with parties who have a direct relationship with the customer in a few cases.
Will the personal data remain in Europe?
Within this context, reference is made to the European Economic Area (EEA). It consists of the EU countries, plus Norway, Liechtenstein, and Iceland. All countries that are not included are considered to be ‘third countries’. HybrIT does not transfer any personal data to third countries. In principle, therefore, personal data remains in Europe. If, in an exceptional case, there is a transfer to a ‘third country’, this will only be a country in respect of which it has been expressly established at European level that an adequate level of personal data security is guaranteed there.
How long will the data be retained?
HybrIT retains the data it collects for different periods of time, depending on the category of data and the manner in which it has been collected. The exact periods are included in the register of processing operations that HybrIT has set up.
HybrIT has in the first instance based the applicable periods on the statutory (minimum) periods. Consider the legal obligation to retain accounting information. Furthermore, HybrIT has also sought to follow the retention periods included in the PDPA Exemption Decree, where possible. For example, the customer’s contact data are subject to a retention period of a maximum of one year after the termination of the relationship between the parties. Finally, in determining the retention periods, HybrIT has been guided by its interests and those of its customers. For example, it may be important for both parties that documents containing (further) arrangements are kept for longer than two years. If such documents (e.g. email correspondence) contain personal data, this will also be retained.
With respect to the data collected via the cookies on the website, the retention periods as set out in the Cookie Statement (see elsewhere on this website) shall apply.
What rights do I have?
According to the law, you are a ‘data subject’, and data subjects have a number of specifically defined legal rights. You can submit a request with HybrIT to access, receive or modify your personal data or have it deleted. You may also object to the (further) processing of your data. If HybrIT processes your personal data on the basis of your consent, you may withdraw that consent at any time. For all these matters and other questions, please contact:
3454 PV De Meern
+31 (0)30 227 31 97
HybrIT will respond to your message within one month.
If you believe that HybrIT is acting in violation of applicable laws and regulations regarding personal data, you may lodge a complaint with the Dutch Data Protection Authority (Postbus 93374, 2509 AJ DEN HAAG).
Does HybrIT have an automated decision-making process?
There is no automated decision-making at HybrIT.
What else do I need to know?
- To protect your personal data, HybrIT has taken appropriate technical and organisational measures. A description thereof is also included in the register of processing operations. HybrIT periodically assesses whether these measures are still adequate.
- It will be necessary to amend this statement from time to time. HybrIT has the right to do so. We recommend you check this statement for any changes from time to time.
Version 1 d.d. 15-09-2020