1. General information
OLD AMSTERDAM BV (including its wholly and partially owned subsidiaries) (hereinafter referred to as “OABV”, “we”, “our”, “us”, “data controller” or the “Company”, and their cognates) respects the privacy of its customers, employees, co-workers, members and followers, and is committed to protecting the personal information that its data subjects share with it. We are fully transparent about our processing activities related to personal data. We may collect and use personal data when you use our work spaces, private offices and related office services at our facility locations (hereinafter referred to as the “Services”), apply for a position, are employed/hired by us, visit our offices, visit our websites or otherwise engage with us, and we describe our practices in this policy and notice.
Please read the following carefully to understand our practices regarding how we treat your personal data.
Data Controller and Data Processor: Old Amsterdam Business Centers B.V
Address: 1e Dorpsstraat 20, 3701HB Zeist, the Netherlands
Data Protection Officer (DPO): Mykola Zaika, Aleksandar Gacevski
Direct DPO Contact: firstname.lastname@example.org
2. Applicable regulation and supervisory authority
- The General Data Protection Regulation, EU 2016/679 (GDPR)
OABV continually strives to follow the principles of the GDPR, which are based on legitimate processing of personal data, processing that has a definite purpose, and avoiding over-processing/excessive processing, whilst maintaining the integrity of personal data and ensuring their secrecy and non-disclosure to unauthorized persons.
Autoriteit Persoonsgegevens, Address: PO Box 93374, 2509 AJ, DEN HAAG
Phone number: +31708888500
3. Reason for creation of this policy
- is aware about the importance of the GDPR and protecting the privacy of the data subjects
- has implemented numerous technical and organizational measures and controls in order to maintain the established level of protection of personal data / personal identifiable information
- is open and transparent to the data subjects whose data are being processed
- continuously raises awareness among its staff regarding the processing of personal data
- acts proactively in terms of protecting the privacy of the data subjects by the principle ‘Privacy by Design’ that the GDPR promotes.
4. Definitions and terms used in this policy
Privacy is a fundamental human right that implies protection against unnecessary disclosure of one’s identity. Privacy is closely linked to one’s physical security and freedom.
Personal Data / Personal Identifiable Information (PD or PII) is information that refers to an identified or identifiable natural person, that is, a person whose identity can be determined directly or indirectly, based only on the unique ID number of the citizen or based on one or more characteristics specific to his physical, mental, economic, cultural or social identity. The following categories of data are treated as personal: name, surname, address, date of birth, citizen’s ID number, ID card number, passport number, photo ID, telephone number, email address and other data through which the person’s identity can be directly or indirectly revealed.
Processing of personal data means an operation or set of operations performed on personal data by manual, automated, electronic or other means, such as: collection, recording, organizing, structuring, storing, adapting or changing, retrieving, consulting, use, disclosure by transferring, posting or otherwise making available, combining, blocking, deleting or destroying.
A data subject is a natural person whose personal data is processed by OABV.
A User may be either an entity, for example an employer which has executed an agreement with OABV (“Customer”) or a Customer’s users, for example a Customer’s employees, of the Services (“End User(s)”) (Customer and End User and any others with respect to whom we collect personal data, shall collectively be referred to as “Users” or “you”).
A data processing agreement (DPA) is a legally binding document to be entered into between the controller and the processor in writing or in electronic form. It regulates the particularities of data processing – such as its scope and purpose – as well as the relationship between the controller and the processor.
Controller of personal data (Data Controller / Controller) is a natural or legal person, body of state authority or other body, which independently or together with others determines the purposes and the manner of personal data processing. OABV has in some cases the role of Data Controller (for example: staff, applicants).
Processor of personal data (Data Processor / Processor) is a natural or legal person or a government authority which processes personal data on behalf of the Data Controller. The data processor processes the data in accordance with the applicable legislation, as well as in accordance with the guidelines and instructions obtained in the DPA signed with the Controller. In case of existence of a sub-processor, the Processor is obliged to inform the Controller, and to conclude with the sub-processor a DPA where the rights and obligations of the Processor are transferred/shared in relation to the Controller. OABV in some cases acts as a data processor (for example: clients’ PII where in this case clients are data controllers).
Sub-processor of personal data (Sub-Processor) is a natural or legal person or authorized state agency that processes personal data on behalf of data processor and the data controller. The Sub-Processor shall process the data in accordance with the applicable legislation, as well as in accordance with the guidelines and instructions obtained in the DPA concluded with the Processor. OABV in some cases acts as a sub-processor of personal data.
Data Protection Officer (DPO) is a person appointed by OABV in order to implement and continuously maintain the level of compliance of OABV with the regulations in the field of data protection. The DPO reports directly to the highest management body of OABV. The DPO should have relevant knowledge in the field of personal data protection, act independently and act as part of a team of DPOs. In order to allow the DPO to act and deliver its opinion in a timely manner, DPO should be involved in OABV’s activities in a timely manner (for example, involved in projects, information risk analysis, recruitment process in coordination with HR and other processes that are in any way connected to processing of personal data).
Special categories of personal data (sensitive data) are personal data that reveal racial or ethnic origin, political, religious, philosophical or other beliefs, union membership, and data on human health, including genetic data, biometrics data or data relating to sex life.
Data registry is a structured set of personal data that is accessible according to specific criteria, whether centralized, decentralized or disseminated on a functional or geographical basis.
Authorized staff are staff/personnel engaged by the Controller who have authorized access to documents containing PII and who have access to information systems where PII is being processed.
The General Data Protection Regulation, EU 2016/679 (GDPR or Regulation) is a European legal framework whose primary purpose is to enhance and unify the protection of privacy, personal data and their complete processing. It is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also refers to the transfer of personal data outside the EU and EEA areas.
Dutch data protection authority (Autoriteit Persoonsgegevens) is a regulatory body of state authority whose role is to ensure the right of privacy of data subjects.
A data protection impact assessment (DPIA) is a privacy-related impact assessment whose objective is to identify and analyze how data privacy might be affected by certain actions or activities.
Direct marketing is any form of communication made in any way for the purpose of sending advertising, marketing or propaganda material that is directed directly to a particular subject of personal data.
Cookies are text files that the web browser stores on the user’s device and that websites use to authenticate, to preserve information / preferences for the website, and to keep other browsing information that can help the web browser while accessing certain web servers.
5. Why is OABV collecting and processing personal data?
Under GDPR, there are six different legal bases under which personal data can be processed. OABV uses a few of them, and these are briefly described below:
OABV will collect and process personal data with a statement of consent from data subjects. This consent can be revoked at any time. Please note that we will try not to use your consent as legal grounds whenever we can.
Performance of a Contract / Service Agreement
In case personal data is required to fulfil a legal contract / service agreement with the data subject, or to take necessary steps at the request of those concerned prior to entering into the contract / service agreement, explicit consent is not required.
- When OABV acts as Data Controller, it is required to collect and process the data subject’s personal data in order to comply with legal obligations such as the EU member state’s employment or taxation legislation. Examples of those purposes are tax and financial documents and health and safety protocols.
- If processing specific personal data is in the legitimate interest of OABV and a proportionality assessment determines that it is not overridden by the interests or fundamental rights and freedoms of the data subject, then this may be defined as a lawful basis for processing. Possible uses are monitoring, access control (for safety purposes), conducting background criminal checks of personnel, storing the feedback of interviews with applicants (to maintain quality and consistency of our recruitment process) and cookies on the website (to analyze website usability).
6. Processing of personal data within OABV
We aim to follow the GDPR principle “privacy by design”, to minimize the amount of processed personal data and to process personal data only to the extent necessary to perform the operations related to our Services.
How do we collect personal data?
The personal data may be collected via online forms or legal contracts / service agreements with the Users.
OABV also collects Personal Data through the use of CCTV cameras and members’ site access cards. This may consist of video images of you in the public spaces at OABV offices, as well as records of your entrances and exits of the OABV buildings and office floors.
OABV may not be aware of the nature of the information collected through the Services (for example, through CCTV), and such information may include sensitive or special categories of Personal Data, but we do not knowingly collect such data about our Users, members, site visitors etc (“Sensitive Information”).
The CCTV system will not be used in a way that can reveal the biometric footprints of the data subject and the Users.
The personal data we collect and process may be stored both on paper documents and digitally on internal servers or cloud services like Microsoft O365.
Minors Personal Data
We do not knowingly collect or solicit information or data from children under the age of 16 or knowingly allow children under the age of 16 to register for OABV services. If you are under 16, do not register or attempt to register for any of the OABV Services or send any information about yourself to us. If we learn that we have collected or have been sent Personal Data from a child under the age of 16, we will delete that Personal Data as soon as reasonably practicable without any liability to OABV. If you believe that we might have collected or been sent information from a minor under the age of 16, please directly contact the DPO as soon as possible.
7. Securing personal data and breach notification
Article 32 of the GDPR concerns security of processing. OABV is committed to ensuring an appropriate level of information security by following the principle of providing confidentiality, integrity and availability to all information assets including the PII.
We take great care in implementing, enforcing and maintaining the security of the personal data we process. OABV implements, enforces and maintains security measures and technologies, and enforces policies, to prevent the unauthorized or accidental access to or destruction, loss, modification, use or disclosure of personal data. We likewise take steps to monitor compliance with such policies on an ongoing basis. Where we deem it necessary in light of the nature of the data in question and the risks to data subjects, we may encrypt data. Likewise, we take industry standard steps to ensure our website and application are safe.
Note however, that no data security measures are perfect or impenetrable, and we cannot guarantee that unauthorized access, leaks, viruses and other data security breaches will never occur.
OABV shall act in accordance with its policies to promptly notify the relevant authorities and data subjects in the event that any personal data processed by OABV is lost, stolen, or where there has been any unauthorized access to it, all in accordance with applicable law and on the instructions of qualified authority. OABV shall promptly take reasonable remedial measures.
In case of a security incident linked to the compromise, loss or disclosure of personal data to unauthorized persons, OABV, if it holds contact details of the data subjects involved in the breach, shall inform the data subjects and/or other concerned parties about the incident.
In case the compromised personal data is from the Controller, OABV shall inform the Controller about the breach not later than 72 hours after OABV became aware of the existence of the incident.
If it is a large-scale data breach, OABV shall notify by a public announcement or an appropriate posting on its website or other public media, not later than 72 hours after OABV became aware of the existence of the incident.
8. Transferring personal data
We may transfer your personal data outside of the EU/EEA, in order to:
- Store or backup the information
- Enable us to provide you with the Services and fulfil our contract with you
- Fulfill any legal, audit or compliance obligations which require us to make that transfer
- Facilitate the operation of our group businesses, where it is in our legitimate interests and we have concluded these are not overridden by your rights
- Serve our customers across multiple jurisdictions; and
- Operate the parent company, subsidiaries and affiliates in an efficient and optimal manner.
9. Data Retention
OABV and its staff are fully aware of the GDPR principles and about the obligations related to data retention. The Company manages multiple data sets that are organized in the form of a Data Registry.
OABV is the Data Controller of multiple data sets. Each data set may have a different data retention schedule and retention period, depending on the purpose of processing as well as on the obligations arising between the Controller and the data subjects.
Upon fulfillment of the purpose of processing or after the expiry of the retention period of the PII, the records containing PII shall be destroyed in accordance with OABV’s internal policies and procedures. Such destruction of records and PII must be conducted in a manner that does not allow the PII to be further used or reconstructed. This applies not only to personal data stored in digital/electronic form but also to PII stored as hard copy documents.
10. Data subject rights
One of the main objectives of OABV regarding processing of PII is to be as proactive and transparent to the data subjects as it possibly can.
The rights of data subjects regarding their privacy and the legality of processing their PII are according to Articles 13, 14 and 15 of the Regulation and are the following:
- Right to object to non-compliance in data processing
- Right for correction of personal data
- Right to restrict processing
- Data portability
- Right to access personal data
Such requests may be addressed directly to the DPO’s email, where they will be further processed.
11. Profiling, machine learning and automated decision making
OABV does not perform profiling, machine learning or automated decision making on data subjects for any purpose.
12. Direct marketing
OABV may conduct direct marketing only to data subjects who have given their consent for this specific purpose.
Cookies are small text files placed on the user’s device by our web server via the user’s browser. Cookies may stay on your computer after you finish browsing our page, close your browser or shut down your computer.
All web browsers can be configured to decline cookies or clear them upon request. This will not affect your browsing experience (since we are not using them to personalize your experience, track your shopping or involve you in any marketing-related activities).
OABV does not use cookies to track users when they leave the website. We do not try to identify users, offer any extra services, or capture e-mail addresses or any other personal data.