1. General information
OLD AMSTERDAM BV (including its wholly and partially owned subsidiaries) (hereinafter referred as “OABV“, “we“, “our” , “us” , “data controller” or the “Company“, and their cognates) respects the privacy of its customers, employees, co-workers, members and followers, and is committed to protecting the personal information that its data subjects share with it. We are transparent about our practices regarding the information we may collect and use when you use the Services, apply for a position, are employed by us, visit our office sites, visit our websites or otherwise engage with us, and describe our practices in this policy and notice.
OABV provides open work spaces, private offices and related office services at its facility locations (hereinafter referred as the “Services“).
A User may be either an entity, for example an employer which has executed an agreement with OABV (“Customer“) or a Customer’s users, for example a Customer’s employees, of the Services (“End User(s)“) (Customer and End User and any others with respect to whom we collect personal data, shall collectively be referred to as “Users” or “you” or “Data Subjects”).
Please read the following carefully to understand our practices regarding your personal data and how we will treat it.
Data Controller and Data Processor: Old Amsterdam Business Centers B.V
Address: 1e Dorpsstraat 20, 3701HB Zeist, the Netherlands
Data Protection Officer (DPO): Mykola Zaika, Aleksandar Gacevski
Direct DPO Contact: firstname.lastname@example.org
2. Applicable regulation and supervisory authority
- The General Data Protection Regulation, EU 2016/679 (GDPR)
OABV continually strives to follow the principles of GDPR that are based on legitimate processing of personal data, processing that has a definite purpose, avoiding over-processing/excessive processing, whilst maintaining integrity of personal data and ensure their secrecy and disclosure to unauthorized persons.
Autoriteit Persoonsgegevens, Address: PO Box 93374, 2509 AJ, DEN HAAG
Phone number: +31708888500
3. Why are we processing personal data?
Under GDPR, there are six different legal bases under which personal data can be processed. OABV uses a few of them, and these are briefly described below:
OABV will collect and process personal data with statement of consent of data subjects. This consent can be revoked at any time. Please note, we will try not to use your consent as legal grounds, whenever we can.
Performance of a Contract
In case personal data is required to fulfil a legal contract with the data subject or to take necessary steps at the request of those concerned prior to entering into the contract, the explicit consent is not required.
We will use personal data to provide and improve the Services and meet our contractual, ethical and legal obligations, including for example:
- carrying out our obligations arising from any contracts entered into between you and OABV and/or any contracts entered into between a Customer and OABV and to provide you with the information, products and Services that you request from OABV;
- administering your account with OABV including to identify and authenticate your access to the parts of the Services that you are authorized to access.
- verifying and carry out financial transactions in relation to payments you make in connection with the Service;
- contacting you to inform you of additional services and locations which may be of interest to you;
- compliance and audit purposes, such as meeting our reporting obligations in our various jurisdictions, and for crime prevention and prosecution in so far as it relates to our staff, members, facilities etc;
- for security purposes and to identify and authenticate your access to the parts of the Services and our application that you are authorized to access.
- notifying you about changes to our Service;
- contacting you for the purpose of providing you with technical assistance and other related information about the Service;
- replying to your queries, troubleshooting problems, detect and protect against error, fraud or other criminal activity;
- contacting you to give you information about events or promotions or additional Services offered by OABV, including in other locations;
- soliciting feedback in connection with your use of the Services;
- tracking use of OABV facilities and services to enable us to optimize and improve our services;
4. Data registries and storage
We aim to minimize the amount of processed personal data and to process only to the extent necessary to perform the operations that might require the following categories of personal data:
- Name, surname, contact information like email or phone, business area.
How we collect personal data?
The data may be collected via online forms or legal contracts with the Users.
OABV also collects Personal Data through the use of CCTV cameras and members’ site access cards. This may consist of video images of you in the public spaces at OABV offices, as well as records of your entrances and exits of the OABV buildings and office floors.
OABV may not be aware of the nature of the information collected through the Services (for example, through CCTV), and such information may include sensitive or special categories of Personal Data, but we do not knowingly collect such data about our Users, members, site visitors etc (“Sensitive Information”).
The User’s personal data may be stored both on paper documents and digitally on internal servers or cloud services like Microsoft O365.
Minors Personal Data:
We do not knowingly collect or solicit information or data from children under the age of 16 or knowingly allow children under the age of 16 to register for OABV services. If you are under 16, do not register or attempt to register for any of the OABV Service or send any information about yourself to us. If we learn that we have collected or have been sent Personal Data or from a child under the age of 16, we will delete that Personal Data as soon as reasonably practicable without any liability to OABV. If you believe that we might have collected or been sent information from a minor under the age of 16, please contact us at email@example.com , as soon as possible.
5. Security and breach notification
We take a great care in implementing, enforcing and maintaining the security of the personal data we process. OABV implements, enforces and maintains security measures, technologies and policies to prevent the unauthorized or accidental access to or destruction, loss, modification, use or disclosure of personal data. We likewise take steps to monitor compliance of such policies on an ongoing basis. Where we deem it necessary in light of the nature of the data in question and the risks to data subjects, we may encrypt data. Likewise, we take industry standard steps to ensure our website and application are safe.
Note however, that no data security measures are perfect or impenetrable, and we cannot guarantee that unauthorized access, leaks, viruses and other data security breaches will never occur.
OABV shall act in accordance with its policies to promptly notify the relevant authorities and data subjects in the event that any personal data processed by OABV is lost, stolen, or where there has been any unauthorized access to it, all in accordance with applicable law and on the instructions of qualified authority. OABV shall promptly take reasonable remedial measures.
In case of a security incident linked to the compromise, loss or disclosure of personal data to unauthorized persons, OABV, if owns contact details of the data subjects involved in the breach, shall inform the data subjects and/or other concerned parties about the incident.
In case the compromised personal data is from the Controller, OABV shall inform the Controller about the breach not than 72 hours after OABV was aware of the existence of the incident.
If it is a large-scale data breach, OABV shall notify by a public announcement or an appropriate posting on its website or other public media, not later than 72 hours after OABV was aware of the existence of the incident.
This obligation is included in the DPAs signed between OABV and the Controllers / Processors.
6. Transfer of personal data to third countries
We may transfer your personal data outside of the EU/EEA, in order to:
- Store or backup the information;
- Enable us to provide you with the Services and fulfil our contract with you;
- Fulfill any legal, audit or compliance obligations which require us to make that transfer;
- Facilitate the operation of our group businesses, where it is in our legitimate interests and we have concluded these are not overridden by your rights;
- To serve our customers across multiple jurisdictions; and
- To operate parent company, subsidiaries and affiliates in an efficient and optimal manner.
7. Data Retention
Upon fulfillment of the purpose of processing or after the expiry of data retention of personal data where OABV is in the role of Controller, they shall be destroyed in accordance with the Data Retention Policy that is being previously defined by authorized persons in OABV in a manner that does not allow them to be further use or reconstruct. This applies not only to personal data stored in digital/electronic form but also to PD stored as hard copy documents.
Only authorized persons of OABV may process data registries obtained from other Controllers and Processors.
8. Data subject rights
Data subjects have rights under the GDPR and local laws, including, in different circumstances, rights to data portability, rights to access data, rectify data, object to processing, and erase data. It is clarified for the removal of doubt, that where personal data is provided by a customer being the data subject’s employer, such data subject rights will have to be effected through that customer. In addition, data subject rights cannot be exercised in a manner inconsistent with the rights of OABV employees and staff, with OABV proprietary rights, and third party rights. As such, job references, reviews, internal notes and assessments, documents and notes including proprietary information or forms of intellectual property, cannot be accessed or erased or rectified. In addition, these rights may not be exercisable where they relate to data that is not in a structured form, for example emails, or where other exemptions apply. If processing occurs based on consent, data subjects may have a right to withdraw their consent
If, for any reason, a data subject wishes to modify, delete or retrieve their Personal Data, they may do so by contacting OABV at firstname.lastname@example.org .Note that OABV may have to undertake a process to identify a data subject exercising their rights. OABV may keep details of such rights exercised for its own compliance and audit requirements. Please note that Personal Data may be either deleted or retained in an aggregated manner without being linked to any identifiers or Personal Data, depending on technical commercial capability. Such information may continue to be used by OABV.
9. Profiling, machine learning and automated decision making
OABV does not perform profiling, machine learning nor automated decision making on data subjects for any purpose.
10. Direct marketing
OABV may conduct direct marketing only to persons who have signed a Statement of Consent for Direct Marketing in accordance with the Applicable Regulation.
Cookies are small text files placed on your device by our web server via your browser. Cookies may stay on your computer after you finish browsing our page, close your browser or shut down your computer.
All web browsers can be configured to decline cookies or clear them upon request. This will not affect your browsing experience (since we are not using them to personalize your experience, track your shopping or involve you in any marketing-related activities).