As part of our commitment to maintaining the trust of our colleagues and protecting their personal information, we have created this internal privacy policy. This policy outlines how we collect, use, share and protect your personal data within our organization. If you have any question about this policy, please feel free to reach out to the Data Protection Officer.

• Lawfulness of processing
• Processing of personal data by third parties
• Employee Files
• Pictures and videos
• Security
• Clear screen & clear workspace policy
• Clear Screen
• Clear workspace
• Check in
• Leaving the company
• Retention period
• Data subject rights
• Data Protection Officers (DPOs)

Lawfulness of processing

Personal data may only be processed if we have a legal basis for doing so. We rely on the following bases for processing personal data of employees:

• The colleague has given permission for the processing of personal data;
• The processing is necessary for the performance of the (employment) contract entered into with the colleague;
• The processing is necessary to comply with legal obligations;
• The processing is necessary for the protection of our legitimate interests in the proper and efficient conduct of business within the organisation.

For example, Voys has a legal obligation to keep a record of sick days of employees to facilitate the payment of statutory sick pay. Another example would be the need to process employees’ bank account details so that they can be paid. This constitutes a necessity for the performance of a contract.

We collect and use your personal data only for the purposes for which the personal data has been provided to us and thus to the extent necessary for the performance of the employment and related purposes.

In our data processing register, it can be found what data we process for which purpose and under which lawful basis.

Processing of personal data by third parties

By law, we are obliged to provide certain personal data of employees to third parties. This provision to third parties has the following purposes:

• Employee data are provided to the Belastingdienst (Tax Authorities) in order to comply with legislation on the levying of taxes.
• Personal data are provided to pension funds and other institutions and organisations associated with them in order to implement the pension scheme included in the employment contract.
• Sickness and recovery reports are passed on to GOED and ASR in order to provide support in absenteeism cases.
• In the event of dismissal due to illness and in the event of maternity leave, employee data are passed on to the UWV in connection with obtaining a (temporary) benefit. The UWV is provided with name and address details and the BSN.

We may also share personal data with third parties for which there is no legal obligation. These data are shared in a careful manner and only if we can rely on a lawful basis on processing. For example, we may share your details when providing you with a fitness subscription from Plaza Sportiva, when offering you a lease car through a lease company, when offering you a company massage or a company bicycle, or when providing your address details when sending you a present.

Do you object to the provision of this last category of third parties? Then please let us know. In such cases, you will have to take care of these facilities yourself if you want to make use of them.

Finally, we use external parties to process employee data on our behalf. These include, but are not restricted to, Nmbrs, PandaDoc, Appical and Verzuimsignaal. We make agreements with these parties about the conditions under which they may process your personal data. These agreements are recorded in a data processing agreement.

Employee Files

Every colleague has an employee file in NMBRS. You can access your own file upon request. Only roles that absolutely need to have access to these files. The energizer(s) of these role(s) are bound by a confidentiality obligation from the GDPR.

So, what do we store? Your citizen service number, a copy of your identification document, your application details, salary details, an overview of leave, frequency of absenteeism (no medical details), and an employer's declaration. And if applicable: formal documents from the occupational health and safety service and (legal) documents in case of an official warning.

Some personal data may not be recorded and we certainly do not do that. For example, information about a person's race, political affiliation, sexual orientation, religion, and trade union membership do not belong in the personnel file. It is also forbidden to include medical data.

At the Voys office, there is a Human Capital cabinet which is locked, containing employee data. This cabinet has an archive from the past and will be cleared up: current data will be digitized while other data that is no longer required to store will be destroyed.

Pictures and videos

We like to share our stories and knowledge with the world. This is why we prefer to use pictures of actual colleagues instead of stock photos on our websites and in marketing and social media campaigns.

If you leave us, we will delete your profile on our websites. We will also try our best to avoid using your pictures on new marketing or social media campaigns. If you see a photo you don't like, please let the @Photo hero (Agency) know.

Security

It is important to us that the data of our colleagues is properly protected. For this reason, we have taken security measures to protect the data. These include measures such as physical access protection, passwords and firewalls on our computers, as well as rules that apply to all employees with regard to confidentiality.

Information regarding colleagues is only visible to other colleagues if this is strictly necessary to carry out their daily work.

By working at our company, you are required to keep all data that is provided confidential. This is also explained in the non-disclosure agreement that you have signed. If you handle (confidential) customer data, information about partners and/or employees you must also submit a Certificate of Conduct (VOG in Dutch). Depending on the activities to be performed, stricter requirements may apply to the VOG to be submitted.

Clear screen & clear workspace policy

We work a lot with confidential data. To protect this data and to prevent the risk of misuse of this data, we apply a Clear Screen and Clear Workspace Policy.

Clear Screen

• Whether you work at the office or from another location (e.g. your home office), as long as you have access to an internet connection, you always work from a secure network environment.
• Documents with confidential data are normally saved directly within this secure network environment and not on the desktop of your laptop.
• You are responsible for providing your laptop with a strong password. See the ✅Am I Secure Checklist
• You are responsible for ensuring that you work in a safe place, where third parties cannot view the screen without your knowledge.
• You lock your screen when you leave your workplace. To be on the safe side, the screen is automatically locked after three minutes of inactivity. See the ✅Am I Secure Checklist
• The printers in the offices at Lübeckweg 2 all have a cable attached to them, so you have to be at the printer when you print. This makes sure we don’t leave any documents in the printer by accident thus leaking it. The cable also increases the change of a printer actually working 😈

Clear workspace

The following rules apply not only to your desk, but to the entire workspace:

• When temporarily leaving the workplace (wherever that may be), you ensure that no confidential documents are in sight.
• When you leave the workplace at the end of the day, you either store confidential documents carefully, in the appropriate place, or you destroy them. This also goes for information on the whiteboards or post-its after a meeting. These rules apply for all workspaces, so at home, in the office or on the beach.

Check in

We use Proxyclick to register who has been in the office. At the entrances of our offices, there is a tablet in which you can enter your name, or you scan the QR code with your phone, and then you are checked in.

More on ✔️Check-in @ the office-proxyclick

Leaving the company

In the event that you leave us, you are required to return any provided data (including written and copies). If you take company property with you, all business information will be deleted by the Hardware Inventory Manager.

The employee agrees both during and after the term of the employment contract not to disclose to third parties in any way whatsoever any particulars relating to:

1. the business of the employer or any company affiliated with the employer which he/she knows or may suspect could harm the interests of the employer and/or those affiliated companies; or
2. matters in respect of which the employer has imposed secrecy. These obligations also apply to any matters concerning the employer or relations of the employer or the employer’s affiliates.

All items of property that the employer has made available to the employee are and remain the employer’s property. All items the employer has made available to the employee must be immediately returned to the employer without the employer having to request them after the termination of the employment contract or earlier if circumstances deem this necessary, for example in the event that the items are no longer being used for business purposes.

Retention period

Personal data shall not be stored or processed any longer than necessary for the purposes for which it was collected. The retention period can differ per (category of) personal data.

The personal data of (former) employees are removed no later than 2 years after the end of the employment unless they are still needed at that moment to meet a legal obligation resting upon us. For example, data concerning salary is kept for a longer period of time, namely at least 7 years, due to applicable tax legislation.

With the applicant's consent, we will retain the personal data of job applicants for a maximum of 1 year, unless the applicant enters into employment with us. If an applicant does not give us permission, the applicant's personal data will be deleted within 4 weeks after the end of the application procedure.

In our data processing register, it can be found what the exact retention periods are for your personal data.

Data subject rights

As a colleague, you have the following rights regarding your personal data:

1. the right to be informed, which encompasses the obligation of employers to provide transparency as to how personal data will be used;
2. the right of access to the data that your employer holds on you;
3. the right to rectify data that is inaccurate or incomplete;
4. the right to delete data your employer holds on you;
5. the right to block or suppress processing of personal data, under certain circumstances;
6. the right to data portability which allows employees to obtain and reuse their personal data for their own purposes across different services, again under certain circumstances.

If you are seeking to exercise any of the above rights, please contact the Data Protection Officer, so they can initiate the appropriate processes.

Data Protection Officers (DPOs)

What should you know about the Data Protection Officer? The primary role of the data protection officer (DPO) is to ensure that the organization processes the personal data of its staff, customers, providers, or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules.  Check Glassfrog to see who the current DPO is. If you have any questions after reading this privacy statement, please contact one of the DPOs.