GDPR: your privacy and data

This page can only be edited by the Data Protection Officer

As an organization, we deal with the data regarding our customers and external relationships, but also with the data regarding us as colleagues. We treat your data with great care, and it is important to know the following.

Employee Files

Every colleague has an employee file in GoogleDrive. You can access your own file upon request. Only roles that absolutely need to have access to these files. The energizer(s) of these role(s) are bound by a confidentiality obligation from the GDPR/ AVG.

So, what do we store? Your citizen service number, a copy of your identification document, your application details, salary details, an overview of leave, frequency of absenteeism (no medical details), and an employer's declaration. And if applicable: formal documents from the occupational health and safety service and (legal) documents in case of an official warning.

Some personal data may not be recorded and we certainly do not do that. For example, information about a person's race, political affiliation, sexual orientation, religion, and trade union membership do not belong in the personnel file. It is also forbidden to include medical data.

At the Spindle office, we don’t store any physical papers in a cabinet.

At the Voys office, there is a Human Capital cabinet which is locked, containing employee data. This cabinet has an archive from the past and will be cleared up: current data will be digitized while other data that is no longer required to store will be destroyed.

Lawfulness of processing

Personal data may only be processed if we have a legal basis for doing so. We rely on the following bases for processing personal data of employees:

  • The colleague has given permission for the processing of personal data;
  • The processing is necessary for the performance of the (employment) contract entered into with the colleague;
  • The processing is necessary to comply with legal obligations;
  • The processing is necessary for the protection of our legitimate interests in the proper and efficient conduct of business within the organisation.

For example, Spindle and Voys have a legal obligation to keep a record of sick days of employees to facilitate the payment of statutory sick pay. Another example would be the need to process employees’ bank account details so that they can be paid. This constitutes a necessity for the performance of a contract.

We collect and use your personal data only for the purposes for which the personal data has been provided to us and thus to the extent necessary for the performance of the employment and related purposes.

The purposes for which we process your personal data can be described as follows:

  • Recruiting and selecting internal and external candidates for an open vacancy;
  • Enabling proper business operations by creating personal (company) accounts with which the employee can work and communicate internally and externally;
  • Paying salaries and declarations;
  • The provision of company property;
  • Assessing the performance of employees;
  • Recording sick and leave days;
  • Granting dismissal;
  • Participating in a pension scheme;
  • Executing agreements included in the employment contract or otherwise agreed upon with the employee.

Data subject rights

Employees have already had many existing rights when it comes to having their data stored by their employer. The advent of GDPR expands these rights, introduces some new ones, and increases the penalties for employers who fail to comply.

Employees have the following rights under data regulations:

  1. the right to be informed, which encompasses the obligation of employers to provide transparency as to how personal data will be used;
  2. the right of access to the data that your employer holds on you;
  3. the right to rectify data that is inaccurate or incomplete;
  4. the right to delete data your employer holds on you;
  5. the right to block or suppress processing of personal data, under certain circumstances;
  6. the right to data portability which allows employees to obtain and reuse their personal data for their own purposes across different services, again under certain circumstances.

Processing of personal data by third parties

By law, we are obliged to provide certain personal data of employees to third parties. This provision to third parties has the following purposes:

  • Employee data are provided to the Belastingdienst (Tax Authorities) in order to comply with legislation on the levying of taxes.
  • Personal data are provided to pension funds and other institutions and organisations associated with them in order to implement the pension scheme included in the employment contract.
  • Sickness and recovery reports are passed on to GOED and Nationale Nederlanden in order to provide support in absenteeism cases.
  • In the event of dismissal due to illness and in the event of maternity leave, employee data are passed on to the UWV in connection with obtaining a (temporary) benefit. The UWV is provided with name and address details and the BSN.

We may also share personal data with third parties for which there is no legal obligation. These data are shared in a careful manner and only if we can rely on a lawful basis on processing. For example, we may share your details when providing you with a fitness subscription from Plaza Sportiva, when offering you a lease car through a lease company, when offering you a company massage or a company bicycle, or when providing your address details when sending you a present.

Do you object to the provision of this last category of third parties? Then please let us know. In such cases, you will have to take care of these facilities yourself if you want to make use of them.

Finally, we use external parties to process employee data on our behalf. These include, but are not restricted to, Nmbrs, PandaDoc, Appical and Verzuimsignaal. We make agreements with these parties about the conditions under which they may process your personal data. These agreements are recorded in a data processor agreement.

Pictures and videos

We like to share our stories and knowledge with the world. This is why we prefer to use pictures of actual colleagues instead of stock photos on our websites and in marketing and social media campaigns.

If you leave us, we will delete your profile on our websites. We will also try our best to avoid using your pictures on new marketing or social media campaigns. If you see a photo you don't like, please let the @Photo hero (Agency) know.


At Voys we use pool cars. You can reserve these cars, ask the Fleetcaptain for more information. Please be aware that the pool car has a track and trace system.  This enables us to keep a log of the kilometres that the company has to keep for the tax authorities.


It is important to us that the data of our employees is properly protected. For this reason, we have taken security measures to protect the data. These include measures such as physical access protection, passwords and firewalls on our computers, as well as rules that apply to all employees with regard to confidentiality.

Information regarding colleagues, customers and partners with whom we do business is only visible to you if this is necessary to carry out your daily work.

By working at our company, you are required to keep all data that is provided confidential. This is also explained in the non-disclosure agreement that you have signed. If you handle (confidential) customer data, information about partners and/or employees you must also submit a VOG. Depending on the activities to be performed, stricter requirements may apply to the VOG to be submitted.

Clear screen & clear desk policy

We work a lot with confidential data of customers and employees. To protect this data and to prevent the risk of misuse of this data, we apply a Clear Screen and Clear Desk Policy.

Clear Screen

  • Whether you work at the office or from another location (e.g. your home office), as long as you have access to an internet connection, you always work from a secure network environment.
  • Documents with confidential data are normally saved directly within this secure network environment and not on the desktop of your laptop.
  • You are responsible for providing your laptop with a strong password. See the
    Am I Secure Checklist
  • You are responsible for ensuring that you work in a safe place, where third parties cannot view the screen without your knowledge.
  • You lock your screen when you leave your workplace. To be on the safe side, the screen is automatically locked after three minutes of inactivity. See the
    Am I Secure Checklist
  • The printers in the offices at Lübeckweg 2 all have a cable attached to them, so you have to be at the printer when you print. This makes sure we don’t leave any documents in the printer by accident thus leaking it. The cable also increases the change of a printer actually working 😈

Clear desk

  • You only have documents on your desk that you need at that moment to carry out your work. When temporarily leaving the workplace, you ensure that no confidential documents are in sight. When you leave the workplace at the end of the day, you either store confidential documents carefully, in the appropriate place, or you destroy them.

Check in

We use Proxyclick to register who has been in the office. At the entrances of our offices, there is a tablet in which you can enter your name, or you scan the QR code with your phone, and then you are checked in.

Leaving the company

In the event that you leave us, you are required to return any provided data (including written and copies). If you take company property with you, all business information will be deleted by the security offboarder.

The employee agrees both during and after the term of the employment contract not to disclose to third parties in any way whatsoever any particulars relating to:

  1. the business of the employer or any company affiliated with the employer which he/she knows or may suspect could harm the interests of the employer and/or those affiliated companies; or
  2. matters in respect of which the employer has imposed secrecy. These obligations also apply to any matters concerning the employer or relations of the employer or the employer’s affiliates.

All items of property that the employer has made available to the employee are and remain the employer’s property. All items the employer has made available to the employee must be immediately returned to the employer without the employer having to request them after the termination of the employment contract or earlier if circumstances deem this necessary, for example in the event that the items are no longer being used for business purposes.

Retention period

Personal data shall not be stored or processed any longer than necessary for the purposes for which it was collected. The retention period can differ per (category of) personal data.

The personal data of (former) employees are removed no later than 2 years after the end of the employment unless they are still needed at that moment to meet a legal obligation resting upon us. For example, data concerning salary is kept for a longer period of time, namely at least 7 years, due to applicable tax legislation.

With the applicant's consent, we will retain the personal data of job applicants for a maximum of 1 year, unless the applicant enters into employment with us. If an applicant does not give us permission, the applicant's personal data will be deleted within 4 weeks after the end of the application procedure.

Data Protection Officers (DPOs)

What should you know about the Data Protection Officer? The primary role of the data protection officer (DPO) is to ensure that the organization processes the personal data of its staff, customers, providers, or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules.  Check Glassfrog to see who the current DPO is. If you have any questions after reading this privacy statement, please contact one of the DPOs.