Privacy

ARTICLE 1: DEFINITIONS

Personal data
Any information relating to an identified or identifiable natural person (‘data subject’);

Processing of personal data
Any operation or set of operations involving personal data, including in any case the collection, recording, organisation, storage, adaptation, modification, retrieval, consultation, use, provision by means of transmission, dissemination or any other form of making available, bringing together, linking, as well as blocking, erasure or destruction of data;

File
Any structured set of personal data, whether centralised or dispersed in a functional or geographical manner, accessible according to certain criteria and relating to different individuals;

Controller
The natural person, legal entity or any other person who, alone or jointly with others, determines the purposes and means of processing personal data;

Data Subject
The natural person to whom the personal data processed relates;

Processor
The person who processes personal data on behalf of the controller, without being subject to its direct authority;

Recipient

The person to whom personal data are disclosed; Third Party Any person other than the data subject, the controller, the processor or any person authorised under the direct authority of the controller or the processor to process personal data;

Consent of the data subject
Any freely given, specific and informed expression of will by which the data subject accepts the processing of personal data concerning him/her. Disclosure of personal data Disclosing or making available personal data;

Collection of personal data
Obtaining personal data.

Article 2: Scope of application

These regulations apply to any processing of personal data of data subjects by processing controller, automated or otherwise. These privacy regulations are an elaboration of the European privacy regulations and are an elaboration of Article 13 and 14 of the AVG and can also serve as a practical guide for data subjects and processing controller.

ARTICLE 4 – PROCESSING MANAGEMENT RESPONSIBILITY AND LIABILITY

4.1 The controller is responsible for the proper functioning of the processing and management of the data; under the controller’s responsibility, an administrator is usually charged with the actual management of the personal data.

4.2 The controller shall ensure that appropriate technical and organisational measures are implemented to protect against any loss or any form of unlawful processing of data.

4.3 The responsibility referred to in paragraph 1 and the provisions of paragraph 2 apply without prejudice if the processing is carried out by a processor.

4.4 The controller is liable for any damage or disadvantage caused by non-compliance with the requirements of the law or these regulations. The processor shall be liable for such damage or disadvantage to the extent that it/they have been caused by his/her actions.

ARTICLE 5: ACCESS, PROVISION AND PROCESSING OF PERSONAL DATA

5.1 Access to personal data

5.1.1 Within the organisation of the controller, only the following shall have access to personal data:

• the persons working for processing controller to the extent necessary for the proper performance of their duties. Annex II contains an overview of which persons have access to which personal data of data subjects.
  5.1.2 Outside the organisation of the controller (and processors engaged by it), only the recipients/third parties hired or otherwise appointed by the controller in the context of the performance of the agreement with the controller have access to the personal data.

5.2 Provision of personal data
5.2.1 Processor shall process personal data only in accordance with the purposes specified in Article 3.
5.2.2 The Processor will not provide personal data to third parties except for the grounds set out in Article 3, unless the data subject has expressly and unambiguously consented to this, or the data may be provided on the basis of a statutory basis, or the Processor is otherwise obliged by law to provide this data.
5.2.3 Under no circumstances shall Processor further process/provide the personal data than stipulated above. If the personal data are processed/provided for other purposes, the controller shall inform the data subject as soon as possible.

5.3 Processing of (personal) data
5.3.1. Only the following (personal) data will be processed by the controller and processors: Employees (and/or potential employees):
a. Name, first names, initials, titles, gender, date of birth, nationality, place of birth, address, postcode, place of residence, telephone number and similar data required for communication, as well as IBAN account number of the data subject;
b. Data referred to under a., of the parents, guardians or caretakers of minor employees;
c. Data concerning education, courses and internships attended and to be attended;
d. Data concerning the position or former position, as well as the nature, content and termination of the employment;
e. Data relating to the administration of the presence of the persons concerned at the place where the work is performed and their absence in connection with leave, reduction of working hours, childbirth or illness, with the exception of data relating to the nature of the illness;

f. Data recorded in the interest of the data subjects for the purpose of working conditions;
g. Data, including data concerning family members and former family members of the persons concerned, which are necessary for the purpose of an agreed condition of employment
h. Data with a view to organising personnel assessment and career guidance, insofar as such data are known to the data subject;
i. Data with a view to calculating, recording and paying salaries, allowances and other sums of money and remuneration in kind to the person concerned;
j. Data with a view to calculating, recording and paying taxes and contributions on behalf of the person concerned;
k. Data other than those referred to under a to k, the processing of which is required pursuant to or necessary with a view to the application of another law.

Clients:
a. Company name, name, first names, initials, date of birth, address, postal code, place of residence, telephone number and similar data required for communication of the person concerned and her contacts, as well as the IBAN account number;
b. Data relating to the registration of the person concerned in the Trade Register
c. The concluded agreement;
d. Data other than those referred to under a to c, the processing of which is required pursuant to or necessary for the application of another law.

Suppliers:
a. Company name, surname, first names, initials, date of birth, address, postal code, place of residence, telephone number and similar data required for communication, of the person concerned and her contacts as well as the IBAN account number;
b. Data relating to registration in the Trade Register;
c. Data relating to the agreements made between controller and data subject;
d. Data other than those referred to under a to c, the processing of which is required pursuant to or necessary for the application of another law.

5.4 The provision of the data mentioned under 5.3.1. is a necessary condition to conclude the agreement with the person concerned. If these data are not provided (in full), the agreement cannot be concluded, or there will be other (tax) consequences for the data subject.

ARTICLE 6: DATA SUBJECT’S RIGHTS

6.1 The Controller shall ensure that the data subject can exercise all his/her statutory rights.

6.2 Upon the data subject’s first written request, the controller will, as soon as possible, but no later than within four (4) weeks after a request has been made, proceed to: a. provide the necessary information requested by the data subject in writing; b. correct, supplement, delete or block personal data.

6.3 Processor is entitled to charge Data Subject reasonable costs for the activities referred to in Article 6.2. insofar as this is not excluded in the AVG.

6.4 Data Subject has the right to inspect and obtain a copy of their personal data, the processing purposes, the categories of personal data concerned, to which third parties the personal data will possibly be provided, in which countries personal data will possibly be stored and the duration of storage of personal data.

6.5 Data Subject has the right to lodge a complaint with the Personal Data Authority;

6.6 Data Subject has the right to rectification of their personal data if they are inaccurate;

6.7 Data subject has the right to oblivion: processors must delete personal data at the data subject’s request if:

• The personal data are no longer necessary for the purposes for which they were collected and/or processed;
• The personal data have been unlawfully processed;
• The personal data must be erased to comply with legal obligation incumbent on the controller;

6.8 Data Subject has the right to obtain restriction (Data Minimisation) of the processing of personal data, if:

• The accuracy of the data is contested by the data subject and, after verification, the personal data are indeed found to be inaccurate;
• The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use;
• Processor no longer needs the personal data for the processing purposes, but data subject needs them for the establishment, exercise or substantiation of a legal claim;

6.9 Data Subject has the right to object to the processing of personal data concerning him/her.

6.10 Data Subject has the right to obtain the personal data concerning him/her, in a structured, common and digital form (data portability).

6.11 Processor shall ensure that in case of change of personal data of data subject that have also been provided to third parties, the third parties are informed of this change in a timely manner, unless this information obligation is impossible or requires disproportionate effort.

ARTICLE 7: OBLIGATIONS OF THE CONTROLLER

7.1 Personal data retention periods

Controller shall not retain personal data made available to it for longer than necessary for the performance of the agreement, or to comply with a legal obligation incumbent upon it (Annex I).

7.2 Security of personal data
7.2.1 Processor shall take appropriate technical and organisational measures to adequately secure and keep secure the personal data against loss or any form of unlawful use or processing, taking into account the state of the art, the cost of implementing these measures and the nature of the personal data to be protected.
7.2.2 The Controller shall in any case take the following measures in relation to the personal data:

(a) Encryption (encryption) of digital files;
b) Password protection of data carriers (including mobile phones);
c) If physical files are involved, the responsible party will always keep these files in a lockable cabinet accessible only to designated persons.

7.3 Obligation to report security incidents
7.3.1 If a security incident qualifies as a data breach as referred to in Article 33 of the Dutch Data Protection Act (AVG), the controller is obliged to report it to the Personal Data Authority and, if necessary (Article 34 of the AVG), to the data subject(s) as well.

7.4 The processor shall impose the same obligations on the third parties and/or processors it engages as the obligations incumbent on the processor under the AVG. If necessary, the processor will impose these obligations on those third parties and/or processors by means of a processing agreement.

ARTICLE 8: FINAL PROVISIONS

8.1 If and insofar as these Regulations do not provide, the applicable Dutch (and/or European) Privacy Legislation shall be decisive/leading.

8.2 These regulations were published on 15 December 2018 and are available digitally on the website of the controller www.schenk-tanktransport.eu.

8.3 Amendments to these regulations will be made by the controller, stating the amendment date.

ANNEX I

Retention periods

Data	Retention Period*	Effective date of retention period
Personnel file	2 years after termination of employment contract	Date of leaving employment
Tax data	7 years after termination of contract	Date end of contract / assignment
Copy of identity document	5 years after employment contract is terminated	Date of leaving employment
Job application file	At the request of the data subject, or no later than 4 weeks after the job application procedure has ended. With the data subject’s consent, the retention period may be extended to 1 year after the end of the application procedure	Date termination of application procedure

*The data will not be destroyed after the expiry of the retention period if the retention is of significant interest to a party other than the data subject or if this is prevented by a legal obligation to retain the data.

ANNEX II

Overview of those who have access to the personal data of Schenk Papendrecht B.V. as referred to in article 5.1.1 of these privacy regulations:

Function and reason for access to personal data	To which personal data can be accessed?	Categories of personal data
Management / planning / financial administration	Contact details suppliers / clients: (Company) name, name and contact details, e-mail address, telephone number	Identifying data
Personnel administration / financial administration / managers	Employees / potential employees: name details, gender, date of birth, nationality, phone number, email address, IBAN, BSN, copy ID proof, letters of application, CVs	Identifying data

List of third parties that have access to personal data of data subjects as referred to in article 5.1.2 of these privacy regulations:

Organisation and reason for access to personal data	Organisation and reason for access to personal data	Categories of personal data
Payroll administration / Accountant / Pension fund / Occupational health and safety service / Absenteeism insurance.	Employees: name and address details, gender, date of birth, nationality, telephone number, email address, IBAN, BSN.	Identifying data
Personnel officer	Employees / potential employees: name and address details, gender, date of birth, nationality, telephone number, email address, IBAN, BSN, copy of ID card, letters of application, CVs.	Identifying data