This privacy statement sets out which personal data ICT Group N.V. (“ICT”) and its affiliated companies collect from you through our interaction with you and through our services and products, in which way this takes place, the role of cookies, for which we use the personal data, how long we store personal data, how you can view and change the personal data stored by us and how your personal data is protected by us.
Our company details are:
ICT Group N.V.
2993 LL Barendrecht
Tel: +31 (0)88 9082000
Chamber of Commerce number: 24186237
Applicability of General Data Protection Regulation (GDPR)
When processing data, the General Data Protection Regulation (GDPR) may apply. We refer to it further as the GDPR. The GDPR applies in the case of the fully or partially automated processing of personal data, but also to the manual processing of personal data included in a file or intended for recording therein.
To determine whether the GDPR applies, the following questions are important:
- Is data processed?
- Is this data personal data?
- Is this data processed automatically fully or partially, or is it included in a file or intended to be included in a file?
- Is the data processing within the scope of the GDPR?
How do we obtain personal data?
Personal data is shared with us by employees, potential employees, customers, prospects, suppliers or if you have contact with us.
Users of our websites, e-mails, films and videos and other digital communication channels share certain personal data directly with us.
Personal data is collected from visits to our websites ICT.eu, Freelance.ict.nl, WERKENBIJICT.BE, DVTK.org, and ICT-Hackathon.nl, by entering or leaving personal data on one of our websites, by filling in personal details or leaving them behind at one of our branches or with employees or by registering to use our services.
We also collect personal data, for example you create an ICT account, register for events and activities (in writing or on our websites), consent (opt-in) for marketing or recruitment activities or are willing to be added to our customer database.
We obtain another part of the data by recording how you handle our products, for example by using technologies such as cookies and receiving error reports or usage data from software on your device.
We also obtain personal data by entering into agreements or through other business activities. These may be commercial project agreements for products or services, employment contracts, detavast agreements, contracts for hiring in freelancers or temporary workers, subscriptions or licenses.
Which websites are hosted by ICT?
ICT.eu – corporate and commercial website
Freelance.ict.nl. – website aimed at recruiting freelancers
WERKENBIJICT.BE – website aimed at recruiting employees
DVTK.org – commercial website
ICT-Hackathon.nl – website aimed at recruiting employees
Which personal data is processed by us?
We collect the following personal data:
- name and address
- birthdate and place
- phone number
- e-mail address
- IP address
- bank account number
- identity card details (passport photo and citizen service number (BSN))
Processing targets: for what purposes do we process personal data?
ICT uses the data that is processed for:
- business management
- delivery of products and services
- improvement of products and services
- offering events
ICT works for contractors and supplies professionals to hirers. The legal requirement for such cases is that the contractor or the hirer obtains certain data from the identity card of the professional, including the BSN.
In addition, as an employer ICT is legally required under Article 28 of the Wage Tax Act to include a copy or scan of the identity documents of its personnel in the payroll administration.
A copy or scan of the identity card is made when an employee starts work at ICT. This means that we can prove later that our employees have properly identified themselves and that they were in the Netherlands legally. The copies of the IDs processed by ICT are also used for inspections on the work floor, for example by the SZW Inspectorate.
Delivery and improvement of ICT products and services
We collect (personal) data that we receive via websites in order to be able to work effectively and to inform and provide our customers with the best possible information about our products and services.
Furthermore, personal data may also be used for communication with customers and users, for example for providing information about user accounts, security updates and product information.
Recruitment for ICT
We use personal data for recruitment for IT and its affiliated group companies. We may provide this personal data to these companies.
Prior to an event, we ask visitors for permission to take photos, or make video or sound recordings. These recordings are kept (up to a maximum of 3 years) and may also be used for the internal/external communication purposes of ICT Group, using online and offline resources, both for commercial purposes and recruitment. Visitors and participants in such events can also announce prior to the event that they do not wish to appear recognizable on photos, video or sound recordings of the event. They then receive a coloured sticker that they can affix to their clothing. When processing the material we take their objections into account.
ICT websites and cookies
Cookies enable us to:
1) store the preferences and settings of ICT website visitors
2) make it possible for ICT website visitors to register for a specific purpose
3) offer advertising and marketing based on specific interests
4) achieve sound security (identification, fraud prevention, internal controls and operational safety)
5) analyse how our websites and online services perform. Our apps also use other IDs for similar purposes, such as the advertising ID in Windows (see the Windows section of this statement).
There are exceptions to the permission requirement. For example, if the cookies are technically necessary for the website to function correctly. Examples include certain analytical cookies, which provide better insight into how our website functions. The Telecommunications Act was amended on 11 March 2015. The provider of a website no longer needs permission to use analytical cookies, provided that these cookies are only used to count visitors. If analytical cookies are not used to treat people differently, they hardly affect the privacy of website visitors. In that case permission from website users is no longer necessary.
The Dutch Personal Data Protection Act also applies to tracking cookies (in combination with other data collected on the website visit).
ICT uses tracking cookies on the websites ICT.eu and Freelance.ict.nl. The website user is asked to give explicit permission for this purpose. If permission is not granted, the website visitor is asked to click for further information and the choice can be made to activate cookies fully or partially. A choice for all or none of the cookies may reduce functionality of the website.
How do we store personal data?
Personal data is stored by ICT, among others, in the following databases:
This list of the most important databases is based on an inventory on the date on which this privacy statement was formulated and may be subject to change.
We have created a so-called “Privacy Impact Analysis” for a number of these systems in order to identify the risks associated with their use.
With whom can your personal data be shared?
Personal data is shared with:
- other ICT companies
- customers, for whom ICT fulfils service and/or management functions
- Facebook, Google and BiZo/LinkedIn, WordPress
- clients, suppliers or subcontractors, government agencies and other business relations.
Basis for providing personal data
The provision of personal data is based on:
- a legitimate interest
- legal obligation and/or
- implementing the agreement in accordance with the aforementioned objectives
ICT has added the applicable basis to its processing register.
ICT deems the following means of communication as permission:
- handing over a business card at an event;
- request for information;
- quotation request;
- execution of an assignment;
- permission for use of data by email.
Processing personal data
We conclude a data processing agreement with data processors of personal data. We record these data processing agreements in a data processing register.
The data processing register includes the following information:
- the name and contact details of the responsible individual;
- the purposes for which personal data is processed;
- the categories of personal data (such as name and address details, contact details, payment details);
- the categories of individuals involved (for example: customers, website visitors, employees);
- the categories of recipients (to whom is the data provided?);
- information about the potential transfer of personal data to countries outside the EU;
- the retention periods of the personal data;
- the ways in which personal data is secured (for example: encryption, access control, pseudonymisation).
Data processing register
With regard to the requirements for a data processing register, ICT has adapted the following:
Since ICT has no obligation to appoint a data protection officer, this is not included in the processing register. ICT has instead included the roles of process owner and an application manager in the processing register. This also stipulates that the owner can never be the same person as an application manager, as a result of which the “two sets of eyes” principle is achieved. The purpose for which the personal data is processed has been translated by ICT into the process for which the personal data in question is used.
The categories of personal data are based on the categories in the retention period schedule. This enables the storage period to be defined. Where the data is hosted is registered: NL, EU or outside the EU.
Rights of data subjects
ICT undertakes to:
- provide data subjects with reasonable information about the processing of their personal data
- provide data subjects with a copy of or otherwise provide insight into their processed personal data
- remove, correct, supplement or protect the personal data of data subjects on request, unless a legal (storage) obligation conflicts with this
- provide evidence that personal data of data subjects has been removed or corrected
- enable data subjects to exercise other rights under the applicable legislation.
The retention periods for the standard personal data linked to:
- applicants. The storage period is four weeks after the application procedure has ended.
- potential employees. The retention period for personal data of potential employees amounts to three years with the explicit consent of the person concerned.
- employees. The retention period with regard to personal data of persons who are available to ICT for secondment is seven years as per the statutory retention obligation.
- ICT intranet. The retention period with regard to the personal details of employees on the ICT intranet and similar IT applications is seven years as per the statutory retention obligation.
- hired persons. The retention period with regard to the personal details of persons hired by ICT is seven years as per the statutory retention obligation.
- customers. The retention period with regard to personal data of ICT customers is seven years as per the statutory retention obligation.
- suppliers. The retention period with regard to personal data of suppliers of ICT is seven years as per the statutory retention obligation.
- Prospects. The retention period with regard to personal data of prospects of ICT is three years.
Sharing personal data outside the Netherlands
If personal data is shared outside the Netherlands, we will only do so if and insofar as this is legally permitted. This means, for example, that processors of our personal data outside the European Union are asked to draw up so-called “Standard/Model Contractual Clauses”.
Obviously, we ask our data processors to store the personal data that is processed on our behalf on servers that are located within the European Union.
How do we protect your personal data?
ICT does everything necessary to protect your personal data. To this end, ICT has developed an information security policy based on ISO27001. The Information Security Policy is checked several times a year by an independent authority and an ISO27001 certificate is subsequently issued. Part of this policy includes the performance of a risk analysis for each system where data is collected. Based on this risk profile, ICT has identified specific measures that include Multi Way Authentication and encryption.
In addition to technical protection, people are also important. All our employees have a confidentiality clause in their contract. ICT also invests significantly in raising employee awareness in the area of information security and data privacy. For example, several e-learning modules are available, knowledge sessions are held regularly, and a phishing test is regularly conducted to ensure that our employees remain alert.
We also keep our suppliers vigilant in this area. Again on the basis of risk, it is determined that like us, suppliers must have an information security policy that is tested by an independent body.
ICT may amend this privacy statement from time to time. You can always view the most recent version via the hyperlink “Privacy Statement / Privacy Statement” on the ICT website. If and insofar as you provide ICT with personal data, we advise you to regularly check the contents of the Privacy Statement that is also available in English on the ICT website (Privacy Statement).
Version: 19 April 2018