This privacy statement sets out which personal data ICT Group N.V. („ICT“) and its affiliated companies collect from you through our interaction with you and through our services and products, in which way this takes place, the role of cookies, for which we use the personal data, how long we store personal data, how you can view and change the personal data stored by us and how your personal data is protected by us.

Our company details are:

ICT Group N.V.
Kopenhagen 9
2993 LL Barendrecht
The Netherlands
Tel: +31 (0)88 9082000

e-mail: info@ict.nl

Chamber of Commerce number: 24186237

Questions:

If you have any questions about the privacy and cookie policy of ICT, exercising your rights, or requests regarding transparency, please contact ICT by post or phone using the above information. It is also possible to send an email to Privacy@ict.nl.

Applicability of General Data Protection Regulation (GDPR)

When processing data, the General Data Protection Regulation (GDPR) may apply. We refer to it further as the GDPR. The GDPR applies in the case of the fully or partially automated processing of personal data, but also to the manual processing of personal data included in a file or intended for recording therein.

To determine whether the GDPR applies, the following questions are important:  

1.  Is data processed?
2.  Is this data personal data?
3.  Is this data processed automatically fully or partially, or is it included in a file or intended to be included in a file?
4.  Is the data processing within the scope of the GDPR?

How do we obtain personal data?

Personal data is shared with us by employees, potential employees, customers, prospects, suppliers or if you have contact with us.

Users of our websites, e-mails, films and videos and other digital communication channels share certain personal data directly with us.

Personal data is collected from visits to our websites by entering or leaving personal data on one of our websites, by filling in personal details or leaving them behind at one of our branches or with employees or by registering to use our services.

Personal data that have been placed, published or shared, respectively, on a forum on or linked to one of the websites operated by us, have not been collected, stored or processed by us or on our behalf or initiative, respectively. We are neither a controller or a processor pursuant to the applicable laws and regulations, including GDPR, for placing, publishing or sharing, respectively, of the these personal data and in no event will ICT Group N.V. and/or its associated companies be responsible or liable for any damage, costs or any equitable relief hereunder in relation to placing, publishing or sharing, respectively, of these personal data, respectively.

We also collect personal data, for example you create an ICT account, register for events and activities (in writing or on our websites), consent (opt-in) for marketing or recruitment activities or are willing to be added to our customer database.

We obtain another part of the data by recording how you handle our products, for example by using technologies such as cookies and receiving error reports or usage data from software on your device.

We also obtain personal data by entering into agreements or through other business activities. These may be commercial project agreements for products or services, employment contracts, detavast agreements, contracts for hiring in freelancers or temporary workers, subscriptions or licenses.

Which websites are hosted by ICT?

ICT.eu – corporate and commercial website

ICT.nl – corporate and commercial website

Freelance.ict.nl. – website aimed at recruiting freelancers

werkenbijict.nl – website aimed at recruiting employees

WERKENBIJICT.BE – website aimed at recruiting employees

DVTK.org – commercial website

Orangenxt.com – corporate and commercial website

Improveqs.nl – corporate and commercial website

Intraffic.nl – corporate and commercial website

Raster.com – corporate and commercial website

Nedmobiel.com – corporate and commercial website

BMA-Mosos.com – corporate and commercial website

Strypes.eu – corporate and commercial website

Which personal data is processed by us?

We collect the following personal data:

• name and address
• date of birth and place
• phone number
• e-mail address
• IP address
• bank account number
• identity card details (passport photo and citizen service number (BSN))

Processing targets: for what purposes do we process personal data?

ICT uses the data that is processed for:

• business management
• recruitment
• delivery of products and services
• improvement of products and services
• offering events

Business management

ICT works for contractors and supplies professionals to hirers. The legal requirement for such cases is that the contractor or the hirer obtains certain data from the identity card of the professional, including the BSN.

In addition, as an employer ICT is legally required under Article 28 of the Wage Tax Act to include a copy or scan of the identity documents of its personnel in the payroll administration.

A copy or scan of the identity card is made when an employee starts work at ICT. This means that we can prove later that our employees have properly identified themselves and that they were in the Netherlands legally. The copies of the IDs processed by ICT are also used for inspections on the work floor, for example by the SZW Inspectorate.

Delivery and improvement of ICT products and services

We collect (personal) data that we receive via websites in order to be able to work effectively and to inform and provide our customers with the best possible information about our products and services.

Furthermore, personal data may also be used for communication with customers and users, for example for providing information about user accounts, security updates and product information.

Recruitment for ICT

We use personal data for recruitment for IT and its affiliated group companies. We may provide this personal data to these companies.

ICT events

Prior to an event, we ask visitors for permission to take photos, or make video or sound recordings. These recordings are kept (up to a maximum of 3 years) and may also be used for the internal/external communication purposes of ICT Group, using online and offline resources, both for commercial purposes and recruitment. Visitors and participants in such events can also announce prior to the event that they do not wish to appear recognizable on photos, video or sound recordings of the event. They then receive a coloured sticker that they can affix to their clothing. When processing the material we take their objections into account.

ICT websites and cookies

ICT uses cookies (small text files) that are stored (by the provider of a website) on the devices of users or visitors to ICT websites, for example on a computer, telephone or tablet, and similar technologies, by means of which our services can be provided and data can be collected). With cookies, information can be collected or stored for the website visit or on the device of the user.

Cookies enable us to:

1) store the preferences and settings of ICT website visitors
2) make it possible for ICT website visitors to register for a specific purpose
3) offer advertising and marketing based on specific interests
4) achieve sound security (identification, fraud prevention, internal controls and operational safety)
5) analyze how our websites and online services perform. Our apps also use other IDs for similar purposes, such as the advertising ID in Windows.

Visitors and users of ICT websites can, after having given permission for the use of cookies, delete these cookies via the setting of the internet browser on the computer.

Applicable laws and rules for the use of cookies

The use of cookies is subject to legal regulations. The main rules for placing cookies are set out in the Telecommunications Act (Tw). Under Article 11.7a of the Tw, the provider of a website must inform internet users about placing and/or reading cookies on their device (such as their computer, laptop or smartphone). The provider of a website must then request permission from the users in many cases.

Analytical cookies

There are exceptions to the permission requirement. For example, if the cookies are technically necessary for the website to function correctly. Examples include certain analytical cookies, which provide better insight into how our website functions. The Telecommunications Act was amended on 11 March 2015. The provider of a website no longer needs permission to use analytical cookies, provided that these cookies are only used to count visitors. If analytical cookies are not used to treat people differently, they hardly affect the privacy of website visitors. In that case permission from website users is no longer necessary.

Tracking cookies

The Dutch Personal Data Protection Act also applies to tracking cookies (in combination with other data collected on the website visit).

ICT uses tracking cookies on the websites ICT.eu and Freelance.ict.nl. The website user is asked to give explicit permission for this purpose. If permission is not granted, the website visitor is asked to click for further information and the choice can be made to activate cookies fully or partially. A choice for all or none of the cookies may reduce functionality of the website.

How do we store personal data?

Personal data is stored by ICT, among others, in the following databases:

• AFAS
• AllSolutions
• Connexys
• Pardot
• SalesForce
• Starred
• Teampass
• Tobania
• TopDesk

This list of the most important databases is based on an inventory on the date on which this privacy statement was formulated and may be subject to change.

We have created a so-called “Privacy Impact Analysis” for a number of these systems in order to identify the risks associated with their use.

With whom can your personal data be shared?

Personal data is shared with:

• other ICT companies
• customers, for whom ICT fulfils service and/or management functions
• Facebook, Google and BiZo/LinkedIn
• clients, suppliers or subcontractors, government agencies and other business relations.

Basis for providing personal data

The provision of personal data is based on:

• a legitimate interest
• legal obligation and/or
• implementing the agreement in accordance with the aforementioned objectives
• permission

ICT has added the applicable basis to its processing register.

ICT deems the following means of communication as permission:

• handing over a business card at an event;
• request for information;
• quotation request;
• execution of an assignment;
• permission for use of data by email.

Processing personal data

We conclude a data processing agreement with data processors of personal data. We record these data processing agreements in a data processing register.

The data processing register includes the following information:

• the name and contact details of the responsible individual;
• the purposes for which personal data is processed;
• the categories of personal data (such as name and address details, contact details, payment details);
• the categories of individuals involved (for example: customers, website visitors, employees);
• the categories of recipients (to whom is the data provided?);
• information about the potential transfer of personal data to countries outside the EU;
• the retention periods of the personal data;
• the ways in which personal data is secured (for example: encryption, access control, pseudonymisation).

Data processing register

With regard to the requirements for a data processing register, ICT has adapted the following:

Since ICT has no obligation to appoint a data protection officer, this is not included in the processing register. ICT has instead included the roles of process owner and an application manager in the processing register. This also stipulates that the owner can never be the same person as an application manager, as a result of which the „two sets of eyes“ principle is achieved. The purpose for which the personal data is processed has been translated by ICT into the process for which the personal data in question is used.  

The categories of personal data are based on the categories in the retention period schedule. This enables the storage period to be defined. Where the data is hosted: NL, EU or outside the EU.

Rights of data subjects

ICT undertakes to:

• provide data subjects with reasonable information about the processing of their personal data
• provide data subjects with a copy of or otherwise provide insight into their processed personal data
• remove, correct, supplement or protect the personal data of data subjects on request, unless a legal (storage) obligation conflicts with this
• provide evidence that personal data of data subjects has been removed or corrected
• enable data subjects to exercise other rights under the applicable legislation.

Retention periods

The retention periods for the standard personal data linked to:

• Applicants. The storage period is four weeks after the application procedure has ended.
• Potential employees. The retention period for personal data of potential employees amounts to three years with the explicit consent of the person concerned.
• Employees. The retention period with regard to personal data of persons who are available to ICT for secondment is seven years as per the statutory retention obligation.
• ICT intranet. The retention period with regard to the personal details of employees on the ICT intranet and similar IT applications is seven years as per the statutory retention obligation.
• Hired persons. The retention period with regard to the personal details of persons hired by ICT is seven years as per the statutory retention obligation.
• Customers. The retention period with regard to personal data of ICT customers is seven years as per the statutory retention obligation.
• Suppliers. The retention period with regard to personal data of suppliers of ICT is seven years as per the statutory retention obligation.
• Prospects. The retention period with regard to personal data of prospects of ICT is three years.

Sharing personal data outside the Netherlands  

If personal data is shared outside the European Union, we will only do so if and insofar as this is legally permitted. This means, for example, that processors of our personal data outside the European Union are asked to draw up so-called “Standard/Model Contractual Clauses”.

Obviously, we ask our data processors to store the personal data that is processed on our behalf on servers that are located within the European Union.

How do we protect your personal data?

ICT does everything necessary to protect your personal data. To this end, ICT has developed an information security policy based on ISO27001. The Information Security Policy is checked several times a year by an independent authority and an ISO27001 certificate is subsequently issued. Part of this policy includes the performance of a risk analysis for each system where data is collected. Based on this risk profile, ICT has identified specific measures that include Multi Way Authentication and encryption.

In addition to technical protection, people are also important. All our employees have a confidentiality clause in their contract. ICT also invests significantly in raising employee awareness in the area of information security and data privacy. For example, several e-learning modules are available, knowledge sessions are held regularly, and a phishing test is regularly conducted to ensure that our employees remain alert.

We also keep our suppliers vigilant in this area. Again on the basis of risk, it is determined that like us, suppliers must have an information security policy that is tested by an independent body.

Policy amendment

ICT may amend this privacy statement from time to time. You can always view the most recent version via the hyperlink “Privacy Statement / Privacy Statement” on the ICT website. If and insofar as you provide ICT with personal data, we advise you to regularly check the contents of the Privacy Statement that is also available in English on the ICT website (Privacy Statement).

Version: 26 June 2019