Privacy Statement
Purified Metal Company
Purified Metal Company is a private limited liability company, which has its registered office at Van Leeuwenhoekweg 21, Dordrecht, the Netherlands (mailing address: Van Leeuwenhoekweg 21, 3316 AV Dordrecht), and principal place of business at Fivelpoort 10, Appingedam, the Netherlands.
Purified Metal Company (Chamber of Commerce (COC): 59672978) registered as: Purified Metal Company, Purified Metal Company BV.
Who are our clients?
Our clients are people with whom Purified Metal Company has concluded a contract for services. Personal data may be processed by Purified Metal Company for a client without being under its direct authority; Purified Metal Company then qualifies as the processor. In some situations, Purified Metal Company may, alone or jointly with others, determine the purposes and means of the processing of personal data; Purified Metal Company then qualifies as the controller.
What is personal data?
Personal data is any information relating to an identified or identifiable natural person which is processed in the context of a contract for services. An identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
I am not a client, but you do have personal data of mine
We process the personal data not only of our clients but also of leads, prospects, suppliers, business contacts, job applicants and, naturally, our own staff as well. In general, the provisions set out below also apply to the personal data that we process on their behalf. Different provisions applicable to these categories will be addressed later on.
What do we mean by processing of personal data?
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organising, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Who is responsible for personal data within the meaning of the General Data Protection Regulation (GDPR)?
Purified Metal Company may processes personal data for and on behalf of clients. If our role is confined to processing the personal data without determining what happens to them, the client remains responsible for the personal data. The client then determines for what purpose and by what means the personal data is processed.
Purified Metal Company may also qualify as the controller in relation to a client’s personal data. In such a case Purified Metal Company, either alone or jointly with others, determines the purposes and means of the processing of personal data. If Purified Metal Company qualifies as the controller, the client is required to comply with the GDPR or other laws or regulations governing the processing of personal data.
Insofar as we arrange for personal data to be processed by a third party, the third party qualifies as a sub-processor.
Welke persoonsgegevens verwerken wij?
Examples of personal data are:
- Surname, given name, title, sex
- Address (street, house number and town)
- Email address and telephone number
- Date of birth
- Citizen service number
- IP address
The basic principles are confidentiality and non-disclosure to third parties. This forms the basis of the technical and organisational security.
We do not process data on matters such as race, political opinion and religious conviction or data concerning health. If there should nonetheless be a special reason why this is necessary, we will raise the matter specifically with the client and include it in the contract for services.
How do we process personal data?
We process personal data exclusively in the manner we have agreed with the client in the contract for services. We do not process data longer or more extensively than strictly necessary for the performance of the contract.
The processing is carried out in accordance with the client’s instructions, unless we are required by law or regulation to act differently. If we believe that an instruction infringes upon the General Data Protection Regulation Act, we inform the client immediately.
If we qualify as the processor, the processing takes place under the client’s responsibility. We have no control over the purposes and means of the processing and take no decisions on such matters as the use of personal data, the period during which the personal data is kept for the client and the disclosure of personal data to third parties. If we qualify as the controller, as is the case where we perform compilation engagements, we will process the data in the manner we, as the expert, consider correct and in accordance with the agreed contract. The client should then ensure that he complies with the personal data processing legislation applicable to him as processor and should observe the arrangements we have made in the contract for services.
We comply with any independent obligation we may have on the basis of the statutory regulations or any professional rules or code of conduct applicable to the staff in relation to the processing of personal data.
The client has a statutory obligation to comply with the existing privacy laws and regulations. The client should determine in particular whether there is a lawful basis for the processing of the personal data. We ensure that we comply with the regulatory provisions applicable to us in respect of the processing of personal data.
We will process the personal data only within the European Economic Area (EEA), unless we have made other arrangements with the client that have been recorded in writing.
Who has access to the personal data?
We ensure that only our staff have access to the personal data. An exception to this is where we use sub-processors. Where possible, we limit our staff’s access to personal data on a need- to-know basis. We also ensure that staff who have access to the personal data receive correct and complete instructions on how to deal with such data and that they are conversant with their responsibilities and statutory obligations.
We may engage other processors (or sub-processors) to carry out certain activities under the contract. If, as a result of their engagement, sub-processors become involved in processing these personal data, we will impose the same obligations on them (in writing). When awarding an engagement to Purified Metal Company, the client accepts that sub-processors may be used in the performance of the contract.
Access to and rectification or erasure of personal data
We comply with requests for access to and rectification or erasure of personal data where possible. The erasure of personal data is a right under the GDPR. We may charge a fee if complying with a request entails any costs either for us or for the sub-processor.
If we receive a request to disclose personal data, we will do so only if the request has been made by a competent authority. What is more, we will first determine whether, in our view, the request is binding. If there are no criminal law restrictions or other legal obstacles, we will inform the client of the request. We will try to do this as quickly as possible so that the client has an opportunity to exercise any legal remedies that may be available to prevent disclosure of the personal data. If we are allowed to notify the client of the request, we will also consult with the client about what data we make available and how.
Security measures
We have adopted suitable security measures that provide a level of security geared to the nature of the personal data and the scope, context, purpose and risks of the processing. In introducing these measures we have taken into account the risks to be mitigated, the current state of technology and the costs. Purified Metal Company will periodically carry out internal audits and make random checks.
We offer suitable safeguards for the application of the technical and organisational security measures to the processing activities undertaken.
Transparency
Clients who wish to arrange for the implementation of our security measures to be inspected by an independent expert may submit a request to this effect. We will then make the necessary arrangements with the client. The costs of an inspection or audit are borne by the client. The client agrees to provide us with a copy of the inspection report.
Data breaches
Purified Metal Company has created a special email address where clients, staff, sub- processors and third parties can report incidents that may involve a data breach. Purified Metal Company will investigate reports as quickly as possible and take whatever measures are necessary to prevent further losses for those concerned and for Purified Metal Company. As required by law, a data breach that may have serious consequences will be reported to the Dutch Data Protection Authority and to the person or persons whose personal data is affected by the data breach.
Incidents that may involve a data breach can be reported to .
Duty of secrecy
We ensure that personal data we receive are kept secret and also impose a duty of secrecy on our staff and any sub-processors. Where staff are entrusted with personal data, they will also observe the duty of secrecy.
Liability
The client warrants that the processing of personal data in accordance with our contract for services and these provisions is not unlawful and does not infringe upon the rights of other data subjects such as relatives or staff.
We are not liable for losses resulting from failure by the client to comply with the General Data Protection Regulation Act or any other laws or regulations. The client also indemnifies us against claims of third parties in respect of such losses. The indemnity relates not only to losses (both material and non-material) suffered by such third parties but also to the costs we have to incur in this context, for instance in any legal proceedings, and the costs of any fines imposed on us as a consequence of the client’s actions.
The limitation of our liability agreed in a contract for services and the related general terms and conditions applies to the obligations contained in this privacy statement, provided always that one or more claims for damages under this privacy statement and/or the contract for services may never exceed the limitation.
General terms and conditions
Our general terms and conditions apply to all our services. By signing the contract for services, clients acknowledge that they have in their possession, have read and agree to our general terms and conditions and this privacy statement.
Termination and return/destruction of personal data
In view of legislation or other regulations, we may be unable to comply with a request from a client to destroy or return personal data at the end of our contract for services. If this is possible, however, we will cooperate in meeting the request.
The costs of collecting and transferring personal data at the end of the contract are borne by the client. The same applies to the costs of destroying personal data.
Additions and changes to the Purified Metal Company privacy statement
We will ensure that this privacy statement is kept up-to-date and will modify its provisions where necessary. If these provisions should undergo significant changes or additions on account of new or changed legislation, we will notify our clients accordingly. If we are no longer able to provide a given degree of protection, we may decide to terminate the contract for services.
Different provisions for certain natural persons
The rule we apply in the case of personal data of leads and prospects is that once every 5 years we remove all such data we have processed longer than 5 years with a view to being able to conclude a contract for services. The only exception is where the data subject has agreed and recorded a follow-up arrangement showing that we can continue processing for a further 5 years.
We make an agreement with job applicants that we will keep their personal data for a maximum of 24 months after the closing date for applications.
The same rule applies to staff, trainees, hirers, agency staff and self-employed persons of Purified Metal Company as to clients, although here references to contract for services must be read as employment contract, traineeship agreement, temporary employment contract, agency employment contract or management agreement, as the case may be. We also observe the statutory periods for keeping their personal data.
Final provisions
On request, the parties will assist the supervisory authority in performing its tasks.
Dutch law applies to these provisions and the Dutch courts have jurisdiction to hear all disputes resulting from or related to these provisions.
This privacy statement forms part of our contracts for services and is therefore binding on the parties. This privacy statement takes precedence over the provisions of our general terms and conditions, unless express reference is made to a provision in the general terms and conditions. If one or more of the provisions referred to here prove to be invalid in respect of a client, this will not affect the validity of the other provisions. We will then consult with the client with a view to drawing up together a new provision. This provision will be as close as possible to the spirit of the invalid provision, but obviously framed in such a way as to be valid.
Contact
For questions about rights and the manner in which Purified Metal Company handles personal data, please email a request for information to Purified Metal Company at .
Purified Metal Company will answer questions as quickly as possible, but in any event within four weeks.
GDPR
GDPR is the General Data Protection Regulation, including the legislation implementing this regulation.
Data breach
A data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.