In principle, personal data are not kept longer than is strictly necessary for the purpose for which they have been provided. We strive to observe the principle of minimal data processing. We therefore use different retention periods. After this retention period, we remove or anonymise the personal data.
For exceptional situations (e.g. fraud prevention) we have a legitimate interest to keep personal data longer. We regularly check whether this legitimate interest still applies.
Special personal data
In principle, Fidron does not process special personal data. After all, the processing of special personal data is prohibited without legal exception. That is why special personal data are only processed when there is a specific statutory exception.
When do we provide personal data to third parties?
We only provide personal data to third parties if this is strictly necessary for one of the above purposes. We have concluded processing agreements with these third parties. These (sub)processors will only use the personal data for the purpose that we agreed upon.
We will not share personal data with third parties/sub-processors without the express consent of the (co-)controller.
We never sell personal data to third parties.
What rights do you have as a data subject?
As a data subject, you have several rights to control your personal data. We want to be transparent in our data processing. Below you will find the rights you, as a data subject, can invoke. We take care to respond to your request in the right way.
- Right of Inspection: If you request your right of access, we will provide you with an overview of all personal data or copies of documents that we have collected from you. In addition, we will state the purpose and explain the basis of this processing.
- Right to rectification: You have the right to submit a request for rectification of any incorrect information relating to you. You also have the right to have the incorrect information rectified and possibly replaced by correct information.
- Right to Object: In certain situations you can object to the data processing.
- Right to data portability: You have the right to request your personal data which we process digitally. We will transfer these data to you in a digital and structured way.
- Right to forget: In a few situations you have the right to be forgotten. This means that we will remove any (possible) personal data about you.
- Right to restriction: In some situations you have the right to (temporarily) restrict data processing.
For exceptions and explanations to the above rights, please refer to the website of the Authority for the Protection of Personal Data.
We ask you to verify your identity by sending a copy of your identity document. Please make sure to cover the BSN number and your passport photo (Tip: use the CopyID app from the Dutch government). We will not share personal data if you cannot prove that you are the data subject.
To invoke one of the above rights, please submit your request to the e-mail address below. For a sample letter you can consult the website of the Authority Personal Data.
How do we ensure that personal data is processed securely?
Fidron takes the protection of your personal data very seriously. Personal data are stored in a secure cloud environment. Our ICT partner ensures that this digital environment is constantly up-to-date and meets the necessary security requirements. The ICT partner has the ISO 27001 and NEN 7510 certificates, received for its information security policy.
In addition to technical measures, we also take various organisational measures to secure personal data against loss and/or unlawful processing. Employees are required to sign a confidentiality agreement and are regularly trained on the internal protocols for processing personal data.
We have a protocol for when a data breach occurs, in order to act as quickly as possible after discovery. If necessary, we report data breaches to the AP and to the person(s) concerned. We always report data breaches to our clients within the agreed period.
Do we share personal data outside the EEA?
We only share personal data with parties in countries outside the EEA if certain conditions are met regarding the level of protection of the data processing. The third country, outside the EEA, must meet the adequacy requirement of the EC.
We do not share personal data outside the EEA without our client's written consent.
Automated decision making
We do not engage in automated decision making and/or profiling.
How can you file a complaint?
If you suspect that we have handled your personal data carelessly, you can file a complaint with our internal manager. If the complaint requests it, we will contact you or try to solve the complaint ourselves. You can address your complaint to firstname.lastname@example.org with the subject line "Complaint about...
You have the right at all times to submit a complaint to the supervisory body, the Dutch Data Protection Authority.
PO Box 696
8000 AR Zwolle
Tel.: +31 (0)38 - 4258860