Privacy statement

VEX Accountants & Adviseurs

Introduction
As an accountancy firm, we are responsible for the processing of a great deal of data. Some of this data is personal data. We may have received this information from you, for example via our website, e-mail, telephone or app. In addition, we may obtain your personal data from third parties in the context of our services. The personal data that we process may relate to you in your capacity as a client of our office, but also to you as a business relationship of our clients (for example, if you are a supplier or client of our client). In any case, we must inform you as a data subject whose personal data is (or may be) processed by us. With this privacy statement we inform you about how we handle personal data.

Personal data to be processed
Which personal data we process depends on the exact service and circumstances. This usually concerns the following information:
  • Name and address details;
  • Contacts function;
  • Date and place of birth;
  • Gender;
  • Contact details (email addresses, telephone numbers) and name and position of contact persons;
  • Copy of identity documents;
  • Citizen Service Number (only if necessary);
  • Passport photo (only if strictly necessary! For example for personnel file);
  • Age;
  • Salary and other data required for tax returns, salary calculations, etc.;
  • Marital status, details of partner and possibly information about children (to the extent necessary for, for example, tax returns);
  • Bank account number;
  • Information about your activities on our website, IP address, internet browser and device type.

Purposes and bases for processing

In a number of cases we process the personal data in order to comply with a legal obligation, but we usually do this to be able to implement our services. Some data is recorded for practical or efficiency reasons, which we assume are also in your interest, such as:
  • Communication and information provision;
  • Being able to provide our services as efficiently as possible;
  • Improving our services;
  • Billing and collection.

In concrete terms, the above also means that we use your personal data to send information or messages about our services, if we think that they may be of interest to you. In some cases, it may be that we want to process personal data for reasons other than those mentioned above and that we will ask you for explicit permission for this. If we ever want to process personal data that we are allowed to process on the basis of your permission for other or more purposes, we will first ask for your permission again. Finally, we may also use your personal data to protect our rights or property and those of our users and, where necessary, to comply with legal proceedings.

Provision to third parties
In the context of our services, we may use the services of third parties, for example if these third parties have specialist knowledge or resources that are necessary for an optimal service. These may be so-called processors or sub-processors, who will process the personal data on the basis of your exact assignment. Other third parties who, strictly speaking, are not processors of the personal data, but who do have or may have access to it, are, for example, our system administrator, suppliers or hosting parties of online software, or advisers whose advice we obtain regarding your assignment. If engaging third parties means that they have access to the personal data or that they record and/or otherwise process it, we will agree (in writing) with those third parties that they will comply with all obligations of the GDPR. We will of course only engage third parties who we can and may assume are reliable parties who can handle personal data adequately and can and will comply with the GDPR. This means, among other things, that these third parties may only process your personal data for the aforementioned purposes. Of course, it is also possible that we have to provide your personal data to third parties in connection with a legal obligation.

Under no circumstances will we provide your personal data to third parties for commercial or charitable purposes without your explicit permission.



Retention periods
We will not process your personal data for longer than is useful for the purpose for which it was provided (see the section 'Purposes and bases for processing'). This means that your personal data will be kept for as long as is necessary to achieve the relevant goals. Certain data must be kept longer (usually 7 years), because we have to comply with legal retention obligations (for example, the fiscal retention obligation) or in connection with regulations from our professional association.

Security
We have taken appropriate organizational and technical measures for the protection of personal data insofar as these can reasonably be expected of us, taking into account the interest to be protected, the state of the art and the costs of the relevant security measures. We oblige our employees and any third parties who necessarily have access to the personal data to maintain confidentiality. We also ensure that our employees have received correct and complete instructions on how to handle personal data and that they are sufficiently familiar with the responsibilities and obligations of the GDPR. If you would appreciate this, we would be happy to inform you further about how we have designed the protection of personal data.

Your rights
You have the right to inspect, rectify or delete the personal data we hold about you (unless, of course, this conflicts with any legal obligations). You can also object to the processing of your personal data (or part of it) by us or by one of our processors. You also have the right to have the data provided by you transferred by us to yourself or directly to another party if you wish.

Incidents involving personal data
If there is an incident (a so-called data breach) regarding the personal data in question, we will inform you without delay, unless there are serious reasons not to, if there is a concrete chance of negative consequences for your privacy and the realization thereof. We strive to do this within 48 hours after we have discovered this data breach or have been informed about it by our (sub-)processors.

Complaints

Processing within the EEA
We will only process the personal data within the European Economic Area, unless you agree otherwise in writing with us. An exception to this is the situation in which we want to map contact moments via our website and/or social media pages (such as Facebook and LinkedIn). This includes, for example, visitor numbers and requested web pages. Your data will be stored by third parties outside the EU when using Google Analytics, LinkedIn or Facebook. These parties are 'EU-US Privacy Shield' certified, so that they must comply with European privacy regulations. Incidentally, this only concerns a limited amount of sensitive personal data, in particular your IP address.

Amendments
Undoubtedly, our privacy policy will be changed from time to time. The most recent version of the privacy statement is logically the applicable version.

Finally
We hope that this privacy statement has given you a clear picture of our privacy policy. However, if you have any questions about how we handle personal data, please let us know. The first point of contact for privacy aspects at our organization is Mr. J.M. van Vessem,
justin@vexaa.nl,
06 – 410 489 86