Privacy Statement for customers of Zestgroup


As Zestgroup (including its companies such as Zest Consultancy, Zest Academy, Zest Industries, Zest Utilities and Zest Purchasing), we want to meet the requirements of the General Data Protection Regulation (GDPR) as an organization.

In our service, we gather your personal data. In this document we explain which data we gather & store, and for what purpose we use it. The provision of our consultancy services automatically leads to a collaboration with employees in your organization. This collaboration may occur on the one hand in the role of a temporary colleague, but also in the role of client and of course also in the form of the person who is responsible for credit management.

As your supplier of consultancy services, we believe it is important to provide you with information about:

  • The personal data that we process from you
  • The way we do that
  • The provision of data to others within or outside Europe
  • How long we store your data
  • How we protect this data

In addition, we want to inform you about your rights via this privacy statement. Finally, we would like to let you know where to go with questions, requests or complaints. We ask you to read this information carefully.

Important definitions and Basic principles

Personal data refers to any information on an identified or identifiable natural person. This contains the information you provide us with in the context of the mutual administration, but also the names, business email addresses and business telephone numbers that you, or your employees, share with us.

The processing of personal data refers to all actions that we can carry out with your personal data. This is therefore a very broad concept. Actions include: collecting, recording, organizing, storing, updating, modifying, retrieving, consulting, using, forwarding, distributing, making available, bringing together, relating, shielding, erasing and destroying of data.

The primary basic principles when processing personal data are:

  • Purpose binding: data may only be processed for a specific and explicitly defined purpose. This means that it should be considered why data must be processed (purpose) and what the necessity is for the data (principle of necessity: subsidiarity and data minimization).
  • Basis: there must be a foundation for every data processing. A basis is a term from the legislation. A number of principles are stated in the law. Only when we can use one of these bases, we may process data.
  • Proportionality: this principle means that the infringement of the interests of the person involved in the processing of personal data may not be disproportionate in relation to the purpose of the processing.
  • Rights: data subjects have rights with regard to the personal data processed about them. This concerns the right to information that is collected, on inspection, a copy, supplement, correction, and removal.
  • Subsidiarity: it must be examined whether the purpose of the processing can also be achieved in another way that reduces privacy.
  • Transparency: data subjects, whose data are processed, must know which personal data is being processed, for what purpose (where appropriate) and how they can exercise their rights.
  • Responsibility: the person responsible for the processing of personal data must account for taking measures that implement the basic principles with respect to the processing of personal data.
  • Carefulness: the data must be treated ‘neatly’. This relates on the one hand to taking security measures and on the other hand to more organizational and cultural characteristics of dealing with data.

This Privacy Statement applies to Zestgroup BV and its affiliates, collectively referred to as “Zestgroup“.

Confidential about personal data

Zestgroup and all its employees (including third parties) are contractually obliged to keep all personal details of employees, customers and other persons working at Zestgroup, regardless of the nature and content of their contract.
Through an information security policy, we ensure that our employees consciously deal with data and personal data that they obtain in the performance of their work.

Data Zestgroup uses in the context of providing services to you

We only process the following data:

Administration (deployed consultant)

  • We store your contacts for the processing of offers, order confirmations and invoices. You provide us with this information; you will see this information in our communication to you. If you have any questions, we will contact you by email or telephone.
  • In many cases you ask us to sign a confidentiality agreement. These confidentiality statements are stored digitally with us.

Administration (you take other services, for example a training)

  • You provide us with the names and contact details of participants. We use this information for the organization / planning of the training, for recording, and where necessary registering for Certifications.

You are the client (our consultant delivers to a specific employee of your organization services).

  • Our account managers coordinate with your employees about the quality of our services, adjustments, etc. The contact details per client are stored.
  • Clients also vote in written evaluations which are stored in the p-records of our employees and form part of our periodic evaluation interviews. The name, telephone number and e-mail address of the client is often known and becomes clear to the Zestgroup evaluator.

You have been the client or principal

Your data and data from your employees may occasionally be used to inform you about relevant matters or to invite you for relevant events organized by Zestgroup.

  • Some examples:
    • A sector release is scheduled twice a year in the Utilities market. Zest Utilities processes this into a global impact analysis and makes it available to its customer base.
    • Once a year, Zestgroup organizes a beach volleyball event. Invitation to participate is discussed personally by Zest colleagues with your employees. You can also receive an invitation from known Zesters by e-mail.
    • Zestgroup organizes round the table sessions or Meeting of Minds several times a year. A specific employee can be personally approached for each theme.

Zestgroup can have commercial contact in your organization in consultation with your purchasing policy. To this end, we use the network we have available; we do not send all kinds of information unsolicited. We appreciate personal contact in order to get to know you and your organization better and thus to continuously optimize our services for you.

  • Contacts and storage of data is limited to our CRM. We only speak to the employees who are open to this and after a referral from your employee, we may contact others within your organization. We record the following information:
    • Name
    • E-mail
    • Telephone number
    • Position
    • Short report of the meeting (business information, no personal information)
  • Your employees can be linked to Zestgroup employees via social media, but they can also follow our company. We actively use social media as a medium to share information about Zestgroup. This is addressed to our followers and non-followers.
  • Making contact via social media always happens first with a request to link, only then we will approach people directly via social media. This contact is incidental and often linked between two people and not Zestgroup as a whole. We never ask our employees to share their contact details with us.

Transfer of your personal data

We only use your personal data for ourselves (our own business operations). We do not make this  data available to others, and we will never sell the data. There is one exception: giving up references in resumes of our employees (and former employees) and possibly giving up references in commercial processes at clients.

References linked to the suitability of a Zest employee are always coordinated directly with the sponsor. Data is only exchanged if a future customer / employer wants to make contact with the sponsor and always in preliminary consultations.

References linked to our service from Zestgroup are only given after explicit permission from your organization. This is covered by our standard confidentiality.

With parties that process personal data on our behalf (the so-called ‘processors’), we conclude processing agreements (if necessary). We do this so that when we provide data to them, it is, among other things, well established that they also protect these data properly and they must report to us timely in case of a (presumption of a) data breach. In your case, this is limited to the invoice administration that we carry out.

Storage of your personal data

When storing personal data, our basic principle is that we do not store data longer than necessary for the purpose for which we have processed it. As far as there are, we observe the statutory retention periods. Data may be retained by us for longer if we have a legitimate interest in it (for example, when legal proceedings are underway or have been announced and we must be able to defend ourselves).

Securing your personal data

The security of your personal data is well regulated by us through physical, administrative, organizational and technical measures. We therefore have an appropriate level of protection. We also update this periodically if necessary.

Part of the security is also the reporting and handling of data leaks. A data breach is a violation of the security of personal data, whereby personal data (permanently) are lost, or unlawful processing can not reasonably be excluded.

Your rights

Under the terms of the General Data Protection Regulation (GDPR), you have the right to ask us for the personal data that we process from you:

  • Access your data
  • A copy of your data
  • To receive information about the processing of your data (this privacy statement also applies for this, but you may still have questions that are not answered).
  • Information to be corrected that is actually not correct.
  • Complete incomplete information when needed for the purpose for which the data is processed.
  • In certain cases to have your data removed. Please note: we do not have to comply with this if we still have a legitimate interest in (longer) storage of data or in order to comply with a statutory duty or on the basis of another reason stated in the law.
  • In certain cases to “limit” the data that we process from you. Please note: we strive to collect as little data as possible (data minimization).
  • In certain cases to object to the use of your data.
  • If you have given permission for the use of your data to withdraw permission. The withdrawal then applies to future use of your data.
  • If you supplied the data yourself or if data was created by you and you have given permission for this or the data are required for the execution of the agreement, and if the data is digitally processed: to get your data in a standard format and, if this is technically possible, transfer this data to another party in this way.
  • Submit a complaint to the competent organization that monitors compliance with the privacy legislation in the Netherlands. In the Netherlands, this is the Dutch Data Protection Authority (AP) in The Hague. In this case, we would appreciate it if you first contact us to see if we can solve your complaint.

If you wish to invoke your rights, you can contact the contact persons mentioned in this privacy statement. If we have good reasons to refuse your request, we will explain why this is so.


If you have questions, requests or complaints about the processing of your personal data, please contact:

Adaptation of the privacy statement

We reserve the right to amend this privacy statement. If this is a major change, we will inform you accordingly.

Date of this privacy statement

This privacy statement is from May 22, 2018.

Want to know more?

More information, contact, apply; we'd love to hear from you!