Privacy statement for customers of zestgroup
We, Zestgroup (and its affiliated companies such as Zest Consultancy, Zest Academy, Zest Industries, Zest Utilities and Zest Purchasing) want to comply as an organization with the requirements of the General Data Protection Regulation (GDPR).
We also receive personal data in our services to you. In this document we explain which data we receive and store and what we use it for. Providing our consultancy services leads to collaboration with employees in your organization, on the one hand as temporary colleagues, but also in the role of client and of course also in the form of the persons responsible for creditor management.
As your provider of consultancy services, we believe it is important to provide you with information about:
- The personal data we process about you
- The way we do it
- The provision of data to others within or outside Europe
- How long we keep your data
- How we secure this data
In addition, we would like to inform you about your rights via this privacy statement. Finally, we would like to let you know who you can contact with questions, requests or complaints. We ask that you read this information carefully.
Important Definitions and Basics
Personal data is any information about an identified or identifiable natural person. For you, this means that this information is directly about you or that this information can be traced back to you. This can, for example, be your name, date of birth and address, but also your employee number, business email address or business telephone number.
Processing personal data concerns all actions we can perform with your personal data, from collection to destruction. So this is a very broad concept. Acts that are in any case covered are: collecting, recording, organizing, storing, updating, modifying, retrieving, consulting, using, forwarding, disseminating, making available, bringing together, relating, shielding, erasing and destroying of data.
The primary basic principles when processing personal data are:
- Purpose limitation: data may only be processed for a well-defined and explicitly defined purpose. This means that it must be considered in advance why data must be processed (purpose) and which data is necessary for this (principle of necessity: subsidiarity and data minimization).
- Basis: there must be a basis for every data processing. A basis is a legal term. A number of principles are specified in the law. We may only process data if we can make use of one of these bases.
- Proportionality: this principle means that the infringement of the interests of the data subject when processing personal data of the data subject may not be disproportionate in relation to the purpose to be served by the processing.
- Rights: data subjects have rights with regard to the personal data that are processed about them. This concerns the right to information that and what is collected, to access, a copy, supplement, correction, deletion and under the GDPR also of opposition.
- Subsidiarity: it must be examined whether the purpose of the processing can also be achieved in another way that infringes less/no infringement on privacy.
- Transparency: data subjects whose data is processed must know which of their personal data is processed, for what purpose (where applicable) and how they can exercise their rights.
- Responsibility: the person responsible for the processing of personal data must be accountable for taking measures that implement the basic principles with regard to the processing of personal data.
- Care: the data must be handled ‘neatly’. On the one hand, this relates to taking security measures and, on the other, to more organizational and cultural characteristics of handling data.
This Privacy Statement applies to Zestgroup BV and its affiliates, hereinafter collectively referred to as ‘Zestgroup’.
Confidentiality of personal data
Zestgroup and all its employees (including third parties) are contractually obliged to maintain the confidentiality of all personal data of employees, customers and other persons employed by Zestgroup, regardless of the nature and content of their contract.
Through an information security policy, we ensure that our employees deal consciously with data and personal data that they obtain in the performance of their duties.
Information that Zestgroup uses in the context of providing services to you
We only process the following data:
Administration (we deploy a consultant)
- We store your contacts for the handling of quotations, order confirmations and invoices. You provide us with this information; you will see this information in our communication with you. If you have any questions, we will contact the contact persons provided to us by e-mail or telephone.
- In many cases you ask us to sign a non-disclosure agreement. These confidentiality statements are stored digitally with us.
Administration (you purchase other services, for example a training)
- You provide us with the names and contact details of participants, we use this information for the organization/planning of the training and for recording and where necessary registering for exam and/or certification.
You are the client (our consultant provides services to a specific employee of your organization)
- Our account managers coordinate with your employees about the quality of our services, adjustments, etc. The contact details per client are stored.
- Clients also provide us with written evaluations, which are stored in the p-file of our employees and are part of our periodic evaluation conversations. This often contains the name, telephone number and e-mail address of the client and becomes visible for the Zest assessor.
You are of have been a client
Your details and details of your employees can occasionally be used to inform you about relevant matters or to invite you to relevant events that are organized by Zestgroup.
- In the Utilities market, a sector release is scheduled twice a year. Zest Utilities processes this into a global impact analysis and makes it available to its customer base.
- Once a year, Zestgroup organizes a beach volleyball event. Invitation to participate will be discussed personally by Zest colleagues with your employees. You can also receive an invitation by mail from well-known Zesters.
- Zestgroup organizes round table sessions or Meeting of Minds several times a year. A specific employee can be approached personally for each theme.
Zestgroup can have commercial contact within your organization in accordance with your purchasing policy. For this we use the network at our disposal; we do not send all kinds of information unsolicited. We appreciate personal contact to get to know you and your organization better and thus to continuously optimize our services for you.
Contacts and data storage is limited to our CRM. We only speak to employees who are open to this and we may contact others within your organization after a referral from your employee. We record the following information:
- Phone number
- Short report of the meeting (business information, no personal information)
Your employees can be linked to Zestgroup employees on social media, but they can also follow our company. We actively use social media as a medium to share information about Zestgroup. This is addressed to our followers and not-yet-followers.
Making contact through social media is always done first with a request for links, only after that we will approach people directly via social media. This contact is also incidental and often linked between two people and not Zestgroup as a whole. We never ask our employees to share their contact file with us.
Transfer of your personal data
We only use your personal data for ourselves (our own business operations). We do not make these available to others, and never resell them. There is one exception: specifying references in the resumes of our employees (and former employees) and possibly specifying references in commercial processes with customers.
References linked to the suitability of a Zest employee are always directly coordinated with the referent. Data is only exchanged if a future customer / employer wants to contact the sponsor and always after preliminary consultation.
We only provide references linked to our services from Zestgroup after explicit permission from your organization. This is subject to our standard confidentiality.
We conclude processing agreements (as far as this is necessary) with parties that process personal data on our behalf (the so-called ‘processors’). We do this so that when we provide data to them, it is well established that they also properly protect this data and that they must report to us in a timely manner in the event of a (suspected) data breach. In your case, this is limited to the invoice administration that we conduct.
Storing your personal data
When storing personal data, our starting point is that we do not keep data longer than is necessary for the purpose for which we processed it. As far as there are any, we observe the statutory retention periods. We can keep data for longer if we have a legitimate interest in doing so (for example, when legal proceedings are ongoing or announced and we must be able to defend ourselves).
Securing your personal data
The security of your personal data is well organized by us through physical, administrative, organizational and technical measures. We therefore have an appropriate level of protection. We also periodically adjust this when necessary.
The reporting and handling of data breaches is also part of the security. A data breach is a breach of the security of personal data, where personal data is (permanently) lost, or unlawful processing cannot reasonably be ruled out.
If you would like to have more information about security in general and data breach handling specifically, view our information security policy.
Under the GDPR, you have the right to ask us with regard to the personal data that we process about you:
- Access to your data (with the exception of any personal notes of the managers and others).
- A copy of your data (excluding personal notes from your manager(s) or others within our organization).
- Information about the processing of your data (this privacy statement also serves this purpose, but you may still have questions that are not answered here).
- Correct information that is factually incorrect.
- Complete incomplete information when necessary for the purpose for which the data is processed.
- In certain cases to have your data removed.
- In certain cases to have the data that we process about you “limited” (please note: we strive to collect as little data as possible (data minimization).
- In certain cases, object to the use of your data.
- If you have provided the data yourself or if data has been created by you and you have given permission for this or the data is necessary for the execution of the agreement, and if the data is processed digitally: to receive your data in a common format and, if technically possible, to have this data transferred to another party in this way.
- Submit a complaint to the competent organization that monitors compliance with privacy legislation in the Netherlands. In the Netherlands, this is the Dutch Data Protection Authority (AP) in The Hague. In this case, we would appreciate it if you first contact us to see if we can resolve your complaint.
If you want to invoke your rights, you can contact the contact persons mentioned in this privacy statement. If we have good reasons to refuse your request, we will explain why.
With questions, requests or complaints about the processing of your personal data, you can contact:
- Ramon van der Wal, CEO Zestgroup | firstname.lastname@example.org | 06-47955409
- Ron Saas, COO Zestgroup | email@example.com | 06-54611786
Changes to Privacy Statement
We reserve the right to change this privacy statement. If it concerns an important change, we will inform you.
Date of this privacy statement
This privacy statement is dated May 22, 2018.
3401 MX IJsselstein
3400 AG IJsselstein