Privacy plays an important role in the relationship between the client and Red Harvest B.V. and is therefore an aspect that we take very seriously. Red Harvest B.V. is responsible for personal data and data exchange in all areas in which it operates. Red Harvest B.V. is obliged to treat the collection, storage, and management of personal data of clients, employees, and supply chain partners carefully, securely, confidentially, and in accordance with the principle of proportionality. The proper and careful handling of personal data is a daily activity at Red Harvest B.V. Protecting privacy is complex and is becoming even more so due to technological developments, major security challenges, and new European legislation. We therefore believe it is important to be transparent about the way in which we handle personal data and guarantee privacy.
1. Legislation and definitions
Each Member State of the European Union used to have its own privacy law, based on the European directive of 1995. In the Netherlands, the Personal Data Protection Act (‘Wet bescherming persoonsgegevens’, Wbp) previously regulated the legal framework for the handling of personal data. But this Act expired on 25 May 2018 and was replaced by the European General Data Protection Regulation (GDPR) and the implementation Act. The GDPR builds on the Wbp and strengthens and expands the privacy rights with more responsibilities for organizations.
The following terms are used in the GDPR (Article 4, GDPR):
- Data subject: The person to whom the personal data relate. The data subject is the person whose data are processed.
- Processor: The person or organization that processes the personal data on behalf of another person or organization.
- Personal data: All data that relate to people and by which you can recognize a person as an individual. This does not only concern confidential information, such as the status of someone's health, but any data that can be traced back to a particular person (for example: name, address, or date of birth). In addition to ordinary personal data, the GDPR also provides for special personal data. These are data that relate to sensitive subjects, such as ethnic background, political preferences, or the citizen service number (BSN).
- Data protection impact assessment: A data protection impact assessment (DPIA) assesses the impact and risks of new or existing processing activities on the protection of privacy. This is also known as a privacy impact assessment (PIA).
- Controller: An individual or body that alone or together with another determines the purpose and means of processing personal data.
- Processing: Processing is everything you do with personal data, such as recording, storing, collecting, merging, giving it to someone else, and erasing.
The disciplines within Red Harvest B.V. are all responsible for the processing carried out by or on behalf of Red Harvest B.V. The disciplines within Red Harvest B.V. include accountants, tax consultants, lawyers, business administrators, consultants, and staff departments.
4. Processing (Article 4, GDPR)
The processing of personal data is any activity or set of activities involving personal data, whether or not carried out via automated processes. Under the GDPR, processing includes:
- Collection, recording, and organizing
- Saving, adapting, and altering
- Accessing, consulting, using
- Provision of data through transmission
- Dissemination or any other form of making data available
- Bringing together, relating data to each other
- Screening, erasing, or destroying data
This list shows that everything you do with personal data is considered to be processing.
Purpose (Article 5, GDPR)
According to the GDPR, personal data may only be collected if a purpose to do so has been established. The purpose must be explicitly described and justified. At Red Harvest B.V. we do this in the Record of Processing. The data may not be processed for other purposes.
Legal basis (Article 6, GDPR)
The GDPR states that any processing of personal data must be subject to a legal basis. This means that the processing of data may only take place:
- In order to comply with an obligation laid down in the law
- For the performance of a contract in which the data subject was a party
- To combat a serious threat to the health of the data subject
- For the proper fulfilment of the tasks of Red Harvest B.V.
- Where the data subject has given their consent to the specific processing
Method of processing
The main rule of the processing of personal data is that it is only allowed in accordance with the law and in a careful manner. Personal data are collected from the data subject themselves as much as possible. The GDPR is based on subsidiarity, which means that processing is only permitted if the purpose cannot be achieved in another way. The GDPR also refers to proportionality. This means that personal data may only be processed if this is in proportion to the purpose. Where the same purpose can be achieved with no personal data, or with personal data that are less likely to be incriminating, that option must always be chosen.
Red Harvest B.V. ensures that the personal data are correct and complete before they are processed. These data are only processed by persons with an obligation of confidentiality. In addition, Red Harvest B.V. secures all personal data. This is intended to prevent the personal data from being viewed or changed by someone who has no right to do so. The way in which Red Harvest B.V. secures personal data can be found in our information security policy.
Transfer (Articles 44 to 50, GDPR)
Option 1: Transfer
Red Harvest B.V. does not transfer personal data to countries outside the European Economic Area (EEA) or international organizations.
Option 2: Transfer
Red Harvest B.V. only transfers personal data to countries outside of the European Economic Area (EEA) or international organizations on the basis of agreements approved by the European Commission.
5. Transparency and communication
Duty to inform (Articles 13 and 14, GDPR)
Red Harvest B.V. informs data subjects about the processing of personal data. When data subjects provide data to Red Harvest B.V., they are informed of the way in which Red Harvest B.V. will handle their personal data. The data subject will not be informed again if they are already aware that Red Harvest B.V. collects and processes their personal data and knows why and for what purpose this is done.
Red Harvest B.V. does not retain personal data for longer than is necessary for the performance of its tasks or in accordance with statutory regulations such as retention periods. If there are still personal data stored that are no longer necessary to achieve the purpose for which they were collected, these will be erased as soon as possible. This means that these data will be erased or modified in such a way that the information can no longer be used to identify someone.
Rights of data subjects (Articles 13 to 20, GDPR)
The GDPR not only determines the obligations of the persons processing personal data, but also the rights of the persons whose data are being processed. These rights are also referred to as the rights of data subjects, and consist of the following rights:
- The right to be informed: Data subjects have the right to ask Red Harvest B.V. whether their personal data are being processed.
- The right of access: Data subjects have the opportunity to check whether and in what way their data are processed.
- The right to rectification: If it becomes clear that the data are not correct, the data subject can submit a request to Red Harvest B.V. to correct this.
- The right to restrict processing: Data subjects have the right to ask Red Harvest B.V. to stop using their personal data.
- The right to be forgotten: In cases where the data subject has given permission to process data, they also have the right to have their personal data erased.
- The right to object: Data subjects have the right to object to the processing of their personal data. Red Harvest B.V. will comply with this, unless there are justified grounds for the processing.
Submitting a request
In order to exercise their rights, the data subject may submit a request verbally, in writing, or by e-mail. Red Harvest B.V. has four weeks from the date of receipt of the request to assess whether the request is justified. Within four weeks, Red Harvest B.V. will inform the data subject about what will happen with the request. Following a request, Red Harvest B.V. can ask for additional information to verify the identity of the data subject.
6. Automated processing
Profiling (Article 22, GDPR)
Big data and tracking
7. Obligations of Red Harvest B.V.
Record of processing activities (Article 30, GDPR)
Red Harvest B.V. is responsible for establishing a record of all processing activities for which Red Harvest B.V. is the controller. Each record contains a description of what takes place during a processing activity and what data is used for that purpose, namely:
- The name and contact details of the controller and, possibly, the joint controller
- The purpose of the processing
- A description of the type of personal data and the associated data subjects
- A description of the recipients of the personal data
- A description of the sharing of personal data with a third party such as a different country or international organization
- The time limits within which the various personal data are to be erased
- A general description of the security measures.
Data protection impact assessment (Article 35, GDPR)
A data protection impact assessment (DPIA) assesses the impact and risks of new or existing processing activities on the protection of privacy. Red Harvest B.V. performs this assessment when automated or large-scale processing takes place. This is particularly the case for processing activities using new technologies.
Appointment of a Data Protection Officer (DPO) (Articles 37 to 39, GDPR)
Red Harvest B.V. is not legally obliged to appoint a DPO. We do have a GDPR core group which serves as the point of contact for Red Harvest B.V. for GDPR-related matters.
Data breaches (Articles 33 and 34, GDPR)
A data breach has occurred when personal data falls into the hands of third parties who should not have access to that data. If a data breach occurs, Red Harvest B.V. will report it to the Dutch Data Protection Authority (Dutch DPA) without unreasonable delay and no later than 72 hours after the breach has been confirmed. If this report is submitted later than 72 hours after the data breach has been confirmed, a justification for the delay will be attached to the report. It is possible that a data breach poses a high risk to the rights and freedoms of the data subjects. In such a case, Red Harvest B.V. will report this to the parties concerned in simple and clear language. In order to prevent future data breaches, existing data breaches are evaluated and, where necessary, action is taken to prevent such a situation occurring in the future.