Privacy policy

The Fritom Group takes privacy seriously. In this privacy statement we explain which personal data we collect and use, for what purpose we do this and how we ensure that these personal data are properly secured.

Privacy policy
As data controller, The Fritom Group processes, manages and secures personal data with the utmost care. We offer our employees a safe place to work. We comply with the requirements of the General Data Protection Regulation (GDPR) and national legislation. We have laid out how we meet these requirements in our privacy statement.

Personal data that we process
The Fritom Group processes personal data of staff, visitors, customers, relations and other persons. We receive part of that personal data directly from those involved. For example, the name and address of a customer and when hiring new employees. We collect some of the personal data that we process ourselves, such as data on how employees perform their roles. We also receive personal data from third parties.

We process the following personal data of our staff:

  1. surname, first names, initials, title, gender, date of birth, address, zip code, place of residence, telephone number and similar information required for communication, such as the email address and bank account number of the person concerned;
  2. social security number;
  3. copy of ID documentation or passport;
  4. an employee number that does not contain any further information than what is referred to under a;
  5. nationality, place of birth;
  6. information regarding religion or belief, insofar as this is necessary for the proper performance of duties in accordance with conditions of employment;
  7. information regarding training, courses and internships;
  8. information on working conditions;
  9. data relating to the calculation, recording and payment of salaries, allowances and other amounts of money and remuneration in kind;
  10. data relating to the calculation, recording and payment of taxes and premiums;
  11. details of the post or former post(s), as well as the nature, content and termination of previous employment;
  12. information necessary for the administration of the presence of the persons concerned at the place where the work is performed and their absence due to leave, reduction of working hours, childbirth or illness, excluding information concerning the nature of the illness;
  13. data recorded in the interest of the persons concerned in view of their working conditions and safety;
  14. data, including data concerning family members and former family members of the persons concerned, necessary for the purposes of agreed working conditions;
  15. data relating to the performance of duties, staff appraisal and career guidance, to the extent that such data are known to the persons concerned;
  16. login details for Fritom network;
  17. photos and video images with or without sound of activities of the Fritom company in question and the work carried out by employees;
  18. camera images of the company premises and the generally accessible areas of the respective Fritom company;
  19. the information concerning the time, date and place when the camera recordings were taken;
  20. data other than those referred to under a. up to and including s., the processing of which is required pursuant to or necessary for the application of another unspecified law.

Data that we have not acquired from employees or collected ourselves are received from the following third parties:

  • Arbodienst (Health and Safety Service)
  • Tax authorities
  • UWV (Employee Insurance Agency)
  • Other governmental agencies

We process the following personal data of charters and hired third parties:

  1. surname, first names, initials, title, gender, date of birth, address, zip code, place of residence, telephone number and similar information required for communication, such as the person's e-mail address and bank account number;
  2. Social security number
  3. copy of ID documentation or passport;
  4. nationality, place of birth;
  5. information relating to religion or belief, to the extent necessary for the proper performance of duties in accordance with conditions of employment;
  6. information regarding training, courses and internships;
  7. data regarding to the service contract;
  8. data on the calculation, recording and payment of salaries, fees and other sums of money and remuneration in kind;
  9. information relating to the administration of the presence of the persons concerned at the place where work is carried out;
  10. data recorded in the interest of the persons concerned in view of their working conditions and safety;
  11. photos and video footage, with or without sound, of the activities of the relevant Fritom company and the work carried out by charters/third party hires;
  12. camera images of the company premises and the general accessible areas of the respective Fritom company;
  13. the information concerning the time, date and place of when the recordings were taken;
  14. data other than those referred to under a. up to and including m., the processing of which is required pursuant to or necessary for the application of another unspecified law.

We process the following personal data of clients and customers:

  1. surname, first names, initials, title, sex, date of birth, address, zip code, place of residence, telephone number and similar information required for communication, such as e-mail address and the organization to which the person concerned belongs;
  2. administrative/client number
  3. data forasmuch the order given by the client/customer;
  4. camera images of the company premises and the general accessible areas of the respective Fritom company;
  5. the information concerning the time, date and place of when the recording was taken;
  6. data other than those referred to under a. up to and including d., the processing of which is required pursuant to or necessary for the application of another law.

Why we use personal data
We only use our employee’s personal data to allow us to carry out their labor contract. The purpose of processing personal data of employees is to:

  1. entering into an employment contract (Article 6 paragraph 1b GDPR);
  2. the determination of salary and other employment conditions (Article 6 paragraph 1b GDPR);
  3. payment of salary, tax deductions and bonusses (Articles 6(1b) and 6(1c) GDPR);
  4. the implementation of employment conditions applicable to the employee concerned (article 6 paragraph 1b GDPR);
  5. for collecting payments, including placing collection in the hands of third parties. (article 6 paragraph 1b GDPR);
  6. the granting of dismissal (Article 6 paragraph 1b GDPR);
  7. the transfer of the person concerned to (temporary) employment with another part of the group, as referred to in Article 2:24b of the Dutch Civil Code, to which the controller is attached (Article 6 paragraph 1b GDPR);
  8. managing and supervising the person concerned (Article 6, paragraph 1b GDPR);
  9. providing company medical care for the person concerned and the ability to fulfil reintegration obligations in the event of absenteeism (Article 6 paragraph 1c GDPR);
  10. granting access to the Fritom network (Article 6(1b) GDPR);
  11. arranging and monitoring entitlements to benefits in connection with termination of employment (Article 6, paragraph 1b AVG);
  12. election of the members of the representative body (Article 6, paragraph 1c of the GDPR);
  13. handling of disputes (Article 6 paragraph 1b GDPR);
  14. the handling of personnel matters other than those mentioned under a. to m. (Article 6 paragraph 1b GDPR);
  15. having an audit carried out and having claims for funding established (Article 6, paragraph 1c of the GDPR);
  16. security and surveillance of persons, property and buildings (Article 6 paragraph 1f GDPR)

The purpose of processing personal data of charters and hired third parties is:

  1. entering into the contract for the provision of services; (Article 6 paragraph 1b GDPR)
  2. determining the remuneration and other conditions of service;
  3. the payment of remuneration (Article 6 paragraph 1b GDPR);
  4. the implementation of an agreement applicable to the person concerned; (Article 6(1b) of the GDPR);
  5. collecting claims, including placing those claims in the hands of third parties; (Article 6, paragraph 1b GDPR);
  6. the termination of the contract for the provision of services (Article 6 paragraph 1b GDPR);
  7. the transfer of the person concerned to his (temporary) employment with another part of the group, as referred to in Article 2: 24b of the Civil Code to which the controller is connected (Article 6 paragraph 1b GDPR);
  8. giving instructions and accompanying the person concerned (Article 6, paragraph 1b GDPR);
  9. handling disputes; (Article 6 paragraph 1b GDPR)
  10. the handling of matters relating to the services, other than those mentioned under a. to i.; (Article 6 paragraph 1b GDPR)
  11. to have an audit carried out and to have claims for funding determined; (Article 6 paragraph 1c GDPR)
  12. security and supervision of persons, objects and buildings (Art.6 para. 1f GDPR)

The purpose of the processing of personal data of clients and customers:

  1. placing orders or assigning services to service providers (Article 6 paragraph 1b GDPR);
  2. calculating and recording income and expenditure and making payments (Article 6 paragraph 1b GDPR);
  3. collecting claims, including placing those claims in the hands of third parties as well as other internal management activities (Article 6 paragraph 1b GDPR);
  4. the maintenance of contacts by the controller with the suppliers (Article 6 paragraph 1b GDPR);
  5. handling disputes and having an audit carried out (Article 6 paragraph 1c GDPR);
  6. the implementation or application of another law (Article 6 paragraph 1c GDPR);
  7. and supervision of persons, objects and buildings entrusted to the care of the relevant Fritom company (Article 6 paragraph 1f GDPR).

Security and storage
We take appropriate measures to prevent misuse, loss, unauthorized access and other undesirable acts with personal data. For example, we store personal data in systems with limited access and use encryption. These measures are included in our security policy.

The collected personal data is not kept longer than necessary. We remove personnel data two years after termination of employment, unless we are required to comply with a (longer) retention period by law.

We've taken security measures including:

  1. The Fritom Group has outsourced the management of its IT infrastructure to an IT service provider (ISO 9001, ISO / IEC 27001 and NEN7510 certified).
  2. The Fritom Group's IT infrastructure is housed on a private cloud in a 24-hour secured data center in the Netherlands.
  3. Data is stored according to a backup schedule which limits the damage in the event of unintentional destruction or deterioration of the data.
  4. The IT infrastructure is equipped with up-to-date antivirus and malware software that is applied to various layers of technology.
  5. The Fritom Group has an authorization policy whereby only those authorized by their role or function have access to the system and the necessary data, for the period necessary.
  6. Remote access to our IT infrastructure is secured with secure passwords that need to be changed periodically. The software with which remote access takes place contains measures against unwanted access, such as limiting the number of login attempts per unit of time.
  7. Software suppliers only have access to the part of the system where they need to perform their work. Access is explicitly limited to the period in which the work takes place and is only possible with the permission of the IT Manager responsible for the data processing at the Fritom Group.
  8. Changes in the IT infrastructure take place according to the change procedure and are recorded by means of a Request for Change form.
  9. Security incidents are reported centrally, recorded in a notification system and handled with the IT service provider according to regular incident management.
  10. The local (wireless) network of the Fritom Group is equipped with various security measures (firewall, monitoring systems, etc.).
  11. Employees who come into contact with sensitive personal data in the course of their work have signed a confidentiality agreement.

Data sharing outside the EU
If personal data is transferred to a country outside the European Economic Area (EEA), there must be a security level comparable to the security level under the GDPR (see also the explanatory notes to Annex 3 of the Register).

To ensure this, there are the following possibilities:

  1. transmission on the basis of an adequacy decision of the European Commission;
  2. transfer based on appropriate safeguards, where a country or organization has not been identified as adequate by the European Commission, transfer may take place if the controller and the processor (provably) provide appropriate safeguards and enforceable rights and remedies for the person concerned (s);
  3. transfer based on the explicit consent of the person concerned, whereby the person concerned has been informed about the risks, or if there is a situation of necessity.

Data sharing to the US
The European Commission (EC) has established a regulation for the transfer of personal data to the United States (US). This regulation is called the EU-US privacy shield. The purpose of the privacy shield is to provide a level of protection in the exchange of personal data with the US that is broadly equivalent to the level within the European Union (EU).

The privacy shield will replace the Safe Harbour agreement, which the European Court of Justice declared invalid on October 6, 2015. Every organization in the US that is certified under the privacy shield will have an adequate level of protection (for the duration of the certification). This means that organizations from Europe are allowed to transfer personal data to these organizations in the US.

Does the Fritom Group share personal data with third parties?
We only share personal data with third parties if this is necessary for the performance of an agreement or to comply with a legal obligation. Agreements are made with organizations that process your data on behalf of our company to ensure that your data is properly secured there as well. We also use cloud services where data is stored on a server abroad. We only do this if there is an adequate level of data protection.

Your rights
You have the right to object to the processing of your data, to revoke previously given consent and you have the right to access, correct or delete your data. If necessary, you can also ask the Fritom company concerned to limit the processing of your personal data or to transfer your data to yourself or to a third party.

If you wish to make use of (one of) these rights or if you have any questions about how we deal with privacy and personal data. Please contact us at fg@fritom.nl or contact our data protection officer (FG), Mr. R. Beuving, directly.

Do you have a complaint about the way we process personal data? If so, please contact Fritom Group via the contact details above. In the unlikely event that we cannot resolve the matter with you, you can submit a complaint to the supervisory authority, the Personal Data Authority.

A request is free of charge. However, where requests from a person concerned are manifestly unfounded or excessive, in particular because of their repetitive nature, the Fritom company to which the request is addressed may charge a reasonable fee in the light of the administrative costs involved in the request or refuse to execute the request.

The Fritom company to which the request is addressed shall provide the party concerned with information on the action taken in response to the claim within one month of receipt of the claim.

If the claimant submits a request because certain recorded data is incorrect or incomplete, he or she has an interest in the termination of the processing that outweighs that of the organization, or the processing is not (or no longer) necessary in view of the objective of the Fritom Group privacy regulations, or is contrary to these regulations, the data protection officer shall take a written decision on behalf of the data controller within one month after the person concerned has submitted this request.

Depending on the complexity of the requests and the number of requests, this period may be extended by another two months if necessary. The Fritom company concerned shall inform the claimant concerned of any such extension within one month. Where the claimant submits its request electronically, the information shall, where possible, be provided electronically, unless the person concerned requests otherwise.

If the Fritom company in question has doubts about the identity of the claimant, it will ask the claimant as soon as possible to provide further details of his or her identity or to submit a valid proof of identity in writing. This request suspends the time limit until the requested proof has been provided.

If the Fritom company in question does not wish to comply with an application as referred to above, it shall notify the party concerned in writing, stating its reasons, within one month after receipt of the application.

Revision of privacy policy
We reserve the right to modify this privacy policy. We will post any revised versions on this website. If a revised version is published, we will provide a clear notification with information about the most significant changes. We will also indicate when the policy was last modified.

FRITOM CORPORATE

CERTIFICATIONS

Fritom Corporate is part of the Fritom Group