Privacy Statement
Northwave's
Privacy Statement
Version: 1.7
Date: 16-02-2023
Northwave Group B.V. respects your privacy. We process personal data so that we can carry out our activities quickly and efficiently and optimise our service to you. Guaranteeing the safety and privacy of your personal data is not only in your interest, but also in ours. Northwave Group B.V. therefore adheres to the relevant legislation andregulations which stipulate requirements concerning the use of privacy-sensitive information. Northwave Group B.V. guards the quality, confidentiality, accuracy, and completeness of the personal information it processes. We use adequate technical and management procedures to keep the information accurate, current, and complete. If you indicate that certain information may not be used as a basis for further contact, we will respect that. As a result, your privacy is guaranteed.
Personal data that we process
Personal data are all data that can be traced back to a person. Examples include your name, address, telephonenumber, and account number, and photographs and biometric data are also considered personal data. The personal data that we process can be divided into categories per purpose of processing for ease of reference. We use the following categories of personal data about you:
Category of personal data
(customers, suppliers, and business contacts)
Name and surname.
This data is required for the agreements we enter into with you and for their financial settlement. Examples of these include service agreements and purchase agreements. In addition, clients’ employees’ data can be used in the context of the awareness training courses we offer.
Contact details.
Northwave Group B.V. needs contact details to be able to contact its clients. Northwave Group B.V. also uses this information to maintain an extensive business network and to retain and expand its project portfolio.
All data emerging from investigations into security incidents, vulnerabilities, scans, and monitoring.
Our CERT, SOC, and Red Team investigate and monitor clients’ security. When doing so, they may come across personal data relevant to the investigation.
Business mobile phone number, business email, and signature.
Northwave Group B.V. retains some of the personal data of its business contacts so that it can carry out the cooperation. In addition, it screens its business contacts before entering into partnerships. Some personal data are needed for this purpose.
(office visitors)
First and last name, signature, and camera images.
Before visitors enter the office, we process a certain amount of personal data on them so that we have a clear idea of who was in the building and when. This enables us to ensure business continuity and the safety of those present.
(potential) employees and trainees
Name, address, citizen service number, copy of proof of identity, employee number, nationality, number plates of company car, (desired) salary, gender, copy of driving license, time sheet, date of birth, (business) mobile telephone number, IBAN data, signature, (business) email, performance reviews, training and education, assessment reviews, data on absence due to illness, reintegration data, family composition, partner’s name, child(ren)’s name(s), certificate of conduct, CV (screening), emergency contact, marital status, connection times, IP address, security codes, passwords, authorisations, declaration of no objection, MAC addresses, use of information tools, rejection of candidate data, personal interests, references, work experience, evaluation of the use of information tools, camera images, photographs.
These data are at the heart of all Northwave Group B.V.'s objectives in recruitment and selection, the conclusion and execution of employment or internship contracts, and the career guidance that goes with those. In addition, this data is used for the security of Northwave Group B.V.’s systems, for business continuity purposes, and for the observance of legal obligations.
Processing purposes
We use the personal data listed for the purposes stated below:
- Being able to conclude agreements with (potential) customers, employees, and trainees;
- Executing and administratively handling the agreements we conclude with our customers, employees, and trainees;
- The fulfilment of legal obligations, such as tax record retention requirements;
- Security purposes;
- Maintaining and expanding a business network;
- Maintaining and expanding project portfolios.
Legitimate basis
Agreement - Northwave Group B.V. utilises agreements for its services and labour relations. Before this agreement is effected, customers and employees are registered in the system; this is considered the precontractual phase. For the pre-contractual phase, the legal basis is also the agreement..
Legal requirements - Northwave Group B.V. also collects personal data to be able to comply with its legal obligations, such as administration obligations as required by tax authorities.
Legitimate interest - Legitimate interest applies to us only as a basis for processing within the context of marketing and security purposes.
Mandatory provision of personal data
Sometimes, we are obliged by law to store or provide certain personal data about you, such as to tax authorities.
In many instances, it is necessary to use some of your personal data in order to provide you with the service or product that you purchase from us. In this case, the use of your data is necessary for the agreement or the pre-contractual phase.
In these cases, you are obliged to provide us with data because otherwise, we cannot fulfil our legal and/or contractual obligations.
Third parties
Northwave Group B.V. does not collect personal data from third parties.
We do not provide your (personal) data to other parties unless this is necessary within the framework of the execution of the agreement, unless we have a legitimate interest in doing so, or if it is necessary to comply with astatutory obligation. This includes, for example, the provision of personal data in the context of salary administration, forensic investigation, and other necessary processing.
Data outside the EU
In principle, Northwave Group B.V. does not process data outside the EU. It could be, however, that a supplier islocated outside of Europe. In that case, Northwave Group B.V. will only use suppliers located in countries with an adequate level of protection, or where an exception applies that is laid down in the current privacy legislation.
Security of personal data
Because the security of personal data is very important, Northwave Group B.V. makes sure it takes various appropriate technical and organisational measures to ensure that personal data cannot be abused or otherwise end up in the wrong hands. We ensure that if we transfer your personal data to other organisations such as processors, these organisations maintain the same standards. To this end, we have implemented ISO 27001 within every facet of our business operations
Statutory time limits
We will not retain your data any longer than is necessary to fulfil the purposes set out in this privacy statement.
Your rights
Northwave Group B.V. considers your ability to exercise the rights you have under the law important. Therefore, it is very easy to contact us via security@northwave.nl .
You can exercise the following rights:
- The right of inspection: you have the right to inspect any of your personal data that we process. Exceptions may apply to this, such as a legal obligation or a legitimate interest on the part of Northwave Group B.V.
- The right of rectification: if the personal data we process about you is incorrect, you have the right to have it corrected.
- The right to erasure: if we no longer need your personal data for the purpose for which we received them, you have the right to ask us to delete them. This is subject to a number of conditions, for instance that Northwave Group B.V. has processed your personal data unlawfully, that the personal data are no longer needed for the activities of Northwave Group B.V., that you have withdrawn your permission, or that the legal retention period has expired. Exceptions include the right to freedom of expression, a legal obligation of Northwave Group B.V., the legitimate interest of Northwave Group B.V., or the necessity for a legal claim.
- The right to restriction of processing: during the time frame that we are in the process of determining whether your data should be rectified, determining the (un)lawfulness of data processing, determining whether data have to be deleted, or if you have lodged an objection to the processing, you have the right to request the restriction of the processing.
- The right of data portability: upon your request, we must transfer any personal data we have about you to you or another organisation of your choice.
- The right to object: if we process data on the grounds of legitimate interest or public interest, it is possible to object, after which a weighing of interests will follow. In the case of direct marketing, you always have the right to object. The exception to this is if we have a legitimate interest in processing your personal data.
- The right to a human view in decision-making: you have the right to have a person involved in decision-making regarding your personal data. You do not have this right if automated decision-making is necessary for the agreement concluded between you and Northwave Group B.V., if automated decision-making is permitted, or if you have given your explicit consent for this processing.
Northwave Group B.V. will reply to your request within four weeks or will inform you of the reasons why it is taking longer to reply.
Reporting a data breach
Should you discover a data breach, you can report it to us using the contact details below.
Security & Privacy Office
+31 (0) 30-3031240
Cookies
Our website make use of functional cookies. You can find out more about them in our Cookie Statement: https://northwave-cybersecurity.com/cookie-statement.
Changes to this Privacy Statement
We reserve the right to amend this privacy statement if this is required by law or regulations. Because of this, you are requested to regularly read through the privacy statement so that you remain aware of its current content.
Contact
Should you have any questions, complaints or comments, please contact us via security@northwave.nl. This will put you in touch with Northwave Group B.V.’s Privacy Officer.
Filing a complaint with a competent supervisory authority
Northwave Group B.V. believes it is important to have satisfied customers and employees. Even though we make every effort to achieve this, it may happen that you are dissatisfied. Should this happen, it is possible to file acomplaint with the competent supervisory authority. In principle, you can do so with the supervisory authority situated in the country where you reside or where the office of Northwave Group B.V. that processes your personal data is situated. For further information, you can visit the following website of the European Data Protection Board (EDPB): https://edpb.europa.eu/about-edpb/board/members_en.
Should you have any doubts concerning the competent supervisory authority, you can always contact the Dutch Data Protection Authority (Dutch DPA). They can be contacted via: https://autoriteitpersoonsgegevens.nl/nl/contact-met-de-autoriteitpersoonsgegevens/informatie-en- meldpunt-privacy