Code of Conduct Processing Personal Data
Boreas Maritime B.V. and / or its affiliated companies, including Boreas Tunnelling, (hereinafter referred to as the responsible party), takes into consideration that:
The Processing Personal Data Act sets rules for the protection of personal data;
The Processing Personal Data Act stems directly from the European Directive 95/46/EG, which is aimed at setting guarantees to protect the fundamental rights and freedoms, in particular the protecting of privacy;
Article 25 of the Processing Personal Data Act offers the responsible party the possibility, given the characteristics of the sector in which it operates, to draft such a Code of Conduct that is an elaboration of this act or to other legal provisions regarding the processing of personal data;
The responsible party processes personal data of natural persons, within the framework of its normal business operations and takes into consideration the importance to process personal data with great care;
The responsible party provides full disclosure to maximise a complete transparency for all persons concerned.
Has taken into regard:
The Processing Personal Data Act (Stb. 2000, Lts. Gew. Stb. 2009, 8);
Decided to be bound by the following Code of Conduct.
1: General Provisions
Art. 1: Definitions
In the context of this Code of Conduct the definitions hereunder shall have the following meaning:
a. The Wpb: Processing Personal Data Act (Stb. 2000, 302);
b. Personal data: any information concerning an identified or identifiable natural person;
c. Processing of personal data: any action or any set of operations concerning personal data including the collection, recording, ordering, storage, adoption or alteration, retrieval, consultation, use, dissemination by means of transmission, distributing or making available in any other forms, merging, linking, as well as blocking, deleting or destructing of personal data;
d. File: any structured set of personal data that is accessible according to specific criteria and related to natural persons, whether centralised or dispersed in a functional or geographical manner;
e. Responsible party: Boreas Maritime B.V. and / or its affiliated companies, which determines the purpose and means of processing personal data;
f. Processor: the person or company that processes personal data for the responsible party without failing under the direct authority;
g. Person concerned: the person to whom an item or personal data relates to;
h. Third party: every other person, not being the person concerned, the responsible party, the processor or any other person who is falling under the direct authority of the responsible party or the processor and is authorised to process personal data;
i. Recipient: a person or organisation to whom personal data will be provided, being the client or a (government) agency;
j. Third country: a country located outside the European Economic Area;
k. Dutch Data Protection Authority: the supervisor as mentioned in Article 51 Wbp;
l. Providing personal data: the revealing or providing of personal data;
m. Collection of personal data: obtaining personal data.
Paragraph 2: Principles of data processing
Art. 2: Scope and principles for processing personal data
1. This Code of Conduct is applicable to any form of processing of personal data by the responsible party, the authorised staff of the responsible party, or any processor hired by the responsible party.
2. Personal data shall only be processed if:
a. The person concerned has given his unambiguous consent to the responsible party for the processing of personal data;
b. The data processing is necessary for the execution of an agreement to which the person concerned is a party, or for taking pre-contractual measures that are necessary to conclude such an agreement;
c. The processing is necessary in order to fulfil a legal obligation to which the responsible party or the recipient is subjected to;
d. The processing of personal data is necessary in order to protect the vital interests o the person concerned;
e. The processing of personal data is necessary for the purpose of the legitimate interests pursued by the responsible party or a third party to whom the data is disclosed, unless the interest or fundamental rights and freedom of the person concerned, in particular the right to privacy, prevails. The processing will be ended if the interest of the person concerned prevails.
Art. 3: Purpose for data processing
1. The responsible party processes personal data for the purpose of obtaining or providing information concerning natural persons, to support the preparation and / or settlement of the decisions that must be taken by the responsible party and / or recipients concerning:
a. The selection of (potential) candidates;
b. The entering or termination of any employment relationship;
c. Whether or not to apply, respectively continue assignments and / or agreements;
d. Determining the conditions under which assignments and / or agreements take place;
e. Whether or not to enter into rights and obligations that are necessary for the context of the implementation of assignments and / or agreements;
f. The termination of assignments and / or agreements;
g. Determining rights and obligations that stem from legal obligations and regulations;
h. Entering into such rights and obligations.
2. Taken into account the provisions of Article 2 of this Code of Conduct, the aforementioned purposes listed here provide the legitimate base for the processing of personal data.
Art. 4: Provision of data
1. Taken into account the principles of diligence and carefulness, the processed personal data can derive from:
a. The person concerned or on his behalf; if personal data will be obtained by a third party on behalf of the person concerned, the responsible party should ensure this third party is authorized or otherwise competent to obtain the data on behalf of the person concerned, unless the competence can reasonably be presumed;
b. A third party who maintains or has maintained a financial or business relationship for the respective particular processing purpose with the person concerned and who has obtained this data within the framework of the purpose of the processing, insofar as obtaining f the data is not incompatible with the purpose for which it was collected;
c. A third party that maintain or has maintained an employment relationship with the person concerned;
d. Public registers, such as the Trade Registry of the Chamber of Commerce, Land Registry, the Central Register of Insolvencies or the Receivership Register;
e. Public sources and registers, such as Registries of Subdistrict Courts (bankruptcies, suspensions of payments, debt restructuring), the Dutch State Gazette (Staatscourant) and internet sources;
f. Public document verification- and signalling registers;
g. International equivalents of the sources mentioned above.
2. Personal data will be processed in such a manner that expresses the nature of the source from which it is obtained.
Art. 5: Processing of personal data
1. Personal data shall only be processed insofar as it is sufficient, relevant and not excessive given the purpose for which it was collected or for which it was processed.
2. The following types of personal data can be processed:
a. Name, address, zip code, residence, date of birth or age, place of birth, native country, gender, marital status, family status, BSN, passport number, telephone number, email address and other relevant data for identification and communication;
b. Current and previous positions, professions and / or business activities;
c. Names of present and former employer(s);
d. Data relating to training and certificates;
e. Court decisions such as attachment under an execution, summons or notification of judgements;
f. Juridical decisions regarding bankruptcy, suspension of payment and debt restructuring due to the Dutch and / or foreign legislation, such as the Natural Persons Composition Act;
g. Other data necessary for the purpose of processing.
3. The responsible party shall take all the necessary provisions to promote the accuracy and completeness of the processed personal data.
4. If there is a reasonable suspicion that the personal data is not accurate anymore, the responsible party should examine the accuracy of the data and if necessary improve, supplement, remove or block such data.
5. In offering its services, the responsible party uses a server park that is located in the Netherlands. Consequently, Dutch Law and Regulations are applicable to the processing of personal data. This server park is managed and maintained by the responsible party and a processor with whom the responsible party has concluded a Service Level Agreement and Data Processing Agreement. All the activities will be maintained in an administration that is carried out by the responsible party.
Art. 6: Specific data
1. No personal data will be processed concerning someone’s religion or belief, race, political opinion, health and sexual orientation as well as a trade-union membership.
2. The provisions of the first paragraph are not applicable:
a. If the data is manifestly made public by the person concerned;
b. If the data is processed with the explicit permission of the person concerned;
c. If the processing regards data concerning race that is inevitable in order to contribute to the identification of the person concerned;
d. Insofar as the data is necessary for:
i. An adequate application of (foreign) statutory regulations, which include the obtaining of required permit or the implementation of pension schemes or collective labor agreements that provide in entitlements that are dependent on the health status of the person concerned;
ii. The re-integrations, guidance or support of employees or beneficiaries regarding sickness or disability;
e. In all the other cases permitted by the Wpb.
3. Data of a criminal or disciplinary nature shall not be processed. Therefrom is excluded data concerning financial-economic crimes insofar as the data comes from open sources and insofar as the documentation is necessary for a responsible practice by the responsible party.
Art 7: Retention period
1. Personal data shall be stored for the period that is necessary regarding the purpose of the processing. The following retention period are applicable;
a. Personal data wherefore a legal retention period is applicable: minimum 5 years post-employment;
b. Personal data wherefore a legal retention period is not applicable: maximum 2 years post-employment;
c. Application information: maximum 1 year after termination of the application procedure.
2. Any personal data that is deleted, shall be destroyed in a way that it is no longer available or could be made available.
Paragraph 3: Information obligation, access and correction
Art. 8: Information obligation
1. In the case of automated processing or manual processing of personal data in a document, the responsible party shall inform the person concerned about its identity and the purpose of the processing:
a. If personal data is obtained from the person concerned, before or at the time of the acquisition;
b. If personal data is obtained in a different manner:
i. At the moment of the registration;
ii. No later than the moment of the first provision, when the data is intended to be disclosed to a recipient, unless the responsible party can assume on substantial grounds that the person concerned is already informed.
2. The obligation, as referred to in the first section, can be discarded if this is necessary for the interest of others than the person concerned, the responsible party included therein. In that case, the responsible party establishes the source of the data.
Art. 9: Right of access to the person concerned
1. Within four weeks, the responsible party shall inform anyone in writing, at their own request and after determination of their identity, whether personal data concerning them has been processed or not. If the personal data is requested for by another person than the person concerned, the responsible party must ensure that the application is authorised or is otherwise entitled to request this personal data on behalf of the person concerned, unless such entitlement can reasonably be presumed.
2. If such data shall be processed, a complete written overview of all the processed personal data shall be provided to the applicant at request within four weeks, along with intelligence regarding the nature of the sources from which the data is derived. In addition, a description of the purpose will be submitted, as well as information concerning the personal data and recipients.
3. The responsible party may require a reasonable compensation, up till the maximum amount prescribed by law, for the provision of this overview.
4. The obligations as mentioned in this Article can be set aside insofar as this is necessary for the interests of others than the applicant, the responsible party included therein.
Art. 10: Improvement, replacement, deleting or blocking
1. Following a message, respectively a request hereto from the person concerned, the responsible party shall correct, supplement, delete or block the personal data that is factually inaccurate, incomplete, or is processed in conflict with a statutory regulation or the purpose of the processing, as soon as possible after the finding thereof.
2. In case the information provided by the person concerned and / or the explanation thereof, in the opinion of the responsible party, forms an insufficient ground for immediately correcting, supplementing, deleting or blocking of the data as described in the first section or if this otherwise results in questions regarding the accuracy, respectively the completeness of the processed personal data of the person concerned, the responsible party will additionally investigate this.
3. The person concerned receives within 4 weeks after submitting a notification, respectively a request as mentioned in the first section, a written notice from the responsible party about whether or not personal data is corrected, supplemented and / or removed.
4. In case the responsible party corrects, supplements, deletes or blocks the personal data as a result of a notification, respectively a request from the person concerned, as mentioned in the first section, the responsible party shall inform those to whom the personal data of the person concerned is provided to about any correcting, supplementing, blocking or deleting, unless this is impossible or brings a disproportionate effort.
Paragraph 4: Provision of data
Art. 11: Provision of data to recipients
1. All personal data that the responsible party provides orally, written, through data communication or data carriers, regardless of the layout and whether or not in compressed formats, to a recipient as a result of automatic processing, will only be provided at prior request of such a recipient an in accordance with the purpose mentioned in Article 3.
2. Provision to recipients does not take place if the responsible party knows or has reasonable grounds to believe that the data:
a. Shall be published or utilised in a wider circle;
b. Will be used for purposes that are not in line with the purpose of the processing.
3. If there is a reasonable suspicion that the personal data is no longer up to date, provision thereof shall only take place after the data has been examined on accuracy.
Art. 12: Provision of data to processors
1. If the responsible party processes personal data by means of a processor on its own behalf, it shall ensure that sufficient guarantees regarding technical and organisational security measures for such processing operations are offered. The responsible party shall also supervise the compliance of these measures.
2. The carrying out of a processing operation by way of a processor shall be governed by an agreement or another legal act whereby a commitment arises between the processor and the responsible party.
3. The responsible party shall ensure that the processor:
a. Only processes the personal data in accordance with the responsible party’s mandate;
b. Keeps the personal data confidential;
c. Fulfils the obligations of the responsible party that are derived from Paragraph 4 of this Code of Conduct.
4. If the processor is located in another country of the European Economic Area, the responsible party shall ensure that the processor fulfils its duties under the law of that other country, in derogation from Article 9 section 3 subsection c of this Code of Conduct.
Art. 13: Compatible use
1. Personal data is provided for the legitimate purposes mentioned in Article 3 and may not be processed further in a way that is incompatible with these purposes.
2. In determining whether there is compatible use, the responsible party shall take into account the relationship between the purpose of the intended processing and the purpose for which the data is provided, the nature of the respective date, the consequents of the intended processing for the person concerned, the manner in which the data is provided and the extent wherein appropriate guarantees are foreseen towards the person concerned.
Art. 14: International aspects
1. This Code of Conduct is also applicable to the processing of personal data in a third country if the responsible party is located in the Netherlands.
2. The responsible party only gives personal data, that is subjected to provision or is intended for provision after transfer to a recipient or processor from a third country is an adequate level of protection is guaranteed or if one of the exceptions of article 77Wbp is applicable.
Paragraph 5: Confidentiality and Security
Art. 15: Confidentiality
1. The authorised representatives are subjected to an obligation of strict confidentiality, unless a legal provision or duty requires them to disclosure.
2. The authorised representatives must state in writing towards the responsible party that they are made aware of this Code of Conduct and that they shall act in accordance with the provisions thereof.
Art. 16: Security
1. The responsible party shall implement technical and organisational measures to secure personal data against loss or any form of unlawful processing. Considering the state of the technology and cost of the implementation, these measures shall ensure a level of security appropriate to the risks of the processing and the nature of the data to be protected. These measures are also focused on the unnecessary collection and further processing of personal data. The processor has an equal obligation for the whole or a port of the equipment, which it has in its possession.
2. Within the organisation of the responsible party, only the representatives that are authorised by the responsible party shall have exclusive access to the files concerning personal data. The responsible party will mention all the names of these authorised representatives in a register designated for such purpose.
Paragraph 6: Final provision
Art. 17: Contact
1. This Code of Conduct is available on the responsible party’s website.
2. This Code of Conduct may be sent along with the agreement between the responsible party and the person concerned. Copies thereof can be ordered via the following e-mail address: firstname.lastname@example.org.