Privacy Statement The VAT Consultancy Firm B.V.
The VAT Consultancy B.V. (hereafter TVCF) values its relationship with you and considers it of great importance that your personal data is handled with the utmost care. This Privacy Statement informs you of why and how TVCF collects, processes and discloses your personal data, and what TVCF undertakes to protect it. TVCF may unilaterally modify or update this Privacy Statement without prior notice. For this reason, we encourage you to regularly review the Privacy Statement. However, if substantive adjustments are made, a clear notification will be made available on our website.
- Privacy and Data Protection at TVCF
TVCF is a Dutch legal entity with two offices in the Netherlands and protection of your personal data lies with TVCF’s headquarter, Carolina van Nassaustraat 351, 2595 SV The Hague, The Netherlands, registered at the Chamber of Commerce under number 69153124.
TVCF complies with the requirements of the General Data Protection Regulation (Regulation (EU) 2016/679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in the European Economic Area (EU, Iceland, Liechtenstein and Norway) with regard to the processing of personal data and the free movement of such data. As required by the GDPR, TVCF maintains a comprehensive register of its data processing activities in electronic form. TVCF has assigned a privacy officer who deals with all matters related to data protection, but is not a formal data protection officer in the sense described in the GDPR.
In the event that ownership of (parts of) TVCF is transferred to a third party, your personal data may be transferred to that third party. TVCF will inform you of this upfront, whereby you will be given the opportunity to object to such transfer of data.
Personal data: Any information that relates to a living individual who can be identified from that data. Different pieces of information that can lead to the identification of a particular person when they are collected together also constitute personal data (e.g. an IP address in combination with a name).
Data subject: The identifiable person whose personal data is collected.
Data controller: A person or organization that decides why and how the collected personal data is processed, and is responsible for the protection of that data. Unless otherwise stated, TVCF is a data controller for personal data we collect through the services subject to this statement.
Data processor: An external person or organization that processes the personal data on behalf of the data controller.
Data processing: Any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Cookies: Small text files (up to 4KB) created by a website that are stored on the user’s device, either temporarily in the web browser for that session only, or permanently on the hard disk (‘persistent cookie’). Cookies provide a way for a website to recognize you when you return to it, and keep track of your preferences. Cookies are ‘passive’ as they contain retrievable information, but do not contain programmes, viruses or malicious software.
- Personal Data Collection
2.1. Personal data we collect
We may collect the following personal data from you:
- Your personal contact details (name, postal address, e-mail address and telephone number);
- Your professional contact details (company, position, postal address, e-mail address and telephone number);
- Your device’s Internet Protocol (IP) address;
- Your user ID’s and passwords;
- Your invoice and payment details, including your credit card number;
- Your reported interests and preferences;
- Your ordered products or subscriptions;
- Information regarding the equipment you use, such as a unique device ID, the version of your operating system and the settings of the device you use to gain access to a product or service;
- Information regarding the use of a product or service, such as the type of product or service you use and the specific time you use it;
- Location details derived from your device or IP address, that may be automatically transferred when you use a product or service;
- Information that is available via external sources, such as your social media profile;
- Information that is transferred via external sources, for example when you access a product or service via another company’s website.
We do not collect or process any of the personal data classified in the Regulation as ‘special categories’, such as race, political opinions or religious beliefs (See Article 9 of the GDPR for a full list). We do collect and process ‘sensitive’ financial and location data, to fulfil our obligations towards authorities, customers and suppliers.
2.2. When we collect personal data
Your personal data may be collected in the following situations:
- When you take out a subscription to an TVCF product or service, either from TVCF or via a third party;
- When you purchase a single TVCF product or service, either from TVCF or via a third party;
- When you use one of TVCF’s websites or online platforms (incl. social media), either directly or via a third party;
- When you create a personal account to one of TVCF’s websites or platforms;
- When you sign up for one or more of TVCF’s free services, such as newsletters or mailings;
- When you participate in a panel or survey conducted by TVCF or one of TVCF’s trusted partners;
- When you register for one of TVCF’s digital products or services, such as an online course or webinar;
- When you send documents, images and other content containing personal data to TVCF;
- When you sign into TVCF’s Library and Information Centre;
- When you contact TVCF.
2.3. How we collect personal data
We collect personal data through various channels:
- We obtain some of the data from you directly, for example when you send us the information via email, subscribe to a product, create an account or sign up to a newsletter;
- We get some of it by recording how you interact with our products, for example by using cookie technology or obtaining usage data through web analytics;
- We obtain some personal data from third parties, such as social media platforms and trusted partners.
- Google can provide this information to third parties if Google is legally obliged to do so, or insofar as these third parties process the information on behalf of Google. TVCF has no influence on this.
- TVCF has not given Google permission to use Analytics information obtained via TVCF for other Google services.
- Personal Data Processing
3.1. Why we process personal data
At TVCF, we process personal data for the basic purposes we must achieve to operate our business: to provide our products and services, and to send communications about our products and services. We need to process personal data for these purposes, to be able to provide you with the products and services outlined in your agreement(s) with us (e.g. Customer Relationship Management), to keep you up-to-date on the products and services of your interest (e.g. marketing communications), and to continuously improve our products and services and your experiences with them (e.g. usage analytics).
We also process personal data for certain carefully considered purposes (‘legitimate interests’), which are in the interest of our business and our customers, as they enable us to fulfil our contractual obligations, enhance the services we provide and protect your privacy. The processing of data for these purposes occurs with the highest regard for your rights and interests. You have the right to object to these forms of processing, but keep in mind that this may affect our ability to carry out certain tasks for your benefit.
We process personal data based on the following (non-accumulative) bases for ‘lawful processing’:
You or your company has agreed (by engaging The VAT Consultancy Firm B.V., or by ordering products from our website) to the General Terms and Conditions including this Privacy Statement.
You can withdraw your consent at any time by informing us by telephone (+31(0)707447516) first. We also require in addition that you provide to us in writing you want us to remove your information. In the written request you have to provide us a precise specification of the information you want us to remove (e.g. name, contact details, financial details and or any other details, the years your request relates to and when and how this data was obtained by us); please allow 30 days for your request to be processed. Note that we may not be able to comply with such a request in all cases, as we still may need to process your personal data on a different legal basis (see below).
The written request must be sent in Dutch or English to:
The VAT Consultancy Firm B.V.
GDPR privacy officer
Carolina van Nassaustraat 351
2595 SV The Hague
Processing is necessary for the performance of a contract, or to take steps to enter into a contract.
Processing is necessary for compliance with a legal obligation to which TVCF may be subject as data controller, such as a court order or tax legislation.
Processing is necessary for purposes of legitimate interests pursued by TVCF or a third party used by TVCF, except where such interests are overridden by your interests, rights or freedoms.
Legitimate interests for which TVCF processes personal data are:
- Fraud detection and prevention;
- IT security measures to protect TVCF’s network and information systems, e.g. to prevent data breaches or leaks;
- Intra-organization transfer of data, such as for the processing of tax returns, orders and payments by TVCF’s headquarters that come in via other TVCF locations or third parties;
- Employment relationship management, for operational, administrative, HR and recruitment purposes;
- Corporate operations and due diligence, such as business intelligence, risk assessment, strategy planning and reporting;
- Credit management, such as the transfer of data to a debt collection agency in case of non-payment;
- Product development and enhancement, such as monitoring website usage and conducting analytics (e.g. pages and links clicked, time at page, navigation patterns, devices used, where users are coming from) to improve our products and services;
- Communications, marketing and intelligence, such as for personalized services and communications, direct marketing, targeted advertizing, event planning, and conducting profiling and business intelligence analytics to e.g. create trend reports, analyse the effectiveness of a marketing campaign or determine the most effective channels and messages.
3.2. How we process and use personal data
Your personal data is stored on a server located in our office and sometimes also on servers used by parties we work with such as Microsoft.
We process only the minimum amount of personal data necessary to achieve our purposes. This makes it easier for us to keep data accurate and up-to-date, and limits the amount of data accessible to an unauthorized party in the event of a data breach. We may combine data we collect to enhance or personalize your user experience, for example based on a course you followed, advise your organization received from us or a previous purchase.
At TVCF, we do not use ‘automated decision-making’.
Financial information (‘sensitive data’) is processed solely for tax compliance, billing, payment processing, debt collection, fraud prevention and financial audits.
- Personal Data Sharing
4.1. Why we share personal data
We have agreements with third parties that may receive your personal data, as they need it to carry out certain business activities for us (e.g. compliance) or we have to carry out certain business activities for you.
As TVCF in its role of data controller is responsible for the personal data we collect from you, we only want to work with parties that are GDPR-compliant. We (will) have detailed agreements in place with these parties, that outline that any personal data obtained from TVCF is to be kept confidential, and that personal data may only be processed at the direct and precise instruction of TVCF and solely for the purpose defined by TVCF. In case such an agreement is terminated, any personal data in the possession of the third party is either returned to TVCF or deleted unless there are legal obligations for the other party to store any of such information to comply with local rules.
Recipients of your personal data can be other data controllers, data processors, third party licensees, third countries and international organizations.
4.2. Who we share personal data with
- Other data controllers
- Data processors
TVCF makes use of various types of companies that process data on behalf of TVCF to help us with our daily operations. As stated above, TVCF has concluded or will conclude a GDPR-compliant data processing agreement with such companies.
Categories of data processors used by TVCF:
- IT service providers
- Hosting companies
- Web analytics services
- Translation agencies
- Tax and legal consultants
- Debt collecting agencies
- Third party licensees
TVCF has agreements with several carefully selected third parties, allowing them to use TVCF content in order to attain a wide spread of TVCF’s information. Vice versa, TVCF has agreements in place with third parties that deliver content to TVCF for further use or distribution.
These parties may need to obtain personal data from TVCF, or send personal data to TVCF, for example for the purpose of order fulfilment, events, advise or the provision of information.
Categories of third parties used by TVCF:
- Tax consultancy firms
- Notary and legal firms
- (Inter)national conference organisors
- Publishing companies
- Academic institutions
- Online training developers
TVCF will not share your personal data with any third parties without informing you in advance.
Third countries and international organizations
As an international organization with a global network of relations and clients (e.g. customers, third parties used) and suppliers (e.g. tax firms), TVCF may need to transfer your personal data to (international organizations operating in) countries outside the European Economic Area (EEA).
The countries in the EEA are covered by the GDPR: they all have to comply with the data protection principles set out in the Regulation, which guarantees the protection of your personal data when transferred between EEA countries. The European Commission (EC) has declared that the transfer of data to countries outside the EEA may only take place if the level of protection guaranteed by the GDPR is not undermined.
The EC has taken a number of ‘adequacy decisions’ for non-EU countries that the EC considers to have an adequate level of protection, such as Switzerland, Canada and the United States (arranged in the EU-US Privacy Shield).
To enable the transfer of data to countries that have not (yet) been labeled ‘safe’, the European Commission has established a number of Standard Contractual Clauses that can be used in agreements with parties in these countries, in order to safeguard the protection of your personal data.
In cases where TVCF may need to transfer your personal data to (international organizations operating in) third countries, we will cooperate with you to ensure that an agreement is in place that includes the relevant Standard Contractual Clauses and outlines precisely which data may be processed, how it may be processed and for which purpose, and which laws and regulations apply.
Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. The overview below explains the cookies we use and why.
These are used to make our websites function well, for example to offer such functionality as Single Sign On and our shopping cart.
TVCF does not use third-party cookies and will therefore not collect any data from sites other than TVCF’s own websites and platforms.
- Personal Data Retention
We do not store personal data for longer than is necessary for the purposes for which the personal data is processed. We have a regular review process in place to cleanse our databases of obsolete personal data.
Once we no longer need personal data for the purpose for which it was collected, we will delete it unless we are obligated by law to keep it. We may archive a minimum amount of personal data for historical, statistical or research purposes, for example to defend possible future legal claims or to comply with employment law or financial audits.
TVCF uses both session cookies and persistent cookies. Session cookies are stored for the duration of the user’s session on an TVCF website. Persistent cookies used for website statistics are stored for no more than two years; persistent cookies used for the TVCF web shop expire after one day.
Job application information is deleted 4 weeks after the application procedure is finalized, unless the applicant has given us permission to retain the information for future reference, in which case the information is stored for a maximum of one year.
We are obligated by law to store tax related information records for a minimum of 7 years.
- Personal Data Protection
Information security at TVCF is based on generally accepted ‘good practices’ in Information Security Risk Management. Information security refers to the ways and means to protect printed, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.
7.1. Data security
TVCF works with professional software from Microsoft Office and Windows for the communication with its relations. As a result we send and receive data via the servers of Microsoft. We refer to their website for information on data security. We store also data and processes personal data both on our premises and in data centres. All connections to such data centres are secured and where possible restricted to parts of the organization via a Virtual Local Area Network (VLAN). All data centres TVCF uses are ISO certified (e.g. ISO 27001). Within TVCF, all possible measures to protect information, both technical and organizational, are implemented:
- Multi-tier firewall protection (main firewall, ‘Intrusion Detection System’ in the network, firewalls on all servers) ensures an overall protection from external threats, as well as a limitation in potential damage;
- VLAN’s are used for logical and technical separation of access rights and risks;
- The wireless access to resources is separated from the main internal network;
- Virus scanners are used within the network and on all workstations and servers;
- Remote access to the offices can only be gained via VPN;
- Development, test and acceptation environments are fully separated from production environments;
- Where possible, data used in non-production environments is encrypted and pseudonimized, and additional security measures are implemented to prevent the risks of data loss or data breach in these environments.
Organizational measures include, but are not limited to, a security officer, security policies including a patch and password policy, separation of duties and access, monitoring and communication policies.
TVCF ensures that our security controls remain effective in protecting data and mitigating existing threats over time. Log files are checked on a daily basis, our processing operations and security tools are regularly monitored and we perform yearly audits and security tests.
An IT audit is performed each year by our accountants, whereby all IT processes (e.g. backups, restores, user management) are audited. In addition, a yearly security test (also known as a ‘penetration test’) is executed by external specialists.
7.3. Data breaches
TVCF has breach detection, investigation and reporting procedures in place.
The procedure in case of a data breach consists of the following steps, worked out in detail in the TVCF Data Breach Policy:
- Determine the likeliness of a high risk to the rights and freedoms of the data subjects;
- If relevant, notify without undue delay, after becoming aware of the breach, the supervisory authority;
- Inform the affected data subjects;
- Take all necessary measures to limit any damage caused by the breach and prevent further damage or the breach from happening again.
7.4. How we handle and protect sensitive data
In case TVCF does process sensitive data, this is done by qualified and trained staff only, and proper technical (role-based access) and organizational measures (e.g. segregation of duties) are implemented to secure such data.
- How to Access and Control Your Personal Data
The GDPR provides you, the data subject, with various rights to guarantee the fair and correct processing of personal data. In case you wish to exercise any of these rights, please get in touch with us. Your request will be assessed in light of the standards and recommendations outlined in the GDPR.
You can call us by telephone (+31(0)707447516). The written request to exercise you rights must be sent in Dutch or English to: The VAT Consultancy Firm B.V.
GDPR privacy officer
Carolina van Nassaustraat 351
2595 SV The Hague
8.1. Data subject rights pertaining to the personal data collected by TVCF
At all times, you have the right to:
- Request that TVCF allows you to inspect your personal data;
- Request that TVCF provides you with an electronic copy of your personal data;
- Request that TVCF rectifies or erazes your personal data (within 30 days);
8.2. Data subject rights pertaining to the processing of the personal data collected by TVCF
At all times, you have the right to:
- Request that TVCF provides you with information regarding the processing of your personal data;
- Request that TVCF applies a (temporary) restriction to the processing of your personal data;
- Request that TVCF does not base decisions solely on automated processing of your personal data, including profiling;
- Object to the processing of your personal data.
- Contact Us
Inquiries concerning this Privacy Statement and TVCF’s data protection policy can be made in writing to TVCF’s privacy officer:
The VAT Consultancy Firm B.V.
GDPR privacy officer
Carolina van Nassaustraat 351
2595 SV The Hague
(Version: 21 May 2018)