Data Privacy and Protection Policy

1. Introduction

De Haan collects and processes personal data of customers, suppliers, business partners, (prospective) employees and other individuals with whom we have a relationship. This policy describes how we collect, use, store, secure and delete personal data, in accordance with: 

  • the General Data Protection Regulation (GDPR);
  • applicable Dutch and European laws and regulations;
  • internal guidelines as set out in the KAM Manual and the Employee Handbook.

De Haan attaches great importance to the careful, secure and transparent handling of personal data. 

2. Purpose of this policy

Through this policy, De Haan ensures that we:

  • comply with legal obligations regarding data protection;
  • respect and protect the privacy rights of data subjects;
  • are open and transparent about the processing and storage of personal data;
  • minimize the risks of data breaches, misuse, loss or unauthorized access. 

3. Scope of this policy

This policy applies to:

  • all De Haan employees (permanent, temporary, interns and on-call staff);
  • all external parties providing services on behalf of De Haan, such as suppliers and subcontractors. 

This policy applies to all personal data processed by De Haan, including but not limited to:

  • name, address, email address, date of birth, telephone numbers;
  • identification numbers (such as BSN or insurance number);
  • customer data, contract data, invoice data;
  • HR data of employees;
  • any other information that can be traced back to an individual. 

De Haan maintains a GDPR register in which, for each data category, the following is recorded:

  • which data is processed;
  • for what purpose;
  • on which legal basis;
  • how long it is retained. 

4. Roles and responsibilities

All employees
Anyone working with personal data is responsible for:

  • handling data correctly, securely and carefully;
  • preventing unwanted access or distribution;
  • reporting potential incidents or data breaches. 

KAM & Facility Coordinator

  • manages this policy and monitors compliance;
  • maintains the GDPR register;
  • supervises data breach investigations and notifications;
  • provides periodic updates of this policy.

Functional Management / IT

  • ensures appropriate technical security measures;
  • manages systems, VPN connections, access rights and backups;
  • supports users with questions regarding data security.

External processors

Any party processing personal data on behalf of De Haan must sign a data processing agreement, which includes:

  • security measures;
  • retention periods;
  • purpose limitation;
  • confidentiality obligations. 

5. Legal grounds for processing

De Haan processes personal data only when a legal basis exists, such as:

  • performance of a contract (e.g., relocation, storage, HR agreements);
  • legal obligations (tax retention periods, personnel records);
  • legitimate interest (quality controls, IT security, planning);
  • consent (for marketing or newsletters where required). 

6. Rights of data subjects

Under the GDPR, every data subject has the right to:

  • access their personal data;
  • rectify inaccurate data;
  • erasure (“right to be forgotten”);
  • restriction of processing;
  • object to processing;
  • data portability;
  • withdraw consent where processing is based on consent.

De Haan facilitates these rights within statutory timeframes. 

7. General guidelines for employees

  • Access to data is limited to employees who require it for their role.
  • Data is not shared informally.
  • Strong, unique passwords are mandatory and never shared.
  • Unauthorized access must be reported immediately.
  • Employees follow privacy and security training.
  • Data is regularly checked for accuracy and relevance.
  • Data is not retained longer than legally or operationally necessary.
  • Use of private devices for processing company data is not permitted unless explicitly approved and secured. 

8. Data storage and security

8.1 Paper records

  • are stored in locked cabinets or rooms;
  • are never left unattended on printers or desks;
  • are destroyed using certified destruction methods when no longer required. 

8.2 Digital data

  • is stored on secure servers, systems and network drives;
  • is protected by access control, firewalls and security software;
  • is never stored on laptops, phones or tablets unless encrypted and approved;
  • is regularly backed up, and backups are tested according to IT procedures;
  • devices that are no longer in use are physically destroyed in accordance with procedure. 

9. Use, sharing and disclosure of data

  • Data is used solely for the purpose for which it was collected.
  • Employees lock their screens when leaving their workstation.
  • Copies are not stored locally on personal devices.
  • Data is only shared with certified and approved suppliers.
  • External parties receive only the data necessary for their task. 

10. Retention periods

De Haan applies retention periods based on GDPR, tax legislation and operational necessity. Examples:

  • Customer data: as long as necessary for execution + legal retention obligations.
  • HR records: in accordance with legal terms (core data 7 years, applications max. 4 weeks unless consent is given).
  • Invoices: statutory tax retention period of 7 years.

All retention periods are recorded in the GDPR register. 

11. Data breaches

A data breach is any situation in which data:

  • has been lost;
  • has been accessed by unauthorized persons;
  • has been altered;
  • or was accessible without authorization.

Data breach procedure

  • Immediate reporting to the KAM & Facility Coordinator and/or IT.
  • Analysis of nature, scope and impact.
  • Registration in the data breach register.
  • If necessary, notification to the Dutch Data Protection Authority within 72 hours.
  • Communication to affected individuals if required.
  • Documentation of measures to prevent recurrence.

Intentional violations may lead to disciplinary measures, including summary dismissal. 

12. Use of AI, automation and digital tools

De Haan follows the European AI Act (EU 2024/1689) and internal guidelines:

  • AI systems may not be used to process confidential data without approval.
  • Employees may not enter privacy-sensitive information into external AI tools without permission from the KAM Coordinator.
  • Decisions impacting employees are always reviewed by a human.
  • Transparency: data subjects are informed when AI is used.
  • AI must not generate discriminatory outcomes. 

13. Supervision, evaluation and enforcement

  • This policy is available in the KAM Manual under Work Instructions.
  • Annual evaluation by the KAM & Facility Coordinator.
  • Employees are reminded of this policy at least once per year.
  • Updates are published via hyperlink on the website. 

Privacy-related complaints or disputes can be reported to our KAM & Facility Coordinator.
Phone: +31-78-69.20333 or email: quality@dehaan.nl
