GITP aims high when it comes to the quality of its services. One important aspect of this quality is the protection of information and the privacy of (potential) clients and participants and careful handling of their (personal) data, in accordance with what is provided for in the Dutch Personal Data Protection Act, and the professional, sector-specific and/or ethical codes of conduct applicable to particular services (including those of NIP, ROA and NRTO).
These privacy rules relate to the processing of personal data by GITP B.V. and its subsidiaries PiCompany B.V. and Medezeggenschap B.V. ¨Processing of personal data¨ means amongst other things the collection, storage, recording, editing, accumulating, requesting, consulting or deletion of personal data.
GITP B.V. and its subsidiaries PiCompany B.V. and GITP Medezeggenschap B.V. (hereafter: ¨GITP¨) collect personal data of clients, participants, suppliers and visitors of our websites.
General Data Protection Regulation
The General Data Protection Regulation, also named GDPR, is European legislation with direct effect in the European Economic Area. Starting 25 May 2018, these rules replace the Personal Data Protection Act.
GDPR and the protection of personal data
In 2016, GITP acquired the ISO 27001:2013 certification with a view to the introduction of this Regulation as extra security for its clients and participants. To this end we have established a management system for information security policies.
The introduction of this standard has been accompanied by a (mandatory) awareness programme regarding privacy and information security for all (new) employees. It comprises our system of technical and organisational security measures and procedures for reporting incidents, control mechanisms, education of employees, evaluation of activities and continuous improvement. The management owns this programme and is assisted by a Security Officer and a Data Protection Officer.
As Controller (GITP is the Controller for almost all the processing; a number of processes of daughter PiCompany are performed in a Processor role), GITP has a data processing administration. Relevant aspects can be found in these privacy rules. This register is part of the Information Security Policy and will be evaluated regularly, as will the other documents, and updated where necessary.
The protection of privacy has traditionally played an important part in our organisation. All assessment psychologists are obliged to be a member of the NIP (Netherlands Institute of Psychologists) and bound to very carefully handle assessment data (under penalty of disciplinary action).
In all the processes within our organisation, we handle personal and client data very carefully; the principles as mentioned in the GDPR are a starting point, as are the ones in the professional codes GITP complies with or regards itself to be bound by.
This implies amongst other things that GITP:
- Informs you in a comprehensible and transparent way how and for what purposes the personal data is processed;
- Only processes personal data for warranted and specific purposes, and bases the processing of data on one of the principles mentioned in the GDPR;
- Takes appropriate organisational and technical security measures to protect personal data against unauthorised or unwarranted processing and against inadvertent loss, deletion or damaging.
- Informs you about your rights regarding the personal data that GITP processes.
- Does not process more or longer than necessary.
Purposes and bases
GITP collects personal data for various purposes and on different bases: for instance for supplying services as agreed with you and/or your employer, for pre-contractual activities (like giving quotes) or for processing the request that you send us via one of the forms on our website. At that point we have a warranted interest to process your data: it is necessary to process the data for the adequate treatment of your request. Several pages on the website ask for personal data, for example when you try to get in touch with us or request information. Certain processes are exclusively performed with your permission, where you can withdraw that permission at any moment.
In the following chapters, we inform you in more detail.
What are cookies? Cookies are small, simple text files and are sent to your computer, tablet or mobile phone when you visit a website. Cookies increase the user friendliness when you visit a website or use a GITP app.
What happens when cookies are turned off? If you turn off your cookies, we have less insight in the use of our website and can not optimise it to be of even better service to you in the future.
To grant visitors of websites more choice in how their data is collected by Google Analytics, you can also download the Google Analytics Opt-out Browser Add-on.
III. Your personal data - purposes, bases and use of your data
Providing (pre-)contractual services. GITP processes your personal data to provide our services to you. We use the data, for instance, to give you a quote at your request, and subsequently implement the agreement, to maintain our relations with you regarding the assignment, to process and confirm an order for registration or to send an invoice. We also use the data to reply to requests for information; it is our legitimate interest to process your data for that purpose.
Involvement of and sharing with third parties. GITP can engage other parties as Controller to perform an aspect or part of the service to you; this could be an external consultant, a trainer or assessment psychologist, for instance, or an external (test) system as part of the assessment, or an IT system of platform we use for our services, for instance, a crm system or e-learning platform. As far as these third parties need access to personal data to perform these services, GITP has contracted the correct, contractual, technical and organisational security measures to ensure these third parties use or process your data solely for the intended purposes and conform the instructions we agreed to with these third parties.
Sharing with third parties for legal reasons. We can share your personal data with third parties if we determine that access to and use of the personal data is reasonably necessary to (i) conform to the applicable laws and regulations and/or court order; (ii) prevent, detect or solve fraud, (future) security issues or technical problems; and/or (iii) protect the interests, features or safety of GITP, our users or the public to the extend consistent with the law
Marketing and sales activities. GITP likes to inform clients about offers, innovations and other relevant (professional) content relating to our services, conform the applicable regulations, or because you explicitly permitted it. We can do this by phone, e-mail, newsletter or via direct personal contact. Naturally, you always have the right to indicate that you (no longer) appreciate it.
Processing of your data on the GITP website. We collect and use your personal data on our website to provide you with (personalised) web content and to communicate with you in the most targeted manner. Your data will also be used for research and analysis to improve our services and websites, as explained above. We can also use the data submitted on our websites to send information by e-mail about other services of GITP, provided you gave permission to do so. Naturally, this permission can be withdrawn at any moment.
Application purposes for vacancies at GITP or our clients. On the website we offer the possibility to send us your motivation letter and CV in the context of (open) applications at GITP or one of our clients, to subscribe to our job alert or for inclusion in our talent pool. Your data will be stored in a database managed by GITP and hosted by a third party. At that point we have a legitimate interest to process your personal data. Processing the data is necessary to properly carry out the application procedure or to provide you with job alerts.
Scientific research. Pseudonymised test data can be applied by the scientific department of GITP for validation and standardisation of tests as well as for benchmarking purposes and statistical analyses. The data is protected with additional security measures. At that point we have a legitimate interest to (keep) safeguard(ing) the quality of tests.
Under no circumstance will GITP sell your data to third parties.
IV. Storage periods
GITP stores your personal data no longer than necessary for the purposes for which the data is collected. This storage period depends on the nature of the information and the purposes of the processing.
Below we specify the storage periods of personal data for various purposes and services.
- As far as personal data is involved in the tax retention obligation: 7 years
- Participants´ data in our administration or marketing system: 5 years after the last registration or activity, so we can advise and inform you of future developments based on prior activities. Or to verify your right to a participation certificate (when lost), in short: provide you with services.
- For application procedures: 4 weeks, unless you indicate your desire for a longer storage period of 1 year. You can extend this annually.
- Inclusion in the talent pool or subscription to job alerts: 1 year, with annual renewal option.
- Your assessment file and test data: 2 years. The final report will only be shared with the client with your permission. Prior to this you have access to it and the possibility to request a clarification.
- Your coaching file: 2 years.
- Learning activities as part of e-learning or blended learning: 1 year or 90 days, depending on the agreement.
- Your personal participation portal - if any, within a service - remains open for you as a service, in principle, unless you indicate it can be removed. We will inform you in a timely manner about the removal of, for instance, your assessment report, so you can download it to your own computer at any time.
V. Your rights
You have the right to write a request to:
Access to your personal data. You can ask us whether we process your personal data. If that is the case, we will explain which personal data of yours we process, how we process it and for which purposes. You can also request a copy of your personal data we process;
Correction of your personal data. If you feel that your personal data we process is incorrect or incomplete, you can request us to supplement or edit your data;
Deletion of your personal data. You can request us to delete your personal data we process. We will delete your data without unreasonable delay after receiving such a request, if: the data is no longer needed for the purpose we processed it; you no longer give us permission to process it, if that was the base for processing it; the data was processed by us as part of direct marketing; you object against the processing of it and there is no reason (anymore) why we should still be permitted to process the data; there is a legal reason to delete the personal data.
Limitation to processing your data. In some cases you might want a limitation to the processing of your personal data. In that case, you can request us to limit the data we process. We will comply with such a request if, after investigation it turns out to be possible, for example, if you do not want all your data deleted, but other data is no longer necessary for the original purpose.
Portability of your personal data (data portability). You can request a copy of your personal data we process.
You can also indicate your right to object if you do not agree with our processing of your data.
Questions, requests, complaints and supervision
It is possible you have a question, request or complaint. Please contact us in this respect via this form. Or via the contact details below:
For the attention of the Data Protection Office
T: 0031 (0)88 – 448 70 00
You will receive a written response within 2 weeks.
File a complaint with the Dutch Data Protection Authority
The Dutch Data Protection Authority (DPA) is the Dutch regulatory body to supervise the compliance with the GDPR. You have the right to file a complaint with the DPA when you believe your rights have been violated. You can see how to do that on the website of the Data Protection Authority (www.autoriteitpersoonsgegevensp.nl).
Version management of these privacy rules
GITP reserves the right to change these privacy rules. Modified versions will be dated and published on our website.
These privacy rules were last updated in April 2018.