Privacy statement

Privacy Statement Kepco

We process personal data for the provision of our service. We may receive this data from you, for example through our website, e-mail, phone or app. In addition, we may obtain your personal data through third parties, in the context of our services. In this privacy statement, we inform you about our use of your personal data.
Processing of personal data and purposes

If we process Personal Data, this will be done in accordance with the requirements of the General Data Protection Regulation (GDPR) and related laws and regulations.
Which personal data we process depends on the specific service and circumstances in question. It usually concerns the following data:
• Name and address details;
• Contact details (e-mail addresses, phone numbers)
• Data about your activities on our website, IP address, internet browser and device type.

Purposes of and bases for processing
In some cases, we process personal data in order to comply with a legal obligation, but mostly we do so in order to perform our services. Some data are recorded for practical or efficiency reasons, which we may assume are also in your interest, such as:
• Communication and information provision;
• Providing our services as efficiently as possible;
• Improving our services;

Specifically, the above also means that we may use your personal data for marketing purposes or send you advertising materials or messages about our services, if we think these may be of interest to you. We may also contact you to request feedback on services provided by us or for market or other research purposes.
Where appropriate, we may wish to process personal data for reasons other than those listed above and we will request your explicit consent to that end. If we ever wish to process personal data that we are allowed to process on the basis of your consent for other purposes, we will first request your consent again.
Finally, we may also use your personal data to protect our own and our users’ rights and property and, where necessary, to comply with legal proceedings.

Provision to third parties
In the context of our services, we may use the services of third parties, for example if these third parties possess specialised knowledge or resources that we do not have in-house. These may be processors or sub-processors, who will process the personal data on the basis of your exact instructions. Other third parties who will or may have access to your personal data, although they are not the processors of the personal data strictly speaking, include our system administrator, suppliers of online software or hosting partners, or advisors from which we have sought advice regarding your order. If engaging third parties results in them having access to the personal data or recording and/or otherwise processing personal data themselves, we will agree in writing with those third parties that they will comply with all obligations of the GDPR. Naturally, we will only engage third parties whom we can and may assume are reliable parties who will handle personal data properly and can and will comply with the GDPR. This entails, among other things, that these third parties may process your personal data only for the purposes stated above.

Of course, we may also be required to provide your personal data to third parties in connection with a legal obligation.
Under no circumstance will we provide your personal data to third parties for commercial or charitable causes without your explicit consent.

Retention periods
We will not process your personal data for longer than is useful for the purpose for which it was provided (see the section “Purposes of and bases for processing” above). This means that your personal data will be retained for as long as they are required to achieve these purposes. Certain data must be retained longer (usually seven years) because we are required to comply with the statutory retention obligation (for example the tax-related retention obligation) or the regulations of our professional association.

To protects the personal data, we have taken appropriate technical and organisational measures, in so far as this can reasonably be required of us, considering the interest to be protected, the state of the art and the costs of the relevant security measures.
We require our employees and any third parties who are required to have access to the personal data to observe confidentiality. In addition, we ensure that employees receive correct and complete instructions regarding the scope of the personal data and that they are sufficiently familiar with the responsibilities and obligations of the GDPR. If you wish us to do so, we are ready to provide more information about how we have implemented the security of the personal data.

Your rights
You have the right to inspect, rectify or delete the personal data that we have received from you (naturally, except if doing so would be in breach of any statutory obligation). Furthermore, you have the right to object to the processing of all or part of your personal data by us or one of our processors. You also have the right to have us transfer the data provided by you to yourself or directly to another party if you wish us to do so.
Incidents with personal data
In the event of an incident regarding the relevant personal data (i.e. a data breach) we will inform you of this without delay if there is a real chance that this might have negative consequences for your privacy and the realisation thereof. We strive to do so within 48 hours after we have discovered the data breach or informed our processors or sub-processors of this.

If you have a complaint about the processing of your personal data, please contact us about this. If this does not result in a satisfactory outcome, you always have the right to file a complaint with the Dutch Data Protection Authority (the supervisory authority for matters related to privacy).

Processing within the EEA
We will only process the personal data within the European Economic Area, except if you and we agree otherwise in writing. Exceptions to this are situations in which we wish to identify opportunities for interaction through our website and/or social media pages (i.e. Facebook and LinkedIn). Examples of this include visitor numbers and web page requests. Third parties store your data outside the EU when Google Analytics, LinkedIn or Facebook is used. These parties are “EU-US Privacy Shield”-certified, so that they must observe European privacy legislation. It should be noted that this only concerns a limited range of sensitive personal data, in particular your IP address.

Our privacy policy will undoubtedly be amended from time to time. The most recent version of our privacy statement is logically the applicable version and can be found on our website.

In conclusion
We hope that this privacy statement has given you a clear picture of our privacy policy. However, if you have any questions about how we handle personal data, please let us know. The first point of contact on matters concerning privacy at our organisation is Willem Steltenpool,