Ver. No. 1.0
Change: Rewritten document (replaces all previous privacy policy versions)
Author: Aniek Bierhoff
Effective date: 25 April 2023
This document is TMC's official Centralized Privacy Policy. This Policy prescribes how TMC ensures the accomplishment of TMC's vision and goals on privacy. The Policy is set up according to the ISO standards of continuous improvement, using the ‘plan (Chapter 1), do (Chapter 2), check (Chapter 3), act (Chapter4)’ principle. Furthermore, the Policy builds on the EU GDPR, The Policy refers to TMC privacy procedures. These procedures explain in detail how the subjects in this Policy are to be executed.
If you have any questions regarding the processing of personal data within our organization or if you have any privacy-related questions please contact the Privacy Officer, reachable by e-mail: Lisette.van.Zanten@TMC.nl, or with our privacy team, reachable by e-mail: privacy@TMC.nl
This policy applies to all TMC Group Companies and their subsequent contracted employees, hereinafter also ‘TMC’.
“DPO” means Data Protection Officer
“PO” means Privacy Officer
“Employeneur” means anyone working at TMC
“DPA” means Data Processing Agreement
TMC Environmental Social Governance - Privacy
Privacy Implementation Guide
Privacy Way of Working
Privacy Officer
Privacy Way of Working Business Manager
Privacy Way of Working Holding
Privacy Way of working Office Manager
Procedure 5.2.1 Informing Data Subjects
Procedure 5.2.2.1 Processing
Procedure 5.2.2.2 New Processing
Procedure 5.2.3 Privacy Education
Procedure 5.2.4 Data Breach and Incidents
Procedure 5.3.1 Privacy Audit
Procedure 5.4.1 Privacy Improvement
Richtlijnen voor functionarissen voor de gegevensbescherming van de AP
This Policy may be revised yearly as a result of the outcome of the audit (Chapter 3.1) and the board evaluation (Chapter 3.2). This privacy policy was changed on 6 March 2023. The most current version of the policy will always be available through this website of TMC. Changes will be published on our website accordingly.
TMC respects the privacy of our employees, customers, associates and visitors to our website. Personal data is therefore treated and secured with the utmost care and processing takes place in accordance with the applicable privacy legislation. TMC strive for long-term cooperation and appreciate that data subjects share their data with us. Personal data is in good hands with us, we take care of it every day.
TMC fully adheres to the relevant privacy legislation, TMC Central Privacy Policies, and Procedures that are relevant TMC Local Privacy Policies and Procedures, and contractual obligations.
Structure
TMC’s Privacy Governance Structure is based on a controller and processor contractual bond between Triple B.V (controller) and the TMC Group Companies (processors). This means TMC is one group of undertakings, with one Data Protection Officer. Independence of the DPO should be guaranteed. This means in particular that this officer cannot have a position in the organization that leads to this officer (partly) determining the purpose and means of processing personal data. Moreover, the Dutch Privacy Authority is the leading Privacy Authority for the whole group. In accordance to this governance structures, DPA’s between the controller and the processors are in place (Chapter 2.2). Non-compliance with the DPA, this Central Privacy Policy and the related Privacy Policies (see Chapter 0.4) by (an Employeneur within) a TMC Group Company will be subject to disciplinary action and may also be subject to civil or criminal liability if their conduct violates legislation.
Privacy standards
TMC always applies the strictest privacy standards to ensure a uniform and compliant execution of the privacy principles in every TMC entity, regardless of the location of the entity.
Purpose limitation
TMC uses personal data. We do so only when necessary to connect candidates and clients. This is called purpose limitation. It means in this case that the processing is necessary for the performance of an agreement. We have a legal basis for this (GDPR Article 6). TMC is a specialist in the secondment of technicians, we connect candidates and clients. In order to provide these services in a professional manner, the processing of personal data of our candidates and clients is necessary. This includes processing your application and bringing your resume to the attention of clients. In other words, the processing of personal data is necessary for the performance of a task as laid down in laws and regulations, such as, for example, the payroll tax execution regulation.
Data minimization
The personal data processed by TMC are limited to what is necessary for the purposes for which they are processed. This is done from the principle of data minimization whereby no more personal data may be processed than is strictly necessary for the purposes for which they are processed. It also follows from this principle that personal data should only be used if the processing cannot reasonably be achieved by other means.
Accuracy
Personal data should be accurate and, where necessary, updated; reasonable measures should be taken to ensure that personal data that are inaccurate, taking into account the purposes for which they are processed, are deleted or rectified in a timely manner.
Safeguarding the security of personal data
In order to secure personal data against loss or against any form of unlawful processing, we have taken appropriate technical and organizational measures. Persons who have access to this data on behalf of TMC are (among other things, based on the rules of conduct and profession applicable to them) bound to secrecy. We maintain high and generally accepted standards of technological and operational security to protect the information provided from loss, misuse, unauthorized access, unwanted disclosure, unauthorized modification or destruction. TMC’s security approach is broken down into the following e.g. subjects:
Policies and procedures for processing personal information are established as follows:
Triple B.V.'s Privacy Officer shall establish TMC Central Privacy Policies and supporting procedures, manuals and tools, including, for example, privacy assessment tools, template notices, consents and contractual provisions. These Central Privacy Policies are based on the Privacy Principles referred to in Article 5 of the EU GDPR. Each entity, taking into account its own business operations, collection and processing activities and risks, shall implement these policies and procedures. Such implementation is the responsibility of each entity and will be supported by the PO.
Other TMC Central Policies regarding processing personal information can be established by IT regarding Information Security. Each entity is responsible for adhering to and implementation of IT Information Security Policies.
TMC Group Companies may establish additional policies, standards, procedures, manuals and/or tools to meet their own specific privacy requirements as long as these do not contradict the TMC Central Privacy Policy. TMC Group Companies make additional policies available to the Privacy Officer.
TMC is committed to ensuring that data subjects are informed in a proper, understandable and transparent manner when their personal data are processed, and what the purposes of such processing are. The Privacy Officer is responsible for ensuring the possibility of informing data subjects according to Procedure ‘5.2.1 Informing Data Subjects.’ internal staff is responsible for informing data subjects according to their Privacy Way of Working.
TMC only processes personal data in accordance to the GDPR. Employeneurs are responsible for following the Procedure ‘5.2.2.1 Processing’ whilst processing personal data, and the Procedure ‘5.2.2.2 New Processing’ for initiating a new type of processing. TMC processes data in the ways described in the paragraphs below.
Use of personal data
To perform our services, we need personal data in certain cases. What data we process depends on the type of service we provide. Only the personal data necessary for the service in question will be processed. We process personal data for the purpose of personal administration, payroll administration, recruitment and selection, social gestures for our employees, privacy, procedures, internal and external communications, front office, finance, marketing, IT, management, and customer agreements. Per situation, we indicate to our clients, candidates and employees which personal data are necessary or required and what the (possible) consequences are if the data are not provided. In the performance of our work, if necessary, processing of data may be involved such as:
For maintaining the business relationship, providing information about our services and providing information about the online tools used by clients, candidates and employees, we process the names, contact details and positions of the relevant persons employed by our business relations. In addition, in line with the e-privacy directive, TMC collects data about visitors to its website. This gives us insight into information such as:
The mentioned data are anonymized; therefore, it is not possible for TMC to identify a website visitor.
TMC only collects personally identifiable information that has been explicitly made available by the respective website visitor himself. This is the case, for example, when a visitor fills out a contact form on the website. This information may include the name, position, company address, e-mail address, telephone number(s) and data related to internet behavior as described in this statement.
Cookie Policy
In addition, based on the e-privacy directive, the TMC website also uses cookies and there are social media icons and hyperlinks on various web pages. TMC uses technical, functional and analytical cookies that do not invade your privacy. A cookie is a small text file that is stored on your computer, tablet or smartphone the first time you visit this website. The cookies we use are necessary for the technical operation of the website and your ease of use. They ensure that the website works properly and remember, for example, your preferences. They also allow us to optimize our website. You can opt out of cookies by configuring your Internet browser to stop storing cookies. In addition, you can also delete any information previously stored via your browser settings.
Sharing of personal data to third parties
By virtue of a legal obligation or if it is necessary for the execution of services, personal data may be provided to third parties. Think of providing the data to government agencies, such as the Tax Office. TMC will never, unless after explicit consent of the data subject, provide personal data to third parties from a commercial point of view. The data provided as a result of the use of our website will also only be passed on to third parties if this is necessary for the use or optimization of the website. For example, we provide this data to, among others, our website and system administrator and the (online) marketing agency.
When we provide personal data to a third party, we ensure that the correct privacy measures and legal agreements are in place, in accordance with article 26 and 28 GDPR. For (sub)processors within the EEA we conclude DPAs. For joint controllers within the EEA we conclude JCAs. For (sub)processors and joint controllers outside the EEA (cross border transactions) we conclude Standard Contractual Clauses when lawful. TMC does not provide personal data to a third party when this is not legally allowed. Through the lawful agreements, we ensure that the processing of personal data is aligned with the GDPR privacy principles.
TMC performs privacy due diligence on their processors and joint controllers for taking the correct privacy measures. These third parties must have at least the same security measures as TMC and a demonstrable privacy program in line with the GDPR.
The provision of the personal data to third parties is done on the basis of a legitimate interest, legal obligation and/or for the execution of the agreement in accordance with the purposes as mentioned under 'Purpose limitation’, or on the basis of the data subject's consent. Processing based on legitimate interest is relevant in case of optimization or improvement of the services of TMC. If personal data are processed on the basis of consent, the data subject may always withdraw consent. In that case, TMC will no longer process the personal data in question. The withdrawal of consent has no retroactive effect.
Retention periods of personal data
Within TMC we do not retain personal data received as part of our services for longer than necessary to fulfill the purposes for which the data are collected. This means that your personal data are kept for as long as they are necessary to achieve the purposes in question, or must be kept in accordance with legal retention obligations. Also data that TMC obtains from website visitors will not be kept longer than necessary to realize the purposes for which the data are collected. Upon expiration of the retention period, or in response to successful deletion requests from data subjects, TMC will delete the personal data from its systems.
For the two situations below, TMC applies the following retention periods:
Inspection, correction or deletion of personal data, right to object, right to restriction and right to data portability
Our data subjects have the right to request inspection, correction or deletion of personal data, to object, to restriction and to data portability. These rights are not absolute and are considered individually by TMCs Privacy Officer. Data subjects can submit their request, objection or question to privacy@tmc.nl. A respond will be given to the data subject within one month at the latest. The execution of the data subject request, objection or question may be prolonged two times by a month after notifying the data subject before each prolonging.
Complaint about the use of your personal data
Data subjects may complain about the use of their personal data by TMC be contacting privacy@tmc.nl. The Privacy Officer is responsible for addressing any privacy complaints by contacting the data subject within two business weeks and solving the complaint within a month. The addressing of a complaint may be prolonged two times by a month after notifying the data subject before each prolonging. If the Privacy Officer cannot address a complaint, the Privacy Officer may refer the data subject to the Dutch Data Protection Authority. More information about this can be found at https://www.autoriteitpersoonsgegevens.nl.
TMC ensures their Employeneurs are trained to understand and execute TMC Privacy Policies and Procedures. The PO is responsible for providing trainings, tools, and support regarding education on the TMC Central Privacy Policy and Procedures to the TMC Group Companies. The TMC Group Companies’ CEOs are accountable for ensuring their Employeneurs receive appropriate training that enables them to perform their jobs in accordance with legal requirements and internal rules and procedures, upon entry into service and periodically, as described in Procedure ‘5.2.3 Privacy Education.’ Employeneurs are responsible for doing the relevant training, as described in Procedure ‘5.2.3 Privacy Education.’
TMC handles data breaches and incidents in accordance to the EU GDPR. Employeneurs are responsible for following Procedure ‘5.2.4 Data Breach and Incidents’ in case they are involved in or aware of an incident or data breach.
TMC internally audits the execution of TMC Central Privacy Policy and Procedures by its Employeneurs at least yearly. The PO, TMC Group Companies’ CEOs and the TMC Board are responsible for following Procedure ‘5.3.1 Privacy Audit.’
TMC evaluates the execution of TMC Central Privacy Policy and Procedures to ensure due diligence and the possibility to improve the privacy at TMC according to Procedure ‘5.3.2 Privacy Evaluation.’
TMC improves the execution of TMC Central Privacy Policy and Procedure, when this is necessary according to the outcome of a Privacy audit and the evaluation. Improvements are made in accordance with Procedure ‘5.4.1 Privacy Improvement.’