Privacy policy
1. Introduction
This internal privacy policy (“Policy”) provides information and obligations on the (internal) personal data processing by (employees of) Leat Technologies United Kingdom Ltd and its affiliates ("Leat").
Leat can be reached via the following contact details:
Address: Bisonspoor 3002, B901, 3605 LT Maarssen
Telephone number: 085- 773 7177
E-mail: martha@leat.com
This Policy is established for employees of Leat, and applies to all data processed by Leat and/or on behalf of Leat, which identify or may identify a natural person (“Personal Data”).
This Policy applies to the processing (including, but not limited to, collection, transfer and storage) of Personal Data of (potential, current and former) employees, contractors, (prospective) customers, business partners and other third parties. These natural persons involved are hereinafter collectively referred to as data subjects (“Data Subjects”).
Questions about this Policy or the Processing of Personal Data in general, may be directed to the privacy contact person at martha@leat.com.
1.1 Purpose of Policy
This Policy sets out the elements necessary for Leat’s compliance with applicable privacy legislation, principles and practice, including but not limited to the EU General Data Protection Regulation (“GDPR”).
For the interpretation of terms and obligations, the decrees and guidelines of the European Data Protection Board as well as of other relevant supervisory authorities (“Supervisory Authority”) shall be taken into account.
1.2 Scope
This Policy applies to the Processing of Personal Data, in which Leat acts as the controller, within the meaning of the GDPR. This is the case when Leat determines the purpose (e.g. the payment of salaries) and the means (e.g. via a digital portal) for the Processing of Personal Data.
The Policy is directed towards the employees of Leat, including directors, interns, and job applicants of Leat.
1.3 Evaluation and revision of Policy
Leat reserves the right to review and/or alter the Policy periodically (with a review at least once every two years), in order to comply with local legislation, and for any other purpose deemed reasonably necessary by Leat. Leat will notify the Data Subjects in case of any changes with respect to the Processing of their Personal Data.
2. Glossary
Controller
The natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of Personal Data, as defined in article 4(7) GDPR.
Data Breach
Breaches in the security of Personal Data that lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed, as defined in article 4(12) GDPR.
Data Subjects
The natural persons of whom the Personal Data is processed, e.g. Leat’s (potential, current and former) employees, contractors, (prospective) customers, business partners and other third parties.
Dutch DPA
The Dutch Supervisory Authority, ‘Dutch Data Protection Authority’ (in Dutch: Autoriteit Persoonsgegevens).
EEA
European Economic Area
External Privacy Statement
Leat’s external privacy statement, which provides information on the processing of Personal Data regarding (prospective) customers, contractors, business partners and other third parties.
Internal Privacy Statement
Leat’s internal privacy statement, which provides information on the processing of Personal Data regarding Leat’s (potential, current and former) employees.
Legal Ground
One of the six legal grounds for Processing of Personal Data as defined in article 6 of the GDPR.
Personal Data
In line with the provisions under the GDPR, “Personal Data” shall mean any information relating to an identified or identifiable natural person. Such Personal Data shall also refer to that personal data which is already in the possession of Leat or that personal data which shall be collected by Leat in the future.
Privacy Contact Person
Designated Leat employee appointed to act as contact person for any privacy related questions, inquiries or complaints.
Processing
Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, as defined in article 4(2) GDPR.
Processor
A natural or legal person which Processes Personal Data on behalf of the Controller, as defined in article 4(8) GDPR.
Retention Period
Retention periods that are defined in laws and regulations that are applicable to Leat as well as periods during which it is necessary to retain the Personal Data in respect of the purposes for which the Personal Data are being processed.
Rights of Data Subjects
The Data Subjects have the right of information, the possibility to exert the right of access, right to rectification, right to erasure, the right to data portability, to object against the data Processing, the right to restrict the data Processing, the right to lodge a complaint with the Supervisory Authority and the right to withdraw consent.
Register of Processing Activities
Internal record containing information on all Personal Data Processing activities carried out by Leat.
Security
Appropriate technical and organizational measures for the security of Personal Data, as required by article 32 of the GDPR.
Special categories of Personal Data
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, as described in article 9(1) GDPR.
Supervisory Authority
An independent public authority which is established by a country of the European Union pursuant to Article 51 of the GDPR, as defined in article 4(21) GDPR.
Internal Third Parties
Other affiliates of Leat acting as joint controllers or processors, which provide IT and system administration services and undertake leadership reporting.
External Third Parties
Service providers acting as processors who provide services such as: (i) IT and system administration services; (ii) payroll services; or (iii) recruitment services. Professional advisers acting as processors or joint controllers including lawyers, bankers, doctors, auditors and insurers who provide consultancy, banking, legal, medical, insurance and accounting services. Dutch Tax and Customs Administration (Belastingdienst), regulators and other authorities acting as processors or joint controllers based in the Netherlands who require reporting of processing activities in certain circumstances.
3. Categories of Personal Data Processing
The categories of Personal Data Processed by Leat can be found in the Internal and External Privacy Statements, which can be found here:
4. Purposes, Legal Ground and Retention Periods of data Processing
Leat collects Personal Data in order to perform its business functions and to provide and/or to source services to and/or from third parties. Leat processes Personal Data in accordance with the responsibilities as described in paragraph 4.1. Furthermore, Leat is under a legal obligation to Process Personal Data in accordance with the (internal) purposes and in compliance with the GDPR. The Purposes and Legal Grounds to Process Personal Data, as well as the Retention Periods, can be found in Leat’s Internal and External Privacy Statements, which can be found here:
Internal Privacy Statement
External Privacy Statement
4.1 Responsibilities Leat
Purpose limitation
The Personal Data may only be Processed to the extent necessary for the described purposes. Personal Data may in principle not be Processed for other purposes. If there is a necessity or need to Process Personal Data for other purposes, this should be presented to Leat for approval. Leat shall investigate whether the purposes of the intended data Processing are compatible with the original purposes. Prior to that further Processing, Leat shall provide the Data Subject with information on that other purpose.
Legal Ground
It is not allowed to Process Personal Data beyond the Legal Ground on which the Processing of Personal Data is based. Personal Data can be Processed based on one of the following Legal Grounds:
Consent: the Data Subject has given consent to the Processing of his or her Personal Data for one or more specific purposes. Where Processing is based on consent, the Data Subject has the right to withdraw consent at any time. To withdraw consent please contact: martha@leat.com
Necessary for performance of a contract: Processing can be necessary for the performance of a contract to which the Data Subjects are party. The Personal Data Processed is necessary to enter into a contract. Without providing the Personal Data, the contract cannot be made;
Legal obligation: Processing can be necessary for compliance with a legal obligation to which Leat is subject;
Vital interests: Processing can be necessary in order to protect the vital interests of the Data Subject or of another natural person;
Performance of a public task: Processing can be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller; and
Legitimate interest: Processing can be necessary for the purposes of the legitimate interest that Leat has.
Special (categories of) Personal Data
Certain categories of Personal Data qualify as Special categories of Personal Data within the meaning of article 9 GDPR (e.g. medical data). It is prohibited to process Personal Data beyond the described legal provision (or exception) for which these Special categories of Personal Data are processed.
Accuracy and quality
Leat shall periodically evaluate whether the Personal Data are still adequate, relevant, correct, accurate and non-excessive, in relation to the purposes of the Data Processing activities. The correctness and accuracy of the Personal Data shall be verified periodically.
Security
Leat uses commercially reasonable physical, managerial, and technical safeguards to preserve the integrity and security of the Personal Data (see paragraph 6.1 of this Policy for examples of safeguards Leat makes use of).
Confidentiality
The Personal Data should be treated confidentially. The employees and (employees of) Processors have a duty of confidentiality.
Retention Period
The Retention Periods of each of the categories of Personal Data must be complied with. After the Retention Periods have lapsed, the Personal Data should be erased or irreversibly anonymized.
Lawfulness, fairness and transparency
Leat shall Process Personal Data fairly, in a transparent manner in relation to a Data Subject and in accordance with this Policy and applicable laws. Applicable laws prevail where they exceed the standards of this Policy.
Data minimization
Leat will only Process Personal Data which are adequate, relevant and limited to what is necessary in relation to the purposes for which they are Processed.
Accountability
Leat is responsible for, and must be able to demonstrate compliance with, the aforementioned principles.
Principles of proportionality and subsidiarity
Leat shall Process Personal Data in accordance with the principles of proportionality and subsidiarity. Therefore, the intrusion into the personal life of the Data Subjects may not be disproportionate in relation to the purpose of the data Processing, and where the purpose of the Processing can be reached in another, less far-reaching way for the Data Subjects, that way must be used.
5. Rights of Data Subjects
Data Subjects have the following rights regarding the Processing of their Personal Data:
the right of information;
the right of access;
the right to rectification;
the right to erasure;
the right to data portability;
the right to object against the data Processing;
the right to restrict the Personal Data Processing;
the right to withdraw consent; and
the right to lodge a complaint with the Supervisory Authority (in the Netherlands: Autoriteit Persoonsgegevens).
The procedures of Leat that enable the Data Subjects to exercise these rights, are described below. With regard to exercising Data Subject rights, and in case of any comments or questions regarding Personal Data, please contact Leat via: martha@leat.com.
5.1 Right of information
The Data Subjects are informed about the Processing of Personal Data that relates to them, before these Personal Data are being Processed (e.g. before the start date of an employment, in an employee handbook or welcome letter). The information should be brief and understandable for the employee.
5.2 Right of access
A Data Subject may file a request for access with Leat, which will inform the Data Subject as soon as possible, and in any event within one (1) month after receiving the request. The request shall be complied with in time, and if not, the response shall be accompanied by the reasons for the delay or rejection. The response shall state the following:
a) whether Leat holds any Personal Data relating to the respective Data Subject; and,
b) if so, information is provided on (i) the purposes of the Processing, (ii) the categories, (iii) the recipients (if applicable), (iv) the envisaged Retention Period, or the criteria used to determine the Retention Period, (v) the existence of the right to request rectification, erasure or restriction to such Processing, (vi) the right to lodge a complaint with a Supervisory Authority, (vii) the existence of automated decision-making, (viii) any available information as to their source where the Personal Data are not collected from the Data Subject and (ix) the appropriate safeguards taken where the data is transferred to a third country.
5.3 Other rights of Data Subjects
After a Data Subject has accessed the Personal Data, he/she may request Leat to correct, restrict, amend, add, erase and/or transport the Personal Data in a machine-readable format to the Data Subject or a third party, as requested by Data Subject.
Leat will comply with a legitimate request of a Data Subject if the Personal Data are factually incorrect, incomplete, or irrelevant for the purpose(s) of the data processing, or otherwise processed in violation of the applicable laws.
With regard to a request to erase Personal Data, it should be taken into account that Leat shall not comply with such request, if it is incompatible with any legal obligations of Leat.
If a request is allowed, Leat shall execute the decision to correct, restrict, amend, erase and/or transport the Personal Data as soon as possible.
In the event of concerns about the handling of Personal Data, or if requests of Data Subjects have not been handled in a timely and/or correct manner by Leat, Data Subjects also have the right to lodge a complaint with a local Supervisory Authority (in the Netherlands: Autoriteit Persoonsgegevens).
6. Security measures and Data Breach notification
6.1 Security measures
Leat has taken adequate organizational and technical measures for the security of Personal Data, consisting of at least:
physical security;
passwords (which are stored salted);
role-based access controls, on a ‘need to know’ basis;
pseudonymization;
encryption;
2-factor authentication; and
measures that prevent reading, copying, changing or removing of personal data during its storage, processing and transport.
A further description of the security of Personal Data can be requested from Leat’s privacy contact person, whose contact details are martha@leat.com.
6.2 Data Breach notification procedure
Leat is obligated to notify Data Breaches to a data protection Supervisory Authority and, if the Data Breach may have negative consequences for Data Subjects, also to the Data Subjects involved.
6.2.1 Data Breach Analysis
All of Leat’s employees should notify a (suspected) Data Breach to Leat’s privacy contact person immediately after discovering it, via the contact details: martha@leat.com. To the extent possible, this notification contains the following information:
the Personal Data involved;
the nature of the Data Breach;
the categories and approximate number of Data Subjects concerned;
the categories and approximate number of Personal Data records concerned;
the period in which the Data Breach occurred;
the likely consequences of the Data Breach;
a description of the actual and suspected negative consequences of the Data Breach;
the measures taken and/or proposed by data Processors to address the Data Breach, including measures to mitigate the possible adverse effects of the Data Breach; and
the name and contact details of relevant internal and external stakeholders where more information can be obtained.
If the privacy contact person is notified about a Data Breach, the privacy contact person shall investigate to establish whether an actual Data Breach has occurred.
After establishing that a Data Breach has occurred, the privacy contact person will assess whether the Data Breach falls within the scope of the GDPR. The GDPR applies when the Data Breach relates to the Processing of Personal Data in the context of the activities of Leat within the EU. Furthermore, the GDPR applies if the Data Breach relates to activities of Leat outside the EU, where Processing is related to:
the offering of goods or services to Data Subjects in the EU; or
the monitoring of the behaviour of Data Subjects, as far as the behaviour takes place within the EU.
Should the GDPR not be applicable, the privacy contact person will assess which laws and regulations are applicable to the Data Breach.
If according to this assessment of the applicable laws and regulations, the GDPR is applicable, the privacy contact person will assess whether Leat qualifies as a Controller or a Processor in respect of the Data Breach.
As Controller, Leat will notify, where appropriate, the Supervisory Authority and the Data Subjects in line with this Data Breach Procedure. As Processor, Leat shall first assess the relevant data processing agreement, liaise with the Controller and agree with the Controller on the next steps.
6.2.2 Notification to competent Supervisory Authority
After establishing that it concerns a Data Breach, the privacy contact person should notify the competent Supervisory Authority within 72 hours after becoming aware of the Data Breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
The privacy contact person will define the level of risk of a Data Breach based on the severity of the potential impact and the likelihood of this occurring. Furthermore, the privacy contact person will take into account the following factors:
type of Personal Data Breach;
the nature, sensitivity and volume of Personal Data;
ease of identification of Data Subjects;
severity of consequences for Data Subjects;
special characteristics of the Data Subjects; and
special characteristics of the data Controller.
Based on the assessment above, the privacy contact person shall establish and document whether the thresholds for notifying as described in this paragraph are met.
Once the privacy contact person has established that the Data Breach should be notified to a Supervisory Authority, the privacy contact person shall notify the Supervisory Authority. The competent Supervisory Authority for Leat in the Netherlands is the Dutch Data Protection Authority (in Dutch: Autoriteit Persoonsgegevens).
This notification includes at least:
a description of the nature of the Data Breach, including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
the name and contact details of the privacy contact person;
a description of the likely consequences of the Data Breach; and
a description of the measures taken or proposed to be taken by Leat to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
In case it is not feasible for the privacy contact person to provide the competent Supervisory Authority with the above-mentioned information within 72 hours, the privacy contact person shall provide as much information as possible and complement the notification with the required information as soon as possible. Where it is not possible to provide a notification within 72 hours, the privacy contact person shall provide the competent Supervisory Authority with an explanation for the delay.
6.2.3 Notification to Data Subject
Furthermore, notification to the Data Subjects is required when the Data Breach is likely to result in a high risk to the rights and freedoms of Data Subjects, unless one of the following exemptions applies:
Leat has implemented appropriate technical and organizational measures in order to avoid unlawful access to Personal Data, and those measures were applied to the Personal Data affected by the Data Breach, in particular those that render the Personal Data unintelligible to any person who is not authorized to access it, such as encryption;
Leat had taken measures after discovering the Data Breach in order to prevent the consequences of the Data Breach, which ensure that the high risk to the rights and freedoms of Data Subjects is no longer likely to occur; or
it would involve disproportionate effort to notify the Data Subjects, in which case there shall be a public communication or similar measure whereby the Data Subjects are informed.
The information shall be provided to the Data Subjects without undue delay (as soon as possible). The privacy contact person shall provide at least the following information (in clear and plain language) when notifying the affected Data Subjects:
a description of the nature of the Data Breach;
the name and contact details of the privacy contact person;
a description of the likely consequences of the Data Breach; and
a description of the measures taken or proposed to be taken by Leat to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
The notification to Data Subjects shall be done via a dedicated message, in order to ensure that the communication is clear and transparent. Where appropriate, the privacy contact person shall provide specific advice to Data Subjects to protect them from possible adverse effects of the Data Breach.
6.2.4 Registering Personal Data Breach
For each Data Breach (regardless of whether the breach should be notified), the privacy contact person shall describe and document the information as described in paragraphs 6.2.1 to 6.2.4 of this Policy, including the facts relating to the Data Breach, its effects and the remedial action taken. Where possible, all considerations, assessments and decisions made in respect of the Data Breach should be documented. The purpose of this documentation is to enable Leat to meet the GDPR accountability requirements.
To facilitate this, all documentation regarding Data Breaches shall be recorded in an internal register. It should be possible to hand this information over to a Supervisory Authority upon request.
7. Disclosures of Personal Data
We may share your personal data with the parties set out below for the purposes set out in the table ‘Purposes for which we will use your personal data’ above.
Internal Third Parties as set out in the Glossary.
External Third Parties as set out in the Glossary.
Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this Policy.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
8. International Data Transfers
Leat aims to Process Personal Data within the European Union/European Economic Area (“EU/EEA”) and to limit its transfers of Personal Data to third countries or international organisations outside the EU/EEA. However, due to its reliance on Third Parties, Leat is unable to fully exclude such transfers. These transfers only take place in compliance with the Applicable Laws and where appropriate safeguards are in place that ensure the level of protection of Data Subjects required by these Applicable Laws (e.g. transfers on the basis of an adequacy decision or the standard EU Model Clauses).
9. Training and awareness
Leat will maintain a program of training and review to ensure compliance with this Policy. To promote GDPR awareness to its employees, Leat facilitates ‘GDPR awareness trainings’. Leat’s management, in collaboration with the privacy contact person, is responsible for implementing and overseeing the administration of this Policy.
Employees whose responsibilities include the Processing of Personal Data are required to adhere to this Policy and any implementing policies. Failure to do so is deemed a serious offence, for which disciplinary action may be taken, potentially resulting in termination of employment. Inquiries or concerns about properly fulfilling the requirements of this Policy should be directed to the privacy contact person.
10. Changes to this Policy
Leat reserves the right to make changes to this Policy. It is recommended that you consult this Privacy Policy regularly so that you are aware of any changes.