As part of a service contract, CF Benelux B.V. (hereafter CFI) operating under its tradename of CFI Netherlands, collects and processes personal data for and on behalf of its clients, including names and addresses, gender, dates of birth, citizen service numbers, Chamber of Commerce details and copies of IDs.
CFI strictly complies with the General Data Protection Regulation (GDPR).
CFI also processes personal data on leads, prospects, suppliers, relations and job applicants, as well as on its own employees, subject to the provisions below.
How do we process personal data?
CFI processes personal data in the manner set out in this statement, unless we are legally obliged to do otherwise, for instance to comply with provisions under the Dutch Money Laundering and Terrorist Financing Prevention Act (Wet ter voorkoming van witwassen en financiering van terrorisme). If this is the case, we will always inform the client involved.
Unless we have made alternative written arrangements with the client, all personal data processed will remain within the EU.
All sub-processors, such as software suppliers or other third parties that process personal data on our behalf, must comply with GDPR regulations. Clients who agree a service contract with CFI agree to the use of these sub-processors.
Save, disclose, unsubscribe
Personal client data is kept for no longer than is necessary following termination of the assignment, unless such data must be stored for a longer period for post-contractual or legal reasons.
Personal data regarding CFI employees, trainees, hired or temporary employees, or freelancers is stored for no longer than legally necessary following the employment, internship, hiring, temporary employment or management contract, usually seven to ten years.
Personal details regarding job applicants will be stored for 12 months after the vacancy has been filled.
In view of the legal retention period and other professional regulations, we are generally unable to comply with client requests for the destruction or return of personal data upon completion of our services. However, we aim to fully cooperate with any request made. Any costs are for the client’s account.
Clients who do not wish to receive any direct mail can unsubscribe or indicate that they no longer wish to receive any mail.
CFI will observe requests for the disclosure of personal data only if made by an authorised authority, and will inform the client accordingly.
All CFI employees are contractually obliged to observe confidentiality. This also applies to sub-processors.
Appropriate technical and organisational security measures are in place to prevent the abuse of or unauthorised access to personal data. Access to your data is restricted to specific employees only. In addition to system security measures, we ensure that employees with access to personal data are properly instructed on handling personal data and that they are familiar with their responsibilities and legal obligations.
How do we deal with data leaks?
A data leak is a breach of security that inadvertently or unlawfully leads to – or where it can not reasonably be excluded that it may lead to – the destruction, loss, modification or unauthorised disclosure of or unauthorised access to transmitted, stored or otherwise processed personal data.
CFI has created an email address (firstname.lastname@example.org) where clients, employees, sub-processors and third parties can report incidents. CFI responds to notifications promptly, no later than 72 hours, and will take every action necessary to prevent further damage. As required by law, all data leaks with possibly major implications are reported to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) and to the party whose personal data is involved. Incidents detected by CFI are also reported to the Dutch Data Protection Authority.
General terms and conditions
Our general terms and conditions apply to all of our services. By accepting our services, clients agree that they are in the possession of, are familiar with, and agree to our general terms and conditions as well as this privacy statement.
How do we deal with liability?
Clients who transfer any of their employees’ personal details to us must inform these employees in accordance with applicable legislation. We cannot be held liable for any damage resulting from any non-compliance by our clients with regard to the GDPR or any other legislation. Clients shall also indemnify us against any third-party claims for any material or immaterial damage suffered by such third parties, and any costs incurred by us due to clients’ non-compliance.
Additions or changes to the privacy statement
CFI shall keep this privacy statement up-to-date at all times by adjusting it as and when necessary. We will inform our clients if we make any significant changes or additions to this statement following new or amended legislation. If we are no longer confident that we meet a certain standard of protection, we may terminate the service contract.
Upon request, parties shall cooperate with regulatory services in the performance of their duties.
Dutch law is applicable to these provisions. The Dutch court has jurisdiction to hear any disputes arising from or related to these provisions.
This privacy statement forms an integral part of our service contracts and is binding upon all parties. This privacy statement takes precedence over the provisions of our general terms and conditions, unless explicitly stated otherwise.
 The client is the person(or entity) with whom CFI has entered into an oral or written agreement for services.