This is the Privacy Statement for users of our Select service and our other solutions to align the supply and demand of a contingent workforce. Select is an online hiring platform where independent professionals and suppliers of professionals can meet. Select is provided by HeadFirst B.V. and its affiliated entities. In what follows, we will use HeadFirst, we, our and us to refer to the data controllers in this Privacy Statement.
We process your personal data when you use Select, when you visit one of our websites, including www.headfirst.nl, and when you contact us. For example, you can contact us via email, request information and chat with us via our website. We may also process your personal data when a supplier you work with enters your personal data in Select.
Carefully handling your personal data is important to us and we like to be clear about this to all Select users and other persons whose personal data we process (hereinafter referred to as “Data Subjects”). In this Privacy Statement, we will explain how we handle your personal data.
Who are the controllers?
The controller is the party that determines how and why personal data are processed. The controller determines the purpose of and the means for the data processing. Under the General Data Protection Regulation (GDPR), most obligations rest with the controller and it is also the first point of contact for you as the Data Subject.
HeadFirst has joint data controllers. This means that several parties jointly determine how your personal data are processed. We have designated a principal controller to make sure it is clear to Data Subjects who they can contact if they have queries or complaints. This is HeadFirst B.V., with its registered office at Polarisavenue 33, 2132JH in Hoofddorp. You can reach us by telephone on +31 (0)23 568 56 30 and by email via firstname.lastname@example.org. Other entities from our group that may process your personal data as a controller are the following:
- Associates B.V.
- Designated Professionals B.V.
- HeadFirst Germany GmbH
- HeadFirst IT B.V.
- HeadFirst Poland sp. z o.o.
- Jenrick Nederland B.V.
- Jenrick Payroll Services B.V.
- Myler B.V.
- Oyster Coast B.V.
- Proud ICT B.V.
- Proud Payroll B.V.
- Source Automation B.V.
- Source Automation BV. (Belgium)
- Source Automation Luxemburg SA
- Source Payroll Services B.V.
If you are a professional whose personal data are provided to us by a supplier and you yourself are therefore not using Select, that supplier is classified as an independent controller. In that case, the supplier determines the purpose and the means, and is the first point of contact for you if you want to exercise your rights under the GDPR. The supplier may have its own privacy statement and its own terms and conditions. We advise you to read them.
What personal data do we process?
What personal data we process depends on the services you are using and the capacity in which you are using those services.
Visitors to our Websites, readers of our mailings
- Data you disclose to us. We use several websites including headfirst.nl (hereinafter referred to as the “Websites”). If you visit our Websites, you may disclose personal data to us, e.g. because you send us an email with a query or request, or because you are using a chat function or fill in a contact form on our Websites. In that context, we may process your name, email address, or other contact details. We will also process other personal data insofar as you disclose such data in your query or request or during the chat.
- Personal data generated by our Websites or via emails. When you visit the Websites, certain data will be processed and generated, e.g. your IP address, browser data, surfing behaviour, the date and time of your visit and how you navigate our Websites. If you open a newsletter or commercial email from us, we may record when you opened it and which segments you clicked on. To do so, we process your email address, IP address, time of receipt, time of opening and clicking behaviour.
Independent professionals who use Select
- Sign up. When you sign up as an independent professional with Select, we will in any event ask you to disclose the following personal data: first and last name, sex, address and postcode, email address, country of origin and nationality, telephone number, mobile telephone number, date of birth, the type of assignments that you would like to be eligible for, the name of your company, Chamber of Commerce number, password and whether you would like to avail yourself of our additional services. We also offer you the opportunity to upload a photo to your account.
- Profile. Once you have signed up, we will ask to you complete your profile and disclose data that allow us to introduce you to clients or to respond to assignments. Aside from the personal data that you disclose when you sign up, we also process other personal data such as: data relating to your account, e.g. your profile number, the dates on which it was created and its status. You can also add more data on your professional background, cv, availablity, rates and assessment results to your profile. In addition, we process some data about your company, such as its name and address, but you can also upload an audit opinion and add data regarding your g-account and turnover tax. We will also ask you for your bank details and VAT number for invoicing purposes. Where permitted or required by law, we may ask you for your BSN (citizen service number). If you make use of our additional services (Premium or Excellent), we will ask you for certain data on professional or business liability insurance.
Where required by law, we will check your identity by means of a valid identity document. We may also call in the assistance of an external service provider to check your identity document on our behalf. This will be done digitally. The service provider processes the personal data on your passport, your photo and your email address. We will receive the outcome of that check and the date on which it was carried out. If you do not want your identity document to be checked digitally, you can opt to come by our office for the ID check. We will record when your ID was checked and information about the identity document that was checked, such as the type of document, country of issue, number and term of validity. If you are a national of a country outside the European Economic Area (EEA) or Switzerland or if you have Croatian nationality, we may ask you for a work permit. In that case, we may store a copy of your passport and a copy of the permit concerned.
- Digital Vault. Important documents are stored in your Digital Vault. In that safe we may process personal data that are stated in the documents you have uploaded, e.g. your audit opinion, certificate of good conduct (including an application for said certificate), pre-employment screening, codes of conduct, NDAs, security clearances, accreditations and diplomas. The Digital Vault also stores the outcome of the ID check and a copy of your passport and work permit, when we are required to record those.
Clients who use Select
Clients may put assignments in Select. We process personal data of the contacts of our clients. If you are the contact for a client, we may process the following personal data: data about the organisation where you work, your email address, telephone number, mobile telephone number, password, profile number, data about the creation of your client account and its status, and data about the contact you have had with us.
Suppliers who use Select
Suppliers are organisations who provide professionals they work with through Select to the organisations affiliated with us in their role as client. If you are the contact for a supplier, we may process the following personal data: data about the organisation where you work, your email address, telephone number, mobile telephone number, password, profile number, data about the creation of your supplier account and its status, and data about the contact you have had with us.
Professionals who are signed up by a supplier or another third party
If you did not sign yourself up to Select, but were signed up by a supplier who put your personal data in our system, we may process those personal data in line with this Privacy Statement. We may process your personal data for the purposes specified in this Privacy Statement under ‘Services’ and ‘Compliance and security’. We have a legitimate interest in this further processing, i.e. to be able to provide our customary services, to comply with agreements with and assignments from suppliers and clients, and to be able to meet the applicable market quality standards. We also have a legitimate interest in ensuring that the supplier who works with us can fulfil its obligations to you and in ensuring that you can be used for the selected assignment. We always weigh up our interests and your privacy interests as a Data Subject. If you want more information on this weighing up of interests, please contact us via the contact details stated under ‘Who are the controllers’ in this Privacy Statement.
If you were signed up by a supplier, you do not have your own account with your own password. The supplier provides your personal data to us and is the controller in that respect. If you want to know more about how the supplier handles your personal data and which of your personal data it discloses to us, we advise you to read the supplier’s privacy statement or to ask the supplier for information. We are neither responsible nor liable for the personal data that the supplier processes. This Privacy Statement solely covers the further processing of personal data by us.
For what purposes do we process personal data?
Our core activity is to mediate in the hiring of external professionals and contract management. Select facilitates simple matchmaking between professionals and clients. In that context we process your personal data for the following purposes:
- Registration of the independent professional, the supplier and the client.
- Creation of the Select account.
- Account management, dealing with queries and requests from the professionals, clients and suppliers.
- Verification of the account, check on its completeness.
- Presenting professionals to clients, making professionals available.
- Finding the best match between the client’s assignment and the most suitable professional.
- Concluding agreements with professionals, suppliers or clients for the client’s assignment.
- Contract management, financial handling of contracts, cost and expense calculation.
- Providing services to professionals, clients and suppliers as agreed.
- Supporting professionals, clients and suppliers in meeting their administrative obligations and implementing agreements.
- Contract maintenance, answering queries and requests.
- Providing supplementary services, improving services.
- Providing information about the services of HeadFirst and its partners and relevant development in the market.
- Marketing and promotion of our services and measuring their effectiveness.
Compliance and security
- Internal audit and security. Preventing, detecting and investigating infringements of our security system.
- Compliance with laws and regulations; preventing, detecting and investigating fraud and illegal activity.
- Handling claims and complaints.
- Compliance with court rulings and orders, implementing requests from public authorities.
- Compliance with tax obligations resting with us or our suppliers/clients, limiting liability.
- Protecting our activities, our rights, security and property.
On what grounds do we process personal data?
We process personal data only if there is a legal basis for doing so.
- Performance of the agreement. We conclude agreements with professionals, suppliers and clients on the basis of which we process personal data. These agreements relate to the services we provide. It is also conceivable that we request personal data from you before concluding an agreement to enable us to form the agreement.
- Consent. In certain situations, we may ask for your consent prior to the data processing. For example, we ask for your consent before sending you certain news reports. After giving your consent, you may revoke it at any time, following which we will refrain from any further processing of your personal data for the purposes covered by the consent.
- Legal obligation. In some cases we are required by law to process certain personal data. For example, pursuant to the Foreign Nationals Employment Act (Wet arbeid vreemdelingen) or tax obligations. A legal obligation may also mean that we are required to share certain personal data with clients, supervisory authorities or other third parties for further processing.
- Legitimate interest. We may process personal data because we have a legitimate interest in doing so, or because the organisation to which we disclose your personal data has a legitimate interest. For example, to prevent tax liability or reduce the risk of such liability, or to prevent and investigate fraud. We also have a legitimate interest in further processing personal data of professionals who are signed up to Select with their consent in order to be able to provide our services and to put the professional on an assignment. We always weigh up our interests and those of the Data Subjects. If you want more information on this please contact us via the contact details stated under ‘Who are the controllers’ in this Privacy Statement.
We carry out pre-employment screening for some assignments. We do so because the client requests it, e.g. because it is required by law (e.g. under the Financial Supervision Act (Wet financieel toezicht)) or because it follows from the nature of the assignment. Where necessary, we will inform you that screening is part of the selection procedure for the assignment you are eligible for and we will explain how we are going to carry out the screening.
If a client indicates that screening is desired or required, we will always check the nature of the assignment, how the screening needs to be carried out and what the client’s legitimate interests are. We will weigh up the client’s interests and your privacy interests. We will only carry out the screening if your privacy interests do not impede it.
If we carry out screening, we will process data about your suitability, reliability and integrity that are relevant to the performance of the assignment. The extent of the screening depends on the assignment. We may, in any event, check the data that you or the supplier completed in Select as part of the screening. Added to that, and depending on the nature of the screening, we may process information about references, former employers/clients, antecedents, data on previous performance, suspension or dismissal, a certificate of good conduct or a certificate of no-objection and a list of ancillary positions.
Depending on the nature of the screening, we disclose your personal data to the client. We may also ask you to fill in a screening form provided by the client. The information completed on the form is only processed for the deployment at the client stated on the form and shared with this client, unless otherwise agreed. It is also conceivable that we carry out screening and only let you know whether you completed the screening with a positive result. In that case, we will not share any other data with the client.
If you are a professional, we may analyse the personal data you have disclosed which relate to your professional background and prepare profiles based on those data. That helps us to ascertain which assignments and which clients would best suit your knowledge and experience. We prepare profiles using the keywords you have filled in and one of our staff members will check the result. Added to that, we may use special software to match the text in your profile and CV with an assignment.
We will not take fully automated decisions (without human intervention) that significantly impact you as a professional on the basis of the profiles prepared by us and the outcomes of the matching software.
We offer you the option to subscribe to our newsletters and to other direct-marketing communications from us or from other companies within our group. If you have consented to this, we may also send you messages about initiatives taken by our associate partners. You can easily unsubscribe from our communications at any time by using the unsubscribe link in the emails or by updating your preferences in your profile environment.
We use conventional tracking techniques that provide information on the reach and effectiveness of our direct marketing communications. This enables us to improve our service provision and to focus our information and communications on the relevant target groups.
Who can access your personal data?
Our staff members can access your personal data on a need-to-know basis. This also means that people working for the companies affiliated to us can access your personal data to the extent necessary to provide our services.
In certain situations, we may share personal data with third parties. We will do so only if this is necessary to provide our services and if it is in keeping with the purposes described in this Privacy Statement.
- From within our group, we may share personal data with affiliated entities, whether or not they qualify as joint controllers. We may also share personal data with legal successors (including envisaged legal successors) as well as with potential and new group entities and/or their shareholders if they intend to work with us or continue to provide our services.
- We may share professionals’ personal data with our clients and with any supplier who has registered the professional in Select. These parties can be classified as independent controllers.
- We may share personal data with service providers we work with who qualify as independent controllers, such as financial service providers, legal advisers, consultants, auditors and credit and security providers. We may also use services provided by a third party for pre-employment screening. We always decide in advance which personal data need to be disclosed to such parties to enable them to provide their services. If necessary, we make additional arrangements about the division of responsibilities.
- We use service providers for aspects such as managing Select and for hosting. We also use service providers to check your identity document on our behalf, and we use software solutions for the automated processing of CVs and to match CVs with assignments. Where such service providers process personal data on our behalf as processors, we set out the arrangements in a processing agreement.
- We only share personal data with supervisory authorities, tax authorities and investigative bodies if and to the extent that we are obliged to do so by law.
Will your personal data be safe?
We have taken appropriate technical and organisational security measures in order to protect the personal data we process against loss or unlawful use. For example, we secure our systems and applications in accordance with the information security standards currently in force. In addition, we have made arrangements with our service providers and obliged them to take adequate security measures.
Will your personal data be processed outside the EEA?
In principle, we process your personal data within the European Economic Area (EEA). We use servers that are in Europe and our group companies are established in the EEA. Because we may use the services of processors who have their main establishment outside the EEA, it cannot be ruled out that we may share personal data with organisations outside the EEA, either directly or indirectly. Where this is the case, we will take appropriate measures to legitimise such processing, including entering into a transfer agreement on the basis of standard contractual clauses (SCCs) approved by the European Commission. If required, we will take additional measures to ensure an adequate level of protection. If you want to know more about the transfer of personal data and how this is legitimised, contact us using the contact details provided in this Privacy Statement.
How long do we retain your personal data for?
We retain personal data only for as long as this is necessary for the purposes described in this Privacy Statement. We have drafted a retention policy in this regard. This includes the following retention periods:
- We retain personal data of our business customers, including suppliers, clients and professionals, for up to two years after our business relationship with them has ended. This applies inter alia to the profiles in Select.
- We retain business agreements and any correspondence about them for seven years after the contractual relationship has ended unless there are still disputes or proceedings pending in that regard.
- We retain personal data relating to the verification of your identity for five years after our business relationship has ended.
- We retain registration data for the newsletters until you have unsubscribed from them, up to a maximum of two years after our business relationship ends.
- We retain complaints, correspondence about disputes and reports on incidents for seven years after they have been fully dealt with.
- We retain documents on payrolling as well as salary records for seven years.
- We refer you to our Cookie Statements on the Websites for the retention periods that apply to cookies.
What are your rights regarding your personal data?
Under privacy legislation, you have a number of rights in relation to your personal data and their processing. You can invoke your rights by contacting us using the contact details provided in this Privacy Statement under the heading “Who are the controllers?” We will assess your request and handle it within one month. If we need more time to comply with your request, we will let you know within one month that we will need another two months. We may ask you additional questions after you have submitted your request in order to establish your identity. Alternatively, we may ask you to specify your request.
Access to personal data
You have the right to hear from us about whether we are going to process your personal data and, if so, to be granted access to those personal data and to obtain additional information about the processing of your personal data. If you are a supplier or a professional, you can access your personal data clearly and easily by logging in to Select. If you want a more complete overview or more information about the data processing, you can submit a request for access to us.
Right to rectification
You are entitled to the rectification of incorrect or incomplete data. You may also supplement your personal data. If you have access to Select as a professional, you can supplement or alter your personal data in it.
Right to be forgotten
In certain circumstances, you are entitled to the deletion of your data. At your request, we will remove your personal data if processing is no longer necessary. If you have access to Select as a professional, you can delete your personal data in it.
Right to restriction of processing
In some instances, you are entitled to restrict the processing of your personal data, for example if you are of the opinion that your personal data are not correct. If we grant your request for a restriction, we will not be allowed to process your personal data for as long as that restriction applies.
Right to data portability
You have the right to receive the personal data you have disclosed to us in a structured, commonly used and machine-readable format and you have the right to transmit those data to another controller, where the processing is based on your consent or an agreement.
Right to object
You have the right to object to the processing of personal data based on HeadFirst’s legitimate interests. HeadFirst will then no longer process the personal data unless we can demonstrate that there are grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of a legal claim.
Where personal data is processed for direct marketing purposes, you can unsubscribe in any communication.
If you have any complaints about how we deal with your personal data, you can telephone us on +31 (0)23 – 568 5630. Alternatively, or you can send an email to email@example.com. We would be happy to help you find a solution. If you are not satisfied, then you can always contact the Dutch Data Protection Authority.
Events evolve rapidly, which can sometimes lead to changes in your personal data which we ask of you and process. Laws and regulations can also change. Consequently, we may amend this Privacy Statement from time to time. The amended Privacy Statement will be published on our website, stating the date when the amended version becomes effective. If there are substantial or material changes that could considerably affect one or more Data Subjects, we will also endeavour to inform the Data Subjects in question about that directly. This Privacy Statement was most recently amended on 15 December 2020.