Privacy Policy

Table of Contents                                                                  

1. Objective               

2. Scope and governance

3. Key definition

4. Processing of personal data

4.1 Personal data processed by BSC

4.2 Business purposes

4.3 Principles

4.4 Processing special categories of Personal Data

5. Register

6. Disclosure of personal data to third-party

7. Transfer of data outside the EEA

8. Rights of Data Subject

8.1 Transparency - information

8.2 Request

8.3 Complaint

8.4 Procedure

9. Security and other control measures

9.1 New processing and changes in processing

9.2 PIA

9.3 Security

10. Data retention

11. Reporting Data Leak

Appendix: Legal Retention Scheme

1. Objective

Black Swan Capital B.V. (hereinafter: BSC) processes Personal Data from individuals in its business operations. This concerns Personal Data from, amongst others, past, current and potential Employees and Clients, other stakeholders such as business partners, and any other individuals with whom BSC interacts for business purposes.

BSC considers it important that Personal Data is handled carefully and treated confidentially. The processing of Personal Data must be done with the utmost care in order to prevent damage caused by abuse. Any incidents involving Personal Data may lead to loss of confidence, a disturbed relationship and can damage the reputation of BSC. Violations of privacy legislation may lead to penalties and/or claims for damages imposed by the Data Protection Authority (Autoriteit Persoonsgegevens (AP)) on BSC.

This document describes the Privacy Policy of BSC and outlines the manner in which Personal Data is collected and to be handled within BSC. The objective is to provide clear standards and instructions for the processing of Personal Data within BSC, in order to comply with applicable privacy legislation.

This policy furthermore includes:

  • Legal Retention Scheme (Annex)

2. Scope and governance

This Privacy Policy applies to the processing of all Personal Data within BSC. It is mandatory for any Employee who, in the performance of their role within BSC, processes Personal Data from individuals based within the EU. To have a consistent process, BSC has decided to make the Privacy Policy applicable to all Personal Data, including Personal Data collected outside the EU from individuals outside the EU.

The Privacy Policy is based on the General Data Protection Regulation (2016/679/EC, hereinafter: GDPR).

The Board of Directors is responsible for the implementation of the Privacy Policy. The policy is evaluated annually and revised if necessary.

The following tasks relating to privacy are carried out by the General Manager:

  • Contact point for the Data Protection Authority

  • Point of contact for individuals when exercising their rights

  • Advisory role in implementing Privacy Impact Analyses, if applicable

  • Drafting and evaluation of the Privacy Policy

3. Key definition

GDPR  

General Data Protection Regulation

Data Subject

Any natural person to whom Personal Data relates and whose Personal Data is processed.

Personal Data

Any information relating to an identified or identifiable natural person (‘Data Subject’).

An identifiable natural person

Any natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Sensitive Personal Data

Personal Data revealing a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex, criminal convictions and offences or related security measures.

Processing

Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Processor

A natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.

Data Leak

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

Employee(s)

For practical reasons, the word ‘employee’ will have a broad scope in this policy and will include any potential, current or former employee (including board member), temporary (agency) worker, volunteer, intern or other non-permanent employee or worker.

European Economic Area (EEA)

Currently including the following countries: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Republic of Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, The Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, the UK.

Client(s)

Under Client(s) it is understood any current, former or future party BSC is servicing and/or with which BSC has entered into a Client Agreement.

Controller

A person or organization which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. In the context of this policy, BSC is a Controller.

Consent

Any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data related to him or her.

4. Processing of Personal Data

4.1. Personal Data processed by BSC

BSC processes the following Personal Data in its business operation:

Clients and individuals in the role of representatives, Ultimate Beneficial Owners (UBOs), board members or senior managers of the Client - Personal details: name, address, place of residence, gender, date of birth, nationality, images of signatures, location. Contact details: address, telephone number, fax number, email address. Employment details: profession and employment, function/role. Judicial data. Identification number. Copy passport. Biometrical data as shown in passport.

Other business relations, including prospects - Name, address, place of residence, gender, birth date, nationality, contact details, location data

Employees - Name, address, place of residence, gender, birth date, nationality, contact details, country registration numbers (BSN, ID nr), personal financial information, information related to health, training and education, profession and employment, copy passport/ID, screening info, family composition, image material, location data, psychological data.

Applicants - Name, address, place of residence, gender, birth date, nationality, contact details, training and educations, profession and employment, family composition, image material, location data

4.2. Business purposes

BSC only uses Personal Data for legitimate business reasons. BSC uses the Personal Data in the following ways:

  • When entering relationship with Clients.

  • Managing the relationship with Clients.

  • To ascertain that individuals are authorized to represent the Clients BSC does business with.

  • When executing the contract; this includes: investment advice, the receipt and transmission of client orders, portfolio management, and reporting about the investment(s) and other administrative issues.

  • For the detection and prevention of fraud, money laundering and terrorist financing. This includes KYC and CDD. BSC is obliged to collect Personal Data, for example to comply with regulations against money laundering, terrorism financing and tax fraud.

  • To complete any requests of individuals.

  • For marketing purposes.

  • For archiving purposes. BSC stores data for legal proceedings, or for historic or statistical purposes.

  • For the execution of employment contracts and the recruitment and selection of (potential) Employees.

4.3. Principles

All Employees in performing their role and carrying out their responsibilities within BSC, must process Personal Data only in accordance with the following basic privacy principles.

Fairly, transparently and lawfully - The processing of data by BSC is done fairly, transparently and lawfully. Lawful means that processing only takes place if and to the extent that at least one of the following applies:

  • the Data Subject has given consent to the processing of his or her Personal Data for one or more specific purposes;

  • processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;

  • processing is necessary for compliance with a legal obligation to which BSC is subject;

  • processing is necessary in order to protect the vital interests of the Data Subject or of another natural person;

  • processing is necessary for the purposes of the legitimate interests pursued by BSC or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data, in particular where the Data Subject is a child.

Purpose limitation - Personal Data are collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

Data minimisation - Personal Data are adequate and relevant and are limited to what is necessary for the purposes for which they are processed.

Correctness - Personal Data are correct and are erased or rectified if necessary.

Storage limitation - Personal Data is kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed.

Integrity and confidentiality - Personal Data are processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

Accountability - Personal Data are processed under the responsibility of BSC, which ensures and can demonstrate that processing complies with the provisions of the GDPR.

4.4. Processing special categories of Personal Data

The legal grounds necessary to process special Personal Data are more restrictive. In principle, BSC does not process any Special Personal Data, namely a person's religion or belief, race, political preference, health, sexual life, membership of a trade union as well as criminal record.

There are exceptions, for example the use of special Personal Data under the act for the prevention of laundering and financing of terrorism, know your client investigation.

In the case of modified or new processes or systems, when performing a data assessment (see paragraph 9.2), it is assessed whether Special Personal Data are processed and whether the processing of these Personal Data is necessary and what control measures need to be taken.

The use of Special Personal Data must in all cases first be submitted to the Compliance Officer who makes an assessment.

5. Register

The Compliance Officer maintains a register containing the processing activities for which BSC is responsible. The register contains all of the following information:

  • The name and contact details of BSC;

  • The contact details of the Compliance Officer;

  • Where applicable the name and contact details of parties with whom BSC is jointly responsible for the processing;

  • The purposes of the processing;

  • A description of the categories of Data Subjects and of the categories of Personal Data;

  • The categories of recipients to whom the Personal Data have been or will be disclosed including recipients in third countries;

  • Where applicable, transfers of Personal Data to a third party;

  • The intended deadlines within which the different categories of data must be deleted;

  • A general description of the technical and organizational security measures taken.

  • When BSC proceeds to new forms of processing of Personal Data or adjustments to existing processing of Personal Data, the register is adapted accordingly.

6. Disclosure of Personal Data to third-party

For the execution of its services, BSC may share Personal Data with third parties. BSC remains the Controller for these Personal Data. A processor agreement must always be concluded with these parties where necessary or an addendum is added to existing contracts.

BSC records every Processor in its register. When BSC proceeds with new Processors of Personal Data, the register is adjusted accordingly.

7. Transfer of data outside the EEA

Anyone within BSC shall think carefully before sending Personal Data outside the organization. It is not allowed to disclose Personal Data to persons outside the EEA unless it is certain that they are authorized to receive it and have a proper purpose.

The transfer of Personal Data to non-EEA countries, including group entities in non-EEA countries, is only allowed if a sufficient level of protection is guaranteed as set out below:

  • The receiving party of the data is located in a country recognised by the European Commission as offering an adequate level of protection; or

  • The receiving party of the data has agreed to process these data in accordance with the ‘Standard Contractual Clauses’ (SCC) for data controllers or data processors approved by the European Commission;

  • Any other safeguards allowed under the GDPR.

When it is uncertain how best to handle Personal Data, when receiving an unusual request from an unusual source or any other queries about the handling of Personal Data, employees shall seek guidance from the Compliance Officer.

8. Rights of Data Subject

Data Subjects have a number of rights. BSC shall facilitate the exercise of Data Subject rights and shall not refuse to act on the request of the Data Subject for exercising his or her right.

The rights of Data Subjects and the procedures to follow are described below.

8.1. Transparency - information

Any person whose Personal Data are being processed by BSC, has to be provided with information as to the nature of the Personal Data processed or stored about him or her. When gathering Personal Data or establishing new data protection activities, it needs to be ensured that individuals whose data are being processed have received appropriate notice informing them how the data will be used.

Information to be provided where Personal Data is collected from the Data Subject
Where Personal Data is collected from Data Subjects, BSC must, at the time when Personal Data are obtained, provide each Data Subject with all of the following information:

a)  the contact details of BSC acting as the Controller of an individual’s Personal Data;

b)  the purposes of the processing for which the Personal Data are intended as well as the legal basis for the processing;

c)  the recipients of the Personal Data;

d)  the disclosure of Personal Data to third-party recipients and where applicable the intention to transfer Personal Data outside Europe;

e)  the legal safeguards justifying transfers to third parties or outside Europe;

f)  the relevant retention periods;

g)  the individual’s rights regarding their Personal Data, including their right to withdraw consent at any time and their right to lodge complaints with a supervisory authority.

Information to be provided where Personal Data have not been obtained from the Data Subject himself
In addition to the information referred to above, BSC must provide the Data Subject with the following information:

h)  from which source the Personal Data originate, and if applicable, whether it came from publicly accessible sources;

i)  if applicable the existence of automated decision-making, including profiling.

Previous information (under a) to i)) does not have to be provided if the Data Subject already has this information and the provision of such information proves impossible or would involve a disproportionate effort or where the Personal Data must remain confidential subject to an obligation of professional secrecy.

Where the intention is to further process the Personal Data for a purpose other than that for which the Personal Data were obtained, prior to that further processing the Data Subject has to be provided with information on that other purpose and with any relevant further information as referred to under a) to i).

If it is uncertain as to whether a notification should be given, the Compliance Officer should be contacted.

8.2. Request

Access - Data Subjects have the right to request and obtain access to the Personal Data concerning him or her that is being processed by BSC.

Restriction of processing - Data Subjects have the right to request and obtain restriction of processing Personal Data concerning him or her by BSC. When receiving a request to this end, it must always be determined whether this can be done on legitimate grounds.

Data portability - Data Subjects have the right to request and receive the Personal Data concerning him or her, which he or she has provided to BSC, in a structured, commonly used format and has the right to transmit those data to another Controller without hindrance from BSC.

Object - Data Subjects have the right to object at any time to processing of Personal Data concerning him or her. When receiving a request to this end, it must always be determined whether this can be done on legitimate grounds.

Rectification and erasure - Data Subjects have the right to request and obtain without undue delay the rectification of inaccurate Personal Data concerning him or her. Taking into account the purposes of the processing, the Data Subjects shall have the right to have incomplete Personal Data completed, including by means of providing a supplementary statement. When receiving a request to this end, it must always be determined whether this can be done on legitimate grounds.

Data Subjects also have the right to request and obtain the erasure of Personal Data concerning him or her without undue delay and BSC shall have the obligation to erase Personal Data without undue delay. When receiving a request to this end, it must always be determined whether this can be done on legitimate grounds.

In case of rectification or deletion of data, and in case of processing restriction, any recipient to whom Personal Data have been provided must be informed of any rectification, erasure of Personal Data or restriction of the processing, unless this proves impossible or requires a disproportionate amount of effort.

8.3. Complaint

If a Data Subject has complaints relating to the processing of their Personal Data, the Data Subject should raise these in the first instance with the Compliance Officer. Alternatively, the Data Subject may also raise complaints with the Data Protection Authority.

8.4. Procedure

BSC shall provide information on action taken on a request to the Data Subject as quickly as possible without undue delay and in any event within one month of receipt of the request.

That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. BSC shall inform the Data Subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the Data Subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the Data Subject.

Handling the Data Subject's request is free of charge unless the request is unfounded or excessive. In the latter case, the request may also be rejected for that reason.

If there is doubt about the identity of the natural person making the request, BSC may request additional information necessary to confirm the identity of the Data Subject.

Every request of a Data Subject must be forwarded to the Compliance Officer within 3 working days.

9. Security and other control measures

With every processing of Personal Data, appropriate technical and organizational control measures are taken as described in the register, taking into account the risks of the processing. The appropriate technical and organizational control measures are periodically evaluated and updated where necessary.

9.1. New processing and changes in processing

With regard to every new processing or for every change in the processing of Personal Data, the probability (likelihood) and impact (severity) of the risks of the processing for the Personal Data is determined in advance, during and afterwards. This also includes new agreements with third parties that will process Personal Data on behalf of BSC. Before entering into agreement with a third party that will process Personal Data on behalf of BSC, the Compliance Officer must be consulted.

9.2. PIA

Where processing operations are likely to result in a high risk to the rights and freedoms of persons, BSC will carry out a Data Protection Impact Assessment (PIA) to evaluate, in particular, the origin, nature, particularity and severity of that risk. A PIA shall for example be required in the case of the development, modification, or implementation of new systems, the outsourcing of processing or systems to third parties, the testing of systems or equipment, as part of risk assessments etc.

The outcome of the PIA will be presented to the Board of Directors and taken into account when determining the appropriate measures. Where a PIA indicates that processing operations involve a high risk which BSC cannot mitigate by appropriate measures in terms of available technology and costs of implementation, the Data Protection Authority must be consulted prior to the Processing.

9.3. Security

Control measures include security of equipment, access security, information security and awareness, also to prevent unauthorized access to or unauthorized use of Personal Data and the equipment used for the Processing.

Equipment and Information Security

To safeguard against unauthorized access to Personal Data by third parties, all electronic Personal Data held by BSC are maintained on systems that are protected by up-to-date secure network architectures that contain firewalls and intrusion detection devices. The data saved on servers is backed up to avoid the consequences of any inadvertent erasure, destruction or other loss. The servers are stored in high-security facilities that are protected against access by unauthorized personnel and equipped with fire detection and response systems. The location of these servers is known to a limited number of BSC’s employees.

Access security

The security of all Personal Data associated with BSC is of the highest concern. BSC is committed to safeguarding the integrity of personal information and preventing unauthorized access to information maintained in BSC’s databases. These measures are designed and intended to prevent corruption of data, block unknown and unauthorized access to our computerized system and information, and to provide reasonable protection of Personal Data in BSC’s possession. Access to the computerized database is controlled by a log-in sequence and requires users to identify themselves and provide a password before access is granted. Users’ access rights are limited to data required to perform their job function. Security features of software and developed processes are used to protect personal information from loss, misuse, and unauthorised access, disclosure, alteration, and destruction. Questions in relation to this section can be addressed to IT via the General Manager.

Passwords and logins: passwords are changed regularly and when required. Strong passwords are to be used that consist of at least eight characters that are a combination of letters (both uppercase and lowercase), numbers and symbols.

Lock screens: screens must be locked when employees are away from their desk to prevent unauthorised users from accessing data.

Encryption and password protection: all laptops, memory sticks, phones and other mobile devices need to be password protected and have approved encryption enabled. Employees must take care of these devices and keep them physically secure at all times. Should a device be lost or compromised, this must be reported immediately to the Compliance Officer.

Use of personal devices: Employees must not save data in connection with their work on their personal laptop or other device which has not been provided by BSC.

Sending emails: when sending an email, it must be ensured that it is addressed to the intended recipient. Employees are not allowed to respond to emails from senders who are not recognised. These emails must be reported to the Compliance Officer if there is a suspicion of phishing attempts or if Employees have any concerns.

Printers: if documents with Personal Data are scanned or printed, Employees shall not leave them on the printer where others may see them.

Confidentiality
The confidentiality obligation for Personal Data is laid down in the Code of Conduct of BSC. In the development of new applications, the involved parties are taken into account and alternatives are chosen which are the least inconvenient for them according to the principles of 'privacy-by-design' and 'privacy-by-default'.

Need-to-know principle
Employees have access to Personal Data on the basis of the need-to-know principle. This means that Employees only have access to Personal Data if they need it to be able to carry out their work.

10. Data retention

Statutory retention periods apply to the data retention of tax-relevant data, Financial Intelligence Unit (FIU) notifications, Anti-Money Laundering and Terrorist Financing (Wwft) notifications, complaints, Client Due Diligence and Employees data.

Statutory retention periods also apply in the Financial Supervision Act (Wft) for among others inventoried information and advice given to clients, transaction and administration data.

Personal Data may not be kept longer than strictly necessary for the purpose for which the data were collected. The register of processing determines, per category of Personal Data, the term after which the data must be destroyed, and procedures have been set up to ensure this. Where there is a relationship with processors of Personal Data (third parties), agreements are made about this in a processor agreement.

A detailed legal retention scheme applicable for Clients and Employees data is attached to this policy (Annex Legal Retention Scheme).

11. Reporting Data Leak

In the event that Personal Data of the Data Subject(s) are unknowingly or unlawfully leaked (Data Leak), the Data Protection Authority (AP) must be informed within 72 hours after the moment of discovery if the breach is expected to involve a high risk for the rights and liberties of natural persons. In addition, a duty may arise to inform the Data Subject of the breach.
In addition, Data Leaks are recorded in a separate (incidents) register by the Compliance Officer.

Examples of Data Leak:

  • a lost USB stick or lost tablet containing client data;

  • a stolen laptop with client data;

  • a burglary by a hacker, in which personal details of clients are stolen;

  • a lost suitcase containing portfolio overviews of clients;

  • the use of an incorrect e-mail address through which client data is passed on to a person or organization who should not have received it.

What to do with a data breach?

In the event of a Data Leak, Employees must report to the Compliance Officer immediately, and preferably within one hour after the data breach is discovered. Depending on the context, further information on the circumstances of the leak may be needed.

The report to the Compliance Officer must at least provide (1) insight into the incident that has occurred, (2) when the incident has been reported, (3) which Personal Data have been leaked, (4) whether Sensitive Personal Data have been leaked. On the basis of this information, the Compliance Officer will assess whether it is a serious data breach that must be reported to the AP.

The outcome of the assessment will be presented to the Board of Directors.

Data breaches will be reported to the AFM within 72 hours of occurrence.

Report to AP

The AP has a notification form on their website that must be completed. Data that must be completed in any case are:

  • Information about the contact person at BSC in case the AP wants further information about the report;

  • Data about the Data Leak itself such as:

    • A brief description of the Data Leak;

    • The Data Leak procedure;

    • How many people are likely to be affected by the data breach;

    • Where and when the data breach took place and when the data breach was discovered;

    • The nature of the data breach (theft, destruction, copying, reading, changing, etc);

    • The type of Personal Data that has been affected by the data breach;

    • The probable consequences of the data breach for the privacy of those concerned;

    • The follow-up actions that BSC undertook in connection with the data breach, such as the taking of possible measures to address the infringement and to prevent it in the future.

Not all Data Leaks involving Personal Data need to be reported to the AP, only Data Leaks with serious adverse consequences for the protection of Personal Data. For example: is there Personal Data that could be attractive to the criminal circuit?

In any case, the nature and extent of the affected data must be considered. Is there Special Personal Data within the meaning of GDPR, such as health data, or other data of a sensitive nature, such as information about the financial or economic situation of the person(s) concerned?

The AP considers the following data as Personal Data of a sensitive nature:

  • Special Personal Data as referred to in the GDPR. This includes, for example, information about a person's health and personal data;

  • Information about the financial situation. This includes, for example, salary data, payment data and data on the asset situation;

  • User names, passwords and other log-in details;

  • Data that can be misused for (identity) fraud. This includes, for example, copies of identity documents and BSN numbers.

The leakage of these data will often lead to a notification to the AP.

If no or insufficient follow-up is given to the duty to report, the AP can impose fines up to a maximum of € 20.000.000 or 4% of the worldwide turnover.

Registration of Data Leak

BSC is obliged to record every Data Leak, regardless of whether it is reported to the AP. All Data Leaks must be recorded digitally in the incident register by the Compliance Officer.

Controlling and corrective measures

As a result of a Data Leak, suitable measures can be taken that are aimed at ensuring that the integrity of the operations is unhindered.

Third parties

Third parties who process Personal Data for the benefit of BSC must also provide BSC with timely and adequate information about security incidents occurring in order to comply with the Data Leak reporting obligation. The security incidents and Data Leaks that are reported by third parties (Processors or any sub-processors) are assessed by IT in consultation with the Board of Directors.

Appendix I Legal Retention Scheme

Client Data Retention Period

Client Agreement - End of client relationship + 7 years

  • Legal conditions on (and a description of) the financial services/products

  • Amendments to the agreement


  • Conditions applicable to the agreement (e.g. general terms and conditions)

  • Authorization details Signature cards


  • Authorization responsibilities

Record on investment advising. Data regarding the clients - After services are provided + 5 years

  • financial position

  • financial knowledge, experience, objectives, risk appetite


  • the nature of the financial product

Record on unusual transaction. Data regarding the clients - As of notifying the transaction + 5 years

  • identity


  • the identity of the ultimate beneficial owner


  • the nature, timing and place of the transaction

  • the circumstances under which the transaction is considered unusual

Records of transactions - After termination client agreement + 7 years

  • Data of all the transactions, investment services, investment activities

Client identification - As of termination of the client relationship or execution of the transaction + 5 years

  • Family name, first name

  • Date of birth

  • Address and place of residence or place of business of the client and of the person acting on behalf of the client

  • Copy of the document containing a personal identification number

  • Registration number at Chamber of Commerce

  • Nature, number and date and place of issue of the document by which the identity was verified

  • Nature of the financial product.

Client surveys - As of termination of the client relationship or execution of the transaction + 5 years

  • All relevant data concerning the client survey

Employees (including potential employees) Data - Retention Period

Standard/general personal data (e.g. name, hiring date, position) - End of the fiscal year the employment is terminated + 7 years

Hiring records (e.g. background checks, CV, hobbies and interests for both non-hired and hired persons) - End of the process when the applicant is not hired + 4 weeks. With the candidate’s consent it is possible to keep the data for a longer period, e.g. to inform the candidate about other vacancies or to avoid having to redo the same assessments: End of the process when the applicant is not hired + 1 year. With regard to applicants that are hired by BSC: after the application process + 2 years.

Employee ICT ID and email account(s) - After the end of the employment agreement + 2 years

Employee medical records - Pursuant to Dutch law BSC is not allowed to keep records related to the nature of the medical condition of employees. However, administrative sick leave data (such as moment of reporting ill, expected sickness period and recovery date) should be retained for a maximum period of 2 years. The 2 year period may be extended if there is a (threatened) conflict/dispute with the employee or the relevant entity which requires that these data are kept.

Payroll, salary records, etc. - After the end of the fiscal year the employment is terminated + 7 years. For notifications of salary changes, a retention period of 2 years after the end of employment is reasonable.

Visa/work permit records of foreign nationals (copies of work permits, identity cards and passports) - Must be kept for 7 years after the end of the fiscal year the employment is terminated. For other documents of foreign nationals, a retention period of maximum 2 years after the end of the employment is reasonable.

Records regarding termination of employment - It is common that an employer deletes these documents at the latest 2 years after termination. However, when the employee leaves BSC due to an employment conflict, or when BSC and (ex)-employee are in a dispute, it is recommended to keep the documents until the conflict is solved or judged by court. With regard to official documents such as court verdicts, covenants, original testimonies and settlement agreements, a retention period of 10 years after the end of employment is recommended.

Timetables and records of planned and actual worked hours - A retention period of 7 years after the end of the fiscal year the employment is terminated, is required.

Records regarding absence (holidays, maternity leave, etc.) - As most of these documents will be part of the working records as well, a retention period of 7 years after the end of the fiscal year the employment is terminated, is required. With regard to information regarding holidays that does not fall under the fiscal retention obligation of 7 years, a retention period of 5 years is recommended, as pursuant to Dutch law employees with additional holidays can take these holidays until 5 years after the year they are accrued in. For all other documents related to absence, a retention period of 2 years after the end of employment is recommended.

Whistle blowers data - In case of a report of abuse, personal data related to the investigation into this abuse must be deleted within 2 months after the investigation, unless disciplinary measures will be taken. All other personal data related to the report made through a Whistle-blowers process should be deleted at least 2 years after the last activities.