This Privacy Statement informs you, as a data subject, about the reasons why and the way in which Validata Group BV (‘Validata’) handles your personal data. This statement applies to all processing of personal data in the context of a screening performed by Validata. Validata complies with all requirements of the General Data Protection Regulation (GDPR).
Why does Validata process personal data?
Validata is specialised in screening individuals by means of a digital screening process. We process your personal data in order to perform a screening of relevant data at the request of a client. ‘Relevant’ means that only data is checked that is in relation to the position or the reason why you enter into a new agreement. In addition, Validata processes personal data in order to keep it available so that it can be used for a subsequent screening.
Is Validata the data controller for the personal data?
Validata is the independent data controller in the context of the processing of personal data within the meaning of the GDPR. Our contact details are:
Validata Group BV
Address - Emmaplein 10, 1075 AW Amsterdam
Telephone - +31 (0)20 5356898
Email - email@example.com
Chamber of Commerce no. 34346504
Validata has a Data Protection Officer (‘DPO’) who is registered with the Dutch Personal Data Protection Authority (Autoriteit Persoonsgegevens). The DPO can be contacted via firstname.lastname@example.org.
On what legal basis does Validata process personal data?
Our client has a legitimate interest (as defined in Article 6, paragraph 1, point (f) GDPR) to have your integrity assessed and therefore determines whether, and if so, to what extent, certain parts of your personal data need to be screened. The components of the screening have been determined by the client based on its policies, taking into consideration the applicable requirements set out in the GDPR. These include the requirements of proportionality and subsidiarity, meaning that the screening should only verify data that relate to the risks associated with the (planned) employment in a specific job or with the rental or sale of a home. Our client uses the online application of Validata to initiate your screening.
What personal data does Validata process?
For each screening, Validata processes the following personal data, which we receive from you or from our client:
- Data concerning your name and address, sex, email address and telephone number.
In addition, depending on the client’s screening policy and the resulting components of the screening, the following personal data and/or documents may be processed:
- Curriculum Vitae (CV);
- Date of birth (age);
- Identity document: processing of a scan of a valid identity document or (Dutch) identity card in order to verify the document;
Processing BSN: Validata is not authorised to process your Citizens Service Number (BSN), so we ask that you black it out;
- Certificate of Good Conduct (VOG);
- Data concerning your educational background;
- Data concerning your work experience;
- Data provided by referees;
- Data from sector and/or professional registers;
- Data concerning your financial situation; including data from the register of persons under guardianship, data from the insolvency register, the ratio of your personal financial liabilities to your earnings or assets, and your credit rating;
- Data from declarations you have made, or from your integrity statement:
i. data concerning outside activities and/managerial positions;
ii. data concerning circumstances that cast doubt on your reliability, competence or integrity;
iii. data concerning convictions for a criminal or corporate offence or being treated as a suspect in an inquiry into a criminal or corporate offence;
- Data concerning legal entities: legal status, business information, financial information and/or managerial powers;
- Data from social media and/or public sources;
- Data from international terrorist watchlists, politically exposed persons (PEP) lists and sanctions lists, and;
- Data relating to additional documents that are gathered, verified or checked at the request of our client, such as a payslip, confidentiality statement, employer’s statement, disciplinary law statement (Verklaring Onderwerping Tuchtrecht (VOT)) and/or a code of conduct.
From whom does Validata receive personal data?
In order to perform specific components of a screening or to verify data, Validata receives personal data from the following parties:
2. our client(s);
3. data suppliers in the context of performing a screening;
4. relevant educational institutions (within and/or outside of the Netherlands);
5. relevant sector and/or professional registers, such as the BIG register (for healthcare professionals);
6. employers and/or other persons submitted by you as referees.
With whom does Validata share personal data?
In order to perform specific components of a screening or to verify data, Validata shares the necessary personal data with the following parties:
1. data suppliers;
2. relevant educational institutions (within and/or outside of the Netherlands);
3. relevant sector and/or professional registers, such as the BIG register (for healthcare professionals);
4. employers and/or other persons submitted by you as referees;
5. our client.
With which data suppliers are personal data shared?
Validata has concluded agreements with its data suppliers that set out arrangements to ensure a correct and secure processing of your personal data. Validata’s data suppliers are:
- DUO (Education Executive Agency)
- Qualifícation Check
- Dun & Bradstreet
- KvK (Chamber of Commerce)
Are special categories of personal data processed?
In some cases, Validata processes special categories of personal data. This depends on which components are included in the screening. The components of the screening have been determined by the client based on its policies, taking into consideration the potential risks associated with a specific job, a membership, specific work activities, or with the rental or sale of a home. Prior to the screening, you will be informed about the (special categories of) personal data that need to be processed.
Validata has a licence under the Act on Private Security Firms and Detective Agencies (POB): POB licence no. 1533. Based on this licence, and provided that certain conditions are met as set out in the GDPR, Validate may process data concerning criminal convictions or treatment as a suspect in a criminal inquiry.
Processing identity document (ID card)
Validata processes identity documents to enable our client to meet its legal obligation to verify a person’s identity. This involves checking the authenticity of a scan of the identity document based on a number of security features. In addition, the document number is checked to establish that the document has not been reported stolen or missing. Validata is not authorised to process your Citizens Service Number (BSN), so we ask that you black it out before uploading a scan of your identity document into our secure environment.
Is submitting to the screening mandatory?
You have the right not to be screened. Chances are though, that this limits your chances to enter upon a new agreement or position that requires a screening. If you object to (all or parts of) the screening or have any questions, please contact the client. After all, the client has determined the composition of the screening in its policy.
Are my data secure?
Validata has taken appropriate technical and organisational measures to protect personal data against loss or any form of unlawful processing.
How long will my data be stored?
Validata retains personal data for a period of five years from the date of completion of your last screening. Your data are stored in your personal environment and can only be used in the context of performing screening(s) , provided that you approve this. Validata will anonymise the data after a period of five years. The ID Card will be retained for 2 weeks following the completion of the screening and then will be deleted.
Will my personal data be transferred to other countries within or outside of the EEA?
Validata processes your personal data within the European Economic Area (EEA). Under certain circumstances, (all or parts of) your personal data may be transferred to a ‘third country’ outside of the EEA. This is the case, for example, if you are based in third country outside of the EEA, or if the client, a data supplier, or another party with whom we share your personal data, is based in such a third country.
Under the GDPR, an adequate level of protection must be ensured when transferring personal data within the EEA. The transfer of personal data to a third country outside of the EEA is permitted, provided that an adequate level of data protection or appropriate safeguards are ensured. In the absence of this, the transfer of personal data is permitted if the transfer is necessary for the performance of a contract concluded in your interest as a data subject between Validata and the client (Article 49, paragraph 1, point (c) GDPR).
Please be advised of your (privacy) rights:
- Right of access: To access the personal data gathered on you by Validata, please login via your personal account at Validata.
- Right to rectification: To request changes or additions to the personal data gathered on you, please send an email to Validata.
- Right to erasure (‘right to be forgotten’): You can request Validata to erase your personal data from Validata’s systems; for example, if Validata no longer needs the personal data in the context of the business activities agreed with the client.
- Right to restriction of processing: You can request Validata to (temporarily) stop processing your personal data.
- Right to object: You can object to the processing of your personal data.
- Right to lodge a complaint: If you have a complaint about our services, you can lodge a complaint with Validata using the complaint form available on Validata’s website.
Please also be advised that you can lodge a complaint with the Dutch Personal Data Authority about how Validata handles your personal data.
If you have any queries concerning the above matters, please contact Validata Support via email@example.com.