Privacy Policy

1. Purpose

This policy outlines how Asset Family collects, uses, stores, shares, and protects personal data in compliance with applicable data protection laws and ISO/IEC 27001 requirements. The policy is intended to ensure the confidentiality, integrity, and availability of personal information.

2. Scope

This policy applies to:

  • All employees, contractors, and third parties of Asset Family
  • All systems and processes involving personal data
  • All locations where personal data is processed, including cloud and on-premise systems

3. Definitions

Personal Data: Any information relating to an identified or identifiable natural person
Data Subject: An individual whose personal data is processed
Processing: Any operation performed on personal data (e.g., collection, storage, use)
Controller: The entity that determines the purposes and means of processing
Processor: The entity that processes data on behalf of the controller

4. Legal Basis for Processing

Personal data is processed lawfully, fairly, and transparently. Legal bases may include:

  • Consent
  • Performance of a contract
  • Legal obligation
  • Legitimate interests
  • Vital interests
  • Public task

5. Types of Data Collected

We may collect and process the following categories of personal data:

  • Identification data (e.g., name, email, phone)
  • Employment data (e.g., job title, department)
  • System access logs
  • Communication records

6. Data Collection and Use

Personal data is collected for specific, explicit, and legitimate purposes, including:

  • Managing employment or contractor relationships
  • Providing services to clients
  • Ensuring information security and access control
  • Meeting legal or regulatory obligations

7. Data Sharing and Transfers

Personal data may be shared with:

  • Authorized internal personnel
  • Trusted third-party service providers under data processing agreements
  • Regulatory authorities, if required by law

International data transfers will follow applicable data protection laws (e.g., GDPR Article 44+) and be protected with appropriate safeguards such as Standard Contractual Clauses.

8. Data Retention

Personal data is retained only as long as necessary for the purposes outlined in this policy, or as required by legal obligations or contractual commitments. A data retention schedule is maintained and reviewed annually.

9. Data Subject Rights

Data subjects have the right to:

  • Access their personal data
  • Request correction or deletion
  • Restrict or object to processing
  • Port their data (where applicable)
  • Withdraw consent (if processing is based on consent)

Requests can be submitted to: Jeroen van Proosdij
jeroen.van.proosdij@assetpeople.com

10. Data Protection and Security Measures

In accordance with ISO/IEC 27001 controls, Asset Family implements:

  • Role-based access controls
  • Encryption of data at rest and in transit
  • Multi-factor authentication (MFA)
  • Security awareness training
  • Incident response procedures

11. Breach Notification

In the event of a data breach:

  • Internal notification to the Information Security Officer or DPO is immediate
  • Regulatory notification (e.g., to the supervisory authority) will occur within 72 hours if required
  • Affected data subjects will be informed when there is a high risk to their rights and freedoms

12. Roles and Responsibilities

DPO / Information Security Officer: Oversight of data protection program
IT Department: Ensuring secure infrastructure and systems
Employees: Following policies, reporting incidents

13. Policy Review and Maintenance

This policy will be reviewed annually or after any significant changes in processing activities, regulatory requirements, or ISO/IEC 27001 updates.

14. Related Documents

  • Information Security Policy
  • Data Retention Policy
  • Access Control Policy
  • Incident Response Plan
  • Supplier Security Policy

15. Contact Information

Data Protection Officer (DPO)

Jeroen van Proosdij
jeroen.van.proosdij@assetpeople.com
+31655408560