Reverse IT uses the collected data for the following data processing activities:

• Company names, contact person names, business email addresses, business phone numbers, and business delivery addresses are required to create purchase or sales orders, deliver services, and generate invoices;

• Payment is made by transferring funds to Rabobank IBAN: NL55RABO0132178249;

• To receive the newsletter, individuals must actively subscribe and give consent for its distribution. There is always the option to unsubscribe at any time;

• Data collected through the completion of the contact form on the website is only used for the purpose for which the data was provided;

• Reverse IT also processes personal data when legally required, such as data needed for tax reporting;

• Reverse IT analyzes the behavior of visitors to its website in order to improve its services and tailor its product and service offerings to the preferences of website visitors. For this purpose, Reverse IT uses Google Analytics.

Reverse IT uses data exclusively for the purpose of providing its services. This means that the purpose of the data processing is always directly related to the assignment given. Data is not used for targeted marketing unless consent has been given.

• Your data will not be shared with third parties, except for the purpose of fulfilling accounting and other administrative obligations. These third parties are all bound to confidentiality under the agreement between them and Reverse IT or a legal obligation.

• Automatically collected data: Data automatically collected by the website is processed to further improve our services. This data (e.g., IP address, web browser, and operating system) is not considered personal data.

• Cooperation with fiscal and criminal investigations: In certain cases, Reverse IT may be required to share data due to a legal obligation in relation to fiscal or criminal investigations by the government.

Reverse IT collaborates with the following parties:

• Rabobank: This is where names and IBAN numbers of employees and relations are recorded.

• AFAS Software: This is used for processing incoming and outgoing orders and invoices from both customers and suppliers. Business email addresses, phone numbers, and addresses are only used for the purposes for which the individual provided these details.

• Hubspot: This is used to log business calls, leads, and opportunities. Business email addresses, phone numbers, and addresses are only used for the purposes for which the individual provided these details.

• Hubspot: This is used for sending the Reverse IT newsletter. Registered email addresses can always unsubscribe at any time.

• Google Analytics: This is a service from Google that collects and presents website statistics in detail. The goal of this service is to provide insights into, among other things, visitor flows and bounce rates. To comply with the GDPR, Google Analytics has introduced data retention management options and a tool for removing users. User and event data is automatically deleted after the 26-month retention period. You can read Google's Privacy Policy here.

Reverse IT retains personal data no longer than necessary for the purpose of processing.

• Payroll data is retained for 7 years in accordance with the tax retention requirement.
• Employee data is destroyed 2 years after termination of employment.

Under the GDPR, the following rights apply:

• Right of access

• Right to rectification and supplementation

• Right to erasure (Right to be forgotten)

• Right to data portability

• Right to restriction of processing

• Rights related to automated decision-making and profiling

• Right to object

When a data subject submits a request to exercise any of these rights, Reverse IT will respond to the request within 1 month. Specifically, this means that within this period:

• The request will be fulfilled

• The data subject will be informed when the request has been fulfilled

• The data subject will be informed why the request has not been fulfilled

If personal data falls into the hands of third parties who should not have access to that data, it is considered a data breach. All security breaches must be reported to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), unless it is unlikely that the breach will result in a privacy risk to individuals. The notification must be made within 72 hours of the discovery of the breach. The breach must also be reported to affected individuals if it is likely to result in a high privacy risk.

To assess the privacy risk, factors such as the nature and scope of the processing are important. The privacy risk is greater when large amounts of personal data, including sensitive data, are involved.

Reverse IT will document all breaches, the consequences, and the measures taken to address them.

This document was last updated on: November 28, 2019.