Gelber Europe Privacy Notice

February 2022

1. Introduction

Gelber Europe (Gelber, we or us) values the privacy of our job applicants, suppliers, vendors and website users and strives to protect the privacy and the confidentiality of Personal Data that we use in our business.¹ This Gelber Europe Privacy Notice (Notice) describes how we may use your Personal Data. We collect, use, disclose and otherwise process your Personal Data where this is necessary for the purposes identified in this Notice and where permitted by the GDPR and local data protection laws. Please read this Notice carefully to understand how we process your Personal Data.

Capitalized terms used in this Notice and not defined within the text of the Notice have the meaning set forth in Appendix A.

2. Identity of Data Controller and Contact for Queries

Gelber is the Data Controller in respect of the Personal Data we receive about our job applicants, suppliers, business partners and website users. Gelber has a General Counsel who should be contacted if you have any queries regarding the operation of this Notice or if you want to exercise any of your data subject rights. You can contact our General Counsel using the following email address: legal@gelbergroup.com.

3. Personal Data We May Collect

We may collect and process the following Personal Data about you, whether such information is provided by you or a third party, to the extent permitted under local law:

(a) Your contact information ► Including your name, address (and proof of address, where necessary) and other contact details (such as your email address and telephone number).

(b) Your identification details ► Identification numbers issued by government bodies or agencies (e.g., depending on the country you are in, social security, citizen service or national insurance number, passport number, ID number, tax identification number, driver’s license number), a copy of your identification document.

(c) Our correspondence with you ► If you contact us, we may keep a record of that correspondence.

(d) Information you provide to us when visiting our websites ► Personal Data that you provide to us, such as when using the contact form on our website, including your name, email address, and other contact details.

Additionally, for job applicants:

(e) Your employment history and experience ► Including your CV or resumé, application form details, qualification certificates, training certificates, licenses, information available on LinkedIn, permission to work documentation, references from other employers and other data collected through interviews or other forms of assessment.

(f) Information required for pre-employment checks ► To conduct pre-employment checks, we will ask you to provide proof of your identity and qualifications.

(g) Results of pre-employment screening checks ► If we make an offer to you for which a pre-employment check is required, we will process the results of any such pre-employment screening checks (including criminal record checks, where permitted under applicable law) that we may carry out as part of the hiring process.

(h) Materials produced during recruitment ► Materials produced during the course of recruitment processing, including any video and presentations you provide us for the purposes of a recruitment assessment and any interview notes.

4. Use of Your Personal Data

In this section, we explain how we may share your Personal Data, identify the “legal processing grounds” on which we rely to process the Personal Data, and set out the purposes for which we may use your Personal Data.

Gelber stores your Personal Data on our IT systems located in Amsterdam and the United States. Gelber engages various Data Processors for the processing of your Personal Data on our behalf, including IT service providers and other business service providers. We have contracts in place with our Data Processors. This means that these Data Processors cannot do anything with your Personal Data unless we have instructed them to do so. They will not share your Personal Data with any other organisation (unless legally required to do so, or with our permission or upon our request) apart from us. They will hold it securely and retain it for the period that we instruct.

Gelber may be legally required to disclose your Personal Data in response to requests from regulators and law enforcement or security agencies, in which case these regulators and law enforcement or security agencies will be acting as a Data Controller as well. Gelber will assess the legitimacy of such requests before disclosing any Personal Data and will only disclose the Personal Data required to comply with such request.

We, as Data Controller, are permitted to process your Personal Data when such processing can be based on one or more “legal processing grounds” in the GDPR. The table below provides a description of relevant legal processing grounds.

Legal Processing Ground | Details
Performance of our contract with you | Where your Personal Data is necessary to enter into a contract with you or for the preparation of a contract
Compliance with legal and regulatory obligations | Where we need to use your Personal Data to comply with our legal obligations under applicable law
For our legitimate business interests | Where we use your Personal Data to achieve a legitimate interest and our reasons for using it outweigh any prejudice to your data protection rights
For legal claims | Where your Personal Data is necessary for us to defend, prosecute or make a claim against you, us or a third party
Consent | Where you have consented to our use of your Personal Data

  1. Suppliers, Vendors and Website Users

We may use your Personal Data in the following ways. For each use, we note the legal bases on which we rely to justify use of your Personal Data.

(a) To manage our relationship with you ► To manage our relationship with you and all communications related thereto.

Use justification: performance of our contract with you and for our legitimate business interests.

(b) To defend our legitimate interests and to change our business structure ► We may disclose Personal Data in connection with legal proceedings or investigations anywhere in the world to third parties, such as public authorities, law enforcement agencies, regulators and third-party litigants. (Such third parties are not our Data Processors and will process Personal Data for their own purposes.) We may also provide your Personal Data to any potential acquirer of or investor in any part of our business for the purpose of that acquisition or investment, in which case we will make sure to minimise the disclosure of your Personal Data to what is strictly necessary under the circumstances.

Use justification: performance of our contract with you, legitimate interests (to enable us to cooperate with law enforcement and regulators and to allow us to change our business), and for legal claims.

(c) To conduct certain checks on you, such as anti-fraud checks before we establish a relationship, and where required, during our relationship with you ► We and other organisations engaged by us for this purpose may access and use your Personal Data to conduct checks to, among other things, prevent fraud. If false or inaccurate information is provided and fraud is identified or suspected, details may be passed to the relevant authorities including fraud prevention agencies. We will record this. Law enforcement agencies may access and use this information.

Use justification: compliance with legal obligations (which may include laws outside your country of residence), and for our legitimate business interests (to assist with the prevention of crime and fraud).

(d) To comply with our legal obligations and cooperate with regulators ► We may process and disclose your Personal Data to cooperate with requests from law enforcement and regulators (including but not limited to the Netherlands Authority for the Financial Markets and the Dutch Data Protection Authority), which may include such authorities outside your country of residence.

Use justification: compliance with legal obligations (which may include laws outside your country of residence), and for our legitimate interests (for Gelber’s interests and to ensure the integrity and security of the financial sector).

  1. Job Applicants

In general, Gelber processes your Personal Data in order to assess your application for employment. This processing is a necessary pre-condition of any employment relationship. Gelber may also process Personal Data when we have a legitimate interest to do so and provided specific conditions are met. Where we rely on this legal processing ground, we will mitigate the effect(s) this may have on your privacy by appropriately minimising our use and putting in place adequate access and security safeguards to prevent unauthorised use. Gelber shall only process criminal Personal Data when the processing is authorised by applicable law that provides for appropriate safeguards for the rights and freedoms of data subjects.

We may use your Personal Data in the following ways. For each use, we note the legal bases we use to justify each use of your Personal Data.

(a) To handle your job application and to communicate with you ► To communicate with you about the recruitment process and your application.

Use justification: for our legitimate business interests (the solicitation, evaluation, and selection of applicants for employment), and (if you are offered employment) for the preparation and performance of our contract with you.

(b) To assess your suitability for a role at Gelber ► We may access and use your Personal Data to assess your skills, qualifications and interests.

Use justification: for our legitimate interests (the solicitation, evaluation, and selection of applicants for employment), and (if you are offered employment) for the preparation and performance of our contract with you.

(c) If we make a conditional offer of employment, information to carry out pre-employment checks ► If you are offered a job where a pre-employment check is required, we will ask you for information so that we can carry out pre-employment checks, which may include (in the Netherlands) requesting a certificate of good conduct (verklaring van goed gedrag). This information is necessary to enable us to confirm the identity of job applicants, their right to work in the relevant jurisdiction and to seek assurance as to their trustworthiness, integrity and reliability. Gelber may also carry out criminal background checks, for which purpose Gelber may process Personal Data relating to criminal convictions and offences. Gelber will notify you prior to carrying out a criminal background check.

Use justification: for our legitimate interests (to assess your trustworthiness, integrity and reliability) and (if you are offered employment) for the preparation and performance of our contract with you. Gelber shall only process criminal Personal Data when such processing is authorised by applicable law.

(d) To comply with our legal obligations and cooperate with regulators ► We may process and disclose your Personal Data to cooperate with requests from law enforcement and regulators (including but not limited to the Netherlands Authority for the Financial Markets and the Dutch Data Protection Authority), which may include such authorities outside your country of residence.

Use justification: compliance with legal obligations (which may include laws outside your country of residence), and for our legitimate interests (for Gelber’s interests and to ensure the integrity and security of the financial sector).

(e) To defend our legitimate interests and to change our business structure ► We may disclose Personal Data in connection with legal proceedings or investigations anywhere in the world to third parties, such as public authorities, law enforcement agencies, regulators and third party litigants (these third parties are not Data Processors on behalf of Gelber and will process Personal Data for their own purposes). Gelber may also provide your Personal Data to any potential acquirer of or investor in any part of Gelber’s business for the purpose of that acquisition or investment.

Use justification: performance of our contract with you, compliance with legal obligations, for legal claims, and for our legitimate interests (to enable us to cooperate with law enforcement and regulators and to allow Gelber to change its business).

5. Sources of Personal Data

We may obtain Personal Data from various sources, including:

  • you directly, via forms on or interactions with our website, by telephone or by means of written correspondence;
  • public sources such as newspapers and the internet;
  • third parties including but not limited to, where permitted, regulatory authorities, professional bodies, sanctions and politically exposed person screening lists or public registers; and
  • for job applicants, other third parties including but not limited to, where permitted, previous or current employers, educational institutions, credit reference and anti-fraud agencies, and other background check agencies/organizations.

If an individual elects to not give Gelber their Personal Data, Gelber may be unable to employ them, procure services from or otherwise engage with the individual.

6. Transfer of Personal Data Overseas

We hold your Personal Data in Amsterdam and the United States, which is outside the EEA. U.S. laws may not always offer the same level of protection for Personal Data as offered in the EEA. We will, in all circumstances, safeguard Personal Data as set out in this Notice.

Certain countries outside the EEA have been approved by the European Commission as providing essentially equivalent protections as EEA data protection laws, and therefore no additional safeguards are required to export Personal Data to these jurisdictions. In countries which have not had these approvals,² including the United States, we use EU-approved “Model Clauses” to ensure that data protection safeguards equivalent to those required within the EEA are applied. For more information regarding these measures, you can contact our General Counsel (see Section 2 of this Notice).

7. Storage and Usage Limits

We will retain your Personal Data for as long as necessary for the processing purpose(s) for which they were collected and any other permitted linked purpose. If Personal Data is used for two or more purposes, we will retain it until the purpose with the longest retention period expires, but we will stop using it for any purpose with a shorter period once that period expires. We restrict access to your Personal Data to those persons who need to use it for the relevant purpose(s).

Our retention periods are based on business needs and relevant laws. Records that are no longer needed are securely destroyed.

8. Securing Your Personal Data

Gelber has implemented appropriate technical and organisational measures to secure the processing of Personal Data. These safeguards vary depending on the sensitivity, format, location, amount, distribution and storage of the Personal Data, and include measures designed to keep Personal Data protected from unauthorized access. If appropriate, these safeguards may include the encryption of information during storage, firewalls, access controls, separation of duties, and/or similar security protocols.

We restrict access to Personal Data to personnel and third parties that require access to such information for legitimate, relevant business purposes.

All our staff members, contractors and third parties who will have access to Personal Data on our instructions will be bound to confidentiality and we use access controls to limit access to individuals that require such access for the performance of their responsibilities and tasks.

9. Updating Your Personal Data

We will use reasonable efforts to ensure that your Personal Data is accurate. In order to assist us with this, you should notify us of any changes to your Personal Data that you have provided to us by contacting the General Counsel (see Section 2 of this Notice).

10. Your Rights

As Gelber is located within the EEA, you have the following rights in relation to your Personal Data:

(a) Subject access: You have a right to be provided with access to any data held about you by Gelber, generally within 1 month of your request.

(b) Rectification: You can ask us to have inaccurate Personal Data amended.

(c) Erasure: You can ask us to erase Personal Data in certain circumstances and we will take reasonable steps to inform other Data Controllers that are processing the data that you have requested the erasure of any links to, copies or replication of it.

(d) Withdrawal of consent: You can withdraw any consents to processing that you have given us and prevent further processing if there is no other ground that Gelber can (and does) use to justify the processing of your Personal Data.

(e) Restriction: You can require certain Personal Data to be marked as restricted while complaints are resolved and restrict processing in certain other circumstances.

(f) Portability: You can ask us to transmit the Personal Data that you have provided to us and we still hold about you to a third party electronically.

(g) Raise a complaint: You can raise a complaint about our processing with the Data Protection Authority (see further details below).

(h) Prevent processing: You can require Gelber to stop any processing based on the legitimate interests ground unless Gelber’s reasons for undertaking that processing outweigh any prejudice to your data protection rights.

Certain exceptions apply to the exercise of these rights; you will not be able to exercise them in all situations. We will respond to most requests within one month.

If you are not satisfied with our use of your Personal Data or our response to any exercise of these rights, we ask you to first contact our General Counsel using the contact details in Section 2 of this Notice. You also have the right to complain to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens or AP), which can be contacted at:

Autoriteit Persoonsgegevens
P.O. BOX 93374
2509 AJ The Hague
The Netherlands

Telephone: (+31) – (0)70 – 888 85 00

The AP’s contact details can also be found on the AP’s website at https://autoriteitpersoonsgegevens.nl/en/contact-dutch-dpa/contact-us.

  1. Gelber Europe means Gelber Coöperatief U.A. based in Amsterdam (Keizersgracht 555, 1017 DR Amsterdam, the Netherlands and registered with the Trade Register of the Dutch Chamber of Commerce under number 71324925).
  2. A list of such countries is available at http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm.

APPENDIX A: DEFINITIONS

Data Controller: The legal person, administrative body or any other entity which, alone or in conjunction with others, determines the purpose of and means for processing of Personal Data.

Data Processor: The person or body which processes Personal Data on behalf of the Data Controller, without being subject to the Data Controller’s direct control.

EEA: The European Economic Area.

GDPR: The European General Data Protection Regulation (EU) 2016/679.

Personal Data: Any information relating to an identified or identifiable natural person (e.g., a person whose identity can be established reasonably without disproportionate effort by means of name, address and date of birth). By way of example but not limitation, video images and voice recordings are also Personal Data if the video images or voice recordings are identifiable to a natural person. If financial data (such as bank statements) relate to an identifiable natural person, such information is also considered Personal Data.

Processing (of Personal Data): Any operation or any set of operations concerning Personal Data, including in any case the collection, recording, organisation, storage, updating or modification, retrieval, consultation, use, dissemination by means of transmission, distribution or making available in any other form, merging, linking, as well as blocking, erasure or destruction of Personal Data.