Privacy Policy

Article 1. Definitions of terms
‍

For the purposes of this policy and the attachments, the following definitions shall apply:

a. General Data Protection Regulation (GDPR): the Regulation;

b. Personal Data Authority: supervisory authority, as referred to in Article 51 of the GDPR;

c. File: any structured set of personal data accessible according to specific criteria, whether centralized, decentralized or disseminated on functional or geographical grounds;

d. Data subject: the person to whom the personal data relates (a job applicant, a current or former Fliteline employee, all other persons working for or on behalf of Fliteline, including members of supervisory bodies, customers, suppliers and service providers, tenants, and finally, visitors to Fliteline premises);

e. Third party: the person, not being the processor or the person working under the authority of the controller, who has been authorized by the data processor to process personal data (the company doctor, for example);

f. Management Board: the board of management of Fliteline B.V. which is represented by Mr. J.E. Plaisier;

g. Group: an economic entity in which legal entities are organizationally affiliated (Section 2:24 of the Dutch Civil Code);

h. Staff: an employee who is employed or hired by Fliteline in any way whatsoever;

i. Staff number: a unique number used for the efficient processing of personal data;

j. Personal data: any information about an identified or identifiable natural person ('the data subject');

k. Privacy impact assessment: an assessment of the impact of the envisaged processing on the protection of personal data;

l. Fliteline: all operating companies belonging to Fliteline B.V., hereinafter referred to as Fliteline;

m. Consent of the data subject: any free, specific, informed and unambiguous expression of will by means of a statement or active unequivocal act, by which the data subject accepts the processing of personal data relating to themselves;

n. Regulation: EU 2016/679 regulation from April 27, 2016 concerning the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC;

o. Processing of personal data: any operation or set of operations which is performed upon personal data or a set of personal data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available, alignment, interconnection, blocking, erasure or destruction of data;

p. Data processor: the person who, on the basis of an agreement, processes personal data on behalf of the data controller, without being subject to their direct authority;

q. Data controller: Fliteline.

Article 2. Responsibilities
‍

2.1 Fliteline is responsible for determining the purpose, content and use of the processing of personal data and for compliance with the GDPR, the provisions of these regulations and the policy established within the organization.

2.2 Fliteline takes measures to ensure that personal data is correct and accurate with respect to the purposes for which it is processed.

2.3 Fliteline ensures that its employees are aware of their responsibilities and obligations in the processing of personal data.

2.4 Fliteline informs the administrators and users periodically to ensure that they understand the personal data processing operations, the applicable rules and their own role in this.

2.5 Fliteline provides a privacy impact assessment for the processing of special or sensitive personal data that is processed with a view to, for example, sick leave and reintegration of personnel.

2.6 Fliteline has a register of processing activities for the data processing it carries out for the different categories of data subjects.

2.7 Fliteline is advised by the Privacy Officer on the above tasks.

Article 3. Privacy Officer

‍

3.1 The Privacy Officer performs their duties and obligations independently of the Management.

3.2 The Privacy Officer monitors internal compliance with laws and regulations and Fliteline' or the data processor's policies regarding the protection of personal data.

3.3 The Privacy Officer advises on processing operations and supervises their implementation and evaluation.

3.4 The Privacy Officer advises on the appropriate level of security for information management within the organization and on measures aimed at limiting the processing of personal data.

3.5 The Privacy Officer works together with the supervisory authority (Personal Data Authority).

3.6 Data subjects may contact the Privacy Officer on all matters relating to the processing of their data and the exercise of their rights under this policy and under the Regulation. Data leaks, as referred to in Article 9, must also be reported to the Privacy Officer.

3.7 The Privacy Officer reports their activities and findings to the data controller annually.

3.8 The investigative powers of the Privacy Officer are specified in the job description and include:

- The authority to enter rooms;
- The authority to request information and access and to investigate matters;
- The facilities made available to the Privacy Officer to enable them to exercise their powers properly.

3.9 The Privacy Officer is bound to secrecy and confidentiality in relation to their duties.

Article 4. Information and access to personal data

‍

4.1 Fliteline informs data subjects prior to or during the collection of the personal data or, if the data originates from third parties, within a reasonable period of time after receipt, about the personal data that is processed, for what purpose, on what basis, with whom the data is shared (internally and externally), how long and where the data is stored, a general description of the technical and organizational measures as prescribed in the GDPR, information about possible transfer of data to countries outside the EU, and about the rights of data subjects under the GDPR.

‍

4.2 Anyone who is involved in the implementation of this policy and who is aware of or can reasonably suspect the confidential nature of the personal data to which they have access, and not already subject to a duty of confidentiality with regard to personal data by virtue of their profession, position or statutory regulation, shall be obliged to keep this confidential and shall sign a non-disclosure agreement if not already apparent from their employment contract or other agreement. This shall not apply if any statutory provision requires their disclosure or if disclosure is necessitated by their task in implementing this policy.

Article 5. Categories of stakeholders

‍

5.1 Staff

5.1.1 Processing of personnel data serves the following purposes:

a. Entering into an employment contract (GDPR Article 6.1b);

b. Determining the salary and other employment conditions (GDPR Article 6.1b);

c. Payment of salary, taxes and contributions (GDPR Article 6.1b and 6.1c);

d. Fulfilling a condition of employment applicable to the data subject and communication with the data subjects about the applicable employment conditions (GDPR Article 6.1b);

e. Collection of claims, including the assignment of these claims to third parties (GDPR Article 6.1b);

f. Termination of employment (GDPR Article 6.1b);

g. Transfer of the data subject to a (temporary) position in another part of the group, as referred to in Section 2:24b of the Dutch Civil Code to which the data controller is attached (GDPR Article 6.1b);

h. Management and supervision of the data subject, maintaining contact with family members in the event of an emergency and supporting the data subject during special events (birthday/marriage, etc.) (GDPR Article 6.1b);

i. Provision of company medical care to the data subject and fulfillment of reintegration obligations in the event of absence (GDPR Article 6.1c);

j. Granting access to the company network (GDPR Article 6.1b);

k. Settlement and investigation of claims to benefits in connection with termination of employment (GDPR Article 6.1b);

l. Election of members of a representative body (GDPR Article 6.1c);

m. Resolution of disputes (GDPR Article 6.1b);

n. Staff matters other than those referred to under items a. to m. (GDPR Article 6.1b);

o. Performance of financial audits and establishment of entitlement to compensation (GDPR Article 6.1c);

p. Securing and monitoring of persons, property and buildings entrusted to the care of Fliteline (GDPR Article 6.1f);

q. Publication of information about the organization on the organization's website (GDPR Article 6.1f).

‍

5.1.2 No other personal data will be processed than:

a. Surname, first names, initials, titles, gender, date of birth, address, postcode, place of residence, telephone number and similar information necessary to communication, such as the business or private e-mail address and bank account number of the data subject;

b. Social security number;

c. Copy of ID/passport;

d. A personnel number not containing any information other than the information referred to under a.;

e. Nationality, place of birth;

f. Data on completed and future education, courses and placements;

g. Data on working conditions;

h. Data relating to the calculation, recording and payment of salaries, allowances and other sums of money and benefits in kind;

i. Data relating to the calculation, recording and payment of taxes and premiums;

j. Data concerning the position or former position(s), as well as the nature, content and termination of previous employment contracts;

k. Data for the purpose of recording the presence of the data subject at the place of work and their absence due to leave, reduction of working hours, childbirth or illness, with the exception of data on the nature of the illness;

l. Data recorded in the interest of the data subjects for the purposes of their working conditions and safety;

m. Data, including data concerning family members and former family members of the data subject, which is necessary with a view to agreed employment conditions and with a view to disasters/accidents (duty of care);

n. Data relating to the performance of duties, staff appraisal and career guidance, insofar as this data is known to the data subject;

o. Login data for the company network;

p. Photos and videos with or without sound of the organization's activities;

q. Camera images of the company premises and the generally accessible areas of the organization;

r. The details of the time, date and place at which the camera images were recorded;

s. Data other than the data referred to under items a. to r., the processing of which is necessitated by another, unspecified law or its application.

Applicants

‍

5.1.3 Processing of job applicant data serves the following purposes:

a. Assessment of the suitability of the data subject for a job vacancy (GDPR Article

‍

‍6.1a and 6.1b);

b. Assessment of the suitability of the data subject for a potential job vacancy in the near future (GDPR Article 6.1a and 6.1b);

c. Processing of expenses incurred by the job applicant (GDPR Article 6.1a);

d. Securing and monitoring of persons, property and buildings entrusted to the care of Fliteline (GDPR Article 6.1f);

e. Implementation or application of legislation (GDPR Article 6.1c).

‍

5.1.4 No other data will be processed than:

a. Surname, first names, initials, titles, gender, date of birth, address, postcode, place of residence, telephone number and similar information necessary to communication, such as the e-mail address and bank account number of the data subject;

b. Nationality and place of birth;

c. Data on completed and future education, courses and placements;

d. Details of the position applied for;

e. Data concerning the nature and content of the current employment, as well as its termination;

f. Data concerning the nature and content of previous employment, as well as its termination;

g. Other data needed to fulfill the position (e.g. information in the context of a minority preference policy or reintegration policy);

h. Photos and videos with or without sound;

i. Camera images of the company premises and the generally accessible areas of the organization;

j. The details of the time, date and place at which the camera images were recorded;

k. Other data with a view to the performance of the position, provided by or after permission from the data subject (assessments, psychological examinations, medical examination results);

l. Data obtained through Internet research;

m. Data other than the data referred to under items a. to r., the processing of which is necessitated by another law or its application.

‍

5.2 Customers

5.2.1 Processing of customer data serves the following purposes:

a. Issuing of ad hoc requests and quotations and the receipt of consignments or orders from customers (GDPR Article 6.1b);

b. Execution of agreements or assignments (GDPR Article 6.1b and 6.1f);

c. Calculation and recording of income and expenditures and the making of payments (GDPR Article 6.1b);

d. Collection of claims, including the assignment of these claims to third parties and other internal management activities (GDPR Article 6.1b);

e. Maintenance of contact between the data controller and the customers (GDPR Article 6.1b);

f. Resolution of disputes and performance of financial audits (GDPR Article 6.1c);

g. Implementation or application of further legislation (GDPR Article 6.1c);

h. Securing and monitoring of persons, property and buildings entrusted to the care of Fliteline (GDPR Article 6.1f).

‍

5.2.2 No other personal data will be processed than:

a. Surname, first names, initials, titles, gender, date of birth, address, postcode, place of residence, telephone number and similar information necessary to communication, such as the e-mail address and bank account number of the data subject;

b. Data for the purpose of processing customer consignments or orders;

c. Data necessary for the execution of the agreement or assignment;

d. An administration code containing no other information than that referred to under items a. to b.;

e. Camera images of the company premises and the generally accessible areas of the organization;

f. The details of the time, date and place at which the camera images were recorded;

g. Data other than the data referred to under items a. to f., the processing of which is necessitated by another, unspecified law or its application.

‍

5.3 Visitors

5.3.1 Processing data for visitors to Fliteline premises serves the following purposes:

a. Internal management (GDPR Article 6.1f);

b. Securing and monitoring of persons, property and buildings entrusted to the care of Fliteline (GDPR Article 6.1f).

‍

5.3.2 No other personal data will be processed than:

a. Surname, first names, initials, titles, gender, date of birth, address, postcode, place of residence, telephone number and similar information necessary to communication, such as the e-mail address and the organization to which the visitor belongs;

b. Data concerning the person and department that the data subject wishes to visit;

c. Details of the reason for the visit;

d. Details of the date and time of arrival and departure of the visitor;

e. Data relating to the visitor's identity document;

f. Camera images of the company premises and the generally accessible areas of the organization;

g. Details of the time, date and place at which the camera images were recorded;

h. Data other than the data referred to under items a. to h., the processing of which is necessitated by another law or its application.

‍

5.3.3 Website

When visiting the Fliteline website(s), Fliteline informs visitors to the Fliteline website(s) about the data that is processed when they visit the website and to which purpose by means of a privacy statement posted on the Fliteline website(s).

‍

5.4 Suppliers / Service Providers

5.4.1 Processing data from Fliteline suppliers serves the following purposes:

a. Placement of orders or provision of instructions to service providers (GDPR Article 6.1b);

b. Calculation and recording of income and expenditures and the making of payments (GDPR Article 6.1b);

c. Collection of claims, including the assignment of these claims to third parties and other internal management activities (GDPR Article 6.1b);

d. Maintenance of contact between the data controller and the suppliers (GDPR Article 6.1b);

e. Resolution of disputes and performance of financial audits (GDPR Article 6.1c);

f. Implementation or application of further legislation (GDPR Article 6.1c);

g. Securing and monitoring of persons, property and buildings entrusted to the care of Fliteline (GDPR Article 6.1f).

‍

5.4.2 No other personal data will be processed than:

a. Surname, first names, initials, titles, gender, date of birth, address, postcode, place of residence, telephone number and similar information necessary to communication, such as the e-mail address and the organization to which the data subject belongs;

b. Data with a view to placing orders or awarding contracts to service providers;

c. Camera images of the company premises and the generally accessible areas of the organization;

d. Details of the time, date and place at which the camera images were recorded;

e. Data other than the data referred to under items a. to d., the processing of which is necessitated by another law or its application.

Article 6. Rights of data subjects
‍

6.1 Privacy statement

6.1.1 Fliteline has privacy statements available which inform data subjects in clear, comprehensible and easily accessible form about which data of theirs are processed, by which means and for which reasons.

‍

6.2 Right to information

6.2.1 Data subjects whose personal data are being processed, or – if they have not yet reached the age of sixteen – their legal representatives, have the right to inspect and have a copy of the data recorded about them or their pupil respectively and the following information about them:

a. The processing purposes and the legal basis for the processing;

b. The categories of personal data concerned;

c. The recipients and/or categories of recipients to whom the personal data have been or will be disclosed;

d. The period during which the personal data is expected to be stored or, if that is not possible, the criteria for determining that period;

e. The origin of the data processed if it does not originate from the data subject;

f. The existence of automated decision-making and the importance and expected impact of such processing on data subjects.

‍

6.3 Right of rectification and erasure

6.3.1 Data subjects have the right to have inaccurate personal data corrected.

‍

6.3.2 Data subjects are entitled to erasure of data ('right to forgetfulness') in the following situations:

a. The personal data is no longer needed;

b. The data subject withdraws the consent on which the processing is based and there is no other legal basis for such processing;

c. The data subject objects to the processing and there are no overriding mandatory forms of processing;

d. The data has been unlawfully processed;

e. A legal obligation to delete personal data.

‍

6.3.3 When the data have been made public and Fliteline is required to delete the data, Fliteline shall take reasonable measures, including technical measures, taking into account the available technology and implementation costs, to inform data controllers processing personal data that the data subject has requested the deletion of any link to, copy or reproduction of this data.

‍

6.3.4 Articles 6.3.1 and 6.3.2 do not apply where processing is necessary for the exercise of the right to freedom of expression or for the performance of a legal obligation to process, or for the performance of a task in the public interest, for reasons of public interest in the field of public health, for the purpose of archiving in the public interest, scientific or historical research, in so far as the law referred to in 6.3.1 and 6.3.2. threatens to render impossible or seriously jeopardize the attainment of these objectives.

‍

6.4 Right to restrict the processing of data

6.4.1 Under the Regulation, the data subject has a right to restrict the processing of their data in certain specified situations. This means that Fliteline only processes personal data, with the exception of storage, with the consent of the data subject or for the institution, exercise or substantiation of a legal claim or for the protection of the rights of another natural person.

‍

6.5 Right to data portability

6.5.1 The data subject has the right to obtain the personal data concerning themselves which they have provided to Fliteline in a structured, common and machine-readable form and the right to transfer such data to another data controller in cases where personal data have been provided by them on the basis of consent given (GDPR Article 6.1a) or on the basis of an agreement (GDPR Article 6.1b) and processing is carried out by automated means.

‍

6.5.2 In exercising their right to data portability under the previous paragraph, the data subject shall have the right, where technically possible, to have data transferred directly from one data controller to another.

‍

6.5.3 The right shall not apply to processing operations which are necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.

‍

6.6 Submission of a request

‍

6.6.1 A request as referred to in this article is addressed to Fliteline for the attention of the Privacy Officer.

‍

6.6.2 A request is free of charge. However, where requests made by a data subject are manifestly unfounded, or excessive, in particular because of their repetitive nature, Fliteline may:

- charge a reasonable fee in light of the administrative costs associated with the request; or
- refuse to comply with the request.

6.6.3 Fliteline shall provide the data subject with information on the action taken on the request within one month of receipt of the request.

‍

6.6.4 If the data subject makes a request because certain recorded data would be incorrect or incomplete, if they have an interest in the termination of the processing that outweighs that of the organization, or if the processing is not (any longer) necessary in view of the objective of the policy, or is in conflict with this policy, the Privacy Officer shall take a written decision on behalf of the data subject within one month after the data subject has submitted this request.

‍

6.6.5 Depending on the complexity of the requests and the number of requests, this period may be extended by a further two months if necessary. Fliteline shall notify the data subject of any such extension within one month. If a data subject submits a request electronically, the information shall be provided electronically where possible, unless the data subject requests otherwise.

‍

6.6.6 If Fliteline has any doubts about the identity of the requester, Fliteline will ask the requester as soon as possible to provide further information about their identity in writing or to present a valid identity document. The request shall suspend the time limit for processing the request until such time as the evidence requested has been provided.

‍

6.6.7 If Fliteline does not wish to comply with a request under this article, Fliteline shall inform the data subject in writing, giving reasons, within one month of receipt of the request.

‍

6.7 Limitations

6.7.1 The scope of Fliteline' obligations on the one hand and the rights of data subjects on the other hand may be limited by laws and regulations applicable to Fliteline and/or its data processors.

‍

6.8 Right to submit a complaint

6.8.1 The data subject who does not agree with the rejection of their request as referred to in this article can contact the Privacy Officer of Fliteline via privacy.officer@nl.rhenus.com.

Article 7. Security

‍

7.1 Fliteline shall provide appropriate security measures and an appropriate level of security, taking into account the state of the art and the costs of implementation, in view of the risks involved in the processing and the nature of the data to be protected. The measures are also aimed at preventing unnecessary collection and further processing of personal data.

Article 8. The data processor

‍

8.1 The data processors are those who process data on the basis of an agreement for or on behalf of Fliteline.

‍

8.2 The data processor shall process the data in the manner agreed in a data processor's agreement.

‍

8.3 The data processor is responsible for the proper use of the necessary facilities to adequately guarantee the protection of the privacy of the persons whose data is included in the personal data registration, as indicated and described in the data processor agreement.

‍

8.4 The Privacy Officer shall ensure that the provisions referred to in the previous paragraph are made and observed.

Article 9. Data leaks

‍

9.1 If a data leak occurs within Fliteline's organization or with a data processor employed by Fliteline, with a significant risk of loss or unlawful processing of personal data processed by Fliteline, or such loss or unlawful processing actually occurs, the Privacy Officer will notify the Personal Data Authority, unless it can be demonstrated that such a breach is unlikely to pose a risk to the rights and freedoms of individuals.

‍

9.2 The Privacy Officer shall document any breach of security referred to in article 9.1, whether or not it is reported to the Personal Data Authority.

‍

9.3 If the breach poses a high risk to the rights and freedoms of the data subject, Fliteline shall also notify the data subject of the infringement without delay. This communication may be omitted if:

- The personal data is encrypted and not accessible to third parties;
Measures have been taken to eliminate the high risk;
- The communication requires a disproportionate effort; public communication will then suffice.

9.4 In determining whether there is a breach of security and whether a notification thereof should be made to the Personal Data Authority, Fliteline shall use the procedures set out in the Data Leaks Manual.

Article 10. Complaints

‍

10.1 If the data subject is of the opinion that the provisions of the GDPR and/or other laws and regulations and/or codes of conduct are not being complied with by Fliteline, they should contact the Privacy Officer.

‍

10.2 If the complaint submitted does not lead to a result acceptable to the data subject, they may apply to the Personal Data Authority or to the court.

Article 11. Entry into force, amendment and citation title

‍

11.1 This policy may be referred to as the 'Fliteline Privacy Regulations' and will enter into force on the date stated on the back of the brochure.

‍

11.2 The policy is established by Fliteline and replaces any previous versions.

‍

11.3 The policy shall be evaluated periodically and can be changed if this is desired or necessary to properly comply with the GDPR.

Fliteline B.V.
Phone +31 (0)20 754 1475
privacy.officer@nl.rhenus.com

June 2026

‍