1. Introduction

This internal Privacy Policy (“Policy”) establishes the principles and responsibilities related to how Moolaah manages personal data. It is specifically aimed at guiding the handling of personal data by Moolaah’s employees and representatives on behalf of the organization.

Contact Information:

  • Office Location: Helftheuvelweg 11, 5222AV, ’s-Hertogenbosch
  • Email: info@moolaah.io

This Policy governs all personal data processed by or for Moolaah, which may be used to directly or indirectly identify an individual (“Personal Data”).

It applies to Personal Data related to (prospective, current, and past) employees, contractors, clients, business associates, and other relevant third parties, collectively referred to as “Data Subjects.”

For inquiries regarding this Policy or questions about the handling of Personal Data, please reach out to us via info@moolaah.io.

1.1 Policy Objective

The objective of this Policy is to outline the measures Moolaah takes to comply with applicable data protection laws, including the EU General Data Protection Regulation (GDPR). It aligns with the recommendations from the European Data Protection Board and other regulatory bodies (“Supervisory Authorities”).

1.2 Policy Scope

This Policy is applicable whenever Moolaah acts as the data controller under the GDPR, which means Moolaah is responsible for determining the purposes (e.g., payroll management) and the means (e.g., use of digital systems) of processing Personal Data.

It applies to all Moolaah employees, management, interns, and applicants.

1.3 Policy Updates and Amendments

Moolaah retains the right to update or modify this Policy as needed to ensure continued compliance with legal obligations or to reflect business developments. In the event of significant changes in data processing activities, Data Subjects will be informed accordingly.

2. Key Terms

Controller: The individual or organization responsible for determining the purpose and means of processing Personal Data (GDPR Article 4(7)).

Data Breach: Any security incident leading to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Personal Data (in accordance with GDPR Article 4(12)).

Data Subjects: Individuals whose Personal Data is handled by Moolaah, including current, former, or prospective employees, contractors, customers, business partners, and other third parties.

Dutch DPA: Refers to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), the regulatory body in the Netherlands responsible for enforcing data protection laws.

EEA: European Economic Area

Internal and External Privacy Statements: Documents that outline Moolaah’s data privacy practices for internal stakeholders (such as employees) and external parties (like customers, contractors, and business partners).

Legal Ground: One of the six legal bases outlined in GDPR Article 6 that justify the processing of Personal Data.

Personal Data: Any information that can be used to identify an individual, as defined by the GDPR. This includes data already collected and any future data that Moolaah may gather.

Privacy Contact Person: An appointed Moolaah staff member responsible for addressing privacy-related questions, concerns, or complaints.

Processing: Any action or series of actions performed on Personal Data or groups of Personal Data, whether automated or manual. This includes activities such as collection, recording, organization, structuring, storage, modification, retrieval, consultation, use, sharing through transmission, dissemination or other means of making data accessible, as well as alignment, combination, restriction, deletion, or destruction, as outlined in Article 4(2) of the GDPR.

Processor: An entity or individual who processes Personal Data on behalf of the Controller, as specified by GDPR Article 4(8).

Retention Period: The duration during which Personal Data must be stored, based on legal or business requirements.

Rights of Data Subjects: The set of rights granted to individuals regarding their Personal Data. These include the right to be informed, access their data, request corrections (rectification), ask for their data to be deleted (erasure), request data portability, object to data processing, restrict processing, lodge complaints with the Supervisory Authority, and withdraw consent at any time.

Register of Processing Activities: An internal log that documents all Personal Data processing activities conducted by Moolaah.

Security: The safeguards and measures taken to protect Personal Data and ensure its confidentiality and integrity, as required by GDPR Article 32.

Special Categories of Personal Data: Sensitive information such as health data, racial or ethnic background, political opinions, or union memberships, as defined by GDPR Article 9(1).

Supervisory Authority: A public authority established by an EU Member State under GDPR Article 51 to oversee data protection compliance.

Internal and External Third Parties: Refers to either Moolaah’s internal teams or external service providers involved in services such as IT, payroll, recruitment, or legal services.

3. Types of Personal Data Processed

The specific types of Personal Data that Moolaah handles are outlined in both the Internal and External Privacy Statements provided by the organization.

4. Purpose, Legal Basis, and Data Retention

Moolaah processes Personal Data to carry out core business activities, deliver services, and meet legal obligations. The purposes, legal justifications, and applicable retention periods for this data are listed in the Internal and External Privacy Statements.

4.1 Moolaah’s Responsibilities

  • Purpose Restriction: Personal Data will only be used for the purposes initially specified. Any new or additional processing must be pre-approved by Moolaah and must comply with GDPR’s guidelines on purpose compatibility. Data Subjects will be notified in advance if their data is processed for any other purposes.
  • Legal Basis: All Personal Data processing must be based on one of the legal grounds defined in GDPR Article 6, such as:

    Consent: The Data Subject has provided permission for their Personal Data to be processed for one or more defined purposes. When processing is based on consent, the Data Subject retains the right to revoke this consent at any time. To withdraw consent, please contact: info@moolaah.io.

    Contractual necessity: Personal Data may be processed to fulfill a contract or agreement involving the Data Subject. If this data is not provided, the contract may not be executed.

    Legal obligations: Processing may be required to comply with a legal obligation that Moolaah must adhere to.

    Vital interests: Processing may be necessary to protect the vital interests of the Data Subject or another individual.

    Public interest: Processing may be carried out to perform tasks in the public interest or in the exercise of official authority granted to Moolaah.

    Legitimate interests: Processing may be essential to protect the legitimate interests of Moolaah, provided that the rights and interests of the Data Subject are not overridden.

  • Special Categories of Personal Data: Sensitive Personal Data, such as health or racial information, will only be processed in line with GDPR Article 9, under legally permitted exceptions.
  • Data Accuracy: Moolaah ensures that the Personal Data it holds is accurate and up to date, conducting regular reviews to maintain data integrity.
  • Data Security: Moolaah applies robust technical, physical, and organizational safeguards to protect Personal Data from unauthorized access, as detailed in Section 6.1.
  • Confidentiality: All Personal Data is to be treated with strict confidentiality, and employees and third-party processors are bound by confidentiality obligations.
  • Data Retention Period: Personal Data will be deleted or anonymized after the relevant retention period has expired, in line with legal and operational requirements.
  • Fairness and Transparency: Moolaah processes all Personal Data with full transparency, ensuring compliance with the applicable data protection laws and providing clear information to Data Subjects.
  • Data Minimization: Moolaah ensures only the necessary amount of Personal Data is collected and processed for legitimate purposes.
  • Accountability: Moolaah is responsible for demonstrating compliance with these privacy principles and ensuring that data protection measures are fully documented and enforced.
  • Proportionality and Subsidiarity: The processing of Personal Data must be proportionate to its purpose and must not unnecessarily infringe on the Data Subject’s rights or privacy.

5. Rights of Data Subjects

Individuals whose Personal Data is processed by Moolaah are entitled to various rights regarding how their data is handled, including:

  • The right to information
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to data portability
  • The right to object to the data Processing
  • The right to restrict the Processing of Personal Data
  • The right to withdraw consent
  • The right to lodge a complaint with the Supervisory Authority (in the Netherlands, this is the Autoriteit Persoonsgegevens)

The procedures established by Moolaah to enable Data Subjects to exercise these rights are detailed below.

For inquiries or comments regarding the exercise of Data Subject rights or Personal Data, please reach out to Moolaah at: info@moolaah.io.

5.1 Right to Information

Data Subjects will be informed about the Processing of their Personal Data prior to such Processing occurring (e.g., before the commencement of employment, in the employee handbook, or in a welcome letter). This information will be concise and easily understandable.

5.2 Right of Access

Data Subjects have the right to request access to their Personal Data held by Moolaah. Upon receiving such a request, Moolaah will respond within one (1) month. If the request cannot be met within this timeframe, or if it is denied, Moolaah will provide an explanation for the delay or refusal. A request for access may include:

a) Confirmation that Moolaah processes Personal Data related to the Data Subject; and

b) Details on:

  • (i) The purposes of Processing
  • (ii) The types of Personal Data being processed
  • (iii) The recipients of the data (if applicable)
  • (iv) The anticipated Retention Period or the criteria used to determine it
  • (v) The right to request correction, deletion, or restriction of processing
  • (vi) The right to lodge a complaint with a Supervisory Authority
  • (vii) Information about automated decision-making processes, if applicable
  • (viii) Any available information regarding the source of the Personal Data if not collected from the Data Subject
  • (ix) The protections in place for transferring data to third countries or international organizations

5.3 Additional Rights of Data Subjects

After accessing their Personal Data, Data Subjects may request Moolaah to correct, restrict, amend, add, erase, or transfer their Personal Data in a machine-readable format to themselves or a designated third party.

Moolaah will accommodate legitimate requests when the data is inaccurate, incomplete, irrelevant to its purpose, or processed in violation of applicable laws.

However, requests to erase Personal Data may be denied if doing so would conflict with legal obligations that Moolaah is required to fulfill.

Once a request is approved, Moolaah will promptly take the necessary actions, whether it’s correcting, restricting, amending, deleting, or transferring the data.

Should there be concerns about the handling of Personal Data or if requests from Data Subjects have not been addressed in a timely or correct manner, Data Subjects have the right to file a complaint with the local Supervisory Authority (in the Netherlands: Autoriteit Persoonsgegevens).

6. Security Measures and Data Breach Notification

6.1 Security Measures

Moolaah has established comprehensive technical and organizational safeguards to protect Personal Data. These measures include, but are not limited to:

  • Physical security measures
  • Secure storage of passwords
  • Role-based access control (RBAC), ensuring access is limited to those with a legitimate need
  • Data pseudonymization
  • Data encryption techniques
  • Two-factor authentication for enhanced access security
  • Measures to prevent unauthorized access, copying, modification, or removal during the storage, processing, and transport of Personal Data

For additional details on Moolaah’s security measures, please reach out to our privacy contact person at info@moolaah.io.

6.2 Data Breach Notification Procedure

In the event of a Data Breach, Moolaah is responsible for notifying the relevant data protection Supervisory Authority. If the breach poses a significant risk to the rights of Data Subjects, Moolaah must also inform the affected individuals.

6.2.1 Data Breach Analysis

All employees of Moolaah are required to promptly report any (suspected) Data Breach to the privacy contact person at info@moolaah.io. The report should contain as much relevant information as possible, such as:

  • The Personal Data involved
  • The nature of the Data Breach
  • The categories and estimated number of impacted Data Subjects
  • The categories and approximate number of affected Personal Data records
  • The timeframe of the Data Breach
  • The potential consequences for affected Data Subjects
  • Descriptions of actual and suspected negative outcomes
  • Measures taken or proposed by data processors to mitigate adverse effects
  • Contact details for further communication

Upon receiving a notification, the privacy contact person will investigate to confirm whether a Data Breach has occurred.

Once a breach is confirmed, they will assess whether the incident falls under GDPR, which applies if the breach relates to Personal Data processing within the context of Moolaah’s EU operations or involves services provided to individuals in the EU.

If GDPR is not applicable, the privacy contact person will refer to other relevant legal frameworks.

If GDPR applies, the privacy contact person will determine Moolaah’s role—whether as Controller or Processor. As a Controller, Moolaah is responsible for notifying the Supervisory Authority and affected Data Subjects. If Moolaah is acting as a Processor, it will consult the Controller and follow the agreed-upon steps outlined in the data processing agreement.

6.2.2 Notification to the Supervisory Authority

Upon confirming a breach, Moolaah must notify the relevant Supervisory Authority within 72 hours, unless the breach presents a minimal risk to the individuals involved.

The privacy contact person will evaluate the level of risk based on potential impacts and likelihood, considering factors such as:

  • The type of Personal Data Breach
  • The nature, sensitivity, and volume of affected Personal Data
  • The ease of identifying affected Data Subjects
  • The severity of potential consequences for Data Subjects
  • Specific characteristics of the Data Subjects
  • Moolaah’s responsibilities as the data Controller

Based on this assessment, the privacy contact person will determine whether the criteria for notification have been met.

If notification to the Supervisory Authority is required, the privacy contact person will ensure that the report includes:

  • A description of the Data Breach, including categories and approximate numbers of affected Data Subjects and records
  • Contact information for further communication
  • An overview of the breach’s potential impact
  • Measures taken or proposed to mitigate its adverse effects

If it is not possible to provide all details within 72 hours, the privacy contact person will supply as much information as available and update the report as new information is uncovered.

6.2.3 Notification to Data Subjects

When a Data Breach is likely to have a significant impact on the rights and freedoms of individuals, Moolaah must promptly inform the affected Data Subjects, unless:

  • Moolaah had applied effective technical and organizational measures, such as encryption, to the affected Personal Data to prevent unauthorized access.
  • Measures were taken post-discovery to mitigate the consequences of the Data Breach, ensuring that the risk to Data Subjects is no longer significant.
  • Notification would require disproportionate effort, in which case a public announcement or similar means will inform Data Subjects.

Notifications to affected Data Subjects will be made without undue delay. The privacy contact person will provide clear and comprehensible information, including:

  • A description of the Data Breach
  • Contact details for the privacy contact person
  • A description of the likely consequences of the Data Breach
  • Steps being taken to manage and mitigate the breach

Notifications will be communicated through a dedicated message to ensure clarity and transparency. If appropriate, the privacy contact person will offer specific guidance to Data Subjects on how to protect themselves from potential adverse effects.

6.2.4 Documentation of Data Breaches

For each Data Breach, regardless of whether notification is required, the privacy contact person will document relevant information as described in sections 6.2.1 to 6.2.4, including the details of the breach, its effects, and remedial actions taken. All considerations, assessments, and decisions regarding the Data Breach will also be documented to support Moolaah’s compliance with GDPR accountability requirements.

All documentation related to Data Breaches will be recorded in an internal register, which can be presented to the Supervisory Authority upon request.

7. Disclosure of Personal Data

We may disclose your Personal Data to the following parties for the purposes listed in the “Purposes for Which We Will Use Your Personal Data” section:

  • Internal Third Parties: As defined in the Glossary.
  • External Third Parties: As specified in the Glossary.
  • Business Partners: This includes any third parties to whom we may choose to sell or transfer parts of our business or assets, or with whom we may merge. In the event of a business change, the new owners may use your Personal Data in accordance with this Policy.

We require all third-party partners to protect your Personal Data and to treat it in line with applicable regulations. We do not allow our service providers to use your Personal Data for their own purposes; they are only permitted to process it according to our instructions and for the specified purposes.

8. International Data Transfers

Moolaah aims to process Personal Data within the European Union/European Economic Area (EU/EEA) and seeks to limit the transfer of Personal Data to countries outside the EU/EEA or to international organizations. However, due to the involvement of third-party service providers, some data transfers outside the EU/EEA may occur. When such transfers are necessary, they will comply with relevant legal requirements and include appropriate safeguards, such as those based on an adequacy decision or the use of standard contractual clauses (EU Model Clauses), to ensure Data Subjects’ Personal Data remains protected.

9. Policy Updates

Moolaah reserves the right to amend this Privacy Policy at any time. We encourage you to periodically review this document to stay updated on any changes or modifications.