Introduction

MaxGrip is specialist in consultancy services in the field asset management. Currently, the services we provide are not intended to store any personal data and don’t create risks for the privacy of individuals. Nevertheless, as organization we commit ourselves to the prevention of the abuse of personal data and any inappropriate interferences with the privacy of our clients and employees.

In order to build relations we need to gather and use certain information about individuals. The processing of these data is not part of our economic activities. As such, many of the obligations of the data protection regulations in force do not apply to MaxGrip or only apply to employment or B2B relation.

In all cases, if suppliers and partners handle our personal data we ensure they have appropriate security and organizational measures in place and act in accordance with the data protection laws. Our strategic and corporate pillars follow the principles of transparency, simplicity and ethics in all we do.

This policy summarizes how the personal data is collected, handled and stored by MaxGrip to meet the requirements of the applicable data protection laws, especially the EU General Data Protection Regulation (GDPR).

1. Scope of the Policy

This policy applies to:

  • Visitors of our website;
  • Clients of MaxGrip;
  • Prospective Customers;
  • People who want to contact us for information;
  • People applying for newsletters, events and webinars;
  • Our suppliers, partners and their employees.

It applies to all data that the MaxGrip holds relating to identifiable individuals. This can include:

  • Names of individuals
  • Postal addresses
  • Email addresses
  • Telephone numbers
  • Plus any information relating to individuals, as described in the data protection laws.

2. Principles implementation

MaxGrip collects and uses personal data fairly, stored it safely and not disclosed it unlawfully. Maxgrip adheres to all important principles applicable to the protection of the personal data and is committed to ensure that personal data will:· Be processed fairly and lawfully;

  • Be obtained only for specific, lawful purposes;
  • Be adequate, relevant and not excessive;
  • Be accurate and kept up to date;
  • Not be held for any longer than necessary;
  • Processed in accordance with the rights of individuals;
  • Be protected in appropriate ways;
  • Not be transferred outside the country where the data is collected, unless that country or territory also ensures an adequate level of protection.

Besides, MaxGrip is committed to apply data security measures to avoid:

  • Breaches of confidentiality. For instance, information being given out inappropriately.
  • Failing to offer choice. For instance, when individuals are not free to choose how MaxGrip uses data relating to them.
  • Reputational damage. For instance, damages MaxGrip could suffer if hackers successfully gained access to personal data.

In order to correctly accommodate the implementation of the aforesaid principles and obligations MaxGrip has a group compliance team consisting of a data protection lead and key members of each department at the Head Office of MaxGrip. A relevant strategy is set up to define the goals and steps for compliance as well as to monitor the results in a way of an internal audit yearly.

3. Responsibilities

Everyone who works for or with Maxgrip has some responsibility for ensuring that personal data is collected, stored or handled appropriately. The group compliance team involved in the implementation of the data protection must ensure that it is handled and processed in line with this policy.

The following persons have key areas of responsibility:

a) The board of directors: ultimately responsible for ensuring that MaxGrip meets its legal obligations.

b) The data protection lead:

  • Keep the board updated about data protection regulations, risks and issues that may affect the business;
  • Coordinate the implementation of the regulations by conducting project teams meetings and advising on how to proceed;
  • Review all data protection procedures and related policies, in line with an agreed schedule;
  • Arrange data protection training and advice for the staff covered by this policy;
  • Handle data protection questions from staff and anyone else covered by this policy;
  • Deal with requests from individuals to see the data MaxGrip holds about them (also called ‘subject access requests’), in close consultation with the HR manager and the Board.
  • Check and approving any contracts or agreements with third parties that may govern the processing of personal data;
  • Implement the annual internal audit.

c) The IT manager:

  • Ensure all systems, services and equipment used for collecting and storing data meet the security standards and policies;
  • Perform regular checks and scans to ensure security hardware and software is functioning properly;
  • Evaluate any third-party services and equipment the company is considering using to process personal data.
  • Draft relevant materials, such as guidelines and co-work with data protection lead to align security and privacy policies.

d) The Marketing Global Manager:

  • Approve data protection statements, text or references, attached to communications (such as emails and letters) used for marketing and external communication purposes;
  • Address data protection queries from media or third parties in respect to public campaigns.
  • Ensure that marketing initiatives abide by data protection principles, such as previous consent, transparency and purpose.
  • Ensure marketing databases are checked against industry suppression files regularly.

e) The VP Human Resources:

  • Ensure that personal data of the employees is protected in the staff files, registers, digital tools and programs or applications used by HR;
  • Ensure that the personal data of the employee is protected according the data protection regulations in employment agreements, plans, actions, strategy and policies of HR;
  • Deal with requests from staff in respect to the data MaxGrip holds about them.
  • Ensure the participation of the Works Council in the decisions related to the protection of the personal data of staff.

4. Employment

  • MaxGrip has implemented a data protection policy for its employees. Besides, rules on how to deal with personal and sensitive data is described in the employees’ handbook;
  • The only people able to access personal data are those who need it for their work.
  • Personal Data is not shared informally. When access to confidential information is required, MaxGrip’s employees are instructed to request it from their line managers.
  • Employees should keep personal data secure, by taking sensible precautions and following the guidelines herein set forth.
  • In particular, strong passwords are used and they are not shared. All devices used by MaxGrip’s employees are protected by a passcode.
  • Personal data are regularly reviewed and updated in the internal systems. If no longer required, it is deleted and disposed of.
  • Employees are instructed to request help from their line manager or the data protection lead if they are unsure about any aspect of data protection.
  • MaxGrip has implemented a GDPR- Recruitment Policy.

5. Data storage

When personal data is stored on paper, it will be kept in a secure place where unauthorized people cannot see it. Otherwise, they are kept in a locked drawer or filing cabinet;

  • Employees should make sure paper and printouts are not left where unauthorized people could see them, like on a printer.
  • Data printouts should be shredded and disposed of securely when no longer required;

When personal data is stored electronically, it is protected from unauthorized access, accidental deletion and malicious hacking attempts:

  • Personal data is protected by strong passwords that are changed regularly and not shared between employees. The rules for passwords are described in the security policies available.
  • If personal data is stored on removable media (like CD or DVD), these should be kept locked away securely when not being used.
  • Personal data should only be stored on designated drives and servers, and should only be uploaded to an approved cloud computing services. MaxGrip’s cloud providers are the only one’s permitted to store MaxGrip’s data in the cloud.
  • Servers containing personal data should be sited in a secure location, away from general office space.
  • Personal data should be backed up frequently, as advised by the IT manager. Those backups should be tested regularly, in line with the company’s standard backup procedures.
  • All servers and computers containing data are protected by approved security software.
  • MaxGrip has entered into a data processing agreement with its suppliers of storage of personal data.

Retention period:

  • For marketing purposes: MaxGrip holds personal data for a maxium period of 6 years with a review every 3 years from the date it is collected. Individuals have the opportunity to opt out or update at any point of their data, should they need to do so and/or choose their preferences.
  • For contracted services: MaxGrip holds personal data for 7 years, except if otherwise mandatory by regulatory requirements.
  • Recruitment: No longer than 1 month after the candidate has contacted MaxGrip for the last time.

6. Data collection and use

The collection and processing of personal data, does not occur in MaxGrip business as a primary assignment but happens as collateral activity, such as: for the update and enhancing of clients records, the analysis for management purposes, legal and regulatory compliance. We don’t collect, use or process personal data on behalf of our clients and consequently we don’t have a commercial arrangement with them to handle their personal data.

The commercial terms and conditions applicable to our business have been reviewed according to the data protection regulations. This includes, between others, contracts with clients, marketing activity suppliers and

processors of personal data. We want to ensure that third parties dealing with personal data provided by MaxGrip follow the security requirements as required by applicable laws. All suppliers of MaxGrip have to sign a data protection agreement whenever they collect and process personal data of our employees or clients.

The storage of our internal data is made through a cloud provider. Business contacts (names, e-mail address and function) are currently stored in the CRM system of MaxGrip, which is owned by the could provider. Our cloud provider leads the industry standards for information security and loss prevention. The CRM system permits MaxGrip to have total control of the manner the data is stored and processed by the cloud provider. We determine the appropriate programs and tools as made available by the could provider to perform this processing activity including how to fill the data in the system, correct errors, erase the data and who has access to it. We are proud to say that the roll-based security in our systems allows us to achieve high levels of compliance with the data protection laws.

7. Data accuracy & Securit

It is the responsibility of all employees who work with personal data to take reasonable steps to ensure it is kept as accurate and up to date as possible.

  • Data will be held in as few places as necessary. Staff is instructed to not create any unnecessary additional data sets.
  • Staff should take every opportunity to ensure data is updated. For instance, by confirming customers’ detail when they call.
  • MaxGrip makes it easy for data subjects to update the information MaxGrip holds about them.
  • Personal data is updated as inaccuracies are discovered and, for instance, be removed from database the data that is not needed.
  • MaxGrip has implemented an IT and data security policy. In this (separate) document the technical measures taken to protect personal data against data leak and unauthorize intrusions in MaxGrip’s systems is set forth, among other relevant technical information.

Technical measures

We have selected IT systems that provide high levels of safety and quality for what we do. Currently, we have a comprehensive set of security capabilities including a formal registration and deregistration procedure for assigning access right into computer systems. Relevant information establishing security rules are also in place, such as strong password policies, secure network, intrusion detection and clear screen & clear desk policy. Besides, we have protocols for confidentiality and intellectual property matters applicable for the use and access of computer systems. Any access to contact persons data (business contacts) happens in a need to know basis and after granted permission by the client. The data centers we use are protected by leading standards of security including protection against accidental destruction and a disaster recovery plan. In our IT policy is described the entry and exit procedure, including our access rights to perform regular security checks. All personal data is collected is encrypted before being transferred electronically. More detailed information about technical measures is available upon request (gdpr-info@maxgrip.com).

Physical Security

MaxGrip has an adequate physical security which includes authentication mechanisms, visitors identification and daily reception desk. Only specific persons within MaxGrip have physical access to the place where personal data is stored.

Cloud

MaxGrip confirms that all storage units owned by our cloud provider are fully compliant with the privacy and data protection regulations globally. A security operation center and artificial intelligence team is available by our partners to support MaxGrip, monitor and protect against threats in the cloud that may affect our business. Detailed information on service levels and storage of data in the cloud are available upon request (gdpr-info@maxgrip.com).

8. Marketing

MaxGrip has implemented a data protection policy for marketing activities. We collect personal data when individuals access our website, apply for newsletters and webinars and also when they want to participate in

MaxGrip events. The information we collect is consensually provided by the individual in an open and fair manner. In no circumstance we disclose the personal data collected for marketing purposes to third parties. MaxGrip only selects marketing partners that are GDPR compliant. If personal data is processed by a third party MaxGrip ensures that a data processing agreement is signed

In our cookie statement we explain how this data is collected and managed.

Consent is the central rule of our marketing activities, no matter if they involve phone calls, marketing texts, emails or online publicity, whenever such consent is required. MaxGrip has implemented a Recording Policy applicable for example when we use photo’s or videos for marketing activities.

Our requests for consent respect the conditions and principles, as established in the GDPR:

  • Freely given
  • Clear
  • Specific
  • Unambiguous

For all marketing activities individuals concerned have the opportunity to choose marketing preferences, which includes the right to withdraw their consent whenever they want.

MaxGrip makes direct marketing by using previously collected e-mails address of individuals, such as business contacts and persons that have signed up for our newsletter or account. Direct marketing within MaxGrip occurs only for information related our products and services.

More information can be provided by request to gdpr-info@maxgrip.com

9. Subject access requests

All individuals who are the subjects of personal data held by MaxGrip are entitled to:

  • Ask what information MaxGrip holds about them and why;
  • Ask how to gain access to it;
  • Be informed how to keep it up to date;
  • Be informed how we meet data protection obligations;

If an individual contacts MaxGrip requesting this information, this is called a subject access request, which is free of charge. Subject access request should be made by email, addressed to gdpr-info@maxgrip.com.

Last updated: April 2020