- 1. Privacy and Data Protection at IBFD
1.1. Responsibility
IBFD is the International Bureau of Fiscal Documentation (officially: Stichting Internationaal Belasting Documentatie Bureau; Stichting = Foundation), a Dutch legal entity with offices in the Netherlands, the United States of America, China and Malaysia. Responsibility for the processing and protection of your personal data lies with IBFD’s headquarters, of Rietlandpark 301, 1019 DW Amsterdam, The Netherlands, registered at the Chamber of Commerce of Amsterdam under number 41197411.
IBFD complies with the requirements of the General Data Protection Regulation (Regulation (EU) 2016/679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in the European Economic Area (EEA) with regard to the processing of personal data and the free movement of such data. As required by the GDPR, IBFD maintains a comprehensive register of its data processing activities in electronic form. IBFD has assigned a privacy officer who deals with all matters related to data protection, but is not a formal data protection officer in the sense described in the GDPR (see Chapter 9. Contact Us).
In the event that ownership of (parts of) IBFD is transferred to a third party, your personal data may be transferred to that third party. IBFD will inform you of this upfront, whereby you will be given the opportunity to object to such transfer of data.
1.2. Definitions
Personal data: Any information that relates to a living individual who can be identified from that data. Different pieces of information that can lead to the identification of a particular person when they are collected together also constitute personal data (e.g. an IP address in combination with a name).
Data subject: The identifiable person whose personal data is collected.
Data controller: A person or organization that decides why and how the collected personal data is processed, and is responsible for the protection of that data. Unless otherwise stated, IBFD is a data controller for personal data we collect through the services subject to this statement.
Data processor: An external person or organization that processes the personal data on behalf of the data controller.
Data processing: Any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Cookies: Small text files (up to 4KB) created by a website that are stored on the user's device, either temporarily in the web browser for that session only, or permanently on the hard disk (‘persistent cookie’). Cookies provide a way for a website to recognize you when you return to it, and keep track of your preferences. Cookies are ‘passive’ as they contain retrievable information, but do not contain programmes, viruses or malicious software.
- 2. Personal Data Collection
2.1. Personal data we collect
We may collect the following personal data from you:
- Your personal contact details (name, postal address, e-mail address and telephone number);
- Your professional contact details (company, position, postal address, e-mail address and telephone number);
- Your device’s Internet Protocol (IP) address;
- Your user IDs and passwords;
- Your invoice and payment details, including your credit card number;
- Your reported interests and preferences;
- Your ordered products or subscriptions;
- Information regarding the equipment you use, such as a unique device ID, the version of your operating system and the settings of the device you use to gain access to a product or service;
- Information regarding the use of a product or service, such as the type of product or service you use and the specific time you use it;
- Location details derived from your device or IP address, that may be automatically transferred when you use a product or service;
- Information that is available via external sources, such as your social media profile;
- Information that is transferred via external sources, for example when you access a product or service via another company’s website.
We do not collect or process any of the personal data classified in the Regulation as ‘special categories’, such as race, political opinions or religious beliefs (See Article 9 of the GDPR for a full list). We do collect and process ‘sensitive’ financial and location data, to fulfil our obligations towards authors, customers and suppliers.
2.2. When we collect personal data
Your personal data may be collected in the following situations:
- When you take out a subscription to an IBFD product or service, either from IBFD or via a third party;
- When you purchase a single IBFD product or service, either from IBFD or via a third party;
- When you use one of IBFD’s websites or online platforms (incl. social media), either directly or via a third party;
- When you create a personal account to one of IBFD’s websites or platforms;
- When you sign up for one or more of IBFD’s free services, such as newsletters or mailings;
- When you participate in a panel or survey conducted by IBFD or one of IBFD’s trusted partners;
- When you register for one of IBFD’s digital products or services, such as an online course or webinar;
- When you send documents, images and other content containing personal data to IBFD;
- When you sign into IBFD’s Library and Information Centre;
- When you contact IBFD.
2.3. How we collect personal data
We collect personal data through various channels:
- We obtain some of the data from you directly, for example when you subscribe to a product, create a My Account or sign up to a newsletter;
- We get some of it by recording how you interact with our products, for example by using cookie technology or obtaining usage data through web analytics;
- We obtain some personal data from third parties, such as social media platforms and trusted partners.
- 3. Personal Data Processing
3.1. Why we process personal data
At IBFD, we process personal data for the basic purposes we must achieve to operate our business: to provide our products and services, and to send communications about our products and services. We need to process personal data for these purposes, to be able to provide you with the products and services outlined in your agreement(s) with us (e.g. Customer Relationship Management), to keep you up-to-date on the products and services of your interest (e.g. marketing communications), and to continuously improve our products and services and your experiences with them (e.g. usage analytics).
We also process personal data for certain carefully considered purposes (‘legitimate interests’), which are in the interest of our business and our customers, as they enable us to fulfil our contractual obligations, enhance the services we provide and protect your privacy. The processing of data for these purposes occurs with the highest regard for your rights and interests. You have the right to object to these forms of processing, but keep in mind that this may affect our ability to carry out certain tasks for your benefit.
We process personal data based on the following (non-accumulative) bases for ‘lawful processing’:
You have consented to the processing by means of an affirmative statement or clear action, such as by ticking a checkbox in your My Account in order to receive a certain IBFD newsletter.
You can withdraw your consent at any time, e.g. by un-ticking the afore-mentioned checkbox or by informing us by telephone; please allow 30 days for your request to be processed. Note that we may not be able to comply with such a request in all cases, as we still may need to process your personal data on a different legal basis (see below).
Processing is necessary for the performance of a contract, or to take steps to enter into a contract.
Processing is necessary for compliance with a legal obligation to which IBFD may be subject as data controller, such as a court order.
Processing is necessary for purposes of legitimate interests pursued by IBFD or a third party used by IBFD, except where such interests are overridden by your interests, rights or freedoms.
Legitimate interests for which IBFD processes personal data are:
- Fraud detection and prevention;
- IT security measures to protect IBFD’s network and information systems, e.g. to prevent data breaches or leaks;
- Intra-organization transfer of data, such as for the processing of orders and payments by IBFD’s headquarters that come in via other IBFD locations or third parties;
- Employment relationship management, for operational, administrative, HR and recruitment purposes;
- Corporate operations and due diligence, such as business intelligence, risk assessment, strategy planning and reporting;
- Credit management, such as the transfer of data to a debt collection agency in case of non-payment;
- Product development and enhancement, such as monitoring website usage and conducting analytics (e.g. pages and links clicked, time at page, navigation patterns, devices used, where users are coming from) to improve our products and services;
- Communications, marketing and intelligence, such as for personalized services and communications, direct marketing, targeted advertising, event planning, and conducting profiling and business intelligence analytics to e.g. create trend reports, analyse the effectiveness of a marketing campaign or determine the most effective channels and messages.
3.2. How we process and use personal data
Your personal data is stored in dedicated Content Management Systems, such as for processing subscriptions, orders and payments, providing customer and author support, and workflow processing for our publications.
We process only the minimum amount of personal data necessary to achieve our purposes. This makes it easier for us to keep data accurate and up-to-date, and limits the amount of data accessible to an unauthorized party in the event of a data breach. We may combine data we collect to enhance or personalize your user experience, for example based on a course you followed or a previous purchase.
At IBFD, we do not use ‘automated decision-making’. We may use profiling (i.e. gathering data about an individual, or group of individuals, and evaluating their characteristics and behaviour patterns to analyse or make predictions about their interests or behaviour), for example to improve or personalize our offering, but we do not base decisions or actions solely on this automatically generated information.
Financial information (‘sensitive data’) is processed solely for payment processing, debt collection, fraud prevention and financial audits.
- 4. Personal Data Sharing
4.1. Why we share personal data
We have agreements with third parties that may receive your personal data, as they need it to carry out certain business activities for us.
As IBFD in its role of data controller is responsible for the personal data we collect from you, we only work with parties that are GDPR-compliant. We (will) have detailed data processing agreements in place with these parties, that outline that any personal data obtained from IBFD is to be kept confidential, and that personal data may only be processed at the direct and precise instruction of IBFD and solely for the purpose defined by IBFD. In case such an agreement is terminated, any personal data in the possession of the third party is either returned to IBFD or deleted.
Recipients of your personal data can be other data controllers, data processors, third party licensees, third countries and international organizations.
4.2. Who we share personal data with
Other data controllers
IBFD has concluded content licenses with other organizations, whom we provide with our published material. The organizations provide us with the personal data of their users (e-mail or IP addresses) that we require to fulfil our obligations, and we provide IBFD content to these end users.
If the content license specifies that IBFD shall determine the means and purpose of the processing of the users’ data, then IBFD is the data controller for the personal data of the organizations’ users.
Note to the end user:
If you use an e-mail or IP address provided by an organization you are affiliated with, e.g. your employer, to access IBFD products and services, that organization may access and process your personal data. IBFD may report to your organization on your usage of our products and services. Please direct your privacy inquiries to your organization’s administrator.
Data processors
IBFD makes use of various types of companies that process data on behalf of IBFD to help us with our daily operations. As stated above, IBFD has concluded or will conclude a GDPR-compliant data processing agreement with such companies.
Categories of data processors used by IBFD:
- Printing companies
- Distributors (for delivery of print content)
- Marketing agencies
- IT service providers
- Hosting companies
- Web analytics services
- Translation agencies
- Legal consultants
- HRM administration companies
- Debt collecting agencies
Third party licensees
IBFD has license agreements with several carefully selected third parties, allowing them to use or sell IBFD content in order to attain a wide spread of IBFD’s information and maximum exposure for its authors. Vice versa, IBFD has agreements in place with third parties that deliver content to IBFD for further use or distribution. These parties may need to obtain personal data from IBFD, or send personal data to IBFD, for example for the purpose of order fulfilment.
Categories of third parties licensed by IBFD:
- Publishing companies
- Academic institutions
- Online training developers
IBFD will not share your personal data with any third parties other than those we have license agreements with, without your prior consent.
Third countries and international organizations
As an international organization with offices in four countries and with a global network of clients (e.g. customers, third party licensees) and suppliers (e.g. authors, printers), IBFD may need to transfer your personal data to (international organizations operating in) countries outside the European Economic Area (EEA).
The countries in the EEA are covered by the GDPR: they all have to comply with the data protection principles set out in the Regulation, which guarantees the protection of your personal data when transferred between EEA countries. The European Commission (EC) has declared that the transfer of data to countries outside the EEA may only take place if the level of protection guaranteed by the GDPR is not undermined.
The EC has taken a number of ‘adequacy decisions’ for non-EU countries that the EC considers to have an adequate level of protection: a full list can be found here.
To enable the transfer of data to countries that have not (yet) been labeled ‘safe’, the European Commission has established a number of Standard Contractual Clauses that can be used in agreements with parties in these countries, in order to safeguard the protection of your personal data.
In cases where IBFD may need to transfer your personal data to (international organizations operating in) third countries, we will ensure that an agreement is in place that includes the relevant Standard Contractual Clauses and outlines precisely which data may be processed, how it may be processed and for which purpose, and which laws and regulations apply.
- 5. Cookies
Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. The overview below explains the cookies we use and why.
These are used to make our websites function well, for example to offer such functionality as Single Sign On and our shopping cart.
A cookie can be classified by its lifespan and the domain to which it belongs.
By lifespan, a cookie is either a session cookie, which is erased when the user closes the browser, or a persistent cookie, which remains on the user's computer/device for a pre-defined period of time.
IBFD does not use third-party cookies and will therefore not collect any data from sites other than IBFD’s own websites and platforms.
Please note that if you disable cookies in your browser, some of IBFD’s services may no longer be available to you.
- 6. Personal Data Retention
We do not store personal data for longer than is necessary for the purposes for which the personal data is processed. We have a regular review process in place to cleanse our databases of obsolete personal data.
Once we no longer need personal data for the purpose for which it was collected, we will delete it unless we are obligated by law to keep it. We may archive a minimum amount of personal data for historical, statistical or research purposes, for example to defend possible future legal claims or to comply with employment law or financial audits.
IBFD uses both session cookies and persistent cookies. Session cookies are stored for the duration of the user’s session on an IBFD website. Persistent cookies used for website statistics are stored for no more than two years; persistent cookies used for the IBFD web shop expire after one day.
Job application information is deleted 4 weeks after the application procedure is finalized, unless the applicant has given us permission to retain the information for future reference, in which case the information is stored for a maximum of one year.
We are obligated by law to store payroll records for a minimum of 7 years. This also applies for author payments into private accounts.
IBFD does not retain credit card information.
- 7. Personal Data Protection
Information security at IBFD is based on generally accepted ‘good practices’ in Information Security Risk Management. Information security refers to the ways and means to protect printed, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.
7.1. Data security
IBFD offers its services and processes personal data both on its premises and in data centres. All connections to such data centres are secured by encryption (VPN) and where possible restricted to parts of the organization via a Virtual Local Area Network (VLAN). All data centres IBFD uses are ISO certified (e.g. ISO 27001).
Within IBFD, all possible measures to protect information, both technical and organizational, are implemented:
- Multi-tier firewall protection (main firewall, ‘Intrusion Detection System’ in the network, firewalls on all servers) ensures an overall protection from external threats, as well as a limitation in potential damage;
- VLANs are used for logical and technical separation of access rights and risks;
- The wireless access to resources is separated from the main internal network;
- Virus scanners are used within the network and on all workstations and servers;
- Remote access to the offices can only be gained via VPN;
- Development, test and acceptance environments are fully separated from production environments;
- Where possible, data used in non-production environments is encrypted and pseudonymized, and additional security measures are implemented to prevent the risks of data loss or data breach in these environments.
Organizational measures include, but are not limited to, a security officer, security policies including a patch and password policy, separation of duties and access, monitoring and communication policies.
IBFD ensures that our security controls remain effective in protecting data and mitigating existing threats over time. Log files are checked on a daily basis, our processing operations and security tools are regularly monitored and we perform yearly audits and security tests.
An IT audit is performed each year by our accountants, whereby all IT processes (e.g. backups, restores, user management) are audited. In addition, a yearly security test (also known as a ‘penetration test’) is executed by external specialists.
7.3. Data breaches
IBFD has breach detection, investigation and reporting procedures in place.
The procedure in case of a data breach consists of the following steps, worked out in detail in the IBFD Data Breach Policy:
- Determine the likelihood of a high risk to the rights and freedoms of the data subjects;
- If relevant, notify without undue delay, but no later than 72 hours after becoming aware of the breach, the supervisory authority. IBFD has agreements in place with all Data Processors to ensure that this period can also be met when the breach occurs at a Data Processor’s location;
- Inform the affected data subjects;
- Take all necessary measures to limit any damage caused by the breach and prevent further damage or the breach from happening again.
The Data Breach Policy is published internally and IBFD staff is made aware of this policy. IBFD maintains an internal data breach register.
7.4. How we handle and protect sensitive data
In case IBFD does process sensitive data, this is done by qualified and trained staff only, and proper technical (role-based access) and organizational measures (e.g. segregation of duties) are implemented to secure such data.
IBFD staff is made fully aware of the importance of privacy. All department heads have been instructed to implement necessary measures within their departments. In addition, policies and statements regarding privacy are published on IBFD’s Intranet.
- 8. How to Access and Control Your Personal Data
The GDPR provides you, the data subject, with various rights to guarantee the fair and correct processing of personal data. In case you wish to exercise any of these rights, please get in touch with us (See Chapter 9. Contact Us). Your request will be assessed in light of the standards and recommendations outlined in the GDPR.
In case you disagree with the outcome or the way IBFD has handled your request, or with the way IBFD processes your personal data, you can lodge a complaint or request for arbitration with the supervisory authority in the Netherlands, the ‘Autoriteit Persoonsgegevens’.
8.1. Data subject rights pertaining to the personal data collected by IBFD
At all times, you have the right to:
- Request that IBFD allows you to inspect your personal data;
- Request that IBFD provides you with an electronic copy of your personal data;
- Request that IBFD rectifies your personal data (within 30 days);
- Request that IBFD erases your personal data (within 30 days).
8.2. Data subject rights pertaining to the processing of the personal data collected by IBFD
At all times, you have the right to:
- Request that IBFD provides you with information regarding the processing of your personal data;
- Request that IBFD applies a (temporary) restriction to the processing of your personal data;
- Request that IBFD does not base decisions solely on automated processing of your personal data, including profiling;
- Object to the processing of your personal data.
- 9. Contact Us
Inquiries concerning this Privacy Statement and IBFD’s data protection policy can be made to IBFD’s privacy officer:
Mr. Ties Jongsma
IBFD, IT department
1019 DW Amsterdam
Telephone: +31 (0) 20 5540 100