IBFD is the International Bureau of Fiscal Documentation (officially: Stichting Internationaal Belasting Documentatie Bureau; Stichting = Foundation), a Dutch legal entity with offices in the Netherlands, the United States of America, China and Malaysia. Responsibility for the processing and protection of your personal data lies with IBFD’s headquarters, at Rietlandpark 301, 1019 DW Amsterdam, The Netherlands, registered at the Chamber of Commerce of Amsterdam under number 41197411.
IBFD is committed to complying with all applicable data protection laws, including the General Data Protection Regulation (Regulation (EU) 2016/679) (the GDPR), the e-Privacy Directive (Directive (EU) 2002/58/EC) and any other applicable legislation. As required by the GDPR, IBFD maintains a comprehensive register of its data processing activities in electronic form. IBFD has assigned a Privacy Officer who deals with all matters related to data protection but is not a formal Data Protection Officer in the sense described in the GDPR (see Contact Us).
Personal data: Any information which can directly or indirectly identify an individual, such as names, (email) addresses, telephone numbers and IP addresses.
Data subject: The identifiable person to whom the personal data relates.
Data processing: Any operation that is performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data controller: The person or organization that decides why and how the collected personal data is processed and that is responsible for the protection of that data. Unless otherwise stated, IBFD is a data controller for the personal data that we collect for the provision of our services.
Data processor: An external person or organization that processes the personal data on behalf of the data controller.
Personal data we collect
The type of personal data that we collect depends on your relationship with us and the services we deliver to you. In the performance of our services, we may collect the following personal data from you:
- your personal contact details (such as your name, postal address, email address and telephone number);
- your professional contact details (such as your company, position, postal address, email address and telephone number);
- your device’s Internet Protocol (IP) address;
- your user IDs and passwords;
- your invoice and payment details, including your credit card number;
- your reported interests and preferences;
- your ordered products or services;
- information regarding the equipment you use, such as a unique device ID, the version of your operating system and the settings of the device you use to gain access to a product or service;
- information regarding the use of a product or service, such as the type of product or service you use and the specific time you use it;
- location details derived from your device or IP address, which may be automatically transferred when you use a product or service;
- information that is available via external sources, such as your social media profile;
- information that is transferred via external sources, for example when you access a product or service via another company’s website; and
We do not collect or process any personal data classified as “special categories” in the GDPR, such as race, political opinions or religious beliefs (see article 9 of the GDPR for a full list).
When we collect personal data
Your personal data may be collected in the following situations:
- when you take out a subscription to an IBFD product or service, either from IBFD or via a third party;
- when you purchase an IBFD product or service, either from IBFD or via a third party;
- when you use one of IBFD’s websites or online platforms (including social media), either directly or via a third party;
- when you create a personal account on one of IBFD’s websites or platforms;
- when you sign up for one or more of IBFD’s free services, such as newsletters or mailings;
- when you participate in a panel or survey conducted by IBFD or one of IBFD’s trusted partners;
- when you register for one of IBFD’s digital products or services, such as an online course or webinar;
- when you send documents, images and other content containing personal data to IBFD;
- when you sign in to IBFD’s Library and Information Centre;
- when you sign up for one or more of IBFD’s events;
- when you submit a piece of work or become an author for IBFD; and
- when you contact IBFD.
How we collect personal data
We may collect personal data through various channels:
- from you directly, for example when you purchase or subscribe to a product, create a My Account or sign up to a newsletter;
- from third parties, such as social media platforms and trusted partners.
Why we process personal data
We process your personal data for the purposes for which it has been collected. These include processing your personal data to provide you with the products and services outlined in your agreement(s) with us (Customer Relationship Management), to keep you up to date on the products and services of your interest (Marketing Communications), and to continuously improve our products and services and your experiences with them (Usage Analytics). In addition, we may use your personal data to fulfil legal obligations.
We also process personal data for certain carefully considered purposes (“legitimate interests”), which are in the interest of our business and our customers, as they enable us to fulfil our contractual obligations, enhance the services we provide and protect your privacy. The processing of data for these purposes occurs with the highest regard for your rights and interests. You have the right to object to these forms of processing; however, please note that this may affect your ability to fully enjoy the benefits of our products and services.
We process personal data based on one of the following bases for “lawful processing”:
You have consented to the processing by means of an affirmative statement or clear action, such as by ticking a checkbox in your My Account to receive a certain IBFD newsletter.
You can withdraw your consent at any time, either by unticking the aforementioned checkbox or by informing us via email. Please allow 30 days for your request to be processed. Note that we may not be able to comply with such a request in all cases, as we may still need to process your personal data based on one or multiple of the legal bases outlined below.
Processing is necessary for the performance of a contract or to take steps to enter into a contract.
Processing is necessary for compliance with a legal obligation to which IBFD may be subject, such as a court order.
Processing is necessary for one of IBFD’s or a trusted third party’s legitimate interest, except where such interests are overridden by your interests, rights or freedoms.
Legitimate interests for which IBFD processes personal data are:
- fraud detection and prevention;
- IT security measures to protect IBFD’s network and information systems, e.g., to prevent data breaches or leaks;
- intra-organization transfer of data, such as for the processing of orders and payments by IBFD’s headquarters that come in via other IBFD locations or third parties;
- employment relationship management, for operational, administrative, HR and recruitment purposes;
- corporate operations and due diligence, such as business intelligence, risk assessment, strategy planning and reporting;
- credit management, such as the transfer of data to a debt collection agency in case of non-payment;
- product development and enhancement, such as monitoring website usage and conducting analytics (e.g., pages and links clicked, time at page, navigation patterns, devices used, where users are coming from) to improve our products and services; and
- communications, marketing and intelligence, such as for personalized services and communications, direct marketing, targeted advertising, event planning and conducting profiling and business intelligence analytics to, e.g., create trend reports, analyse the effectiveness of a marketing campaign or determine the most effective channels and messages.
How we process and use personal data
Your personal data is stored in dedicated content management systems dependent on the purpose of the processing, such as for processing subscriptions, orders and payments, providing customer and author support, and workflow processing for our publications.
We process only the minimum amount of personal data necessary. This helps us ensure that the data is accurate and up to date and limits the amount of data accessible to an unauthorized party in the event of a data breach. We may combine data we collect to enhance or personalize your user experience, for example based on a course you followed or a previous purchase.
At IBFD, we do not use “automated decision-making”: we may use profiling – i.e., gathering data about an individual, or group of individuals, and evaluating their characteristics and behaviour patterns to analyse or make predictions about their interests or behaviour, for example, to improve or personalize our offering – but we do not base decisions or actions solely on this automatically generated information.
Financial information is processed solely for payment processing, debt collection, fraud prevention and financial audits.
Why we share personal data
We have agreements with trusted third parties that may receive your personal data, if they need this to carry out essential business functions on behalf of IBFD. Recipients of your personal data can be other data controllers, data processors, third-party licensees, third countries and international organizations.
As a data controller, IBFD is responsible for the personal data we collect from you and only works with parties that are GDPR compliant. We have detailed data processing agreements in place with all parties that process personal data on our behalf, which outline that any personal data obtained from IBFD is to be kept confidential and that personal data may only be processed at the direct and precise instruction of IBFD and solely for the purpose defined by IBFD. In case such an agreement is terminated, any personal data in the possession of the third party is either returned to IBFD or deleted.
Who we share personal data with
Other data controllers
IBFD has concluded content licences with other organizations, whom we provide with our published material (i.e. our clients). These organizations provide us with the personal data of their users (email or IP addresses) that we require to fulfil our obligations, and we provide IBFD content to these end users. This content includes personal data of IBFD authors and editors (such as names and professional affiliations).
In its relationship with these organizations, IBFD and the organization are separate controllers, and as such must both comply with the obligations for data controllers under the GDPR.
Note to the end user:
If you use an email or IP address provided by an organization you are affiliated with, e.g. your employer, to access IBFD products and services, that organization may access and process your personal data. IBFD may report to your organization on your usage of our products and services. Please direct your privacy inquiries to your organization’s administrator.
IBFD makes use of various types of companies that process data on behalf of IBFD to help us with our daily operations. Prior to transferring any personal data to a third-party data processor, IBFD will conclude a GDPR-compliant data processing agreement with the company.
Categories of data processors used by IBFD:
- printing companies;
- distributors (for delivery of print content);
- marketing agencies;
- IT service providers;
- hosting companies;
- web analytics services;
- translation agencies;
- legal consultants;
- HRM administration companies; and
- debt collecting agencies.
IBFD has licence agreements with several carefully selected third parties, allowing them to use or sell IBFD content in order to achieve wide distribution of IBFD’s information and maximum exposure for its authors. Conversely, IBFD has agreements in place with third parties that deliver content to IBFD for further use or distribution. These parties may need to obtain personal data from IBFD, or send personal data to IBFD, for example for the purpose of order fulfilment.
Categories of third parties licensed by IBFD:
- publishing companies;
- academic institutions; and
- online training developers.
IBFD will not share your personal data with any third parties other than those we have licence agreements with, without your prior consent.
Third countries and international organizations
As an international organization with offices in four countries and with a global network of clients and suppliers, IBFD may need to transfer your personal data to (international organizations operating in) countries outside the European Economic Area (EEA).
The countries in the EEA are covered by the GDPR: they must comply with the data protection principles set out in the Regulation, which guarantees the protection of your personal data when transferred between EEA countries. The European Commission (EC) has declared that the transfer of data to countries outside the EEA may only take place if the level of protection guaranteed by the GDPR is not undermined.
The EC has identified a number of non-EU countries that are considered to have an adequate level of data protection: a full list can be found here.
To enable the transfer of data to countries that have not (yet) been labelled “safe”, the EC has established a number of Standard Contractual Clauses that can be used in agreements with parties in these countries, in order to safeguard the protection of your personal data.
In cases where IBFD may need to transfer your personal data to (international organizations operating in) third countries, we will ensure that an agreement is in place that includes the relevant Standard Contractual Clauses and outlines precisely which data may be processed, how it may be processed and for which purpose, and which laws and regulations apply.
Once we no longer need your personal data for the purpose for which it was collected, we delete it, provided that we are not prevented from doing so by a legal obligation. We may archive a minimum amount of personal data for historical, research or legal purposes, for example to analyse patterns in purchasing and improve existing products, and to defend possible future legal claims or to comply with financial audits.
Job application information is deleted 4 weeks after the application procedure is finalized, unless the applicant has given us permission to retain the information for future reference, in which case the information is stored for a maximum of 1 year.
We are obligated by law to store payroll records for a minimum of 7 years. This also applies to author payments into private accounts. IBFD does not retain credit card information.
Information security at IBFD is based on generally accepted “good practices” in information security risk management. Information security refers to the ways and means utilized to protect printed, electronic or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification or disruption.
IBFD offers its services and processes personal data both on its premises and in data centres. All connections to such data centres are secured by encryption (virtual private network (VPN)) and, where possible, restricted to parts of the organization via a virtual local area network (VLAN). All data centres used by IBFD are ISO certified (e.g. ISO 27001).
Within IBFD, all possible measures to protect information, both technical and organizational, are implemented:
- multi-tier firewall protection (main firewall, “Intrusion Detection System” in the network, firewalls on all servers) ensures overall protection from external threats, as well as a limitation in potential damage;
- VLANs are used for logical and technical separation of access rights and risks;
- wireless access to resources is separated from the main internal network;
- virus scanners are used within the network and on all workstations and servers;
- remote access to the offices can only be gained via VPN;
- development, test and acceptance environments are fully separated from production environments; and
- where possible, data used in non-production environments is encrypted and pseudonymized, and additional security measures are implemented to prevent the risk of data loss or data breach in these environments.
Organizational measures include, but are not limited to, a security officer, security policies including a patch and password policy, separation of duties and access, monitoring and communication policies.
IBFD ensures that our security controls remain effective in protecting data and mitigating existing threats over time. Log files are checked on a daily basis, our processing operations and security tools are regularly monitored, and we perform yearly audits and security tests.
An IT audit is performed each year by our accountants, whereby all IT processes (including backups, restores and user management) are audited. In addition, a yearly security test (also known as a “penetration test”) is executed by external specialists.
IBFD has breach detection, investigation and reporting procedures in place.
The procedure in the event of a data breach consists of the following steps:
- determine the likelihood of a high risk to the rights and freedoms of the data subjects;
- if relevant, notify the supervisory authority without undue delay, and no later than 72 hours after becoming aware of the breach. IBFD has agreements in place with all data processors to ensure that this period can also be met when the breach occurs at a data processor’s location;
- inform the affected data subjects; and
- take all necessary measures to limit any damage caused by the breach and prevent further damage, or to prevent the breach from happening again.
This procedure is published internally, and IBFD staff is made aware of this procedure. IBFD maintains an internal data breach register.
How we handle sensitive information
Where IBFD processes sensitive information, such as financial information, this is done by qualified and trained staff only, and proper technical (role-based access) and organizational measures (e.g. segregation of duties) are implemented to secure such information.
The GDPR provides you, the data subject, with various rights to guarantee the fair and correct processing of personal data. In case you wish to exercise any of these rights, please get in touch with us (see Contact Us). Your request will be assessed in light of the standards and recommendations outlined in the GDPR.
If you disagree with the outcome or the way IBFD has handled your request, or with the way IBFD processes your personal data, you can lodge a complaint or request for arbitration with the supervisory authority in the Netherlands, the Autoriteit Persoonsgegevens.
Data subject rights pertaining to the personal data collected by IBFD
At all times, you have the right to:
- request that IBFD allows you to inspect your personal data;
- request that IBFD provides you with an electronic copy of your personal data;
- request that IBFD rectifies your personal data (within 30 days); and
- request that IBFD erases your personal data (within 30 days).
Data subject rights pertaining to the processing of the personal data collected by IBFD
At all times, you have the right to:
- request that IBFD provides you with information regarding the processing of your personal data;
- request that IBFD applies a (temporary) restriction to the processing of your personal data;
- request that IBFD does not base decisions solely on automated processing of your personal data, including profiling; and
- object to the processing of your personal data.
Inquiries concerning this Privacy Statement and IBFD’s data protection policy can be made to IBFD’s Privacy Officer:
Ms Paula Gabriel
1019 DW Amsterdam
Telephone: +31-20-554 0100