Privacy statement of HeadFirst Group – Version 12-03-2024

About us
HFBG Holding B.V.(HeadFirst Group, we, our, us) connects self-employed professionals, suppliers of professionals and clients. Self-employed professionals and suppliers offer their expertise through the platform (hereafter: the “Platform“), of HeadFirst Group, with the starting point: the right person at the right time in the right place for the right period. Everything from insurance, contracts to administrative handling is provided through the Platform. The Platform is an online marketplace for temporary capacity. It allows third parties (hereafter: “Clients“) and suppliers/self-employed people to find each other, with the contracting going through HeadFirst Group. Subsequently, administrative actions can be completed quickly and conveniently within the Platform.

Our relationship with you
Your privacy is important to us. This statement explains what personal data HeadFirst Group processes, how HeadFirst Group processes it and for what purposes. Please read this privacy statement and our Platform Terms of Use (found on the Platform) carefully, as they are both integral to our relationship with you.

We process your personal data when you use our services (intermediary services and/or additional services), when you visit one of our websites and when you contact us. For example, through our websites you can contact us by e-mail, request information or chat with us. Prior to using intermediary services, we may process personal data when you or your employer enters it into our systems. This data can be used to bid for jobs.

  1. Who are the data controllers

The controller determines the purpose and means of data processing. Pursuant to the General Data Protection Regulation (AVG), most of the obligations lie with the controller and they are also the first point of contact for you as a data subject. Below is a breakdown. In almost every case, HeadFirst Group qualifies as an independent data controller, with the exception of the situation where your employer has entered your data into our system and you were never subsequently placed on an assignment through HeadFirst Group.

Three variants are conceivable:

  • Are you self-employed? Then you have to deal with two controllers of your data (the Client and HeadFirst Group).
  • Are you employed by a supplier of a Client? Then you have to deal with three data controllers (your employer, HeadFirst Group and the Principal).
  • Do you use premium and/or excellent services? Then the insurer from whom you receive the certificate is independently responsible for the processing of its services.

v the Principal as the data controller

Do you have a privacy-related question and/or request to the Principal? If so, you can contact the Principal directly for that purpose. You can do so by contacting them using the contact information found in the Principal’s privacy statement.

v The employer as data controller

Do you have a request to your employer? Then you can contact your employer directly. You can do this by using the contact information you can find in the privacy statement of your employer. Have you not yet completed an assignment through HeadFirst Group, no offer has been made and no start has been made with that? Then your employer can remove your data in the Platform through his or her account.

v THE INSURER as processing controller

Do you have a question and/or request to the insurer? Upon contracting, you or your employer have been informed where to find the insurer’s privacy statement. Do you have a question and/or request to the insurer? Then you can contact the insurer directly for that. You can do that by contacting them using the contact information in your insurer’s privacy statement.

v HeadFirst group as (Joint) controller

In the context of HeadFirst Group’s services.
We process personal data when services are used (both intermediary services and any additional services). HeadFirst Group provides services from multiple entities, each 100% part of the same concern (HFBG Holding B.V.). HeadFirst Group has joint processing responsibility. To ensure that it is clear to whom you can turn with questions and complaints, we have designated a primary controller. That is HeadFirst B.V., located at Taurusavenue 18, 2132 LS in Hoofddorp. You can reach us by phone at 023 – 568 56 30, by email at support@headfirst.nl. Other entities that are part of HeadFirst Group and which may process your personal data – via the Platform – as data controllers include but are not limited to (subsidiaries and sister companies of): Associates B.V., Between Staffing B.V., Designated Professionals B.V., Fast Flex B.V., Fast Flex Sourcing B.V., HeadFirst Germany GmbH, HeadFirst IT B.V., HeadFirst Poland sp. z o.o., Jenrick Nederland B.V., Jenrick Payroll Services B.V., Myler B.V., Oyster Coast B.V., Open Technologies B.V., Proud ICT B.V., Proud Payroll B.V., Source Automation B.V., Source Automation BV. (Belgium), Source Automation Luxemburg SA, Source Payroll Services B.V., Sterksen B.V., StarApple B.V. and Yellow Friday B.V. Each of these entities, in addition to being part of this group, is also contractually bound to handle data responsibly, entirely in line with this privacy statement. By registering on the Platform, your profile can be found by each of these entities for potential assignments.

In connection with other activities, including customer contact, direct marketing and website visits
We also collect personal data for our own purposes (including customer contact, direct marketing, website visits, which are explained under purposes) in addition to personal data for intermediary services. Because we determine the purpose and means, we qualify as an independent data controller.

Employees of the Principal
We also process data of the Client’s contact persons. With respect to this data, HeadFirst Group qualifies as a data controller.

  1. Contact Center

If you have any questions or requests regarding what happens to your personal data on the Platform, please contact HeadFirst Group. Unsure about which party qualifies as a data controller or where to go with your question about data processing by or through HeadFirst Group? For your privacy questions you can reach us by phone at 023-5685630 or by email at privacy@headfirst.nl. We are happy to help you find a solution. Should that still not succeed, you can turn to the Personal Data Authority (https://autoriteitpersoonsgegevens.nl/nl/zelf-doen/gebruik-uw-privacyrechten/klacht-melden-bij-de-ap).

  1. What type of personal data are processed? For what purpose and on what basis?

We process different types of personal data about you, for example, because you have created a profile on the Platform and uploaded a CV. When you use the Platform, different categories of personal data are collected in the process. Which data is collected is primarily determined by law and also depends on the additional service chosen and the Client’s requirements for flexible staff.

We process personal data only when there is (or are) one (or more) basis(s) for doing so:

(1) Execution of the contract.
As an intermediary, we are the contractual intermediary in the hiring of flexible staff. We conclude and manage agreements with professionals, suppliers and clients on the basis of which we process personal data. In addition to the personal data from the agreements themselves, this also covers the personal data required by the contracts. Thus, it is also conceivable that we request personal data from you prior to the conclusion of an agreement so that we can establish it. Subsequently, it is also possible that surveys are sent out in order to be able to improve our services and/or (gain) insights into (the circumstances of the execution of) contracts with Clients.

(2) Consent.
We may ask you for your consent prior to data processing in certain cases. For example, we will ask you for your consent before we send you certain news items. Once you have given your consent, you may withdraw your consent at any time, after which we will not process your personal data for the purposes for which the consent was given. You can revoke your consent by clicking the unsubscribe button at the bottom of the relevant news item.

(3) Legal obligation.
As an intermediary we are obliged to process certain personal data. Examples are obligations under the Wet allocatie arbeidskrachten door een intermediair (Waadi), the Wet arbeid vreemdelingen (Wav) or tax obligations. A legal obligation may also mean that we are obliged to share certain personal data with Clients, supervisors or other third parties for processing. When we are obliged to do so, we share this data with the relevant party.

(4) Legitimate interest.
We may process personal data because we have a legitimate interest in doing so, or because the organization to which we provide your personal data has a legitimate interest. This is for example the case when we want to prevent tax liabilities or minimize the risk thereof, or when we want to detect and prevent fraud, but also when we want to promote new products/services related to the current services provided by HeadFirst Group. We also have a legitimate interest to further process personal data of professionals listed in the Platform in order to carry out our services and to deploy the professional on an assignment. We also have a legitimate interest in aggregating and anonymizing personal data to conduct market analysis so that we can improve our services. Another conceivable legitimate interest is the processing of personal data through artificial intelligence (within HeadFirst Group’s environment) by, for example but not limited to, transcribing interviews, performing cross-checks on certain information and giving advice based on the available information. Final decisions are all made through human intervention. This is all for the purpose of improving our service to the professional and Suppliers. We always strike a balance between our interests and those of the parties involved. If you would like to receive more information about this, please contact us using the contact details under ‘Contact Center’ in this privacy statement.

  1. Visitors to our websites and/or readers of our mailings.

We use several websites (collectively, the Websites). When you visit our Websites, you may provide us with personal data, for example, because you send us an e-mail with a question or request, or because you use a chat function or a contact form on our Websites. We may process your name, e-mail address or other contact information in this context. In addition, we process other personal data insofar as you provide these with your question or request or in the chat conversation. We collect this personal data because, when applicable, we need to perform the agreement we have with you. If an agreement has not yet been concluded (and the question concerns, for example, how registration with the Platform works), these data are processed on the basis of the legitimate interest that the question can be answered adequately.

We offer you the opportunity to sign up for our newsletters and other direct marketing messages coming from us and/or other entities within our group. We may also, with your consent, send you communications about initiatives by partners with whom we work. You can easily unsubscribe from the messages we send you at any time by using the unsubscribe link in the emails or by adjusting your preferences in the area of your profile. We use common tracking techniques that provide insight into the reach and effectiveness of our direct marketing messages. If you open a newsletter or commercial e-mail from us, we can track when you opened it and which parts you clicked on. We process your e-mail address, IP address, time of receipt, time of opening and click behavior. The first purpose is to inform you about services of HeadFirst Group and its partners and relevant developments in the market. The second purpose is to conduct marketing and promotional activities of our services and measure their effectiveness. In this way we can improve our services and tailor our information and communication to relevant target groups. Newsletters and other direct marketing messages are sent pursuant to “consent,” which can be revoked at any time (by going to the profile on the Platform and “unchecking” consent there or by clicking the “unsubscribe” button at the bottom of the email). In addition, data collected is analyzed and processed on the basis of legitimate interest in order to measure the effectiveness of marketing and promotional activities.

  1. Personal data generated by our Websites.

We use cookies and similar techniques on our Websites and within the environment of our apps. When you visit the Websites, certain data are processed and generated, such as your IP address, data about your browser, data about browsing behavior, date and time of your visit and the way you navigate through our websites. Consent is requested for preference cookies, analytical cookies and marketing cookies. Because we want to guarantee your privacy and improve the usability of the Platform, we think it is important that you know how and why we use cookies. We encourage you to consult the cookie statements on our Websites. The data are partly based on ‘consent’, partly on ‘legitimate interest’ to operate the Website and the Platform.

  1. Users of the platform

When you register or are registered on the Platform, personal data is collected from you, divided into stages for the purpose of data minimization. Here a distinction is made between independent professionals and employees of suppliers.

v Independent professionals and (professionals from) suppliers using the platform

Phase 1: Register as a self-employed professional
When you register as an independent professional on the Platform, we ask you to provide the following personal data: first and last name, gender, address and postal code, e-mail address, country of origin and nationality, (mobile) phone number, date of birth, the name of your company, Chamber of Commerce number and password. We also offer you the opportunity to upload a photo to your account. In addition, you can indicate whether you want to use our additional services.

The purpose of this registration is to execute the Terms of Use of the Platform. The basis is the performance of the agreement and the legitimate interest of both parties (i.e. visibility into the online marketplace for you and an up-to-date database for HeadFirst Group). In addition, HeadFirst Group can verify that the account is set up correctly.

Phase 1: Register as a supplier.
If you are a supplier contact person, we may process the following personal data from you: your first and last name, gender (signatory), signatory name, signatory position, e-mail address, (mobile) phone number, password, profile number, data about the creation of your supplier account and its status and data about contact you have had with us. The purpose of recording this is to record with whom what contact is maintained (legitimate interest) and to be able to contract quickly and correctly when a contract is awarded to a professional employed by the supplier (performance of the contract).

Phase 2: Completing your self-employed profile.
Once you have registered, we ask you to complete your profile and to provide information that will enable us to introduce you to Clients or to respond to assignments. In addition to the personal data you provided when you registered, we process information about your account such as your profile number. Furthermore, you can supplement your profile with information about your professional background, CV (including all information contained therein such as social media channels, educational level and whether you have previously carried out assignments or worked for this Client) and assessment results. We additionally process data about your company, such as name and business address. You can also upload an accountant’s statement/statement of compliance and add information about your taxes. For invoicing purposes we ask for your bank details and your VAT number. To the extent permitted or required by law, we may ask you for your BSN (depending on the chosen service, for example when you also take out disability insurance through HeadFirst Group). When you use our additional services (Premium or Excellent) we ask the data that the insurer will request us to provide for the conclusion of a professional and corporate liability insurance. Only when we are legally obliged to do so (i.e. in the run-up to an assignment) will we verify your identity on the basis of a valid identity document. We may also engage an external service provider to verify your identity on our behalf. This is done digitally. The service provider processes the personal data on your proof of identity, a photo of you and your e-mail address. We obtain the result of the check and the date the check was performed. If you do not want your proof of identity to be checked digitally, you can choose to come to our office for the identity check. We will note when the check took place and information about the identity document checked such as the type of document, country of issue, number and period of validity. If you are a national of a country outside the European Economic Area (EEA) or Switzerland or if you are a Croatian national, we may ask you for a work permit. In this case, we may store a copy of your passport and a copy of the relevant permit.

Within the environment of your profile, we process information about your assignments and agreements we have made with you in this regard. We may use unique identifiers, such as an assignment number, for this purpose. The basis is the execution of the agreement (if an assignment is awarded to you) and the legitimate interest of both parties (i.e. the ability for you to quickly apply for a portion of the assignments and an up-to-date file for HeadFirst Group. After all, HeadFirst Group will need to check data such as identity only once in case of successive assignments).

Its goals are:

  1. Being able to quickly compare available professionals so that the right person gets to the right place (legitimate interest);
  2. To be able to provide the right match between the Client’s assignment and the professional best suited to it (legitimate interest);
  3. Being able to quickly present and make professionals available to Clients (legitimate interest);
  4. Closing an agreement with the correct data (data quality) when an assignment arises, both towards you and the ultimate client.

If an assignment has not yet been awarded and has not been fulfilled in the past, these data are editable on the Platform. Once awarded, this data can be modified and reused (to the extent still current) for future assignments (except for the verified identifying data).

Phase 2: Providing Profile as a Supplier.
As a supplier, you can register an employee as a professional (and as an employee of a supplier, you can be registered) on the Platform and offer (or be offered) assignments to Clients through the Platform. The personal data of the completed profiles of professionals (or you) will also be processed in accordance with this privacy statement. The professional (or you) will receive a separate email pointing out this privacy statement. With respect to the professional, the following applies. When the supplier registers you as a professional on the Platform, we ask the supplier to fill in the following personal data (required): first and last name, gender, address and postal code, e-mail address, country of origin and nationality, (mobile) phone number, date of birth. With regard to the profile, the following three retention options can be chosen: Profile for mediation by HeadFirst Group; Delete/anonymize after 60 days; Delete/anonymize after 1 year. We also offer the supplier the opportunity to upload a CV (including educational level, social media channels, whether you have previously performed or worked for this Client and other data) and upload a photo. We will process your personal data to facilitate your application by the Supplier and to include you in the Platform’s database. In the first place, we have a legal obligation (art. 7c paragraph 2 of the Law on allocation of labor forces by intermediaries) to identify you. We may also process your BSN. By law, this must be done prior to the nomination for mediation. It is of course possible that you have been registered in the Platform by your employer without being successfully offered assignments. In that case, it is up to your employer to remove the profile, for example when you leave the company or a long-term assignment elsewhere. You can contact your employer for this. If you have since left your employment or are dealing with an unusual situation, please feel free to contact us using the contact details provided under the heading Contact Center. We also have a legitimate interest in ensuring that the supplier working with us can fulfill its agreements with you and that you can be deployed on the desired assignment. We always weigh our interests against the privacy interests of you as a data subject. If you would like more information about this balancing of interests, please contact us via the contact details provided under ‘Contact Center’ in this privacy statement. We also have a legitimate interest in processing your personal data, which lies in being able to perform our usual services, to fulfill the agreements and orders of suppliers and clients and to comply with (quality) standards applicable in the market.

Its goals are:

  1. Being able to quickly compare available professionals so that the right person gets to the right place (legitimate interest);
  2. To be able to provide the right match between the Client’s assignment and the professional best suited to it (legitimate interest);
  3. Being able to quickly present and make professionals available to Clients (legitimate interest);
  4. Closing an agreement with the correct data (data quality) when an assignment arises, both toward the supplier and toward the ultimate client.

Stage 3: Upon award of a contract.

When a contract is awarded, the data is checked again by our contract management department. The Platform contains a digital vault. The digital safe stores data that must be supplied when a contract is awarded. The advantage of the digital safe is that this data remains in the safe, so it does not have to be up-loaded again for a new order. We can process personal data contained in the documents you have uploaded, such as your audit report, VOG application and statement, pre-employment screening, codes of conduct, confidentiality and reliability statements, accreditations and diplomas. The languages you speak can also be stored. Your digital safe also stores the outcome of the identity check and the copy of your passport or identity card and your work permit, if we are required to record them. We may also store the document number of your passport or identity card. The legal regulation invoked is the Uitvoeringsregeling verplicht gebruik BSN, article 1 sub b.

Its goals are:

  1. Establishing a clear agreement with the correct data (data quality) when a contract is awarded, both towards the supplier and/or independent contractor and towards the ultimate Client.
  2. Performing contract management, financial processing and cost and expense calculations by HeadFirst Group.
  3. Capturing and providing services by HeadFirst Group to professionals, Clients and suppliers (e.g. Premium or Excellent services).
  4. Supporting professionals, Clients and suppliers in meeting administrative obligations, such as the delivery of agreed documents (for example, a required Statement of Payment History compliance with tax obligations or an auditor’s report) and the conclusion of the agreements.
  5. Maintaining contact, answering questions and requests.
  6. Offering additional services and improving services. We may process personal data related to assignments on which you have been deployed in order to analyze and understand the market for independent professionals in order to better align our services with demand (Clients) and supply (independent professionals).
  7. Complying with laws and regulations, detecting, preventing and combating fraud and illegal activities.
  8. Handling claims and complaints.
  9. Complying with legal judgments and orders and responding to government requests.
  10. Complying with tax obligations imposed on us or our suppliers/clients and limiting (chain) liability.
  11. Ensure compliance with our terms of use and agreements.
  12. Protecting our operations, our rights, security and property.

v Clients using the platform


When Principals, who want to place (or have placed) assignments on the Platform, register (or have registered) on the Platform, personal data of the employees of Principals (in case of approvals/additional agreements. If you are a contact person of a Client, we may process the following personal data of you: your email address, your (mobile) phone number, password (in case of an account on the Platform), profile number and data about the contact you have had with us. In doing so, HeadFirst Group has a legitimate interest (being able to carefully record required information). In addition, these data serve the performance of the contract. HeadFirst Group also has an accountability towards its own accountant and tax authorities in the sense of the administration obligation in Article 2:10 of the Dutch Civil Code.

Would you like to make a request regarding your data? If so, please feel free to contact us using the contact information under item 2. Contact Center.

v As part of a pre-employment screening process

For some assignments we perform a pre-employment screening. We do this because the client asks us to, for example when this is required by law (think of the Financial Supervision Act, Wft) or because it arises from the nature of the assignment. Where necessary, we will inform you that the assignment for which you (or the employee of a supplier) are eligible will include screening as part of the selection procedure and explain how we or a third party engaged by us will conduct the screening.

If a Client indicates that screening is desired or required, we always verify the nature of the assignment, the manner in which the screening is to be conducted, and the legitimate interests of the Client. We balance the interests of the client against your privacy interests. Only when your privacy interests do not interfere with this will we proceed to conduct a screening.

When we conduct a screening, we process data about your suitability, reliability and integrity that are relevant to the performance of the assignment. The severity of the screening depends on the assignment, the requirements of the Principal and the requirements and obligations of the law, even if those requirements and obligations rest with the Principal. In any case, we may check the data entered by you or by the supplier as part of the screening. In addition, depending on the nature of the screening, we may process information from references, former employers/clients, antecedents, data on previous performance, suspension or dismissal, a certificate of good conduct (VOG) or a declaration of no objection (VGB) and a list of ancillary positions.

Depending on the nature of the screening, we will provide personal information about you to the Principal. We may ask you to complete a screening form provided by the Client. The information entered on the form will be processed only for the purpose of the deployment with the Client listed on the form and will be shared with that Client, unless otherwise agreed. It is also conceivable that we conduct a screening where we only pass on whether you have completed the screening with a positive result. In that case, we do not share any further data with the Principal. It depends on the assignment what we share. If you have any questions about this, please contact the contact person associated with the assignment.

  1. Why are your personal data being processed (Purposes)?

In addition to the above purposes, personal data may be processed for the following purposes, as applicable:

Administration

  • HeadFirst Group has an accountability and administration obligation towards its own accountant and the tax authorities within the meaning of Article 2:10 of the Dutch Civil Code. This includes the performance and administration of agreements to be made and concluded, all agreements and all payment actions following agreements concluded (legal obligation). All documents relating to an agreement also form part of the mandatory administration.
  • HeadFirst Group is required under art. 7c Waadi to identify a (prospective) worker (legal obligation).

Services

  • The (core) service of HeadFirst Group (finding, presenting and contracting the right matches for Clients and vice versa) starts with facilitating the Platform and making the online marketplace connected to it accessible. In doing so, HeadFirst Group facilitates that the self-employed person or supplier can create a profile. With that profile, the self-employed person can immediately access (part of) the marketplace. The supplier can also immediately (partly) enter the marketplace with that profile and can upload a profile based on what he can find there. The purpose of processing this personal data is that HeadFirst Group can offer its services and that the self-employed person/supplier/client can use them (legitimate interest).
  • To quickly compare, present and make available the right matches on a Client assignment (legitimate interest).
  • Being able to provide account management and handling of questions, requests, claims and complaints from the professionals, Clients and suppliers (legitimate interest and, as applicable, performance of the agreement).
  • For HeadFirst Group, data quality is important (both for its Clients and correct contracting), so part of the service is checking the account. Especially when a concrete offer is made, HeadFirst Group performs a check on completeness. The purpose is to conclude a contract with the correct data (data quality) when an assignment occurs. The performance and administration of all actions, agreements and arrangements related to the contracting is part of this (legitimate interest).
  • Performance of contract management, financial processing and calculation of costs and expenses by HeadFirst Group (contract performance).
  • Capturing and providing services by HeadFirst Group to professionals, Clients and suppliers (e.g. Premium or Excellent services) (execution of the agreement).
  • Supporting professionals, Clients and suppliers in meeting administrative obligations, such as the delivery of agreed documents (for example, a required Statement of Payment History compliance with tax obligations or an auditor’s report) and the conclusion of agreements (execution of an agreement)
  • Offering additional services and improving services. We may process personal data related to assignments on which you have been deployed in order to analyze and gain insight into the market for independent professionals in order to better align our services with demand (Clients) and supply (independent professionals) (legitimate interest and performance of an agreement, if concluded).
  • Ensure compliance with our Terms of Use and agreements (performance of an agreement and legitimate interest).
  • Protecting our operations, our rights, security and property (legitimate interest).
  • To fulfill the obligations to the Client, for example, by conducting a pre-employment screening (performance of the contract).

Marketing

  • Inform about services provided by HeadFirst Group and its partners and relevant developments in the market (consent).
  • Marketing and promotion of our services and measuring their effectiveness (newsletters) (consent and legitimate interest).
  • Collection of ratings through Ratecard.io (privacy statement available through ratecard.io).

Compliance and security

  • Complying with laws and regulations, detecting, preventing, recording and combating fraud and illegal activities (legal obligation and legitimate interest)
  • Complying with legal judgments and orders and responding to government requests (legitimate interest).
  • Compliance with tax obligations incumbent on us or our suppliers/clients and limiting (chain) liability (legitimate interest and a legal obligation, to be found in the Implementing Regulation Mandatory Use of BSN, article 1 sub b).
  • Internal monitoring and security. To prevent, detect and investigate possible breaches of our security (legitimate interest).
  1. What makes processing operations lawful under the law?

Some of our processing operations are based on the basis that we are required to process your data by law. In addition, we actively (for example, by minimizing data collection on the Platform to what is necessary in stages) limit the amount of data. We have taken appropriate technical and organizational security measures to protect the personal data we process from unwanted alteration, loss or unauthorized use. For example, we secure our systems and applications in accordance with applicable information security standards (ISO27001). We have also made agreements with our service providers and required them to implement adequate security measures.

  1. Do we process data outside the EEA?

No, we process your personal data in principle within the European Economic Area (EEA). We use servers located in Europe and our group companies are located within the EEA. Because we may use processors that have their principal place of business outside the EEA, it cannot be excluded that we directly or indirectly share personal data with organizations outside the EEA. To the extent this is the case, we take appropriate measures to legitimize such processing, including entering into a transfer agreement based on standard contractual clauses (SCCs) approved by the European Commission. If required, we thereby take additional measures to ensure an adequate level of protection. If you would like to know more about the transfer of personal data and how this is legitimized, please contact us using the contact details in this privacy statement.

  1. How long do we keep your personal data?

The data on the Platform.
As long as the self-employed person or supplier has a contractual relationship with HeadFirst Group, including using the Platform, HeadFirst Group will keep the personal data. After this relationship has ended (i.e. the supplier or self-employed person has unsubscribed and deleted the profile), HeadFirst Group may retain the personal data for up to 7 years unless longer retention is required, for example, for tax obligations or civil claims. The self-employed person and/or supplier themselves can delete their profile and a profile of an employee of the supplier at any time via the Platform. The profile cannot be removed (completely) if there are only agreements with an age of between zero and seven years and/or there are ongoing and/or future agreements or bids.

HeadFirst Group further applies the following rules of thumb:

  • We retain business agreements and correspondence about them for a period of seven years after the end of the contractual relationship, unless they are subject to ongoing disputes or litigation.
  • We retain personal data with respect to the verification of your identity for seven years after the end of our business relationship.
  • We retain subscription data for newsletters until you have unsubscribed from them, with a maximum of two years after the end of our business relationship.
  • We will always consider whether the (longer) processing of the personal data is necessary. If it is not, the personal data in question will be deleted.
  • We retain complaints, correspondence regarding disputes and incident reports for seven years after they have been fully resolved. We retain documents with respect to payroll and payroll records for seven years.

For cookie retention periods, please refer to our Cookie Statements on the Websites.

  1. What rights do you have?

Under privacy laws, you have a number of rights regarding your personal data and its processing. You can exercise your rights by contacting us using the contact details provided in this privacy statement under ‘Who are the controllers’. We will assess your request and comply with it within one month. If we need more time to comply with your request, we will let you know within one month that we will need another two months. We may ask you additional questions in response to your request in order to establish your identity or to ask you to specify your request.

Right of access
You have the right to hear from us whether we are processing your personal data. If so, you have the right to access that personal data and to receive additional information about the processing of your personal data. If you are a supplier or independent professional, you can access your personal data in a simple and clear manner by logging into the Platform. If you would like a more complete overview, or more information on data processing, you can send us a request for inspection.

Right of rectification
You have the right to rectification of inaccurate or incomplete personal data. You can also supplement your personal data. If you have access to the Platform as an independent professional, you can supplement or change your personal data here. Do you not have access to the Platform? Please contact the party that entered your data. Does that not provide a solution? Then contact the details under no. 2 of this privacy statement.

Right to be forgotten
You have the right to data erasure under certain circumstances. At your request, we will delete your personal data when its processing is no longer necessary. If you have access to the Platform as an (independent) professional, you can delete personal data herein.

Right to restriction
In some cases, you have the right to restrict the processing of your personal data, for example, if you believe that your personal data is inaccurate. If we honor your request for restriction, we may no longer process your personal data for the duration of the restriction.

Right to data portability
You have the right to receive the personal data you have provided to us in a structured, common and machine-readable form, and you have the right to transfer that data to another data controller, where the processing is based on your consent or on an agreement.

Right of Objection
You have the right to object to the processing of personal data based on the legitimate interests of HeadFirst Group. HeadFirst Group will then no longer process the personal data unless we can demonstrate that there are grounds for the processing which outweigh your interests, rights and freedoms or which are related to the establishment, exercise or support of a legal claim.