Privacy statement

Processing of Your Data
By using various forms on the Colourful jobs website, you Colourful jobs us with certain information. This may include personal data, such as your name and email address. We store and use only the personal data that you provide directly or that is clearly intended to be provided to us for processing when submitted. By entering your data, you thereby give us permission to process and use this data within the framework of the GDPR. If you fill out a form or send us an email or letter, the data you send us will be retained for as long as necessary, depending on the nature of the form or the content of your email or letter, to fully respond to and process it, with a maximum of 3 years. The data is processed only within the EU.

What else do we do with your data?
We use your data for various purposes. The specific purposes are outlined below. We use both the data you provide to us and data we collect ourselves, such as information about your visit to our website.

• In order to establish a relationship with you if you express interest in us or wish to become a client of Colourful jobs, we need your personal information.
• To maintain our relationship with you and fulfill your orders: as our customer, we naturally want to provide you with excellent service. To do so, we process personal data. We use this data to stay in touch with you.
• To develop and improve our services: to continue providing you with excellent service, we are working to develop and improve our products. In some cases, we process personal data for this purpose, for example, when you ask a question about our services.
• For our business operations: as a service provider, we believe it is important and necessary to maintain a clear overview of our customer relationships. To achieve this, we process personal data.
• For archival purposes: we do not collect more personal data than is necessary for the purposes mentioned above. Even if we no longer retain the data for those purposes, we may still retain it for archival purposes. This means that it will only be used in legal proceedings or for historical, statistical, or scientific purposes.
• To optimize our services: Colourful jobs collects Colourful jobs data on the use of our website for the purpose of measuring website statistics. By analyzing the collected data, we can improve the website and further optimize Colourful jobs services. The collected data is not used for any other purpose or made available to third parties. This includes the following data: your IP address, the address of your internet service provider, the browser you use (such as Internet Explorer or Firefox), the time and duration of your visit, and which pages you visited. The website uses temporary session cookies. These cookies are deleted after your visit to the website ends. Cookies contain only a unique number and no personal data. Colourful jobs not Colourful jobs IP addresses or cookies to personally identify you. Cookies cannot be used to identify you on third-party websites. If you object to the use of cookies, you can adjust your browser settings accordingly.

Disclosure to Third Parties
Your data is Colourful jobs by Colourful jobs . Your data will not be disclosed to third parties unless you have given your consent or Colourful jobs is required Colourful jobs by law.

Security We implement security measures to prevent, to the extent possible, the misuse of and unauthorized access to personal data. Colourful jobs , together with its sub-processors, Colourful jobs appropriate organizational and technical security measures for its files in which your personal data is stored. In this way, we ensure that this data is only accessible to individuals who are authorized to do so by virtue of their position and that the data is only used for the purposes for which it was collected.

Data Processing Agreement with Website Administrator
Our website was developed and is managed by Plate Website BV. We have entered into a data processing agreement with Plate Website BV that complies with all GDPR requirements and guidelines. The text of this agreement can be found in the attachment.

Accessing and Updating Your Information
If you have any questions about our privacy policy or would like to access, update, or delete your personal information, please feel free to contact us at any time. If any information is incorrect or if you would like to view or have your information deleted, please contact us at info@colourfuljob.nl.

Attachment: Data Processing Agreement between Colourful jobs and Plate Websites BV

Colourful jobs has entered into a data processing agreement with Plate Websites BV, the developer and administrator of the Colourful jobs . The Processor (Plate Websites BV) provides services on behalf of the Controller (Colourful jobs ), as described in the Agreement between the Parties;
a) The services entail the processing of Personal Data by the Processor, for which the Controller is responsible within the meaning of the Personal Data Protection Act (Wbp) and the General Data Protection Regulation (GDPR);
b) The Processor processes the relevant data on behalf of and in accordance with the instructions of the Controller and not for its own purposes. The Processor is a Processor within the meaning of the Wbp and the GDPR;
c) The Parties wish to set forth the agreements regarding the processing of Personal Data in the context of the services through this Data Processing Agreement.
d) This Data Processing Agreement is an agreement within the meaning of Article 14(2) of the Wbp and Article 28(3) of the GDPR.

Article 1. Definitions
1.1 In this Data Processing Agreement, terms defined in the GDPR have the same meaning. The definition of “Data Controller” in the GDPR corresponds to the term “Controller” in this agreement.

Article 2. Subject Matter and Performance of this Data Processing Agreement
2.1 The Processor processes Personal Data on behalf of the Controller for the duration of the services specified in the Agreement between the Parties. The Processor processes Personal Data on behalf of the Controller and to comply with any legal obligation.
2.2 The Personal Data will be processed by the Processor for the following purposes:
a. Processing and emailing contact forms that are filled out by website visitors and sent to site owners, so that the site owner can be contacted via the website.
b. Storing contact forms filled out and submitted by website visitors in the Plate database, so that they can also be viewed in the Plate Dashboard, in addition to the email itself.
2.3 The following categories of Personal Data will be processed:
a. Name
b. IP address
c. Email
2.4 During processing, the following categories of Personal Data may potentially be processed, depending on the composition of the contact forms referred to in paragraph 2 of this article:
a. Name and address details
b. Phone number
c. Date of birth
d. Gender
e. Administrative data, such as bank account or credit card numbers
2.5 When compiling the contact forms referred to in paragraph 2 of this article, the Controller shall refrain from explicitly requesting Special Categories of Personal Data, as defined in Article 9 of the GDPR.
2.6 The Personal Data will be processed only to the extent necessary for the provision of the services. Any other processing shall take place exclusively on the basis of written instructions from the Controller, unless a legal obligation to process applicable to the Processor requires it. In that case, the Processor shall inform the Controller of that legal requirement prior to processing.
2.7 Unless the Processor has obtained express prior written consent—whether or not subject to conditions—from the Controller, the Processor shall not process Personal Data or have it processed by itself or by third parties in countries outside the European Economic Area (EEA) that do not provide an adequate level of protection. The Processor shall inform the Controller of any change in the location where the Controller’s data is stored, as well as the identity of any third parties involved in this.

Article 3. Confidentiality
3.1 All Personal Data made available under this Data Processing Agreement is subject to a duty of confidentiality vis-à-vis third parties. The Processor shall not use this information for any purpose other than that for which it was obtained, even if it has been processed in such a way that it cannot be traced back to the Data Subject. The Processor shall also impose this duty of confidentiality on all its employees and any third parties it may engage, whether or not they are Subprocessors.
3.2 The Parties mutually undertake not to disclose to third parties any data designated as confidential, or data that should reasonably be considered as such, concerning the other Party, unless the information is already in the public domain.
3.3 The parties undertake to impose the same confidentiality obligation on persons they engage in the performance of this agreement.
3.4 In the event of a breach of this article, the non-breaching party shall be entitled to compensation from the breaching party.

Article 4. Obligations of the Controller
4.1 The Controller is responsible, within the meaning of the GDPR, for the personal data to be processed under the Agreement.
4.2 The Controller is responsible for other obligations arising from the GDPR, such as notifying the Dutch Data Protection Authority (AP) of the processing of personal data.
4.3 The Controller warrants to the Processor that the content, use, and/or processing of Personal Data is not unlawful and does not infringe upon any rights of a third party. The Processor is not responsible for the lawfulness of the processing of Personal Data by the Controller.
4.4 The Controller is obligated to install (or have installed) the (security) updates for the software on which the Personal Data is processed; failing to do so, the Controller shall have no claims against the Processor.
4.5 The Processor shall notify the Controller as soon as updates essential for security become available.
4.6 The Controller indemnifies the Processor against all damages and claims from any party arising from a breach of Article 4.4 of the Processing Agreement.
4.7 The Processor shall not be liable to the Controller for any failure to fulfill the obligations under this Data Processing Agreement if the Controller fails to comply with Article 4.4 of this Data Processing Agreement.

Article 5. Obligations of the Processor
5.1 The Processor shall process the Controller’s Personal Data in a manner logically separate from the Personal Data it processes for itself or on behalf of third parties.
5.2 The Processor shall, provided a timely request is made, enable the Controller at all times to comply within the statutory time limits with the obligations under the Wbp and the GDPR that relate to the processing by the Processor, such as—but not limited to—a request for access, correction, supplementation, deletion, or blocking of the Personal Data, and the execution of a valid, registered objection.
5.3 If a Data Subject contacts the Processor directly for information, the Processor shall immediately report such a request to the Controller and shall otherwise refrain from providing information to the Data Subject.
5.4 The Processor shall take appropriate technical and organizational measures—to the extent possible—to assist the Controller in complying with requests from Data Subjects to exercise their rights under Chapter III of the GDPR.
5.5 The Processor shall actively monitor for breaches of security measures.
5.6 The Processor shall process Personal Data only on the instructions of the Controller and shall follow all instructions from the Controller in this regard, subject to any conflicting legal obligations.
5.7 The Processor is fully responsible for any Sub-processor(s) and shall impose on such Sub-processor(s), within the scope of the overall service provision, at least the same obligations toward the Controller as those arising for itself under this Data Processing Agreement.
5.8 The Processor shall not engage any Subprocessor without the prior specific or general written consent of the Controller in accordance with Article 28(2) of the GDPR.
5.9 The Processor shall notify the Controller without delay of any security incidents;
5.10 The Processor shall comply with Article 32 of the GDPR, further elaborated in Article 6 of this Data Processing Agreement.
5.11 The processing of data shall never result in the Processor’s databases being enriched with data derived from the Controller’s datasets. Combining data originating from the Controller is not permitted.
5.12 The Processor shall make available to the Controller all information necessary to demonstrate compliance with the GDPR and this Data Processing Agreement. The Processor shall facilitate audits, including inspections by the Controller or an auditor authorized by the Controller, once a year and shall cooperate in every possible way. The costs thereof shall be borne entirely by the Controller.

Article 6. Security of Personal Data
6.1 The Processor shall implement appropriate technical and organizational security measures, which, given the current state of the art and the associated costs, are commensurate with the nature of the Personal Data to be processed, to protect the Personal Data against loss, destruction, or unlawful processing, as well as to ensure the (timely) availability of the data. These measures shall in any case include:
a. Measures to ensure that only authorized persons have access to the Personal Data for the specified purposes;
b. Measures whereby the Processor shall provide adequate access security to the Personal Data, so that only authorized persons have access. The Processor grants access to the Personal Data only through named accounts, whereby the use of those accounts is adequately logged and whereby the relevant accounts grant access only to that Personal Data to which access is necessary for the person concerned;
c. Measures to protect the Personal Data against accidental or unlawful destruction, accidental loss or alteration, unauthorized or unlawful storage, processing, access, or disclosure;
d. Measures to identify vulnerabilities regarding the processing of Personal Data in the systems used to provide services to the Controller;
e. Securing the services through the use of an SSL access certificate, which the Controller is required to use;
f. Maintaining an adequate and up-to-date mechanism to detect and appropriately handle malicious software, including computer viruses;
6.2 The Processor has the right to monitor (or have monitored) compliance with the aforementioned measures. The Processor shall provide the Controller with an opportunity to do so once a year. The costs of the audit shall be borne by the Controller.
6.3 The Parties acknowledge that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvement of outdated security measures. The Processor’s security policy may therefore change unilaterally over time. The Processor will keep the Controller informed of this.

Article 7. Security Incidents and Data Breaches
7.1 As soon as an incident relating to the processing of Personal Data occurs, has occurred, or is likely to occur, or a data breach has taken place (in accordance with the most recent guidelines/policies regarding the AP’s obligation to report data breaches and/or any regulation that replaces them), the Processor is obligated to notify the Controller thereof without delay and to provide all relevant information regarding:
a. The nature of the incident;
b. The data (potentially) affected;
c. The observed and suspected consequences of the incident, and
d. The measures that have been or will be taken to resolve the incident or to limit the consequences as much as possible.
7.2 Without prejudice to its other obligations, the Processor is required to take measures that can reasonably be expected of it to resolve the incident as quickly as possible or to limit further consequences as much as possible. The Processor shall immediately consult with the Controller to make further arrangements regarding this matter.
7.3 The preceding paragraphs also apply to a data breach or security breach involving any Subprocessor(s).
7.4 The Processor shall cooperate with the Controller at all times and shall follow the Controller’s instructions, with the aim of enabling the Controller to conduct a proper investigation into the incident, formulate an appropriate response, and take appropriate follow-up steps regarding the incident, including informing the Dutch Data Protection Authority (AP) and/or the data subject.
7.5 The Processor shall at all times have written procedures in place that enable it to provide the Controller with an immediate response to an incident and to cooperate effectively with the Controller to handle the incident (data breach protocol), and shall provide the Controller with a copy of the data breach protocol if the Controller so requests.
7.6 The Controller shall, if deemed necessary in its judgment, inform the Data Protection Officer and/or data subjects of a data breach. The Processor is not permitted to disclose information about incidents to data subjects or other third parties, except to the extent that the Processor is legally required to do so.

Article 8. Subprocessors and Chain Clause
8.1 The Processor shall not outsource the processing of Personal Data on behalf of the Controller to a third party (Subprocessor) without the prior written consent of the Controller.
8.2 The Processor shall impose on the Subprocessor engaged by it the same or stricter obligations as those arising for the Processor itself from this Data Processing Agreement and the law. The Processor shall monitor the Subprocessor’s compliance with these obligations. The relevant agreements with the Subprocessor shall be set forth in writing. The Processor shall provide the Controller with a copy of this agreement upon request.
8.3 The Processor also undertakes to include this chain clause in the Sub-Processor Agreement, as a result of which the Sub-Processor is also obligated to ensure that any third party or parties it engages comply with the obligations arising from Articles 5, 6, and 7 of this Processing Agreement.
8.4 If the Processor fails to fulfill the obligations set forth in the preceding articles, the Controller shall be entitled to compensation.

Article 9. Liabilityof the
9.1 Each Party is responsible and liable for its own actions. For any breaches arising from this Data Processing Agreement, the Processor’s liability is limited to a maximum of the amount for which the Processor is insured and which the liability insurer is actually willing to pay out.
9.2 The Processor hereby indemnifies the Controller against all claims by third parties arising from the Processor’s violation of applicable lawsand regulations regarding the protection of Personal Data by the Processor.
9.3 The Controller hereby indemnifies the Processor against all claims by third parties arising from a violation of the applicable laws and regulations regarding the protection of Personal Data by the Controller.

Article 10. Term and Termination
10.1 The term of this Data Processing Agreement shall correspond to the term of the Agreement between the Parties.
10.2 The Data Processing Agreement forms an integral and inseparable part of the Agreement. Termination of the Agreement, for whatever reason, shall result in the termination of the Data Processing Agreement as well.
10.3 Termination, rescission, or cancellation of the Agreement, in any manner whatsoever, shall not affect the obligations of the parties that, by their nature, are intended to survive such termination. These obligations include, among others, those arising from the provisions regarding confidentiality, liability, and applicable law.
10.4 Each party is entitled to terminate this Data Processing Agreement and/or the Agreement with immediate effect and without judicial intervention, without any demand or notice of default being required and without any obligation to pay any compensation, if:

• the other party files for a stay of payments or is granted a stay of payments;
• The other party is declared bankrupt, or the other party or a third party files for bankruptcy on behalf of that party;
• The other party's business is being liquidated;
• The other party's business operations will be suspended.

10.5 Notwithstanding paragraphs 1 and 2 of this Article, this Data Processing Agreement shall remain in effect for as long as the Processor processes Personal Data on behalf of the Controller.

Article 11. Retention Periods, Return, and Destruction of Personal Data
11.1 The Controller is obligated to ensure that Personal Data is not retained for longer than is necessary for the purposes specified in Article 2.2. The Controller shall instruct the Processor in advance regarding the retention periods.
11.2 Upon termination of the Processing Agreement, the Processor shall, at the Controller’s discretion, irrevocably destroy the Personal Data or return it to the Controller. Any costs associated with this shall be borne by the Controller. Any return of data shall take place electronically in a generally accepted, structured data format.
If return, irrevocable destruction, or deletion is not possible, the Processor shall immediately notify the Controller thereof. In that case, the Processor guarantees that it will store the Personal Data confidentially and securely and will not process it further.
11.3 Upon termination of the Processing Agreement, the Processor shall notify all Sub-processors involved in the processing of Personal Data of the termination. The obligations under the preceding paragraph apply mutatis mutandis to these Subprocessors. The Processor shall ensure that all Subprocessors involved comply with these obligations.

Article 12. Miscellaneous Provisions
12.1 The Parties are not permitted to transfer any rights or obligations under this Data Processing Agreement to third parties without the written consent of the other party.
12.2 All industrial or intellectual property rights relating to the Personal Data to be processed or processed under this Data Processing Agreement shall at all times remain with the Controller.
12.3 Amendments to this Data Processing Agreement must be agreed upon in writing.
12.4 If, for any reason whatsoever, a provision of this Data Processing Agreement is or becomes void or voidable, this shall only affect that provision. The remainder of the Data Processing Agreement shall remain in full force and effect, and the parties shall endeavor to replace the void or voidable provision, by mutual agreement, with one that most closely reflects the spirit of the aforementioned provision.
12.5 If changes in legislation necessitate an amendment to the Data Processing Agreement, the parties shall enter into open and sincere consultations to ensure that the Data Processing Agreement complies with these new legal requirements as soon as possible. If these consultations do not yield a result and the Processor refuses to cooperate on unreasonable grounds, the Controller is entitled to unilaterally amend the Data Processing Agreement so that it once again complies with the requirements imposed by law.
12.6 In the event of a conflict between the provisions of this Data Processing Agreement and the provisions of the Agreement, the provisions of the Data Processing Agreement shall prevail to the extent that they relate substantively to the tasks and responsibilities between the Parties regarding the processing of Personal Data.
12.7 This Agreement is governed by Dutch law