HR Privacy Policy – Employees and Applicants 

1. Introduction 

Smart Nes Holding B.V., established at Vasteland 110, 3011 BP, Rotterdam, is the holding company of the “Youwe”-entities and is the controller for the processing of personal data of its employees, former employees and job applicants. 

We are committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (GDPR) and applicable national laws. 

If you have any questions about this policy or the way we handle your personal data, you can contact mr. Mark Krul (“Privacy Officer”) at m.krul@youweagency.com.

This policy is written for all Youwe employees in the Netherlands and also applies to applicants and former employees insofar as their data are still being processed. 

2. Definitions 

In this policy, the following terms have the meanings set out below: 

  • Personnel: all persons working for or on behalf of a Youwe company (employees, temporary workers, interns, contractors, etc.). 

  • Personal data: any information relating to an identified or identifiable natural person. 

  • Processing: any operation performed on personal data, such as collection, recording, organisation, storage, alteration, retrieval, consultation, use, disclosure, erasure or destruction. 

  • Burgerservicenummer (BSN): the unique citizen service number assigned to a natural person under Dutch law. 

  • File: any structured set of personal data accessible according to specific criteria, whether centralised, decentralised or distributed. 

  • Controller: Smart Nes Holding B.V., which determines the purposes and means of processing personal data. 

  • Processor: a party that processes personal data on behalf of Smart Nes Holding B.V. under a written agreement. 

  • User: a person authorised to access specific personal data for the performance of their duties. 

  • Data subject: the person to whom the personal data relates (e.g. employee, applicant). 

  • Third party: anyone other than the data subject, Youwe, a processor or persons authorised to process personal data under the direct authority of Youwe or a processor. 

  • Recipient: a natural or legal person, public authority or other body to which personal data are disclosed. 

  • Dutch Data Protection Authority: the authority supervising compliance with data protection law in the Netherlands. 

  • Consent: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she signifies agreement to the processing of personal data. 

3. Purposes and Legal Bases 

We process personal data only for specified and legitimate purposes and on one of the legal bases provided by the GDPR. The main categories are: 

3.1 Job applicants 

Purposes include: 

  • Assessing suitability for a position and conducting the recruitment process. 

  • Communicating about the application and potential follow-up procedures. 

  • Keeping an applicant file for a limited period (with your consent). 

Legal bases: 

  • Taking pre-contractual steps at your request prior to entering into an employment contract. 

  • Our legitimate interest in recruiting suitable personnel. 

  • Your consent for retaining data longer than the standard period; you can withdraw this consent at any time.  

3.2 Employees (HR and payroll administration) 

Purposes include: 

  • HR and personnel administration. 

  • Payroll administration, tax and social security obligations. 

  • Managing the employment relationship (performance, development, training, evaluation). 

  • Ensuring compliance with labour, tax and social security law. 

Legal bases: 

  • Necessary for the performance of the employment contract. 

  • Compliance with legal obligations (such as tax and social security legislation). 

  • Our legitimate interest in efficient HR management and internal control.  

3.3 Absence, health and reintegration 

Purposes include: 

  • Registration of absence and (sick) leave. 

  • Providing guidance and reintegration in cooperation with the company doctor and occupational health service. 

  • Complying with social security and health and safety obligations. 

Legal bases: 

  • Compliance with legal obligations. 

  • Our legitimate interests in proper management of absence and reintegration. 

  • Health data are only processed by or under the responsibility of the company doctor/occupational health service, in accordance with Dutch law. 

3.4 IT, security and access control 

Purposes include: 

  • Granting and managing access to buildings, systems and applications. 

  • Ensuring the security and continuity of IT systems and networks. 

  • Detecting and investigating security incidents, misuse or policy violations. 

Legal bases: 

  • Our legitimate interests in protecting systems, data and assets. 

  • Compliance with applicable legal security requirements, where relevant. 

3.5 Communication and marketing (internal and external) 

Purposes include: 

  • Internal communication (intranet, newsletters, team updates). 

  • External communication and marketing (website, social media, promotional materials) where you may be visible. 

Legal bases: 

  • Our legitimate interest in communicating about our organisation and services. 

  • Your consent where legally required (for example, clearly identifiable photos/videos in external campaigns). You may withdraw your consent at any time, without negative consequences for your employment. 

3.6 Former employees 

Purposes include: 

  • Maintaining contact with former employees (e.g. alumni networks). 

  • Handling and resolving disputes and claims.  

  • Complying with legal retention obligations and audits. 

Legal bases: 

  • Our legitimate interest (for example, in defending legal claims, maintaining alumni relations). 

  • Compliance with legal obligations. 

3.7 Obligation to provide personal data 

For certain data, you are required to provide them in order to enter into and perform an employment contract with Youwe (such as address details, BSN, bank account number, tax data). If you do not provide these data, we cannot pay your salary or meet our legal obligations, which may affect the conclusion or continuation of your employment. 

4. Categories of Personal Data 

Depending on your relationship with Youwe (applicant, employee, former employee), we may process the following categories of personal data: 

  • Identification and contact details: name, initials, title, gender, date of birth, address, postal code, town/city, country, telephone number, email address, nationality, place of birth. 

  • Personnel and employment information: employee number, job title, department, work location, employment status, start and end date of employment, working hours, evaluations and performance reviews, training and development data. 

  • Payroll and financial data: salary, allowances, bank account number, tax information, pension details, expense claims. 

  • Legal and compliance data: right-to-work documents, copy of identity document (where legally required), work permits, information from bailiffs related to wage garnishments, relevant information in the context of disputes or investigations. 

  • Absence and health-related data: data on absence (dates, duration, type of absence) and, where necessary, limited information about employability and work restrictions. Detailed medical information is processed only by the company doctor/occupational health service. 

  • Application data: CV, cover letter, references, interview notes, assessment results, correspondence relating to the application. 

  • IT and security data: login details, user IDs, access logs, access card data, IP addresses, device identifiers, security logs, CCTV images (where applicable). 

  • Communication data: photos and videos of employees for internal and, where consented, external communication. 

Where possible, we use data in aggregated or anonymised form. 

5. Recipients and Processors 

We only share personal data with third parties where this is necessary for the purposes described, where required by law, or where you have given consent. 

Categories of recipients include: 

  • Payroll and HR service providers. 

  • Occupational health services and company doctors. 

  • Pension providers and other employee benefit providers. 

  • IT service providers (hosting, support, security, collaboration tools). 

  • Insurers and advisors (legal, tax, health & safety). 

  • Public authorities and regulators such as the tax authorities, where legally required. 

  • Other Youwe entities within the group for HR, finance or IT purposes. 

Where we engage third parties to process personal data on our behalf, we conclude written agreements that meet the requirements of the GDPR. 

6. International Data Transfers 

Where personal data are transferred to countries outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place, such as: 

  • An adequacy decision by the European Commission; or 

  • Standard Contractual Clauses issued by the European Commission; and 

  • Additional technical and organisational measures where required. 

7. Access to Personal Data within Youwe 

Access to personal data is limited to persons who need it to perform their duties: 

  • HR staff and direct managers for HR-related purposes. 

  • Payroll, finance and related support staff for financial and administrative processing. 

  • IT staff for system management, security and support. 

  • Management, compliance and legal for legitimate business and compliance purposes. 

These persons are bound by confidentiality obligations, either by contract or by law. 

8. Security and Confidentiality 

We take appropriate technical and organisational measures to protect personal data against loss or any form of unlawful processing. Measures may include: 

  • Access controls and authorisation management. 

  • Encryption and secure communication. 

  • Logging and monitoring of access to systems. 

  • Regular backups and secure storage. 

  • Policies and procedures for information security and data protection. 

  • Confidentiality obligations for employees and contractors. 

Anyone who has access to personal data in the course of their work and is not already bound by a duty of confidentiality by profession or law is required to maintain confidentiality. 

9. Data Breaches 

A personal data breach is a breach of security that leads to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. 

  • Suspected or actual data breaches must be reported immediately in accordance with the internal data breach procedure. 

  • Where a breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the Dutch Data Protection Authority. 

  • Where a breach is likely to result in a high risk to the rights and freedoms of individuals, we will also inform the affected individuals without undue delay. 

We maintain a register of data breaches, as required by the GDPR. 

10. Information Duty 

We inform employees and applicants about the processing of their personal data: 

  • At the time we collect the data from you (for example, when you join or apply), or 

  • Before recording data that we receive from third parties (such as references, where allowed). 

This policy forms part of our information to you about the processing of your personal data. Additional information may be provided in the employment contract, staff handbook, specific notices or internal policies. 

11. Your Rights 

As a data subject, you have the following rights under the GDPR: 

  • Right of access: you can request information about whether we process your personal data and, if so, access to those data and additional information. 

  • Right to rectification: you can request correction of inaccurate personal data and completion of incomplete personal data. 

  • Right to erasure: you can request deletion of your personal data in certain cases (for example where data are no longer necessary for the purposes for which they were collected, or where processing is based on consent and you withdraw your consent), subject to legal retention obligations. 

  • Right to restriction of processing: you can request restriction of processing in specific cases (e.g. while the accuracy of data is being verified, or in the context of a dispute). 

  • Right to data portability: where processing is based on consent or contract and carried out by automated means, you can request to receive your personal data in a structured, commonly used and machine-readable format and have the data transmitted to another controller, where technically feasible. 

  • Right to object: where we process data on the basis of legitimate interests, you may object on grounds relating to your particular situation. We will then assess the objection and stop processing unless we have compelling legitimate grounds that override your interests, rights and freedoms or the processing is necessary for legal claims. 

  • Right to withdraw consent: where processing is based on your consent, you may withdraw that consent at any time. This does not affect the lawfulness of processing before withdrawal. 

You can exercise your rights by sending a request to m.krul@youweagency.com. We may ask you to provide additional information to verify your identity. We aim to respond within one month of receiving your request. 

You also have the right to lodge a complaint with the Dutch Data Protection Authority if you believe that your personal data are processed in breach of data protection law. 

12. How long we keep your data (retention periods) 

We do not keep personal data longer than necessary for the purposes for which they were collected, unless a longer retention period is required or permitted by law. 

In general: 

  • Payroll and tax data (including salary information and underlying records): kept for at least seven years as part of our statutory tax administration, after which they are securely destroyed. 

  • Copy of your identity document: kept in our payroll records for at least five years after the end of the calendar year in which your employment ends, in line with our statutory tax obligations, after which the copy is securely destroyed. 

  • Payroll tax forms and related tax records (including the payroll tax declaration forms you sign when you start working for us): kept for at least seven years as part of our statutory tax administration. After this period, these records are securely destroyed. 

  • Key HR documents (contracts, performance documents): kept for a limited period after your employment ends, for example to deal with possible legal claims, after which they are deleted or anonymised. 

  • Application data: usually deleted within 180 days after the recruitment process ends, unless you agree that we may keep your data longer (up to 1 year). 

  • Absence data: kept as long as needed for reintegration, legal duties and limitation periods, then deleted or anonymised. 

More detailed retention periods can be included in an annex (Retention Schedule Personnel Data, Appendix 1), which may be updated from time to time. 

13. Automated Decision-Making 

We do not make decisions about you that are based solely on automated processing, including profiling, which produce legal effects concerning you or similarly significantly affect you. 

If this ever changes, we will inform you separately about the logic involved, the significance and the envisaged consequences of such processing, and about your associated rights. 

14. Complaints and Contact 

If you believe that we are not processing your personal data in accordance with this policy or applicable law, we ask you to contact us first so that we can attempt to resolve your concerns: 

  • Email: m.krul@youweagency.com 

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) via www.autoriteitpersoonsgegevens.nl.

15. Changes to this Policy 

We may amend this HR Privacy Policy from time to time. The most recent version will always be available on the intranet or otherwise communicated internally. Where changes are substantial, we will actively inform you.

Appendix 1 - RETENTION PERIODS OF PERSONNEL DATA

| Type of document | Retention period | Retention period starts |
|---|---|---|
| General employee information (name, address, contact details, bank account, etc.) | Maximum 5 years | After termination of employment |
| Payroll administration | Mandatory 7 years | - |
| Tax data (commuting, benefits, pension) | Mandatory 7 years | - |
| Payroll tax statements | Mandatory 5 years | After calendar year of termination |
| Identity documents & work permits | Mandatory 5 years | After end of employment / internship |
| Employment contract | Maximum 2 years | After termination |
| Salary & employment agreements | Maximum 2 years | After termination |
| Works council agreements | Maximum 2 years | After membership ends |
| Bailiff documents (attachments) | Until lifting of attachments | - |
| Performance reviews | Maximum 2 years | After termination |
| Training & internship data | Maximum 2 years | After termination |
| Absenteeism records | Short-term: max 2 years | After termination |
| Sickness data (Ziektewet / WGA) | 5–10 years depending on case | After termination |
| Job application data | 4 weeks / max 1 year (with consent) | After end of application process |
| Application data (current employees) | Up to 1 year | After recruitment |
| Dismissal & severance documentation | 2–5 years | After termination |
| Expats & foreign worker administration | Maximum 2 years | After termination |
| Photo & video | Until consent is withdrawn | - |

* The General Data Protection Regulation does not specify retention periods. The starting point is that personal data may be processed for as long as necessary for the purpose for which they were acquired. Other legislation may impose an obligation to keep certain personal data for a certain minimum period. 

** For some data within the payroll administration a different retention period of 5 years applies. 

*** If there is or has been a dispute with an employee, the personnel file may be kept for as long as necessary, for example if the employee could still claim certain rights arising from the employment contract, or in the event of a non-competition or relationship clause that is still valid for x years after the end of the employment contract.