This privacy statement applies to the processing of personal data by Risqui bv, including its potential subsidiaries and affiliated companies, hereinafter collectively referred to as Risqui.

Processing of Personal Data by Risqui

Risqui does not process a lot of personal information, nor a lot of sensitive information. It is not our business in dealing with this and from a privacy by design point of view, we try to limit all personal data processing to the bare minimum. However, we still want to be as open, honest, and transparent as possible. In this context, we find it important that you know exactly what personal data Risqui collects and for what purposes we use this data. This privacy statement outlines this information in a clear manner. Risqui ensures that personal data is collected, used, and deleted in a careful manner and in accordance with the applicable laws and regulations.

This privacy statement may change from time to time due to new developments. The most current privacy statement can be found on our website (which you are probably on right now): https://www.risqui.com/nl/privacy/

What Do We Use Your Personal Data For?

Your personal data is processed by Risqui for the following purposes. The data is only used and stored for these purposes.

• To enable our customers to run their risk management and to show compliance.
  We may process your data on behalf of the organization you work for. Risqui the tool is meant to manage risks, which have risk owners and measure/action owners. Also we log user actions to show evidence during audits. This is all processed to keep our side of the contract we have with an organization. Risqui does not independently decide to process your data within the Risqui application.
• Business administration.
  To function as a company, comply with legal requirements, and communicate with stakeholders, we use personal data. This includes data from customer contacts, contact details of organizations we collaborate with, and Risqui employees, partially processed due to legal obligations. We do not use user data for this purpose.

Lawfulness of processing

Risqui only processes personal data if there is a legal basis for doing so, as required by the General Data Protection Regulation (GDPR). The following legal bases apply:

Performance of contracts.
This applies to personal data we process from clients with whom we have entered into an agreement for services.

Legitimate interest.
Collecting and using certain personal data is necessary to fulfill business interests and operations. This includes commercial purposes, such as maintaining our customer portfolio and stakeholders. Risqui has a legitimate interest in acquiring customers and maintaining relationships, and therefore, collects personal data for these purposes.

Compliance with legal obligations.
Risqui is required to process personal data due to several legal obligations, such as:

• General Data Protection Regulation (GDPR)
• Telecommunications Act
• Archives Act
• Tax Retention Obligation
• Collection of State Taxes Act 1990
• Foreign Nationals Employment Act
• Compulsory Identification Act
• Deregulation and Simplification of Labour Relations Act (DBA)
• Sham Employment Arrangements Act (WAS)

We have tried to provide as comprehensive an overview as possible of the personal data that we process or have processed on your behalf, including the purposes and legal grounds. However, we also realize that it is impossible to do this fully and in every detail. Especially since in the future, other or unforeseen purposes may come into play where personal data must be processed. We want to emphasize that in such cases, we will continue to handle your personal data diligently and carefully.

With whom does Risqui share your data?

In principle, we do not share your data with others. Sharing your data only occurs when necessary for the execution of our services or if we have a legal obligation to do so. In such cases, we share data with:

• Clients.
  We share data with our clients from whom we have received the data. We present the same data in a different way.
• Own employees.
  We share data with employees when the processing purpose aligns with their role.
• Suppliers and subcontractors working for Risqui.
  We collaborate with service providers who provide technical enhancements to our services. We make clear agreements with them about their obligations and authorities. Risqui has stringent security requirements agreed upon with its suppliers and monitors compliance with these requirements. These are laid down in (processing) agreements.
• Tax authorities.
  In the case of tax requests, data may be shared with the tax authorities.
• Government institutions.
  If there is a legal obligation, we may provide your personal data to government institutions.

How long does Risqui retain your personal data?

Risqui retains your data no longer than necessary to achieve the purposes stated in this privacy statement.

• The retention period for our administration is seven years, in accordance with legal obligations. This includes agreements made with you, and the term starts after the agreement is terminated.
• When you send us an email or ask a question via a contact form, the data you send us will be retained as long as necessary for the full response and handling of your request.
• Data for marketing activities is retained for a maximum of 1 year after contact has been made in the context of offering products or services.
• If a longer retention period is required or appropriate under the law, other regulations, or due to legitimate interests, we may apply a longer retention period.
• As a processor for clients, we retain data as long as agreed upon with the client. In principle, the retention obligation does not apply to Risqui. As a standard, Risqui does not retain this data for more than 90 days, based on the principle of data minimization.

Cookies

Cookies are active on Risqui.nl; these are 'functional'. This means they are necessary, for example, for using our font or logging in. We do not use tracking cookies or third-party cookies. Therefore, we do not have a cookie banner and do not ask for consent, because you don’t want that, and neither do we.

Access, modification, deletion, or restriction of personal data

If you want to know which personal data Risqui has collected and used about you, you can request this information. You also have the right to:

• Correct or delete your personal data.
• Withdraw your consent for data processing
• Object to the processing of your personal data by Risqui.
• Data portability (This means you can request us to send the personal data we hold about you in electronic form to you or another organization specified by you).

You can send a request for access, correction, deletion, objection, or data transfer to [email protected]. In the case that Risqui is the processor, we will contact the controller to handle the request, since we are not able to do so as a processor. We will respond to your request within four weeks.

If you have a complaint about how Risqui processes your personal data, you can report this to [email protected]. If this does not lead to the desired result, you can also file a complaint with the national supervisory authority, the Dutch Data Protection Authority. You can reach them via the following link: https://autoriteitpersoonsgegevens.nl/nl/contact-met-de-autoriteit-persoonsgegevens/tip-ons.

Contact information

Risqui
Email: [email protected]