Privacy Statement and Cookie Policy of the Management Drives Group

(hereinafter referred to as: ‘Privacy Statement’ and ‘Cookie Policy’)

I. Privacy Statement

The Management Drives group, hereinafter referred to as: ‘Management Drives’, is the supplier of the Management Drives System and associated applications, hereinafter referred to as: the ‘MD System’. Management Drives respects the privacy of all its customers and processes all personal data processed by it in accordance with the General Data Protection Regulation, hereinafter referred to as: the ‘GDPR’, the Privacy Statement and Cookie Policy and all other applicable legislation and regulations.

By means of this Privacy Statement, Management Drives wishes to inform all parties that come into contact with Management Drives or with the MD System about the way in which Management Drives handles the personal data of individuals, hereinafter referred to as: the ‘Data Subjects’, which data are processed by Management Drives in its capacity as Processor or Controller within the meaning of the GDPR.

Management Drives sets out the following in this Privacy Statement:

  1. General contact information;
  2. Collecting personal data;
  3. Purpose of processing personal data;
  4. Basis for processing personal data;
  5. Categories and types of personal data;
  6. Retention periods;
  7. Subprocessors;
  8. Sharing personal data;
  9. General information about security measures taken; and
  10. Rights of data subjects.

1. General (contact) information

Name and contact details Management Drives:

Management Drives International B.V., Herenlaan 2, 3701 AT  Zeist

Info@managementdrives.com, +31 30 635 54 00

Name and contact details Subprocessors:

1. Bitlibre B.V., Prins Mauritslaan 25, 1171 LP Badhoevedorp

2. Amazon Web Services (Frankfurt am Main)

2. Collecting personal data

Management Drives obtains the personal data from the Data Subjects, whether or not via an authorised third party, by the Data Subject:

  1. using or intending to use the services of Management Drives;
  2. completing the questionnaires;
  3. using the MD System;
  4. having a business relationship with Management Drives;
  5. completing a contact form on the Management Drives website;
  6. leaving his or her data at one of the Management Drives offices or through other usual channels such as email and/or telephone;
  7. enrolling for a course at Management Drives;
  8. applying for a job at Management Drives; and
  9. visiting the Management Drives website.

Most of the data are provided by the Data Subject, whether or not through an authorised third party. The data involved depends on the specific services provided. Management Drives also collects personal data via the cookies in the MD System and on the Management Drives website (www.managementdrives.com/en). (For more information, see ‘II – Cookie Policy’).

3. Purpose of processing personal data

Management Drives processes the personal data for the following purposes:

  • Maintaining the data collection in the MD System;
  • Sending a link for the questionnaire to the Data Subjects;
  • Logging into and securing the MD System;
  • Generating profile reports on Data Subjects;
  • Visually displaying Management Drives individual or team profiles;
  • Using the MD Admin and MD Viewer;
  • Providing management functions to a Controller so that it can use the MD Admin;
  • Making the MD App and the texts therein user-friendly;
  • Saving the entered and completed data;
  • Exchanging e-mail addresses of an authorised third party to another authorised third party;
  • Exchanging e-mail addresses and profile reports of Data Subjects, whether or not by an authorised third party, to an authorised third party;
  • Communication;
  • Acquisition (to bring Management Drives to the attention of potential customers);
  • Performing the agreement;
  • Selection procedures;
  • Legislation and regulations;
  • Tracking website visits and surfing behaviour;
  • Providing a good and efficient service;
  • Improving the service;
  • Marketing analysis and research; and
  • Direct and indirect marketing.

4. Principles governing the processing of personal data

Management Drives is the provider of the MD System with the associated applications. Management Drives processes the personal data of Data Subjects in order to enter into or perform the agreement which is concluded, directly or indirectly, with Data Subjects. Management Drives also processes personal data if required to do so by law, because it has a legitimate interest in doing so or if permission has been given.

If a Data Subject has given Management Drives permission to process his or her personal data for certain purposes, the Data Subject may revoke this permission at any time in the same manner as it was provided by him or her.

If Management Drives collects personal data on the basis of its legitimate interest, it will ensure by means of pseudonymisation or anonymisation that the personal data cannot be traced back to the Data Subject.

In the event that Management Drives processes personal data on the grounds of its legitimate interest, the Data Subject has the right not to complete these data or to object free of charge to the processing.

5. Categories and types of personal data

Management Drives will process the following categories of personal data for the purposes described above:

  • Name and address details such as first and last name, initials, title, gender (salutation), email address, address, postcode, town/city, telephone number and similar information required for communication;
  • An administration number that is linked and does not contain any other information than the data described above;
  • Login details and passwords, such as usernames, email address and first and last name;
  • The results of the questionnaires completed by the Data Subjects to create a Management Drives profile;
  • Nationality, level of education, job level, sector and age category (optional);
  • The results of the completed questionnaires, nationality, the generated end user profile, level of education, job level, sector and age category. These data together and/or combined with other data may be regarded as personal data;
  • Curriculum Vitae (CV);
  • Use of the Management Drives website and the MD System website; and
  • Surfing behaviour.

Special personal data will not be processed.

6. Retention period

If Management Drives acts as a Processor, it will apply the same retention period as the Controller, with the proviso that Management Drives has instructed the Controllers to apply a retention period of 10 years.

In the case of processing where Management Drives acts as a Controller, it will not retain the data longer than necessary for the purpose for which they were collected. Management Drives applies a retention period of 10 years in this respect. After this period the data will be destroyed by Management Drives, unless it is required to retain the data for a longer period of time in order to comply with a statutory obligation.

If the agreement between an authorised third party and the Data Subject ends, Management Drives will take over the role of Controller as data controller. From that moment, Data Subjects should address Management Drives directly. In that case, Management Drives will retain the personal data and profile reports of the Data Subjects, using the above mentioned retention period. Management Drives will take appropriate organisational and technical measures to protect the personal data of the Data Subjects.

Data of job applicants will be retained for a maximum of one month after completion of a selection procedure, unless the Data Subject has given permission for the data to be retained for a longer period or the job application results in an employment contract. In that case, the data will be deleted at the latest after 10 years, unless a statutory obligation obliges Management Drives to retain the data for a longer period of time.

7. Subprocessors

Management Drives uses the following subprocessors for hosting and maintaining the MD System:

Bitlibre

Bitlibre is a hosting provider and software developer. Management Drives uses Bitlibre’s services to manage, maintain and develop the MD system. Bitlibre is ISO 27001 certified. The data from the MD System is stored by Bitlibre in the Netherlands.

Amazon Web Services Frankfurt am Main:

Amazon is a cloud provider that provides storage services. Management Drives uses Amazon’s services to store data from the MD System. The data from the MD System is stored by Amazon in the data centre of Amazon in Frankfurt am Main.

Amazon is committed to privacy. An overview of all privacy measures taken can be found at: https://aws.amazon.com/blogs/security/all-aws-services-gdpr-ready/. In addition, Management Drives has signed a subprocessor agreement with Amazon. The subprocessor agreement between Management Drives and Amazon can be found at: https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf. Finally, Amazon in turn uses processors. An overview of all the processors used by Amazon can be found at: https://aws.amazon.com/compliance/sub-processors/. The agreements may be amended from time to time. Management Drives therefore recommends checking the above websites regularly.

8. Sharing personal data

Management Drives is a Dutch company that also operates internationally. All data processed by Management Drives, whether or not via the MD System, are processed and stored only in the data centres of its subprocessors and only in the European Economic Area (EEA).

In addition, Management Drives may share the data of Data Subjects with third parties engaged by Management Drives, such as printing firms and email and mail processors. This data is shared solely for the purpose of meeting Management Drives’ contractual obligations or for direct or indirect marketing purposes.

9. General information about the security measures taken

The following measures are taken by Management Drives to ensure the ‘availability’, ‘integrity’ and ‘confidentiality’ of the MD System in order to prevent a personal data breach.

Access

Only authorised employees of Management Drives responsible for managing the database have access to the personal data. Employees will only have access to personal data if they have signed a non-disclosure agreement and comply with the other security regulations applied by Management Drives. Employees of Management Drives are aware of the security risks and their obligations with regard to the protection of personal data.

Clean Desk Policy

Management Drives works with a Clean Desk Policy which means that all papers and notes are cleared from the desks at the end of the working day. In addition, the rooms in which servers or computers with stored personal data are located can be locked.

Security measures

  • The Management Drives website is secured with an SSL certificate. It transmits confidential information in encrypted form;
  • The software of the MD System and other systems is up to date;
  • Management Drives uses appropriate antivirus software;
  • The data originating from the MD System are stored in encrypted form, with the copy of this data being stored at another, also physically and electronically highly secure location;
  • Management Drives has drawn up a protocol which it uses in the event of an actual or possible data breach;
  • Management Drives has deployed and instructed sufficient personnel and resources within its organisation to protect personal data from loss, unauthorised access or unauthorised use;
  • Access to the MD System and all other electronic systems is password protected so that only authorised persons have access to the MD System;
  • Personal data is only shared with third parties via a secure connection.

Conclusion of agreements

In order to safeguard the privacy of Data Subjects, Management Drives enters into processing and other agreements with third parties who, whether or not on behalf of Management Drives, process personal data of Data Subjects.

Audits

Management Drives ensures that both internal and external audits are carried out on a frequent basis in order to demonstrate that the obligations under the GDPR are being met.

10. Rights of Data Subjects

Under the GDPR, the Data Subject has the following rights:

  • The right to data portability.

(This is the Data Subject’s right to receive personal data and to transmit the data unhindered to another Controller or the right to request that personal data be transmitted directly to another Controller);

  • The right to be forgotten.

(This is the Data Subject’s right to be ‘forgotten’ in the MD System);

  • Right of access.

(This is the Data Subject’s right to access the personal data concerning them which are being processed);

  • The right to rectification and supplementation.

(This is the Data Subject’s right to modify or supplement the Data Subject’s personal data which are being processed);

  • The right to restriction of processing.

(This is the Data Subject’s right to have less of his or her data processed);

  • The right with regard to automated decision-making and profiling.

(This is the Data Subject’s right to human intervention in automatic decisions with legal effect);

  • The right to object to the data processing.

Management Drives has adjusted its systems, processes and internal organisation to these rights so that it can respond properly, whether or not via an authorised third party, to the requests of Data Subjects.

In the event of complaints relating to the manner in which Management Drives processes personal data, the party concerned must first contact Management Drives (see above under 1. ‘General contact information’). In addition, the parties concerned have the right to submit a complaint to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) via its website: https://autoriteitpersoonsgegevens.nl/en.

11. Amendments

Management Drives reserves the right to amend its Privacy Statement and Cookie Policy. At the time of the amendment, the new policy will automatically be in force and replace the previous version. Since amendments may be made, Management Drives advises all parties that come into contact with Management Drives or the MD System to regularly review the Privacy Statement and Cookie Policy. This statement was last amended on 13 November 2019.

12. Contact details

For questions and/or comments about this Privacy Statement and Cookie Policy, please contact results@managementdrives.com.

II. Cookie Policy

When the Management Drives website (www.managementdrives.com/en) is consulted or the MD System is used, cookies are stored on the user’s computer, laptop, tablet or telephone. Cookies are text files that contain a small amount of information. The server sends this to a browser, so that the server can identify the browser on each page. Management Drives uses cookies to gain insight into the preferences of its users, in order to improve its services and service provision.

Some functions on the Management Drives website are only accessible if the cookies are accepted. To the extent that cookies contain identifiable information (which means that they can be traced back to a person), the Privacy Statement of Management Drives also applies to them.

A. Types of cookies

Technical cookies

The Management Drives website and the software applications of the MD System use technical cookies. These cookies are necessary for the website and/or the MD System to operate, for example to create an account or to log in.

Functional cookies

The Management Drives website and the MD System use functional cookies. These are used to remember personal preferences regarding whether or not to allow cookies, the country from where the Management Drives website or the MD System is visited and/or consulted, the choice of language, etc. These cookies can be used to make the use of the website and system easier.

Analytical cookies

The Management Drives website and the MD App and MD Pro App of the MD System use analytical cookies via Google Analytics. These cookies collect anonymous information about the manner in which the website and/or the MD System are used. For example, visitor statistics are collected, and it is possible to see how a visitor enters the Management Drives website and how a visitor uses the website and/or the MD System, which enables Management Drives to gain a better insight into their operation.

Management Drives has adjusted its settings in Google Analytics such that collected data is treated in a privacy-friendly manner. The identity of the visitor cannot be derived from the data collected. Google Analytics can be deactivated by downloading a tool from Google via the following link: https://tools.google.com/dlpage/gaoptout?hl=en/.

B. Deletion of cookies

Some cookies are automatically deleted when the web browser is closed. In some cases, the cookies must be actively deleted if they are not or no longer desired. It is possible that if cookies are deleted, certain functions or parts of the websites will no longer be accessible or functional. An explanation by the Dutch Consumers’ Association (Consumentenbond) about the removal of cookies can be found via the following link: https://www.consumentenbond.nl/internet-privacy/cookies-verwijderen.
