Careful processing of personal data is of great importance to VOICT. In doing so, we comply with the requirements of the General Data Protection Regulation (GDPR; in Dutch: AVG). In this privacy statement, we explain which personal data we collect and use and for what purpose.
ISO/IEC 27001 certified
VOICT is ISO 27001 (information security) certified.
Customers can expect us to handle their data with care and to protect it. By being certified, we can also demonstrate that we have set up, monitor and continuously improve Information Security Management in a professional manner.
ISO/IEC 27001 is an ISO standard for information security that describes how information security could be organised in a process-based way in order to implement security measures. The standard specifies requirements for establishing, implementing, executing, controlling, assessing, maintaining and improving a documented Information Security Management System (ISMS) within the framework of the general business risks for the organization. The ISMS is designed to ensure the choice of adequate and proportionate security measures that protect the information and provide confidence to stakeholder
The customer is the legal entity that decides whether, and if so, what data will be processed, for what purpose and in what way. The customer of VOICT is therefore – according to the definition of the AVG – the Responsible Party. VOICT is deemed to be a Processor that processes personal data on behalf of the Responsible Party without VOICT being under the direct authority of the Customer. VOICT has no knowledge of what other legislation its Customers must comply with and cannot take any responsibility for this or surrender it.
VOICT lays down the mutual rights and obligations between it and its Customers within the framework of the GDPR in a separate agreement.
Network and Information Systems Security Act (Wbni)
VOICT offers its product as a SaaS service and qualifies as an online cloud service provider. However, according to the guidelines of the Wbni, we are not regarded as a digital service provider within the meaning of the law. This does not alter the fact that we will do everything in our power to meet security requirements as far as reasonably possible.
Recording and processing of data
VOICT will process the data of its Customers properly and carefully in accordance with the AVG. We only store and use those personal details that are entered directly into our systems, either manually or automatically, by or on behalf of our Customers. These personal details will not be manipulated, processed or linked by VOICT to other data than is necessary for the proper functioning of the system, unless explicitly requested otherwise by our Customers. In principle, we only record data that is necessary for the delivery of goods and services between supplier and customer. No so-called special personal data are recorded. VOICT does not provide data to third parties. The storage periods of the data will be agreed separately with each customer. VOICT will not store any data outside the agreed storage periods. As the personal data are necessary for the distribution of goods, we assume that there is unambiguous consent of the person(s) concerned. VOICT maintains no relationship with individual addressees. Requests for modification or deletion of data (the right to be forgotten) by addressees must be addressed to the Customer. The customer can then make a request to delete data of an addressee. There is a standard procedure for this.
All data of our products is stored on our own servers in the Netherlands. No use is made of Cloud services outside the EEA.
Data is stored and managed within VOICT’s SaaS system on behalf of its Customers. This also includes usernames and passwords. The management of usernames and passwords is the Customer’s responsibility. To this end, it must appoint a so-called super-user or application manager. After registration VOICT saves the username and personal data, such as name, email address and password. We keep these data so that they do not have to be filled in again and again. We will not pass on the data linked to a user name to third parties unless this is required by law or expressly requested by the customer. In all cases, the provision to third parties will only take place via the customer. Within the system data of Customers and sub-contractors can be stored. This data is only used for (self)billing and financial settlement within the system or via an interface agreed by the customer. C.O.D. data can be recorded within the system. This recording is purely for the proper settlement of the C.O.D. payment. Bank details are not known within the system. At the customer’s request, this financial data can be made available to another system via an interface in order to ensure correct settlement.
Username and password
A username is linked to a password. Users are responsible for handling the password with care. Customers of VOICT are responsible for the correct use and establishment of a security policy in this area. We assume that a person who logs in with a username and password is authorised to use the username. If it is suspected that the password is known to unauthorized persons, the super-user can block the account and/or set a new password. Usernames are personal; the use of so-called functional usernames by more than one person is discouraged but is the responsibility of the customer.
Security of personal data
We use strict security procedures, among other things to prevent unauthorised access to personal data. In particular, we use secure connections (Secure Sockets Layer or SSL) which shield all information between users and our web applications from the moment the user logs on (with username and password).
Duty to report data leaks
In the event of a data breach, the personal data is exposed to loss or unlawful processing. A data breach must be reported to the Personal Data Authority if it poses a risk to the rights and freedoms of data subjects. We assume that the data recorded in our systems for distribution does not fall under these criteria and therefore does not have to be reported to the Personal Data Authority nor to data subjects. Where appropriate, we will always inform our customers.
Capturing visit behavior
Within the applications of VOICT, general visit data are maintained and are used for statistical analyses of visit and user interaction on the site/application. In this context, only part of the IP address of the user’s computer is recorded and the remaining data is anonymised as far as possible. For the analysis of this behaviour, the self-hosted program Matomo is used (self-hosted means that this data is stored on our own servers). This data may be shared with our Customers under certain conditions, but will not be passed on to others or used for commercial purposes.
Cookies are used within the web applications. A cookie is a simple small file that is stored on the hard disk of the computer. We use temporary cookies. These cookies contain no personal data and are only used to make the use of the web application easier. After logging in with the username and password, our server sends a cookie to recognize the user during the rest of a session. Through this cookie we can also keep track of which pages are requested. Cookies are not used for other (commercial) purposes.
Third party websites
This statement does not apply to web applications or third party sites linked to our applications.
The way in which we record and process data applies in full to our mobile apps. In order to log in, you may be asked for your e-mail address. This e-mail address will only be used for access to the system and in any communication from the system to users. This is at the customer’s discretion.
The mobile app will not use data, including data that can be made available from the device such as GPS data and photos, other than that required for the proper operation of the system.
Privacy statement changes
We reserve the right to make changes to this statement.
Inspection and modification of data
ii Special personal data are all personal data that provide information about a person’s: religion or belief; race; political affiliation; health; sexual life; membership of a trade union; personal data under criminal law; and personal data about unlawful or obnoxious acts for which a prohibition has been imposed (e.g. a restraining order).