- Bizcuit B.V. is a limited liability company established under the laws of the Netherlands, registered in the Dutch trade register at the Chamber of Commerce under number 68122853, hereinafter “Bizcuit”.
- Bizcuit Payments B.V. is a limited liability company established under the laws of the Netherlands, registered in the Dutch trade register at the Chamber of Commerce under number 73395579, hereinafter “Bizcuit Payments”.
- All shares of Bizcuit are held by Bizcuit Holding B.V., a limited liability company established under the laws of the Netherlands, registered in the Dutch trade register at the Chamber of Commerce under number 62135325, hereinafter “Bizcuit Holding”.
- Bizcuit Payments was incorporated by Bizcuit, but is a ‘stand-alone’ limited liability company that offers its services through the Bizcuit platform and because of its affiliation with Bizcuit and Bizcuit Holding, is for the purpose of this policy considered as part of the Bizcuit ‘family’.
Hereinafter jointly referred to as Bizcuit Group.
Bizcuit develops, manages and sells a platform for enterprises (“End Users”). Bizcuit developed an app (the “Bizcuit app”) to enable its End Users to, amongst other things, create sales invoices, process purchase invoices and receipts, and pay sales invoices. In the Bizcuit app an additional application is made to provide account information services (“AIS”) and payment initiation services (“PIS”), which is serviced by Bizcuit Payments. In addition, the platform connects accounting and payroll software with banks.
Bizcuit Payments was established in 2018 to become a payment service provider providing PIS and AIS, which are regulated under the PSD2 by various regulators including the Dutch Central Bank (“De Nederlandsche Bank N.V.”, hereinafter “DNB”).
- General rule
2. Information collected by Bizcuit Group
Bizcuit Group collects and processes information from natural persons (“Personal data”), when it regards:
- Its employees to execute the employment agreement with them;
- Candidates for an employment agreement;
- Information of natural persons who are using Bizcuit as an End User, and/or who represent a legal entity that is configured in the Bizcuit app, making use of the Bizcuit platform or app and/or want to make use of the payment services provided by Bizcuit Payments (AIS and PIS);
- Natural persons with whom any Bizcuit Group company is engaged in doing business.
3. Data controller
Bizcuit Payments is a licensed company (after receiving the PSD2 license covering AIS and PIS) and a data controller and therefore responsible for the collection, processing, storage and security of any data as meant in the current privacy legislation.
Bizcuit Payments always processes as a data controller, for instance, but not limited to, in order to comply with the Act on Financial Supervision (“Wet op het financieel toezicht”, or “WFT”) and to comply with the Act against money laundering and financing of terrorism (“Wet ter voorkoming van witwassen en financieren van terrorisme”, or “WWFT”).
All legal entities that are part of the Bizcuit Group are a data controller if the applicable entity determines the means and purposes of processing, and otherwise take the role of data processor.
4. Legal ground and purpose for processing of personal data
Personal data are processed for the following purposes:
- Human Resources Management;
- Business relation administration;
- Finance administration;
- To offer the services of the platform and app (Bizcuit);
- To offer AIS and PIS (Bizcuit Payments);
- For responding to queries and providing relevant information;
- For events and knowledge sharing purposes;
- To fulfil legal obligations such as tax obligations.
The legal ground for these processing activities is:
- To execute agreements (such as employment agreements and agreements with Customers and/or End Users);
- Bizcuit Group’s legitimate interest as a (group of) professional software provider(s) to communicate with business relations and to operate (in the case of Bizcuit Payments) as a DNB licensed payment service provider. Bizcuit Group processes Personal data when a natural person applies for a job (“Candidate”) and thereby gives its consent for processing. In addition, Bizcuit Group has a legitimate interest to process this information to process the job application and may disclose such information for example to take up a reference when Bizcuit Group obtained consent from the Candidate;
- For Bizcuit Payments to comply with applicable laws and regulations and for Bizcuit to comply with applicable laws and regulations and to comply with the outsourcing agreement concluded with Bizcuit Payments.
The Personal data that are collected are adequate, relevant and limited to what is necessary in relation to the purposes.
Bizcuit Group does not sell any information or Personal data, or offer any direct marketing services without explicit consent from the Data Subject. It does not share any information or Personal data with third parties without prior written consent of the natural person involved, unless required by law and/or required by official Authorities such as the police and the Court of Justice. A written consent can also be given electronically.
It does not use technologies to collect, process, follow and store private information of natural persons. When private persons interact with the website, the Bizcuit Group does not use anonymous identifiers to identify the visitors of the website.
5. What kind of personal data are collected?
- Name of End User and of legal entity representative(s), as well as their address, postal code, country, location and/or date of birth;
- Other contact details such as telephone and e-mail address;
- Contact persons or legal representatives of legal entities configured in the Bizcuit app;
- Bank account numbers;
- Payment behaviour;
- Trade register numbers in so far as this tracks to a natural person (sole proprietorship or partnership);
- Information provided by End Users through use of platform or app of Bizcuit or the use of AIS and PIS provided by Bizcuit Payments, such as, but not limited to, contact persons of End Users’ suppliers or other information mentioned in for instance invoices;
- KYC information of End Users and legal entity representatives using Bizcuit Payments’ services as required by Anti-Money Laundering (‘AML’) directives and legislation (such as, for example, whether the individual qualifies as PEP and details of the UBO);
- Information received by performing transaction monitoring to comply with AML laws and regulations;
- When it regards Recruits: copy ID necessary for screening, resume, certificates/diplomas, remuneration details of former Employee, background check results, marital status, requested benefits;
- When it regards Employees: social security numbers and details shown on copy ID, resumes, excerpts of criminal record, certificates/diplomas, marital status, holiday leaves and sick leave, salary and other remuneration elements, bank account numbers, functions, appraisals;
- When it regards business relations: bank account numbers and when it regards a legal entity: its legal representatives.
A total overview of data that are collected/processed is registered in the data register in which the Bizcuit Group records the processing of Personal data per company that belongs to its group.
Bizcuit Group does not collect, process or store any sensitive personal information such as race, membership of a trade union, religion, sexual preferences, etc.
6. Data minimization
- All information is stored for a definite period of time (as long as necessary) or for a period of seven years after termination of an agreement as required by the Tax laws and regulations.
- Only Personal data necessary for the execution of agreements or to fulfil legal obligations or for which a legitimate interest of Bizcuit Group exists is recorded and stored.
- Personal data will be destroyed or deleted if no longer necessary.
7. Third parties/data processors
Bizcuit Group may use third parties for certain services that need the processing of Personal data, such as a specialized KYC service provider, a specialized GRC service provider, a specialized IT-security provider, payroll processors, insurers, IT-providers and auditors. If they qualify as a data processor, all data processors must comply with the General Data Protection Regulation (‘GDPR’) and additional rules and regulations concerning data protection and will only process Personal data when necessary to execute agreements. Most of the experts hired by entities belonging to Bizcuit Group qualify as a data controller.
8. Rights of data subjects and accuracy
The persons of whom Bizcuit Group collected data (“Data subjects”) have certain rights, such as:
- the right to information and access their Personal data that is processed: a Data subject may request more information about processing activities of Bizcuit Group and has the right to be informed about the processing activities that involve the handling and processing of personal data of one of the Bizcuit Group legal entities;
- the right to ask for rectification of their Personal data or to delete their data: When requested, Bizcuit Group will complete or change inaccurate or incomplete Personal data. If processing of Personal data is no longer necessary for achieving the purposes for which they are collected, or when processing is unlawful, or when consent is withdrawn, a Data subject may request to delete the Personal Data. By way of exception Bizcuit Group may refuse the deletion of Personal Data for compliance reasons such as but not limited to compliance with tax or AML legislation or KYC purposes;
- the right to restriction, which means that you have the right to restrict how much data the Bizcuit Group legal entities can use in the future, unless that restriction is such that Bizcuit Payments for instance will be unable to comply with the legal requirements of several Dutch laws under which it is regulated such as the WFT and the WWFT. In that case restriction would cause that Bizcuit Payments can no longer provide the services AIS and PIS to the person requesting restriction;
- the right to ask for a copy of their Personal data that are recorded by Bizcuit Group. The Bizcuit Group will in that case provide data in a structured and generally accepted file format;
- the right to object or to complain about the collection, processing and storage of their Personal data.
9. How to exercise rights
Data subjects can exercise their rights by sending their personal written request to Bizcuit Group.
Requests and complaints can be sent to:
Bizcuit Holding B.V., Bizcuit B.V. and/or Bizcuit Payments B.V.
For the attention of the Data Protection Officer
3905 NW Veenendaal
Personal data will be deleted as soon as these are not needed anymore (as required by law or for tax purposes). Correction of data will be carried out for free. If access to Personal data is requested, Bizcuit Group can give an overview of processed and stored data for free, except in those cases where it would require a disproportionate effort.
When a Data Subject would like to exercise its rights, all Bizcuit Group legal entities will reply within one month after receipt of the Data Subject’s request. In case they expect that their reply will take more time, they will inform the Data Subject of the expected timeframe to answer. If the request is complicated, Bizcuit Group legal entities may extend their response time by two months. Data Subjects will be informed accordingly as soon as possible and in all instances if possible within one month after receipt of a request.
In case a Data Subject is not satisfied with the complaint handling of Bizcuit Group, or in case a Data Subject chooses not to complain directly to the Bizcuit Group, the Data Subject has the right to submit its complaint to the Data Protection Authority of the Netherlands: https://autoriteitpersoonsgegevens.nl/nl/zelf-doen/privacyrechten/klacht-over-gebruik-persoonsgegevens.
10. Information security/protection of Personal data
Bizcuit Group implemented the necessary administrative, technical and organisational measures in order to ensure a level of security, which is appropriate for the specific risks that are identified. Bizcuit Group will thus protect Personal data against destruction, loss, unauthorised use, disclosure or access.
Bizcuit Group applies the following information security measures to protect Personal data against unauthorized access:
- Physical access control: the office is only accessible with a key. Keys are only provided to Employees and cleaning staff. Visitors are only permitted on appointment and are accompanied by an Employee at all times. The office is secured by an alarm system with direct link to a security firm;
- Persons are only authorized to have access to Bizcuit Group’s information when they have signed an agreement with Bizcuit Holding, Bizcuit or with Bizcuit Payments and are subject to strict confidentiality obligations. Those who fail to meet the obligations may be disciplined or their contract may be terminated;
- Bizcuit Group requires a ‘Verklaring omtrent gedrag (VOG)’ statement (certificate of good conduct) for all employees and contractors of Bizcuit Holding, Bizcuit and Bizcuit Payments before allowing any access or authorization;
- Logical access control: Access to laptops and to files is only allowed for authorized persons (mainly restricted to Employees and/or contractors), and controlled and secured against unauthorized access by username/password or other appropriate security measures;
- Banking data (account information and payments data) are restricted to people who need to have access to this data to perform their jobs, and in order to access the application source code or the Production environment 2-factor authentication is required;
- All data stored on servers are protected against data loss by regular backups;
- Additional protection by applying standards that are common in the Fintech industry to protect the Bizcuit application. For more detail Bizcuit and Bizcuit Payments have an IT security policy to which reference is made.
11. Data breach
Bizcuit Holding, Bizcuit and Bizcuit Payments have a data breach protocol that will be followed in case any security incident is detected in the IT system and/or a data breach is suspected.