In this statement, Van Hoesel de Blaey explains how it deals with personal data and privacy on a daily basis, and what is legally justified and not justified. The name Van Hoesel de Blaey indicates the following: Van Hoesel/De Blaey Accountancy B.V., Van Hoesel/De Blaey Belastingadviseurs B.V, both located on Brouwerstraat 6, 3364 BE Sliedrecht, telephone 0184-200020, email

Privacy plays an important role in our current data-based society and in terms of the relationship between consumers and business. Companies and organisations have a responsibility with regard to personal data and data exchange in all areas in which they operate. They are obliged to collect, store and manage consumers' personal data carefully and securely, proportionately and confidentially. Protecting privacy is complex and is becoming increasingly complex due to technological developments and new European legislation. That is why we think it is important to be transparent about the way we handle personal data and to guarantee privacy.

Legislation and definitions

Currently, each member state of the European Union has its own privacy law, based on the European directive of 1995. The Personal Data Protection Act (Wbp) regulates the legal framework for handling personal data in the Netherlands. On 25 May 2018, the Wbp expires and the European Regulation comes into effect: the General Data Protection Regulation (GDPR), together with the Implementation Act. The GDPR builds on the Wbp and ensures, among other things, the strengthening and expansion of privacy rights with more responsibilities for organisations. 

The following terms are used in the GDPR:

Data subject: The person to whom the personal data relates. The data subject is the person whose data is to be processed.

Processor: The person or organisation that processes the personal data on behalf of another person or organisation. 

Personal data: All data that relates to people and through which you can recognise a person as an individual. This not only concerns confidential data, for example about someone's health, but also any information that can be traced back to a specific person (for example; name, address, date of birth). In addition to ordinary personal data, the law also includes special personal data. This concerns information about sensitive subjects, such as ethnic background, political preferences or the Citizen Service Number (BSN). 

Data protection impact assessment: A data protection impact assessment assesses the impact and risks of new or existing processing on privacy protection. This is also known as a Privacy Impact Assessment (PIA).

Controller: A person or agency who, alone or together with another person, determines the purpose and means of the processing of personal data. 

Processing: A data processing cycle is everything you do with personal data, such as: recording, storing, collecting, combining, forwarding to third party, and deleting. 


The statement applies to all the processing of personal data by the organisation. In other words: all processing that takes place within a company or organisation.


The company or organisation is responsible for the processing operations carried out by or on behalf of the company or organisation.

Data processing

The processing of personal data is any action or set of actions with personal data, whether or not performed via automated processes. In the GDPR, processing includes: Collecting, recording and organising, storing, updating and changing, retrieving, consulting, using, providing by means of forwarding, distribution or any other form of making available, collating, connecting, protecting, erasing or destroying data. This summary shows that everything you do with personal data is a processing stage. 


According to the law, personal data may only be collected if there is a purpose to do so. The purpose must be explicitly described and justified. The data may not be processed for other purposes. For the implementation of some laws, such as the Dutch Money Laundering and Terrorist Financing (Prevention) Act (Wwft), the purposes for processing can already be specified in the law, as can the personal data that may be requested and processed.

Lawful basis

The law says that for any personal data to be processed, there must be a lawful basis. This means that the processing is only permitted:

  • When the data subject has given permission for the specific processing;
  • When necessary to fulfil an obligation laid down in the law;
  • When necessary to fulfil an agreement the data subject is a part of;
  • When necessary to protect the vital interests of the data subject or to perform a task of general interest;
  • Necessary for the representation of the legitimate interests of the controller or of a third party.

In practice, this also means, for example, that van Hoesel de Blaey can use your personal data:

  • in order to call/email/write to you if this is necessary for the execution of our services;
  • to inform you about changes in legislation and services;
  • for sending our newsletters, mailings etc.

Method of processing

The main rule for processing personal data is that it is only allowed in accordance with the law, and in a careful manner. Personal data is collected as much as possible from the person concerned. The law assumes subsidiarity. This means that processing is only allowed when the goal cannot be achieved in any other way.  The law also mentions proportionality. This means that personal data may only be processed if this is proportionate to the purpose. When the same goal can be achieved using no, or less (onerous) personal data, this must always be chosen. 

Van Hoesel de Blaey ensures that the personal data is correct and complete before it is processed. This data is only processed by employees with a confidentiality agreement. Van Hoesel de Blaey also protects all personal data. This is to prevent the personal data from being viewed or changed by someone who is not authorised to do so. How Van Hoesel de Blaey does this is specified in the information security policy / security plan.

Sharing and transfer

Van Hoesel de Blaey does not sell your data to third parties. It will only provide your data to third parties (for example, the Tax Department, Health and Safety Service or the pension fund) if this is necessary for the execution of our agreement with you or to comply with a legal obligation. We have a processing agreement with organisations and/or companies that process your data on our behalf, in which the same level of security and confidentiality with regard to your data is guaranteed.

As a rule, Van Hoesel de Blaey does not generally pass on personal data to a country outside the European Economic Area (EEA) or an international organisation.

Transparency and communication

Obligation to provide information

Van Hoesel de Blaey informs data subjects about the processing of personal data. When data subjects provide data to Van Hoesel de Blaey, they will be informed of how Van Hoesel de Blaey intends to handle personal data. This can be done, for example, via a privacy declaration or statement when entering into a partnership agreement, an order confirmation or other agreement or via a privacy declaration or statement on the Van Hoesel de Blaey website.

If the data is obtained in another way, i.e. not via the data subject, the data subject will be informed when it is processed for the first time.


Van Hoesel de Blaey does not store the personal data longer than is necessary for the execution of the work it has been assigned. If personal data is still stored that is no longer needed to achieve the objective it was intended for, it will be deleted as soon as possible. This means that this data is erased or modified so that the information can no longer be used to identify someone.

Data subjects’ rights

The law not only defines the obligations of those who process the personal data, but also determines the rights of the persons whose data is processed. These rights are also known as data subjects' rights and contains the following:

  • Right to information: Data subjects have the right to ask van Hoesel de Blaey whether their personal data is being processed.
  • Right of inspection: Data subjects have the opportunity to check whether and how their data is processed.
  • Right of correction If it becomes clear that the data is incorrect, the data subject can submit a request to van Hoesel de Blaey to correct it.
  • Right to refrain: Data subjects have the right to ask van Hoesel de Blaey go no longer use their personal data.
  • Right to be forgotten: Cases where the data subject has given permission to process data, the data subject has the right to have the personal data deleted.
  • Right to object: Data subjects have the right to object to the processing of their personal data. Van Hoesel de Blaey will comply with this, unless there are justified grounds for the processing.

Submit a request

The data subject can submit a request to exercise their rights. This request can be submitted in writing or by email. Van Hoesel de Blaey has four weeks as of receipt of the request to assess whether the request is justified. Van Hoesel de Blaey will provide feedback within four weeks as to the outcome of the request. If the request is not followed up, the option is there to object to Van Hoesel de Blaey, or to file a complaint with the relevant Authority. On the basis of a request, Van Hoesel de Blaey can request additional information to be sure of the identity of the person concerned.

Automated processing


Profiling is carried out when an automated processing of personal data takes place, whereby personal data is used to look at certain personal aspects of a person in order to categorise and analyse this person, or to be able to predict matters. Examples of personal aspects can be: financial situation, interests, behaviour or location.

In order to clarify profiling, the following example applies: When a visitor views a certain service on the Van Hoesel de Blaey website, Van Hoesel de Blaey may not take any action to offer the service. Van Hoesel de Blaey may check how often a particular service has been viewed, but not offer specifically targeted advertising. In addition, the law states that no decision may be made on the basis of profiling.

Van Hoesel de Blaey only uses profiling by monitoring visits to its website, by means of Google Analytics.

Big data and tracking

By means of Big data research and tracking, data may only be processed if it cannot be traced back to a natural person. In addition, it can only collected for research carried out by, or on behalf of, Van Hoesel de Blaey. The data collected by Big data research and tracking only includes the data collected by authorised persons. Data minimisation will be applied when the data is converted into a data set. This means that only the data that is really necessary to achieve the goal will be used. In addition, personal data can be pseudonymised so that it cannot be traced back to a person.

Van Hoesel de Blaey does not make use of Big data and tracking.

Duties of Van Hoesel de Blaey

Register of processing operations

Van Hoesel de Blaey is responsible for keeping a register of all processing operations of which Van Hoesel de Blaey is the controller. Each register contains a description of what happens during a processing operation and what data is used for it:

  • The name and contact details of the controller and, possibly, the joint controller;
  • Principles of processing;
  • A description of the type of personal data and the data subjects involved;
  • A description of the recipients of the personal data;
  • A description of the process of sharing of personal data to a different country or international organisation;
  • The timeframe in which the various personal data must be erased;
  • A general description of the security measures.


Van Hoesel de Blaey takes the protection of your data very seriously and takes appropriate security measures, both organisational and technical, to prevent misuse, loss, unwanted disclosure and unauthorised modification of and/or unauthorised access to your personal data. If you have any questions about the security of your data, or if there are indications of abuse, please contact van Hoesel de Blaey at

Data protection impact assessment

A data protection impact assessment (PIA) assesses the effects and risks of new or existing processing on privacy protection. Van Hoesel de Blaey carries this out when there is an automated processing operation, a large-scale processing operation, or when large-scale monitoring of public files takes place. This is especially true for processing operations using new technologies.

Data breaches

A data breach occurs when personal data falls into the hands of third parties who are not allowed access to that data. Van Hoesel de Blaey shall notify the Authority without undue delay of any data breach within 72 hours after the breach has been discovered. If this takes longer than 72 hours, an explanation for the delay will be added to the notification. The infringement may pose a high risk to the rights and freedoms of data subjects. In this case, Van Hoesel de Blaey reports this to those involved in simple and clear language. Existing data breaches are prevent future data breaches.

Change in privacy statement

Van Hoesel de Blaey reserves the right to amend this privacy statement. We therefore recommend that you check this statement regularly/periodically, so that you are aware of any changes that have been made.