Privacy Policy

1. General information

Symphony Solutions BV (hereinafter referred to as “SSBV”, “Company” or “we”) with a registered office at Laarderhoogtweg 25, 1101 EB, Amsterdam, The Netherlands, processes personal data in accordance with the General Data Protection (hereinafter referred to as GDPR). SSBV takes care of the privacy of the data subjects by respecting their right for privacy, observance of the principles and provisions for the protection of personal data and their legal processing, using numerous technical and organizational controls, measures and mechanisms which are continuously being upgraded.

Data Controller and Data Processor: Symphony Solutions BV



Data Protection Officer (DPO): Aleksandar Gacevski, Mykola Zaika

Direct DPO Contact:

Regulatory Body/Authority: Autoriteit Persoonsgegevens

Address: PO Box 93374, 2509 AJ, DEN HAAG



Phone number: +31708888500

This Privacy Policy is published on SSBV’s web page. By doing so, SSBV is willing not just to comply with the GDPR regulation but also to demonstrate a high level of transparency to data subjects regarding data processing.

This Privacy Policy may be updated periodically and without prior notice to you to reflect changes in our information practices or relevant laws. We will post a notice on our web page that points to this document to notify you of any substantive changes to the way we collect and process personal information.

2. Applicable data protection legislation

  • The General Data Protection Regulation, EU 2016/679 (GDPR)

SSBV continually strives to follow the principles of the GDPR that are based on legitimate processing of personal data, processing that has a definite purpose, avoiding over-processing/excessive processing, whilst maintaining integrity of personal data and ensure their secrecy and disclosure to unauthorized persons.

3. Reason for creation of this Policy

This Privacy Policy was created in order to demonstrate that SSBV:

  • is aware of the importance of the GDPR and protecting the privacy of data subjects, regardless of the role
  • has implemented numerous technical and organizational measures and controls in order to secure the processing of personal data / personal identifiable information (PII)
  • that it is open and transparent to the data subjects whose data are being processed
  • has undertaken multiple protective measures with other Controllers, Processors and Sub-Processors
  • continuously raises awareness among its staff regarding the processing of personal data
  • acts proactively in terms of protecting the privacy of the data subjects by the principle ‘Privacy by Design’ that the GDPR promotes.

4. Definitions and terms used in this Policy

Privacy is a fundamental human right that implies protection against unnecessary disclosure of one’s identity. Privacy is closely linked to one’s physical security and freedom.

Privacy Policy is a document describing how the Controller / Processor / Sub-Processor collects, uses, processes, discloses and manages the personal data of the data subjects involved in the processing.

Personal Data is personal identifiable information that refers to an identified natural person or identifiable natural person or natural person that can be identified as a person whose identity can be determined directly or indirectly, based on only unique ID number of the citizen or based on one or more characteristics specific to his physical, mental, economic, cultural or social identity. The following categories of data are considered to be treated as personal: name, surname, address, date of birth, citizen’s ID number, ID card number, passport number, photo ID, telephone number, email address and other data through which you can directly or indirectly reveal the person’s identity.

Processing of personal data means an operation or set of operations performed on personal data by manual, automated, electronic or other means, such as: collection, recording, organizing, structuring, storing, adapting or changing, retrieving, consulting, use, disclosure by transferring, posting or otherwise making available, combining, blocking, deleting or destroying.

A data subject is a natural person whose personal data is processed by SSBV.

A data processing agreement (DPA) is a legally binding document to be entered into between the controller and the processor in writing or in electronic form. It regulates the particularities of data processing – such as its scope and purpose – as well as the relationship between the controller and the processor.

Controller of personal data (Data Controller / Controller) is a natural or legal person, body of state authority or other body, which independently or together with others determines the purposes and the manner of personal data processing. SSBV has in some cases the role of Data Controller (for example: staff, applicants).

Processor of personal data (Data Processor / Processor) is a natural or legal person or a government authority which processes personal data on behalf of the Data Controller. The data processor processes the data in accordance with the applicable legislation, as well as in accordance with the guidelines and instructions obtained in the DPA signed with the Controller. In case of existence of a sub-processor, the Processor is obliged to inform the Controller, and to conclude with the sub-processor a DPA where the rights and obligations of the Processor are transferred/shared in relation to the Controller. SSBV in some cases acts as a data processor (for example: clients’ PII where in this case clients are data controllers).

Sub-processor of personal data (Sub-Processor) is a natural or legal person or authorized state agency that processes personal data on behalf of data processor and the data controller. The Sub-Processor shall process the data in accordance with the applicable legislation, as well as in accordance with the guidelines and instructions obtained in the DPA concluded with the Processor. SSBV in some cases acts as a sub-processor of personal data.

Data Protection Officer (DPO) is a person appointed by SSBV in order to implement and continuously maintain the level of compliance of SSBV with the regulations in the field of data protection. The DPO reports directly to the highest management body of SSBV. The DPO should have relevant knowledge in the field of personal data protection, act independently and act as part of a team of DPOs. In order to allow the DPO to act and deliver its opinion in a timely manner, DPO should be involved in SSBV’s activities in a timely manner (for example, involved in projects, information risk analysis, recruitment process in coordination with HR and other processes that are in any way connected to processing of personal data).

Special categories of personal data (sensitive data) are personal data that reveal racial or ethnic origin, political, religious, philosophical or other beliefs, union membership, and data on human health, including genetic data, biometrics data or data relating to sex life.

Data registry is a structured set of personal data that is accessible according to specific criteria, whether centralized, decentralized or disseminated on a functional or geographical basis.

Authorized staff are staff/personnel engaged by the Controller who has authorized access to documents containing PII and who have access to information systems where PII is being processed.

The General Data Protection Regulation, EU 2016/679 (GDPR or Regulation) is a European legal framework whose primary purpose is to enhance and unify the protection of privacy, personal data and their complete processing. It is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also refers to the transfer of personal data outside the EU and EEA areas.

Dutch data protection authority (Autoriteit Persoonsgegevens) is a regulatory body of state authority whose role is to ensure the right of privacy of data subjects.

A data protection impact assessment (DPIA) is a privacy-related impact assessment whose objective is to identify and analyze how data privacy might be affected by certain actions or activities.

Direct marketing is any form of communication made in any way for the purpose of sending advertising, marketing or propaganda material that is directed directly to a particular subject of personal data.

Cookies are text files that the web browser has stored in the user’s device and are used by websites to authenticate, preserve the information / preferences for the website, other information on browsing and to another which can help the web browser while accessing certain web servers. 

Artificial intelligence (AI) is intelligence demonstrated by computers, as opposed to human intelligence. encompasses the ability to learn and to reason, to generalize, and to infer meaning.

5. Legal basis and purposes for processing personal data

Under GDPR, there are six different legal bases under which personal data can be processed. SSBV uses a few of them, and these are briefly described below:


SSBV will collect and process data subjects PII with the statement of consent as legal ground only in situations when a contract or service agreement cannot be used as such (for example, job applicants). Such consent can be revoked at any point of time by the data subject by using minimal effort.

Performance of a contract / service agreement

In case personal data is required to fulfil a legal contract / service agreement with the data subject or to take necessary steps at the request of those concerned prior to entering into the contract, explicit consent is not required. This also applies to cases when SSBV signs a legal contract with a client for the provision of our IT and Consultancy services and solutions and the data subjects’ personal data is necessary to complete the contract.

Legal Obligations

When SSBV acts as Data Controller, it is required to collect and process the data subject’s personal data in order to comply with legal obligations such as the EU member state’s employment or taxation legislation. Examples of those purposes are tax and financial documents and health and safety protocols.

Legitimate Interests

If processing specific personal data is in the legitimate interest of SSBV and a proportionality assessment determines that it is not overridden by the interests or fundamental rights and freedoms of the data subject, then this may be defined as a lawful basis for processing. Possible uses are monitoring, access control (for safety purposes), conducting background criminal checks of personnel, storing the feedback of interviews with applicants (to maintain quality and consistence of our recruitment process) and cookies on the website (to analyze website usability).

6. Processing of personal data within SSBV

Depending on the situation, SSBV can have the role of a Data Controller, Data Processor or Sub-Processor.

In each of the cases above, the processing of personal data must have an appropriate legal basis for processing.

SSBV always aims to minimize the amount of processed personal data regardless of the purpose of processing.

DPIA will be conducted in cases when there is a potential risk of compromised processing of PII.

6.1 SSBV as a Data Controller       

In cases where SSBV acts as a Controller, SSBV collects personal data directly from the data subjects and then structures them into appropriate data sets. Each data set contains information on the legal basis of the processing, the purposes of the processing, categories of personal data processed, information on the data transfers, information on data retention. Examples of data sets where SSBV is in the role of Controller are data set of employees, private entrepreneurs, engaged persons, contractors, business associates, applicants, interns, visitors, individuals writing via our online contact form, the chatbot, our related landing websites etc. The data we collect using these channels can be stored on SSBV’s servers but also cloud services like Amazon, Azure or Google Cloud. When SSBV collects personal data for specific purposes or on-time activities (for example: marketing activities, social media campaigns, trainings for externals), SSBV provides Privacy Notice to the audience/invitees in order to inform them about data processing activities such as filming or photographing.

The meta-data about the collected PII is organized and stored into a data registry containing multiple data sets.

The default retention period for the PII of applicants (most often included in a form of CV) is 2 years, unless we have permission from the data subject to keep his/her PII in order to get in contact for other job openings.

The default retention period for the PII of visitors and data subjects who contact us via online forms is 2 years.

 6.2 SSBV as a Data Processor

SSBV has the role of Data Processor in cases when it processes PII of data subjects on behalf of other Controllers. Most often, the purpose of processing is the realization of contractual obligations between the Controller (usually a client or HR agency) and SSBV. The manner of processing is regulated within the service agreement or by signing a separate DPA between such Controller and SSBV.

SSBV is committed to providing equal level of protection for the PII regardless of its role.

 6.3 SSBV as a Sub-Processor

SSBV has the role of a sub-processor in cases when it processes the PII of data subjects from other Controllers and Processors, on behalf of the Controller, the Processor or the data subjects. The purpose of such processing is usually the realization of contractual obligations between the Controller / Processor and SSBV. The manner of processing is regulated within the service agreement or by signing a separate DPA between the Controller / Processor and SSBV. SSBV is committed to providing equal protection and treatment for each PII regardless of its role.

7. Security of information systems and securing the processing of PII

Article 32 from the GDPR is all about security of processing. SSBV is committed to ensuring an appropriate level of information security by following the principle of providing confidentiality, integrity and availability to all information assets including the PII.

The information security objectives are set out as one of the Company’s strategic directions as SSBV is ISO 27001 certified company. Some of the controls aimed to protect valuable Company’s assets, including the PII are:

  • Personnel security
  • Access control
  • Asset management
  • Cryptography
  • Physical and environmental security
  • Operations security
  • Communications security
  • System acquisition, development and maintenance
  • Supplier relationships
  • Information security incident management
  • Information security aspects of business continuity management
  • Internal audits

By implementing these numerous technical and organizational measures, the Company ensures that the PII that is being processed is processed in a secure environment and in a way that is compliant with the applicable data protection legislation.

8. Staff processing PII on behalf of SSBV

Before commencing their work with SSBV and starting processing PII on behalf of the Company, all staff are required to:

  • sign a labor contract or a service agreement
  • sign a Non-Disclosure Agreement (NDA)
  • sign a Data Processing Agreement (DPA)
  • comply with all the internal policies and procedures
  • undergo trainings related to information security and protection of PII

Besides this, training related to information security and protection of privacy is organized for staff on an ongoing basis.

9. Transferring PII

When transferring personal data, SSBV acts in accordance with Article 46 of the Regulation.

When acting as the Controller, SSBV may transfer personal data to entities in countries inside EU / EEA and in third countries when there is secured an appropriate level of data protection but not lower than that SSBV has. When in the role of Controller, SSBV may transfer personal data to entities in EU / EEA member states as well as to third countries (outside of EU / EEA). Every such transfer of personal data is regulated by a DPA.

When acting as the Processor, SSBV may transfer personal data to entities in countries EU / EEA and in third countries (outside of EU / EEA) when there is secured an appropriate level of data protection, but not lower than that the Controller and SSBV have. Transferring data to third countries, SSBV may only perform in cases when that is being previously agreed with the Controller through a DPA. In such a case, the Controller is obliged to notify the subjects of personal data about the transfer which carries the data to the Processor and sub-Processor. When in the role of Processor, SSBV transfers personal data to entities in EU / EEA member states as well as to third countries (outside of EU / EEA). Every such transfer of personal data is also governed by a separate DPA.

When acting as a sub-Processor, SSBV may transfer personal data to entities in countries EU / EEA and in third countries (outside of EU / EEA) when there is secured an appropriate level of data protection, but not lower than that the Controller and Processor has. Transferring data to third countries SSBV may only perform in cases when that is being previously agreed with the Controller through a DPA. In such a case, Controller and Processor are obliged to notify the data subjects in relation to the transfer performed by the data to sub-processors. SSBV, when acting as a Sub Processor, transfers personal data to entities in EU / EEA member states as well as to third countries (outside of EU / EEA). Each transfer of personal data where SSBV is a sub-processor is governed by a separate DPA.

10. Data Retention

SSBV and its staff are fully aware of the GDPR principles and of the obligations related to data retention. The Company manages multiple data sets that are organized in the form of a Data Registry.

Depending on the purpose of processing and as well as on the obligations arising between the Controller and the data subjects, each data set may have a different retention period.

Upon fulfillment of the purpose of processing or after the expiry of the retention period of the PII whether SSBV is in the role of Controller, Processor or Sub-Processor, the records containing PII shall be destroyed in accordance with SSBV’s Data Retention Policy or according to a defined retention schedule with the Controller (most often a client of SSBV) in a manner that does not allow the PII to be further used or reconstructed. This applies not only to personal data stored in digital/electronic form but also to PII stored as hard copy documents.

11. Data subject rights

One of the main objectives of SSBV regarding processing of PII is to be proactive and transparent to the data subjects as possibly can. In regard to this the Company has established Procedure for exercising data subject rights.

The rights of data subjects with regard to their privacy and legality of processing their PII are according to Articles 13, 14 and 15 of the Regulation and are the following

  • Right to object to incompliances on data processing
  • Right for correction of personal data
  • Right to restrict processing
  • Data portability
  • Right to access personal data

Such request may be addressed directly to the DPO’s email where it will be further processed.

12. Children’s privacy

Our services are not intended for children under 18 years of age (or such greater age required in the applicable jurisdiction for you to be bound by a contract without guardian consent). We do not knowingly collect, maintain, or use Personal Information from children under 18 years of age, and no part of the services is directed to children under the age of 18. If you learn that your child has provided us with Personal Information without your consent, then you may alert us at If we learn that we have collected any Personal Information from children under 18, then we will promptly take steps to delete such information.

13. Privacy and AI

SSBV collects a variety of information that you provide directly to us. For example, we collect information from you when you:

  • Request a demo.
  • Communicate with us within chatbot.
  • Interact with us when we reach out to you by email in our sales and marketing efforts.

SSBV may use third-party AI tools such as chatbots or other AI technologies for the following purposes:

  • Provide, maintaining and improving our Website and Services
  • Respond to your inquiries and requests for information, and provide you with more effective and efficient customer service
  • personalizing user experiences
  • enhancing data analysis.

The types of data we collect directly from you may include:

  • First and last name
  • Business contact information (email address)
  • Your position and role in your company or organization

Please refrain from sharing any additional personal information within the chatbot. Your understanding and cooperation help us ensure your privacy and security.

14. Direct marketing

SSBV may conduct direct marketing only to data subjects who have given their consent for this specific purpose.

15. Cookies

Cookies are small pieces of text sent to your browser by a website you visit, in this case Symphony Solution’s (SSBV’s) website. They help our website remember information about your visit, which can both make it easier to visit the site again and make the site more useful to you. SSBV analyses data on how users found us, where they clicked, what parts of web page was found most interesting and how it was navigating through it. This is used to optimize the design and improve the user’s experience. SSBV does not use cookies to track users when they leave the website. Also, we do not try to identify users by capturing personal data.

Note that it is up to you if you want to accept or decline the cookies. If accepted, cookies may stay on your computer after you finish browsing a page, and even after you close the browser or shut down your device. 

Also note that all modern web browsers can be configured to decline cookies or clear them upon request. For details, please follow the instructions provided by the vendor of the browser you use.

16. Breach notification

In case of a security incident linked to the compromise, loss or disclosure of personal data to unauthorized persons, SSBV, if it owns contact details of the data subjects involved in the breach, shall directly inform the data subjects and/or other concerned parties about the incident.

In case the compromised personal data is inherited from another Controller, SSBV shall inform that Controller about the breach not later than 72 hours after SSBV became aware of the incident.

If there is a large-scale data breach, SSBV shall deliver a public announcement or an appropriate posting on its website or other public media, not later than 72 hours after SSBV becomes aware of the incident.

This obligation is also very often included in the DPAs signed between SSBV and the Controllers / Processors, where also the point of contact (name, email, phone) is defined

Symphony Solutions BV

SSBV – Privacy policy – 01.04.2024 – v7