Privacy Policy

of Symphony Solutions Netherlands BV
Effective as of September 19th, 2025 – Version 9

1. Introduction

Symphony Solutions Netherlands BV (“SSNBV”, “we”, “our”, or “the Company”) is committed to safeguarding your personal data in accordance with the General Data Protection Regulation (EU 2016/679) (“GDPR”). With our registered office at Laarderhoogtweg 25, 1101 EB Amsterdam, The Netherlands, we uphold the highest standards of transparency, security, and accountability in the processing of personal information.

This Privacy Policy explains how we collect, use, disclose, and secure your personal data.

We regularly update this document to remain aligned with evolving legal and technological standards.

2. Contact Information

Data Controller & Data Processor:
Symphony Solutions Netherlands BV
www.symphony-solutions.com
info@symphony-solutions.com

Data Protection Officer (DPO):

dpo@symphony-solutions.com

Supervisory Authority:
Autoriteit Persoonsgegevens (Dutch Data Protection Authority)
PO Box 93374, 2509 AJ, The Hague
autoriteitpersoonsgegevens.nl
+31 70 888 8500

3. Legal Framework

This policy reflects our adherence to the GDPR, particularly regarding:

  • Lawful, fair, and transparent data processing
  • Purpose limitation and data minimization
  • Accuracy and integrity of personal data
  • Storage limitation and accountability

4. Purpose and Scope

This Policy serves to:

  • Confirm SSNBV’s firm commitment to GDPR compliance
  • Highlight technical and organizational measures for secure data processing
  • Reinforce our dedication to privacy by design and by default principles
  • Inform individuals of their rights and the mechanisms available to exercise them

5. Key Definitions

Some of the principal terms used herein include:

  • Personal Data: Information identifying or capable of identifying an individual directly or indirectly.
  • Processing: Any operation performed on personal data, from collection to destruction.
  • Controller / Processor / Sub-Processor: Entities responsible for defining or acting upon the purposes of data processing.
  • Data Subject: The individual to whom the personal data relates.
  • DPO: Internal advisors ensuring organizational compliance with data protection laws.
  • DPA: Legally binding agreement defining data processing terms between relevant parties.
  • Controller of personal data (Data Controller / Controller) is a natural or legal person, body of state authority or other body, which independently or together with others determines the purposes and the manner of personal data processing. SSNBV has in some cases the role of Data Controller (for example: staff, applicants).
  • Processor of personal data (Data Processor / Processor) is a natural or legal person or a government authority which processes personal data on behalf of the Data Controller. The data processor processes the data in accordance with the applicable legislation, as well as in accordance with the guidelines and instructions obtained in the DPA signed with the Controller. In case of existence of a sub-processor, the Processor is obliged to inform the Controller, and to conclude with the sub-processor a DPA where the rights and obligations of the Processor are transferred/shared in relation to the Controller. SSNBV in some cases acts as a data processor (for example: clients’ PII where in this case clients are data controllers).
  • Sub-processor of personal data (Sub-Processor) is a natural or legal person or authorized state agency that processes personal data on behalf of the data processor and the data controller. The Sub-Processor shall process the data in accordance with the applicable legislation, as well as in accordance with the guidelines and instructions obtained in the DPA concluded with the Processor. SSNBV in some cases acts as a sub-processor of personal data.
  • Special categories of personal data (sensitive data) are personal data that reveal racial or ethnic origin, political, religious, philosophical or other beliefs, union membership, and data on human health, including genetic data, biometric data or data relating to sex life.
  • Data registry is a structured set of personal data that is accessible according to specific criteria, whether centralized, decentralized or disseminated on a functional or geographical basis.
  • Authorized staff are staff/personnel engaged by the Controller who have authorized access to documents containing PII and who have access to information systems where PII is being processed.
  • The General Data Protection Regulation, EU 2016/679 (GDPR or Regulation) is a European legal framework whose primary purpose is to enhance and unify the protection of privacy, personal data and their complete processing. It is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also refers to the transfer of personal data outside the EU and EEA areas.
  • Dutch data protection authority (Autoriteit Persoonsgegevens) is a regulatory body of state authority whose role is to ensure the right of privacy of data subjects.
  • A data protection impact assessment (DPIA) is a privacy-related impact assessment whose objective is to identify and analyze how data privacy might be affected by certain actions or activities.
  • Direct marketing is any form of communication made in any way for the purpose of sending advertising, marketing or propaganda material that is directed directly to a particular subject of personal data.
  • Cookies are text files that the web browser stores on the user’s device and that websites use to authenticate, to preserve information/preferences for the website and other information on browsing, and for other purposes that can help the web browser while accessing certain web servers.
  • Artificial intelligence (AI) is intelligence demonstrated by computers, as opposed to human intelligence, and encompasses the ability to learn and to reason, to generalize, and to infer meaning.

6. Legal Bases for Data Processing

SSNBV processes data under the following lawful bases:

  • Consent: Voluntary agreement from the data subject (e.g., job applicants).
  • Contractual Necessity: Fulfillment of contractual obligations.
  • Legal Obligation: Compliance with statutory requirements (e.g., tax, employment law).
  • Legitimate Interests: For internal operations such as recruitment analytics or cybersecurity, where data subjects’ rights do not override the Company’s interests.

7. SSNBV’s Roles in Data Processing

7.1 As a Data Controller

SSNBV collects and manages personal data from a variety of individuals, including employees, business associates, job applicants, clients, visitors, and users of our digital platforms. The types of personal data we collect will always be limited to what is necessary for the relevant purpose and may include basic identification details, contact information, and interaction history.

We collect personal data through several channels, such as:

  • Contact forms completed on our website or in other contexts.
  • Chatbot interactions that provide support, guidance, or service information.
  • Marketing campaigns and related initiatives where individuals choose to engage with us.

In addition, for specific purposes or one-time activities—such as marketing initiatives, social media engagement, corporate events, or external trainings—SSNBV may issue a dedicated Privacy Notice. This notice clearly informs participants of the scope of data processing activities, which may include the use of filming, photography, or other recordings. Such notices are designed to provide transparency, explain how the data will be used, and outline the rights available to individuals under applicable data protection laws.

Categories of Personal Data

The categories of personal data collected by SSNBV may vary depending on the purpose of processing. In general, they may include:

  • Identification and contact information (e.g., name, address, phone number, email).
  • Employment-related data (e.g., CV details, qualifications, professional history, performance information).
  • Business relationship data (e.g., contractual information, communication records, billing details).
  • Digital interaction data (e.g., website usage logs, chatbot transcripts, marketing engagement metrics).
  • Event or training participation data (e.g., attendance lists, recordings, photography, feedback forms).

Only the data relevant and necessary for the stated purpose will be collected and processed.

7.2 As a Data Processor or Sub-Processor

SSNBV also processes data on behalf of other Controllers (clients or partners). These engagements are governed by signed Data Processing Agreements (DPAs) and ensure parity in data protection regardless of our operational role.

8. Information Security

We are ISO 27001 certified and maintain robust security controls, including:

  • Information security policies
  • Organization of information security
  • Human resource security
  • Asset management
  • Access control
  • Cryptography
  • Physical security
  • Operations security
  • Communications security
  • Supplier relationships

These measures uphold the confidentiality, integrity, and availability of personal data in our care.

9. Personnel Compliance

All personnel processing PII must:

  • Sign binding legal agreements (NDA, DPA)
  • Follow internal security policies
  • Complete regular privacy and security trainings

10. Data Transfers

We conduct cross-border data transfers in accordance with Article 46 of the GDPR. Transfers occur only where an adequate level of protection is ensured, and all such transfers are governed by DPAs and, where necessary, Standard Contractual Clauses (SCCs).

Recipients of such transfers may include, for example, cloud service providers, IT infrastructure hosts, sub-processors, business partners, and other trusted service providers who support our operations.

11. Data Retention

Personally Identifiable Information (PII) is retained in accordance with our internal Data Retention Schedule. It is stored only for as long as necessary to fulfill the intended purpose of processing. Upon expiration of the applicable retention period, data is securely deleted or destroyed in line with our Data Retention Policy and any relevant contractual obligations.

An excerpt from our Data Retention Schedule is provided below:

  • Job applicants: 2 years
  • Visitors: 1 year
  • Data subjects contacting us via website forms: 1 year

12. Rights of Data Subjects

Under GDPR Articles 13–15, you have the following rights:

  • Access your personal data
  • Delete your personal data
  • Rectify inaccurate information
  • Object to or restrict processing
  • Port your data to another controller
  • Withdraw consent at any time

Requests should be directed to: dpo@symphony-solutions.com

13. Children’s Privacy

Our services are not intended for individuals under 18 years of age. If we learn that we have collected personal data from a child, we will promptly delete it. If you believe this has occurred, please contact us immediately.

14. Use of AI

SSNBV may utilize approved AI-driven tools to enhance both our services and internal processes. These tools are carefully selected, vetted, and operated in compliance with applicable data protection regulations and our internal governance standards.

We may apply AI solutions for the following purposes:

  • Improving user experience and customer service: For example, by enabling smarter chat support, faster response handling, or intuitive navigation features.
  • Personalizing content delivery: To ensure that communications, recommendations, and services are tailored to the preferences and interests of users.
  • Optimizing internal analytics: Supporting data-driven decision-making, efficiency improvements, and resource allocation within our organization.

Whenever AI tools process personal data, SSNBV ensures that:

  • Human oversight is maintained to prevent fully automated decisions with legal or significant effects on individuals.
  • Transparency and fairness guide the use of AI, avoiding discriminatory or harmful outcomes.
  • Data minimization and security measures are applied to protect the integrity and confidentiality of personal data.

Only AI technologies that meet SSNBV’s ethical, legal, and security standards are approved for use.

15. Direct Marketing

We will only send marketing communications to individuals who have explicitly opted in. You may opt out at any time by following the unsubscribe instructions included in each message.

16. Use of Cookies

Our website uses cookies to enhance functionality and analyze user behavior. You may disable cookies via your browser settings. We do not track users across other websites or use cookies to capture personal identifiers.

17. Data Breach Notification

In the event of a security incident involving the compromise, loss, or unauthorized disclosure of personal data, SSNBV will directly inform affected data subjects and/or relevant parties, provided their contact details are available.

If the compromised data originates from another Controller, SSNBV will notify the Controller within 72 hours of becoming aware of the breach.

For large-scale data breaches, SSNBV will issue a public announcement—via its website or other media—within 72 hours of awareness.

These obligations are frequently formalized in Data Processing Agreements (DPAs) between SSNBV and Controllers/Processors, which also specify the designated point of contact (name, email, and phone number).