Privacy policy

In this Privacy Policy we inform you about how we handle your personal data. This Privacy Policy applies to the processing of the personal data of (the contact people at) our clients, business relations and referrers, recipients of our communications and those who attend our events, as well as to the visitors to our websites.

Envoy Exploitatie N.V. (“Company”, “we” “us” and/or “our”), a limited liability company (naamloze vennootschap) existing under the laws of Curaçao, registered in the Commercial Register of the Curaçao Chamber of Commerce & Industry under number 157630, is the controller for the processing of your personal data. We may amend this Privacy Policy from time to time, if there are changes to how we process your personal data, for instance, or if this is necessary on the basis of regulations. We shall inform you of essential changes.

Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.

1. To whom does this Privacy Policy apply?

This Privacy Policy applies to everyone who visits our website and to people whose personal data are processed by us in the context of its provision of our services.

People whose personal data are processed by us in the context of its provision of our services are:

  • Contact persons at our clients;

  • Contact persons at our potential clients;

  • Contact persons at our business relations;

  • Contact persons at our referrers;

  • Recipients of our communications, such as our newsletters and invitations to events organised by

    or in cooperation with us;

  • People who contact us otherwise or whose personal data we process otherwise in the context of

    our service provision;

  • Visitors to our websites.

    2.What personal data do we process in relation to you?

    The personal data we process in relation to you are:

  • Personal data you have provided to us;

  • Personal data obtained from other sources;

  • In case cookies are placed on the website, personal data that give insight into the use of our

    website or other electronic means of communication; Personal data provided by you:

  • this is information about you that you give us directly when you interact with us and includes your username, and your email address or Twitter handle if you choose to give us this information;

  • contact details and other personal data which are needed for you to be able use our services. These include details such as your name, address, telephone number, email address, job title(s) and (details of) your identification documents (identification data), and also other specific special details;

  • contact details and other personal data filled in on contact forms or other web forms. The precise content of the data depends on the content of the contact forms and web forms;

  • contact details provided during initial meetings, events, seminars, etc. These may include details provided on business cards;

  • other personal data that are provided by you.
    Personal data obtained from other sources could include (to the extent required):

  • personal data available on public professional social media platforms such as LinkedIn. These are names and contact details;

  • personal data obtained from the Trade Register of the Chamber of Commerce and the Land Registry Office. This could include a Chamber of Commerce number and contact details; and

  • personal data available on public professional websites, such as company websites. 3. For what purposes do we process your personal data?
    We may use your personal data for the following purposes:

  • To perform a contract in which you have engaged us to provide you with our services.

  • If you engage us to use our services, your contact details will be requested in that context. Other personal data may also be necessary for the handling of the matter, depending on the nature of

    your request. Data from other parties involved may also be processed.

  • To invoice for services rendered.

  • To comply with our statutory obligations, including local tax legislation.

  • To identify our clients or their representatives.

  • To stay in contact with you. We feel it is important to contact you with information that is relevant

    for you. We combine and analyze the personal data available to us in order to be able to do so. Based on this, we determine what information and channels are relevant and which moments are most suitable for providing information or making contact. In conducting marketing campaigns, we do not process any special personal data or any confidential data.

  • To evaluate. We may send you an email including a link to the evaluation or an online questionnaire. Participation is on a voluntary basis and can be done anonymously. Prior to the evaluation, you will receive further information on how we shall handle the obtained information.

  • To improve and secure our website.

  • To prepare analyses and user statistics.

  • To perform audits.

    4. What is the legal basis for the processing of your personal data?

    We process your personal data only when this is permitted on grounds of one of the legal bases cited in the general data protection regulation (GDPR). We are guided by the following legal bases:

  • -  Consent

    • We ask your consent for participation in a client satisfaction survey.

    • We may ask your consent for direct marketing purposes, which will be specified in detail when

      you give your consent You can find more information on this subject in this Privacy Policy.

    • Where required, we ask your consent for the use of cookies on our website.

      If we have requested and obtained your consent to process your personal data, you have the right to withdraw such consent at any time. You can do this here or by contacting us via the contact details in this policy.

  • -  The processing is necessary in order to establish a contract or in the run-up to the establishment of a contract.

  • -  Statutory obligation
    The personal data we collect may be used to comply with a legal obligation to which we are subject,

    such as supervisory bodies, fiscal authorities or investigation bodies.

  • -  Legitimate interest

    We may also process personal data if we have a legitimate interest and this does not breach your privacy disproportionately, such as:

    • to contact you for direct marketing or other commercial purposes;

    • to analyze and improve the quality of our products and services;

    • to understand you as a customer (customer optimalization);

    • to operate and expand our business activities;

    • to generate aggregated statistics about the users of our products and services;

    • to facilitate our business operations;

    • to operate company policies and procedures;

    • to enable us to make corporate transactions, such as any merger, sale, reorganization, transfer of

      our assets or businesses, acquisition, or similar event.

      5.How long do we keep your personal data?

      We will not keep your personal data longer than strictly necessary for the purposes for which they are processed, unless statutory requirements obligate us to keep your personal data longer. More specifically, the applicable retention periods are listed below.

a) We will delete your personal data if you have withdrawn your consent or have decided to opt out.

  1. b)  We will keep your personal data in our contact database for up to five years from the day the business relationship ends. After this period of five years we shall delete your personal data.

  2. c)  The personal data that were processed to verify the identity of a client or its representative will

    be kept for five years from the day the business relationship ends.

  3. d)  The retention period of the client files is subject to several factors, including the type of matter it

    concerns. We usually keep client files for a period of five or twenty years after the file is closed. It depends on the applicable time limit of the file in question. We shall keep certain documents in accordance with the statutory retention periods.

  4. e)  Any camera footage will be destroyed within four weeks, unless there is an incident which requires us to hold on to the footage for longer.

  5. f)  We will delete visitor registration details within seven weeks from the date the right to access the information expires or from the date of the visit.

6. Who has access to your personal data?

Your personal data are only accessible to people at the Company authorized to access them on a ‘need- to-know’ basis. Outside of the situations mentioned in this Privacy Policy, we will not disclose your personal data unless we deem this disclosure necessary in order to satisfy our statutory obligations, to protect our rights or someone else’s rights, or to enforce compliance with this Privacy Policy.

Sometimes it is necessary to share your personal data with third parties. Depending on the circumstances of the case, this may be necessary in order to handle your file. There are also statutory obligations which mean that personal data must be passed on to third parties.

Personal data are provided to third parties in the following cases, among other things:

  • When handling a file, it may be necessary to share your personal data with third parties. For example, when litigating against another party, concluding a contract or for a notarial deed involving several parties.

  • If a court order requires us to provide personal data to third parties, we must comply with that.

  • Your personal data are not shared with third parties for commercial purposes. There is one exception to this. We sometimes work with other organizations to organize a joint activity, such

    as an event or seminar. In that case, only the necessary contact details will be exchanged.

  • Personal data may also be provided to third parties in the event of a reorganization or merger of

    our business or sale of (part of) our business.

  • We may engage service providers (processors) for the processing of your personal data, who

    process personal data exclusively on our instructions. We conclude processing agreements with these processors which fulfil the requirements of the general data protection regulation.

    7. Transfer of personal data to foreign countries

    The files handled by us will be documented and saved in Curaçao. The personal data contained in these files are not transferred to other countries unless this is necessary for the establishment, exercise or defense of legal claims.

    When your personal data are processed, your personal data may be shared with third parties. These parties may be located outside Curaçao. In the case that personal data is passed on to countries outside

of the European Union, we will ensure that your privacy remains protected in the best way possible. We work with official model contracts, which are especially set up to safeguard your privacy.

8. How do we secure your personal data?

We do our utmost to take appropriate technical and organizational security measures to protect against the loss, abuse and alteration of your personal data for which we are responsible. To ensure the security of your personal data, we have taken the following technical and organizational measures, among other things:

  • Availability and continuity: We do our utmost to ensure optimal availability and continuity of our website and our systems.

  • Device management and security: Exclusively devices managed by us have direct access to our systems.

  • Physical security: Our building is secured by physical access control and camera security. Only people authorised to access our building may enter.

  • Authorisations: The access to our systems is protected via role-based security.

  • Encryption: We use encryption to secure our laptops and the exchange of data with you can, on

    request, also take place using encryption.

  • Monitoring of our systems: Our systems are constantly checked for suspicious behavior via

    monitoring by a certified third party.

  • Periodic penetration testing: A certified third party regularly conducts penetration tests on our

    network for internal and external vulnerabilities.

  • Thread protection: Various systems have been put in place to prevent unauthorized access and

    exchange of personal data.

  • Data protection: Every new system we consider adopting must be tested in advance for the

    principles of privacy by design and privacy by default. Before we put a new system into use, we

    will also subject that system to a data protection impact assessment, if required by law.

  • Data Leaks: We have established a Data Leak Team to detect and report data leaks.

    9. Your Rights

    You have various privacy rights pursuant to the privacy regulation.

    Would you like to access your personal details or receive a copy for free? Or would you like to edit your details, delete or restrict usage, or adjust your email preferences? You can do this by sending us your request via mail or email (see our contact details in this Privacy Policy). In this way you can object to the usage of your information for marketing purposes, or let us know that you feel your privacy weighs more heavily than our interests. We will review the situation in this case. Do you want us to transfer your information to another party? Send your request via mail or email (see our contact details in this Privacy Policy) and we will make it happen.

    You can easily unsubscribe from our newsletter through the link at the bottom of the newsletter itself.

    If you send us a request to exercise your privacy rights, we want to make sure it is really you. We could ask additional information to establish your identity. We also do this when we receive unclear requests.

    10. Our contact details

Please contact us, if you have any questions or comments with regard to how we handle your personal data: info@envoy.art.

You have at all times the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of your personal data infringes the applicable law including the EU General Data Protection Regulation (GDPR).