GDPR Statement on Privacy

RIFF processes your data because RIFF has concluded a services agreement with you. We hereby observe the rules as they have been established by the general data protection regulation or ‘General Data Protection Regulation' (GDPR). We have also concluded a processor agreement with you.

What are the implications for you?
We are a performance based marketing firm. That means that our team of specialists deals with customer data for a wide range of clients in both commercial and non-profit sectors daily. Our team of experts collects and analyses customer data, so it can it can provide you with sound on-line marketing advice. In addition, our specialists are trained to handle personal data in a secure manner.

As a client, you ask for on-line advice, based on your customer data. Whether this regards the setting up of a newsletter, analysing an advertising campaign or the tagging of words for an SEO campaign, 9 times out of 10 such data are at play.

As the owner of that data, a client must also observe GDPR and you are the ‘Data Controller’ in the sense of GDPR. So before we at RIFF get started on your data, we expressly request for access to certain accounts.

Examples of accounts are:

  • Social media accounts (Facebook, Instagram, LinkedIn)
  • Google Analytics Accounts
  • Advertising Accounts
  • E-mail Marketing Tools (e.g. Copernica/Spotler/Mailchimp)

At RIFF we work according to the four-eye principle and we make sure that there always are multiple specialists involved with a single client. When data must be transferred from specialist 1. to specialist 2., we make sure this is done in accordance with GDPR.

Personal data is only processed in the way we have established with you.

In this context we further refer to the arrangements we have made for this in the processor agreement. In the following you can find an explanation of our privacy policy with reference to some important subjects from GDPR.

Receiving and returning personal data

Receiving
Our purpose as marketers is to make your customer data give superior yield by offering advice for your on-line marketing strategy. When we start processing your Personal Data, we receive this data through a secured web portal or SFTP server (secured FTP). If you are unable to set up a secure environment, we can do it for you. In the context of the transfer of data the following rule applies: we exclusively receive relevant data from you. We only receive the information which is necessary to issue sound on-line marketing advice.
One of the main measures of GDPR is this: to minimise access to your personal data. The specialists on our client teams only have access to the data they need to prepare thorough marketing advice for you. Such access is encrypted and only available for the specialists who are working for you.
These actions, taken by our staff on a daily basis, are logged and can be traced afterwards.

Returning
It may be that certain data must be modified or enriched. This means that at that point the data has been ‘processed’ by you, the client. We establish with you what method to use for this. We also establish which specialists are authorised to receive this newly processed data.

Removal of data
Most data is kept by us for 30 more days after processing – unless we make different arrangements for this in the processing agreement. After this period, the data is definitively removed. During this retention period, it is only possible to answer questions regarding the processing.

Data leaks and other security incidents
In case a data leak were to occur, it is reported by us within 24 hours, in conformity with the arrangements concerning in the processor agreement.

RIFF Non-disclosure statement
The RIFF collaborators have all signed a statement saying that they understand what GDPR means and that they will maintain the secrecy of and handle with due diligence the personal data of clients. Our RIFF collaborators are fully aware of this and receive training regularly to remain alert.

RIFF Security measures
Naturally, we have also taken our own measures to stop malicious actors. This means that our offices have been optimally secured, that collaborators are obligated to store their laptops in lockers or to take them home in the evening and, where possible, we work with personal usernames and passwords.

When is data covered by GDPR?
According to the general data protection regulation, Personal Data is any piece of information on an identified or identifiable natural person. This means that the information either regards someone directly, or that it can be traced back to that person. And it always regards a natural person. Besides personal data, also special personal data is identified. Those receive additional protection from the legislator.

Examples of personal data:
• Name, address, place of residence • Passport photo with name • Company information • Logos, printed material or graphical designs • Database with numbers or generic data • Discount or gift-card codes

Examples of special personal data:
• Religion or personal convictions • Race • Political preference • Health • Sexual orientation • Membership of a labour union • Criminal past • name and address information or passport photo combined with any of the above data

The data which is most confidential is the social security number (BSN) and bank information, such as bank account numbers, in combination with the data indicated above.

Addendum: Definitions
We have encountered a few terms in the preceding announcement. In the following you can find an explanation of these terms:
Person concerned or data subject: the person Personal Data is in regard to.

Personal Data: any data regarding an identified or identifiable natural person.

Data Leak: a breach of the security as intended in GDPR which leads to a considerable risk of seriously adverse effects, or which has seriously adverse effects on the protection of Personal Data.

Third Parties: others than Client and Contractor and our Collaborators.

Reporting Duty Data Leaks: the obligation to report Data Leaks to the personal data protection agency ‘Autoriteit Persoons gegevens’ and (in some cases) to data subject(s), pursuant to GDPR.

Collaborators: persons working at or for the Processor, either under employment or temporarily hired.

Processing: process in the sense of GDPR. Process comprises any action (or series of actions) regarding Personal Data, including in any case the collecting, recording, ordering, keeping, updating, modifying, requesting, perusing, provision by way of forwarding, distribution or any other form of making available, aggregating, mutually linking, as well as the shielding, deleting, or destruction of data.

Data Controller: the person determining the purpose and the means for the Processing of Personal Data. The Data Controller is the person who has control over what is processed. Characteristic for the Data Controller is that he can issue instructions for the purpose of the processing of data and therefore has effective control over this. Generally this is the proprietor of the data.