Data Pro Statement

Last modified: 04-12-2025

This Data Pro Statement, together with the Standard clauses on data processing in section 2 of the NLdigital Terms 2020, forms the processing agreement for the products and services of WSB Solutions B.V.

General information

1. This Data Pro Statement has been prepared by the following data processor:

WSB Solutions B.V.
Kade 30
3371 EP Hardinxveld-Giessendam
The Netherlands

If you have any questions about this Data Pro Statement or data protection, please contact our Security & Privacy Officer at privacy@wsb-solutions.nl or by telephone on +31 184 618837.

2. This Data Pro Statement applies from December 02, 2025

We regularly update this Data Pro Statement and the security measures described therein in order to remain prepared and up-to-date with regard to data protection. We publish the current version of this Data Pro Statement on our website.

3. Applicability of the Data Pro Statement

All services of WSB Solutions B.V. (hereinafter referred to as WSB) are listed in our Service Description (Dutch). This Data Pro Statement applies to all processing of Personal Data carried out by WSB in the context of the provision of the services listed in the Service Description and to all our agreements and offers for these services.
The services that WSB provides to you are partly outsourced by WSB to third parties; the so-called “sub data processors” or “sub-processors” according to the General Data Protection Regulation (GDPR). In article 8, this Data Pro Statement contains an overview of the sub-processors that WSB uses. The agreement(s) that WSB enters into with you will indicate which services WSB provides to you and which third parties WSB uses in those specific agreement(s).
The most important third party whose services WSB provides is Microsoft. For all products and services provided by Microsoft, a direct agreement, the so-called Microsoft Customer Agreement, is concluded between you as a customer and Microsoft. This means that Microsoft, and not WSB, should be regarded as a “Processor” and that Microsoft is not a “sub-processor” of WSB. However, for the sake of clarity, we have mentioned Microsoft in the overview of sub-processors in article 8. In the Microsoft Customer Agreement and in the Microsoft Trust Center, you can find all the information you need about how Microsoft handles security and privacy and complies with the GDPR as a Processor of personal data.

4. Description of services

In our Service Description you will find a description of all available services of WSB. The Service Description determines what you can expect from each service. Each agreement that WSB concludes with you indicates which of the available services WSB provides to you. Any deviations or exceptions to the Service Description are stated in the agreement(s) that WSB enters into with you.

5. Intended Use

WSB’s services are not intended for the processing of special categories of personal data or data relating to criminal convictions and offences or personal numbers issued by the government. The processing of this data with the services of WSB by the Client is at the Client’s own discretion.

6. Standard clauses on data processing

WSB uses the Standard clauses on data processing, which are included in Section 2 of the NLdigital Terms 2020. The NLdigital Terms 2020 are included with each agreement.

7. Processing of personal data within and outside the EU/EEA

For all services that WSB performs itself, WSB processes the personal data of its clients within the EU/EEA. For the services that WSB subcontracts to sub-processors, Article 8 lists for each sub-processor whether it processes personal data within and/or outside the EU/EEA and how the relevant sub-processor complies with the GDPR.

8. Sub-processors

WSB uses the following sub-processors:

Processor (Microsoft is a Processor under the GDPR, not a sub-processor): Microsoft (Microsoft Ireland Operations Limited)
Location: One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland
Processing inside or outside the EU/EEA? Within the EU/EEA (default data center is EU West (the Netherlands); client can choose another data center)
Description of the work: Microsoft Online Services. This includes all Microsoft Cloud services: Azure, Microsoft 365, Dynamics 365, and more
Privacy Statement and Certifications: See the Microsoft Trust Center for up-to-date privacy, security, and compliance information

Sub-processor: RoutIT B.V.
Location: Maxwellstraat 51, 6716 BX Ede, Netherlands
Processing inside or outside the EU/EEA? Within the EU/EEA
Description of the work: Supplier of internet connections and VoIP telephony.
Privacy Statement and Certifications: See the Privacy information on the RoutIT website for up-to-date information. ISO/IEC 27001:2013

Sub-processor: NG-BLU Networks B.V.
Location: Professor van der Waalsstraat 1, 1821 BT Alkmaar, Netherlands
Processing inside or outside the EU/EEA? Within the EU/EEA
Description of the work: Supplier of internet connections and VoIP telephony.
Privacy Statement and Certifications: See the Privacy statement of NG-BLU for up-to-date information. ISO 9001:2015, ISO 27001:2017 and NEN 7510

Sub-processor: Eurofiber Nederland B.V.
Location: Safariweg 25-31, 3605 MA Maarssen, Netherlands
Processing inside or outside the EU/EEA? Within the EU/EEA
Description of the work: Internet Connection Provider
Privacy Statement and Certifications: See Eurofiber’s Privacy Statement and Corporate Compliance page for up-to-date information. ISO 9001, ISO 27001, ISO 14001, ISAE3402 Type II Statement

Sub-processor: Landis Technologies LLC
Location: 1120 Division Highway, Ephrata, PA 17522, USA
Processing inside or outside the EU/EEA? Within the EU/EEA (default data center is EU West (the Netherlands); client can choose another data center)
Description of the work: Vendor of Landis Attendant Console for Microsoft Teams and Landis Contact Center for Microsoft Teams
Privacy Statement and Certifications: Please see the Landis Privacy Policy for up-to-date information. ISO 27001

Sub-processor: Keeper Security, Inc.
Location: 333 N. Green Street, Suite 811, Chicago, IL 60607, USA
Processing inside or outside the EU/EEA? Outside the EU/EEA. Sub-processor complies with the EU/US Data Privacy Framework.
Description of the work: Provider and hoster of Keeper Password manager
Privacy Statement and Certifications: Privacy: Please see the Privacy Policy on Keeper Security’s website and specifically the GDPR Compliance for up-to-date information. Security and certifications: See the data protection information on the Keeper Security website.

Sub-processor: N-able Technologies Ltd
Location: See the contact page on the N-able website for information about the locations. Headquarters: N-able Technologies Ltd, 30 Corporate Drive, Suite 400, Burlington, MA 01803 USA
Processing inside or outside the EU/EEA? Both inside and outside the EU/EEA. Sub-processor has binding corporate rules in place to comply with the GDPR.
Description of the work: Provider of Cove Backup services. Supplier of N-Central Remote Monitoring & Management platform; used for the WSB Remote Management and Support services
Privacy Statement and Certifications: See the N-able Trust Center where you can find up-to-date information in the field of privacy, security and compliance

Sub-processor: TOPdesk Nederland B.V.
Location: Westlandseweg 40, 2624 AD Delft, Netherlands
Processing inside or outside the EU/EEA? Within the EU/EEA
Description of the work: Supplier of Service Management Software; used for the WSB Support Services
Privacy Statement and Certifications: Privacy: Please see the TOPdesk Privacy Statement for up-to-date information. Security: see the TOPdesk – Technical and Organisational Measures for up-to-date information.

Sub-processor: Scope4mation B.V.
Location: Rubensstraat 211, 6717 VE Ede, Netherlands
Processing inside or outside the EU/EEA? Within the EU/EEA
Description of the work: Supplier of Qixium platform; used for the WSB Remote Management and Support services
Privacy Statement and Certifications: Privacy: see the Scope4mation Privacy Statement for up-to-date information. ISO 27001:2017

Sub-processor: Devolutions inc.
Location: 1000, rue Notre-Dame, Lavaltrie, Québec, J5T 1M1, Canada
Processing inside or outside the EU/EEA? Within the EU/EEA
Description of the work: Supplier of Remote Desktop Manager; used for the WSB Remote Management and Support services
Privacy Statement and Certifications: See the Devolutions Legal & Privacy page where you can find up-to-date information in the field of privacy, security and compliance.

Sub-processor: Inforcer Ltd
Location: 128 City Road, London, EC1V2NX, United Kingdom
Processing inside or outside the EU/EEA? Within the EU/EEA
Description of the work: Supplier of Inforcer Platform; used for defining, monitoring and enforcing the Security Baselines of the WSB Security Level services
Privacy Statement and Certifications: See Inforcer’s Privacy and Security Policy. SOC 2 type 1 report.

Sub-processor: Dmarcly
Location: 901 5th Avenue Suite 1720, Seattle, WA 98164, USA
Processing inside or outside the EU/EEA? Within the EU/EEA
Description of the work: Supplier of Dmarcly; used to secure email communications as part of the WSB Security Level services.
Privacy Statement and Certifications: Privacy: see the Privacy Policy from Dmarcly for up-to-date information

Sub-processor: Blackpoint Holdings, LLC
Location: 1099 18th Street, Suite 3050, Denver, CO 80202, USA
Processing inside or outside the EU/EEA? Outside the EU/EEA. Sub-processor has binding corporate rules in place to comply with the GDPR.
Description of the work: Provider of the Blackpoint Cyber Monitoring, Detection & Response service; used for the WSB MDR services
Privacy Statement and Certifications: Privacy: see the Privacy Policy from Blackpoint for up-to-date information

Sub-processor: Sana Commerce EMEA B.V.
Location: Van Nelleweg 1, 3044 BC Rotterdam, Netherlands
Processing inside or outside the EU/EEA? Within the EU/EEA
Description of the work: Supplier of Sana Commerce software; eCommerce software for Microsoft Dynamics NAV and Dynamics 365 Business Central
Privacy Statement and Certifications: See the Security Measures and Privacy Policy from Sana Commerce for up-to-date information.

Sub-processor: Beveiligmij.nl
Location: Fahrenheitstraat 18, 6662 PZ Elst, Netherlands
Processing inside or outside the EU/EEA? Within the EU/EEA
Description of the work: Supplier of Security Awareness training
Privacy Statement and Certifications: Please see the Beveiligmij.nl Privacy Statement for up-to-date information.

Sub-processor: Rewst, Inc.
Location: 9560 W Linebaugh Ave, Tampa, FL 33626, USA
Processing inside or outside the EU/EEA? Both inside and outside the EU/EEA. Sub-processor has binding corporate rules in place to comply with the GDPR.
Description of the work: Supplier of Managed Services Automation Platform
Privacy Statement and Certifications: See the Privacy Policy from Rewst for up-to-date information.

Sub-processor: Tinx-IT B.V.
Location: Bennekomseweg 43, 6717 LL Ede, The Netherlands
Processing inside or outside the EU/EEA? Within the EU/EEA
Description of the work: Supplier of Tinx apps (via Microsoft Appsource); eCommerce software for Dynamics 365 Business Central. Supplier of consultancy services regarding these apps.
Privacy Statement and Certifications: Data Pro Statement, ISO 27001

Sub-processor: Abakion A/S
Location: Vibenhuset, Lyngbyvej 2, 2100 København, Denmark
Processing inside or outside the EU/EEA? Within the EU/EEA
Description of the work: Supplier of Abakion apps (via Microsoft Appsource) and of consultancy services regarding these apps.
Privacy Statement and Certifications: ISAE 3000 and ISAE 3402 declarations; see Abakion’s Policies & Conditions for up-to-date information.

9. Supporting the client with requests from data subjects:

The Client can easily create a ticket via the WSB Support Desk with requests for an export, modification or deletion of data. The procedure for this is included in our Service Level Agreement, which can be found on our website.

10. Deletion of personal data after termination of the agreement with a client

After termination of the agreement with a client, WSB will in principle delete the personal data within 3 months in such a way that they can no longer be used and are no longer accessible (render inaccessible). Exceptions to this are:

  • Personal data that is subject to a legal retention obligation (such as invoicing data).
  • Personal data of a person who has indicated that certain personal data may be processed by WSB (opt-in, e.g. for marketing information).

Security policy

11. Security measures

WSB has implemented the following security measures. These security measures may be adjusted from time to time to reflect changing circumstances.

Obligation of confidentiality
WSB is obliged to maintain the confidentiality of all confidential information, including personal data, of the Controller, that its employees see during the performance of the agreement(s). This is described in the NLdigital Terms that apply to all agreements that WSB enters into with you. To ensure compliance with this confidentiality obligation, WSB requires all its employees to sign a confidentiality agreement upon commencement of employment. This non-disclosure agreement is part of the employment contract. Failure to comply with the confidentiality agreement is subject to a penalty clause.

Quality and Information Security Management System
WSB uses a certified Quality and Information Security Management System that meets the standards of ISO 9001 and ISO 27001 respectively.

To ensure that only authorized employees have access to its systems and data, WSB has policies in the following areas that are laid down in the Management System. Compliance with the policy is verified periodically by internal audits and by external audits, by an independent and accredited party.

  • Mobile Device and Telework Policy
  • Screening Policy
  • Information Classification Policy
  • Access security policy; both for digital and physical access
  • Password Policy
  • Policy on the use of cryptographic controls
  • Clean desk and clear screen policy
  • Backup Policy
  • Information Transport Policy
  • Secure development policy
  • Vendor Information Security Policy
  • Information Security Incident Reporting Policy
  • Sanction Policy
  • Information security in project management

Within the password policy, the following measures have been taken, among others:

  • User identities are centrally managed in our Microsoft Entra environment.
  • Entra has a password policy that requires users to choose a strong password. Users are also required to change their passwords regularly.
  • Multi-Factor Authentication (MFA) has been set up. In order to be able to log in outside the office, in addition to username and password, access to an authenticated device (smartphone) is also required.

Manage customer passwords
In order to be able to carry out its work, WSB may need to have passwords, including the Admin password, of the client. These passwords (and things like encryption keys) are stored centrally and encrypted in the data vault of our password management application. Only WSB employees whose user identity has been verified via Entra and who, by virtue of their position, must have access to these passwords, have access to the data in this data vault.

12. WSB has conformed to the following Information Security Management System (ISMS):

  • ISO 27001

13. WSB has the following certifications:

Data Breach Protocol

14. WSB uses the following data breach protocol to ensure that the client is aware of incidents:

WSB uses the following monitoring tools/practices to identify and respond to potential security incidents:

  • Threat & Vulnerability information from multiple sources (including Microsoft, National Cyber Security Center and Blackpoint Cyber) is actively monitored to identify potential security incidents at the earliest possible stage.
  • The security measures taken in WSB’s IT environment, based on the information security policy, are continuously monitored and enforced. Deviations are largely corrected automatically.
  • WSB’s IT environment is continuously and actively monitored in order to detect potential security incidents as quickly as possible and to be able to take necessary countermeasures.
  • There is a security awareness program in place to alert WSB employees to phishing attempts.
  • There is a Business Continuity Plan and an accompanying scenario with the steps on how to respond if a security incident occurs in WSB’s internal IT environment.

There is a procedure for internally reporting security incidents and data breaches. Security incidents and data breaches are registered in a designated register.

In the event of a data breach, WSB will, as far as possible, provide the following information to the Client within 72 hours of the discovery of the data breach.

General (Responsible Processor)

Name:
Contact:
E-mail address:
Telephone number:

Notification details (to be filled in / ticked by the Processor)

Security Breach Date
o    On:
o    Between: ……………….. and ………………..
o    To be announced

Date of discovery of infringement:

Date of notification to Controller:

Is this a follow-up to a previous report?
o    No, this is the first notification
o    Yes
o    Date of previous notification: ………………………………………….
o    Questions to be completed: ………………………………………….

Summarize the breach:

Indicate the (probable) cause of the breach:

Personal data of how many Data Subjects are involved in this breach?

Describe the group of Data Subjects:

What is the nature of the infringement? (multiple answers possible)
o    Read
o    Copy
o    Modify
o    Delete / Destroy
o    Theft
o    Otherwise: …………………………………………..
o    To be announced

What type of Personal Data is involved? (multiple answers possible)
o    Name, address, place of residence (NAW)
o    Gender, date of birth and/or age
o    Telephone number(s)
o    E-mail address(es)
o    BSN
o    Access or identification data
o    Financial data
o    (Copy) ID
o    Special categories of personal data
o    Otherwise: …………………………………………..
o    To be announced

What possible consequences may the breach have for the Data Subjects?
o    Stigmatisation and/or exclusion
o    Exposure to (identity) fraud
o    Exposure to spam and/or phishing
o    Otherwise: ………………………………………
o    To be announced

What measures have you taken to address the infringements and prevent further infringements?

Has the Personal Data in question been encrypted, hashed or otherwise rendered unreadable/incomprehensible or inaccessible?
o    No
o    Yes, this way: …………………………………………..
o    Partly, namely: …………………………………………..
o    To be announced

Does the infringement concern persons outside the EU? (both Data Subjects and potential infringer)
o    No
o    Yes, from ……………………………………………
o    To be announced

Is there a possible solution to the breach?
o    No
o    Yes, namely ……………………………………………
o    To be announced

Is this report complete?
o    Yes, all questions have been answered and no follow-up notification is needed
o    No, a follow-up report is necessary