About Us
HFBG Holding B.V. (HeadFirst Group, we, our, us) connects freelancers, professional staffing agencies, and clients. Freelancers and suppliers offer their expertise via HeadFirst Group’s platform (hereinafter: the “Platform”), based on the principle of having the right person in the right place at the right time for the right period. Everything from insurance and contracts to administrative processing is handled via the Platform. The Platform is an online marketplace for temporary staffing. It enables third parties (hereinafter: “Clients”) and suppliers/freelancers to connect with one another, with contracting handled through HeadFirst Group. Subsequently, administrative tasks can be completed quickly and efficiently within the Platform.
Our Relationship with You
Your privacy is important to us. This statement explains what personal data HeadFirst Group processes, how HeadFirst Group processes it, and for what purposes. Please read this Privacy Statement and our Terms of Use for the Platform (available on the Platform) carefully, as they both form an integral part of our relationship with you.
We process your personal data when you use our services (intermediary services and/or additional services), when you visit one of our websites and when you contact us. For example, through our websites you can contact us by e-mail, request information or chat with us. Prior to using intermediary services, we may process personal data when you or your employer enters it into our systems. This data can be used to bid for assignments.
1. Who are the data controllers?
The data controller determines the purposes and means of data processing. Under the General Data Protection Regulation (GDPR), most obligations rest with the data controller, who is also the first point of contact for you as a data subject. The responsibilities are outlined below. In virtually every case, HeadFirst Group qualifies as an independent data controller, with the exception of (i) the situation where your employer has entered your data into our system and you were subsequently never placed on an assignment through HeadFirst Group, or (ii) when the contract between a supplier or self-employed individual is entered into directly with the Client and HeadFirst Group has only played an intermediary role in that process. In the latter case, HeadFirst Group is the processor acting on the instructions of the Client, who is then designated as the data controller.
There are five possible options:
- Are you self-employed? Then you have to deal with two controllers of your data (the Client and HeadFirst Group).
- Are you employed by a supplier of a Client? Then you have to deal with three data controllers (your employer, HeadFirst Group and the Principal).
- If HeadFirst Group is acting as an intermediary to help you join a Client’s workforce or enter into a direct contract, then HeadFirst Group (only for the intermediary phase) and the Client (for the hiring/direct contracting) are the data controllers.
- If HeadFirst Group acts as a processor on behalf of the Client, for example in the context of “recruitment process outsourcing” (“RPO”), then the Client is the data controller.
- Do you use the Premium and/or Excellent supplemental services? In that case, the insurer from whom you receive the certificate is the independent data controller with respect to its services.
The Client as the data controller
Do you have a privacy-related question and/or request to the Principal? If so, you can contact the Principal directly for that purpose. You can do so by contacting them using the contact information found in the Principal's privacy statement.
The employer as the data controller
Do you have a request to your employer? Then you can contact your employer directly. You can do this by using the contact information you can find in the privacy statement of your employer. If you have not yet completed an assignment through HeadFirst Group, no offer has been made and no assignment has been started, your employer can remove your data from the Platform through his or her account.
The insurer as the data controller
Upon contracting, you or your employer have been informed where to find the insurer's privacy statement. Do you have a question and/or request to the insurer? Then you can contact the insurer directly, using the contact information in your insurer's privacy statement.
HeadFirst Group as (joint) data controller
In connection with the services provided by HeadFirst Group
We process personal data when you use our services (both intermediary services and any additional services). HeadFirst Group provides services through multiple entities, each of which is a wholly-owned subsidiary of the same group (HFBG Holding B.V.). HeadFirst Group operates under joint controller arrangements. To ensure clarity regarding who to contact with questions or complaints, we have designated a primary data controller. This is HeadFirst B.V., located at Taurusavenue 18, 2132 LS in Hoofddorp. You can reach us by phone at 023 – 568 56 30, or by email at support@headfirst.nl. Other entities that are part of the HeadFirst Group and that may process your personal data as data controllers—via the Platform—include, but are not limited to, (subsidiaries and sister companies of): Associates B.V., Between Staffing B.V., Designated Professionals B.V., Fast Flex B.V., Fast Flex Sourcing B.V., HeadFirst Germany GmbH, HeadFirst IT B.V., HeadFirst Poland sp. z o.o., Jenrick Nederland B.V., Jenrick Payroll Services B.V., Myler B.V., Oyster Coast B.V., Open Technologies B.V., Proud ICT B.V., Proud Payroll B.V., Source Automation B.V., Source Automation BV. (Belgium), Source Automation Luxemburg SA, Source Payroll Services B.V., Staffing Management Services B.V., Staffing MS Broker B.V., StarApple B.V., Sterksen B.V., and Yellow Friday B.V. In addition to being part of this group, each of these entities is contractually obligated to handle data responsibly, in full accordance with this Privacy Statement. By registering on the Platform, your profile may be found by any of these entities for potential assignments.
In connection with other activities, including customer contact, direct marketing, and visits to the website
In addition to the personal data collected for the purpose of providing intermediary services, we also collect personal data for our own purposes (including customer contact, direct marketing, and website visits, which are explained under “Purposes”). Because we determine the purpose and means of processing, we qualify as an independent data controller.
Employees of the Client
We also process data regarding the Client’s contact persons. With respect to this data, HeadFirst Group acts as the data controller.
2. Contact Center
If you have any questions or requests regarding what happens to your personal data on the Platform, please contact HeadFirst Group. Unsure about which party qualifies as a data controller or where to go with your question about data processing by or through HeadFirst Group? For your privacy questions you can reach us by phone at 023-5685630 or by email at privacy@headfirst.nl. We are happy to help you find a solution. Should that still not succeed, you can turn to the Personal Data Authority (https://autoriteitpersoonsgegevens.nl/nl/zelf-doen/gebruik-uw-privacyrechten/klacht-melden-bij-de-ap).
3. What types of personal data are processed? For what purpose and on what legal basis?
We process different types of personal data about you, for example, because you have created a profile on the Platform and uploaded a CV. When you use the Platform, different categories of personal data are collected in the process. Which data is collected is primarily determined by law and also depends on the additional service chosen and the Client's requirements for flexible staff.
We process personal data only when there is at least one legal basis for doing so:
(1) Performance of the agreement.
As an intermediary, we act as the contractual link in the hiring of flexible staff. We enter into and manage agreements with professionals, suppliers, and clients, on the basis of which we process personal data. In addition to the personal data contained in the agreements themselves, this also includes the personal data required by the contracts. It is therefore also possible that we may request personal data from you prior to entering into an agreement so that we can finalize it. Subsequently, we may also send out surveys to improve our services and/or to gain insights into (the circumstances surrounding the execution of) assignments at Client companies.
(2) Consent.
In certain cases, we may ask you to provide consent prior to processing your data. For example, we ask for your consent before sending you certain news updates. Once you have given your consent, you may withdraw it at any time, after which we will no longer process your personal data for the purposes covered by that consent. You can withdraw your consent by clicking the “unsubscribe” button at the bottom of the relevant news update.
(3) Legal obligation.
As an employment agency, we are required to process certain personal data. This includes obligations under the Act on the Allocation of Labor by an Employment Agency (Waadi), the Foreign Nationals Employment Act (Wav), or tax obligations. A legal obligation may also require us to share certain personal data with Clients, regulators, or other third parties for processing. When we are required to do so, we will share this data with the relevant party.
(4) Legitimate interest.
We may process personal data because we have a legitimate interest in doing so, or because the organization to which we provide your personal data has a legitimate interest. This is the case, for example, when we wish to prevent tax liabilities or limit and/or minimize the risk thereof, or when we wish to detect and prevent fraud, but also when we wish to promote new products/services related to the current services provided by HeadFirst Group. We also have a legitimate interest in further processing the personal data of professionals listed on the Platform in order to provide our services and to assign the professional to an assignment. We also have a legitimate interest in aggregating and anonymizing personal data to conduct market analyses so that we can improve our services. Sending messages highlighting our new services and/or products also falls under this legitimate interest. Another conceivable legitimate interest is the processing of personal data using artificial intelligence (hereinafter “AI”) within the HeadFirst Group environment, for example but not limited to transcribing conversations, performing cross-checks on certain information, and providing advice based on the available information. Final decisions are all made through human intervention.
See Chapter 9 for further details on the use of AI. The purpose of all this is to improve the services we provide to professionals and Suppliers. We always balance our interests against those of the individuals involved. If you would like to receive more information about this, please contact us using the contact details listed under “Contact Center” in this Privacy Statement.
A. Visitors to our websites and/or readers of our email newsletters
We use several websites (collectively, the Websites). When you visit our Websites, you may provide us with personal data, for example, because you send us an e-mail with a question or request, or because you use a chat function or a contact form on our Websites. We may process your name, e-mail address or other contact information in this context. In addition, we process other personal data insofar as you provide these with your question or request or in the chat conversation. We collect this personal data because, when applicable, we need to perform the agreement we have with you. If an agreement has not yet been concluded (and the question concerns, for example, how registration with the Platform works), these data are processed on the basis of the legitimate interest that the question can be answered adequately.
We offer you the option to sign up for our newsletters and other direct marketing communications from us and/or other entities within our group. We may also, if you have given your consent, send you messages about initiatives from partners with whom we collaborate. You can easily unsubscribe from the messages we send you at any time by using the unsubscribe link in the emails or by adjusting your preferences in your profile settings. We use standard tracking techniques that provide insight into the reach and effectiveness of our direct marketing messages. If you open a newsletter or commercial email from us, we can track when you opened it and which parts you clicked on. For this purpose, we process your email address, IP address, time of receipt, time of opening, and click behavior. The primary purpose of this is to inform you about the services of HeadFirst Group and its partners, as well as relevant market developments. The secondary purpose is to conduct marketing and promotional activities for our services and to measure their effectiveness. This allows us to improve our services and tailor our information and communications to the relevant target groups. Newsletters and other related direct marketing messages are sent based on “consent,” which can be withdrawn at any time (by going to your profile on the Platform and “unchecking” the consent box there, or by clicking the “unsubscribe” button at the bottom of the email). In addition, the data collected is analyzed and processed on the basis of legitimate interest, so that the effectiveness of marketing and promotional activities can be measured.
B. Personal Data Generated by Our Websites
We use cookies and similar techniques on our Websites and within the environment of our apps. When you visit the Websites, certain data are processed and generated, such as your IP address, data about your browser, data about browsing behavior, date and time of your visit and the way you navigate through our websites. Consent is requested for preference cookies, analytical cookies and marketing cookies. Because we want to guarantee your privacy and improve the usability of the Platform, we think it is important that you know how and why we use cookies. We encourage you to consult the cookie statements on our Websites. The data are partly based on 'consent', partly on 'legitimate interest' to operate the Website and the Platform.
C. Platform Users
When you register or are registered on the Platform, personal data is collected from you, divided into stages for the purpose of data minimization. Here a distinction is made between independent professionals and employees of suppliers.
Freelancers and professionals from supplier companies who use the platform
Phase 1: Registering as a self-employed professional
When you register as a self-employed professional on the Platform, we ask you to provide the following personal information: first and last name, gender, address and ZIP code, email address, country of origin and nationality, (mobile) phone number, date of birth, your company name, Chamber of Commerce number, and password. We also offer you the option to upload a photo to your account. Additionally, you can indicate whether you wish to use our additional services.
The purpose of this registration is to execute the Terms of Use of the Platform. The basis is the execution of the agreement and the legitimate interest of both parties (i.e. visibility into the online marketplace for you and an up-to-date database for HeadFirst Group). In addition, HeadFirst Group can verify that the account is set up correctly.
Phase 1: Register as a supplier.
If you are a contact person for a supplier, we may process the following personal data about you: your first and last name, gender (authorized signatory), name of authorized signatory, position of authorized signatory, email address, (mobile) phone number, password, profile number, information regarding the creation of your supplier account and its status, and details of any contact you have had with us. The purpose of recording this information is to document who we are in contact with (legitimate interest) and to be able to contract quickly and correctly when an order is awarded to a professional employed by the supplier (performance of the agreement).
Phase 2: Completing your profile as a freelancer.
Once you have registered, we will ask you to further complete your profile and provide information that allows us to introduce you to Clients or to respond to assignments. In addition to the personal data you provided during registration, we process data related to your account, such as your profile number. You can also supplement your profile with information about your professional background, your resume (including all information contained therein, such as social media channels, educational background, and whether you have previously performed assignments for or worked at this Client), and assessment results. We also process data about your company, such as the name and business address. You can also upload an auditor’s report or a statement of compliance with tax obligations and add information about your taxes. For invoicing purposes, we request your bank details and your VAT number. To the extent permitted or required by law, we may ask for your Social Security Number (depending on the selected services, for example, if you also purchase disability insurance through HeadFirst Group). If you use our additional services (Premium or Excellent), we will request the information that the insurer will require us to provide for the purpose of taking out professional and business liability insurance. Only when we are legally required to do so (i.e., in the lead-up to an assignment) will we verify your identity using a valid ID. We may also engage an external service provider to verify your ID on our behalf. This is done digitally. The service provider processes the personal data on your ID, a photo of you, and your email address. We receive the result of the verification and the date on which the verification was performed. If you do not want your ID to be verified digitally, you can choose to visit our office for the identity verification. 
We record when the verification took place and information about the verified ID, such as the type of document, country of issue, number, and validity period. If you are a national of a country outside the European Economic Area (EEA) or Switzerland, or if you are a Croatian national, we may ask you for a work permit. In that case, we must be able to store a copy of your passport and a copy of the relevant permit.
Within the environment of your profile, we process information about your assignments and agreements we have made with you in this regard. We may use unique identifiers, such as an assignment number, for this purpose. The basis is the execution of the agreement (if an assignment is awarded to you) and the legitimate interest of both parties (i.e. the ability for you to quickly apply for a portion of the assignments and an up-to-date file for HeadFirst Group; after all, HeadFirst Group will need to check data such as identity only once in case of successive assignments).
Its goals are:
- Being able to quickly compare available professionals so that the right person gets to the right place (legitimate interest);
- To be able to provide the right match between the Client's assignment and the professional best suited to it (legitimate interest);
- Being able to quickly present and make professionals available to Clients (legitimate interest);
- Closing an agreement with the correct data (data quality) when an assignment arises, both towards you and the ultimate client.
If an assignment has not yet been awarded and has not been fulfilled in the past, these data are editable on the Platform. Once awarded, this data can be modified and reused (to the extent still current) for future assignments (except for the verified identifying data).
Phase 2: Submit your profile as a supplier.
As a supplier, you can register an employee as a professional (and, as an employee of a supplier, you can be registered) on the Platform and, through the Platform, bid on (or be offered) (part of) the assignments from Clients. The personal data from the completed profiles of professionals (or from you) will also be processed in accordance with this Privacy Statement. The professional (or you) will receive a separate email referring to this Privacy Statement. The following applies to the professional. When the supplier registers you as a professional on the Platform, we ask the supplier to provide the following personal data (required): first and last name, gender, address and ZIP code, email address, country of origin and nationality, (mobile) phone number, date of birth. Regarding the profile, the following three retention options are available: Profile for placement by HeadFirst Group; Delete/anonymize after 60 days; Delete/anonymize after 1 year. We also offer the supplier the option to upload a resume (including educational background, social media channels, whether you have previously performed assignments or worked for this Client, and other information) and to upload a photo. We will process your personal data to facilitate your registration through the supplier and to include you in the Platform’s database. First and foremost, we have a legal obligation (Art. 7c(2) of the Act on the Allocation of Workers by Intermediaries) to identify you. We may also process your Social Security Number (BSN). By law, this must be done prior to the referral for placement. It is, of course, possible that your employer has registered you on the Platform without you having been successfully offered assignments. In that case, it is up to your employer to remove the profile, for example, upon termination of employment or a long-term assignment elsewhere. For this, you can contact your employer. 
If you have since left the company or are dealing with a different situation, please feel free to contact us using the contact details listed under the Contact Center heading. We also have a legitimate interest in ensuring that the supplier working with us can fulfill its commitments to you and in ensuring that you can be assigned to the desired assignment. We always balance our interests against your privacy interests as the data subject. If you would like more information about this balancing of interests, you can contact us using the contact details under “Contact Center” in this Privacy Statement. In addition, we have a legitimate interest in processing your personal data, which is based on our ability to perform our usual services, fulfill agreements and assignments from suppliers and clients, and comply with applicable market (quality) standards.
Its goals are:
- Being able to quickly compare available professionals so that the right person gets to the right place (legitimate interest);
- To be able to provide the right match between the Client's assignment and the professional best suited to it (legitimate interest);
- Being able to quickly present and make professionals available to Clients (legitimate interest);
- Closing an agreement with the correct data (data quality) when an assignment arises, both toward the supplier and toward the ultimate client.
Phase 3: Upon award of a contract.
When an assignment is awarded, the data is checked again by our contract management department. The Platform may include a digital vault. The digital vault stores data that must be submitted once an assignment has been awarded. The advantage of the digital vault is that this data remains in the vault, so it does not need to be uploaded again for a new assignment. We may process personal data in this vault that is included in the documents you have uploaded, such as your auditor’s report, Certificate of Good Conduct (VOG) application and certificate, pre-employment screening, codes of conduct, confidentiality and reliability statements, accreditations, and diplomas. We may also store information about the languages you speak. Your digital vault also stores the results of the identity check, as well as a copy of your passport or ID card and your work permit, when we are required to record them. We may also store the document number of your passport or ID card. The legal regulation invoked is the Implementation Regulation on the Mandatory Use of the BSN, Article 1(b).
Its goals are:
- Establishing a clear agreement with the correct data (data quality) when a contract is awarded, both towards the supplier and/or independent contractor and towards the ultimate Client.
- Performing contract management, financial processing and cost and expense calculations by HeadFirst Group.
- The documentation of and provision of services by HeadFirst Group to professionals, clients, and suppliers (such as the additional Premium or Excellent services).
- Supporting professionals, Clients and suppliers in meeting administrative obligations, such as the delivery of agreed documents (for example, a required Statement of Payment History compliance with tax obligations or an auditor's report) and the conclusion of the agreements.
- Maintaining contact, answering questions and requests.
- Offering additional services and improving services. We may process personal data related to assignments on which you have been deployed in order to analyze and understand the market for independent professionals in order to better align our services with demand (Clients) and supply (independent professionals).
- Complying with laws and regulations, detecting, preventing and combating fraud and illegal activities.
- Handling claims and complaints.
- Complying with legal judgments and orders and responding to government requests.
- Complying with tax obligations imposed on us or our suppliers/clients and limiting (chain) liability.
- Ensure compliance with our terms of use and agreements.
- Protecting our operations, our rights, security and property.
Processing of personal data in the context of mediation
When professionals are introduced to Clients through HeadFirst Group with the aim of entering into an employment contract with the Client or directly fulfilling an assignment for the Client, HeadFirst Group acts as the data controller in the context of the placement. In this regard, only the personal data necessary for the placement will be processed. This includes: first and last name, gender, email address, (if necessary) country of origin and nationality, (mobile) phone number, and the resume. The Client may request additional information for the placement. HeadFirst Group will always strive to limit the processing of personal data to a minimum.
If the placement is successful, the Client, as the employer, will become the data controller. If the placement is not successful, HeadFirst Group will, provided the professional has given consent, retain the personal data for two (2) years following the conclusion of the initial placement process for the purpose of achieving a successful placement (legitimate interest).
Clients who use the platform
When Principals, who want to place (or have placed) assignments on the Platform, register (or have registered) on the Platform, personal data of the employees of Principals (in case of approvals/additional agreements. If you are a contact person of a Client, we may process the following personal data of you: your email address, your (mobile) phone number, password (in case of an account on the Platform), profile number and data about the contact you have had with us. In doing so, HeadFirst Group has a legitimate interest (being able to carefully record required information). In addition, these data serve the performance of the contract. HeadFirst Group also has an accountability towards its own accountant and tax authorities in the sense of the administration obligation in Article 2:10 of the Dutch Civil Code.
Would you like to make a request regarding your data? If so, please feel free to contact us using the contact information under item 2. Contact Center.
As part of a pre-employment screening
For some assignments we perform a pre-employment screening. We do this because the client asks us to, for example when this is required by law (think of the Financial Supervision Act, Wft) or because it arises from the nature of the assignment. Where necessary, we will inform you that the assignment for which you (or a supplier's employee) are being considered will include screening as part of the selection procedure and explain how we or a third party engaged by us will conduct the screening.
If a Client indicates that screening is desired or required, we always verify the nature of the assignment, the manner in which the screening is to be conducted, and the legitimate interests of the Client. We balance the interests of the client against your privacy interests. Only when your privacy interests do not interfere with this will we proceed to conduct a screening.
When we conduct a screening, we process data on your suitability, reliability and integrity that are relevant to the performance of the assignment. The severity of the screening depends on the assignment, the requirements of the Principal and the requirements and obligations of the law, even if those requirements and obligations rest with the Principal. In any case, we may check the data entered by you or by the supplier as part of the screening. In addition, depending on the nature of the screening, we may process information from references, former employers/clients, antecedents, data on previous performance, suspension or dismissal, a certificate of good conduct (VOG) or a declaration of no objection (VGB) and a list of ancillary positions.
Depending on the nature of the screening, we will provide personal data from you to the Principal. We may ask you to complete a screening form provided by the Client. The information entered on the form will be processed only for the purpose of the deployment with the Client listed on the form and will be shared with that Client, unless otherwise agreed. It is also conceivable that we conduct a screening where we only pass on whether you have completed the screening with a positive result. In that case, we do not share any further data with the Principal. It depends on the assignment what we share. If you have any questions about this, please contact the contact person associated with the assignment.
4. Why is your personal data processed (Purposes)?
In addition to the above purposes, personal data may be processed for the following purposes, as applicable:
Administration
- HeadFirst Group has a duty of accountability and a record-keeping obligation toward its own accountant and the tax authorities within the meaning of Article 2:10 of the Dutch Civil Code. This includes the execution and administration of agreements to be concluded and those already concluded, all arrangements, and all payment transactions pursuant to concluded agreements (legal obligation). All documents pertaining to an agreement are also part of the mandatory record-keeping.
- HeadFirst Group is required under art. 7c Waadi to identify a (prospective) worker (legal obligation).
Services
- The (core) service of HeadFirst Group (finding, presenting and contracting the right matches for Clients and vice versa) starts with facilitating the Platform and making the online marketplace connected to it accessible. In doing so, HeadFirst Group facilitates that the self-employed person or supplier can create a profile. With that profile, the self-employed person can immediately access (part of) the marketplace. The supplier can also immediately (partly) enter the marketplace with that profile and can upload a profile based on what he can find there. The purpose of processing this personal data is that HeadFirst Group can offer its services and that the self-employed person/supplier/client can use them (legitimate interest).
- To quickly compare, present and make available the right matches on a Client assignment (legitimate interest).
- To provide account management and handle questions, requests, claims, and complaints from professionals, clients, and suppliers (legitimate interest and, where applicable, performance of the agreement).
- Data quality is important to HeadFirst Group (both for its clients and for accurate contracting), which is why account verification is part of its service offering. HeadFirst Group always performs a completeness check, especially when a specific offer is made. The purpose of this is to ensure that an agreement is entered into with the correct information (data quality) when an assignment arises. Carrying out and administering all actions, agreements, and contracts related to the contracting process is part of this (legitimate interest).
- Performance of contract management, financial processing and calculation of costs and expenses by HeadFirst Group (contract performance).
- The recording of and provision of services by HeadFirst Group to professionals, clients, and suppliers (such as the Premium or Excellenta supplementary services) (performance of the agreement).
- Supporting professionals, Clients and suppliers in meeting administrative obligations, such as the delivery of agreed documents (for example, a required Statement of Payment History compliance with tax obligations or an auditor's report) and the conclusion of agreements (execution of an agreement).
- Offering additional services and improving services. We may process personal data related to assignments on which you have been deployed in order to analyze and gain insight into the market for independent professionals in order to better align our services with demand (Clients) and supply (independent professionals) (legitimate interest and performance of an agreement, if concluded).
- Ensure compliance with our Terms of Use and agreements (performance of an agreement and legitimate interest).
- Protecting our operations, our rights, security and property (legitimate interest).
- To fulfill the obligations to the Client, for example, by conducting a pre-employment screening (performance of the contract).
- Maintaining contact during an assignment or following a successful mediation with the aim of optimizing service delivery and, when necessary, providing support to professionals and clients should any irregularities arise (legitimate interest).
Marketing
- Inform about services provided by HeadFirst Group and its partners and relevant developments in the market (consent).
- Marketing and promotion of our services and measuring their effectiveness (newsletters) (consent and legitimate interest).
- Collecting reviews via Ratecard.io (privacy statement available at www.ratecard.io).
Compliance and security
- Complying with laws and regulations, detecting, preventing, recording and combating fraud and illegal activities (legal obligation and legitimate interest).
- Complying with legal judgments and orders and responding to government requests (legitimate interest).
- Compliance with tax obligations incumbent on us or our suppliers/clients and limiting (chain) liability (legitimate interest and a legal obligation, to be found in the Implementing Regulation Mandatory Use of BSN, article 1 sub b).
- Internal monitoring and security. To prevent, detect and investigate possible breaches of our security (legitimate interest).
5. What makes processing lawful under the law?
Some of our data processing activities are based on the fact that we are required by law to process your data. In addition, we actively limit the amount of data collected (for example, by minimizing data collection on the Platform to what is necessary at each stage). We have implemented appropriate technical and organizational security measures to protect the personal data we process against unauthorized alteration, loss, or misuse. For example, we secure our systems and applications in accordance with applicable information security standards (ISO 27001). This includes the use of multi-factor authentication, access rights profiles, logging, and various policies. In addition, backups are made, and our servers are located in Frankfurt. We have also entered into agreements with our service providers and require them to implement adequate security measures.
6. Who has access to your personal data?
Our employees have access to your personal data on a need-to-know basis. This also means that employees of our affiliated entities may have access to your personal data to the extent necessary to provide our services.
In certain cases, we may share personal data with third parties. We do so only when necessary for the provision of our services and for the purposes described in this Privacy Statement.
- We may share personal data with entities with which you enter into an agreement related to your work on an assignment and arising from your use of the Platform.
- We may share personal data of professionals with our Clients and, where applicable, with the supplier through whom the professional was registered on the Platform. These parties are considered independent data controllers.
- We use service providers for purposes such as managing a staffing desk (in addition to the Platform, which we manage ourselves) and for hosting. We use, among other things, the Vendor Management System from Netive VSM’s BV and Salesforce.com Inc. We also use service providers who verify your identification on our behalf, and we use software solutions that enable the automated processing of resumes and the matching of resumes with job assignments. To the extent that these service providers process personal data on our behalf as processors, we set out the terms in a data processing agreement.
7. Do we process data outside the EEA?
No, in principle, we process your personal data within the European Economic Area (EEA). We use servers located in Europe (Frankfurt), and our group companies are based within the EEA. However, since we may use processors whose principal place of business is outside the EEA, it cannot be ruled out that we may share personal data, directly or indirectly, with organizations outside the EEA. To the extent that this is the case, we take appropriate measures to legitimize this processing, including entering into a data transfer agreement based on standard contractual clauses (SCCs) approved by the European Commission. If required, we will take additional measures to ensure that an adequate level of protection is guaranteed. If you would like to know more about the transfer of personal data and how this is justified, please contact us using the contact details provided in this Privacy Statement.
8. How long do we retain your personal data?
Data on the Platform
HeadFirst Group will retain personal data for as long as the independent contractor or supplier has a contractual relationship with HeadFirst Group, including while they use the Platform. After this relationship has ended (i.e., the supplier or self-employed individual has unsubscribed and deleted their profile), HeadFirst Group may retain the personal data for up to 7 years unless longer retention is required, for example, for tax obligations or civil claims. The self-employed individual and/or supplier may delete their own profile and the profile of an employee of the supplier at any time via the Platform. The profile cannot be (completely) deleted if there are only agreements with a duration of between zero and seven years and/or there are still current and/or future agreements or bids.
HeadFirst Group further applies the following rules of thumb:
- We retain business agreements and correspondence about them for a period of seven years after the end of the contractual relationship, unless they are subject to ongoing disputes or litigation.
- We retain personal data related to the verification of your identity for five to seven years after the end of our business relationship.
- We retain subscription data for newsletters until you have unsubscribed from them, with a maximum of two years after the end of our business relationship.
- We will always consider whether the (longer) processing of the personal data is necessary. If it is not, the personal data in question will be deleted.
- In the event of a placement, HeadFirst Group retains the data for the first two years of the assignment or employment with the Client for the purpose of providing follow-up support.
- We retain complaints, correspondence regarding disputes, and incident reports for seven years after they have been fully resolved. We retain documents related to payroll services and payroll administration for seven years after the end of the fiscal year.
- VOG and client-specific documents, such as integrity and confidentiality agreements, will be deleted one year after the end of the assignment.
- Any other data that is not deleted will be anonymized seven years after the end of the fiscal year.
For cookie retention periods, please refer to our Cookie Statements on the Websites.
9. Use of artificial intelligence (AI)
We use AI in our services. AI is primarily used to optimize certain processes. AI is used to support, not to replace, human decision-making. Below is an overview of our use of AI in accordance with the AI Regulation.
Goals
- AI is used to analyze a resume in order to further complete a professional’s profile. In addition, based on the information provided by the professional, an introductory text can be generated and presented to clients. AI can also make suggestions based on previous correspondence or contact;
- AI helps rank candidates for relevant assignments;
- AI is used to transcribe phone calls and create summaries of them.
Responsibility
- HeadFirst Group is responsible for the proper use of AI. The AI tools used by HeadFirst Group are all developed and made available by third parties;
- HeadFirst Group will never process personal data if such processing is incompatible with the purposes;
- Although AI is used to generate recommendations and rankings, HeadFirst Group employees always make the final decision, with human review serving as a mandatory step.
Transparency
- To the extent that it is technically feasible and reasonably explainable, HeadFirst Group will be able to provide an explanation of how the AI systems used work;
- Upon request, information can be provided regarding how the AI processes work;
- AI never makes the final decision; that will always be the responsibility of a HeadFirst Group employee.
Security and Evaluation
- The security measures described in Section 5 of this privacy statement also apply to the use of AI;
- AI is used (almost) exclusively within our managed cloud environment. When personal data is shared with third parties outside of this environment, appropriate measures are taken in accordance with the requirements of the GDPR, and a data processing agreement is entered into;
- The AI systems are continuously evaluated to ensure that they continue to meet legal requirements. In this way, the AI systems are constantly updated and monitored to prevent bias and ensure a fair, non-discriminatory process.
Risk level
- Under the AI Regulation, AI systems used in the field of employment are classified as “high-risk”;
- HeadFirst Group has conducted risk assessments for this purpose, which include measures to mitigate any risks.
If you would like to receive more information about this, or if you have any complaints, questions, or requests, please contact us using the contact information listed under “Contact Center” in this Privacy Statement.
10. What are your rights?
Under privacy laws, you have certain rights regarding your personal data and its processing. You can exercise your rights by contacting us using the contact information provided in this Privacy Statement under “Who are the data controllers?” We will review your request and respond within one month. If we need more time to address your request, we will notify you within one month that we will need an additional two months. In response to your request, we may ask you additional questions to verify your identity or to ask you to clarify your request.
Right of Access
You have the right to ask us whether we are processing your personal data. If we are, you have the right to access that personal data and to receive additional information about the processing of your personal data. If you are a supplier or an independent professional, you can easily and conveniently view your personal data by logging into the Platform. If you would like a more complete overview or more information about data processing, you can submit a request for access to us.
Right to Rectification
You have the right to have inaccurate or incomplete personal data corrected. You may also supplement your personal data. If you have access to the Platform as an independent professional, you can supplement or modify your personal data there. Do you not have access to the Platform? In that case, please contact the party that entered your data. If that does not resolve the issue, please contact us using the information provided in section 2 of this Privacy Statement.
Right to be forgotten
Under certain circumstances, you have the right to have your data erased. At your request, we will delete your personal data when its processing is no longer necessary. If you have access to the Platform as a (self-employed) professional, you can delete personal data there.
Right to restriction
In some cases, you have the right to have the processing of your personal data restricted, for example, if you believe that your personal data is inaccurate. If we grant your request for restriction, we may no longer process your personal data for the duration of the restriction.
Right to Data Portability
You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and you have the right to transmit this data to another controller where the processing is based on your consent or on a contract.
Right to Object
You have the right to object to the processing of personal data based on HeadFirst Group’s legitimate interests. HeadFirst Group will then no longer process the personal data, unless we can demonstrate that there are grounds for the processing that outweigh your interests, rights, and freedoms or that are related to the establishment, exercise, or defense of a legal claim.
