Dataplace manages modern TIER III datacenters at multiple locations in the Netherlands. At these sites we co-locate large and not-so-large IT environments alike for a variety of different customers. Inspired by a clear philosophy, centred on reliability, efficiency, sustainability and continuity, our datacenters operate to accomplish our mission: to provide continuity and high-quality datacenter services 24/7. In this privacy statement, Dataplace explains to you how it complies with the General Data Protection Regulation in its role as processor. In addition, in its role as independent controller Dataplace processes data about you, your employees and any suppliers, when you contact us, visit our website or when you or your employees require access to one of our datacenters. For further details, see the second section of this statement.
Dataplace as processor
Dataplace offers organisations the possibility to co-locate their servers at one of its four datacenters in the Netherlands. Dataplace cannot access the personal data stored on your servers. Dataplace does not make any back-ups, nor does it provide any updates or maintenance for the operating system or applications running on your servers. As we don't actually do anything at all with the personal data on your servers, we therefore are not a processor within the meaning of the General Data Protection Regulation. However, for the avoidance of uncertainty among our customers regarding compliance with the GDPR, we nonetheless consider ourselves as a processor and, where applicable, we will enter into a data processing agreement with you or one of your suppliers who has co-located a server in one of our datacenters.
The terms used in this Privacy Statement and their definitions are as set forth in Article 4 of the GDPR. Dataplace can and will not use the personal data that are processed on your servers for its own purposes. Dataplace also cannot provide the personal data from your servers to third parties, nor can it transfer such personal data to third countries.
As our customer, you are the controller within the meaning of the GDPR. This means, for example, that you must ensure that you have a basis for processing personal data and that you inform your customers in a proper and intelligible manner which personal data you process and for what purposes. You also determine yourself, as our customer, for how long the personal data are retained on your servers.
Technical and organisational security measures
Dataplace takes appropriate technical and organisational measures to secure your servers holding personal data against loss or any form of unlawful processing. Dataplace ensures that these measures can be considered as providing an appropriate level of security within the meaning of the GDPR. Various technical and organisational measures have been implemented both because it is in our DNA to do so and to meet our certification (e.g. ISO 27001 and NEN 7510) requirements. To retain our certification, Dataplace is obliged to review the measures at scheduled, regular intervals.
Employees' duty of secrecy
Dataplace is aware that our customers' servers may hold highly secret sensitive privacy and proprietary data. For this reason, all (permanent and temporary) employees of Dataplace must sign a separate non-disclosure agreement on commencing employment with us. Furthermore, each employment contract includes a non-disclosure clause. Dataplace additionally updates its employees at scheduled, regular intervals on the importance of complying fully with our privacy and security policy.
Strict access policy
Dataplace observes a very strict access policy. Dataplace uses physical as well as digital access control, records who entered and left the building at what times, and checks these logfiles at regular intervals. Digital control measures include general camera monitoring, digital registration for occasional visits or the issuing of badges for structural access rights. All visitors must register at the access terminal. An access badge may be issued to regular visitors, subject to certain conditions.
Dataplace does not use sub-processors. Should we wish to engage another company as a sub-processor, Dataplace will first request consent from the customer or customers to whom this would apply. Where Dataplace engages a sub-processor, it will by means of a separate agreement impose on the sub-processor the same obligations regarding data protection as those included in the agreement with the customer. This applies in particular to the application of appropriate technical and organisational security measures as well as to the notification of any data incident. In the event that the sub-processor fails to fulfil its data protection obligations, Dataplace will be fully liable toward the controller for fulfilment of the sub-processor's obligations.
Responding to data incidents
Dataplace registers all security incidents and deals with them according to a standard procedure. Adherence to registration and our response to security incidents are assessed at regular intervals. In addition, incidents are analysed as part of our commitment to continuously improving our organisation. As well as this being part of our policy, we are also obliged to do so under the terms of our ISO 27001 and NEN 7510 certification.
Dataplace will provide you, as our customer, with timely, correct and full information on relevant data incidents, to enable you in your role as controller to meet your legal obligations to notify any data breach to the Dutch Data Protection Authority and also to inform the people affected (the data subjects), where applicable.
Dataplace will inform the contact person of the subscription/contract of a potential data breach. It is your responsibility as controller to keep the name and contact details of your contact person up-to-date via the Dataplace customer portal.
Examples of data incidents include irreparable damage caused to hard disks, theft of data on servers following a physical intrusion or successful hacking into the datacenter or a catastrophe, such as fire in a datacenter.
Dataplace will endeavour to provide you immediately, and in any event within 48 hours, with all the information which you need to make a complete notification, where necessary, to the Dutch Data Protection Authority and/or the data subject(s). If this information is not yet known, because the data breach is being investigated by Dataplace, for example, Dataplace will in any event provide you as soon as possible with the information which you need to make a provisional notification yourself to the Dutch Data Protection Authority and/or inform the data subject(s) within the stipulated 72 hours. Dataplace will inform you in any event about the nature of the (potential) breach, and where possible will provide a description of the observed and probable consequences of the breach and the action to be taken by you to mitigate and remedy the adverse effects of the data breach.
Dataplace will keep you (your contact person) informed about the progress and the measures that are taken. Dataplace will always inform you of any change in the situation and in the event further information becomes available.
In the event you, as our customer, make a (provisional) notification to the Dutch Data Protection Authority and/or the data subject(s) regarding a data breach at Dataplace, although it is quite clear to you that there is no data breach at Dataplace, you shall be liable for any and all loss and/or damage as well as costs sustained by Dataplace. You shall additionally be obliged immediately to withdraw such notification.
Dataplace as independent controller
Dataplace respects your privacy and ensures that all the personal data you give us, or which we collect about you, are treated as confidential.
You provide personal data yourself to Dataplace when you contact us by telephone or email, when you enter personal data about yourself via the customer contact portal and when you visit one of our datacenters. Dataplace also collects personal data about you when you visit our website, when your employer or client requests that you be enabled to access a datacenter and when you visit a datacenter. Dataplace effectively only processes the personal data that are necessary to enter into and perform the agreement with you. Where it is required to do so by law, Dataplace will also provide personal data to competent authorities. And where Dataplace wishes to distribute newsletters to you or processes personal data via tracking cookies, we will first request your specific consent to do so.
Types of personal data
Dataplace keeps the volume of personal data of and about its customers that it collects to a minimum. Dataplace mainly collects contact and payment details. Dataplace does not collect any special categories of personal data of customers, as referred to in Article 9 and Article 10 of the GDPR.
The data required to obtain (temporary) access to the Datacenter are:
- Your full name
- Your date of birth
- Your mobile phone number
- Your email address
- The number of your identity document
- A copy of your identity document
- The expiry date of your identity document
- Your fingerprint (not applicable in case of escorted access)
After authentication, the scan of your identity document will be deleted. Other information is stored in our systems in encrypted form. After leaving the Datacenter, your fingerprints are erased. One month after your visit, your identity document number and its expiry date are erased. After 12 months, your name and date of birth also are erased from our systems.
If you have become a customer, you can enter data of your employees and suppliers via our customer portal to grant them access to the datacenter. The data required to obtain access to the Datacenter are the same as those listed above.
BSNs (citizen service numbers) are never requested and/or stored.
In summary, Dataplace processes the personal data referred to above for the following four purposes:
- To enable authorised representatives of our customers to access their server equipment in one of our datacenters
- To perform the services contractually agreed with you
- To prepare and send invoices
- To distribute by email service communications (not direct marketing)
The main basis for most processing of personal data is the need to conclude and perform the agreement. This also applies to the distribution by email of service communications. Dataplace will only provide personal data in response to a request by authorities such as the Netherlands Authority for the Financial Markets, the European Central bank or De Nederlandsche Bank N.V. where it is legally obliged to do so. They may require personal data for the performance of their tasks pursuant to the Dutch Financial Supervision Act (Wft). It is also possible that Dataplace is ordered to terminate the provision of its services by law enforcement or investigating authorities. In these cases, Dataplace processes personal data on the basis of mandatory compliance with a statutory obligation. Where Dataplace is jointly responsible with other organisations for the processing of personal data by allowing tracking cookies to be installed and read, Dataplace will first request your specific consent jointly on behalf of those other organisations.
Personnel and processors
As explained in the first section of this privacy statement, Dataplace considers it important that all its employees treat the personal data of its customers with due care. For this reason, Dataplace has all its (permanent and temporary) employees sign a separate non-disclosure agreement, for example.
Dataplace has also entered into data processing agreements with suppliers who process customers' personal data on our behalf, e.g. for the purpose of invoicing, access control, office IT systems and software development on the customer portal.
The personal data via processors or independent controllers will not be transferred outside the EU.
Security and responding to data breachs
Dataplace will, in case of doubt, always notify data breachs in its own systems and the systems of its processors and suppliers to the Dutch Data Protection Authority as well as the data subjects concerned. Dataplace relies on the GDPR and the guidelines of the European supervisory authorities concerning data breachs to determine whether a data breach has occurred. A data breach covers all security incidents causing the protection of personal data to be breached or compromised at a given moment or resulting in the personal data being exposed to loss or unlawful processing.
Dataplace will notify potential data breachs within 72 hours to the Dutch Data Protection Authority. Dataplace will ensure that its employees are able to identify a data breach. Dataplace expects its processors and contractors to enable Dataplace to meet this commitment. For the sake of clarity: Dataplace will naturally also notify you, as our customer, of any data breach that occurs at a supplier of Dataplace. Dataplace is the point of contact for the customer. The customer therefore does not need to contact Dataplace’s suppliers or processors.
Your rights based on the processing of personal data
The General Data Protection Regulation (GDPR) gives you certain rights to protect your interests where your personal data are processed, as follows:
How to contact us
If you would like more information, or if you have a complaint about how your personal data are used and/or treated, please contact Dataplace's quality manager.