
Privacy Policy for Employees

 

Introduction

At Green Giraffe Group we are aware of the trust you are placing in us, and we are committed to protecting your privacy. Therefore, this privacy notice for employees and job applicants (hereafter “Privacy Notice”) is intended specifically to explain how we collect, handle, store, and protect your personal data when you visit our website to apply for a job via our recruitment platform or have an active employment relationship at Green Giraffe Group. Any reference in this Privacy Notice to “you” or “your” therefore refers to you as an employee of Green Giraffe Group or a job applicant applying for a job at Green Giraffe Group. This Privacy Notice applies to (but is not limited to) our current and former employees, workers, and contractors. This Privacy Notice does not form part of any contract of employment or other contract to provide services.

If you are not an employee or job applicant applying for a job at Green Giraffe Group, we kindly refer you to the Privacy Notice for Business Partners, Clients and Suppliers.

As used in this Privacy Notice, “Green Giraffe Group” refers to one or more of Mama Giraffe B.V. member firms and/or their related entities. Green Giraffe Group and each of its member firms are legally separate and independent entities registered under the laws of each country where the business is developed. When used in this Privacy Notice, “Green Giraffe Group”, “we”, “us” and “our” refer to Mama Giraffe B.V. and its member firms and/or their related entities as a group. All entities within Green Giraffe Group have adopted this Privacy Notice.

Mama Giraffe B.V. is a private company with limited liability (besloten vennootschap met beperkte aansprakelijkheid) organized and existing under the laws of the Netherlands and registered with the trade register of the chamber of commerce in the Netherlands under number 76132307. Its registered office and principal place of business is at Plompetorengracht 19, 3512 CB Utrecht, the Netherlands.

Some definitions:

Data Controller: a data controller is an entity that determines the purposes, conditions, and means of processing personal data. Employers are responsible for collecting, managing, and safeguarding employee data, including data regarding recruitment, onboarding, performance assessments, and payroll. The data controller for the processing of your personal data described in this notice depends on who you have a formal (employment) relationship with. As Green Giraffe Group has multiple entities with whom employment contracts may be concluded, please refer to your employment contract or the job description in which you can find the relevant Green Giraffe Group entity. This entity shall be regarded as the Data Controller that determines the purposes, conditions, and means of processing your personal data.

GDPR team: the team responsible within Green Giraffe Group for the personal data protection policies and procedures and making sure that Green Giraffe Group is acting in accordance with all personal data protection regulations. If you have any questions or concerns relating to your personal data, please contact the GDPR team via the contact details stated in section 15 of this policy.

 

The kind of information we hold about you

Personal data means any information about a living individual (data subject) from which that person can be identified. It does not include data where features which could identify individuals have been removed (anonymous data).

We will collect, store and use the following categories of personal information about you:

  • Identity and Contact Data include name, date of birth, employee ID or passport copy, photo identification, email, telephone number and address.
  • Social security number.
  • Recruitment Data include the information collected in the process of recruiting you, e.g., your application and CV, documentation and information about your education, previous work experience and employment, qualifications, and skills as well as any photos, videos, or other recorded material which you at your own discretion choose to make available to us etc.
  • Work Permits include information on your passport and citizenship, residence and, where needed, work permit or visa.
  • Financial Information includes information relating to compensation, benefits and pension arrangements, such as details of salary, commission and bonus, bank account, tax codes, expenses and outlays, public refunds and subsidies, insurance and employee purchases.
  • Employment Administration Information such as employment and career history, employment contract details, location of work, working hours and schedule, holiday and sickness absence records, appraisals, traveling information, performance and development reviews, use of employer owned mobile phone, IT equipment, company car and credit cards (where applicable), disciplinary measures, resignation and dismissal.
  • Qualification Records include education information, authorisations and certifications, professional experience, qualifications and training records.
  • Health and Safety Records include information on your health, declarations from health professionals, records of accidents and injuries, health and safety training records.
  • IT Log and Use Data include records of authorisations to access IT systems and data, and information about your use of our information and communication systems.
  • Test Data include your replies to aptitude, skills, or personality tests.
  • CCTV Data include video recordings from cameras in certain office areas for security reasons. You will be informed if CCTV is being used in the offices in each jurisdiction where Green Giraffe Group is located.
  • Pictures and Content include pictures, comments and stories related to our employees.
  • References include information obtained from previous employers or other references at our request.
  • Notifications Data include information included in whistleblowing notifications.
  • Sanctions Data may include information included in international sanctions lists regarding restriction or suspension of economic or commercial relations, or other areas, any criminal conviction or offences. These types of data may be obtained if needed for legally required background checks before we enter into an employment agreement with you.

As can be viewed in the above list, we may also collect, store and use the “special categories” of personal data which are more sensitive and so require a higher level of protection. They include:

  • Information about your race, ethnicity or religion if included in the information you provide to us; however, we will never actively ask you for this information and believe these cases to be incidental; and
  • Information about your health, including any medical condition, health and sickness records, which is required for us to assess your fitness for work.

 

How is your personal information collected?

We collect personal information about job applicants, employees, workers and contractors through the application and recruitment process or when you are entering into an employment contract with us. More concretely, we obtain your personal data through the following means:

  • If you complete a job application via our (online) recruitment platform;
  • If you provided your consent, we can obtain personal data from third party references;
  • If you provided your personal data directly to us in relation to your employment agreement;
  • Through our employees if you attended social and (young professionals) networking events; and
  • We may sometimes collect additional information from third parties, including former employers and online sources.

We will collect additional personal data in the course of job-related activities throughout the period of you working for us.

 

What is the legal basis for processing your personal data?

Green Giraffe Group operates its business in several jurisdictions worldwide and as such we have to comply with the local regulations of those jurisdictions.

We will only use your personal information when the law allows us to do so and where we have identified a lawful basis for the processing. The lawful bases that we most commonly rely upon are:

  1. we have received your consent to process your personal data;
  2. performance of a (employment) contract that we have entered into with you;
  3. compliance with a legal obligation, such as having to comply with a legal or regulatory claim, for the establishment, exercise or defense of a legal claim or exercising your or our specific rights in the field of employment; and
  4. for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

In Annex 1 to this Privacy Notice, you will find an exact and (more) elaborate list, in which we describe all the purposes for which we will use your personal data and the legal basis on which we process your personal data. The column ‘Type of data’ follows the same personal data groupings as described in section 2 of this Privacy Notice.

In Annex 2 to this Privacy Notice, you will find an overview of the relevant data protection laws for Green Giraffe Group.

 

For which purposes will we use information about you?

Most commonly we will use your personal information in the following circumstances:

  1. to maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of an emergency), and records of employee contractual and statutory rights;
  2. to operate and keep a record of disciplinary and grievance processes, to ensure acceptable conduct within the workplace;
  3. to operate and keep a record of employee performance and related processes, to plan for career development, and for succession planning and workforce management purposes;
  4. to operate and keep a record of absence and absence management procedures, to allow effective workforce management and ensure that employees are receiving the pay or other benefits to which they are entitled;
  5. to obtain occupational health advice, to ensure that the organization complies with duties in relation to individuals with disabilities, meets its obligations under health and safety law, and ensures that employees are receiving the pay or other benefits to which they are entitled;
  6. to operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental leave), to allow effective workforce management, to ensure that the organization complies with duties in relation to leave entitlement, and to ensure that employees are receiving the pay or other benefits to which they are entitled;
  7. to ensure effective general HR and business administration;
  8. to provide references on request for current or former employees;
  9. to respond to and defend against legal claims; and
  10. to maintain and promote equality in the workplace.

 

If you fail to provide personal information

If you fail to provide certain information when requested, we may not be able to perform under the contract we have entered into with you. We may also be prevented from complying with our legal obligations (such as to ensure the health and safety of our employees).

 

Change of purpose

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

 

Automated decision-making

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. In principle we do not use automated decision-making when it comes to the recruitment process we apply or the employment relationship we may have with you. You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have notified you. If we notify you that automated decision-making will take place with respect to your personal information, you have the right to object to the automated decision-making process and request human intervention.

 

Sharing personal data within Green Giraffe Group and with third parties

We may have to share your data with third parties, including third-party service providers. We require third parties to respect the security of your data and to treat it in accordance with the law. Additionally, Green Giraffe Group operates in multiple jurisdictions, and consequently it may occur that personal data has to be shared internationally within the group, but outside the European Economic Area (EEA).

Why is my personal data being shared within Green Giraffe Group?

Green Giraffe Group member firms rely on each other to provide intra-group services. The group has certain corporate functions (IT, HR, Finance, Legal etc.) spread across its international offices; therefore, your employing entity within Green Giraffe Group may need to share personal data with other Green Giraffe Group member firms to properly administer its contractual obligations (i.e. under your employment agreement) or to assess its obligations towards its data subjects.

Why might my personal information be shared with third parties?

We will share your personal information with third parties where required by law, where it is necessary to administer our contractual working relationship with you or where we have a legitimate interest in doing so. Where legitimate interest is applied, we assess whether your interests and fundamental rights do not override our interests.

Which third-party service providers process my personal information?

“Third parties” includes third-party service providers (including contractors and designated agents) used by Green Giraffe Group for business related reasons. The following activities are carried out by third-party service providers:

  • service providers who provide us with administration, payroll, tax and expense administration support and (personal) data destruction services;
  • providers of our HR platform, including our recruitment platform;
  • service providers who provide, support and maintain our IT, security, and communications infrastructure (including data storage purposes) and/or provide business continuity services;
  • service providers who assist in the coordination and provision of relocation, travel and/or travel permit services (in connection with work-related travel);
  • service providers who provide services in relation to staff training and/or qualifications and staff surveys, e.g.;
  • service providers in the business of employee benefit or pension plans; and
  • auditors, advisors, legal representatives and similar agents in connection with the advisory services they provide to us for legitimate business purposes and under a contractual prohibition of using your personal data for any other purpose.

If you wish to receive a list of third parties with whom we share your personal data, please do not hesitate to contact the GDPR team via the contact details stated in section 15 of this policy.

How secure is my information with third-party service providers?

All of our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

We do not sell the personal data we collect from and about you.

 

Transferring information (outside the EEA)

We will not transfer your personal data to recipients outside the EU or EEA unless we have ensured compliance with Chapter V of the EU GDPR.

We operate in an international environment and therefore, some personal data may be transferred outside the EEA in order to enable the functioning of our daily work and business operations. These kinds of transfers may include, for example, email exchange required by certain work assignments.

In order to ensure that your personal data receive an adequate level of protection, we have ascertained that sufficient safety measures have been implemented to allow for the transfer, including where the European Commission has deemed the country to provide an adequate level of protection for personal data, or by use of specific contracts approved by the European Commission (Standard Contractual Clauses) which give personal data essentially equivalent protection as it has in the EEA.

Furthermore, for our Japanese employees and job applicants, specific consent may be requested for data transfers outside Japan if the jurisdiction to which the personal data is being transferred has not been assessed by the Japanese data protection authorities to have adequate privacy protection regulations. This means that – in such case – if we want to transfer your personal data even with other Green Giraffe Group companies we will need to obtain your consent for such transfers. Such consent can always be freely retracted by you.

If you require further information, you can request it from the GDPR team via the contact details stated in section 15 of this policy.

 

Data security

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Examples of such measures include:

  • Physical security of access to our offices;
  • Your data is stored on servers in controlled, secure (web-based cloud) environments;
  • A range of data flow detection and prevention methods;
  • Restrictions on connecting non-approved devices to the Green Giraffe Group network;
  • Regular training of our employees on data protection and privacy matters.

In addition, we limit access to your personal information to those employees, contractors and other third parties who have a need to know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality.

We have procedures to deal with any suspected data security breaches and will notify you and any applicable regulator of a suspected breach where we are legally required to do so. If you are an employee, you can find our data breach policy in our Big Book.

If you become aware of any suspected data security breach, please contact the GDPR team via the contact details stated in section 15 of this policy and inform them of the (potential) incident.

 

Data retention

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Kindly note that the retention periods for personal data may differ between jurisdictions in which Green Giraffe Group’s entities are located.

To determine the appropriate retention period for personal data we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable (local) legal requirements for each Green Giraffe Group entity.

The retention period for personal data provided by you to us in relation to a job application (for example provision of CVs/resumes), whereby the job application is unsuccessful, is one (1) year upon receipt of the personal data, unless we have requested and received your written consent that we can keep such personal data for one (1) additional year for the purpose of contacting you for future job openings.

Retention periods for different aspects of your personal data are available in our personal data retention file, an extract of which can be requested from the GDPR team via the contact details in section 15 of this notice.

 

Your rights

Depending on your local data protection regulations, you have certain rights available to you when it comes to your personal data that we process. Below is a summary of those rights as well as information on how to exercise them and any limitations to them.

  • Right to request access to your personal data. This right enables you to receive a copy of the personal data we hold about you and to check that we are processing your personal data lawfully.
  • Right to request rectification of the personal data that we hold about you. This right enables you to have any incomplete or inaccurate personal data we hold about you corrected. Please note that the local regulations may prohibit that we delete entries in certain cases. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your employment with us.
  • Right to request erasure of your personal data. This right enables you to ask us to delete or remove personal data where there is no good reason for us to continue processing it.
  • Right to object to processing of your personal data where we are relying on our legitimate interest (or that of a third party) as a legal basis for processing and there is something about your particular situation which makes you want to object to processing. You also have the right to object where we are processing your personal data for direct marketing purposes.
  • Right to request the restriction of processing of your personal data. This right enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish accuracy of the data or the reason for processing the data.
  • Right to request that we transmit your personal data to another party (also known as data portability).
  • Where our processing is solely based on your specific consent, the right to withdraw your consent at any time. Such withdrawal will not affect the lawfulness of processing based on consent before its withdrawal. It is important to note that if the processing activity is not solely based on your consent, and there is another legal justification or obligation to continue the processing, we may – depending on the type of legal justification – continue to process the personal data.
  • Right to human intervention in automated decision-making processes; please refer to section 8.
  • For French and Spanish data subjects: you have the right to give instructions regarding the storage, deletion and communication of your personal data after your death. If you have not given any instructions, your heirs can exercise certain rights, in particular:
    • The right of access, if it is necessary for the settlement of the succession.
    • The right to request an update of the personal data of the deceased.
    • The right to close the deceased’s accounts and to cease the processing of his/her personal data.

For certain personal information requests, we must first verify your identity before processing your request. To do so, we may ask you to provide us with your full name, contact information, and relationship to us. Depending on your request, we may ask you to provide additional information. Once we receive this information, we will review it and determine whether we are able to match it with the information we maintain about you to verify your identity. In order for us to handle your request efficiently, we kindly ask you to provide as much detail as possible about the nature of your request and, where relevant, the processing activities to which the request relates. We aim to respond to your request within 30 days upon receipt of the request.

If you wish to exercise one or more of the above-mentioned rights, kindly send an email to the GDPR team via the contact details stated in section 15 of this policy.

 

Disclaimer

Although Green Giraffe Group is committed to providing a high level of personal data protection and equal treatment for all of its employees and job applicants, in this regard it is important that you are aware that the above-mentioned rights are based on EU GDPR and UK GDPR regulations. In this respect, certain rights may not be legally enforceable by you towards Green Giraffe Group in case you are based in another non-EU and/or non-UK jurisdiction (where different data protection regulations apply) or if you are not covered as a data subject under the EU GDPR and UK GDPR regulations. Our GDPR team is happy to answer any questions you might have in this respect.

 

Cookies used on our websites

Green Giraffe Group uses cookies on its group’s websites. A cookie is a simple text file that is stored on your computer by a web browser. Please refer to our cookie policy published on our website for more information.

 

 

Complaints and queries

If you have any questions, comments or complaints in relation to this privacy notice or the processing of your personal data by Green Giraffe Group, please feel free to contact your regular contact within our firm or our GDPR team via forgetme@greengiraffegroup.com.

 

| Country | Data Protection Authority | Website |
| --- | --- | --- |
| Netherlands | Autoriteit Persoonsgegevens (AP) | https://autoriteitpersoonsgegevens.nl/ |
| France | Commission Nationale de l’Informatique et des Libertés (CNIL) | http://www.cnil.fr/ |
| Germany | Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit | http://www.bfdi.bund.de/ |
| Spain | Agencia Española de Protección de Datos (AEPD) | https://www.aepd.es/ |
| United Kingdom (non-EU) | Information Commissioner’s Office (ICO) | https://ico.org.uk/ |
| South Africa (non-EU) | Information Regulator | https://inforegulator.org.za/ |
| Japan (non-EU) | Personal Information Protection Commission Japan (PPC) | https://www.ppc.go.jp/en/ |
| Australia (non-EU) | Office of the Australian Information Commissioner (OAIC) | https://www.oaic.gov.au/ |
| Massachusetts (non-EU) | Data Privacy and Security Division | https://www.mass.gov/data-privacy-and-security-division |
| Singapore (non-EU) | Personal Data Protection Commission Singapore (PDPC) | https://www.pdpc.gov.sg/ |
 

Changes to this privacy notice

We reserve the right to update this privacy notice at any time, and we will provide you with an updated privacy notice when we make any substantial updates. Any updated privacy notice will be shared via our website.
 

 

ANNEX 1

| Type of Personal Data | Description (What exactly this data is) | Purpose of Use (Employees) | Lawful Basis for Processing (Employees) | Purpose of Use (Job Applicants) | Lawful Basis for Processing (Job Applicants) |
| --- | --- | --- | --- | --- | --- |
| Identity and Contact Data | Name, date of birth, employee ID, passport copy, photo identification, email, phone number, and home address. | To manage employment contracts, communications, and emergency contacts. | Performance of a contract, legal obligation | For contacting applicants and processing their job applications. | Legitimate interest (recruitment process), consent (for contact purposes) |
| Social Security Number | National ID number, social security number, or tax identification number. | For payroll, taxation, and social security contributions. | Legal obligation (e.g., tax and social security laws) | N/A | N/A |
| Recruitment Data | Job application, CV, education, previous work experience, qualifications, and any media provided (photos, videos). | For internal records, talent management, and potential future internal positions. | Legitimate interest (recruitment and staffing), performance of a contract | For assessing suitability, qualifications, and experience for the role applied for. | Legitimate interest (recruitment), consent (for sensitive data if needed) |
| Work Permits | Passport and citizenship information, residence permits, work visas, or other proof of eligibility to work. | To verify work eligibility and comply with immigration regulations. | Legal obligation (immigration laws) | To verify eligibility to work and compliance with immigration laws. | Legal obligation (immigration laws), legitimate interest (recruitment) |
| Financial Information | Salary details, commission, bonuses, bank account details, tax codes, expenses, pension, insurance, and subsidies. | To manage salary, pension, benefits, and expenses; payroll processing. | Performance of a contract, legal obligation | N/A | N/A |
| Employment Administration | Work history, employment contracts, work hours, location, absences, appraisals, use of company assets, and travel. | To manage employment history, contracts, schedules, absences, and performance reviews. | Performance of a contract, legitimate interest | N/A | N/A |
| Qualification Records | Education certificates, professional qualifications, licenses, training records, and certifications. | To verify qualifications for employment or career development. | Legal obligation (compliance with professional standards), legitimate interest | To assess education, certifications, and experience for a job role. | Legitimate interest (recruitment decisions), consent (if sensitive data is shared) |
| Health and Safety Records | Sick leave records, medical certificates, accident and injury reports, health and safety training records. | To manage sick leave, occupational health, and ensure compliance with health and safety regulations. | Legal obligation (health and safety laws), explicit consent (health data) | N/A | N/A |
| IT Log and Use Data | Access logs, data on the use of IT systems, internet usage, and software activity on company devices. | To monitor IT system access, ensure security, and prevent unauthorized access to sensitive data. | Legitimate interest (IT security and compliance) | N/A | N/A |
| Test Data | Responses to aptitude, skills, and personality tests during recruitment or internal assessments. | For performance evaluations, skills assessments, and career development. | Legitimate interest (performance assessments and career development) | To evaluate competencies, skills, and cultural fit during the recruitment process. | Legitimate interest (hiring decisions), consent (for personality or aptitude tests) |
| CCTV Data | Video footage from security cameras in office areas. | To ensure workplace security and monitor access to sensitive areas. | Legitimate interest (workplace security) | N/A | N/A |
| Pictures and Content | Photos, comments, or stories shared internally, such as for company newsletters, events, or social media use. | For internal communications, marketing, and event promotion. | Consent, legitimate interest (corporate communications) | N/A | N/A |
| References | Information from previous employers or other references collected during recruitment. | To evaluate candidates during the recruitment process and manage ongoing employment. | Legitimate interest (hiring decisions, promotions) | To verify qualifications and prior experience during the recruitment process. | Legitimate interest (recruitment decisions) |
| Notifications Data | Whistleblowing notifications and records, including any associated investigations or reports. | For handling whistleblower reports and conducting necessary investigations. | Legal obligation (compliance with whistleblower laws), legitimate interest | N/A | N/A |
| Sanctions Data & Background checks | Information regarding any legal sanctions, criminal records, or regulatory breaches (where required). | To ensure compliance with legal and regulatory obligations, including criminal record checks. | Legal obligation (compliance with regulations), consent (if explicit consent is required for such checks) | For regulatory checks or criminal records (if required for specific job roles). | Legal obligation (when required), consent (if explicit consent is required for such checks) |
| Data Transfers | Personal data transfers to other Green Giraffe Group entities | To administer the contractual relationship with the employee Green Giraffe Group may need to share personal data internally with other offices as its corporate functions are spread out in different jurisdictions. | Contractual obligation, unless processing happens in Japan, then consent may be required prior to data transfers. | To administer the pre-contractual relationship with the job applicant Green Giraffe Group may need to share personal data internally with other offices as its corporate functions are spread out in different jurisdictions. | Pre-contractual obligation, unless processing happens in Japan, then consent may be required prior to data transfers. |
 
 

ANNEX 2

The Netherlands

  • Algemene verordening gegevensbescherming (AVG)
  • Implementatiewet AVG

Germany

  • Datenschutz-Grundverordnung
  • German Federal Data Protection Act
  • Bundesdatenschutzgesetz (BDSG)

France

  • Règlement général sur la protection des données (RGPD)
  • French Data Protection Act, Loi n° 78-17 du 6 janvier 1978 relative à l’informatique, aux fichiers et aux libertés, modifiée par la loi n° 2018-493 du 20 juin 2018 relative à la protection des données personnelles

Spain

  • Reglamento general de protección de datos (SP RGPD)
  • Ley Orgánica de Protección de Datos Personales y garantía de los derechos digitales (NLOPD)

United Kingdom

  • UK General Data Protection Regulation (UK GDPR)
  • UK Data Protection Act

Japan

  • Act on the Protection of Personal Information (Act No. 57 of 2003 as amended in 2016) (APPI)

Australia

  • The Privacy Act 1988

Singapore

  • The Personal Data Protection Act 2012 (No. 26 of 2012) (PDPA)

South Africa

  • Protection of Personal Information Act, 2013 (Act 4 of 2013) (POPIA)
  • Promotion of Access to Information Act (PAIA)

Boston (Massachusetts) USA

  • Massachusetts General Laws (MGL) c.93H Security breaches
  • MGL c.149, § 52C Personnel records: inspection by employee
  • MGL c.214, § 1B Right of privacy
  • MGL c.271, § 51 Taking or transmitting images of crime victims by first responders prohibited without consent
  • MGL c.272, § 99 Interception of wire and oral communications
  • 201 Code of Massachusetts Regulations (CMR) 17 Standards for the protection of personal information of residents of the commonwealth
  • 205 CMR 257 Sports wagering data privacy
  • 940 CMR 27 Safeguard of personal information

 
January 2025