Privacy statement 2018

Value Procurement Centre B.V. respects the privacy of all users of its website and ensures that the personal information you provide is always treated confidentially. We only use your data for the services you have requested.

Who are we?

Value Procurement Centre B.V. is registered with the Chamber of Commerce under Chamber of Commerce number 65468678 and is a Dutch private limited company based in Eindhoven. Value Procurement Centre B.V. is responsible for collecting and using your personal information as described in this privacy statement.

For questions, comments or complaints regarding the processing of your personal data, please contact us via

+31 (0)40 747 0148


We never collect or use your personal information for purposes other than the purposes described in this privacy statement, unless we have obtained your consent in advance.

Commercial use

Value Procurement Centre B.V. will not sell your personal information to third parties. It may happen that we call in third parties to perform a service or project (for example IT or software experts). Value Procurement Centre B.V. will only give these third parties access to systems with data if this is necessary for the execution of the assignment or service. The third parties engaged by us are obliged to sign a confidentiality statement in which they undertake to respect the confidentiality of your data.

Security and storage period

Value Procurement Centre B.V. take the necessary technical and organizational measures to protect your personal data against loss or unlawful use. Value Procurement Centre B.V. does not store personal data longer than for the realization of the purposes for which they were collected and processed. The storage of personal data may be necessary in order to be able to carry out tasks properly or to be able to comply with legal obligations.


Value Procurement Centre B.V. does not use cookies itself. We have no control over the activities of third parties. When you visit our website, the servers automatically save information such as the URL, IP address, browser type and language, and the date and time of your visit. These companies may use information (not your name, address, e-mail address or telephone number) about your visit (on this or other websites) to display advertisements about goods and services that you may be interested in.

Rights of the person involved

As a relationship of Value Procurement Centre B.V. you have the opportunity to view your personal data after written request. If the overview provided by us contains factual inaccuracies, you can request us to change the data or have it removed. In addition, if you do not wish to be contacted, you can inform us of this in writing.


You can invoke the following rights:

Right to view your data;

Right to delete your data;

Right to adjust your data;

Right to object to the processing of your data;

Right to transfer your data;

Right to withdraw the consent granted;

Right to lodge a complaint with the Dutch Data Protection Authority.

If you wish to invoke one or more rights, you can contact Value Procurement Centre B.V. via

+31 (0)40 747 0148


The information provided on or via this website is only general in nature. Although the information has been carefully compiled, Value Procurement Centre B.V. do not guarantee the correctness, completeness and topicality of the information provided. The information provided can be changed at any time without further notice. Value Procurement Centre B.V. is entitled to terminate the availability of the information on this website or to restrict access to it. This website may contain references (for example by means of a hyperlink, banner or button) to the websites of third parties such as Value Procurement Centre B.V. has no control over these websites nor is Value Procurement Centre B.V. responsible for the content of these websites.


This privacy statement can be changed without prior notice in the event of changes to the business operations of the Chamber of Commerce. It is therefore advisable to consult this privacy statement on a regular basis.

Do you have any suggestions, complaints or questions about our Privacy Statement? Send an e-mail to:


1. General

In this processor agreement the following definitions apply:

1.1 General Terms and Conditions: the General Terms and Conditions of Processor, which apply in full to every agreement between the Processor and the Controller and of which General Terms and Conditions this processing agreement is an integral part.

1.2 Processor: Value Procurement Center B.V, with registered office and office at the Flight Forum 3518, 5657DW Eindhoven.

1.3 Data: the personal data as described in Annex 1.

1.4 Client: the natural person or legal entity who has instructed Processer to perform Work, also Responsible.

1.5 Agreement: every agreement between the Client and the Processor for the preparation of tenders for the performance of Work by the Contractor for the benefit of the Client, in accordance with the provisions of the order confirmation.

1.6 Responsible: the Client who as a natural or legal person has instructed the Processor to perform Work.

1.7 Activities: all work commissioned or carried out by Processer for other reasons. The above applies in the broadest sense of the word and in any case includes the activities as stated in the order confirmation.

2. Applicability of processing agreement

2.1 This processing agreement applies to all data collected by the Contractor for the Client in the context of the execution of the Agreement with the Client, as well as all activities arising from the Contract for Processor and the data to be collected in that context.

2.2 The controller is responsible for the processing of the Data concerning certain categories of data subjects, as described in Annex 1.

2.3 In the execution of the Agreement, the Processor processes certain personal data for the Controller.

2.4 This is a processing agreement within the meaning of article 28 paragraph 3 General Data Protection Regulation (AVG), in which the rights and obligations with regard to the processing of the personal data are regulated in writing, including with regard to security. This processor agreement is binding on the Processor with respect to the Controller.

2.5 This processor agreement, like the General Terms and Conditions of Processor, is part of the Agreement and all future agreements between the parties.

3. Scope processor agreement

3.1 By giving the instruction to perform Work, the Controller has instructed the Processor to process the Data on behalf of the Controller in the manner described in Annex 1 in accordance with the provisions of this processor agreement.

3.2 The Processer processes the Data exclusively in accordance with this processor’s agreement, in particular with what is included in Annex 1. The processor does not acknowledge the data for other purposes.

3.3 The control of the Data will never rest with the Processor.

3.4 The Controller may give additional written instructions to the Processor due to modifications or changes to the applicable regulations regarding the protection of personal data.

3.5 The processor only processes the data in the European Economic Area.

4. Confidentiality

4.1 Processor and the persons employed by processor or perform work for him, to the extent that people have access to personal data, process the data only on behalf of charge, unless differing legal requirements.

4.2 Processor and the persons employed by processor or perform work for him, to the extent that people have access to personal data are obliged to keep the personal data they hear, except where any statutory regulation obliges them to communicate or the need for communication arises from a task.

5. No further dispensing

5.1 The processor shall not share the information with or provide it to third parties, unless the Processor has obtained prior written consent or instruction from the Controller or is obliged to do so by mandatory law. If pursuant to mandatory regulations, the Processor is obliged to share the Information with or to provide it to third parties, then the Processor will inform the Controller in writing, unless this is not permitted.

6. Security measures

6.1 Taking into account the state of the art, the implementation costs, as well as the nature, the size, the context and the processing objectives and the various risks and risks of the rights and freedoms of persons in terms of probability and severity, the Processor will take appropriate technical and organizational measures to to ensure a level of security tailored to the risk. The security measures that have now been taken are defined in Annex 2.

6.2 The processor shall take measures which are also intended to prevent unnecessary collection and further processing of personal data.

6.3 The Data will only be stored and processed within the European Economic Area.

7. Supervision of compliance

7.1 The Processor shall provide the Controller with information about the Processing of the Data by the Processor or Sub-processors at the latter’s request and on his account. The processor will provide the requested information as quickly as possible, but no later than five working days.

7.2 The responsible party has the right, once a year and for his own account, to have an independent third party jointly appointed by the Controller and the Processor to carry out an inspection to verify whether the Processor fulfills the obligations under the AVG and this processor’s agreement. The processor will provide all reasonably necessary cooperation. Processor has the right to charge the costs associated with the inspection to the Controller.

7.3 In the context of its obligation under paragraph 1 of this article, the processor will in any case either: (a) Responsible party or a third party engaged by the responsible party:

7.3.1 provide all relevant information and documents;

7.3.2 grant access to all relevant buildings, information systems and Data.

7.4 The Controller and the Processor will consult each other as soon as possible after the report has been completed in order to address the possible risks and shortcomings. At the expense of the Controller, the Processor will take measures to bring the identified risks and shortcomings to an acceptable level for the Responsible level, respectively, unless the parties have agreed otherwise in writing.

Data leak

8.1 As soon as possible after the Contractor becomes aware of an incident or data leak that (also) relates to the Data, Verwerker notifies the Controller of this via the contact details of the Controller who are known to the Contractor and will provide the Contractor with information about: the nature of the incident or the data leak, the affected Data, the determined and expected consequences of the incident or data leak on the Data and the measures that the Processor has taken and will take.

8.2 The processor will support the Responsible in case of notifications involved and / or authorities.

9. Sub-processors

9.1 The processor refers the Client to the URL for the sub-processors that have been activated

9.2 The processor shall ensure that the sub-processor is subject to this processor’s agreement or to a sub-processor’s agreement containing the same obligations as this processor’s agreement.

10. Participation duties and rights of data subjects

10.1 The Processor will provide the Controller with co-operation on request in the event of a complaint, question or request from a data subject, or investigations or inspections by the Dutch Data Protection Authority.

10.2 The Processor will assist the Controller at his / her request and at his expense in performing a data protection impact assessment.

10.3 If the Processor receives a request for access, correction or deletion of his or her Data from a data subject directly, the Processor will inform the Controller of the receipt of the request within two working days. The Processor will carry out as quickly as possible all instructions issued by the Controller in writing to the Processor as a result of such a request from the person concerned. The processor shall take the necessary technical and organizational measures necessary to comply with such instructions from the Controller.

10.4 If Instructions of Responsibility to Processor conflict with any legal provisions regarding data protection, then the Processor will report this to the Controller.

11. Duration and termination

11.1 This processor agreement is valid as long as the Processor has the instruction of the Controller to process Data on the basis of the Agreement between the Controller and the Processor. As long as Processing Work is performed for the Responsible Party, this processing agreement is on this relationship application.

11.2 Obligation to cooperate, Confidentiality and Applicable law and choice of forum will continue between parties after the termination or dissolution of this Agreement for an indefinite period.

11.3 To the extent that after the termination of the Contract, the Contractor still has Personal Data as received from the Processing Officer, it will destroy this Personal Data within a reasonable period, or – in consultation with the Processing Officer – return it to the Processing Officer, unless the Client is obliged to comply with applicable law. – or regulations are required to keep the Personal Data.

For the interpretation of this article, the possession of Personal Data includes, but not limited to, the Personal Data located on data carriers, server space hired or purchased by Processor, anywhere in the world, in sandboxes, on memory sticks, SSD cards or other means used to store or store Personal Data.

11.4 If the Processor is unable to return, destroy or delete the Personal Data for technical reasons, or if the applicable right prescribes longer storage of the Personal Data, the Processor will immediately inform the Processing Officer of this. In that case, the Processor takes all necessary measures to: a. to come as close as possible to a complete and permanent return, destruction or removal of the Personal Data, and to make the Personal Data unsuitable for further Processing.

b. The risk that the Personal Data will not be returned, destroyed or removed from the Processor and the Processor will remain bound to those articles that by their nature are intended to continue to apply after expiry or termination of this Processor Agreement.

11.5 The Processor will inform all third parties involved in the Processing of Personal Data of the expiry or termination of this Processor Agreement, and guarantees that all third parties will destroy the Personal Data, delete them or return them to the Processing Officer.

12. Invalidity

12.1 If one or more provisions of this processor agreement are null and void or are nullified, the other conditions remain fully applicable. If any provision of this processor agreement is not legally valid, the parties will negotiate the content of a new provision, which provision will approach the content of the original provision as closely as possible.

13. Applicable law and choice of forum

13.1 Dutch law applies to this processing agreement.

13.2 All disputes in connection with the processor’s contract or the performance thereof shall be submitted to the competent court in the District Court of Oost-Brabant.





The Controller will have the Processor process the following Data processed by the Processor within the framework of the assignment, including but not limited to personnel administration, payroll, financial reporting:

(1) Name (initials, surname)

(2) Telephone number

(3) E-mail address

(4) Date of birth

(5) Place of residence (address)

(6) Data ID-evidence (in connection with the Wwft)

(7) Financial data

(8) Name and address details and BSN of the employees of the Responsible Party



The activities for which the above-mentioned Data may be processed, only if necessary, are in any case:

(1) The work, to be regarded as the primary service, in the context of which the Controller has issued an order to the Processor;

(2) the maintenance, including updates and releases of the system made available by the Processor or sub-processor to the Controller;

(3) data and technical management, also by a sub-processor;

(4) the hosting, also by a sub-processor.



The Data processed for the following categories of data subjects:

(1) customers;

(2) employees of Responsible;

(3) relations of Responsible;

(4) contact persons of Responsible;



The Processor has in any case taken the following security measures:

  • • Privacy policy and regulations
  • • Continuous monitoring network
  • • Firewall
  • • Authorization management for assigning roles & rights
  • • Backup and recovery procedures
  • • Confidentiality statements in employment contracts / fringe benefits.
  • • Intruder alarm office spaces
  • • Logical access control such as passwords, 2-factor authentication, tokens and / or IP number
  • check
  • • Sub-processor agreements with third parties
  • • Safe way to store data files