At FRISS we value your privacy and do everything in our power to protect your data and enable you to control the data you have shared with us.
As trust is the cornerstone of our business mission, FRISS is committed to retaining your trust by properly protecting the personal data collected and used by our organisation or entrusted to us. We have temporary guardianship of your personal data and a duty of care for it.
This version of the Privacy notice was updated on 22/09/2020.
1.1 About FRISS
FRISS is a SaaS platform that enables our Clients to assess their applicants and customers for a risk of fraud, or to investigate it. We provide our services on a global scale and our customers are generally insurance companies, lease providers and mortgage banks who integrate our services in their business.
We only ask for personal data when we need it for our own business purposes or to provide you with relevant information. Whether you sign up for our newsletter or sign a Service Agreement, you provide your personal data to us for a particular purpose. Where it is applicable we will give you the option to explicitly agree to the collection, use, disclosure, and sharing of the information you’ve provided, i.e. with the newsletter or cookies. That applies even when you’re browsing our website, where you can manage your cookie preferences. You can review your personal data and change your settings at all times by contacting our office. If we need your data for the completion of a contract, we will only collect the least amount of data necessary.
Throughout this document you’ll encounter the mention of several roles and responsibilities. Below is a short overview of the different roles and responsibilities that influence the data processing.
A Controller is the company that an individual (or data subject) provides their personal data to. The Controller determines the purpose for the personal data (e.g. to receive important information or for sending invoices) and is responsible for the correct handling of the subject’s data.
A Processor is the company that provides part of the service of the Controller and needs specific personal data under the control of the Controller in order to do so. To give an example: when one of our customers sends an insurance policy for FRISS to check, we might need personal data such as a name and vehicle information to fulfill the service. The Processor, in this case FRISS, only processes personal data according to the instructions of the Controller. We don’t use this data for anything other than what is requested by your insurance company (the Controller).
Depending on your relationship with FRISS, we can be both Controller and Processor. If you have any questions about these terms or more general inquiries about how we handle your data, you can always contact us at firstname.lastname@example.org or send a written inquiry to:
FRISS | fraud, risk & compliance
Attn. Data Protection Officer
3528 BA, Utrecht
FRISS and its legal family
The main processor, and therefore controller, of your data is FRISS fraudebestrijding B.V. Sometimes it might be necessary to have your data processed by one of our subsidiaries. They will only process data if necessary and only for the purpose it was originally collected for.
All the personal data we process is lawfully obtained and with a legal basis. The purpose of the information we collect is so we can continue to conduct and expand our day-to-day business and enable you to use our services. Personal data can also help us to improve our products to fit the needs of our customers.
1.2. Purposes of data processing
There are several places on our website where you can fill in your (personal) data. We will explain the purposes of the various instances of data processing below.
Filling in the contact form or sending an e-mail
If you fill in the contact form on our website or send us an e-mail, we will only use the (personal) data you provide for the purpose or purposes for which you filled in the contact form or sent the e-mail.
If you download files on our website (such as e-books, whitepapers or reports), we will use the (personal) data you provide for one or more of the following purposes:
- for the execution of an agreement, for example to send you the e-book, whitepaper or report you have chosen;
- for the formation of an agreement, for example by contacting you by telephone or in writing.
If you fill in the application form for the newsletter on our website, your (personal) data will be used to send you the newsletter. Each newsletter contains a hyperlink at the bottom of the message that you can use to unsubscribe.
In addition to the personal data you provide to FRISS yourself, FRISS may collect, record and process additional (personal) data if you use the (web) services of FRISS. This concerns the following personal data:
- data from the used equipment, such as a unique device ID, version of the operating system and settings of the device you use to access a service;
- information about the use of a service, such as the time at which you use the service and the type of service that is used;
- location details from your device or derived from your IP address that is provided to us when you use a particular service;
- data available from external sources. We may receive information about you from public or commercially available sources.
1.3. Retention period for Personal Data
We keep Personal Data no longer than strictly necessary for the purposes for which the personal data are processed, or as long as required by applicable law, such as archiving laws.
1.4. Exchange of Data
The performance of a legal task can mean that FRISS shares data, including personal data, with others. This can be with sub-processors (see paragraph 1.12 Lists of Approved sub-processors) and also with auditors. If and whenever this is necessary, we will make sure that the least possible amount of data is shared. If required or possible, we will inform you directly or indirectly about such an exchange of data.
1.5. International transfer of Data
In view of international trade and cooperation, it is essential to be able to transmit data to other countries, including those outside the European Economic Area (EEA).
Whenever this happens, FRISS takes action to make sure your data is protected.
First, the data transfer itself must be legal. This can be based on consent by you, or on any of the further authorization reasons as mentioned in Art. 6 of the GDPR (i.e. fulfilling a contract). Secondly, we check whether or not transfer to the third country is permitted. There are secure and unsecure third countries. Secure third countries are those for which the European Commission has confirmed a suitable level of data protection.
If there is no suitable level of data protection for a country, there are other options to ensure that the personal data will be sufficiently protected by the recipient. We will use the appropriate technique to safeguard the protection of your data.
- for data transfers within a Group through so-called “binding corporate rules”;
Regarding international data transfer to the US: as of July 16, 2020 the Privacy Shield agreement has been declared invalid. Therefore, it can no longer be used for international transfer between the EU and the US. Data transfers to the USA require other guarantees, according to Art. 44 et seq. GDPR, to create an appropriate level of data protection.
1.6. Informing Data Subjects
FRISS in principle informs Data Subjects when it processes their data; see Art. 13 and Art. 14 GDPR.
1.7. Security of data
FRISS respects your privacy and ensures that personal data are handled confidentially and with the utmost care. All processed (personal) data is stored securely. This data is only accessible to employees of FRISS, or our trusted partners, to the extent that this access is required by virtue of their position. FRISS makes every effort to secure these systems against loss and/or any form of unlawful use or processing.
1.8. Where we process your data
As a global, cloud-based enterprise, our usage of the internet almost always involves the international transmission of personal data, both within and outside the EEA (European Economic Area). If, where we act as a Processor, the Controller uses our services from outside of the EEA, the legality, scope and responsibility are those of the Controller.
For our European business activities, both as a Processor and Controller we do our best to try and select providers within the EEA. If we can’t find a suitable processor in the EEA, we take care to ensure our partners outside the EEA have sufficient guarantees and safeguards in place to properly treat and protect your data. Whether we’re dealing with international mobile operators or other companies, we always make sure we contractually agree on data protection to protect the rights and freedoms of all individuals, inside and outside the EU, and ensure compliance with the GDPR.
1.9. Provision of (personal) data to third parties
Your (personal) data will never be provided to third parties without your permission unless we have an obligation to do so pursuant to legislation or regulations or you have given permission for this.
1.10 Exercising your rights as the data owner
We collect your data to make sure we only contact those who benefit from our services. As the data owner you always stay in control of your data and at any time you can instruct us about the data we process about you. In case we process your data on behalf of one of our clients or another controller, please read the section ‘FRISS as a Processor’.
The right to access (Art. 15): You have the right to request copies of your personal data from FRISS, under certain conditions.
The right to rectification (Art. 16): You have the right to request that FRISS correct any information you believe is inaccurate. You also have the right to request that FRISS complete information you believe is incomplete.
The right to erasure (‘right to be forgotten’) (Art. 17): You have the right to request that FRISS erase your personal data, under certain conditions.
The right to restrict processing (Art. 18): You have the right to request that FRISS restrict the processing of your personal data, under certain conditions.
The right to data portability (Art. 20): You have the right to request that FRISS transfer the data that we have collected to another organization, or directly to you, under certain conditions.
The right to object to processing (Art. 21): You have the right to object to FRISS’s processing of your personal data, under certain conditions.
The right not to be subject to a decision based solely on automated processing (Art. 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, under certain conditions.
You can view your data that is processed by FRISS at any time and free of charge and, if you so wish, modify this data or have it deleted. You can also object to receiving information about products, services or content of FRISS. If you wish to make use of one of these options, you can send an e-mail to the Data Protection Officer of FRISS via email@example.com or write to the following address:
FRISS | fraud, risk & compliance
Attn. Data Protection Officer
3528 BA, Utrecht
1.11 FRISS as a Processor
FRISS also processes information on behalf of others, referred to as our ‘Clients’. FRISS processes this information in order to help our Clients with their business goals. As such, you need to address these Clients to exercise your rights. In case you contact us regarding data we process on behalf of others, we will gladly help you, identify the actual controller of your data and forward you to them.
In case of a dispute
FRISS always does its utmost to comply with all applicable legislation and help you exercise your rights. In case we are not able to come to a satisfactory resolution with you, you can bring your complaints to the applicable authorities. Since FRISS has its headquarters in The Netherlands, the responsible Data Protection Authority (DPA) is the Autoriteit Persoonsgegevens. They can be reached for complaints at https://www.autoriteitpersoonsgegevens.nl/nl/klachtenformulier. In case you do not master the Dutch language, you can also contact your national authorities, who will forward your complaint to the Dutch authorities.
1.12 Lists of Approved sub-processors
| Solvinity | Solvinity B.V. | EU (The Netherlands) |
| OGD | Operator Group Delft B.V. | EU (The Netherlands) |
| Mailchimp | The Rocket Science Group LLC | USA |
| Netsuite | NetSuite Inc. | EU (Ireland and The Netherlands) |
| Levi9 | Levi9 Global Sourcing B.V. | EU (The Netherlands and Romania) |
| A2A | A2 Antwoordservice B.V. | EU (The Netherlands) |
| | LinkedIn Ireland Unlimited Company | EU (Ireland) |
| Microsoft (Sub-Contractor) | Microsoft B.V. | EEA |
*For security purposes we do not disclose our internally used sub-processors (such as payrollers); they are only available upon request and after identification.