Privacy Notice

This privacy notice ("Notice") describes how Protiviti BV (“we”, “us”, “our” or “Protiviti”) may use, process, store and disclose Personal Data that we may collect about individuals, including if you interact with us through this website (“Site”) and from other sources, such as when joining a webinar that is hosted by us or when applying for a job with us. This Notice informs you how we collect, use and protect your Personal Data and informs you about your privacy rights. The Information is provided in a layered format so that you can click through the specific sections set out below. If you want to know the types of Personal Data we collect, they are described in the section ‘Personal Data, how we collect it, and the purposes for which we process it’.

We act as a data controller and we are responsible for the Personal Data we process.

It is important that you read this Notice together with any other Privacy Notice we may provide on specific occasions when we are collecting or processing your Personal Data, such as when you subscribe to a webinar or subscribe to KnowledgeLeader. This Notice supplements other Privacy Notices you may receive from us and is not intended to override them.

This Site is not intended for children and we do not knowingly collect Personal Data relating to children. If we become aware that we have done so, we will delete that data as soon as possible.

You can download a pdf version of the Privacy Notice here.

Contact Details

Protiviti has appointed a Global Privacy team with experts based in US, Australia, Singapore, Europe and the UK. If you have any questions about how we use your Personal Data or this Notice, please contact us at: [email protected].

Personal Data, how we collect it, and the purposes for which we process it

Protiviti processes Personal Data for a variety of purposes. We collect this Personal Data directly from you, for example, when visiting our Site, submitting your contact details to receive marketing communications and registering for Protiviti hosted events, submitting a job application, providing feedback or responding to surveys. We process business contact data including Personal Data in the context of providing consultancy services, for example, when we are conducting Client audits. We also may obtain Personal Data via publicly available sources, social media such as LinkedIn and other sources.

We have set out a short description of the main ways we will collect and process Personal Data and the legal bases we rely on to do so. We have also identified what our legitimate interests are, where appropriate. A legitimate interest is when we have a business or commercial reason to process Personal Data in conducting and managing our business. We will consider and balance any potential impact on individuals and their legal rights when we process Personal Data for our legitimate interests. We do not use Personal Data for activities where our interests are overridden by the impact on an individual (unless we have obtained consent or are otherwise required to do so for compliance with a legal or regulatory obligation or permitted to by law). Details about the right to object to processing of your Personal Data where we are relying on a legitimate interest (or those of a 3rd party) and to withdraw consent are provided in ‘Your Legal Rights’ below.

We collect different types of Personal Data depending on our relationship with you and you may be in one or more of these categories:

  • Visitors of our Site;
  • Subscribers to our KnowledgeLeader platform;
  • Job applicants applying for employed roles working for Protiviti;
  • Business contacts at clients;
  • Contacts at suppliers of goods and services;
  • Individuals whose Personal Data we process when we are acting as a data processor when delivering services to our clients; 
  • Participants in webinars, meetings, conferences and events;
  • Alumni.

Website visitors

We may collect Personal Data that you provide through our Site, for example, when completing online forms, using the “contact us” function, downloading documents, subscribing to receive marketing communications from us (either directly or through our preference center), participating in surveys, registering for events and when you provide feedback. Depending on the nature of your enquiry or activities on our Site we collect the following categories of Personal Data from you:

  • your name;
  • your contact details;
  • professional business information, such as job title, professional areas of interest, the company employer and the industry you’re active in;
  • Other Personal Data that you voluntarily choose to provide to us, including in your enquiry, emails and/or through customer survey responses. 

We process the above data, depending on the nature of your interaction with us to: develop our business and services; administer events and webinars; allow for content download and lead capturing; provide for the effective delivery of services, information and marketing communications and to provide the functionalities offered by the Site. 

If you register on our Site, your Personal Data will be stored in our CRM system.

Cookies and IP related/device data

We collect limited Personal Data automatically from your device when you visit our Site, such as IP address, Media Access Control (MAC) address, computer type (Windows or Macintosh), screen resolution, operating system name and version, device manufacturer and model, language, Internet browser type and version and other technical information.

We also collect information about how devices interact with our Site, including browsing activity, Site cookies, links clicked on the Site, referring URL, geolocation data and internet activity.

This information enables us to better understand how visitors use our Site, where they come from and what content on our Site is of interest. We use this information to administer and manage our Site; to conduct benchmarking and data analysis; to improve the quality and relevance of the content on our Site and to personalize and enrich the visitor’s browsing experience. This information is collected through Cookies; please also see our Cookie Policy for further details.

The legal grounds for the processing of Personal Data from website visitors are:

  • Our legitimate interests in growing our business, in developing and improving our products/services/Site and keeping them up to date, in developing our marketing strategy, in the effective delivery of information and our services, and in maintaining the effective and lawful operation of our site and businesses.
  • Your consent to receive marketing messages and, if we have a pre-existing business relationship, we send marketing based on the ‘soft opt in’ principle.

Subscribing to KnowledgeLeader

When you subscribe to KnowledgeLeader through our Site we collect the following categories of Personal Data:

  • Identifiers such as name, email address, country, city, state, and zip/post code.
  • Billing details including name, company, phone number, email address, address, city, state, and zip code.
  • Professional information such as job title, position/role, company, and industry.

We process this information for the purposes of providing our KnowledgeLeader service and to manage your subscription.

Job Applicants

If you are applying for a role as our employee, we may collect Personal Data from and about you via your CV, identification and evidence of right to work documents, professional qualifications and memberships, business referees, professional and educational organisations and other sources (including emails, letters and during telephone calls and conversations).

We process your Personal Data for the purposes of administering your application, managing our internal hiring process and assessing your suitability for the role. We may collect special category data, such as health/disability data, for example when this is necessary for making interview arrangements and/or providing a suitable working environment.

We may do criminal background, sanctions and terrorism checks when we have a legal obligation to do so or at the request of clients in connection with the delivery of our services.

We will obtain explicit prior written consent to process special category Personal Data for specific limited purposes. If you choose to provide us with special categories of Personal Data (e.g. in your CV) and we do not need it, we will disregard this data. Special categories of Personal Data will be processed in accordance with the restrictions imposed by law and will be retained for no longer than necessary before being deleted.

We may ask you to provide original documentation in paper format, including proof of identity, evidence of immigration, right to work and qualifications and we may verify some or all of the information you provide in relation to your application for a job. We may use a third party to perform background screening and verification services and we will inform you at the time, and, where necessary, obtain your consent to do so.

If we engage a third party to provide pre-employment screening, verification and/or testing services, we will ensure that access is limited to the Personal Data that is compatible with those services and that the service provider is contractually obliged to comply with applicable data privacy laws and confidentiality obligations and to provide adequate safeguards to keep your Personal Data secure until it is deleted or anonymized so you can no longer be identified.

Personal Data about job applicants and employees is stored securely in our online HR tool and is confidential and can only be viewed and accessed by members of the HR department and other staff if they are connected to the hiring process, such as interviewing, assessing your suitability for the role and for the purposes of managing the employment relationship if the application is successful. Depending on the role these people may be located within or outside the EEA/UK. Additional requirements and policies will apply if we enter into an employment relationship and the relevant Privacy Notices and other details will be provided during the onboarding process.

Personal Data about unsuccessful job applicants will be retained in accordance with local retention rules. At the end of the retention period, the Personal Data will be automatically deleted.

Currently we do not use automated decision-making technologies to make final or conclusive decisions about your employment and a member of our staff will always be involved in your application process.

Contractors

We may engage contractors to assist in the delivery of our services. We will collect name and business contact details and financial data so that we can pay invoices. We may perform additional background checking and verification services or ask third parties to perform these checks on our behalf e.g. criminal background, sanctions and terrorism checks if these are requirements for engagement. We will obtain prior written explicit consent and process this data to the extent that it is necessary and relevant. 

The legal grounds for the processing of Personal Data from job applicants and contractors are:

  • Your consent. By applying for employment with us, you consent to us processing your Personal Data for these purposes. You have the right to withdraw your consent at any time. Please note that if you withdraw your consent, we will not be able to continue with your application.
  • Fulfillment of a contract.
  • Our legitimate interests in attracting, identifying and sourcing talent; in processing and managing job applications for roles at Protiviti, including the screening and selecting of applicants and contractors; in hiring and onboarding employees and contractors and administering and managing these relationships.
  • Compliance with a legal or regulatory obligation (e.g. when carrying out eligibility to work, criminal convictions, sanctions and terrorism verification checks).

Client contacts

We process Personal Data about former, existing and potential clients and individuals appointed as business contacts for such clients in connection with the promotion and provision of consultancy services, to fulfill our contractual obligations, issue invoices and collect payments, to develop our business, for accounting and tax purposes and to administer our business relationship.

Usually the Personal Data we process is limited to name, job title/position, business contact data, company name and industry. If Protiviti is engaged to provide risk management and consultancy services, additional Personal Data might be collected, the nature of which depends on the services provided.

We may also process identification and background information as part of our client acceptance, finance and administration processes, including audit independence, anti-money laundering, conflicts of interest checks, reputational and financial checks, and to fulfill any other legal or regulatory requirements to which we are subject.

The source of the business contact data may be the individual themselves, or their name and business details may be provided to us by a member of their organisation or an existing business contact. We may also obtain these details from websites, social media such as LinkedIn, public and other sources. 

Your Personal Data will be stored in our Customer Relationship Management system [e.g. Salesforce, Pro Connect, Other databases] (“CRM”) which is globally accessible by our staff and hosted in the US.

Client contacts in our CRM systems may be sent newsletters, marketing materials, learning opportunities, surveys and invitations to events, in accordance with marketing preference and local marketing laws. Contacts can unsubscribe from marketing at any time by clicking the ‘unsubscribe’ link included in our marketing emails or by contacting: [email protected] 

The legal grounds for the processing of Personal Data from client contacts are:

  • To fulfill a contract.
  • Our legitimate interests in growing our business, in developing and improving our business, in developing and improving our products and services and our marketing strategy, in administering our relationship, in the effective delivery of services, and in maintaining the effective and lawful operation of our businesses. 
  • Compliance with a legal or regulatory obligation.
  • Your consent in order to receive marketing messages (except in circumstances where we have a pre-existing business relationship and we are email marketing based on the ‘soft opt in’ principle).

Participants in webinars, meetings, conferences and events

Personal Data about individuals registering and participating in Protiviti hosted events will be shared within the Protiviti group including for the purpose of facilitating your participation in the event and, where applicable establishing a business relationship. To the extent required for a specific event we may collect Personal Data such as: name, business/personal contact details, job title, position/role, company, industry and credit or debit card number.

We use various US cloud based marketing automation tools to manage the event registration process. More information about our third party automation tools can be found here: Marketing automation tools – Protiviti Privacy Notice.

These third party suppliers are appointed as our Processors and their platforms contain their own privacy notices explaining why and how your Personal Data is collected and processed on our behalf. We encourage participants to refer to the privacy notices available on the platform during registration.

The legal grounds for processing Personal Data of participants are:

  • Your consent.
  • Our legitimate interest in publicizing and organizing events, sending invitations and communications to participants, managing the registration process and promoting Protiviti’s services.

Alumni

Protiviti hopes to maintain a lifelong, mutually beneficial relationship with Protiviti alumni (i.e. former employees).

Our alumni platform is hosted in the US by a third party and you can read the alumni Privacy Notice here: Protiviti Alumni Network Privacy Policy. If you would like details about our alumni program, contact: [email protected]. You can join our alumni here: Protiviti Alumni Network 

The legal grounds for processing Personal Data of our alumni are:

  • Your consent.

Suppliers

We process Personal Data about our suppliers in order to manage our relationship and contract, and to receive goods and services.

The Personal Data we process is generally limited to name and business contact data including company name, phone, business email and other contact details, and financial and transaction data.

We also process data about suppliers to check whether we have a conflict of interest or audit independence restriction to appointing a supplier. Before we engage a new supplier, we also carry out background checks required by law or regulation, for example, adverse media, compliance with bribery and corruption and modern slavery legislation, and financial crime checks.

Legal grounds for processing Personal Data of our suppliers are:

  • Fulfill a contract. 
  • Compliance with a legal or regulatory obligation.
  • Our legitimate interest in managing payments and supplier management.

Protiviti as a data processor

Besides collecting and processing Personal Data as a data controller for the purposes described above, Protiviti acts as a data processor on behalf of its clients with regards to Personal Data collected through our engagement.

As part of the consultancy and risk management services Protiviti provides to its clients, Protiviti may process Personal Data of individuals with whom we do not have a direct (contractual or other) relationship. For example, if we perform an audit, our engagement team may be required to audit our client’s books, which could include for example, payroll data for employees of the client, supplier data, customer data, financial administration, data regarding claimants and legal proceedings.

We obtain contractual confirmation from our clients that they have the authority and legal grounds to provide and/or grant us access to their Personal Data for the purposes of performing the services and that any Personal Data they provide to us has been collected and processed in accordance with applicable law.

Protiviti will only process this Personal Data in connection with the provision of the service for which the data was collected and will not use this Personal Data for its own purposes. The Personal Data will only be processed in accordance with the instructions of our client and the Personal Data will be retained in accordance with contractual or legal obligations.

As Protiviti processes this Personal Data solely as a data processor the rest of this Notice does not apply to this category of data. 

The legal grounds for processing Personal Data of individuals whose Personal Data we obtain in connection with providing services to our clients are:

  • Compliance with a legal or regulatory obligation.
  • Fulfill a contract.

Change of Purpose

We will only use your Personal Data for the purposes for which we collected it as described above, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

If we need to process your Personal Data for a purpose unrelated to the original purposes, we will notify you and explain the legal basis which allows us to do so and obtain your consent if needed. 

We may process your Personal Data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law or where your Personal Data is anonymized to the extent where we can no longer identify you.

Transferring Personal Data outside of the EEA / UK

Protiviti is part of an international group of companies operating globally. We may share Personal Data with our group companies, including Robert Half, a recruitment firm, our parent company Protiviti Inc., and our ultimate parent company Robert Half Inc., a specialized talent solutions firm based in the United States, and other group companies located within or outside the European Economic Area (EEA), the UK and countries with laws that have not been determined to provide an adequate level of protection for the processing of Personal Data under the laws of the EU/UK, who may use and process your Personal Data for similar purposes as described in this Notice.

Protiviti risk management and/or consultancy engagements may span more than one jurisdiction, and in these circumstances Personal Data may be accessed by the Protiviti group companies and Member Firms working on the specific project/engagement.

The data protection laws outside the EEA/UK may not provide an equivalent level of protection to those inside Europe and the UK and in these circumstances, we will take steps to ensure that your Personal Data is adequately protected, secure, kept confidential and that we have a lawful basis for the transfer. This means we require the 3rd party recipient to sign the standard contractual clauses approved by the European Commission and UK as providing Personal Data with the same protection that Personal Data has when it is processed within the EEA/UK. Where required, we will ensure supplementary technical and organizational security measures are imposed on the 3rd party recipients to protect Personal Data from surveillance and monitoring by public authorities in the third country where the recipient is located.

We will ensure these recipients will be subject to appropriate contractual, security, confidentiality and other applicable obligations and we will only permit them to process Personal Data in accordance with the law and our instructions. 

You can contact us if you require further information on the mechanism we use when transferring Personal Information out of the EEA/UK.

Disclosing your Personal Data to 3rd Parties

To the extent necessary or appropriate and without notifying you, Protiviti may disclose Personal Data to external 3rd Parties (who are not members of the Protiviti group of companies) located both within and outside the EEA/UK in the following circumstances:

  • to companies and individuals we employ to perform business functions and services on our behalf. Examples of such business functions include: hosting our Web servers; marketing automation platforms; providing IT services; analyzing data; counting ad impressions to unique visitors; detecting security incidents; protecting against malicious, deceptive, fraudulent, and illegal activity; providing legal, accounting and marketing services; customer relationship management services; performing employment verification screening, sanctions and terrorism checks; credit reference agencies; customer satisfaction surveys; processing payment; and providing other support services.
  • to government agencies including: tax authorities, Police and other law enforcement agencies and regulatory and supervisory authorities (such as the competent data protection authority).
  • to comply with applicable laws, the service of legal process, or if we reasonably believe that such action is necessary to: (a) comply with the law requiring such disclosure; (b) protect the rights or property of Protiviti and/or its group companies; (c) prevent a crime, protect national security or for fraud detection or prevention; or (d) protect the personal safety of individuals using our site or members of the public.
  • to 3rd parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, we will let you know.

Where applicable, we will impose appropriate contractual, security, confidentiality and other obligations on the 3rd party service providers and processors we have appointed, based on the nature of the services they provide to us. We will only permit them to process your Personal Data in accordance with the law and our instructions. We do not allow them to use your Personal Data for their own purposes and when our relationship ends we will ensure your Personal Data is securely returned or destroyed.

Some of these 3rd parties are also controllers responsible for processing Personal Data for their purposes, for example, the local tax authority is a controller for tax purposes. We may not be able to impose obligations or restrictions on these controllers in connection with how they process Personal Data.

The legal grounds for transferring Personal Data to 3rd parties are: 

  • To fulfill a contract.
  • Our legitimate interests in growing our business, in developing and improving our business, in developing and improving our products and services and our marketing strategy, in administering our relationship, in the effective delivery of services, and in maintaining the effective and lawful operation of our businesses.

Protiviti Member firms

Protiviti works with a network of independently owned Member Firms located in countries around the world, which provide a variety of services to us, such as providing assistance on client engagements and performing business functions and services on our behalf.

Protiviti Member Firms operate as separate and independent legal entities, and are not agents of Protiviti Inc. or other firms in the Protiviti network.

These Member firms are subject to similar obligations as imposed on 3rd party service providers, as described above.

The legal grounds for transferring Personal Data to Protiviti Member firms are: 

  • To fulfill a contract.
  • Our legitimate interests in growing our business, in developing and improving our business, in developing and improving our products and services and our marketing strategy, in administering our relationship, in the effective delivery of services, and in maintaining the effective and lawful operation of our businesses.

Keeping Personal Data Secure

We have put in place appropriate organizational, technical, and administrative security measures to prevent Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to Personal Data to those employees, contractors and other third parties who have a business need to do so. 

We have implemented procedures to deal with Personal Data breaches and we will notify affected individuals and the applicable supervisory authority of a breach where we are legally required to do so.

If you have reason to believe that your interaction with us is no longer secure, please immediately inform your Protiviti contact or notify us at: [email protected].

How long we retain Personal Data

Protiviti will retain your Personal Data for as long as necessary to fulfil the purposes that we collected it for.

In order to meet our professional and legal requirements, to establish, exercise or defend our legal rights, and for archiving and historical purposes we retain your Personal Data for a longer period.

Where there is no retention period stated in law, we determine the appropriate retention period for Personal Data by considering the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of the data, the purposes for which we process it and whether we can achieve those purposes through other means, and the applicable legal requirements. 

Details about our retention periods are available upon request by contacting us at: [email protected].

Your Legal Rights

You have the right to:

  • Make a Data Subject Access Request to access your Personal Data at any time. This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it.
  • Request correction of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate Personal Data we hold about you corrected.
  • Request erasure / deletion / removal of your Personal Data. This enables you to ask us to delete or remove your Personal Data where we do not have a valid reason to continue to process it. You also have the right to ask us to delete or remove your Personal Data where you have successfully exercised your right to object to processing, where we may have processed your Personal Data unlawfully or where we are required to erase your Personal Data to comply with local law. Please Note: we may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
  • Object to processing of your Personal Data where we are relying on a legitimate interest (or those of a 3rd party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your Personal Data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your data which override your rights and freedoms.
  • Request restriction of processing of your Personal Data. This enables you to ask us to suspend the processing of your Personal Data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of your data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to process it.
  • Data Portability / Request the transfer of your Personal Data to you or directly to another controller. This right only applies to automated data which you initially provided consent for us to use or where we used the Personal Data to perform a contract with you. We will (unless there is an exemption) assist you by securely transferring your Personal Data directly to another controller where technically feasible or by providing you with a copy in a structured commonly used machine readable format.
  • Withdraw your consent at any time where we are relying on your consent to process your Personal Data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.

We may request specific information to help us confirm your identity and verify your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person other than the individual who has the right to receive it. We may also contact you to ask you for further information in relation to your request to help us locate your data and to speed up our response.

We try to respond to all legitimate requests within one month. It may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated. 

You will not have to pay a fee to exercise any of these rights. However, we may charge a reasonable fee if your request is unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

If you wish to exercise any of these rights, please speak to the person you usually deal with at Protiviti or contact Protiviti’s data protection office at: [email protected]

Privacy Complaints 

You have the right to make a complaint at any time to the Dutch supervisory authority for data protection issues, the Autoriteit Persoonsgegevens (https://autoriteitpersoonsgegevens.nl/en). We would ask you to provide us with the opportunity to discuss your concerns with you before you contact the Autoriteit Persoonsgegevens, so please contact: Data Protection Office at [email protected]

Marketing Messages

When you have consented to receive marketing communications, for example when registering with a webinar, promotional or networking event, or where there is a pre-existing business relationship and we can rely on the ‘soft opt in’ principle, we may use your Personal Data to send you automated email messages, marketing materials or market research and quality surveys.

You have the right to withdraw your consent to marketing at any time by:

  • Visiting our Site and checking or unchecking the relevant box to change your email marketing preference;
  • following the opt out links contained in our marketing email messages;
  • Sending an email with “UNSUBSCRIBE ME” in the subject field to: [email protected].

If you opt-out of Protiviti publications and e-mail marketing your marketing preference will be recorded in Eloqua, our marketing preference centre, which is integrated with our CRM system and updates every 15 minutes.

Please note that opting out of receiving marketing messages does not apply to:

  • Personal Data that you have provided to us in connection with a job application.
  • Personal Data that you have provided to us in connection with the performance of a contract between us.

We will never sell or disclose Personal Data to any 3rd parties to use for marketing.

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this site may become inaccessible or not function properly. For more information about the cookies we use, and to manage your cookie settings please see our Cookies Policy.

The legal grounds for processing Personal Data obtained from the use of non-essential cookies, tracking your activities on our websites and during events and collecting analytics data are:

  • Your consent.

Links to other Sites

Our Site may include links to 3rd party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these 3rd party websites and are not responsible for their privacy statements.

Feedback

If you would like to provide feedback about Protiviti services, this Site or its content, please contact us through our webform: https://www.protiviti.com/NL-en/contact-us.

Changes to this Notice

We will update this Notice to reflect changes in our business operations, practices and services. When we post changes to this Notice, we will revise the “last updated” date of this Notice. If we make any material changes in the way we collect, use, and share Personal Data, we will notify you by posting details of the changes on our home page for 30 days. We recommend that you check this page from time to time to inform yourself of any changes in this Notice.

This Notice was last updated: 16 May 2023.
