070 - 31 31 000 info@vastrecht.com

Privacy Policy


In the context of our services, we process personal data. We may have received data from you personally, for instance, via our website, email, telephone or app. In addition, we may obtain your personal data in the context of our services via third parties (for instance family members or your employer). In this privacy statement we inform you about how we treat this personal data.

Personal data to be processed

Which personal data we process depends on the service in question and the circumstances. Usually it regards the following data:

  • Name and address details;
  • Function / job title;
  • Date and place of birth;
  • Gender;
  • Contact details (email addresses, telephone numbers) and name and function of the contact persons;
  • Copy of identification documents;
  • Age;
  • Salary and other details that may be required for tax returns, salary calculations etc.;
  • Marital status, details of partner and information about children (if any) insofar as required for tax returns and advice;
  • Bank account number;
  • Details about your activities on our website, IP address, internet browser and device type.


Purposes of and basis for processing

In a number of cases, we process personal data in order to comply with a statutory obligation, but mainly we do so to be able to perform our services. Some data are recorded for practical or efficiency reasons, of which we (may) assume that they are in your interest as well, such as:

  • Communication and providing information;
  • Providing our services as efficiently as possible;
  • Improving our services;
  • Invoicing and collection.

The above also means that we use your personal data to inform you about our services if we think that they may be relevant to you. Additionally it may occur that we contact you to ask for feedback about services in order to be able to improve the way we provide our services to you and other relations. Finally, we may also use your personal data to protect our rights or properties and those of our users and, if necessary, to comply with court decisions.

Contact form

You can use the contact form to ask us questions or make requests. Please include your name, telephone number, email address and message on the form. We will not place your email address on the mailing list of our newsletter until you become a client, or upon special request.


We process your name and email address to send you the newsletter. We send you these newsletters when you have given us permission to do so; for example when you become a client you give such permission – this is also stated in the order confirmation that you signed. We will retain the data we process for that purpose until you unsubscribe for the newsletter or for a maximum of one year after we last sent you a newsletter.


We offer various types of services. Listed below is a general overview of these services, the data we process for the purpose of these services and the retention periods we use. Please note that deviations from this privacy statement are possible as separate arrangements on the subject can be made with you. In case you have any questions about this, please contact us.

Tax returns

For preparing your tax returns we process your name and address data, contact data, salary data, company data, VAT number, citizen service number and all other information that is financially relevant. We do so to execute the agreement we have made with you. In principle we will retain this data up to 7 years after you are no longer a client with us, unless we think we need this data for a longer period (see below `retention periods`).

Consultancy practice

We offer a variety of subjects and cases in which we can provide advice. The data we receive from you in connection to that may therefore vary widely. We process the data we receive from you only for this purpose, to provide you with sound legal advice. In principle we retain this data up to 7 years after you are no longer a client with us, unless we think we need this data for a longer period (see below `retention periods`).

Administrative services

We can also take care of your administration: business administration and payroll administration and also registration of income and expenditure for private individuals (for instance in case of guardianship).  We process the data we receive from you for this purpose, only to take care of your administration. In principle we remove this data once you are no longer a client. Regarding payroll administration, we are usually considered a processor, and for that reason we will also conclude a processor agreement with you.

Disclosure to third parties

In some types of services we make use of the services of external colleagues (third parties), if it is appropriate for more timely requests, cost efficiency or because such third parties have special know-how or means. It may regard processors or sub-processors who in the context of the assignment will process the personal data. Other third parties who strictly speaking are not processors of the personal data, but have or may have access to them nonetheless, are for example our system manager, suppliers or hosting parties of online software, or advisers whose advice we seek in connection with your assignment. If engaging third parties means they will have access to the personal data or record them themselves and/or process them otherwise, we will conclude a written agreement with those third parties that they will comply with all GDPR stipulations. Naturally we will only engage third parties of whom we can and may assume that they are reliable parties who treat personal data properly and who can and will comply with the GDPR: Vastrecht has a permanent network (“flexible shell”) of valued colleague advisers who will be engaged for such purposes. Our agreement with such third parties among other things means that they are only allowed to process your personal data for the activities in which they are asked to perform. It may also be that we need to provide your personal data to third parties in connection with a statutory obligation. Under no circumstances will we provide your personal data to third parties for commercial or charitable purposes without your explicit permission.

Retention periods

We will process your personal data no longer than appropriate for the purpose for which they were provided (see above paragraph `Purposes of and basis for processing`). This means that your personal data will be retained as long as they are required to achieve the goals in question. Certain data must be retained longer (usually 7 years) because we must comply with statutory retention obligations (for instance the retention obligation for tax purposes) or in connection with provisions issued by our professional association or in the context of pending legal proceedings or because we expect that they may become relevant in questions of whatever nature that will emerge in the future.


We have taken appropriate organisational and technical measures for the protection of personal data in so far as such can reasonably be expected of us, taking into account the interest to be protected, the state of the art and the costs of the relevant security measures. We require our employees and any third parties who necessarily have access to the personal data to keep them confidential. Furthermore, we ensure that our employees have received accurate and complete instructions on how to handle personal data and that they are sufficiently familiar with the responsibilities and requirements ensuing from the GDPR.

Your rights

You are entitled to access, rectify or remove personal data we have of you (except, of course, where this interferes with any statutory obligations). Furthermore you may raise objections against processing your personal data (or a part thereof) by us or by one of our processors. You are also entitled to have the data you provided, transferred by us to you or directly to another party should you wish so.

Incidents with personal data

In the event of an incident (a so-called data leak) regarding the personal data in question, we will inform you immediately, subject to compelling reasons, if there is an actual risk of negative consequences for your private life and attaining such. We strive to do so within 72 hours of discovery of this data leak or having been informed about it by our (sub-)processors.


Should you have a complaint about the processing of your personal data, please contact us. If this does not lead to a satisfactory outcome, you will at all times have the right to file a complaint with the Dutch Data Protection Authority, the supervisory authority in the field of privacy.

Processing within the EEA

We will only process personal data within the European Economic Area, except when we have agreed on different arrangements on that subject with you. Exceptions to this are situations in which we wish to chart contact moments via our website and/or social media pages (such as Facebook and LinkedIn). Take for instance numbers of visitors and requested webpages. Your data may be stored by third parties outside the EU when use is made of Google Analytics, LinkedIn or Facebook. These parties are EU-US Privacy Shield certified, and they therefore must comply with the European privacy regulations. For that matter, it only regards a limited number of sensitive personal data, in particular, your IP address.


Undoubtedly our privacy policy may be altered. The most recent version of the privacy statement is the version that applies. It can be found on our website.

(May 2018 version)