​Privacy statement

External Privacy Policy

While processing your personal data, Northpool respects your right to privacy and will only process your personal information in accordance with applicable data protection laws.
This Privacy Statement explains how we collect and use personal information about you during and after your relationship with us.

This statement does not form part of any contract to provide services. We may update this Statement at any time.


Article 1 – Legal definition

Controller:
Northpool B.V. established in 3e Binnenvestgracht 23N, 2312 NR, Leiden, The Netherlands, Chamber of Commerce number 56443838 is a ‘data controller’ (hereinafter: “the controller”).
This means we are responsible for deciding how we hold and use personal information about you. We are required under GDPR to notify you of the information contained in this Privacy Statement.

Personal information in the context of GDPR (AVG):

Personal data, or personal information, means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.


Article 2 – Data subjects

Data subject under Northpool’s Privacy Statement is any natural person whose data can be processed. This Statement applies to following subjects:

1) (Potential) counterparties and customers, such as Exchanges, TSO’s, traders;

2) Suppliers;

3) Applicants (job seekers);

4) Occasionally other individuals such as visitors;

5) Northpool.nl website visitors


Article 3What categories of personal data do we process

We process the following categories of personal information about you:

1) (Potential) counterparties and business partners, such as Exchanges, TSO’s, brokers and traders;

Name (and company name)

(Business) address

Telephone number(s)

Email address

Banking details

IP addresses

Voice recording


2) Suppliers:

Name (and company name)

(Business) address

Telephone number(s)

Email address

Banking details


3) Applicants:

Name

Address

Telephone number(s)

Email address

Details mentioned in your CV and application form


4) Other individuals / visitors to our office:

Name (and company name)

CCTV camera images


5) Northpool.nl website visitors:

Name

Address

Telephone number(s)

Email address

IP address

Geographical location when you have enabled location tracking

Information from cookies (e.g. Google Analytics)


Special categories of sensitive personal information
We do not collect, store and use the ‘special categories’ of sensitive personal information of you. When we do need to process sensitive personal data, it is with the consent of the individual unless it is obtained indirectly for legitimate purposes. Sensitive personal data we may obtain are dietary restrictions or physical health access requirements e.g. when visiting our office.


Article 4 – Sources of personal data

We collect this information:

Directly
We obtain personal information directly from you in a variety of ways, including obtaining personal data from individuals who provide us their business card, complete our online forms, register for trainings and seminars, attend meetings or events we organize or visit our office. We may also obtain personal data directly when, for example, we are establishing a business relationship, performing our services through a contract or through our trading platform.

Indirectly
We obtain personal data indirectly from a variety of sources. We may attach personal data to our customer relationship and trades database to better understand and serve our counterparties and individuals, satisfy a legal obligation, or pursue our legitimate interests.

Public sources
Personal data may be obtained from public registers (such as Companies House, Chamber of Commerce), news articles and Internet searches.

Social and professional networking sites
If you register or login to our website using social media (e.g. LinkedIn, Twitter or Google) to authenticate your identity and connect your social media login information with us, we will collect information or content needed for the registration or login that you permitted your social media provider to share with us. That information may include your name and email address and depending on your privacy settings, additional details about you – so please review the privacy controls on the applicable service to set how much information you want to share with us.

Business Partners
Our business partners may engage us to perform services which involves sharing personal data they control as part of that engagement. For example, we will have access to your location or IP address.


Article 5 – Purposes of processing


We will collect and use your personal information for the following purposes:

• Managing Northpool’s business operations and complying with our internal procedures and policies including monitoring of compliance to our rules, procedures and policies (e.g. internal and external audits or investigations).

• Assessing and processing any applications or requests made by counterparties and business partners for services offered by Northpool;

• Sending invitations and providing access to guests;

• Processing (online) requests, including responding to communications from individuals;

• Informing data subjects of changes and updates in our terms and conditions, administrative information and policies;

• Administration, maintenance, management and operation of services offered to counterparties and business partners or to the company of which this person is a representative;

• Verification of your identity (e.g. via secured password and login data) for the purpose of entrance to Northpool’s data portal;

• Responding to queries, requests and complaints;

• Maintaining records or instructions of counterparties, business partners and suppliers, such as recordings, contact details of staff for contact and communication and provision of data;

• Promoting our professional services and capabilities to existing and prospective business partners;

• Improving the contents and use of our website;

• Participation in Northpool’s marketing initiatives or branding activities;

• Records of voice recording for confirmation of our trading activities with counterparties (brokers, traders);

• Physical security purposes (e.g. images on CCTV used for security reasons in our office, registration of visitors);

• For recruitment and future personnel management purposes;

• For business operations, like managing IT and communications, product and service development;

• For the purposes of our legitimate interests or for compliance with a legal obligation, but only if these are not overridden by your interests, rights and freedoms.

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.


Article 6 – Lawful reasons

We may rely on the following lawful reasons when we collect and use personal data to operate our business and provide our products and services:

Contract
We may process personal data in order to perform our contractual obligations.

Consent
We may rely on your freely given consent at the time you provided your personal data to us.

Legitimate interests
We may rely on legitimate interests based on our evaluation that the processing is fair, reasonable and balanced. These include:

o Delivering services in the context of our business;

o Marketing: to deliver information about our products and services, market insights and specialty knowledge we believe is welcomed by our counterparties and business partners, and individuals who have interacted with us.

Legal obligations
We may process personal data in order to meet regulatory obligations or mandates.


Article 7 – Recipients

We may have to share your data with trusted third parties to help us deliver efficient and quality services. We require third parties to respect the security of your data and to treat it in accordance with the law.

Northpool reserves full ownership over the information and data collected. We will not sell or share personal information or data to third parties in other ways than disclosed as below:

• In reasonable need to offer our services and perform our business

• When you have provided us consent for the purpose

• When we are legally obliged to do so

Which third-party service providers process your personal information?
“Third parties” include third-party service providers (including contractors) and other entities related to Northpool B.V. The following activities are carried out by third-party service providers:

• Software Product Development Services

• Financial Services

• IT system support services

• Marketing services providers

• Recruitment service providers

• Other parties that support us in providing our services e.g. providers of telecommunication systems, archiving services, data management and cloud-based software services.

All our third party service providers and other entities directly related to Northpool B.V. are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

We may share your personal information with other third parties, for example in the context of a possible sale or restructuring of the business. We may also need to share your personal information with a regulator or to otherwise comply with the law.

Sharing with other legal entities directly related to Northpool B.V.

We may share your personal information with other entities for administrative purposes and to provide professional services, as part of our regular reporting activities on company performance, for system maintenance support and hosting of data.

Data sharing outside the EEA

We store personal data on servers located in the European Economic Area (hereinafter: “EEA”). We may share your personal data with trusted reputable third party organisations situated inside and outside the EEA when we have a business reason to engage these organisations.

Northpool guarantees an appropriate level of protection of personal data with those parties. If we forward your data to other parties outside Northpool B.V. and outside the EEA, we evaluate on a case-by-case basis how the data will be processed and what the appropriate measures to adequately protect your data must be. If we use third parties outside the EEA and the country or international organisation within which this party is located does not, in the opinion of the European Commission, offer adequate protection in the processing of personal data, then we will only transfer personal data to them if there are adequate other safeguards, for example contractual arrangements approved by the European Commission (the ‘EU model clause’), Corporate Binding Rules and/or EU-US Privacy Shield certificate. If the processing to the country or international organisation outside the EEA does not offer an adequate level of protection and the conditions given below are also not met, the personal data will not be forwarded. If we do so, you have a right to know and in that case, you may obtain a copy of the applicable safeguards at Northpool B.V., who is appointed as the ‘controller’ for the processing of personal data.


Article 8 - Cookies, websites and company systems

Cookies

Our website uses cookies. Cookies are small pieces of information (small files) which a website leaves on your equipment (e.g. your computer). The website instructs the web browser with which you view websites (e.g. Internet Explorer) to store these cookies on your equipment. On the websites of the controller two kinds of cookies are used:

Functional cookies: these cookies are necessary to make a website function. The controller uses functional cookies to facilitate navigation on the websites and to store specific user settings or user preferences, so as to optimize your use of the websites;

Analytical cookies: Northpool uses Google Analytics. Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of our website. This data is shared with other Google services. Google may use the collected data to contextualize and personalize the ads of its own advertising network.

Northpool company systems
All information, including personal information, placed on or sent using Northpool’s systems (including third party systems provided by Northpool or accessed through Northpool’ssystems) may be monitored, examined, recorded, copied, disclosed and used in accordance with Northpool’s security policies and applicable law.
From a business perspective your personal details e.g. your name, business email and business telephone number may be used in reports, emails, business correspondence and Northpool documentation systems. Northpool has a lawful reason for holding this information on you to operate our business and provide our products and services. We cannot delete records of communication that hold personal data on you.


Article 9 – Your rights regarding information

Inform us of changes

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your relationship with us.

Your rights in connection with personal information

Your data protection rights are highlighted here:

1) Request access to your personal information (known as a ‘data subject access request’).

2) Request correction of the personal information that we hold about you.

3) Request erasure of your personal information.

4) Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.

5) Request the restriction of processing of your personal information.

6) Request the transfer of your personal information to another party.

7) Object to use for Marketing purposes. You can object to our use of your personal data for marketing purposes, including profiling. We may need to keep some minimal information to comply with your request to cease marketing to you.

8) Withdrawal of Consent. You can withdraw your consent that you have previously given to one or more specified purposes to process your personal data. This will not affect the lawfulness of any processing carried out before you withdraw your consent. It may mean we are not able to provide certain products or services to you and we will advise you if this is the case.

Northpool does not conduct any automated decision making as referred to in the GDPR.

To submit a data request, as mentioned above, please follow this link privacy@northpool.nl

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

You will not have to pay a fee to access your personal information or to exercise any of the other rights. However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

There are a small number of cases where we do not have to give you the information you have asked for. For example, if we are using data for the purposes of investigating or detecting crime.

What we may need from you

We may need to request specific information from you to help us confirm your identify and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

For how long will we retain your information?
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and theapplicable legal requirements.

By law we have to keep contractual information about you (including offers, contracts and financial details) for legal, regulatory and tax purposes.

Personal data of applicants will be retained for one month, unless we have received your permission to keep it in file for a longer duration (1 year), or unless data are anonymized.

We will dispose of personal data in a secure manner when we no longer need it.


Article 10 – Data Protection Officer


Should you have any questions about this Statement, if you have any concerns as to how your personal data is processed or if you wish to exercise your rights mentioned under article 9, please contact our Data Protection Officer (hereinafter: “DPO”), on the following address:

Northpool B.V.
Att. Petra Brouwer

3e Binnenvestgracht 23 N

2312 NR Leiden

Or email privacy@northpool.nl
We aim to respond within 30 days from the date we receive privacy-related communications.


Article 11 – Complaints

If you consider that your personal data has been misused or mishandled, you may raise a complaint to the Data Protection Supervisory Authority, who is an independent regulator.

Northpool’s Lead Supervisory Authority is:
Autoriteit Persoonsgegevens
Bezuidenhoutseweg 30
2594 AV THE HAGUE
Tel.: +31-88-1805250

Complaints can be submitted via following link:

https://autoriteitpersoonsgegevens.nl/nl/zelf-doen…

Any complaint to the Supervisory Authority is without prejudice to your right to seek redress through the courts.


Article 12 – Applicable law

These conditions are governed by Dutch law. The court in the district where the collector has its place of business has the sole jurisdiction if any dispute regarding these conditions may arise, save when a legal exception applies.


Article 13 – Changes to this Privacy Statement

We reserve the right to update this privacy statement at any time, and will post any updates on this webpage. This privacy statement was last updated 22nd February 2019.


Contact us