1. Who is Flynth?

Under the name Flynth fall Flynth Holding N.V. and the following affiliated entities:

Flynth adviseurs en accountants B.V.
Flynth Audit B.V.
accon belastingadvies B.V.
accon avm werkgeversservices B.V.
Meander OG C.V.
Bosch & Van Rijn B.V.
Rombou B.V.

2. Protection of Your Personal Data
Legal framework

Clients, suppliers, business relations and employees are entitled to expect that Flynth handles their data with due care. Flynth has developed a privacy policy aligned with the (European) General Data Protection Regulation (GDPR) and the Dutch GDPR Implementation Act (UAVG). This policy is implemented through agreements, codes of conduct, and (security) measures.

Processing principles

Flynth adheres to the core principles of personal data processing as defined by privacy legislation:

Lawful, fair and transparent: Your personal data is processed in accordance with legal requirements. Flynth handles your data carefully and informs you appropriately.
Purpose limitation: Personal data is processed only for specific purposes and on valid legal grounds as defined in the GDPR.
Data minimisation & storage limitation: Flynth processes no more data than necessary. Data is securely deleted when no longer required.
Accuracy, integrity and confidentiality: Personal data is treated confidentially and regularly checked for accuracy. Employees and third parties acting on behalf of Flynth (see section 5) are bound by confidentiality obligations.
Security: Flynth has implemented appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, loss, damage or destruction, and requires the same from its suppliers.
3. What Personal Data Does Flynth Use

Flynth only processes personal data necessary for proper service delivery and business operations. These data are obtained from clients and may relate to the clients themselves, their employees or business relations.

For relationship management and communication, Flynth processes contact details such as:

First and last name
Initials and title
Gender
Address, postal code and city
Email address
Telephone numbers

Additional data, such as financial information or a citizen service number (BSN), is processed only where necessary for contractual obligations, legal compliance, or operational security.

Special categories of personal data

Flynth does not intentionally process special categories of personal data (as defined by the GDPR), such as data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, health data, or data concerning sexual orientation.

However, such data may be indirectly inferred from documents such as invoices, bank statements or transaction descriptions. Flynth considers itself not responsible for such indirect processing.

Sensitive data

Financial reports, tax returns, payroll records and advisory files are considered sensitive data and are handled with utmost care. Login credentials (usernames and passwords) are also treated as sensitive data.

Flynth is legally required to process the BSN for tax filings, benefits applications and payroll administration. A full copy of an identity document is required under Dutch wage tax legislation. Under the Dutch Anti-Money Laundering and Anti-Terrorist Financing Act (Wwft), Flynth must verify and retain proof of identity.

Confidentiality towards third parties is always a core principle.

4. Why Flynth Processes Personal Data (Purpose and Legal Basis)

Flynth processes personal data only where a legal basis under the GDPR applies and does not use data for purposes other than those for which they were collected, unless compatible or based on explicit consent.

Legal bases
a. Performance of a contract
Processing is necessary for delivering services, managing supplier agreements, employment contracts and related operations such as HR, financial administration, collections and IT processes.
b. Legal obligation
Processing is required for compliance with laws such as financial administration, tax obligations, and the Wwft (including identity verification and UBO registration). Data may also be obtained from external sources such as the Trade Register or information providers like Graydon.
c. Legitimate interest
Processing is necessary for efficient and secure business operations, professional obligations, liability protection, and informing clients about relevant developments (e.g. legal updates, events, webinars).
d. Consent
Consent is used only where no other legal basis applies, typically for individuals who are not (yet) clients.
5. Third-Party Service Providers

Flynth engages third parties to ensure efficient and secure service delivery, such as:

Software and IT providers
Archiving and document destruction services
Specialist advisors

Where necessary, data processing agreements are concluded to ensure confidentiality and security.

6. Disclosure to Third Parties

Personal data is never shared with third parties without your consent, unless legally required.

Examples include:

Reporting obligations to tax authorities (e.g. DAC6)
Reporting unusual transactions to the Financial Intelligence Unit (FIU)
Requests from authorities such as the Tax Administration, FIOD, AFM or Dutch Data Protection Authority
Quality reviews by professional bodies such as the NBA

Data intended for banks, authorities or other institutions (e.g. tax returns, financial reports) is only shared based on your authorisation. Preferably, you submit these documents yourself.

7. Your Rights

Under privacy legislation, you have several rights:

Right to information

You have the right to be informed about data processing before it occurs.

Right of access

You may request access to your personal data.

Right to rectification or erasure

You may request correction or deletion of your data, unless legal obligations prevent this.

Right to restriction and objection

You may object to processing or request restriction, based on your specific situation.

Requests can be submitted in writing or by email (see section 10). Your identity will be verified before processing your request.

8. Security

Flynth takes all necessary measures to protect your privacy. Data is only processed when necessary and deleted when no longer required. Retention periods depend on legal requirements and purposes.

Employees are bound by confidentiality. Systems, networks and buildings are secured appropriately, and the same standards apply to partners and suppliers.
9. Personal Data Breaches

Despite the technical and organisational measures implemented by Flynth, a personal data breach cannot be entirely excluded.

Flynth has established procedures to detect, assess and respond to incidents that may result in a personal data breach. Reported incidents are investigated by a dedicated incident response team, which will take appropriate measures to mitigate risks and prevent further harm to data subjects and to Flynth.

Where a personal data breach is likely to result in a risk to the rights and freedoms of natural persons, Flynth will notify the competent supervisory authority in accordance with Article 33 GDPR. Where required, affected data subjects will also be informed in accordance with Article 34 GDPR.

If you become aware of a suspected personal data breach at Flynth, you are requested to report this without undue delay via the dedicated email address:
meldpunt_datalekken@flynth.nl

(please include your telephone number to enable follow-up contact)

10. Questions and Complaints

If you would like more information about your rights or about how Flynth processes your personal data, you may submit a request to the Flynth Privacy Team by post or email.

Flynth will respond to your request or complaint as soon as reasonably possible and in any event within four (4) weeks.

Flynth adviseurs en accountants
Attn. Privacy Team
P.O. Box 9221
6800 KB Arnhem
The Netherlands
privacyteam@flynth.nl

Supervisory Authority

If you have a complaint regarding the processing of your personal data and Flynth has not resolved this to your satisfaction, you have the right to lodge a complaint with the competent supervisory authority:

Dutch Data Protection Authority (Autoriteit Persoonsgegevens)