PRIVACY STATEMENT

This is the Privacy Statement of Golden Arrow Olieproducten Amsterdam B.V. (Golden Arrow), established at Dukdalfweg 60, 1st floor, 1041 BE in Amsterdam, the Netherlands. Golden Arrow is a subsidiary of ACT Commodities Group B.V. We consider data protection of utmost importance. In this Privacy Statement we set out how we process personal data, which we do with all possible care.

With regards to the processing of personal data by Golden Arrow, Golden Arrow is the Controller. If, after reading this Privacy Statement, you have any questions about how we handle your personal data, or if you wish to exercise your rights under the General Data Protection Regulation (“GDPR”) mentioned in this Privacy Statement, or under any other data protection legislation, or if you wish to make a complaint about our use of your personal data, you may contact us at telephone number +31(0)20-2199268 or by email at HStrikwerda@actcommodities.com. If you are not satisfied about the way we have handled your complaint, or if you prefer not to make your complaint to us, you may also submit a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), via the website autoriteitpersoonsgegevens.nl.

Processing of personal data

Clients

We process contact details of suppliers and customers, such as name, company name, phone number, email.  We process personal data of its suppliers and customers for the purposes of:

• Administrative purposes;
• Communication about the order;
• To carry out the order.

The legal basis for this is that the data are necessary to perform the contract concluded with the client.

Prospects

We process the contact details (name, company name, telephone number, email) of contacts at prospective and former clients to contact them in order to offer our services to them, and to send them holiday wishes. We process this personal data in view of our legitimate interest to perform our activities and to obtain new orders. We do not send unsolicited commercial communications by email without the explicit consent of the intended recipient.

Contact

If we are contacted via the contact form on our website, by email, social media or telephone, we process the data that is provided to us. This typically includes the name, email and telephone number and the content of the contact (e.g. a question). We use this information, where relevant, to contact the person concerned, for instance, to answer a question. We may add this data to our prospects’ files (please see above). We process this personal data in view of our legitimate interest to perform our activities and obtaining new orders.

Recruitment and application procedures

We process the personal data provided to us by prospective employees or obtained from a recruitment agency or via Linkedin. This may include name, address, email, telephone number, CV and all information it contains (including information about education and previous experience) and information posted on Linkedin.

If an applicant is invited for an interview, we process, in addition to the information mentioned above, all other information the applicant provides us with. This may include information about education, work experience and references.

For the purpose of the second round of the application procedure, we may process data from a personality test, and data concerning motivation, talent, and competencies in order to decide whether the applicant would fit in with the organization.

During the final phase of the application procedure, we may instruct an external agency to screen the applicant within the context of an integrity review. Obtaining a Certificate of Conduct (Verklaring Omtrent het Gedrag) is part of this screening. We only conduct the screening if this is necessary for the position concerned. The screening is highly secure and is conducted with all possible care and consideration.

The legal basis for processing personal data within the context of recruitment and application procedures is that this processing is a necessary step to enter into an agreement, and in view of Golden Arrow’s legitimate interest to recruit and hire new staff.

Visitors of the website

Finally, we process information about the visitors of our website (or rather about their computers), by placing cookies every time they visit our website. The legal basis for this is the consent we ask each visitor upon their first visit to our website. You may withdraw this consent at any time.

Retention periods

Personal data of clients and their contacts

We keep the personal data of our contact persons at clients and prospects only for as long as necessary for the purposes for which the data is provided. We keep our administration, including invoices and other documents that include the personal data of parties, for a period of seven years after the end of the financial year, in order to comply with our statutory retention obligation for tax purposes.

Recruitment and application procedures

Information about applicants that are not hired are kept for a period of one year after the end of the application procedure. This term is necessary for us to evaluate the applicant’s application, to create a talent pool which is of great value to us and to possibly contact the applicant about future opportunities consistent with this policy and the expressed

Sharing personal data to third parties

Where necessary, we may also share personal data with our group entities who are located outside the EEA. We have concluded an agreement with our group entities based on the standard contract clauses approved by the European Commission in Commission Decision of 4 June 2021 (EC 2021/914C) and other applicable laws.

Personal data is stored electronically and may be included in emails we send or receive and is consequently stored (and processed) by our ICT providers. We have concluded data processing agreements with these providers that stipulate at least the same level of security and reliability that you may expect from ourselves.

Our accountant may have access to the personal data of contact persons at clients. We may also share this data with firms that conduct customer satisfaction surveys for us.

We may also share the data of contact persons at clients with third parties where this is necessary in order to execute your order. We may for instance share your data with sellers and regulators.

Recruitment and application data is stored in our recruitment software from Greenhouse Software, Inc., a cloud services provider located in the United States of America and engaged by ACT to help manage its recruitment and hiring process on Golden Arrow’s behalf. Accordingly, if the applicant is located outside of the United States, the personal data will be transferred to the United States. We have concluded a data processing agreement with that party. Because the European Union Commission has determined that United States data privacy laws do not ensure an adequate level of protection for personal data collected from EU data subjects, the transfer will be subject to appropriate additional safeguards under the standard contractual clauses. When an applicant proceeds to the next phase in the application procedure, his/her personal data may also be shared with an assessment agency and if necessary, and in consultation, with CV-OK, the agency that conducts screenings for us. CV-OK has a license from the Dutch Data Protection Authority.

The data collected via cookies is processed by the providers of those cookies. Please see our cookie statement for more information.

Apart from the situations mentioned above, we do not share personal data with third parties, unless we are obliged to provide certain data under the applicable laws or regulations, for instance to the police under a warrant.

Security

We have a strict security policy in place and Golden Arrow has taken appropriate technical and organizational measures to protect your personal data, such as:

• All employees of Golden Arrow who can have access to personal data are bound to the confidentiality of this information;
• A strict username and password policy on all systems;
• Access authorizations, both online and offline;
• Regular back-ups of personal data so the personal data can be restored in case of a physical or technical incident;
• Testing and evaluating all our measurements on a regular basis;
• Awareness of our employees about the protection of personal data.

Your rights

You have the following rights:

1. the right to access your personal data and to receive a copy thereof.
2. the right to have your personal data rectified if they are incorrect or incomplete.
3. the right to object to the processing and/or (in certain circumstances) to restrict the processing of your personal data.
4. in certain circumstances, the right to have your personal data erased (‘right to be forgotten’).
5. the right to receive your personal data in a structured, commonly used and machine-readable form and to transmit that data to another controller.

For more information about these rights and when you may exercise them, see Articles 15 – 20 of the GDPR.

You may exercise your rights by contacting us via the email or telephone number mentioned at the beginning of this Privacy Statement or through the contact details hereunder.

Changes

Sometimes changes may occur in the personal data we process or in the applicable legislation. In that event, we may amend this Privacy Statement. In the event of major changes, we will post an announcement on the website or inform you of those changes by email.

Contact details Golden Arrow

Company name                       Golden Arrow Olieproducten Amsterdam B.V.

Address                                    Dukdalfweg 60, 1st floor

Zip code                                   1041 BE

City                                          Amsterdam

Country                                   The Netherlands

E-mail                                      accounts@goldenarrow.nl

Version October 2022