GDPR
Version valid as of 1 January 2025
WasteDesk has been developed with privacy by design as a starting point. Vesta Group B.V. processes personal data in line with the General Data Protection Regulation (GDPR). On this page we explain how we, as data controller and processor, fulfil GDPR requirements.
Data controller and processor
Vesta Group B.V. acts as data controller for personal data processed in the context of our own business operations (such as contact details of prospects and customers).
For personal data that customers enter into the WasteDesk application (such as data of drivers, customers and senders), Vesta Group B.V. acts as a data processor. In that case the customer is the data controller. We conclude a data processing agreement (DPA) with each customer.
Legal bases for processing
We process personal data only on the basis of one of the following legal bases:
- Performance of a contract — for delivering the WasteDesk service
- Legal obligation — for compliance with tax and industry-specific regulations (such as AMICE/LMA reports)
- Legitimate interest — for security, fraud prevention and product improvement
- Consent — for marketing communications, only after explicit opt-in
Data within the EU
All data is stored and processed within the European Union. WasteDesk uses Hetzner Cloud, based in Germany, as its primary hosting partner. No personal data is transferred outside the EEA.
Retention periods
- Customer and transaction data: 7 years (statutory tax retention)
- Log files and session data: maximum 90 days
- Contact form data: maximum 2 years after last contact
- After agreement termination: 30 days, then permanent deletion
Data Processing Agreement (DPA)
We use a standard data processing agreement (DPA) that meets the requirements of the GDPR (art. 28). Customers can request the DPA via info@wastedesk.io. The agreement covers, among other things:
- The nature, purpose and duration of processing
- The categories of personal data and data subjects
- The obligations and rights of the controller
- Technical and organizational security measures
- Arrangements for sub-processors
Technical and organizational measures
- Encryption of all data in transit via TLS 1.2+
- Encryption of data at rest
- Role-based access control (RBAC) per user
- Two-factor authentication available for all users
- Regular backups with automated restore testing
- Penetration tests and security audits
- Staff trained in data security and the GDPR
Your rights as a data subject
Under the GDPR you have the following rights:
- Right of access (art. 15)
- Right to rectification (art. 16)
- Right to erasure (art. 17)
- Right to restriction of processing (art. 18)
- Right to data portability (art. 20)
- Right to object (art. 21)
You can submit requests via info@wastedesk.io. We respond within 4 weeks. You can also file a complaint with the Dutch Data Protection Authority via autoriteitpersoonsgegevens.nl.
Data breaches
Vesta Group B.V. has an internal protocol for handling data breaches. In the case of a breach likely to result in a risk to the rights and freedoms of data subjects, we report it within 72 hours to the Dutch Data Protection Authority. Data subjects are informed if the breach is likely to result in a high risk to them.
Contact and data protection officer
For GDPR-related questions you can contact:
- Vesta Group B.V. — for the attention of Privacy
- Westelijke Havendijk 17-E, 4703 RA Roosendaal, The Netherlands
- info@wastedesk.io
- +31 165 751 341