Image 2026 04 15 T12 35 53

Legal Document

Privacy Policy

For candidates and seconded employees
McFly & Brown Netherlands B.V.
Version 3.0 | Date: 20-03-2026

Who are we?

McFly & Brown is a recruitment and secondment agency that connects technical professionals with innovative organizations in the Dutch manufacturing industry. We support both parties in creating sustainable matches.

How do we obtain your personal data?

We collect and use personal data in the context of our recruitment and secondment activities. This may occur when you are registered with us as a candidate or when we have contact with organizations for which we recruit professionals. We may also obtain data from public sources or third parties where necessary to carry out our services properly.

What personal data do we process?

At McFly & Brown, we may process the following personal data:

  • name, address, and place of residence;

  • contact details, such as email address and phone number;

  • date and place of birth;

  • citizen service number (BSN);

  • copy of identification document;

  • bank account number;

  • salary details and other financial information;

  • employment-related data, such as position, contract type, work schedule, and working hours;

  • performance and evaluation reports;

  • education and development data, such as completed training and certifications;

  • absence and sick leave data, where necessary (e.g., in the context of reintegration via an occupational health service);

  • signature;

  • driver’s license details (if relevant, for example when using a company car);

  • company car usage data, such as lease information;

  • any data you provide to us or that is necessary for the performance of your role.

If you work with us as a self-employed contractor (ZZP), we may additionally process:

  • Chamber of Commerce (KvK) number and extract;

  • VAT number;

  • business contact and invoicing details;

  • insurance information;

  • entrepreneur assessment.

The exact personal data we process depends on the situation. Please refer to “Why do we process your personal data?” for more information.

Special categories and criminal data

In principle, we do not process special categories of personal data unless this is necessary and permitted by law.

Health data is only processed when necessary for absence management and reintegration, typically through an occupational health service or company doctor (Dutch Gatekeeper Improvement Act, Working Conditions Act, GDPR Article 9).

Data relating to criminal records is only processed when required for your role, for example for screening purposes or obtaining a Certificate of Conduct (VOG) (GDPR Article 10 and applicable legislation).

We handle such data with care and process it only when strictly necessary, applying appropriate technical and organizational safeguards.

Why do we process your personal data?

We collect and use personal data in the context of our recruitment and secondment services. This includes situations where you register as a candidate, apply for a vacancy, or are approached based on your profile on a professional network such as LinkedIn. We may also receive data from third parties, such as references, or use publicly available data where necessary to perform our services.

On what legal grounds do we process your personal data?

1. Performance of a contract

We process personal data when necessary to perform a contract with you, such as arranging an employment or secondment agreement. Without this processing, we cannot provide our services.

2. Legitimate interest

We process personal data where necessary for our legitimate business interests, such as matching candidates with organizations or approaching organizations for vacancies. These interests are always carefully balanced against your privacy.

3. Legal obligation

We process personal data where necessary to comply with legal obligations, such as tax or administrative requirements related to employment and contracts.

4. Consent

We process personal data based on your consent when required for specific purposes, such as marketing communications. You may withdraw your consent at any time. From that moment, we will stop processing your data unless another legal basis applies.

How long do we retain your personal data?

We do not retain your personal data longer than necessary for the purposes for which it was collected. The following retention periods apply:

Retention periods

Candidate file (active process)
During the duration of the cooperation

Candidate data (completed process, not placed)
Maximum of 2 years after last contact

Candidate pool data (with consent)
Maximum of 4 years after last contact, or until consent is withdrawn

Financial data and contracts
7 years (statutory retention obligation)

Application data (direct rejection, no active process)
4 weeks after completion of the procedure, unless you consent to longer retention

Camera footage
Maximum of 4 weeks, unless required for an incident

With your consent, we may retain your data longer in our candidate database to contact you about future opportunities. You may withdraw your consent at any time.

With whom do we share your personal data?

We only share your personal data with third parties when necessary for the performance of recruitment or secondment services, to comply with legal obligations, or based on legitimate interest. This includes:

Clients
Only after informing you and only where necessary for assessing your candidacy or executing your assignment.

External service providers (processors)
Such as Bullhorn (ATS), Microsoft (email and storage), Spadework AI (CV processing), and TestGroup (assessments). These parties are contractually obligated to protect your data.

Government authorities
Where required by law.

If you are seconded to a client, absence management may also be handled via the client’s occupational health service. In such cases, McFly & Brown only receives the data necessary to fulfill its role as employer.

Is your data transferred outside the EEA?

We use several services where personal data may be processed outside the European Economic Area (EEA), including:

Bullhorn, LinkedIn, Microsoft Office 365, Microsoft Copilot, ChatGPT/OpenAI, Fireflies, Lusha, and WhatsApp (all based in the United States).

For all such transfers, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.

The following parties process data within the EEA: Kirema, Dashlane, Cloud Salaris (Van Eeden ABC B.V.), Spadework AI, TestGroup, and KPN.

Who has access to your data?

Within McFly & Brown, employees only have access to personal data if authorized. All employees with access are bound by confidentiality agreements and use the data solely for recruitment and secondment purposes.

How do we protect your personal data?

We take appropriate technical and organizational measures to protect your personal data against loss, misuse, or unauthorized access.

We work with Kirema as our IT partner for system security. Access to our systems is secured via Single Sign-On (SSO) and two-factor authentication using Microsoft Authenticator. Passwords are managed via Dashlane. Additionally, our devices and applications are configured to restrict access from outside the Netherlands.

We comply with applicable laws and regulations, including the GDPR, and ensure that third parties also process your data securely.

Sensitive personal data

Certain data requires extra protection, such as your BSN, financial data, and identity documents. We use this data only where legally permitted or required and apply strict security measures to ensure only authorized access.

Use of cookies

We use cookies and similar technologies on our website. A cookie is a small text file stored on your device upon your first visit. We request your consent for non-essential cookies and allow you to manage your preferences.

We use:

  • Functional cookies (necessary for website functionality) – retention: session / up to 1 year

  • Analytical cookies (e.g. Google Analytics) – retention: up to 2 years

  • Marketing cookies (advertising and campaign tracking) – retention: up to 1 year

Your privacy rights

You have the following rights:

  • Right of access

  • Right to rectification

  • Right to erasure

  • Right to restriction of processing

  • Right to object

  • Right to withdraw consent

  • Right to data portability

Automated decision-making

We do not use fully automated decision-making that has legal or significant effects on you. Candidates are always assessed by our employees.

Questions or complaints

If you have questions or wish to exercise your rights, please contact our Privacy Officer via dpo@mcflybrown.com.

You may also write to:

McFly & Brown
Attn. Privacy Officer
Kabelweg 37
1014 BA Amsterdam
The Netherlands

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).