privacy statement

1. Purpose


In the course of business HEMA collects personal information about its customers, website visitors and employees via its shops, website(s), application(s), special offers, loyalty programme and other services. HEMA is convinced that the protection of personal data is of essential importance.

This document contains the foundation of HEMA’s policy with regards to privacy, privacy sensitive information and data protection. In order to protect privacy, privacy sensitive information and personal data, effective security is a top priority for HEMA. HEMA has therefore taken adequate technical and organisational measures to secure personal data against loss or any form of unlawful processing.

The purpose of this privacy policy is to provide tools to anyone working for HEMA to comply with the various privacy and data protection regulations.


2. Context

Besides national laws and regulations the European Union also dictates strict privacy laws. Examples are the European Convention for the protection of Human Rights (everyone is entitled to respect for their private life) and the General Data Protection Regulation. This regulation provides new and more strict rules regarding privacy and how it should be protected.


3. Definitions


Autoriteit Persoonsgegevens, the Dutch authorative body checking compliance with privacy laws and issuing fines.


Data Breach

a security incident causing Personal Data to be stolen, leaked or copied.


Data Breach Response Team 

the HEMA team consisting of (i) Head Legal, Audit & Risk, (ii) the Privacy Officer and (iii) the Information Security Officer that assesses and responds to notifications of Data Breaches.


Data Minimalisation

the general principle reflected in the GDPR to keep the personal data You gather & store to a minimum.


Data Processing Agreement an agreement signed between the responsible party(HEMA) and a party processing personal data on HEMA’s behalf


Data Subject

the private person whose personal data is being processed.


Purpose Limitation

the general principle reflected in the GDPR to only use personal data for the purpose for which it is given.


Personal Data

all data which might provide information on an identifiable person. Examples are: name, address, e-mail, customer database, characteristics, opinions, actions of people, photo’s and other visual data, special personal data such as data on religion, beliefs, race, political preference, health, sexsual life, union memberships, criminal records.


Privacy Statement

the information document on for website visitors and customers detailing how HEMA handles personal data of visitors and customers. The statement is being amended from time to time if so prompted by new developments.


Security Incident

every incident that resulted or could have resulted in loss of or damage to data or which has caused a breach of security procedures.


4. Guidelines

When working for HEMA with access to personal data it is of great importance that you adhere to the following guidelines:

  1. Limit the collection of personal data as much as possible à Data Minimalisation

  2. Only use personal data for prior set purposes à Purpose Limitation

  3. Limit the duration of storage of personal data to a minimum

  4. Share and provide access to personal data on a strict need-to-know-basis

  5. Keep personal data confidential

  6. Do not share log in or passwords

  7. When processing personal data you must only use the HEMA network, e.g. do not use USB sticks or personal cloud services

  8. When third parties are given access to personal data a Data Processing Agreement (DPA) is required. Please contact the Legal department to have a DPA drafted.

  9. Always consider encryption, anonymisation or pseudonymisation when processing personal data

5. Responsibilities

It is important to HEMA that its services are transparent and reliable. Therefore the various responsibilities surrounding privacy and data protection are set out below:

It is the responsibility of the person working with privacy sensitive information (e.g., customer service department, HR department, e-commerce department, etc) to comply with the guidelines in order to keep this sensitive information secure.

It is the responsibility of the person detecting a data breach to inform the Data Breach Response Team.

It is the responsibility of the Data Breach Response team to report to the AP.

The Privacy Officer is responsible for the Privacy Policy of HEMA.

The Information Management department is responsible for the security of the HEMA network and systems.

The Information Security Officer is responsible for monitoring the security of the HEMA network and systems.


6. Data Breach / Security Incident


Security incident / Data breach

A security incident becomes a data breach in case personal data (e.g. name, address, email, phone numbers, IP addresses etc. etc.) have been lost, deleted, hacked or if unauthorized access/viewing became possible. Examples are: losing a USB stick or mobile device, malware on PC’s connected to the HEMA network, emailing personal data files to unintended addressees. Also the complete loss of data (for instance: a fire without any backup of data) is considered a data breach.

HEMA takes adequate measures to prevent data breaches, for instance by means of encryption techniques.

Incidents with other data than personal data are not considered data breaches.


What to do in case of a data breach?

The GDPR dictates that companies must promptly notify the authorities in case of a data breach. So if you become aware of a data breach:

  1. immediately contact the audit & risk department (Security Officer) + the legal department (Privacy Officer)

  2. Data Breach Response Team’ starts protocol

  3. please act fast and be co-operative ; the AP must be notified by us within 72 hours

  4. If a data breach occurs at a company and this is not timely reported to the authorities, fines of 2% of our annual turnover or EUR 10.000.000,- may be imposed!


7. Contact list


This Privacy Policy is maintained at the Legal Department. In case you have any questions, need more information or wish to report a security incident, please contact us:



© HEMA - February 2017