Controller and contact

This privacy statement is issued by Nucleaire Energie Organisatie Nederland B.V. / Nuclear Energy Organisation Netherlands (NEO NL B.V.) (“NEO NL”, “we”, “us”) with registered office at Carel van Bylandtlaan 5, 2596HP The Hague, Netherlands.

NEO NL acts as controller for the processing described in this privacy statement.

Privacy contact:

E: privacy@neonl.com

P: Carel van Bylandtlaan 5, 2596HP The Hague

Scope

The aim of this Privacy Statement is to provide you with all the relevant information regarding the collection and further processing of your personal data by NEO NL.

In particular, in relation to the collection and processing of information which may result from your use of:

the NEO NL website – www.neonl.com – (hereinafter, “the website”), or

other online and offline interactions (e.g., correspondence, recruitment, visitor management, and contractual/business relationships).

Personal data we process

Depending on how you interact with us, we may process:

A. Contact and correspondence data

name, job title, organisation, address, email address, telephone number, and the content of your message/request.

B. Business relationship data

contact details of persons working for (prospective) customers, suppliers and partners; communications; meeting notes; contractual and operational information necessary to manage and perform agreements; and (where relevant) invoicing/procurement administration.

C. Recruitment data

CV, cover letter, work history, education, information you provide during interviews, and notes from the recruitment process. If you voluntarily provide special categories of data (e.g. health information), we will only process this to the extent permitted by law and where necessary.

D. Visitor, access and security data

visitor name, organisation, contact details, date/time of visit, host, badge/access credential information, access logs.

E. CCTV data

camera images and related metadata (date/time/location), where CCTV is used.

F. Website technical data

IP address, device/browser information, log data, and data necessary to maintain and secure the website. If we use analytics or third-party embedded content, additional data may be processed (see cookie statement).

We do not intentionally collect personal data from children under 16 via our website.

Purposes and legal bases

NEO NL processes personal data only where permitted under the GDPR and applicable Dutch law. Depending on the context, we rely on one or more of the following legal bases: performance of a contract, legal obligation, legitimate interests, and consent.

4.1 Handling questions, requests and correspondence

Purpose: responding to enquiries, providing information, and communicating with you.

Legal basis: legitimate interest (efficient communication and service), and/or steps prior to a contract where applicable.

4.2 Recruitment and selection

Purpose: processing applications, assessing suitability, communicating during the process, and making a hiring decision.

Legal basis: legitimate interest (recruitment) and/or steps prior to a contract.
Retention “talent pool”: only with your consent (see Section 8).

4.3 Managing relationships and performing agreements

Purpose: entering into and performing agreements, managing contacts, meetings and communications, and operational administration.

Legal basis: performance of a contract and/or legitimate interests (relationship management, business operations).

4.4 Visitor management, access control and security (including CCTV)

Purpose: safeguarding people and assets, managing reception/access, preventing and investigating incidents, and ensuring continuity and security.

Legal basis: legitimate interest (security and safety). If a specific legal obligation applies in a concrete case (e.g., based on sector-specific rules or a binding instruction by a competent authority), we may additionally rely on legal obligation for that processing.

4.5 Compliance, governance and legal claims

Purpose: compliance with applicable laws, handling complaints, audits, information security, and establishing/exercising/defending legal claims.

Legal basis: legal obligation (where applicable) and/or legitimate interests (governance, security, claims).

4.6 Recipients

We do not sell personal data. We may share personal data with:

Service providers (processors) acting on our instructions, such as IT/hosting providers, security service providers, recruitment support providers, and professional advisers (e.g., auditors, legal counsel), to the extent necessary.

Public authorities or regulators where we are legally required or permitted to do so.

Other third parties only where necessary for a specific purpose and in accordance with the GDPR.

Our website may include links to third-party websites, plug-ins services and applications. Those third parties are responsible for their own processing of personal data and cookie practices. If you use third-party services, their terms and privacy/cookie information apply.

Where required, we enter into a data processing agreement with processors.

International transfers

Personal data may be processed in the EEA and, depending on our suppliers and tooling, may be accessed or processed outside the EEA.

Where personal data is transferred outside the EEA, NEO NL ensures appropriate safeguards as required by the GDPR, such as:

an adequacy decision by the European Commission; and/or

the European Commission’s Standard Contractual Clauses, supplemented where necessary by additional measures.

Security

NEO NL implements appropriate technical and organisational measures to protect personal data, taking into account the nature of the processing and risks. Measures typically include access controls, role-based authorisations, logging, secure configuration and patching, and confidentiality obligations.

Retention

We retain personal data no longer than necessary for the purposes described, unless a longer retention is required or permitted by law (e.g. statutory administrative retention periods) or needed for legal claims.

Indicative retention periods:

Enquiries/correspondence: for as long as needed to handle the request and any follow-up

Business relationship records: for the term of the relationship and thereafter as required by law and/or for limitation periods relevant to claims.

Recruitment (not hired): up to 4 weeks after the end of the recruitment procedure.

Recruitment talent pool: up to 12 months only if you have given consent; you can withdraw consent at any time, after which we will delete the data unless we must retain it for another lawful reason.

Visitor registration/access logs: 3–6 months, unless needed for incident follow-up.

CCTV recordings: up to 28 days, unless an incident requires longer retention for investigation or legal proceedings.

What are your rights and how can you exercise them?

Under the GDPR, you have the right to:

• access;
• rectification;
• erasure (in certain cases);
• restriction (in certain cases);
• objection to processing based on legitimate interests;
• data portability (where applicable);
• withdraw consent (where processing is based on consent).

How to exercise your rights: contact us via privacy@neonl.com. We may request additional information to verify your identity. We aim to respond within one month, unless the GDPR allows an extension.

NEO NL does not make decisions with legal or similarly significant effects solely by automated means (without human involvement) in the contexts covered by this statement.

If you have concerns, contact us first via privacy@neonl.com.

You also have the right to lodge a complaint with the Autoriteit Persoonsgegevens (Dutch Data Protection Authority).

NEO NL has not appointed a statutory Data Protection Officer. For privacy matters, contact privacy@neonl.com.

Notification of changes to this Policy

To ensure the highest standard of our compliance program, we will continuously monitor its adherence with the regulation and best practices and update this privacy statement regularly. The latest version will be published on our website with the updated date.