EMPIQ PRIVACY NOTICE – Version 8 April 2026

Introduction

This Privacy Notice is provided by EMPIQ BV, a company with limited liability incorporated under the laws of the Netherlands. We have our official seat in Amsterdam and our registered office is at Keizersgracht 62, 1015 CS Amsterdam, the Netherlands. Trade register number: 82912521.

Our services are directed at businesses and professionals. We do not knowingly collect or process personal data of individuals under 16 years of age. In accordance with Article 8 GDPR and the UAVG, if we become aware that personal data of a child under 16 has been provided to us without the consent of a parent or legal guardian, we will delete that data promptly. If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us immediately at privacy@empiq.nl.

This Notice describes how we collect, use and otherwise process your personal data, and for what purposes we may use your personal data in the context of offering and providing our legal services.

Pursuant to the General Data Protection Regulation (GDPR) — in Dutch: Algemene Verordening Gegevensbescherming (AVG) — we qualify as controller with respect to the personal data that we process. As controller, we have certain duties and responsibilities regarding our processing activities. This means that we only process personal data that is reasonably necessary in connection with the purposes set out in this Notice.

This Notice also includes information regarding your rights with respect to the processing of your personal data.

We have not appointed a data protection officer, as our processing activities do not meet the mandatory criteria set out in Article 37 of the GDPR.

How do we collect your personal data?

In the context of EMPIQ’s offering and providing legal services, we may collect your personal data in the following ways:

Directly from you

• Contact details that you provide to us as a representative of our contractual business relationship, for example as a client, supplier or service provider.
• Personal data that you provide to us as an applicant for a job at EMPIQ.
• Personal data that you provide to us when being hired by EMPIQ as an employee or as an independent professional.
• Personal data that you provide to us by filling out a request form on our website, www.empiq.nl.

Indirectly from you

• Your contact details, as provided to us by our client.
• Your contact details, as provided to us by our supplier or service provider.

Otherwise

• Information that we automatically collect from your use of our website, for example by using cookies or other technologies.

For what purposes do we use your personal data and what is our legal basis for processing?

Personal data client

Purposes and legal basis for processing activities

Contact information, including name, company, position, business email address and business or mobile phone number. Company and billing information, including VAT number, bank account number, Chamber of Commerce registration number and website. Communication, including letters and email messages with contact persons. Information on the legal services provided to our clients and information on the subject matter.

We rely on the performance of a contract with our client for: - management of our business relationship; - performance of contracted legal services; - financial management and administration of contracted services; - maintaining up-to-date contact information in our systems. We rely on our legitimate interest for: - ensuring network and information security; - legal compliance purposes; - providing updates to our clients about our legal services; - dealing with possible complaints; - establishing, defending and exercising our legal position.

Personal data supplier or service provider

Purposes and legal basis for processing activities

Your contact details, including name, company, business email address and business or private mobile number. Business-related information, including VAT number, Chamber of Commerce registration number, bank account number and website.

We rely on the performance of a contract for: - performance of contracted services, including day-to-day operational purposes; - administrative purposes, including payment of invoices; - maintaining up-to-date contact information in our systems; - invitations to business events and/or receiving business-related information. We rely on our legitimate interest for: - dealing with possible complaints; - establishing, defending and exercising our legal position.

Personal data of a job applicant

Purposes and legal basis for processing activities

Your personal contact information, including name, surname, postal address, job title, title, home number and/or mobile phone number and email address. Basic information in the recruitment procedure, including your curriculum vitae, application letter, assessment and/or other information, such as references.

We rely on your consent for using your personal data for: - recruitment activities and handling of job applications; - assessing the suitability of the applicant; - offer and acceptance details. We rely on our legitimate interest for: - security purposes or protection of our interests, the interests of other personnel or clients, such as preventing fraud, corruption or other offences or illegal activities.

Personal data employee

Purposes and legal basis for processing activities

Your contact details, including name, surname, email address, home address and business or mobile number. Basic onboarding data, including nationality, marital status, birth date, bank account information, copy passport and tax identification number. Job-related data, including work permit if applicable, compensation and allowances, information related to pensions, insurance information and sick leave related information, excluding health information. Information collected in the application procedure and during employment, including certificate of conduct, development assessments and other relevant information. Security-related data, such as logging records of your use of our IT systems and records of internal awareness training.

We rely on a legal obligation as an employer for: - withholding taxes and paying social security premiums; - establishing, exercising or defending legal claims in the context of EMPIQ’s liability as employer. We rely on the performance of a contract with our employees for: - keeping, maintaining and administering personnel records, payroll and salary records; - determining and paying out salaries and other remuneration; - withholding and paying out the required wage taxes to the competent tax authorities; - executing pension arrangements; - arranging insurances; - assisting you and helping you reintegrate after sickness or accidents; - evaluating your performance; - optimising your work activities; - terminating your employment. We rely on our legitimate interest for: - security purposes or protection of our interests, the interests of other personnel or clients, such as preventing fraud, corruption or other offences or illegal activities; - ensuring compliance with our code of conduct, internal policies, procedures and other instructions.

Personal data independent professional

Purposes and legal basis for processing activities

Your contact details, including name, surname, company, address, email address and business or mobile number. Business-related information, including VAT number, Chamber of Commerce registration number, bank account number and website. Security-related data, such as logging records of your use of our IT systems and records of internal awareness training.

We rely on the performance of a contract with you for: - performance of contracted services; - administrative purposes, including payment of invoices; - maintaining up-to-date contact information in our systems; - invitations to business events and/or receiving business-related information. We rely on our legitimate interest for: - security reasons or protection of our interests, the interests of our personnel or clients, such as preventing fraud, corruption or other offences or illegal activities; - ensuring compliance with our code of conduct, internal policies, procedures and other instructions.

Personal data visitors to our website

Purposes and legal basis for processing activities

Your contact details, including name, title, company, email address and business phone number. Technical information, such as your IP address, device type, browser type and settings, and dates and times of connecting to our website. Consent records, including records of consent that you have given, together with date, time and related information. Necessary cookies for usage statistics and usage data.

We rely on your consent for: - communicating with you in relation to your visit to our website; - tracking and analysing your surfing behaviour; - using your contact details for marketing purposes. We rely on legitimate interest for: - improving our services and the quality thereof; - aggregate statistical information.

Explanatory notes to the legal bases for processing

• We may use your personal data for the performance of a contract in the context of our business relationship and/or in the context of the performance of contracted services.
• We may use your personal data for our legitimate interests, to the extent these legitimate interests are not overridden by your interests, fundamental rights or freedoms.
• We may process your personal data based on your consent only for processing that is completely voluntary and based upon your explicit confirmation, such as ticking a box or signing a document, based upon clear and transparent information. Your consent can be withdrawn at any time.
• We may use your personal data to comply with a legal obligation in accordance with applicable law.

With whom do we share your personal data?

• We may share your personal data with our contracted service providers, suppliers and other third-party data processors who act on our behalf and only process personal data in accordance with our prior documented instructions. These recipients are authorised to use personal data only as necessary to provide us with their services.
• For applicants, we may share personal data with suppliers who have information on your suitability, such as assessment and employment agencies, or with parties who provide us with information at your request, such as current or former employers.
• For employees, we may share personal data with administrative bodies or organisations, such as social security and pension funds.
• For clients, we may share personal data with parties involved in our services, such as legal professionals and translation agencies.
• For website users and visitors, we may share personal data with suppliers that maintain the user statistics of our website.
• We may share personal data with other third parties where visitors have given consent.
• A list of our third-party data processors to whom we disclose personal data, including the associated purpose, can be requested from our operations manager. Please see the contact details below.
• We will only share personal data with third parties that guarantee the implementation of appropriate security measures to ensure that the processing activities meet the requirements of applicable data protection legislation and protect your individual rights.
• We may share personal data with legal authorities and external advisors as necessary in connection with legal proceedings and for investigating, detecting or preventing criminal offences.

Where we transfer your personal data from the Netherlands to recipients located in countries outside the EEA that are not recognised by the European Commission as having an adequate jurisdiction, we will do so on the basis of the European Commission’s Standard Contractual Clauses, latest version dated 4 June 2021. The applicable Standard Clauses set out the rights and obligations for us as responsible data controller and for the receiving data processing party to ensure appropriate data protection safeguards for the transfer to the receiving party.

The Standard Clauses will also include specific technical and organisational measures implemented by the receiving party to ensure that the security of your personal data will be essentially equivalent to GDPR requirements. Where transfers are made to countries that the European Commission has determined provide an adequate level of data protection, no additional safeguards are required. You have the right to request further information about the international data transfers we make and to obtain a copy of the applicable transfer safeguards. Please contact our operations manager at privacy@empiq.nl to exercise this right.

How do we secure your personal data?

We have taken appropriate technical and organisational security measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure and unauthorised access. The measures ensure the confidentiality of your personal data and the maintenance of the integrity and availability of your personal data.

Measures include event logging of user activities on data processing systems, restricted access to networks and systems, and ensuring automatic backup of personal data and its availability in the event of a security incident.

Unfortunately, no data storage system or data transmission can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure, please notify us immediately. Please see the contact details below.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Autoriteit Persoonsgegevens without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR. If the breach is likely to result in a high risk to your rights and freedoms, we will also communicate the breach to you without undue delay, in accordance with Article 34 GDPR, unless we have implemented appropriate technical and organisational protection measures, such as encryption, that render the data unintelligible to any unauthorised person, or we have taken subsequent measures that ensure the high risk is no longer likely to materialise.

How long do we retain your personal data?

We will not retain your personal data for any longer period than necessary or permitted by law to fulfil the purposes for which your personal data was obtained. The criteria for determining our retention periods include:

• The duration of our ongoing business relationship with you.
• The period during which we provide services and/or carry out a contract with you and/or your employer.
• The period during which you are lawfully included in our mailing list and have not unsubscribed.
• The period during which we have a legitimate interest in processing the personal data for the purposes of operating our business and fulfilling our obligations with you and/or your employer.
• In compliance with legal obligations to which we are subject in the Netherlands, we apply statutory retention periods.
• Seven years after the end of the relevant tax year for payroll, salary administration and tax requirements.
• A minimum period of five years after the end of the employment contract for keeping your employment contract.
• A minimum period of two years after the end of the employment contract for keeping employment-related records.
• A limited period of four weeks after the recruitment period for applicants that are not hired. If the applicant has consented to keeping the personal data longer, a maximum period of 12 months applies.
• For protecting our legal position.
• For preserving evidence during any applicable limitation period under Dutch law, including any period during which any person could bring a legal claim against us in connection with your personal data, or to which your personal data is relevant for defending our interests in the context of judicial proceedings.
• Client and supplier contact data is retained for the duration of the business relationship and for a period of seven years thereafter, to comply with legal obligations, including tax and accounting requirements, and to establish, exercise or defend legal claims.
• Website usage and analytics data, including cookies, is retained in accordance with the cookie retention periods set out in the applicable cookie information.
• Correspondence and support records are retained for three years following the end of the relevant matter or relationship, to provide support and to establish, exercise or defend legal claims.

What are your rights and how can you exercise them?

Under data protection legislation, you have the following rights that you may exercise in the context of our processing of your personal data:

• The right to information about the personal data that we process about you. This includes the right to request access to, or receive copies of, your personal data, together with information regarding the nature and purposes of processing and with whom we have shared your personal data.
• The right to request rectification of any inaccuracies in your personal data.
• The right to request, on legitimate grounds, the erasure of your personal data and/or the right to be forgotten.
• The right to request restriction of processing of your personal data, for example for direct marketing purposes.
• The right to have your personal data transferred to another organisation in a structured, commonly used and machine-readable format, to the extent applicable.
• The right to object to processing of your personal data.
• Where processing of your personal data is based on consent, the right to withdraw your consent to such processing. This does not affect the lawfulness of any processing prior to the date of such withdrawal.
• The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. We do not currently make decisions based solely on automated processing that produce legal effects or similarly significantly affect you.

Our contact details

If you wish to exercise any of your rights, you can reach us by contacting our operations manager at privacy@empiq.nl.

If you are not satisfied with the way we respond to your request, please let us know.

If you feel your rights have been violated, you may file a complaint with the Dutch Data Protection Authority, the Autoriteit Persoonsgegevens: Postbus 93374, 2509 AJ Den Haag, the Netherlands. Telephone: +31 (0)70 888 8500. Website: https://www.autoriteitpersoonsgegevens.nl. You may also lodge a complaint with the supervisory authority in the EU member state of your habitual residence, place of work or place of the alleged infringement.