Data Protection

Last updated: [PLACEHOLDER — insert date]

This page covers G3 Prime's role as a data processor when handling client data during consulting engagements. It must be reviewed by a qualified legal professional before publication.

This page describes how G3 Prime Consulting protects personal data when acting as a data processor on behalf of our clients during consulting engagements. For information about how we handle your personal data as a website visitor, please refer to our Privacy Policy.

1. Our Commitment to Data Protection

G3 Prime Consulting is committed to protecting the personal data we encounter during our consulting engagements. As IT consultants working within client organizations, we frequently access, analyze, and handle systems that contain personal data. We take this responsibility seriously.

Our data protection practices are designed to meet the requirements of the General Data Protection Regulation (GDPR) and the Dutch implementation of the GDPR (Uitvoeringswet AVG). We maintain these standards regardless of the specific framework a client is working toward, because data protection is not a compliance checkbox — it is a fundamental part of how we operate.

Every consultant at G3 Prime is trained in data protection principles and understands their responsibilities when handling personal data in the course of client work.

2. Controller vs. Processor Roles

Under the GDPR, the distinction between data controller and data processor is critical. In most of our consulting engagements, the roles are as follows:

  • The client is the data controller. The client determines the purposes and means of processing personal data within their organization. They decide what data is collected, why it is processed, and how long it is retained.
  • G3 Prime acts as a data processor. When our consultants access or handle personal data as part of an engagement, we do so on behalf of and under the instructions of the client. We do not determine the purposes of processing — we carry out activities as directed by the client within the scope of the engagement agreement.

In certain limited situations, G3 Prime may act as a joint controller — for example, when we collaborate with a client on defining the purposes and means of a specific data processing activity. In such cases, the respective responsibilities are documented in a joint controller arrangement as required by Article 26 of the GDPR.

When G3 Prime provides advisory services that do not involve direct access to personal data (e.g., policy review, framework design), neither controller nor processor roles apply to that aspect of the engagement.

3. Technical and Organizational Measures

G3 Prime maintains the following technical and organizational measures to protect personal data encountered during client engagements:

Access controls

  • All consultant devices are encrypted at rest (FileVault on macOS, BitLocker on Windows)
  • Multi-factor authentication is required for all client systems access
  • Consultants use client-provisioned accounts and credentials where available, not personal accounts
  • Access to client data is limited to the specific consultants assigned to the engagement

Data handling

  • Personal data encountered during engagements is not copied to G3 Prime systems unless explicitly authorized by the client and necessary for the engagement
  • When data must be transferred or processed on G3 Prime devices, it is stored in encrypted containers and deleted upon engagement completion
  • We do not store client personal data in personal cloud storage, email, or messaging services
  • Printed materials containing personal data are securely destroyed after use

Network security

  • Consultants working remotely use VPN connections to client environments where required
  • All G3 Prime devices run current operating systems with automatic security updates enabled
  • Endpoint protection software is installed and maintained on all devices

Organizational measures

  • All consultants sign confidentiality agreements before commencing any engagement
  • Data protection responsibilities are included in every engagement agreement
  • We conduct internal reviews of our data protection practices annually
  • Incidents and near-misses are documented and reviewed, regardless of severity

4. Sub-processors

G3 Prime engages the following sub-processors in the course of our business operations:

| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel | Website hosting and analytics | United States |
| Resend | Email delivery for contact form | United States |
| Cal.com | Meeting scheduling | United States / EU |
| Google Workspace | Internal communications and documents | EU (data region) |

We vet all sub-processors for adequate data protection measures before engagement. Our client engagement agreements include provisions requiring client consent before engaging new sub-processors that would process client personal data.

If a client objects to a specific sub-processor, we will work with the client to find an alternative arrangement or, where necessary, cease using that sub-processor for the relevant engagement.

5. Data Breach Notification

In the event of a personal data breach involving data processed on behalf of a client, G3 Prime will:

  1. Notify the client without undue delay and no later than 24 hours after becoming aware of the breach. This notification will include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.
  2. Cooperate fully with the client in their assessment of whether the breach must be reported to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within the 72-hour window required by Article 33 of the GDPR.
  3. Assist the client in notifying affected data subjects if the breach is likely to result in a high risk to the rights and freedoms of individuals, as required by Article 34 of the GDPR.
  4. Document the breach, including all facts, effects, and remedial actions taken, and retain this documentation for the client's records and for audit purposes.
  5. Conduct an internal review of the incident within 10 business days to identify root causes and implement measures to prevent recurrence.

G3 Prime has not experienced a personal data breach to date. We maintain an incident response procedure that is tested annually.

6. Data Processing Agreement Availability

G3 Prime enters into a Data Processing Agreement (DPA) with every client whose engagement involves the processing of personal data. Our standard DPA covers:

  • The subject matter and duration of processing
  • The nature and purpose of processing
  • The types of personal data processed
  • The categories of data subjects
  • The obligations and rights of the controller
  • Technical and organizational security measures
  • Sub-processor management
  • Data breach notification procedures
  • Data return and deletion upon engagement completion
  • Audit rights

Our standard DPA is compliant with Article 28 of the GDPR and incorporates the European Commission's Standard Contractual Clauses where applicable.

If you are a prospective or current client and would like to review our standard DPA, please contact us at [PLACEHOLDER — insert DPO email address].

7. Cross-Border Data Transfers

G3 Prime is based in the Netherlands and primarily operates within the European Economic Area (EEA). However, some of our sub-processors are based in the United States (see Section 4 above).

When personal data is transferred outside the EEA, we ensure that appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): We have entered into SCCs with relevant sub-processors as approved by the European Commission.
  • Data processing region selection: Where possible, we configure sub-processors to store and process data within the EU. For example, our Google Workspace instance is configured to use the EU data region.
  • Transfer Impact Assessments: We conduct transfer impact assessments for each sub-processor to evaluate the risks of transferring data to their jurisdiction and the effectiveness of the supplementary measures in place.

For client engagements that involve cross-border operations (e.g., pan-European programs), the applicable data transfer mechanisms are documented in the engagement-specific DPA.

8. Employee Training and Awareness

Every G3 Prime consultant receives data protection training as part of their onboarding process and annually thereafter. Our training program covers:

  • GDPR principles and key concepts (lawfulness, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality)
  • The distinction between controller and processor roles and what it means in practice
  • How to identify personal data and special category data in the systems we work with
  • Secure data handling practices during consulting engagements
  • Data breach identification and reporting procedures
  • Client confidentiality obligations

Training records are maintained and available for audit upon client request.

In addition to formal training, data protection is a standing agenda item in our monthly team meetings, where we discuss emerging risks, regulatory developments, and lessons learned from recent engagements.

9. Data Protection Officer

G3 Prime has designated a Data Protection Officer (DPO) who is responsible for overseeing our data protection practices and serving as the point of contact for data protection inquiries.

  • Email: [PLACEHOLDER — insert DPO email address]
  • Postal address: G3 Prime Consulting, [PLACEHOLDER — insert registered address], The Netherlands

The DPO can be contacted for:

  • Questions about how G3 Prime handles personal data
  • Requests to exercise data subject rights (in coordination with the client as data controller)
  • Requests to review our Data Processing Agreement
  • Reporting a data protection concern or incident

10. Updates and Version History

This Data Protection page is reviewed and updated at least annually, or more frequently when there are material changes to our data protection practices, sub-processor list, or applicable regulations.

Version history:

  • [PLACEHOLDER — insert date]: Initial publication

When material changes are made, we will update the “Last updated” date at the top of this page and, where appropriate, notify active clients directly.