Privacy Statement Somogy
Somogy is a trading name of Grudanov Werkmaatschappij B.V., registered office at Van Moerkerkenlaan 11, 9721 TA Groningen, the Netherlands, registered with the Dutch Chamber of Commerce under number 42004919, VAT number NL869244140B01 (hereinafter: “Somogy”).
This is a translation of the Dutch original, provided for ease of reading. In case of any inconsistency between the two language versions, the Dutch text prevails.
This statement describes how Somogy processes personal data when Somogy acts as controller under the GDPR: for visitors of somogy.nl, for (prospective) customers who reach out, and for Somogy’s own customer administration. For personal data Somogy processes on behalf of business customers as a processor (for example the content of hosted mailboxes or WordPress sites), the separate data processing agreement applies.
1. Controller
The controller within the meaning of Article 4(7) GDPR is:
- Grudanov Werkmaatschappij B.V. (trading as Somogy)
- Van Moerkerkenlaan 11, 9721 TA Groningen, the Netherlands
- Dutch Chamber of Commerce 42004919 · VAT NL869244140B01
- Privacy contact: privacy@somogy.nl
Somogy has no legal obligation to appoint a Data Protection Officer (DPO). Questions, requests and complaints regarding personal data can be directed to the privacy address above.
2. Personal data Somogy processes
Depending on your interaction with Somogy, the following categories of personal data may be processed:
- Customer administration (business customers): company name, contact person’s name and address, e-mail address, phone number, billing and payment data, correspondence, contract data.
- Website contact form / e-mail contact: name, e-mail address, message and any additional information you provide.
- Server-side access logs for somogy.nl: IP address, date and time of visit, requested URL, HTTP status code, referring page and browser useragent.
Somogy does not process special categories of personal data (Art. 9 GDPR) or Dutch citizen-service numbers (BSN). Somogy uses no analytics tool, no tracking pixels and no advertising cookies - see also section 9 and the separate cookie statement.
Source of personal data (Art. 14 GDPR). Where Somogy does not receive personal data directly from the data subject, the data originates from Somogy’s business customer in its role as controller (for example contact details of that customer’s end users), or arises from technical use of somogy.nl (for example IP addresses in server-side access logs).
Automated decision-making (Art. 13(2)(f) GDPR). Somogy does not engage in automated decision-making or profiling within the meaning of Article 22 GDPR.
3. Purposes and legal bases
Per processing activity, the following purposes and legal bases apply:
| Processing | Purpose | Legal basis (GDPR Art. 6) |
|---|---|---|
| Customer administration | Performing the contract: service delivery, support, account management and communication | Art. 6(1)(b) - performance of a contract |
| Invoicing and accounting | Issuing, sending and archiving invoices, and complying with the Dutch tax retention obligation | Art. 6(1)(c) - legal obligation (Art. 52 AWR) |
| Contact form / leads | Responding to questions and following up on prospective customer contacts | Art. 6(1)(f) - legitimate interest (customer acquisition and communication) |
| Server-side access logs | Security, abuse detection, debugging and capacity management of somogy.nl | Art. 6(1)(f) - legitimate interest (IT security) |
For processing based on a legitimate interest, Somogy has performed a balancing test; you may object under Article 21 GDPR (see section 7).
4. Retention periods
Somogy does not retain personal data longer than necessary for the purpose for which it was collected. Specifically:
| Data category | Period |
|---|---|
| Invoices and accounting records | 7 years after the end of the financial year (Dutch tax retention obligation) |
| Customer contracts and related correspondence | 7 years after the end of the contract (statutes of limitation and tax) |
| Contact form submissions and leads | 1 year after last contact, unless converted into a customer relationship |
| Server-side access logs for somogy.nl | 30 days |
The retention periods are recorded in and reviewed annually. For personal data that Somogy processes on behalf of business customers (mailbox content, WordPress content), the periods in the data processing agreement apply.
5. Sharing with third parties and sub-processors
Somogy shares personal data with third parties only where necessary for service delivery or on the basis of a legal obligation. A current and complete list of sub-processors - with country of processing, purpose and DPA link - is published at somogy.nl/partners.
The standing sub-processors for Somogy’s own operations are, at a high level:
- Hetzner Online GmbH (Germany, EEA) - hosting of somogy.nl and of the underlying services.
- Moneybird B.V. (Netherlands, EEA) - bookkeeping and invoicing.
- Hosting Concepts B.V. (OpenProvider, Netherlands, EEA) - domain registrar for somogy.nl.
- rsync.net, Inc. (Switzerland, EU adequacy decision) - off-site encrypted backups.
- Cloudflare, Inc. (United States) - applied only to WordPress hosting (standing sub-processor for that service); not used for email hosting or for somogy.nl itself.
Somogy discloses personal data to government authorities only pursuant to a valid, legally binding order.
6. Transfer outside the EEA
Most personal data stays within the European Economic Area. For transfers outside the EEA the following safeguards apply:
- Switzerland (rsync.net, backups): transfer based on the EU adequacy decision for Switzerland. Additional safeguard: backups are client-side encrypted with BorgBackup before they leave the Somogy environment; rsync.net cannot decrypt the content.
- United States (Cloudflare, only for WordPress hosting): transfer based on the Standard Contractual Clauses (SCC) in the Cloudflare DPA and on Cloudflare’s EU-US Data Privacy Framework certification, to the extent valid at the time of processing. Somogy assesses transfer risks in a Transfer Impact Assessment that is maintained internally.
7. Your rights
Under the GDPR you have the following rights regarding your personal data:
- Access (Art. 15 GDPR) - obtain the personal data Somogy processes about you.
- Rectification (Art. 16 GDPR) - have incorrect or incomplete data corrected.
- Erasure / “right to be forgotten” (Art. 17 GDPR) - have your data deleted, unless a legal retention obligation or other overriding interest applies.
- Restriction of processing (Art. 18 GDPR).
- Data portability (Art. 20 GDPR) - receive the data you provided to Somogy in a common format.
- Objection to processing based on legitimate interest (Art. 21 GDPR).
- Withdrawal of consent (Art. 7(3) GDPR) - where applicable: Somogy currently does not rely on consent as a legal basis (see section 3). If consent is used for a specific processing activity in the future, you may withdraw it at any time; withdrawal takes effect from that moment on and does not affect the lawfulness of earlier processing.
You can send your request to privacy@somogy.nl. Somogy will respond within the statutory period of one month (extendable by two months for complex requests, Art. 12(3) GDPR). Somogy may ask for additional information to verify your identity.
If you believe Somogy does not handle your personal data correctly, you always have the right to lodge a complaint with the Dutch data protection authority - the Autoriteit Persoonsgegevens - via autoriteitpersoonsgegevens.nl.
8. Security
Somogy takes appropriate technical and organisational measures to protect personal data against loss or unlawful processing, in accordance with Article 32 GDPR. The measures are documented in Annex B (TOM) of the data processing agreement and include, among others: encryption of backups, least-privilege access, MFA on administrative accounts, active patch management and periodic recovery tests.
9. Cookies
Somogy uses only strictly necessary cookies on somogy.nl (such as a session or security cookie). Somogy does not place any analytical, tracking or advertising cookies. Because only strictly necessary cookies are used, no consent banner is required under Article 11.7a of the Dutch Telecommunications Act. See the cookie statement for the full list.
10. Changes
Somogy may amend this privacy statement from time to time, for instance due to new laws and regulations or changes in its service offering. The most recent version is always available on somogy.nl. For material changes affecting existing customers, those customers are also informed directly.
11. Contact
For all questions, requests and complaints regarding personal data:
- E-mail: privacy@somogy.nl
- Post: Grudanov Werkmaatschappij B.V., Van Moerkerkenlaan 11, 9721 TA Groningen, the Netherlands
12. Version
- Version: 1.0
- Effective date: 2026-05-01
- Change history: first publication.