Privacy statement

At PNO Innovation we believe that knowledge, expertise, and trust form the foundation of our services. This Privacy Statement explains how and why we collect and use personal data, and outlines the rights individuals have with regard to their personal information. PNO Innovation refers to all legal entities owned and operated by PNO Group Topholding B.V.

Who does this Privacy Statement apply to?
This Privacy Statement applies to all individuals whose personal data are processed by PNO, including

• clients of PNO,
• prospective clients with whom PNO has or seeks to establish contact,
• visitors to PNO’s websites,
• recipients of newsletters and commercial e-mails from PNO, and
• any other person who contacts PNO or whose personal data is processed by PNO.

This Privacy Statement does not apply to PNO employees and temporary staff. Separate privacy arrangements apply for these persons.

Which personal data do we process?
We process personal data, meaning collecting, storing, using, updating, and deleting any information that relates to an identified or identifiable person. We do not store personal data for longer than is strictly necessary for the execution of the purposes. If legal regulations apply to the storage, the personal data will not be kept longer than prescribed by law.

We collect personal data from the following sources:
1. Personal data you provide to us directly, such as:
• Contact details and other information required to carry out our services,
• Information entered in web forms (e.g. contact or registration forms),
• Details shared during meetings, events, or via business cards.

2. Personal data we collect automatically, including:
• IP address,
• Website usage (e.g. visit timestamps, pages viewed, navigation patterns),
• Interaction with newsletters and emails (e.g. opens and clicks).
See our cookie policy for more information.

3. Personal data from public or third-party sources, such as:
• Public business profiles on platforms like LinkedIn,
• Data from the Trade Register (e.g. Chamber of Commerce),
• Information published on public websites.
Please note: Our website may contain links to third-party websites and social media buttons. We are not responsible for the content, services, privacy policies, or cookie use of those external sites or platforms.

What do we use your personal data for?
PNO processes personal data primarily as a data controller. In specific cases, we may act as a processor on behalf of our clients. Below, we explain the main purposes for which we process personal data.
a. To perform our services
If you engage us for funding and innovation consultancy services, we use your data to manage and carry out the assignment. This includes:
• Contacting you about the project,
• Requesting any relevant personal data needed to deliver our services,
• Invoicing and contract administration.
Where necessary for the execution of our services, we may also share relevant personal data internally between PNO Group companies, in accordance with applicable data protection laws.

b. To comply with legal obligations under applicable laws and regulations
c. To stay in contact and inform you
We may use your contact details to send updates, newsletters, event invitations, or other relevant information about our services. To make our communications more relevant to you, we may analyze your interactions with our website, emails, or past contacts with PNO. We do not use sensitive personal data for this purpose. Where required, we will request your consent, which you can withdraw at any time. See our cookie policy for more information.
d. To conduct client satisfaction research
We may invite you to take part in voluntary surveys about our services. These are conducted via online questionnaires. Each invitation includes details on how your responses will be used.
e. To improve and secure our websites
We use website analytics to measure performance and enhance usability. These statistics are aggregated and do not identify individual users.
f. For physical access control and security

If you visit one of our offices your name may be recorded at reception and security cameras may operate at entrances and in common areas. Recordings are used for safety purposes and are usually deleted after 10 working days.

On what legal grounds do we process personal data?
We only process personal data where we have a valid legal basis, as required under the General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act. The legal bases we rely on are:
a. Consent
If you have given us your explicit consent to process your personal data for a specific purpose, we will only process that data within the scope of your consent. You have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before withdrawal.
b. Performance of a contract
If you engage us to provide funding and innovation consultancy services, we process your personal data as necessary to prepare, enter into, and perform that agreement.
c. Legal obligation
In certain cases, we are required by law to process personal data—for example, to comply with tax or regulatory obligations, or when responding to lawful requests from public authorities. In such cases, we take appropriate measures to safeguard your personal data.
d. Legitimate interest
We may also process personal data where it is necessary for our legitimate interests, provided these do not override your fundamental rights and freedoms. For example, we may use your contact details to send you invitations to events or relevant updates about our services.

Security
PNO Innovation takes the security of your personal data seriously. We implement appropriate technical and organizational measures, based on the level of risk, to protect personal data against unauthorized access, loss, misuse or disclosure. These include access controls, secure servers, and internal policies on data access and confidentiality. Multiple companies of PNO are ISO 27001 certified and we ensure that our service providers and partners meet equivalent security standards where applicable.

Sharing personal data with third parties and service providers
As part of our operations and service delivery we may share personal data with third parties where necessary to perform our services, comply with legal obligations, or support our internal processes. These third parties include:

• Service providers acting as processors, such as providers of cloud software (SaaS), hosting services, IT support, and email distribution tools. These parties only process personal data on our behalf and under our instructions. Where required under the General Data Protection Regulation (GDPR), we conclude appropriate data processing agreements to ensure that such processors apply adequate safeguards, including confidentiality and security measures aligned with industry standards.
• Third parties involved in client assignments, such as funding authorities and project partners, or other parties necessary to fulfil contractual obligations. In such cases, personal data is shared only as needed for the specific purpose.
• Subsidiaries within the PNO Group, with whom we may share limited contact information to coordinate consultancy opportunities across Europe.
• Authorities or courts, where we are legally obliged to disclose personal data based on a binding legal request or judgment.
• Event or seminar partners, where we occasionally co-organize activities. In such cases, only essential contact details are shared, and only where relevant.
• In the context of corporate transactions, such as mergers, reorganizations, or sales, where personal data may be transferred as part of due diligence or business continuity.

We do not sell your personal data to third parties. We also do not use your data for third-party marketing purposes, unless you participate in a joint event as described above.
No automated decisions with legal or similarly significant effects are made based on your data.

Transfer outside the (European Economic Area) EEA
As part of an international group of companies, and in collaboration with professional service providers, we may transfer personal data to countries outside the European Economic Area (EEA). This includes transfers to jurisdictions that may not offer the same level of data protection as within the EEA.

We take appropriate steps to ensure that all personal data transferred outside the EEA is adequately protected and that such transfers comply with applicable data protection laws, including the General Data Protection Regulation (GDPR).

Where personal data is transferred to countries that are not subject to an adequacy decision by the European Commission, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (SCCs). These agreements ensure that the data receives a level of protection that is essentially equivalent to that within the EEA.

If required, we also assess the legal and practical risks associated with the transfer and implement additional measures where necessary.

Your rights and how to contact us
Depending on the service provided, PNO may act either as a data controller or as a processor acting on behalf of a client. In either case, we handle personal data with the same care and in compliance with applicable data protection laws. For the purposes of the GDPR, PNO’s main establishment is located in Rijswijk, the Netherlands.

If you have any questions about how we handle your personal data, or if you wish to exercise your rights, you can contact us at:
? +31 (0)88-838 13 81
? servicedesk@pnoinnovation.com

Under the General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act, you have the right to:

• Access the personal data we hold about you,
• Rectify inaccurate or incomplete data,
• Request erasure of your personal data (the ‘right to be forgotten’),
• Restrict or object to the processing of your personal data,
• Withdraw consent, where processing is based on your consent,
• Request data portability, allowing you to receive your data in a machine-readable format and transmit it to another controller (where technically feasible).

We aim to respond to any request, question, or complaint promptly — and in any case, within four weeks, and in any case in line with applicable legal time limits.

If you believe that your personal data is being processed in violation of the GDPR or other applicable data protection laws, you have the right to lodge a complaint with a supervisory authority. You may contact the authority in the EU or EEA member state of your habitual residence, place of work, or where the alleged violation occurred. For concerns relating to PNO Group’s activities, you may also contact the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at www.autoriteitpersoonsgegevens.nl.

Changes to this privacy statement
We may update this Privacy Statement from time to time to reflect changes in laws, our services, or how we process personal data. The most recent version is always available on our website.

We encourage you to review this Privacy Statement regularly so that you stay informed about how we protect your data. Where material changes occur, we will notify you through our website or, where appropriate, by direct communication.