The Dutch Data Protection Authority specifies that our organisation is obliged to draw up a data protection policy if this is proportionate to our processing activities on the basis of article 5 paragraph 2 GDPR. A data protection policy is also known as a privacy policy.

Our organisation applies the following concise privacy policy, which is further reflected in our register of processing activities.

Personal data categories

We process the personal data categories mentioned in our separate register of processing activities.

Principles of processing

We only process personal data on the basis of the principles of Article 6 of the GDPR, i.e. based on the consent of the data subjects or on the basis of necessity. The principles are listed in our separate register of processing operations.

Starting points of processing

We comply with the principles with regard to processing under Article 5 paragraph1GDPR in the following way:

Sub a

Legitimate; We will observe the rules of the GDPR when processing. See also under 2.

Sub a

Fairly; We will observe the rules of the GDPR when processing.

Sub a

Transparent; Insofar as the processing operation is not immediately evident, such as with contact or payment details, we will inform the data subject about the purpose and method of processing (possibly with a so-called privacy statement).

Sub b

Purpose limitation; We will not process personal data other than for the purposes of the processing operation.

Sub c

Data minimisation; We will not request or process more personal data than is required for the purposes of the processing operation.

Sub d

Correctness; We give data subjects the option to contact us via the contact details provided on our website. This way they can view or request their data and where necessary we will correct this data. If we use a digital portal, we give the option to those involved to do this online themselves .

Sub e

Storage limit; We will not process any personal data that isn’t necessary for the purpose for which it was obtained, or for any longer than is required. Insofar as we want to conduct statistical or telemetric research, we anonymise the personal data irreversibly.

Sub f

Integrity and confidentiality; We take appropriate technical and organisational measures against unlawful processing, loss, destruction and damage. See also under 5.

Data subjects rights

We recognise the rights of data subjects to, among other things, access, correction, limitation and removal. See also under 3 (d) with regard to how data subjects can contact our organisation to exercise these rights.

Technical and organisational measures

To the extent required by law, we register our technical and organisational measures in our separate register of processing activities.

Processing time

We do not process personal data longer than is necessary for the purpose of the processing operation and ensure that when the personal data is no longer needed, it is deleted or irreversibly anonymised. See under 3 (e) for more information and see our separate register of processing operations for the processing time.

Data Protection Officer

We have not appointed a Data Protection Officer within our organisation because we believe that we do not meet any of the following conditions:

  • The organisation is a government agency or body;
  • Processing personal data that consists of regular systematic observation of data subjects on a large scale;
  • The core activity consists of large-scale processing of special categories of personal data or personal data of a criminal nature.

Privacy Impact Assessment (PIA) or Data Protection Impact Assessment

We do not perform a Data Protection Impact Assessment in our organisation because we do not process data that is likely to pose a high risk to the rights and freedoms of data subjects. If this is different in the long term or in some cases, our organisation will of course comply with its obligations according to the instructions in this privacy administration.