Personal data categories
We process the personal data categories mentioned in our separate register of processing activities.
Principles of processing
We only process personal data on the basis of the principles of Article 6 of the GDPR, i.e. based on the consent of the data subjects or on the basis of necessity. The principles are listed in our separate register of processing operations.
Starting points of processing
We comply with the principles with regard to processing under Article 5 paragraph1GDPR in the following way:
Legitimate; We will observe the rules of the GDPR when processing. See also under 2.
Fairly; We will observe the rules of the GDPR when processing.
Transparent; Insofar as the processing operation is not immediately evident, such as with contact or payment details, we will inform the data subject about the purpose and method of processing (possibly with a so-called privacy statement).
Purpose limitation; We will not process personal data other than for the purposes of the processing operation.
Data minimisation; We will not request or process more personal data than is required for the purposes of the processing operation.
Correctness; We give data subjects the option to contact us via the contact details provided on our website. This way they can view or request their data and where necessary we will correct this data. If we use a digital portal, we give the option to those involved to do this online themselves .
Storage limit; We will not process any personal data that isn’t necessary for the purpose for which it was obtained, or for any longer than is required. Insofar as we want to conduct statistical or telemetric research, we anonymise the personal data irreversibly.
Integrity and confidentiality; We take appropriate technical and organisational measures against unlawful processing, loss, destruction and damage. See also under 5.
Data subjects rights
We recognise the rights of data subjects to, among other things, access, correction, limitation and removal. See also under 3 (d) with regard to how data subjects can contact our organisation to exercise these rights.
Technical and organisational measures
To the extent required by law, we register our technical and organisational measures in our separate register of processing activities.
We do not process personal data longer than is necessary for the purpose of the processing operation and ensure that when the personal data is no longer needed, it is deleted or irreversibly anonymised. See under 3 (e) for more information and see our separate register of processing operations for the processing time.
Data Protection Officer
We have not appointed a Data Protection Officer within our organisation because we believe that we do not meet any of the following conditions:
- The organisation is a government agency or body;
- Processing personal data that consists of regular systematic observation of data subjects on a large scale;
- The core activity consists of large-scale processing of special categories of personal data or personal data of a criminal nature.
Privacy Impact Assessment (PIA) or Data Protection Impact Assessment
We do not perform a Data Protection Impact Assessment in our organisation because we do not process data that is likely to pose a high risk to the rights and freedoms of data subjects. If this is different in the long term or in some cases, our organisation will of course comply with its obligations according to the instructions in this privacy administration.