The Dutch Data Protection Authority indicates that our organization is only obliged to draw up a data protection policy if that is in proportion to our processing activities on the basis of article 5, paragraph 2, GDPR. A data protection policy is also called a privacy policy. The obligation to draw up such a privacy policy depends on the specific circumstances, such as the nature, scope, context and purpose of the data processing, according to the Dutch Data Protection Authority. Our organization applies the following concise privacy policy, which is further reflected in our register of processing activities:
We process personal data of the categories mentioned in our separate register of processing activities.
We process personal data solely on the basis of the principles from Article 6 of the GMS, or on the basis of the consent of the parties involved or on the basis of a necessity. The bases are stated in our separate register of processing activities.
We comply with the principles concerning the processing from Article 5, paragraph 1, GTC in the following way:
| Rule | Principle | How | Supplement |
| Sub a | Rechtmatig | We will take the AVG rules into account when processing. See also under 2 for this. | |
| Sub a | Behoorlijk | We will take the AVG rules into account when processing. | |
| Sub a | Transparant | Insofar as processing is not immediately evident, such as with contact or payment data, we will inform the data subject about the purpose and method of processing (possibly with so-called privacy statement). | |
| Sub b | Doelbinding | We will not proces personal data other then the purposes of processing. | |
| Sub c | Dataminimalisatie | We will not request or process more personal data than is sufficient for the purposes of the processing. | |
| Sub d | Juistheid | We offer those involved the opportunity to contact us via the contact details on our website this way they can view or request their data and where necessary we will correct this data. If we use a digital portal, we offer the parties involved the opportunity to do this online themselves | |
| Sub e | Opslagbeperking | We will no longer process personal data if this is no longer necessary for the purpose for which they were obtained. To the extent we want to perform statistical or telemetric research, we anomyze the personal data irreversibly. | |
| Sub f | Integriteit en vertrouwelijkheid | We take appropriate technical and organizational measures against unlawful processing, loss, destruction and damage. See below under 5 |
We acknowledge the rights that those involved have, among other things, access, correction, restriction and removal. See above under 3 (d) about the way in which those involved can contact our organization to exercise these rights.
To the extent required by law, we record our technical and organizational measures in our separate register of processing activities. If we have certain certifications or adhere to certain codes of conduct or binding company regulations, these are listed below.
We process personal data no longer than is necessary for the purpose of the processing and ensure that when the personal data is no longer needed, it is deleted or irreversibly rendered anonymous. See for this under 3 (sub e) for more information and see our separate register of processing activities for the processing time.
We have not appointed a Data Protection Officer in our organization because we believe that we do not meet one of the following conditions:
- De organisatie is een overheidsinstantie of –orgaan;
- Processing of personal data consisting of systematically observing data subjects on a large scale on a regular basis;
- The core activity consists of the large-scale processing of special categories of personal data or personal data of a criminal nature.
We do not perform a Data Protection Impact Assessment in our organization because we do not do any processing that is likely to pose a high risk to the rights and freedoms of those involved. If this is different in the long term or in certain cases, then our organization will of course fulfill the obligation.