Version: November 2022
Version: November 2022
Do you have questions about how we process your personal data? Then please contact us.
3.2 Our website contains links to third-party websites. We are not responsible for the content of these third-party websites, the services they offer or the way in which they process personal data.
4.1 We collect personal data in various ways:
a. Information that you have provided to us. This is the case, for example, when you contact us or apply for a job.
b. Information collected automatically when you visit our website. This is due to the cookies we use on our website. For
c. Information we obtain from third parties. This is the case, for example, when we request information about you.
4.2 In some cases, there is a legal or contractual requirement to provide us with certain personal data. This may also be necessary in order to be able to enter into an agreement with us. If this is the case, we will inform you accordingly. We will also tell you what the consequences are if you do not provide the personal data.
5.1 It depends on the processing activity which personal data we process, on what basis personal data are processed and for what purposes we do so. A summary is given below.
5.2 Insofar as our processing activities are based on our legitimate interests, it is possible to request information from us about the so-called ‘balancing test' that we performed to determine whether we could use this ground for processing. You will find our contact details at the bottom of this page.
5.3 If we process your personal data beyond the purposes for which these were obtained, we will inform you of this in good time.
6.1 Below is an overview of the cookies we use:
6.2 Via the browser settings, you can set your cookie preferences - for all websites. It differs for each browser which preferences you can set. For more information, go to: www.aboutcookies.org/how-to-control-cookies
6.3 Please note that the functionality of the website may be affected when you refuse certain cookies.
7.1 We only share personal data with third parties if this is necessary for the performance of our services. In that case, we share personal data with the following parties:
8.1 When processing personal data, we do not use parties located outside the European Economic Area (EEA). If this is the case in the future, we will take the necessary measures to protect your personal data adequately and we will inform you in good time.
8.2 Transfers to outside the EEA are permitted on the basis of a so-called adequacy decision. This is a decision of the European Commission in which it is established that the level of data protection in the receiving country is of a similar level to the GDPR. This link contains an overview of countries with an adequacy decision. In other cases, we use the Standard Contractual Clauses as drawn up by the European Commission. Further information on transfers outside the EEA and a copy of the measures taken by us may be requested from us.
9.1 To protect your personal data against loss, misuse and/or unauthorised changes, we take sufficient technical and organisational measures. In addition, we only give individuals access to personal data in so far as this is necessary for the performance of our services. These persons are also bound by an obligation of confidentiality pursuant to an employment contract.
9.2 Examples of technical measures we have taken:
a. Logical physical security measures (e.g. a safe, security personnel, firewalls and segmentation of networks);
b. Technical verification of authorisation in systems (the roles are kept as limited as possible) and the use of log files;
c. Management of technical vulnerabilities (patch management);
d. Keeping software up to date (such as browsers, virus scanners and operating systems);
e. Backing up personal data to ensure availability and access;
f. The automatic deletion of dated data;
g. Encrypting personal data;
h. Applying hashing or (other) forms of pseudonymisation to personal data; and
i. Offering secure storage options to end users (e.g. file server storage).
9.3 Examples of organisational measures we have taken:
a. Assigning responsibilities and roles in the context of information security;
b. Increasing privacy awareness among current and new employees;
c. Drawing up procedures for periodically testing, assessing and evaluating security measures;
d. Regularly checking log files;
e. Using a protocol to deal with data breaches and other security incidents;
f. Concluding confidentiality, processing and data protection agreements;
g. Investigating and applying possibilities for data minimisation;
h. Only making personal data accessible to as few people within the organisation as possible; and
i. Drawing up considerations and decisions with regard to each individual processing activity.
9.4 Our internal protocols describe how a sufficiently appropriate level of security is offered. We also have a data breach protocol that describes how we deal with a data breach or security incident.
10.1 In principle, we will not retain your personal data longer than necessary for the purposes for which they are processed. In order to ensure that personal data are deleted on time, we have drawn up a retention policy.
10.2 We use the following retention periods:
11.1 With regard to our processing activities, you have the following rights.
a. Right to withdraw consent: insofar as our processing activities are based on your consent, you have the right to withdraw your consent at any time.
b. Right of access: you have the right to access the personal data we process about you. This right gives you the possibility of receiving a copy of the personal data we process about you. We will also provide you with additional information about our processing activities.
c. Right to rectification: you have the right to rectify incorrect data without delay. As a result, inaccurate personal data processed by us may be modified or supplemented.
d. Right to erasure: you have the right to ‘be forgotten'. The right to be forgotten applies if (i) the personal data is no longer required, (ii) you have withdrawn your consent, (iii) you have objected to the processing of your personal data, (iv) we process personal data unlawfully, (v) personal data must be deleted based on EU or Member State law or (vi) we have collected your personal data in the context of information society services. In so far as the processing of personal data is necessary (i) for the exercise of our right to freedom of expression and information, (ii) for the performance of a legal task in the public interest or a task in the exercise of public authority, (iii) for reasons of public interest in the field of public health, (iv) for archiving purposes in the public interest and/or (v) for the lodging, exercise or substantiation of legal claims, we may refuse to invoke the right to erasure.
e. Right to object: where our processing activities are based on our legitimate interests, you have the right to object. To the extent that your personal data are processed in the context of direct marketing, your request will in any case be honoured. In other cases, we also stop processing your personal data unless there are compelling legitimate grounds for the processing of your personal data, which override your interests.
f. Right to restriction of processing: you have the right to restrict processing if (i) you have disputed the accuracy of the personal data, (ii) we process your personal data unlawfully and you do not want them to be deleted, (iii) we no longer need your personal data, but you want to use these for the lodging, exercise or substantiation of legal claims and/or (iv) you have objected to the processing of your personal data. If we have honoured your request, your personal data will only be stored by us. We will not process your personal data in any other way, unless you have given your consent, this is necessary for the lodging, exercise or substantiation of legal claims, this is necessary for the protection of third-party rights or for important reasons of public interest.
g. Right to portability: if our processing activities are based on your consent or on the performance of a contract and are performed by automated means, you have the right to obtain and transfer your personal data in a structured, commonly used and machine-readable form or to have it transferred to another controller.
h. Automated decision-making: you have the right not to be subject to a decision based solely on automated processing which has legal consequences or which otherwise significantly affects you. We do not use automated decision-making.
i. Filing a complaint: in addition to the above rights, you also have the right to submit a complaint to the relevant data protection authority. In the Netherlands, this is the Dutch Data Protection Authority. However, we will be happy to resolve complaints together with you. We therefore ask you to contact us first.
11.2 You may exercise any of the above rights by contacting us. You may invoke the above rights free of charge, unless your requests are manifestly unfounded or excessive. In those cases, we ask for reasonable compensation or we refuse to comply.
11.3 We may ask for additional information to establish your identity before we respond to your request.
11.4 We will provide information about the follow-up as soon as possible and in any event within one month after receipt of your request. That period may be extended by another two months if necessary depending on the complexity of the requests and the number of requests. We will inform you of this within one month of receipt of the request.
12.1 If you have any questions about how we handle your personal data, please contact us via firstname.lastname@example.org.
13.1 We are entitled to delete your personal data at any time. In that case, we will not owe you any compensation whatsoever.
14.2 Other terms as defined in relevant privacy legislation, such as 'personal data', '(joint) controller', 'processor', 'data subject' and 'processing' have the same meaning as in the relevant privacy legislation.