Privacy Statement
This privacy statement, drawn up in accordance with the General Data Protection Regulation (AVG), applies to all personal data and all manual or automated processing of personal data which IDD and IADS Headoffice, hereinafter referred to as 'the organisation', carries out independently on behalf of its members, employees, volunteers, customers, donors etc. hereinafter referred to as 'data subject', or has carried out by processors on the basis of a processing agreement.
This privacy statement describes which categories of personal data of which categories of people involved are processed by whom and for which purposes, who is responsible and how the legitimacy of these processes and the protection of personal data is guaranteed.
Please read this privacy statement carefully before you agree to give the organisation explicit permission to process your personal data in line with this privacy statement.
1. Controller
Refers to a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data.
The data controller of the processing of personal data is the legal entity IDD KvK 33275784 and IADS KvK 41202293 situated at Bloemendaalseweg 277A, 2051 GE Overveen.
2. Principles of data processing
As the person responsible for processing, the organisation undertakes to ensure that personal data relating to the person concerned is processed:
- processed in a lawful, proper and transparent manner;
- collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
- adequate, relevant and limited to what is necessary for the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
are processed in a manner which ensures their adequate security, by the implementation of appropriate technical or organisational measures, and that they are protected, inter alia, against unauthorised or unlawful processing and against accidental loss, destruction or damage.
3. Data processing
As the data controller, the organisation carries out both manual and automated data processing of personal data, solely in support of the services and/or products agreed with the organisation by the party concerned:
- Employment
- Membership
- Volunteer
- Sponsorship
4. Personal data
The organisation processes the following categories of personal data for the purposes of the data processing described in point 3:
- First name, last name, middle name
- Phone number, email address
- Address, city, postal code (only if post and visit)
- Date of birth and gender (only explicit permission)
The organisation does not process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership. Nor does the organisation process any data with a view to the unique identification of a person, about health or sexual orientation. Such processing is prohibited unless the person in question has given the organisation express permission to do so.
5. Parties concerned
The organisation processes the personal data described in point 4 for the purpose of providing its services to the following categories of data subjects:
- Employees
- Volunteers
- Members
- Customers
- Suppliers
- Donors
6. Processors
A natural or legal person, a government agency, a service or another body that processes personal data on the instructions of the controller.
The organization provides personal data obtained from data subjects on the basis of processor agreements to the following categories of processors:
- Zicht verzekeringen, if members have indicated that they wish to purchase insurance.
- ABN and ING concerning product orders.
7. Lawfulness
As the data controller, the organization shall ensure lawful processing of the personal data of the data subject by complying with at least one of the conditions below:
- the data subject has given consent to the processing of his/her personal data for one or more specific purposes, for example as part of an online newsletter subscription;
- The processing is necessary for the performance of a contract to which the data subject is a party, or in order to take action at the request of the data subject prior to the conclusion of a contract, for example as part of the online processing of a purchase;
- the processing is necessary in order to protect the vital interests of the data subject or of another natural person, for example in the case of a medical emergency concerning a data subject;
- the processing is necessary for the legitimate interests of the controller or of a third party, insofar as it does not conflict with the interests or fundamental rights and freedoms of the data subject.
8. Measures
As the data controller, the organization shall implement appropriate technical and organizational measures to ensure risk-based data security, which shall include, where appropriate, the following:
- the pseudonymisation and encryption of personal data;
- the ability to ensure, on an ongoing basis, the confidentiality, integrity, availability and resilience of the processing systems and services;
- the ability to restore the availability of and access to the personal data in a timely manner in the event of a physical or technical incident;
- not recording more personal data than necessary for the purpose of processing;
- not storing personal data longer than necessary;
- a procedure for regular testing, evaluation and assessment of the effectiveness of the technical and organisational measures to secure processing.
The organization also provides for the foregoing by standardizing its working methods and technical infrastructure, encrypting connections and housing applications and data with a professional cloud service provider.
9. Rights
The organization respects and provides for the following rights of data subject with respect to applicable personal data processing:
- Inspection: The data subject has the right to obtain from the controller access to the processing of personal data applicable to the data subject, including information on the processing purposes, lawfulness of the processing, categories of personal data involved, recipients or categories of recipients, third parties, storage periods and data protection measures;
- Rectification: Subject to the purposes of the processing, the data subject shall have the right to obtain rectification of inaccurate or incomplete personal data, including by providing a supplementary statement;
- Data erasure: The data subject has the right to obtain from the controller the erasure of personal data relating to him and the controller is obliged to erase personal data without unreasonable delay;
- Transferability: The data subject has the right to obtain the personal data relating to him that he has provided to a controller in a structured, accessible and machine-readable form, and has the right to transfer that data to another controller;
- Restriction: The data subject has the right to obtain from the controller a temporary restriction on processing, during which time the controller may only process the data concerned with the data subject's consent;
- Automated decision-making: The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or significantly affects him in some other way;
- Objection: The data subject will have the right to object at any time, on grounds relating to their particular situation, to the processing of personal data relating to them. The controller will cease processing the personal data unless it establishes compelling legitimate grounds for doing so which override the interests, rights and freedoms of the data subject.
To exercise one or more of the above rights, please contact the data controller or the data protection officer referred to in point 1.
10. Obligations
As the data controller, the organisation facilitates the timely and correct exercise of the rights of the data subject in the context of its obligations described below:
- Accountability: data controller shall implement and maintain appropriate technical and organizational measures to ensure and be able to demonstrate that processing is carried out in accordance with the law;
- Notification obligation: the controller shall notify any recipient to whom personal data have been disclosed of any rectification or erasure of personal data or restriction on processing;
- Register obligation: the party responsible for processing will maintain a register of data processing which provides an up-to-date overview of the purposes of processing, categories of personal data, data subjects, recipients, retention periods and security measures;
- Obligation of secrecy: the controller will maintain secrecy with respect to personal data obtained in the course of an activity covered by the obligation of secrecy;
- Obligation to report: the controller documents and reports every data breach that occurs in the context of its data processing operations. This documentation must enable the Personal Data Authority (AP) to check whether the obligation to report has been fulfilled.
11. Permission
In order to be able to use our (online) services, we ask you to carefully read this privacy statement before completing and submitting your personal data (online). With your agreement, you give the organisation explicit permission to process your personal details in line with this privacy statement.
12. Contact
To contact the organisation about this privacy statement, please use the contact details under point 1.