- A GENERAL
This includes the following types of personal data:
Personal data of consumers (customers)
Personal data of employees
Personal data of website visitors of Dutch Heritage Travel
Personal details of app users
Personal data of (employees of) suppliers
A.3. USED TERMS
- B LEGAL FRAMEWORK
B.1. GENERAL PROVISION OF DATA PROTECTION
The General Data Protection Regulation applies to the use ("processing") of personal data by Dutch Heritage Travel as of 25 May 2018. From that day on, the GDPR will replace the Dutch Personal Data Protection Act ("Wbp").
The General Data Protection Regulation applies to:
the "automated" processing of personal data, "automated" means, in short, processing via a computer or other electronic device such as a smartphone, tablet, digital camera or via a server.
Common examples include creating customer databases, sending and receiving e-mails, collecting data via a website or an app, taking camera shots, recording employee records;
the processing of personal data on paper in an "ordered whole" (in a searchable file).
An example of the latter is the physical folder administration of personnel files.
Dutch Heritage Travel has on the basis of the GDPR as "responsible" certain obligations concerning the processing of the personal data. The persons whose data are concerned (the "data subjects") have certain rights under the GDPR regarding the processing of their personal data. This policy describes in general terms what those obligations and rights are.
B.2. OTHER SPECIFIC LAWS AND REGULATIONS
In certain specific situations, such as the use of personal data of employees, medical data or criminal data, additional legislation and regulations may apply.
- C BASIC PRINCIPLES
In general, "careful" handling of personal data is required. Employees of Dutch Heritage Travel Therefore, when using personal data during their daily work, they must remember that the privacy rules of the GDPR are respected.
C.2. COLLECT, RECEIVE AND INTERNAL USE OF PERSONAL DATA
When collecting / creating personal data, receiving personal data from external parties and the further internal processing thereof within Dutch Heritage Travel , is provided by Dutch Heritage Travel made a decision whether that is allowed and, if so, how far it can be used.
The following questions are at least taken into account (the terms used are explained in Appendix 1):
Is it about "special personal data"? Then they may only be collected, received and processed on the basis of a legal exception. If the special personal data may be processed, extra care must be taken with these personal data.
Is it personal data of children (persons under the age of 16)? Then extra care must also be taken with the data and extra rules apply.
Is there a "basis / legal basis" to collect, receive and use the personal data? There must be a basis / legal basis for each processing (every type of use).
For what purposes are the personal data collected, received and processed? The goals must be clear.
Is it necessary to collect, receive and process the personal data for the established purposes? If it is not necessary for those purposes or for compatible purposes, the data should not be collected, received or processed.
Is "exclusively automated individual decision-making" being used, including profiling, which has legal consequences for the persons concerned or which affects the persons in a significant way in another way? This is only allowed under certain conditions.
Where necessary, Dutch Heritage Travelperforms a privacy test to answer the above questions.
C.3. OVERVIEW PROCESSING
Dutch Heritage Travel keeps an internal overview of the various processing operations for which Dutch Heritage Travelis to be regarded as responsible. If Dutch Heritage Travel is to be regarded as the "processor" of certain personal data, an overview is also kept of the processing operations for which Dutch Heritage Travelis to be regarded as the processor.
Employees of Dutch Heritage Travel keep the personal data secret and use it only in the context of their work for Dutch Heritage Travel . They hereby commit themselves in writing towards Dutch Heritage Travel .
C.5. DATA QUALITY
Personal data are kept accurate, complete and up-to-date as much as possible.
C.6. PRIVACY BY DESIGN AND BY DEFAULT
When developing (new) products or services, including IT systems, use is made as much as possible of "privacy by design" and "privacy by default".
Privacy by design means, in summary, that the protection of personal data is taken into account where possible, for example by pseudonymizing data, and that data minimization and compliance with the privacy rules are ensured.
Privacy by default means, in summary, that care is taken to ensure that only necessary personal data is used as a starting point, in view of the amount of personal data, the way in which they are used, the period within which they are stored and the accessibility thereof. The measures must ensure that the personal data is not taken as a starting point without a Dutch Heritage Travel an unlimited audience is made available, for example on the internet.
C.7. PIAs (PRIVACY IMPACT ASSESSMENTS) AND PRIVACY BUTTONS
When using personal data with a high risk, such as at least large-scale use of special personal data, automated individual decision-making, including profiling, that has legal consequences for the persons involved or that affects the persons in a different way or systematically monitoring a public space on a large scale, a privacy impact assessment (PIA) is carried out.
In new projects where personal data are processed, a privacy test is made to check whether the privacy rules are met.
The Data Protection Officer is involved in the execution of the PIA and the privacy test.
C.8. EXTERNAL USE OF PERSONAL DATA
As a starting point, Dutch Heritage Travel uses the personal data only for itself.
In certain cases, however, it may be necessary to pass on personal data to external parties. When passing on the personal data to external parties, it must be considered whether this is possible and, if so, under which conditions:
Is the external party to be regarded as a "processor" acting exclusively on behalf of Dutch Heritage Travel when receiving and using personal data? Then agreements are made in a processor agreement with such a party about how they deal with the personal data. Such parties may not use the personal data for their own purposes.
Is the external party itself to be regarded as "responsible" - for example the insurer of Dutch Heritage Travel ? In that case, it must be checked whether the transmission of personal data to this external party corresponds to the established purposes, which personal data are necessary for this and whether there is a basis for the transmission of the data. Where possible, arrangements are made about the exchange of personal data.
Is the external party to be regarded as responsible for the relevant processing of personal data together with Dutch Heritage Travel ? Then the agreements on the personal data are recorded in an agreement between Dutch Heritage Travel and the other responsible.
Is the external party a government agency? Dutch Heritage Travel only provides personal data to government authorities when it is legally obliged to do so. In certain specific situations, Dutch Heritage Travel however, it is also necessary to pass on personal data to a government body if there is no legal obligation. An example of this is passing on information about a person to the police as Dutch Heritage Travel report this person. No more data is transmitted than necessary.
C.9. TRANSFER TO OUTSIDE THE EEA
If personal data are passed on to a country outside the European Economic Area ("EEA"), (the EEA consists of the countries of the European Union, Norway, Iceland and Liechtenstein), where there is no adequate level of protection for privacy, measures are taken to to make such transfer legally possible.
C.10. SECURITY AND DATA COVERS
Personal data must be secured technically and organisationally in an appropriate manner, taking into account the nature of the personal data, the risks of the use of the personal data, the costs of security and the state of the art. Dutch Heritage Travel applies a security policy for this.
If data leaks occur in which personal data are involved, they will be reported to the Dutch Data Protection Authority and the persons concerned if necessary. There may be special circumstances under which notification does not take place.
C.11. KEEP PERSONAL DATA
Personal data are not kept longer than necessary for the purposes for which they were collected. Where applicable, a retention policy and / or storage protocol will be drawn up.
C.12. RIGHTS OF THE PERSONS
The persons whose personal data are involved may have certain rights with respect to their personal data to Dutch Heritage Travel exercise.
It concerns the following rights:
To receive an overview of the personal data in an understandable form.
To receive information about the use of personal data by Dutch Heritage Travel .
To receive a copy of the personal data.
In certain cases, to obtain the data in a structured, current and machine-readable form and to have it forwarded on request to another "responsible person".
Correction of incorrect data and addition of incomplete data.
In certain cases request the removal of their personal data.
In certain cases to request "restriction" of their personal data.
In certain cases to object to the processing of their personal data.
When using personal data for direct marketing purposes, the person can always oppose and that use is discontinued.
As a starting point to withdraw a permission once granted.
To file a complaint with the Dutch Data Protection Authority.
In certain cases, Dutch Heritage Travel reject a request, for example if the person requests the removal of certain personal data, but this still has to be retained for the purposes of a legal obligation. Dutch Heritage Travel Does the person know this. Where applicable, a protocol is made for dealing with requests from the persons.
C.13. INFORMING PERSONS
The persons are informed where necessary about the use of their personal data, for example through privacy statements.
C.14. PROTOCOLS / GUIDELINES / CODES OF CONDUCT
When using personal data with a radical character or another activity that significantly affects the privacy of the persons, the starting point is a protocol, guideline and / or code of conduct which specifies how the data and privacy are dealt with.
C.15. TRAINING AND "AWARENESS"
Dutch Heritage Travel tries to create as much "awareness" as possible about how to deal with personal data. Where appropriate, training courses are given to inform employees.
C.16. DATA PROTECTION OFFICER (DPO)
Dutch Heritage Travel has appointed a Data Protection Officer (DPO). The DPO serves (at least) as a source of information for questions about the use of personal data (both for employees of Dutch Heritage Traveland the parties involved), provides advice on PIAs to be carried out and supervises compliance with them, supports projects where personal data are used and supervises internally the use of personal data by Dutch Heritage Travel.
- E COMPLAINTS
If a person whose personal data is involved has a complaint about the use of his or her personal data, the person can submit a complaint to Dutch Heritage Travel A contact point is designated for this, where applicable per category of persons or personal data. The DPO is informed of the complaint.
If the complainant and the contact point (with the help of the DPO) fail to deal with the complaint, the person can escalate the complaint to the manager of the contact point or to the DPO. If the manager or the DPO fails to handle a complaint with the complainant, the complaint can be escalated to management.
If the management can not handle the complaint, the person could decide to ask the judge to make a decision or ask the Dutch Data Protection Authority for mediation.
Specific complaints regulations, such as for employees or consumers, go before this complaints procedure.
ANNEX 1 - CONCEPTS
Personal data: these are data (information) relating to an identified or identifiable person.
Only automated individual decision-making: this is decision-making about the person who is only created automatically, so without a person involved in that decision-making.
Special personal data: are the following types of personal data:
- about health,
- about a person's race or ethnic background,
- about a person's belief,
- about a person's sexual behavior or focus,
- about a person's political opinions,
- about someone's membership of a trade union,
- genetic characteristics,
- biometric features intended to identify someone.
The National Insurance Number and criminal law data also count as special personal data that can only be used if there is an exception mentioned in the GDPR.
Responsible: the "responsible" is the party that determines what happens to the personal data and how that happens (this determines the "purpose and means").
Data subject: a "data subject" is a person to whom the personal data relate.
Processing: a "processing" is an act with the personal data. This includes: collecting, recording, organizing, structuring, storing, updating or modifying, retrieving, consulting, using, providing by means of forwarding, distributing, combining, blocking or deleting.
Basis / legal basis: for each processing with personal data one of the following bases (also called "legal grounds") is needed:
- informed, free and specific consent,
- because it is necessary for the preparation or execution of an agreement with or for the benefit of the person concerned,
- because it is necessary to comply with a legal obligation resting on the responsible person,
- because it is necessary to protect the vital interests of the person (or another person),
- because it is necessary for the fulfillment of a task of general interest or of a task in the exercise of the public authority entrusted to the responsible party, or
- because it is necessary for a legitimate interest of the controller or a third party to go before the interests of the person concerned.