Privacy policy
Introduction
In this respect, careful handling of the recording and exchange of personal data is a prerequisite for responsible financial services. Confidentiality is an important aspect of our organisation and of the professionals working within it.
For the effective execution of our services, it is necessary that we exchange personal data with providers such as financial institutions and other involved parties. This is inherent to our role as a financial service provider. Additionally, we may provide information to authorities such as the Dutch Tax and Customs Administration (Belastingdienst) or the Dutch Authority for the Financial Markets (AFM) where this is required by law.
We have documented the personal data administration maintained by us in an internal processing register. Clients and other involved parties may request a copy of this register. It contains information about the data we process and the parties with whom we may share this data.
1. Definitions
In this statement the following definitions apply:
The law
The General Data Protection Regulation (GDPR) and the Dutch GDPR Implementation Act.
Personal data
Any information relating to an identified or identifiable natural person.
Processing of personal data
Any operation or set of operations performed on personal data, including collection, recording, organisation, storage, updating, modification, retrieval, consultation, use, disclosure by transmission, distribution or otherwise making available, alignment, restriction, erasure or destruction of data.
File
Any structured set of personal data, whether centralised or distributed in a functional or geographical manner, accessible according to specific criteria and relating to different persons.
Controller
The natural or legal person, or any other entity or administrative authority, that determines the purposes and means of processing personal data.
Processor
A party that processes personal data on behalf of the controller without being subject to its direct authority.
Data subject
The person to whom the personal data relates.
Third party
Any party other than the data subject, the controller, the processor, or persons authorised under the direct authority of the controller or processor to process personal data.
Recipient
The party to whom personal data is disclosed.
Consent of the data subject
Any freely given, specific and informed indication of the data subject’s wishes by which they agree to the processing of personal data relating to them.
Supervisory authority
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
Provision of personal data
Making personal data known or available.
Collection of personal data
Obtaining personal data.
2. Scope
- This statement applies to the fully or partly automated processing of personal data. It also applies to non-automated processing of personal data that forms part of a filing system or is intended to form part of such a system.
- This statement applies within ADVIES VAN JORD and concerns the processing of personal data of clients, employees and other individuals involved.
3. Purpose
The purpose of collecting and processing personal data is to obtain the information necessary to achieve the objectives described in the statutes, annual plans and other policy documents of ADVIES VAN JORD, to comply with legal obligations and to manage and administer our services accordingly.
4. Representation of the Data Subject
If the data subject is a minor under the age of sixteen or an adult placed under legal guardianship, consent must be provided by their legal representative. This consent is recorded in writing.
Consent may be withdrawn at any time by the data subject, their authorised representative, or their legal representative.
5. Responsibility for Management and Liability
The controller is responsible for the proper functioning of data processing and the management of the data. Under the responsibility of the controller, an administrator may be appointed for the actual management of personal data.
The controller ensures appropriate technical and organisational measures are taken to protect personal data against loss or unlawful processing.
These responsibilities also apply when processing is carried out by a processor. This is regulated through an agreement between the controller and processor.
The controller is liable for damages resulting from failure to comply with legal obligations or this statement. The processor is liable for damages caused by its own actions.
6. Lawful Processing
Personal data are processed in accordance with the law and this statement in a proper and careful manner.
Personal data are collected only for the purposes described in this statement and are not further processed in a way incompatible with those purposes.
The data collected must be adequate, relevant and limited to what is necessary for the purpose of processing.
Personal data may only be processed if:
- the data subject has given explicit consent
- processing is necessary for the performance of a contract
- processing is necessary to comply with a legal obligation
- processing is necessary to protect vital interests of the data subject
- processing is necessary for legitimate interests of the controller or a third party, unless these interests are overridden by the interests or fundamental rights of the data subject
Anyone acting under the authority of the controller or processor processes personal data only on instructions from the controller, unless required otherwise by law.
All persons involved are bound by confidentiality agreements.
7. Processing of Personal Data
Processing is carried out by employees of our organisation or by individuals working under our responsibility in the provision of financial services.
Processing generally takes place in the context of executing a service agreement. Where no such agreement exists, processing takes place only with the explicit consent of the data subject.
Processing is necessary for us to perform our work as advisor and intermediary in financial products and services.
8. Special Categories of Personal Data
Processing personal data relating to religion, beliefs, race, political opinions, health, sexual life, trade union membership or criminal records is prohibited unless the law explicitly allows such processing.
As a financial service provider we may process information about health if necessary for proper service delivery. Information about criminal records may only be requested if necessary for the execution of an agreement and with explicit consent.
9. Data Processing
Data obtained directly from the data subject
When personal data are obtained directly from the data subject, the controller informs the data subject of:
- its identity
- the purpose of the processing
Additional information is provided where necessary to ensure fair and transparent processing.
Data obtained from other sources
The controller may also obtain information from reliable external sources, such as:
- Roy-data for insurance claim history
- RDW for vehicle information
- CIS Foundation for fraud prevention in the insurance sector
Only relevant and necessary data will be processed.
10. Right of Access
The data subject has the right to access personal data relating to them.
Upon request, the controller will inform the data subject within four weeks whether personal data concerning them are being processed.
If so, the controller will provide a written overview including:
- the purposes of processing
- the categories of data involved
- recipients of the data
- the origin of the data
Requests may be refused if necessary for criminal investigations or to protect the rights and freedoms of others.
11. Disclosure of Personal Data
Personal data will not be shared with third parties without consent unless required by law.
An exception applies where information exchange is necessary for the execution of an agreement, such as with:
- insurers
- banks
- lenders
- parties involved in claim handling
Personal data may also be shared with authorities such as the Dutch Tax and Customs Administration or the Authority for the Financial Markets.
12. Right to Correction, Addition or Deletion
The data subject may request correction, addition, deletion or restriction of personal data that are incorrect, incomplete or irrelevant.
The controller will respond within four weeks.
If the request is granted, the correction or deletion will be implemented within fourteen working days where possible.
13. Data Retention
Personal data will not be retained longer than necessary for the purposes for which they were collected.
Retention periods are determined by the controller.
Data will be deleted within three months after the retention period expires, unless:
- retention is required by law
- retention is necessary for the interests of others
- retention is agreed upon with the data subject
14. Processing Register
All data processing activities are recorded in an internal processing register before processing begins.
Where automated processing may present high risks to individuals, a Data Protection Impact Assessment (DPIA) will be carried out.
The register includes:
- the name and address of the controller
- the purpose of processing
- categories of data subjects and data
- recipients of the data
- retention periods
15. Data Breaches
If a data breach occurs, the controller investigates whether personal data have been lost or unlawfully processed.
If sensitive data have been compromised or there is a significant risk, the breach will be reported to the Dutch Data Protection Authority.
Where necessary, the breach may also be reported to the Authority for the Financial Markets and affected individuals.
16. Complaints Procedure
If a data subject believes this statement is not being followed, they may contact:
- the controller
- the Financial Services Complaints Institute (Kifid) in The Hague
- the Dutch Data Protection Authority
- a court of law
17. Amendments and Entry into Force
This statement may be amended by the controller.
Changes take effect four weeks after they have been announced to the relevant parties.
This statement came into effect on 1 October 2022.
A copy of this statement can be requested from the controller.
18. Unforeseen Circumstances
In cases not covered by this statement, the controller will decide in accordance with the law and the purpose of this statement.
More information about the GDPR:
Text of the regulation:
https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/verordening_2016_-_679_definitief.pdf
Website of the Dutch Data Protection Authority:
http://www.autoriteitpersoonsgegevens.nl