Privacy Statement

DE HOGE VELUWE NATIONAL PARK

MARCH 2019 VERSION

Introduction

Stichting Het Nationale Park De Hoge Veluwe, Stichting Horeca Het Nationale Park De Hoge Veluwe, Stichting Hoge Veluwe Fonds and Stichting Faciliteiten Het Nationale Park De Hoge Veluwe (hereinafter jointly: "The Park", "we" and "us") collect personal data about you and other persons ("data subjects"). We want to inform you about the processing of these personal data. The "processing" of personal data refers to everything that is done with personal data, including the collection, storage, use, consultation and removal of these data. In this Privacy Statement, you can read all about how we collect your data, how we use these data, the retention period for these data, the rights you have and how you can exercise these rights and ask questions about your privacy.

This Privacy Statement is structured according to the types of services that we offer you and the relationship we maintain with you. For instance, by clicking on "You visit The Park", you can read about the personal data that we process for our visitors, and why we do so. The information on data processing for specific data subject categories is followed by the general section containing information that is applicable to all categories of data subjects. The "data subject" is the person that the personal data relate to.

This Privacy Statement is partly based on the General Data Protection Regulation (the "GDPR") and therefore contains some legal texts. If you have any questions about this Privacy Statement or your personal data, you can contact us by sending an email to privacy@hogeveluwe.nl.

Data subject categories

This Privacy Statement applies to the processing of your personal data by The Park when you are in contact with The Park in one or more of the following ways:

1. You make use of our website and/or services

a. You visit our website;

b. You have purchased a ticket for The Park, one of our activities and/or the Kröller-Müller Museum or you have purchased or rented another product or service via our webshop;

c. You have completed a contact form on our website or have contact with us in some other way (by telephone, email or post);

d. You participate in Snapshot.

 

2. You visit The Park

a. You have purchased a ticket for The Park, one of our activities and/or the Kröller-Müller Museum at the ticket desk or entrance or have purchased or rented another product or service in our park shops or in one of our food & drink outlets;

b. You enter The Park;

c. Your image is shown on photos or videos published by The Park.

 

3. You support The Park

a. You support The Park as a private donor, Friend or Guardian;

b. You support The Park with your company as a Partner of The Park;

c. You support The Park through school fundraising.

 

4. You or the company you work for is a supplier or other type of business associate of The Park.

In addition to the processing operations for specific data subject categories, there are also General Processing Operations irrespective of the category. For more information, see "General Processing Operations" in this Privacy Statement.

Who are the controllers?

The Park consists of the following foundations that act as (joint) controllers for the processing of your personal data as defined in the GDPR, and all are established at Apeldoornseweg 250, 7351 TA Hoenderloo:

Name of controller

Chamber of Commerce number

Stichting Het Nationale Park De Hoge Veluwe

41151066

Stichting Horeca Het Nationale Park De Hoge Veluwe

62831119

Stichting Faciliteiten Het Nationale Park De Hoge Veluwe

09073663

Stichting Hoge Veluwe Fonds

08166709

The main activities of The Park are performed by Stichting Het Nationale Park De Hoge Veluwe. All catering & hospitality activities fall within the responsibility of Stichting Horeca Het Nationale Park De Hoge Veluwe. The sale of products in our park shop and, for instance, maps and other printed matter, the campsite and the Theekoepel fall within the responsibility of Stichting Faciliteiten Het Nationale Park De Hoge Veluwe. Finally, all fundraising activities are carried out under the responsibility of Stichting Hoge Veluwe Fonds.

Questions about privacy or data protection can always be directed to Stichting Het Nationale Park De Hoge Veluwe. The easiest way to reach us is by calling +31 (0)55-8330833 (on weekdays from 9am to 5pm) or sending an email to privacy@hogeveluwe.nl.

Lawfulness

Our lawful bases for processing personal data are the following:

·         the processing is necessary to perform a contract with you;

·         the processing is necessary to comply with one of our legal obligations;

·         the processing is necessary for a legitimate interest pursued by The Park or a third party. We do this insofar as your privacy interests do not outweigh our legitimate interest. You can contact us for information about how we made a balanced assessment of the various interests. You can object to this on the grounds of your specific circumstances;

·         the processing is necessary to perform a task carried out in the public interest;

·         the processing is necessary to protect the vital interests of a data subject (for instance, to provide urgent medical assistance or react effectively in life-threatening situations);

·         your consent. In this case, you have the right to withdraw your consent.

The lawful basis for processing personal data is mentioned in this Privacy Statement for each data subject category.

Your rights

Access: You have the right to request access to your personal data that are processed by us or on our behalf. In this connection, you can also request specific information about the processing of your personal data, such as:

·         the purposes for which personal data are processed;

·         the categories of personal data that are processed;

·         whether your personal data have been disclosed and to which recipients or categories of recipients;

·         the retention period for your personal data (or how that period is determined);

·         your right to submit a complaint to the Personal Data Authority;

·         the source of the personal data (if we did not receive your personal data from you);

·         whether we subject your personal data to automated decision-making (decision-making without any human intervention);

·         whether your personal data are transferred outside the European Economic Area and, if so, whether appropriate safeguards are in place to protect your privacy.

General information can also always be found in this Privacy Statement.

Rectification: If your personal data are incorrect or incomplete, you have the right to have these changed or supplemented.

Limitation: You can also limit our processing of your personal data, for instance during the period we need to check your request for rectification or assess your objection to a processing operation based on our legitimate interests.

Erasure of personal data: In certain cases, you have the right to request us to erase your personal data, for instance if you think your personal data are no longer necessary, withdraw your consent, object to a processing operation or believe that your personal data were unlawfully processed. However, the GDPR also specifies certain grounds on which we are allowed to retain your personal data – for instance, if we need your personal data to continue providing a service to you or if we have a legal obligation to retain the personal data.

Right to personal data portability: At your request, we will, in cases set out in the GDPR, provide you with a structured, commonly used and machine-readable copy of the personal data that you provided to us. You also have the right to transmit these data to a third party.

Right to object: You have the right to object at any time to the processing of your personal data by us. We can request you to provide grounds relating to your specific situation that justify this objection. We shall always comply with an objection relating to our use of your personal data for direct marketing purposes.

You can exercise all your rights by sending an email to privacy@hogeveluwe.nl or a letter to: Stichting Het Nationale Park De Hoge Veluwe, Antwoordnummer 2001, 7350 ZX Hoenderloo. We may ask you to identify yourself if you do so.

You have the right to submit a complaint to the Dutch Personal Data Authority.

If you have given us your consent for the processing of your personal data, you have the right to withdraw your consent. Withdrawal of your consent has no consequences for the lawfulness of the processing of your personal data before the withdrawal.

However, the law provides for various exceptions to the rights mentioned above. We will check on a case-to-case basis whether any exceptions are applicable.

Transfer of your personal data

We sometimes enlist the support of other parties for the processing of your personal data. Examples are IT providers, communication service providers (such as Mailchimp for our newsletters), payment service providers (such as Ingenico for the processing of online payments), our check-out supplier, a party that is hired by The Park to carry out visitor surveys, a printer, financial or legal advisers and auditors (e.g. in the case of an audit). If such a party is a "processor" (i.e. if that party processes the personal data on our behalf), we will enter into a data processing agreement with that party, stipulating, inter alia, that the personal data must be processed according to our instructions and that appropriate security measures are taken.

International transfer of personal data

We provide your personal data to other parties for the performance of our services. As a result, your personal data may also be processed in other countries within the European Economic Area (EEA).

We work wherever possible with service providers that process personal data in countries within the EEA, as these countries offer privacy protection in accordance with the GDPR. In some situations, we may opt to work with service providers that process data in countries outside the EEA, but only if these comply with the GDPR. This means that your personal data are only transferred to countries outside the EEA:

(i) if an adequacy decision of the European Commission confirms that the country or region offers an adequate level of protection, or

(ii) if appropriate safeguards are in place to protect your personal data, consisting of

(a) binding corporate rules;

(b) an agreement (based on standard provisions approved by the European Commission); or

(c) other appropriate statutory safeguards; or

(iii) if another lawful ground for exemption allows us to transfer your personal data.

How does The Park obtain your personal data?

As you can read below, we obtain most of the personal data directly from you, either via cookies (see 'You visit our website' under 'You make use of our website and/or services' below) or from other sources, such as the Kröller-Müller Museum (if you purchase your ticket for The Park via the website of the Kröller-Müller Museum), your partner, our trading partners, insurers or external websites on which you register for activities at The Park (such as inschrijven.nl and uitslagen.nl (Iwan.nl B.V.) for the Hoge Veluwe Run). We can also process personal data about you from public sources, such as the Trade Register, the internet and/or social media (e.g. when you ‘Like’ a message from The Park on social media).

Mandatory provision of personal data

Contractual or legal obligations may require you to provide personal data to us. In that case, we will inform you accordingly. Our paper and online forms, for instance, state whether requested personal data are mandatory or optional. If you fail to provide data that are mandatory (e.g. because these are necessary to provide our services or because the law requires us to process these data), we cannot provide our services and may decide to terminate our relationship with you as an individual or business.

Personal data of children

In cases where consent is required, The Park only processes personal data about children (up to age 16) with the consent of one or more of the child’s legal representatives/parents.

Changes to this Privacy Statement and our Cookies Statement

We reserve the right to make changes to this Privacy Statement and our Cookies Statement. The most recent version of this Privacy Statement is always posted on the website of The Park and you will be provided with necessary information in an appropriate manner wherever possible.

SPECIFIC SECTION PER DATA SUBJECT CATEGORY

1. YOU USE OUR WEBSITE AND/OR SERVICES

a. You visit our website

If you visit our website, we can process personal data about you via the cookies and other automatic data procedures that our website uses. More information about this can be found in our Cookies Statement.

The information about General Processing Operations applies in addition to the above.

b. You have purchased a ticket for The Park, one of our activities and/or the Kröller-Müller Museum or you have purchased or rented another product or service via our webshop

i. What personal data do we collect about you and for what purpose?

If you purchase a ticket for The Park, one of our activities, the Kröller-Müller Museum or purchase or rent another product or service via our webshop, we collect various personal data about you:

·         Your title, name and contact details (including address, email address and telephone number) are used to send your ticket, product or service to you and to contact you. This information can also be used to identify you and give you access to The Park;

·         Your payment information (including payment method, IBAN or credit card details) is used to perform the payment;

·         The information about your order (such as the amount, the purchased service or product, your order and debtor number, your e-ticket and when your e-ticket barcode was scanned) is used to deliver your ticket, product or service to you;

·         Certain annual visitor passes (Staff Passes, Park Associate Passes, Guardian Passes or Sponsor/Donor Passes) are sent automatically each year to your address.

The Park also processes personal data to determine whether you are eligible for a discount for a product or service that you purchase from us. For instance, by requesting visitors to state their date of birth, The Park can automatically check whether someone is old enough to purchase the product or service as well as check passes or tickets of children, students and holders of CJP, ICOM, Museum, BankGiroLoterij VIP, Rembrandt Vereniging, Disabled and Veteran Passes in The Park to make sure the holder is entitled to a discount. If you purchase a Guardian Pass via the webshop and are a resident of the municipality of Apeldoorn, Arnhem or Ede, the website of The Park will recognize your postcode and automatically award the 25% discount.

The information about General Processing Operations applies in addition to the above.

ii. What is our lawful basis for processing your personal data?

If you purchase a ticket for The Park, one of our activities, the Kröller-Müller Museum or purchase or rent another product or service via our webshop, we process your personal data to perform our contract. We also process your personal data for legitimate interests pursued by ourselves or a third party (such as other visitors of The Park), for instance to verify your identity and/or eligibility for a discount or to protect our economic interests and safety. Finally, we process your personal data to comply with our legal obligations, such as the obligation to keep accurate records.

You have the right to object to the processing of your personal data based on a legitimate interest on the grounds of your specific circumstances.

iii. How long do we keep your personal data?

Personal data are not kept longer than necessary for the purposes of the processing. Personal data must be removed if they are no longer necessary. We keep personal data to comply with the statutory retention periods as prescribed in e.g. tax legislation and the Dutch Civil Code (e.g. our recordkeeping systems are set to comply with the minimum retention periods of 7 and 10 years for data about corporate real estate). To protect your personal data against unlawful processing, we also make use of an archive/non-active records at the end of the set retention periods. Access to these records is restricted to authorized persons for lawful purposes.

c. You have filled in a contact form on our website or have contact with us in some other way (by telephone, email or post)

i. What personal data do we collect about you and for what purpose?

We use the personal data that you provide to us via a contact form on our website or send to us by email or post to contact you or to process your application, question or request. This also applies when you contact us by telephone. We can make notes about telephone calls. Certain correspondence with you is also kept in our records.

The information about General Processing Operations applies in addition to the above.

ii. What is our lawful basis for processing your personal data?

The personal data we process about you when you have contact with us is processed on the basis of our legitimate interest to have contact with you. You can also give your consent for the processing of your personal data. In that case, you have the right to withdraw your consent.

You have the right to object to the processing of your personal data based on a legitimate interest on the grounds of your specific circumstances.

iii. How long do we keep your personal data?

Personal data are not kept longer than necessary for the purposes of the processing. Personal data must be removed if they are no longer necessary. We keep personal data to comply with the statutory retention periods as prescribed in e.g. tax legislation and the Dutch Civil Code (e.g. our recordkeeping systems are set to comply with the minimum retention periods of 7 and 10 years for data about corporate real estate). To protect your personal data against unlawful processing, we also make use of an archive/non-active records at the end of the set retention periods. Access to these records is restricted to authorized persons for lawful purposes.

 

d. You participate in Snapshot

i. What personal data do we collect about you and for what purpose?

Snapshot Hoge Veluwe makes use of Zooniverse; the controller for this platform is the University of Oxford’s Department of Physics (hereinafter: "Zooniverse"). If you take part in Snapshot, you pass certain personal data (such as your name, username and email address) on to Zooniverse. The processing of your personal data by Zooniverse is subject to the Privacy Policy of Zooniverse (https://www.zooniverse.org/privacy).

The Park receives the following personal data from Zooniverse about Snapshot participants:

·         the username you have selected;

·         comments you have placed with observations;

·         messages you have posted on the forum.

 

The information about General Processing Operations applies in addition to the above.

 

ii. What is our lawful basis for processing your personal data?

The Park processes personal data from Snapshot based on the legitimate interest to manage The Park.

You have the right to object to the processing of your personal data based on a legitimate interest on the grounds of your specific circumstances.

iii. How long do we keep your personal data?

The Park does not keep the personal data about Snapshot users outside Snapshot.

 

2. YOU VISIT THE PARK

a. You have purchased a ticket for The Park, one of our activities and/or the Kröller-Müller Museum at the ticket desk or entrance or have purchased or rented another product or service in one of our park shops or food & drink outlets

i. What personal data do we collect about you and for what purpose?

The Park does not receive any personal data about individual transactions relating to the purchase of a ticket for The Park, one of our activities, the Kröller-Müller Museum or the purchase or rental of another product or service of The Park that takes place in The Park (at the ticket desk, at the entrance, in our park shops or in one of our food & drink outlets).

Personal data are processed in connection with the purchase of certain visitor passes (Staff Passes, Park Associate Passes or Sponsor/Donor Passes), including the name, contact details, payment details, date of birth and passport photo (which can also be taken in The Park).

The Park also processes personal data to determine whether you are eligible for a discount on a product or service that you purchase from us. For instance, the passes or tickets of children, students and holders of CJP, ICOM, Museum, BankGiroLoterij VIP, Rembrandt Vereniging, Disabled and Veteran Passes can be checked in The Park to verify that the holder is entitled to a discount. If you want to purchase a Guardian Pass in The Park and are a resident of the municipality of Apeldoorn, Arnhem or Ede, your postcode will also be processed in order to award your 25% discount.

If you make use of the campsite in The Park, The Park will record the name and address of the contact person of the booking in the night register as well as the day of arrival, day of departure, number of nights and payment method. We also keep a record of when you last visited The Park’s campsite, as there must be an interval of at least one month between your campsite stays. The night register is also maintained for your personal safety. In the event of calamities, we know who is staying at the campsite. It can also help to deter crime. The municipality (Ede) can ask us to supply data from the night register, for instance for tourist tax purposes.

The information about General Processing Operations applies in addition to the above.

 

ii. What is our lawful basis for processing your personal data?

Personal data are processed – insofar as these are collected – to perform our contract relating to the purchase of tickets for The Park, one of our activities, the Kröller-Müller Museum or the purchase or rental of another of our products or services in The Park.

We also process your personal data for legitimate interests pursued by ourselves and third parties (such as other visitors of The Park). This applies, for instance, to the verification of your identity in the case of visitor passes and to the verification of your eligibility for a discount and/or to identify you in order to protect our economic interests and safety.

Finally, we process your personal data to comply with our legal obligations, such as in relation to the campsite night register and the obligation to keep accurate records.

iii. How long do we keep your personal data?

Personal data are not kept longer than necessary for the purposes of the processing. Personal data must be removed if they are no longer necessary. We keep personal data to comply with the statutory retention periods as prescribed in e.g. tax legislation and the Dutch Civil Code (e.g. our recordkeeping systems are set to comply with the minimum retention periods of 7 and 10 years for data about corporate real estate). To protect your personal data against unlawful processing, we also make use of an archive/non-active records at the end of the set retention periods. Access to these records is restricted to authorized persons for lawful purposes.

 

b. You enter The Park

i. What personal data do we collect about you and for what purpose?

·         Camera surveillance is used in The Park to protect The Park, our employees, visitors, property and the Kröller-Müller Museum. You are informed of the presence of camera surveillance in The Park. You may be recorded on camera. These surveillance cameras fall partly under the management of the Kröller-Müller Museum. The Park can view this camera footage in real-time and for four weeks after the recording took place. We can request Kröller-Müller Museum to provide us with camera footage falling within its management if we have reason for doing so, such as criminal offences/vandalism. These can then be viewed by the enforcement staff of The Park. In certain cases, the camera footage can also be shared with authorities, for instance in the case of criminal offences;

·         Visitor surveys may be conducted in The Park. If you participate in such a survey, your name and contact details may be registered in order to contact you later. The answers you give in a visitor survey will be used to improve our services and products;

·         If you have an accident in The Park, we may process your name, contact details, information about the accident (including your condition after the accident) in order to call in the emergency services as quickly as possible and to inform others such as your partner or family members. We can also record these data internally when accidents occur in The Park in case further action or follow-up is required (with the Accident Report Form). We may also receive personal data from your insurer in this case;

·         If you make use of one of our Wi-Fi networks in The Park, we will receive certain details about the device you are using to make contact with the network (MAC address, your operating system, the name of your device and the access point of The Park that you are connected to).

The information about General Processing Operations applies in addition to the above.

 

ii. What is our lawful basis for processing your personal data?

·         We process the camera footage based on the legitimate interests of The Park, our employees, visitors and the Kröller-Müller Museum because this is necessary to ensure their safety. To this end, we make a balanced assessment of your privacy interests;

·         If you take part in a visitor survey in The Park, we process your personal data based on our legitimate interest in improving our products and services;

·         In the case of an accident, we process your personal data based on our legitimate interest in helping you as quickly as possible or protecting your vital interests, or in connection with any further action or follow-up that may be required. The internal recording of accidents is also based on our legitimate interest in improving the safety of The Park;

·         We process personal data in connection with our Wi-Fi networks based on our legitimate interest in offering an internet connection within The Park and in protecting our network.

You have the right to object to the processing of your personal data based on a legitimate interest on the grounds of your specific circumstances.

iii. How long do we keep your personal data?

Personal data are not kept longer than necessary for the purposes of the processing. Personal data must be removed if they are no longer necessary. We keep personal data to comply with the statutory retention periods as prescribed in e.g. tax legislation and the Dutch Civil Code (e.g. our recordkeeping systems are set to comply with the minimum retention periods of 7 and 10 years for data about corporate real estate). To protect your personal data against unlawful processing, we also make use of an archive/non-active records at the end of the set retention periods. Access to these records is restricted to authorized persons for lawful purposes.

Regarding the retention period for the camera footage, we refer you to the first paragraph (i. above). Camera footage may be retained for longer in the case of an incident.

The non-anonymized answers that you give in a visitor survey are not retained for longer than a reasonable period after the answers have been processed in the outcomes of the visitor survey.

The completed accident report forms relating to accidents in The Park are kept on paper by The Park (for 7 years) and access is restricted to authorized persons.

Personal data that we receive about you when you make use of one of our Wi-Fi networks can only be viewed during your usage.

c. Your image is shown on photos or videos published by The Park

i. What personal data do we collect about you and for what purpose?

The Park can publish a photo or video on which you are visible via, for instance, the website, social media, a brochure, other promotional materials or publications of The Park. The purpose can be to advertise The Park ('commercial usage') or to provide information on events or activities that have taken place at The Park ('journalistic usage'). In this connection, we also refer to our regulations (https://www.hogeveluwe.nl/nl/over-het-park/reglement-park).

The information about General Processing Operations applies in addition to the above.

ii. What is our lawful basis for processing your personal data?

The Park processes photos or videos on which you are visible based on our legitimate interest in advertising The Park and informing others about The Park and our activities.

You have the right to object to the processing of your personal data based on a legitimate interest on the grounds of your specific circumstances. If you recognize yourself on a photo or video and wish to object to this, please contact us.

We may also process/publish photos or videos of you with your consent. In that case, you have the right to withdraw your consent.

iii. How long do we keep your personal data?

After publication, photos and videos on which you are visible are kept for as long as necessary (for the purpose of the publication). If you object to the processing or publication of a photo or video on which you are recognizable or if you have withdrawn your consent, we will remove the photo or video or modify it by blurring the image so that you are no longer recognizable insofar as reasonably possible. The photo or video (in the publication material) may be placed in our archive, which is regularly reviewed and purged.

To protect your personal data against unlawful processing, we also make use of an archive/non-active records at the end of the set retention periods. Access to these records is restricted to authorized persons for lawful purposes.

 

3. YOU SUPPORT THE PARK

a. You support The Park as a private donor, Friend or Guardian

i. What personal data do we collect about you and for what purpose?

If you support The Park in a private capacity as a private donor or Friend, we process the following personal data about you:

·         Your title, name and contact details and your preferred means of communicating with us are used to contact you;

·         Financial information about your support, such as the donation amount and frequency (one-off or recurrent), your payment method (iDeal or direct debit) and your IBAN;

·         Information that you provide via a donation agreement (including, if required by law, your citizen service number);

·         If you are a Friend of The Park: the type of Friend (Bronze, Silver or Gold) that you are;

·         If you have made a bequest to The Park in your will: the documents relating to the bequest;

·         We also keep our correspondence with you in our records.

If you are a Guardian of The Park, the section "You have purchased a ticket for The Park, one of our activities and/or the Kröller-Müller Museum or you have purchased or rented another product or service via our webshop" of this Privacy Statement is applicable.

The information about General Processing Operations applies in addition to the above.

ii. What is our lawful basis for processing your personal data?

If we have entered into a contract with you, we process your personal data to perform that contract. We also process your personal data based on a legitimate interest, such as our legitimate interest in raising funds for The Park. Finally, we process your personal data in connection with legal obligations resting upon us, such as the obligation to keep accurate records.

You have the right to object to the processing of your personal data based on a legitimate interest on the grounds of your specific circumstances.

iii. How long do we keep your personal data?

Personal data are not kept longer than necessary for the purposes of the processing. Personal data must be removed if they are no longer necessary. We keep personal data to comply with the statutory retention periods as prescribed in e.g. tax legislation and the Dutch Civil Code (e.g. our recordkeeping systems are set to comply with the minimum retention periods of 7 and 10 years for data about corporate real estate). To protect your personal data against unlawful processing, we also make use of an archive/non-active records at the end of the set retention periods. Access to these records is restricted to authorized persons for lawful purposes.

b. You support The Park with your company as a Partner of The Park

The section "You or the company you work for is a supplier or other type of business associate of The Park" of this Privacy Statement is applicable to the processing of personal data in connection with companies that are a Partner of The Park.

The information about General Processing Operations applies in addition to the above.

c. You support The Park through school fundraising

i. What personal data do we collect about you and for what purpose?

If you support or want to support The Park through a school fundraiser, we process the following personal data:

·         Your title, name and contact details and your preferred means of communicating with us are used to contact you;

·         Correspondence and other information about the school fundraiser, such as the name of the school, a description of the activity and names of the participants, where we assume that you are allowed to process these personal data or have received the consent of the participant or his/her legal representative(s)/parent(s) if the participant is younger than 16. The correspondence is also kept in our records;

·         Financial information about the school fundraiser, such as the amount of a donation and IBAN.

 

The information about General Processing Operations applies in addition to the above.

ii. What is our lawful basis for processing your personal data?

In connection with school fundraisers, The Park processes personal data based on our legitimate interest in raising funds. We can also process your personal data in connection with our legal obligations, such as the obligation to keep accurate records.

You have the right to object to the processing of your personal data based on a legitimate interest on the grounds of your specific circumstances.

iii. How long do we keep your personal data?

Personal data are not kept longer than necessary for the purposes of the processing. Personal data must be removed if they are no longer necessary. We keep personal data to comply with the statutory retention periods as prescribed in e.g. tax legislation and the Dutch Civil Code (e.g. our recordkeeping systems are set to comply with the minimum retention periods of 7 and 10 years for data about corporate real estate). To protect your personal data against unlawful processing, we also make use of an archive/non-active records at the end of the set retention periods. Access to these records is restricted to authorized persons for lawful purposes.

 

4. YOU OR THE COMPANY YOU WORK FOR IS A SUPPLIER OR OTHER TYPE OF BUSINESS ASSOCIATE OF THE PARK

i. What personal data do we collect about you and for what purpose?

If you or the company you work for is a supplier or other type of business associate of The Park, we process the following personal data about you:

·         Your title, name, contact details (including business address, email address and telephone number), company name, Chamber of Commerce number and job title are used in our contacts with you. This information can also be used to identify you and give you access to The Park. We may also ask you to identify yourself in this connection. We keep a visitor list of the persons visiting The Park on your or your company’s behalf. The list states the visitor’s name, the company’s name, the reason for the visit or the name of the person with whom the visitor has an appointment, the date of the visit and, sometimes, the time of arrival at and departure from The Park;

·         Information from your business card, company website or the Trade Register are used in contacts with you;

·         Your payment information (including IBAN, credit card details and VAT number) are used to make or receive payments and to meet our tax and other obligations;

·         Invoices and other correspondence are kept in our records;

·         If you are a business client of ours, we also process information about your order (such as the amount, purchased service or product, event room reservation, number of persons, order and debtor number) in order to be able to deliver the tickets, products and/or services;

·         We also process a copy of your ID card or that of persons visiting The Park on your or your company’s behalf if this is required by law or prescribed and/or permitted pursuant to applicable laws and regulations.

The information about General Processing Operations applies in addition to the above.

ii. What is our lawful basis for processing your personal data?

Personal data about our suppliers or business associates (including our business clients) are processed to perform the contract (if the supplier or business associate is the data subject) or on the basis of our legitimate interest in performing our business contracts, conducting our business operations, or identifying our suppliers, business associates and/or their contact persons. We also process personal data about our suppliers or business associates (including our business clients) in connection with our legal obligations, such as the obligation to keep accurate records.

A supplier or business associate of The Park or any of their contact persons has the right to object to the processing of their personal data based on a legitimate interest on the grounds of their specific circumstances.

iii. How long do we keep your personal data?

Personal data are not kept longer than necessary for the purposes of the processing. Personal data must be removed if they are no longer necessary. We keep personal data to comply with the statutory retention periods as prescribed in e.g. tax legislation and the Dutch Civil Code (e.g. our recordkeeping systems are set to comply with the minimum retention periods of 7 and 10 years for data about corporate real estate). To protect your personal data against unlawful processing, we also make use of an archive/non-active records at the end of the set retention periods. Access to these records is restricted to authorized persons for lawful purposes.

GENERAL PROCESSING OPERATIONS

We also process personal data in the following situations; this applies in general and not per type of activity:

·         when we are required to process your personal data as part of our legal obligations. Examples are the obligation to keep accurate records for tax purposes, statutory retention periods, a demand for personal data from competent authorities or for an investigation, or compliance with privacy legislation if you wish to exercise one of your rights, if a security incident takes place or if an audit is carried out. In this case, the statutory obligation is also our lawful basis for processing. The statutory retention periods are also observed in all these instances;

·         if a change takes place in the organizational structure of The Park or if The Park enters into business transactions, such as to finance The Park. In these situations, it is possible that certain documents must be shared or access given to systems containing personal data. The lawful basis in this case is our legitimate interest in entering into this kind of transactions. In these cases, we will anonymize your personal data wherever reasonably possible;

·         for the maintenance, improvement and security of our facilities, systems, products and services. We do this on the basis of our legitimate business interest. We also automatically monitor our IT systems and emails for the following purposes: evidence gathering and archiving, systems and network security, protection of business secrets and information (data breaches), company reputation, prevention of negative publicity, prevention of sexual harassment, cost and staff management, the prevention and detection of criminal offences and audits;

·         for the security and protection of The Park and the Kröller-Müller Museum. See, for instance, also the "You enter The Park" section about our camera surveillance within The Park in this Privacy Statement. We process your personal data in this connection based on our legitimate interest in protecting The Park, the Kröller-Müller Museum, our employees, visitors and property. In this connection, we can also exchange personal data with the Kröller-Müller Museum and, in certain circumstances, with authorities such as the police and supervisors;

·         if The Park is involved in legal proceedings (e.g. if you have a claim against The Park or vice versa) or if The Park must meet a request from an authority or supervisor. In this case, we process the personal data based on our legitimate interest in the legal proceedings or on the grounds of a legal obligation or legitimate interest to share personal data with the authority or supervisor. We can also share your personal data with legal advisers, insurers and judicial authorities.
In the case of disputes and/or possible legal proceedings, we can keep your personal data for longer than the retention periods mentioned elsewhere in this Privacy Statement, whilst taking account of the statutory limitation periods.

You have the right to object to the processing of your personal data based on a legitimate interest on the grounds of your specific circumstances.