Privacy Policy
STICHTING DATA BESCHERMING NEDERLAND
Last update: December 2023
This English version of the Privacy Policy is a machine translation. In the event of any discrepancies or inconsistencies, the Dutch version shall prevail. We accept no liability for any errors or inaccuracies in the translation.
This privacy policy contains important information; it describes how we, Stichting Data Bescherming Nederland (“SDBN”), process your personal data when you (‘user’ or “you”) visit our website(s) or otherwise interact with us.
If you have any questions, please contact us using the details at the bottom of this policy.
1 About us
1.1 SDBN (“we,” “us,” “our”) is a Dutch non-profit foundation committed to a world in which the right to privacy and the right to protection of individuals' personal data by companies and governments are respected. SDBN's mission is (i) to protect the interests of victims who have been harmed as a result of a breach of their privacy and/or unlawful processing of their personal data, and (ii) to ensure that existing breaches are remedied and victims are adequately compensated. SDBN naturally attaches great importance to the protection of your personal data and your right to privacy.
1.2 This privacy policy explains how we collect, use, store, share, forward, or otherwise process personal data.
2 Applicability
This privacy policy applies to processing activities to which the General Data Protection Regulation (“GDPR”) and relevant national (implementation) legislation apply.
3 Responsibility
3.1 SDBN is the controller for the processing operations described in this privacy policy.
3.2 We only process personal data in accordance with relevant privacy legislation and as described in this privacy policy.
4 How do we collect personal data?
4.1 We process IP addresses and related data when you visit our website(s), based on our legitimate interests, namely to ensure that the websites function properly and so that we can keep these websites available in a consistent manner.
4.2 We process personal data that you provide to us when you register to participate in collective actions conducted by SDBN.
4.3 We also process personal data when you contact us. In that case, we process your name and contact details, insofar as you share them with us. We always process your email address, as well as the content of your message(s). We may also store information about how your message(s) are followed up.
4.4 We currently only use functional cookies. Functional cookies are necessary for a website to work properly. SDBN does not currently use analytical cookies. Should this change in the future, we will inform you of this via a cookie policy.
5 Processing purposes and basis
5.1 The personal data we process, the basis on which personal data is processed, and the purposes for which we do so depend on the processing activity. See below for an overview.
| Activities | Categories of personal data | Grounds for processing and purposes of processing |
| A visit to our websites | - IP address - User agent - URL preceding our website(s) - URL that led you to our website(s) - Date and time of your visit - Browser language settings - Country code | We collect your personal data based on our legitimate interests, namely improving our (online) services and being able to host our website(s) or have them hosted. We process your personal data for the following purposes: (i) improving our website (ii) providing consistent services, (i) increasing the protection and security of your personal data. |
| Setting up a mass claim on your behalf, which may involve you creating a registration on one of our websites. | - Your IP address - Your name and email address - Your address - Your date of birth - Confirmation that you were resident in the Netherlands between October 2013 and December 2021. - If you are registering a child under the age of 18: - Child's first and last name - Child's date of birth - Explicit consent of parent/guardian | We collect your personal data on the basis of the agreement we enter into with you. When you register, an agreement is formed between SDBN and you. We process your personal data for the purpose of performing the agreement we have entered into with you. |
| Customer service or communication with you | - Your name and email address - Your phone number - The content of your message - Information about the follow-up to our contact with you | We collect your personal data if this is necessary for the performance of our agreement with you or on the basis of our legitimate interests, namely establishing your identity for security purposes, improving our services and products, and providing customer service. We process your personal data for the following purposes: (i) following up on your questions, complaints, and claims, (ii) informing you about products or services that may be relevant to you, (iii) verifying your identity to establish that you are who you say you are, and (iv) increasing the protection and security of your personal data. |
| Sending a newsletter | - Your name and email address - Preferences regarding the information you wish to receive, such as your consent. | We collect your personal data based on your consent. We process your personal data for the following purposes: (i) to be able to inform you about products or services that may be relevant to you and (ii) to make offers. |
| Other general processing | Other information necessary for the achievement of the predetermined purposes | We collect your personal data to the extent necessary to comply with a legal obligation that applies to us or to the extent necessary for our legitimate interests, namely conducting our normal business activities and protecting our interests in the event of a dispute. When conducting research to substantiate the claim, it is conceivable that personal data will be processed. We process your personal data for the following purposes: (i) responding to requests from authorities, (ii) conducting criminal investigations, conducting legal proceedings, and enforcing judgments, (iii) protecting the rights of third parties, (iv) conducting investigations, and (v) other circumstances as set out in relevant legislation. |
5.2 Insofar as our processing activities are based on our legitimate interests, it is possible to request information from us about the so-called “balance test” we have performed to determine whether we could use this ground for processing. You will find our contact details at the bottom of this page.
5.3 If we process your personal data for purposes other than those for which it was obtained, we will inform you of this in a timely manner.
6. Cookies
6.1 Depending on the website you visit, we use the following cookies.
| Website | Cookie name | Purpose of the cookie | Is this a third-party cookie or is data shared with third parties? | Cookie duration | Toestemming vereist? | |
| Functional cookies | www.stichtingdatabescherming.nl / twitter.jestaattekoop.nl / amazon.jestaattekoop.nl / adobe.jestaattekoop.nl | n/a | n/a | n/a | n/a | n/a |
| Functional cookies | sdk.stichtingdatabescherming.nl amazon.stichtingdatabescherming.nl adobe.stichtingdatabescherming.nl | token | facilitates the registration process | No | Session | No |
| Functional cookies | sdk.stichtingdatabescherming.nl amazon.stichtingdatabescherming.nl adobe.stichtingdatabescherming.nl | selector | facilitates the registration process | No | Session | No |
| Functional cookies | sdk.stichtingdatabescherming.nl amazon.stichtingdatabescherming.nl adobe.stichtingdatabescherming.nl | node_id | facilitates the registration process | No | Session | No |
6.2 You can set your cookie preferences for all websites via your browser settings. The preferences you can set vary depending on your browser. For more information, please visit: www.aboutcookies.org/how-to-control-cookies/.
6.3 Please note that the functionality of the website you are visiting may be affected if you refuse certain cookies.
7. Sharing with third parties or outside the EEA
7.1 We only share personal data with third parties when this is necessary for the performance of our services. In that case, we share personal data with the following parties:
| Activiteiten | Recipients | Location |
| A visit to our website(s) | Subcontractors and service providers such as Catalyst Collective Redress Services B.V. Processors engaged by us or by our processors, such as hosting providers like WPEngine. | Catalyst Collective Redress Services B.V. facilitates the processes of SDBN. The processing of personal data takes place within the EU in that context. WPEngine is used to host the websites www.stichtingdatabescherming.nl, twitter.jestaattekoop.nl, amazon.jestaatekoop.nl, and adobe.jestaattekoop.nl. WPEngine stores IP addresses for a period of 7 days on servers in the EU. |
| Setting up a mass claim on your behalf, which may also involve you creating an account on one of our websites. | Subcontractors and service providers such as Catalyst Collective Redress Services B.V. Processors engaged by us or by our processors, such as hosting providers; Relevant authorities. | When you register via one of our websites, your registration is stored on servers in Frankfurt. This information therefore remains within the EU. Information about the hosting of our websites can be found in the row above. |
| Sending a newsletter | Subcontractors and service providers such as Catalyst Collective Redress Services B.V. Processors engaged by us or by our processors, such as hosting providers. | The SDBN email servers used to send the newsletter are hosted on servers in Frankfurt via Catalyst Collective Redress Services B.V. To ensure the protection of your personal data, we have chosen to store your personal data only within the EU. Information about the hosting of our websites can be found in the first row of this table. |
| Customer service or communication with you | Subcontractors and service providers such as Catalyst Collective Redress Services B.V. Processors engaged by us or by our processors, such as hosting providers, such as Google Workspace. | SDBN's customer service email servers are hosted by Catalyst Collective Redress Services B.V. via Google Cloud. To ensure the protection of your personal data, we have chosen to store your personal data exclusively within the EU. Any communication with you will take place via the Trengo application. This party is located in the Netherlands and uses servers in Frankfurt for its services, with storage within the EU. Information about the hosting of our websites can be found in the first row of this table. |
| Other general processing | Subcontractors and service providers such as Catalyst Collective Redress Services B.V., companies, and law firms; Processors engaged by us or by our processors, such as hosting providers; Relevant authorities. | Subcontractors and service providers such as Catalyst Collective Redress Services B.V., companies, and law firms; Processors engaged by us or by our processors, such as hosting providers; Relevant authorities. |
7.2 We will only disclose your personal data in line with the following conditions and insofar as generally accepted security measures have been taken in that context:
- At your request;
- Insofar as this is necessary on the basis of the legislation applicable to us;
- Insofar as this is necessary in the context of legal proceedings to which we are a party.
7.3 When processing personal data, we use parties located within the European Economic Area (EEA) as much as possible, or select the option of storing or otherwise processing personal data within the EEA. SDBN's email servers are hosted by Catalyst Collective Redress Services B.V. via Google Cloud. More information about their standards can be found at https://cloud.google.com/privacy/gdpr.
7.4 Insofar as SDBN processes personal data outside the EEA or has it processed, the following applies. Transfers outside the EEA are permitted on the basis of a so-called adequacy decision. This is a decision by the European Commission establishing that the level of data protection in the receiving country is comparable to that of the GDPR. This link contains an overview of countries with an adequacy decision. In other cases, we use the so-called Standard Contractual Clauses as drawn up by the European Commission. More information about transfers outside the EEA and a copy of the measures we have taken can be requested from us.
7.5 If SDBN's activities are to be continued by another organization in the future, your data may be transferred to this organization, provided that SDBN informs you in advance. You will then have the opportunity to object to such a transfer.
8. Security
8.1 We take adequate technical and organizational measures to protect your personal data against loss, misuse, and/or unauthorized changes. We also impose these requirements on our processors. In addition, we only grant access to personal data to persons insofar as this is necessary for the performance of our services. These persons are also bound by an obligation of confidentiality on the basis of an (employment) contract or on the basis of the law.
9. Retention periods
9.1 In general, we do not retain your personal data longer than necessary for the purposes for which it is processed or for as long as statutory periods require retention.
We apply the following retention periods to the processing operations listed below:
| Activities | Retention period |
| Visiting our website(s) | 7 days |
| Customer service or communication with you | 6 months after handling communication |
| Sending a newsletter | Up to 1 month after unsubscribing. |
| Claim handling | Up to 2 years after the claim has been settled or 1 month after you terminate your participation. Financial data is retained for a period of 7 years in accordance with legal obligations. |
| Other general processing | Depending on the processing |
10. Your rights
10.1 You have the following rights with regard to our processing activities.
- Insofar as our processing activities are based on your consent, you have the right to withdraw your consent at any time.
- You have the right to access the personal data we process about you. This right allows you to receive a copy of the personal data we process about you. We will also provide you with additional information about our processing activities.
- You have the right to rectify inaccurate data without delay. This allows inaccurate personal data processed by us to be corrected or supplemented.
- You have the right to be “forgotten.” The right to be forgotten applies if (i) the personal data is no longer necessary, (ii) you have withdrawn your consent, (iii) you have objected to the processing of your personal data, (iv) we are processing personal data unlawfully, (v) personal data must be deleted on the basis of Union or Member State law, or (vi) we have collected your personal data in the context of information society services. Insofar as the processing of personal data is necessary (i) for exercising our right to freedom of expression and information, (ii) for performing a task carried out in the public interest or in the exercise of official authority, (iii) for reasons of public interest in the area of public health, (iv) for archiving purposes in the public interest, and/or (v) for the establishment, exercise, or defense of legal claims, we may refuse to comply with the right to erasure.
- When our processing activities are based on our legitimate interests, you have the right to object. Insofar as your personal data is processed in the context of direct marketing, your request will be honored in any case. In other cases, we will also stop processing your personal data, unless there are compelling legitimate grounds for the processing of your personal data that outweigh your interests.
- You have the right to restriction of processing if (i) you have contested the accuracy of the personal data, (ii) we are processing your personal data unlawfully and you do not want it to be deleted, (iii) we no longer need your personal data, but you want to use it for the establishment, exercise, or defense of legal claims, and/or (iv) you have objected to the processing of your personal data. If we have complied with your request, your personal data will only be stored by us. We will not process your personal data in any other way, unless you have given your consent, it is necessary for the establishment, exercise, or defense of legal claims, it is necessary for the protection of the rights of third parties, or for reasons of substantial public interest.
- If our processing activities are based on your consent or on the performance of a contract and are carried out by automated means, you have the right to obtain your personal data in a structured, commonly used and machine-readable format and to transfer it to another controller.
- You have the right not to be subject to a decision based solely on automated processing that has legal consequences or otherwise significantly affects you. We do not use automated decision-making.
- In addition to the above rights, you also have the right to lodge a complaint with the relevant data protection authority. In the Netherlands, this is the Dutch Data Protection Authority. However, we would prefer to resolve any complaints together with you. We therefore ask you to contact us first at [email protected].
10.2 You can exercise any of the above rights by contacting us. You can invoke the above rights free of charge, unless your requests are manifestly unfounded or excessive. In such cases, we will charge a reasonable fee or refuse to comply.
10.3 We may request additional information to verify your identity before we comply with your request.
10.4 We will provide information about the follow-up to your request as soon as possible and in any case within one month of receiving your request. Depending on the complexity of the requests and the number of requests, this period may be extended by a further two months if necessary. We will inform you of this within one month of receiving the request.
11 Contact
If you have any questions, please contact us at [email protected].
12 Other
12.1 We are entitled to delete your personal data at any time. In that case, we will not owe you any compensation.
12.2 In the event that provisions in this privacy policy are contrary to the law, these conflicting provisions will, to the extent permitted by law, be replaced by provisions that have the same intention. In that case, the other provisions will remain in full force.
12.3 We reserve the right to change this privacy policy. If necessary, we will inform you of this. The current version is available at all times on our website(s). This current version was last updated in December 2023.
13 Definitions
13.1 The following definitions apply to this privacy policy:
| Relevant privacy legislation | General Data Protection Regulation (“GDPR”) and relevant national (implementation) legislation. |
| Privacy policy | This current privacy policy. |
| Stichting Data Bescherming Nederland | Stichting Data Bescherming Nederland Bergweg 25, 3701 JJ Zeist Nederland KvK-nummer: 84811498 |
| Website(s) | www.stichtingdatabescherming.nl / twitter.jestaattekoop.nl / amazon.jestaatekoop.nl / adobe.jestaattekoop.nl. |
13.2 Other terms as defined in relevant privacy legislation, such as “personal data,” “(joint) controller,” “processor,” “data subject,” and “processing,” have the same meaning as in relevant privacy legislation.