Global Data Protection Policy
Introduction
In the Netherlands, data protection is governed under the supervision of authorities such as the Dutch Central Bank (De Nederlandsche Bank, “DNB”), the Dutch Authority for the Financial Markets (Autoriteit Financiële Markten, “AFM”) and the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP”). In other countries, data protection is subject to supervision of similar local authorities. As a result, we are bound to ensure that (i) there will be a high standard of technical and organisational security measures within our organisation and (ii) these technical and organisational security measures shall be applicable with regard to the Processing of the Personal Data of Clients and Employees.
The purpose for which Kaapenaar Coöperatief U.A. (hereinafter “Kaapenaar Coöp”) collects Personal Data revolves around its investment holdings’ business offerings, which is divided into the following sectors; Financial Technology, Commerce, Renewable Energy, Property Management and Development. Kaapenaar Coöp in itself does not offer any solutions directly to the public. Any reference to Kaapenaar Coöp in this policy is intended to refer to Kaapenaar Coöperatief U.A. and/or one of its sister companies. Kaapenaar Coöp operates a secure, networked orientated platform, which relies on the positive identification and authentication during interaction with Kaapenaar Coöp and it’s Clients. Kaapenaar Coöp provides personal financial management tools to its Clients and as such collects a variety of transactional data in order to present it to its Clients in a secure and confidential manner. Kaapenaar Coöp processes Personal Data of Clients and Employees as appropriate in connection with their business which includes, but is not limited to, the Processing of Personal Data in the context of the business relationship between Kaapenaar Coöp and its Clients on the one hand, and on the other, in the context of the relationship between Kaapenaar Coöp (as employer) and its Employees, and in relation to various supporting activities. Furthermore, Kaapenaar Coöp processes Personal Data for security purposes. Within the European Union the Processing of Personal Data is governed by the European Regulation (EU) 2016/679 of the European Parliament and of the council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereafter “the GDPR”). GDPR is in effect from May 25th 2018 and ids repealing Directive 95/46/EC (the “Data Protection Directive”). This Global Data Protection Policy (the “Policy”) is based on the GDPR and applies to all Processing of Personal Data by Kaapenaar Coöp and includes exchanges of Personal Data within Kaapenaar Coöp and transfers to third parties. Kaapenaar Coöp is aware of the different levels of Personal Data protection provided in the countries where Kaapenaar Coöp and such Third-parties are located. Kaapenaar Coöp acknowledges that the lawful transfer of Personal Data within the European Union, the European Economic Area (“EEA”) and to those countries which have been qualified by the European Commission as ensuring an adequate level of protection does not pose a threat to the privacy rights of the Data Subjects as these countries have adopted similar data protection standards as those set in the Data Protection Directive. The implementation of this Policy within Kaapenaar Coöp aims at ensuring an adequate level of protection as stated in Preamble, paragraph 100 of the GDPR. This Policy establishes minimum standards for the Processing of Personal Data within Kaapenaar Coöp. Kaapenaar Coöp must therefore comply with this Policy, without prejudice to European and local legislation. This means that in addition to this Policy, local legislation relating to data protection will be observed. However, in case the level of protection ensured by local legislation is lower than the level of protection provided for in this Policy, this Policy shall prevail.
Definitions
In this Policy, unless the context clearly indicates a contrary intention, the words and phrases herein below defined shall have the meanings assigned to them (defined terms begin with capital letters), and cognate expressions shall bear corresponding meanings: “Client” includes the Data Subject with whom Kaapenaar Coöp (i) has entered into a legal relationship, (ii) may wish to enter into a legal relationship or (iii) used to have a legal relationship; or (iv) a Data Subject who contacted Kaapenaar Coöp; or (v) a Data Subject whose Personal Data is obliged to be processed by Kaapenaar Coöp in connection with contractual or legal obligations with a customer or a Third-party; “Data Subject” means any individual to whom the Personal Data relates; “Data Subject’s Consent” means any freely given specific and informed indication of his or her wishes by which the Data Subject signifies his or her agreement to Personal Data relating to him or her being processed;
“Data Controller” means the European Community institution or body, the Directorate-General, the unit or any other organisational entity which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by a specific European Community act, the controller or the specific criteria for its nomination may be designated by such Community act; “Data Register” means a register maintained by Kaapenaar Coöp that states all data collected, from whom, for which purpose and shared with whom;“Employee” includes any Data Subject potentially, currently or formerly employed by any Kaapenaar Coöp company. This includes temporary workers, contractors or trainees of any Kaapenaar Coöp company;
“Kaapenaar Coöp” means Fairvalue Besloten Vennootschap with registered trade name Kaapenaar Coöp, a company incorporated under the laws of the Netherlands with registration number 84590610, and its direct and indirect subsidiaries, affiliates and branches and any (other) entities in which Kaapenaar Coöp holds a controlling interest or exercises management control (“Kaapenaar Coöp company” shall have a corresponding meaning);
“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
“Personal Data Transfer” means any disclosure of Personal Data by Kaapenaar Coöp to another Kaapenaar Coöp company, or by Kaapenaar Coöp to a Third-party; “Personal Data Filing System” means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;“Policy” means this Global Data Protection Policy;
“Process” of Personal Data means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (“Processing and Processed” shall have a corresponding meaning); “Processor” means any individual or legal person, public authority, agency or any other body, being either Kaapenaar Coöp or a Third-party, which processes Personal Data on behalf of Kaapenaar Coöp;
“Recipient” means a natural or legal person, public authority, agency or any other body to whom data is disclosed, whether a Third-party or not; however, authorities which may receive data in the framework of a particular inquiry shall not be regarded as recipients; “Sensitive Personal Data” means Personal Data revealing an individual’s religion or philosophy of life, race, political persuasion, health and sexual life, or Personal Data concerning trade union membership, criminal behaviour, or unlawful or objectionable conduct connected with a ban imposed with regard to such conduct; “Third Country” means any country other than the Netherlands; “Third-party” means any natural or legal person, public authority, agency or any other body other than the Data Subject, Kaapenaar Coöp, the Processor, the Data Controller and the persons who, under the direct authority of Kaapenaar Coöp or the Processor, are authorised to process Personal Data.
Words importing the singular shall include the plural and vice versa, words importing the masculine gender shall include the other genders and vice versa and natural persons shall include juristic persons and vice versa.The head notes to the paragraphs of this Policy are inserted for purposes of reference only and shall not affect the interpretation of any provisions to which they relate. In the event that any definition (whether in this clause 2 or elsewhere in this Policy) contains substantive provisions, then such provisions shall be given effect to as if same were incorporated into the main body of this Policy. Where any term is defined within the context of any particular clause in this Policy, the term so defined, unless it is clear from the clause in question that the term so defined has limited application to the relevant clause, shall bear the meaning ascribed to it for all purposes in terms of this Policy, notwithstanding that that term has not been defined in this clause 2. Words and phrases defined in this Policy shall bear the same meanings in schedules or addenda to this Policy (if any), which do not themselves, contain their own definitions.
Overall policy statement
This Policy applies to the Processing of Personal Data by Kaapenaar Coöp and will be implemented through the procedures set out in Kaapenaar Coöp’s corporate policy. This means that this Policy is mandatory for all Employees of Kaapenaar Coöp. Kaapenaar Coöp shall, without prejudice to local legislation, comply with this Policy. This Policy is in force in addition to privacy policies or similar arrangements of Kaapenaar Coöp and local data protection legislation in force at the date hereof. If the terms of the Policy provide for a better level of data protection for Personal Data and Sensitive Personal Data, the terms of this Policy shall prevail. All existing policies, contracts, procedures and systems shall be made compliant with this Policy. The principles set out in this Policy will be further developed where required in order to facilitate the Policy’s implementation within Kaapenaar Coöp. Kaapenaar Coöp will decide whether the principles of this Policy need to be further developed and how this should occur. Any such further development will be compatible with the principles established in this Policy. Kaapenaar Coöp’s Employees will be provided with practical instructions on this Policy. Kaapenaar Coöp will submit a copy of this Policy to the European Commission’s Data Protection Supervisor and inform it of any amendments.
Limitation
Personal Data shall be Processed only for the specific purposes set out in 1.2 and 1.3 above and this clause 4, or for purposes which are compatible with these specific purposes. The Processing of Personal Data of Clients takes place in order to support efficient and effective management of Kaapenaar Coöp, especially in light of the following activities: assessing and accepting Clients, entering into and executing of agreements with Clients as well as carrying out payment transfers; performing analyses with respect to Personal Data for statistical, credit and scientific purposes; for commercial activities in order to establish a relationship with a Data Subject and/or continuing as well as extending a relationship with a Client; ensuring the security and integrity of the financial sector and the interests of Kaapenaar Coöp; complying with legal obligations. The Processing of Personal Data of Employees takes place in order to support efficient and effective management of Kaapenaar Coöp, especially in light of the following activities: supporting the activities of Kaapenaar Coöp aimed at a responsible, effective and efficient human resources management; ensuring the security and integrity of the financial sector and the interests of Kaapenaar Coöp; supporting the activities of Kaapenaar Coöp in relation to pension management; Complying with legal obligations.
Criteria for legitimate processing of personal data
Personal Data may only be Processed if at least one of the following criteria applies: the Processing is necessary for the performance of a contract to which the Data Subject is a party or in order to take steps at the request of the Data Subject prior to entering into a contract; the Processing is necessary for compliance with a legal obligation to which the Kaapenaar Coöp company is subject; the Processing is necessary in order to protect the vital interests of the Data Subject; the Data Subject has unambiguously given his specific and informed consent to the Processing; or the Processing is necessary for the purposes of the legitimate interests pursued by the Kaapenaar Coöp company or by the Third-party or Parties to whom Personal Data is disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the Data Subject. In case the consent of a Data Subject is required, Kaapenaar Coöp shall ensure that the Data Subject unambiguously provides his informed, specific and free consent to the Processing of Personal Data. To this end, Kaapenaar Coöp shall inform the Data Subjects of the purposes of the Processing for which consent is required, of the possible consequences of the Processing for the Data Subject as well as of such other information insofar as necessary to ensure a fair Processing of such Personal Data. Kaapenaar Coöp shall not seek the consent of Employees for Processing their Personal Data which is directly or indirectly connected to the employment of such Employee, unless there is clear records documenting the consent and such processing is necessary for the performance of the contract or for the purposes of the employer's legitimate interests of the relevant Kaapenaar Coöp company or to the extent it follows from applicable (domestic or foreign) law. Where specific and informed consent has been granted, the Data Subject may withdraw such consent at all times. In that case, Kaapenaar Coöp shall cease the Processing of the relevant Personal Data without undue delay upon receipt of such withdrawal. Where specific and informed consent has been provided by an Employee, no negative consequences will follow from withdrawing such consent, except where consent has been obtained mandatory by applicable (domestic or foreign) law. Kaapenaar Coöp shall determine the maximum period for which Personal Data shall be retained in a Personal Data Filing System, for which applicable local laws will be taken into account. The retention period shall not be longer than the time necessary to achieve the purposes for which the Personal Data have been collected or further processed. Once this period has lapsed, Kaapenaar Coöp shall ensure that the Personal Data is either: deleted anonymised, so they can still be used for statistical purposes; or transferred to an archive, where they can be used for historical, scientific or statistical purposes, dispute resolution, investigations or general archiving purposes. Access to these Personal Data will only be granted to an authorised limited number of Employees.
Data quality, proportionality and relevance
Personal Data shall be:
collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of personal data for historical, statistical or scientific purposes shall not be considered incompatible provided that the controller provides appropriate safeguards, in particular to ensure that the data are not processed for any other purposes or used in support of measures or decisions regarding any particular individual; adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;
accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which is inaccurate or incomplete, having regard to the purposes for which it was collected or for which it is further processed, is erased or rectified; kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the data was collected or for which it is further processed. Kaapenaar Coöp shall lay down that personal data which is to be stored for longer periods for historical, statistical or scientific use should be kept either in anonymous form only or, if that is not possible, only with the identity of the Data Subjects encrypted. In any event, the data shall not be used for any purpose other than for historical, statistical or scientific purposes. Without prejudice to the provisions of the foregoing provisions of clause 6.1, traffic data relating to Clients, which is processed and stored to establish calls and other connections over Kaapenaar Coöp’s communications service shall be erased or made anonymous upon termination of the call or other connection, unless specific and informed consent has been given by the Data Subject to store such data for its own use and/or Kaapenaar Coöp’s analysis. If necessary, traffic data as indicated in a list agreed by the European Data Protection Supervisor may be processed for the purpose of telecommunications budget and traffic management, including the verification of authorised use of the telecommunications systems. This data shall be erased or made anonymous as soon as possible and no later than six months after collection, unless it needs to be kept for a longer period to establish, exercise or defend a right in a legal claim pending before a court, or specific and informed consent has been given by the Data Subject to store such data for its own use and/or Kaapenaar Coöp’s analysis. Processing of traffic and billing data shall only be carried out by persons handling billing, traffic or budget management. Clients using Kaapenaar Coöp’s communication service shall have the right to receive non-itemised bills or other records of calls made.
Transparency
Kaapenaar Coöp must provide the Data Subject at the time of collection of the Personal Data with information as to: a) the purposes of the Processing; b) the identity of the Kaapenaar Coöp company; c) other information insofar as this is necessary to ensure fair Processing. If Kaapenaar Coöp has not collected Personal Data directly from the Data Subject, the above information must be provided before the Processing of the Personal Data but ultimately at the time of recording of the Personal Data or when the information is intended to be disclosed to Third Parties at the time of disclosure. Notwithstanding clause 16 of this Policy, Kaapenaar Coöp does not have to provide the information set forth above in so far the information was already known to the Data Subject or in so far the provision of such information proves impossible or would involve a disproportionate effort. This Policy will be published on Kaapenaar Coöp’s website and intranet.
Security and confidentiality
Kaapenaar Coöp shall take appropriate technical and organisational security measures to protect Personal Data against unlawful destruction or accidental loss, alteration, unauthorised disclosure or access and against all other unlawful forms of Processing in accordance with adequate internal instructions adopted by Kaapenaar Coöp. Where local laws prescribe specific instructions and measures to be adopted for the purposes of this clause, local laws will prevail. Where Personal Data is Processed by automated means, measures shall be taken as appropriate in view of the risks in particular with the aim of: preventing any unauthorised person from gaining access to computer systems processing Personal Data; preventing any unauthorised reading, copying, alteration or removal of storage media; preventing any unauthorised memory inputs as well as any unauthorised disclosure, alteration or erasure of stored Personal Data; preventing unauthorised persons from using data-processing systems by means of data transmission facilities; ensuring that authorised users of a data-processing system can access no Personal Data other than those to which their access right refers; recording which Personal Data has been communicated, at what times and to whom; ensuring that it will subsequently be possible to check which personal data has been processed, at what times and by whom; ensuring that Personal Data being processed on behalf of Kaapenaar Coöp by Third-parties can be processed only in the manner prescribed by the contracting institution or body; ensuring that, during communication of Personal Data and during transport of storage media, the data cannot be read, copied or erased without authorisation; designing the organisational structure within an institution or body in such a way that it will meet the special requirements of data protection. Kaapenaar Coöp shall take appropriate technical and organisational measures to safeguard the secure use of the telecommunications networks and terminal equipment, if necessary in conjunction with the providers of publicly available telecommunications services or the providers of public telecommunications networks. Having regard to the state of the art and the cost of their implementation, these measures shall ensure a level of security appropriate to the risk presented. In the event of any particular risk of a breach of the security of the network and terminal equipment, Kaapenaar Coöp shall inform its Clients of the existence of that risk and of any possible remedies and alternative means of communication. In the event of a breach of the security and data protection Kaapenaar Coöp shall inform the Dutch Data Protection Authority, AP and will take all necessary measures to mitigate the breach. In the event of a higher risk associated with data processing, in accordance e with the GDPR a privacy impact assessment (PIA) will be set up.
Personal data transfers between Kaapenaar Coöp companies
Kaapenaar Coöp aims at ensuring that an adequate and consistent level of protection is in place when Personal Data is transferred between Kaapenaar Coöp companies. Kaapenaar Coöp will transfer Personal Data to other Kaapenaar Coöp companies abiding by the rules established in this Policy. Personal Data shall only be transferred to and further processed by Processors that are Kaapenaar Coöp where it has been established that Personal Data will be processed in accordance with the instructions of a Kaapenaar Coöp company acting as a Data Controller.
Personal data transfers between Kaapenaar Coöp and a Third-party.
Kaapenaar Coöp transfers Personal Data to Third-Parties. The details of the Third-Party and the purpose of the transfer is stated in Kaapenaar Coöp’s Data Register for each Third-Party that Personal Data is transferred to including the Personal Data that is transferred. A copy of the Data Register is available on request to any Client. To request a copy, please refer to the contact details listed below in paragraph 26.
Personal data transfers to parties outside the EEA
Kaapenaar Coöp establishes the following measures to ensure that Personal Data Transfers to, and further Processing by, Third-parties who may be established either in Third Countries, offering an adequate level of protection, or in Third Countries not offering an adequate level of protection, observe the principles established in the Data Protection Directive. Personal Data shall only be transferred to and further processed by a Third-party Processor who is not a Kaapenaar Coöp company in a Third Country where: arrangements have been made to require such Processor to Process Personal Data only in accordance with the instructions of Kaapenaar Coöp; sufficient guarantees are in place in respect of technical and organisational security and fulfilling the security obligations incumbent on Kaapenaar Coöp under the GDPR. a service level agreement has been concluded between Kaapenaar Coöp and such Processor whereby the terms and conditions are set out demanding a minimum standard that the Processor agrees to adhere to, including the provisions established in the European Commission’s model contractual clauses for Data Processors established in Third Countries contained in decision C(2004) 5721 for countries that do offer an adequate level of protection; and C(2010) 593 for countries that do not offer an adequate level of protection. The transfer to Third-parties (including a Processor who is not Kaapenaar Coöp or a public authority) in Third Countries not offering an adequate level of protection may only take place provided that the transfer is based at least on one of the following grounds and that the further limitations established in this clause are abided by: the transfer is necessary for the performance of a contract between the Data Subject and Kaapenaar Coöp or the implementation of pre-contractual measures taken in response to the Data Subject’s request; the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between Kaapenaar Coöp and a Third-party; the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims. Any transfer on this ground shall be authorised by Compliance in consultation with Legal. If Legal and Compliance allow the transfer, prior to such transfer additional appropriate measures to ensure that the privacy rights of Data Subjects are protected will be taken, if deemed necessary after consultation with the Dutch Data Protection Authority; the transfer is necessary in order to protect the vital interest of the Data Subject; the transfer is made from a public register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in local laws for consultation are met; the transfer is required by any foreign or domestic law to which Kaapenaar Coöp is subject. Any transfer on this ground shall be authorised by Kaapenaar Coöp’s Compliance division in consultation with Legal division and/or external corporate lawyers. If Legal and Compliance allow the transfer, prior to such transfer additional appropriate measures will be taken to ensure that the privacy rights of Data Subjects are protected, if deemed necessary after consultation with the Dutch Data Protection Authority; the transfer is required for upholding a legitimate business interest of Kaapenaar Coöp, except where the interests or fundamental rights and freedoms of the Data Subject, in particular the right to protection of individual privacy, prevail. This ground may be relied upon if appropriate safeguards are in place, such as the adoption of adequate arrangements or individual agreements or the signature of a contract based on the standard terms referred to in 11.1.3 above between Kaapenaar Coöp and the Third-party or having related companies who will process Personal Data on behalf of Kaapenaar Coöp in a country not ensuring an adequate level of protection. Kaapenaar Coöp may rely on the Data Subject’s specific and informed consent for the transfer, without prejudice of the provisions of clause 5.2 of this Policy. Where consent will be relied on according to this clause the following information shall be provided to the Data Subjects before such consent is provided: a) the purposes of the transfer, b) the identity of the party responsible for the transfer, c) the parties to whom data will be provided and the countries in which these are located, d) whether the Third Countries where Personal Data will be sent ensure an adequate level of protection e) the categories of Personal Data that will be transferred.
Conflict of laws
Where the terms of this Policy offer a higher level of protection to the Data Subjects than the provisions of applicable local laws, the terms of this Policy shall apply. Where provisions of local law offer a higher level of protection to Data Subjects, the provisions of the relevant local law will apply. A Kaapenaar Coöp company or Employee shall promptly inform Kaapenaar Coöp when it has reasons to believe that the legislation applicable to it, or any future legislation that comes into force, may prevent it from fulfilling its obligations under this Policy or under the Data Protection Directive and that would have a substantial adverse effect on the guarantees provided for under the Policy or under the Data Protection Directive. In this case, Legal will consult with local counsel how to proceed on a case by case basis. Where considered necessary, Kaapenaar Coöp shall inform the Dutch Data Protection Authority or other competent authorities.
Right of access, rectification, erasure and blocking of personal data
Data Subjects shall have the right to access their Personal Data. In the event the Personal Data of the Data Subjects are incorrect or are not Processed in compliance with applicable law or this Policy, Data Subjects have the right to have their Personal Data corrected, erased or blocked as appropriate. Data Subjects shall address requests for access, rectification, erasure or blocking to the Kaapenaar Coöp company in the country of their residence or, if no Kaapenaar Coöp company is established in such country, to Kaapenaar Coöp. The Data Subject shall have the right to obtain from Kaapenaar Coöp the blocking of Personal Data where: their accuracy is contested by the Data Subject, for a period enabling Kaapenaar Coöp to verify the accuracy, including the completeness, of the Personal Data, or; Kaapenaar Coöp no longer needs them for the accomplishment of its tasks but they have to be maintained for purposes of proof, or; the processing is unlawful and the Data Subject opposes their erasure and demands their blocking instead. In Kaapenaar Coöp’s Personal Data Filing System blocking shall in principle be ensured by technical means. The fact that Personal Data is blocked shall be indicated in the system in such a way that it becomes clear that the Personal Data blocked pursuant to this clause shall, with the exception of their storage, only be processed for purposes of proof, or with the Data Subject's specific and informed consent, or for the protection of the rights of a Third-party. The Data Subject who requested and obtained the blocking of his or her data shall be informed by Kaapenaar Coöp before the Personal Data is unblocked. In the event that a Data Subjects submits a request for access to their Personal Data, the local Kaapenaar Coöp company shall provide the Data Subject with the following information (except if the data Subject already has the information) as soon as possible, but in any event no later than three months after receipt of the request: communication in an intelligible form of the data undergoing Processing; confirmation as to whether or not data relating to the Data Subject are being processed; the existence of the right of access to, and the right to rectify, the data concerning the Data Subject; whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply; the purposes of the Processing; the identity of the Data Controller; the Recipients and/or categories of Recipients; the categories of Personal Data Subject of the Processing; the categories of Recipients of the Personal Data; the available information about the origin of the Personal Data; any further information such as: the legal basis of the processing operation for which the data is intended; the time-limits for storing the data; the right to have recourse at any time to the European Data Protection Supervisor; the origin of the data, except where the controller cannot disclose this information for reasons of professional secrecy. Insofar as such further information is necessary, having regard to the specific circumstances in which the data is processed, to guarantee fair processing in respect of the Data Subject. Notwithstanding clause 17, requests for access, correction, erasure or blocking may be denied if (i) the Data Subject is abusing his rights under this Policy and the Directive on Data Protection, (ii) the request for access, correction, erasure or blocking are unspecified or unreasonable; or (iii) Kaapenaar Coöp is obliged not to do so according to applicable law. Prior to providing access to Data Subjects to which a Third-party may be expected to object, the Kaapenaar Coöp company having received the request for access shall give the Third-party an opportunity to express its views where the information mentioned in clause 13.3 of this Policy contains data concerning that Third-party unless this appears to be impossible or would involve a disproportionate effort. In case of transfer of Personal Data within Kaapenaar Coöp or a Third-Party, the exporting Kaapenaar Coöp company shall undertake to assist the Data Subjects in exercising its rights vis-à-vis the recipient Kaapenaar Coöp company, or Third-Party. Further to the request of a Data Subject, the exporting Kaapenaar Coöp company shall investigate such requests and shall undertake appropriate action to review and where necessary grant such requests.
Sensitive Personal Data
Kaapenaar Coöp shall not Process Sensitive Personal Data, except where:
the Data Subject has given specific and informed consent, or;
the Processing is required or authorised by domestic law, or;
the Processing is necessary for the establishment, exercise or defence of legal claims, or; the Processing is necessary to protect the vital interests of the Data Subject, or; the Processing is necessary to comply with an obligation of international public law, or; the Processing is necessary with a view to an important public interest, where appropriate measures have been put in place to protect individual privacy and this is provided for by foreign or domestic law or the relevant Data Protection Authority has granted an exemption. the Personal Data has been made manifestly public by the Data Subject.
Notwithstanding clause 13.1 of the Policy and the provisions or restrictions of local laws on the Processing of health related data, Kaapenaar Coöp may process health related Personal Data of Employees only for (a) the proper implementation of law provisions, pensions, pension regulations or collective agreements which create rights dependent on the state of health of the Employee, or (b) the reintegration of or support for Employees or persons entitled to benefit in connection with sickness or work incapacity. Employee health related data will be treated as confidential. Notwithstanding clause 13.1 of the Policy and the provisions or restrictions of local laws on the Processing of health related data, Kaapenaar Coöp may process health related Personal Data of Clients, subject to the provisions of clauses 13.3 up to and including 13.9 of this Policy. Kaapenaar Coöp may process Personal Data relating to a person’s state of health insofar as this is necessary for: the assessment of a Client, the approval of a Client, the execution of an agreement with a Client and the settlement of payment transactions. Personal Data regarding a person’s state of health that are processed in order to make an assessment of a Client, in connection with the acceptance of a Client, the execution of an agreement with a Client with regard to a specific product or the settlement of a claim for damages of a Client shall not be used without the Client’s specific and informed consent for the assessment of a Client, the acceptance of a Client, the execution of an agreement with a Client for another product or the settlement of another claim for damages. If, in connection with the acceptance and/or the handling of claims a Client is requested to undergo a medical examination or an additional examination, Kaapenaar Coöp shall point out in the medical examiner’s documents and forms the importance of the identification in order to prevent mistaken identity. The Client shall then be informed that he has the right to make it known in writing that he wishes to be informed of the results and conclusion of the examination. Unless it concerns an insurance policy concluded under civil law, the Client has the right to demand that he shall be the first to be informed of this information in order that he may decide that the results and conclusions are not be communicated to others. The collection of Personal Data regarding a person’s state of health by a medical advisor of Kaapenaar Coöp from other parties than the Client shall only take place after the Client has given his permission and issued an authorisation for this. This authorisation may not be of a general nature, but must concern the Processing in connection with a concrete issue. The Client must be informed about the nature of the to be requested information as well as about the purpose thereof. This must be apparent from the authorisation. The information regarding a person’s state of health shall only be processed by persons who are bound to secrecy by virtue of their office, profession or legal regulations or by virtue of an agreement, except insofar as they are obliged to disclose this information by law or their task requires that this information should be disclosed to others who are authorised to process this information. Health related data will be handled confidentially. Access will only be granted to authorised persons within the organisation. Notwithstanding the provisions of clause 13.1 and any relevant specific provisions of national law prohibiting or imposing extra requirements to the Processing of criminal behaviour related personal data, criminal Personal data may be processed according to in accordance with clauses 13.11 up to and including clause 13.14. Kaapenaar Coöp may process Personal Data relating to criminal offences insofar as this is necessary for:
(a) the assessment of a Client, the acceptance of a Client, the execution of an agreement with a Client and the settlement of payment transactions;
(b) safeguarding the security and integrity of the financial sector, including also detecting, preventing, investigating and combating (attempted) (criminal or objectionable) conducts directed at the sector which Kaapenaar Coöp is part of, at the group to which Kaapenaar Coöp belongs, at Kaapenaar Coöp itself, at its Clients and Employees, as well as the use of and the participation in warning systems; or (c) to comply with legal obligations. In view of a sound acceptance Policy, Kaapenaar Coöp may enquire about facts relating to a possible criminal record of persons to be insured and others whose interest are also insured in the applied for insurance policy (including directors and shareholders of legal entities), insofar as these facts relate to a period of eight years prior to the date of the insurance application. In this regard, the disclosed criminal record may only be used for the assessment of the insurance application and legally obtained data relating to a criminal record may be used in connection with invoking non-compliance with the disclosure obligations. The prohibition on Processing other Sensitive Categories of Personal Data does not apply insofar as this is necessary in addition to the Processing of Personal Data relating to a criminal offence for purposes for which this Personal Data is being processed. Personal data that: relate to criminal offences that were perpetrated, or that, based on facts and circumstances of the case, are expected to be perpetrated, against one of the Kaapenaar Coöp companies; or serve to detect possible criminal conduct towards Kaapenaar Coöp, can be disclosed by Kaapenaar Coöp, provided that the information is only disclosed to officers who require this information in connection with the performance of their duties as well as to the police and judicial authorities.
Direct marketing
By “direct marketing” it is meant the transmission of unsolicited information by Kaapenaar Coöp or a Third-party to a Data Subject for commercial or charitable purposes.
Processing of Personal Data through automated means (opt-in)
Where Personal Data is Processed for direct marketing purposes through the use of automated means, electronic mail, or mobile services, Kaapenaar Coöp shall obtain the consent of Data Subjects, except where these have provided their Personal Data to Kaapenaar Coöp in the context of the sale of a Kaapenaar Coöp product or service. This is subject to the condition that: (i) when the Personal Data was obtained from the Data Subject, the possibility was explicitly offered to lodge an objection free of charge against the use of this Personal Data; and (ii) if the Data Subject has not made any use of this, at the time of each communication, the Data Subject shall explicitly be offered the possibility to lodge an objection free of charge against the further use of the Personal Data. Processing of Personal Data through non automated means (opt-out)
Where Personal Data is Processed for direct marketing purposes through the use other means than specified in clause 14.1 of this Policy, such as non- automated means such as, telephone non automatic calling and letters sent by post, the relevant Kaapenaar Coöp company shall (i) provide the Data Subjects at least with the possibility to opt-out from such use and (ii) not direct unsolicited commercial communications at Data Subjects enlisted with the so called “opt out” registries if required by law. Right to object
In the case a Data Subject objects to the use of his Personal Data for direct marketing purposes, his Personal Data shall be blocked for such use as soon as possible after the objection has been received by the relevant Kaapenaar Coöp company.
Automated decision making
Kaapenaar Coöp employs various automated business rules for risk and price based decisions. Data Subjects are entitled to query a decision and request the logic implemented to derive the decision, which is based solely on automated Processing of Personal Data, unless: the decision is taken in the course of the entering into or performance of a contract which contract was requested by the Data Subject and the decision was positive for the Data Subject; other measures are taken to safeguard the Data Subject’s legitimate interests, such as arrangements allowing the Data Subject to express his point of view or; the decision is authorised by law.
Compelling business interests
The requirements of clauses 4, 7 and 12, may be set aside if in the specific circumstances of the case at hand (especially in case of regulatory compliance) a pressing need exists which outweighs the fundamental rights and freedoms of the Data Subject in order to: protect the legitimate business interests of Kaapenaar Coöp, including: the security of an Employee; the protection of its trade secrets and reputation; the uninterrupted continuity of its business operations; the protection of confidentiality in for instance an (intended) sale or merger or acquisition of (its) business operations; involvement of trusted advisors or consultants for legal, tax, insurance or business consultancy purposes; prevent, detect, prosecute (including to cooperate with public authorities) breaches of (criminal) law or breaches of the terms of employment or other company rules or codes; protect and defend the rights and freedoms of Kaapenaar Coöp, its staff or other persons (including the Data Subject) hereinafter “Compelling (Business) Interests”); or protect the rights and freedoms of the Data Subjects or of a Third-party. The provisions of clause 13 may in specific cases be set aside if in the specific circumstances of the case at hand a pressing need thereto exists which outweighs the interests of the Data Subject for Compelling (Business) Interests described in clauses 16.1 only.
Supervision and compliance
Each Kaapenaar Coöp company shall designate a Data Protection Officer in accordance with Section 4 of the GDPR. Kaapenaar Coöp is aware of the provisions, requirements and limitations of term and restrictions of dismissal stated in Section 4 of the the GDPR and shall appoint a qualified Data Protection Officer, whom shall be registered with the European Data Protection Supervisor. The Data Protection Officer shall be selected on the basis of his or her personal and professional qualities and, in particular, his or her expert knowledge of data protection. The selection of the Data Protection Officer shall not be liable to result in a conflict of interests between his or her duty as Data Protection Officer and any other official duties, in particular in relation to the application of the provisions of the Data Protection Directive. Kaapenaar Coöp shall give prior notice, containing the information stipulated by Article 38 of the GDPR to the Data Protection Officer of any Processing operation or set of such operations intended to serve a single purpose or several related purposes. The Data Protection Officer shall maintain a register containing the information referred to in 18.5 above of all Data Processors, which will be available for inspection by the European Commission Data Protection Supervisor. Kaapenaar Coöp will regularly (at least on an annual basis) audit its systems used to Process Personal Data to ensure compliance with this Policy. Kaapenaar Coöp shall ensure that internal audits will take place on a regular basis within Kaapenaar Coöp. Kaapenaar Coöp shall ensure that those Employees that are responsible for ensuring compliance with data protection principles shall comply with this Policy and educate and inform them about the consequences of non-compliance. Kaapenaar Coöp shall develop and provide special training for Kaapenaar Coöp employees to promote privacy awareness and familiarity with the rules established in the Policy. A global complaint procedure for the effective protection of the rights established in this Policy will be set up upon implementation of the Policy. This global complaint procedure will be available to Employees and Clients of Kaapenaar Coöp.
​
Third-party beneficiary
The Data Subjects can enforce all obligations of Kaapenaar Coöp contained in this Policy which directly relate to the lawful or fair Processing of their Personal Data as Third-party beneficiaries. Any Kaapenaar Coöp company shall make available, upon request, a copy of this Policy to Data Subjects who are Third-party beneficiaries under this clause.
Compliancy procedures
If the Data Subject is of the opinion that Kaapenaar Coöp is not complying with the Policy or the privacy rights of the Data Subject are infringed according to applicable data protection legislation, the Data Subject may lodge a complaint. The Data Subject’s complaint must be lodged according to the complaint procedure for Clients or Employees, as applicable, adopted in every country where Kaapenaar Coöp is present. The country specific complaint procedure for Clients and Employees must comply with respectively with Kaapenaar Coöp’s corporate policy and applicable local law. A complaint shall be lodged by the Data Subject in accordance with the complaint procedure from the country where; the Data Subject has its habitual place of residence, or the Kaapenaar Coöp company which allegedly infringed the Policy or the Data Subject’s privacy rights is located, or the Kaapenaar Coöp company employing the Data Subject, who qualifies as Employee, is located. In the event that a Kaapenaar Coöp company wrongfully receives a complaint as referred to in this clause, such Kaapenaar Coöp company shall assist the Data Subject in lodging the complaint to Kaapenaar Coöp company which is charged with dispatching the complaint. Should the Data Subject be unsatisfied about the handling of the complaint, the Data Subject may address such concern to Kaapenaar Coöp by emailing complaints@Kaapenaar Coöp.co or calling +31 20 809 7511.
Right to be forgotten
In accordance with the mentioned conditions in article 17 of the GDPR the data subject will have the right to be forgotten. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.
In reference to the right to be forgotten by Data Subjects, the by Dutch law required retention period for personal data such as financial and customer identity data will be taken into regard. Kaapenaar Coöp shall comply with the minimum period for which Personal and Financial Data shall be retained in a Personal and Financial Data Filing System, for which applicable local laws will be taken into account. The retention period shall not be longer than the minimum period mentioned by local law or necessary to achieve the purposes for which the Personal and Financial Data have been collected or further processed. For Kaapenaar Coöp, in accordance with Dutch law, the following minimum retention periods apply: For Personal Data about the identity of a client, natural or legal person, for the prevention of money laundering and terrorism, the minimum retention period is 5 years upon registration of the data. For Financial Data such as Accounting, administration and finance documents (e.g. annual accounts, profit and loss accounts, debtors and creditors administration, inventory records, salary administration), the minimum retention period is 7 years upon creation of the document. Kaapenaar Coöp notes that it is crucial for a financial institution to retain this information for the length of the minimum retention period and/or as long as necessary to be able to prove the integrity of its balance sheet, of the processed transactions and for the prevention of money laundering, fraud detection, etc. In case the customer has revoked his consent and has requested for data erasure, processing of personal (financial) data for marketing purposes is no longer allowed, however due to the mentioned obligations the data itself cannot be erased instantly.
Liability
A Data Subject who has suffered direct damages as a result of any violation of the provisions of this Policy that directly relate to the lawful or fair Processing of his Personal Data, and only to the extent that the Data Subject can show that; it has suffered damage and the occurrence of such damage originates in the violation of the Policy, is entitled to receive compensation for the damage suffered. Kaapenaar Coöp and the relevant Kaapenaar Coöp company shall be jointly and severally liable for any direct damage suffered by the Data Subject resulting from any violation of this Policy by Kaapenaar Coöp or any Kaapenaar Coöp company. Kaapenaar Coöp or the relevant Kaapenaar Coöp company may be exempted from this liability only if they prove that neither of them is responsible for the violation of those provisions. If a Kaapenaar Coöp company is held liable before the competent courts, or mediation or arbitration institutions to which Kaapenaar Coöp are subject, by a Data Subject for a violation of this Policy by Kaapenaar Coöp, this Kaapenaar Coöp company will, to the extent to which it is liable, indemnify Kaapenaar Coöp for any costs, charge, damages, expense or loss it has incurred.
Enforcement of rights and mechanisms
The Data Subject has the right to address the courts or other competent authorities, including the Data Protection Authority in the Netherlands.
The provisions of this clause 21 apply without prejudice to the substantive rights and remedies or the dispute settlement procedures which are available to a Data Subject in accordance with other provisions of national or international law. All Kaapenaar Coöp companies are obliged to cooperate with the competent Data Protection Authority and any other lawful investigation or inquiry by a competent authority. The Kaapenaar Coöp company shall in a reasonable time and to the extent reasonably possible assist other Kaapenaar Coöp companies if this assistance is required in order to handle any request or complaint or claim of a Data Subject.
Notwithstanding the rights of the Data Subject as set forth in the above paragraphs of this Policy, the Dutch Data Protection Authority and the Dutch courts shall at all times be competent to supervise compliance with this Policy. Both the Dutch Data Protection Authority and the Dutch courts shall rule in accordance with Dutch law.
Data originating from countries outside EEA
Where a Kaapenaar Coöp company is established in a country outside the EEA Processes domestic Personal Data not originating in EEA countries, such Kaapenaar Coöp company may decide whether it will apply the level of protection set out in this Policy. Such Processing of Personal Data will as a minimum ensure that it complies with applicable local laws.
Amendments to this global data protection policy
The date of publication of this global data protection policy is 20 October 2025. Kaapenaar Coöp is not entitled to make any amendments to this Policy, or the purpose for which it collects Personal Data, as set out in 1.2, 1.3 and 4 hereof, without obtaining the consent of the Data Subjects. Any relevant amendments to this Policy shall be published and Data Subjects will be properly informed of the change.
The amendments shall only come into effect relative to each Client, after the amended Policy has been published in accordance with the relevant parts of Kaapenaar Coöp’s corporate policy and the Data Subject’s Consent has been obtained. Kaapenaar Coöp will inform the Data Protection Supervisor of any amendment to this Policy.
Inquiries
Inquiries relating to this Policy should be directed to:
The Data Protection Officer
Kaapenaar Coöperatief U.A.
Keizersgracht 62, 1015 CS, Amsterdam, the Netherlands
E-mail: info@kaapenaar.org
Telephone: +31 20 809 7511