Privacy en disclaimer

Full information about our privacy policy, our disclaimer, and cookies.

Privacy

The Museum of Bags and Purses Foundation uses the personal data of visitors, employees, partners, and chain partners for internal purposes. The Foundation primarily collects personal data for the correct performance of its duties and responsibilities. People should be able to trust that the Foundation will handle personal data carefully and securely. In these times, the Foundation is also keeping abreast of new developments. New developments in technology, innovative services, globalisation, and an increasingly digitalised government place further demands on the protection of data and privacy. The Foundation is aware of these demandsand will continue to guarantee privacy. It does this through measures in areas such as information security, data minimisation, transparency and user control.

The Foundation uses this policy to provide clear guidance on privacy and to show that it guarantees, protects and maintains privacy. This policy applies across the organisation to all the foundation’s processes, divisions, objects and data collection. The Foundation’s privacy policy is in line with the Foundation’s general policy and the relevant local, regional, national and European laws and regulations.

Legal frameworks for handling personal data

This policy is based on the following legal frameworks.

Personal Data Protection Act (Wet Bescherming Persoonsgegevens [Wbp]), replaced by the EU General Data Protection Regulation (GDPR) on 25 May 2018.

Implementation Act for the General Data Protection Regulation.

The Foundation handles personal data securely in accordance with the legal requirements and the Foundation respects the privacy of data subjects. In doing so, the Foundation adheres to the following criteria:

Legitimacy, adequacy, transparency
The Foundation processes personal data in accordance with the law and in an adequate, clear, transparent and careful manner.

Basis and purpose
The Foundation ensures that personal data is only collected and processed for clearly defined, explicitly described and legitimate purposes. Personal data is only processed under one of thelegal bases of the GDPR.

Legitimate basis
The law states that a legitimate basis under the law must apply to any processing of personal data. This means that data processing may only occur:

  • to comply with an obligation stated in the law
  • to perform an agreement to which the data subject is/was a party
  • to counter a serious threat to the health of the data subject
  • for the correct performance of the duty
  • when the data subject has given consent to the specific processing

When data subjects give consent, we are also able to demonstrate that we have actually been given this consent.

Data minimisation, Subsidiarity and Proportionality
The Foundation only processes the minimum amount of personal data required for the previously defined purpose. The Foundation aims for minimal data processing. Less or no personal data will be processed wherever possible, violations of the private life of data subjects will be kept to a minimum as far as possible and any violation of the data subject’s interests should not be disproportionate to the purpose of the processing. Where the same
purpose can be achieved without personal data or by using less sensitive data, this course of action must always be chosen.

Retention period
The Foundation will not retain personal data for any longer than is necessary. However, it may be required to retain personal data to correctly perform its duties or to comply with legal requirements.

Integrity, confidentiality and sharing with third parties
The Foundation will use personal data carefully and treat it as confidential. For instance, personal data will only be processed by people who are subject to a duty of confidentiality and for the purpose for which the data was collected. Furthermore, the Foundation will appropriately secure the personal data. This is set out in the Foundation’s Information Security Policy. The Foundation will share personal data with third parties as little as possible. If the Foundation does share personal data with external parties, it will enter into agreements with the third parties in order to at least comply with the respective requirements contained in the GDPR.

Rights of data subjects
The law does not only stipulate the obligations of the parties that process personal data; it also stipulates the rights of the persons whose data is processed. These rights are also referred to as the rights of data subjects and consist of the following:

  • Right to information: Data subjects have the right to ask the Foundation about whether their personal data is being processed.
  • Right of inspection: Data subjects have the possibility to check whether their data is being processed and if so, in which manner.
  • Right of correction: If the data is clearly incorrect, data subjects may submit a request to the Foundation to correct this data.
  • Right to oppose use: Data subjects have the right to ask the Foundation to stop using their personal data.
  • Right to be forgotten: If the data subject has given consent for the processing of their data, the data subject has the right to have their personal data removed.
  • Right to object: Data subjects have the right to object to the processing of their personal data. The Foundation will comply with this objection unless there are legitimate grounds for processing the data.

Submission of a request
Data subjects can submit a request to exercise their rights. The data subject may submit their request in writing or by email to the Data Processing Officer. The Foundation has a period of four weeks from the receipt of the request to evaluate whether the request is legitimate. The Foundation will inform the data subject about how their request will be handled within four weeks. If the request is not followed up, the data subject may submit an objection to the Foundation, or make a complaint to the Dutch Data Protection Authority (Dutch DPA). The Foundation may ask the data subject for further information, depending on the request, in order to confirm the identity of the data subject.

Register of data processing operations
The Foundation is responsible for maintaining a register of all data processing in which the Foundation acts as the data controller. Each register contains a description of what occurred during a processing operation and which data was used for this purpose, namely:

  • The name and contact information of the data controller, where possible the collective data controller(s);
  • The purposes of the data processing;
  • A description of the type of personal data and the data subjects associated with this data;
  • A description of the recipients of the personal data;
  • A description of the sharing of personal data with a third country or international organisation;
  • The periods in which the various personal data must be deleted;
  • A general description of the security measures;

Appointment of a Data Protection Officer (DPO)
The foundation has appointed a DPO. The DPO is involved with all matters related to the protection of personal data. The duties of the officer are to inform, advise, oversee, raise awareness and act as a contact person for the DPA. The DPO is not intended to assume the privacy protection duties of departments. Departments have their own person responsible for
the correct handling of private and sensitive data. The DPO first needs to be informed of any processing of personal data before processing can begin. The DPO is responsible for the systematic assessment of the implementation and performance of the legal requirements and the guidelines concerning privacy.

The Foundation works every day on the correct and careful handling of personal data. Protecting privacy is a complex matter. It is also becoming increasingly complex due to developments in technology, decentralisation, huge challenges in the field of security and new European legislation. That is why we consider it important that we are transparent about the way in which we handle personal data and guarantee privacy.

Personal Data:
All data that involves people and from which you can derive a person’s identity. This is not solely confidential data, such as data about a person’s health. It also includes all data that can be traced back to a particular person (for instance, a person’s name, address or date of birth).

In addition to standard personal data, the law also recognises special personal data. This is data about sensitive matters such as a person’s ethnic background, political preferences or Citizen Service Number (BSN).

Processing:
Processing is everything that is done with personal data.

Manner of processing
The key rule to processing personal data is that data processing is only permitted in accordance with the law and it must be done with care. Personal data is collected from the data subject in person wherever possible. The law is based on subsidiarity. This means that data processing is only allowed when its purpose cannot be achieved in another manner.

The law also refers to proportionality. This means that personal data may only be processed if it is in proportion to the purpose. The Foundation ensures that personal data is correct and complete before it is processed. Personal data is only processed by people who are subject to a duty of confidentiality. Furthermore, the Foundation protects all personal data. This should prevent personal data being viewed or amended by someone who is not entitled to do so.

Transmission
The Foundation does not transfer or share personal data with any third parties with whom it has not concluded a processor’s agreement.

If personal data is obtained via a different route, in other words not directly from the data subject, the data subject will be informed when their data is first used.

Automated processing

Profiling:
Profiling takes place whenever there is automated processing of personal data involving the use of personal data to consider certain private details of a person in order to categorise and analyse the person, or to make predictions. Examples of private details include a person’s financial situation, interests, behaviour or location.

Profiling is only permitted if it meets the conditions. The exceptions to the use of profiling are set out in article 22.2 of the GDPR: 1. It is necessary for entering into, or performance of, a contract between the data subject and a data controller 2. It is authorised under Dutch or EU law. 3. It is based on the data subject’s explicit consent.

The Foundation only uses profiling where the data is general data. This is data that can no longer be linked to a person because it is in an anonymous and pseudonymous form. Furthermore, the profiling does not have a legal effect and/or persons are not affected to any appreciable degree.

Big data and tracking
Data may only be processed using big data analysis and tracking when the data cannot be traced back to a natural person. Furthermore, the data is only be collected for analysis that is performed by or on behalf of the foundation. The data collected by big data analysis and tracking is only data collected by authorised persons. If the data is converted into a data set, data minimisation will be used. This means that only data that is absolutely necessary for achieving the purpose will be used. Furthermore, personal data can be pseudonymised so that it cannot be traced back to a person.

The Foundation only uses big data where the data is general data and can therefore no longer be linked to a person.

Deployment of CCTV
The Foundation uses CCTV monitoring under certain circumstances. CCTV monitoring is only used to increase security. CCTV can greatly intrude upon the privacy of the individuals filmed. To guarantee the best possible privacy, CCTV is only deployed when there are no other means to achieve the purpose. Furthermore, the following requirements are placed on the deployment of CCTV:

  • CCTV cannot be used on public highways unless this is unavoidable
  • CCTV footage cannot be shared with third parties, unless this is formally requested by the courts
  • Camera footage must only be kept for a maximum of between five and eight days
  • Camera footage must only viewed/replayed by authorised personnel

Camera footage may be kept for longer in the event of an incident or under special circumstances. This decision rests with the head of business operations. This footage must be stored on a standalone PC with the team leader for security.

Review of the effects of data protection
The effects of data protection are reviewed to assess the effects and risks of new and existing processing on the protection of privacy. The Foundation carries out this review when it uses automated processing, large-scale processing or large-scale monitoring of public areas. This applies in particular to data processing which uses new technologies.

Data breaches
A data breach occurs when personal data falls into the hands of third parties who should not have access to that data. If a data breach occurs, the Foundation will report the breach to the Dutch Data Protection Authority without any unreasonable delay, and no later than 72 hours of becoming aware of the breach. If the Foundation reports the breach later than 72 hours, it
will state the reasons for the delay. A data breach may bring a heightened risk to the rights and freedoms of data subjects. In this eventuality, the Foundation will notify the data subjects using straightforward and clear language. The Foundation will assess any data breaches that have occurred in order to prevent future data breaches.

Concluding remarks
If the Foundation does not comply with any of its legal obligations, the data subject may submit a complaint. Complaints will be handled through the Foundation’s complaints procedure. The management team or director will decide on cases not covered by the complaints procedure.

Disclaimer

The Museum of Bags and Purses Foundation (Stichting Tassenmuseum Hendrikje) and its affiliated companies cannot be held liable for any form of information placed by third parties on the websites www.tassenmuseum.nl and www.museumofbagsandpurses.com.

Furthermore, they cannot be held liable for information appearing in printed media that is based on the websites www.tassenmuseum.nl and www.museumofbagsandpurses.com (hereinafter: “these websites”).

The Museum of Bags and Purses Foundation cannot be held liable or responsible for the content of any offsite pages or pages linked to or derived from these websites. The greatest care is taken when placing information on these websites. The information is provided “as is”, without an express or implied warranty of any kind, including but not limited to warranties concerning saleability, possibilities of use, non-infringement, accuracy and currency of the information.

The Museum of Bags and Purses Foundation retains the right at all times to amend the content of these websites and to temporarily suspend the websites without prior notice.
The Museum of Bags and Purses Foundation and its affiliated companies cannot be held liable for any direct, indirect and/or consequential loss or damage and/or computer viruses arising from access to, use of, and reliance on these websites, the information on these websites or any website linked to them, except in the event of wilful misconduct or gross negligence.

All intellectual property rights regarding the information on these websites belongs to The Museum of Bags and Purses Foundation and its affiliated companies, or have been included with the consent of the owner of the respective intellectual property rights. All of the provisions and terms and conditions of the Museum of Bags and Purses are applicable.

Cookies

The Museum of Bags and Purses uses cookies on this website. Cookies are small, simple text files that your computer receives when you visit our website.

Functional cookies

Some cookies are essential for the correct functioning of the website. The websites, or parts of the websites, will not work without these cookies. In contrast to non-functional cookies, these cookies will be placed without consent.

Google Analytics

The Museum of Bags and Purses uses cookies for maintaining web statistics (Google Analytics). This includes information such as the number of visitors to the websites, which pages they view, where they come from and where they click, and the browser and screen resolution they use. This information cannot be traced back to an individual visitor.

Social media

The website incorporates functionality from AddThis for sharing images or pages on social networks such as Facebook, Twitter, Pinterest and Google+. This functionality works using code that comes from AddThis. The code is used to place cookies. The Museum of Bags and Purses has no influence over these cookies. For more information, see www.addthis.com/privacy.

Blocking cookies

Most internet browsers can be configured in such a way that they do not accept cookies or so that you are informed when you receive a cookie. The way to do this will depend on your browser. Please be aware that if you block cookies, certain parts of the website will not function, or they will not function optimally. The way to disable cookies will depend on your
browser.

Removing cookies afterwards

You can choose to delete the cookies from your computer after visiting our website. The way to do this will depend on your browser.

News & Updates