Delta Amsterdam – Privacy Statement

 

We process various personal data in connection with organising, facilitating, and carrying out activities. We believe it is important that the processing of personal data takes place in a lawful, careful, secure, and confidential manner. We also want to be clear and transparent about what we do and do not do with your personal data. In this Privacy Statement you can therefore read which personal data we process and why we do so. We explain the applicable legal obligations and responsibilities. You can also view what rights you have with regard to your personal data and how you can exercise these rights.

Legislation

Personal data is processed by us in accordance with the General Data Protection Regulation (GDPR) (Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data). The GDPR has been applicable in the Netherlands since May 25, 2018 and has replaced the Personal Data Protection Act that applied until then.

Responsible
Delta Amsterdam is the controller within the meaning of the GDPR. This means that the management of Delta Amsterdam decides which personal data is processed, for what purpose, in what way and by what means. Delta Amsterdam is responsible for ensuring that personal data is processed in accordance with the GDPR and in a proper and careful manner.

Personal data
Personal data is any data that can provide information about an identified or identifiable natural person.
Delta Amsterdam processes, among other things, the name, address, and place of residence details of clients. Additional information is also requested in connection with being able to make (international) payments for activities organised by Delta Amsterdam, such as optional excursions.

Register of processing activities
Pursuant to Article 30 of the GDPR, Delta Amsterdam keeps a register of all processing activities that take place under our processing responsibility.

Personal data security
Article 32 of the GDPR obliges us to take appropriate technical and organisational measures to prevent the loss of personal data or unlawful processing. The extent of the measures taken is in reasonable proportion to the limited risks of the processing and the nature of the data, insofar as is possible with the current state of technology, with proportionate effort and at reasonable cost. We use regular ICT resources with access control to files and folders via username and password. Collected data is stored in WordPress, which runs on the servers of our website provider (aim.nu). These meet the GDPR standards. We also work with secure server communication (HTTPS/SSL).

Purpose of the processing
All personal data that Delta Amsterdam processes is important for the proper organisation and implementation of the ordered activities. Only data such as name, first name, and any (physical) limitations are communicated with external persons in order to carry out a program as desired, and also to filter which participants are registered for which program.

Basis of processing
Delta Amsterdam must be able to base the processing of personal data on one of the legal bases from Article 6 of the GDPR. The primary legal basis is Article 6(1)(b) GDPR: the processing of personal data is necessary for entering into and executing an agreement (or the customer). The secondary legal basis is Article 6(1)(f) GDPR: the processing of personal data is necessary to pursue legitimate interests (or to communicate them in favour of the practical implementation of activities). The basis for the lawful processing of special personal data about the health of participants is Article 6(1)(a) GDPR: the data subject (or his/her legal representative) has given prior explicit consent for this.

Internal management
We apply a careful and proportionate access and authorisation policy. Only a limited number of Delta Amsterdam employees have direct access to personal data contained in the files. Other Delta Amsterdam employees only have access to the data they need to perform their own tasks. For example, when planning activities, the designated colleagues and service providers only receive first names, last names, and payment reconfirmations. Relevant data about the health of customers (such as physical limitations, for example difficulty walking) will only be made available to the colleague who is externally hired and works specifically on the execution of the activity/excursion in question, to the extent that this is strictly necessary for the good and safe conduct of the event. Participants only receive the first names and in some cases the mobile numbers of their supervisors (event manager, guide, driver, and/or host).

External recipients
Personal data is only provided and shared with others outside Delta Amsterdam to the extent that this is relevant in view of the processing purposes of Delta Amsterdam. If data is used for a new or different purpose in the future, prior permission will be requested from those involved.

Website and Social Media
Delta Amsterdam has its own website, as well as LinkedIn, Facebook, and Instagram accounts. Messages and photos of activities are sometimes posted here. We ensure that people are never included or are never recognisable in the picture. If reasonably possible, we ask the persons depicted in the photos (or their legal representative) for permission to take photos. Our policy, in principle, aims at preventing persons from being immediately recognisable and traceable. We do not use names on social media and do not use facial recognition techniques to ‘tag’ people in photos and link them to existing social media profiles. If you find images on our website or social media accounts in which you are recognisable that you would prefer to have removed, please feel free to contact us (see Contact). People who are present at events and excursions as a participant, supervisor, or bystander can also take photos themselves or copy publicly-posted photos from the website or the Facebook page or Instagram account of Delta Amsterdam and further distribute them via their own social media and networking sites. Delta Amsterdam is not responsible for this. We do ask our supervisors/guides/host(s) via our rules/house rules to respect the privacy of other attendees and to not take their own photos. The conditions set by the providers of these services in terms of privacy and liability apply to visitors and followers of our social media channels.

Retention period of personal data
Delta Amsterdam does not store your personal data for longer than is necessary for the purpose of the processing (Article 5(1)(e) GDPR). The retention periods differ per type of processing and purpose. We store our customers’ data for up to 2 years after the event/excursion. If a customer participates again after 2 years, he will have to provide all necessary information again. Excluded is data to which a minimum legal retention period of longer than 2 years applies. For example, financial or payment data in the context of invoices or declarations to which a tax obligation applies is kept for 7 years on the basis of a legal obligation.

Your Privacy Rights
More information about the protection of personal data and your rights can be found on the website: https://autoriteitpersoonsgegevens.nl/
You have the right to inspect the personal data processed about you (Article 15 of the GDPR) and the right to request rectification or deletion of personal data (Articles 16 and 17 of the GDPR). If you want to know what personal data Delta Amsterdam processes about you, you can submit such a request (see Contact).

Contact
Do you have any questions or would you like to know what personal data Delta Amsterdam processes about you? Please contact us at info@delta-amsterdam.nl

Determination date
This privacy statement was established on: March 11, 2024

Version control
Version number: 0.1
Version date: 11-03-2024
Comments: First draft Delta Amsterdam