Privacy policy

Introduction
When advising on and taking out financial products or services, we request a lot of confidential information from customers. Clients of Insure To Study must be able to assume that we handle the information a client provides us with care and that this information is not shared with others without the client’s explicit consent.

In this sense, careful handling of the recording and sharing of personal data is a prerequisite for careful financial services. Maintaining confidentiality is fundamental to our company and the conduct of its professionals.

For the effective execution of our tasks, it is necessary for us to exchange personal data with providers, such as repair services and opposing parties, as this is central to our role as a financial service provider. It is also possible that we have to provide information to, for example, the Dutch Tax Office or the Netherlands’ Authority for the Financial Markets on the basis of statutory obligations.

We have mapped and processed the personal data we hold in our internally kept processing register. Customers and other involved persons can receive this upon request. Here they will find information about the data we process and the parties with whom we may exchange this data.

1. Definitions
In these regulations, the following definitions apply:
– the law: the General Data Protection Regulation (AVG) and the AVG Implementation Act;
– personal data: any data relating to an identified or identifiable natural person;
– processing of personal data: any act or set of acts concerning personal data, including but not limited to the collection, recording, organisation, storage, adaptation, alteration, retrieval, consultation, use, provision by means of transmission, dissemination or any other form of making available, bringing together, linking, as well as blocking, erasure or destruction of data;
– file: any structured set of personal data, whether centralised or dispersed on a functional or geographical basis, accessible according to certain criteria and relating to different persons;
– controller: the natural or legal person or any other person or administrative body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
– processor: the person who processes personal data on behalf of the controller, without being subject to his direct authority;
– data subject: the person to whom a piece of personal data relates;
– third party: any person, other than the data subject, the controller, the processor, or any person authorised under the direct authority of the controller or the processor to process personal data;
– recipient: the person to whom personal data are disclosed;
– data subject’s consent: any freely-given, specific and informed expression of will by which the data subject accepts that personal data relating to them may be processed;
– supervisor: Authority for Personal Data;
– providing personal data: the disclosing or making available of personal data;
– collection of personal data: obtaining personal data.

2. Scope
1. These regulations shall apply to the wholly or partly automated processing of personal data. It shall also apply to the non-automated processing of personal data contained in a file or intended to be contained in a file.
2. These Regulations apply within Insure To Study and cover the processing of personal data of clients, employees and other natural persons concerned.

3. Purpose
1. The purpose of collecting and processing personal data is to have available the data necessary to realise the purposes set out in the articles of association, annual plans and other plans of Insure To Study, the realisation of legal purposes and the conduct of policy and management within the framework of these purposes.
2. The purposes for which data are collected and processed within Insure To Study are explicitly defined in the attachment.

4. Representation of data subject
1. If the person concerned is a minor and has not yet reached the age of 16 years or if the person concerned is of age and has been placed under guardianship, the consent of his/her legal representative shall be required instead of the consent of the person concerned. The consent shall be in writing. If the data subject has given a written authorisation in respect of his representative towards the processor, the co-authorisation by the written authorised representative shall be required.
2. A consent may be withdrawn at any time by the data subject, their authorised representative or their legal representative.

5. Management responsibility and liability
1. The controller shall be responsible for the proper functioning of the processing and management of the data; under the responsibility of the controller, an administrator shall usually be charged with the actual management of the personal data.
2. The controller shall ensure that appropriate technical and organisational measures are implemented to protect against any loss of or any form of unlawful processing of data.
3. The responsibility referred to in paragraph 1 and the provisions of paragraph 2 shall apply without prejudice if the processing is carried out by a processor; this shall be governed by a contract (or by another legal act) between processor and controller.
4. The controller shall be liable for any damage or harm caused by non-compliance with the requirements of the law or these regulations. The processor shall be liable for that damage or disadvantage to the extent that it has been caused by their actions.

6. Lawful processing
1. Personal data shall be processed properly and carefully in accordance with the law and these regulations.
2. Personal data shall be collected only for the purposes referred to in these regulations and shall not be further processed in a way incompatible with the purposes for which they were obtained.
3. Personal data – having regard to the purposes for which they are collected or subsequently processed – shall be adequate and relevant; no more personal data shall be collected or processed than is necessary for the purpose of registration.
4. Personal data may only be processed if:
– the data subject has unambiguously consented to the processing;
– the data processing is necessary for the performance of an agreement to which the data subject is a party (e.g. an agreement to conclude a financial product or service or the employment contract with the data subject) or for acts, at the request of the data subject, which are necessary for the conclusion, or assistance in the administration, of an agreement;
– the data processing is necessary to fulfil a legal obligation of the data controller;
– the data processing is necessary in connection with a vital interest of the data subject;
– the data processing is necessary in view of an interest of the responsible party or a third party, unless that interest conflicts with the interest of the person whose data are processed and that interest prevails.
– Registration of the citizen service number will only take place if there is a legal basis for doing so. In the vast majority of cases such a basis will not be present for our services.
– Anyone acting under the authority of the responsible party or the processor – and also the processor himself – will only process personal data on behalf of the responsible party, except in the event of deviating legal obligations.
– The data are only processed by persons who are bound to secrecy on the basis of an (employment) contract.

7. Processing of personal data
1. Processing is carried out by employees of our company or other natural persons engaged in financial services under our responsibility.
2. Processing is generally carried out in connection with the performance of an agreement, namely the service agreement. In those cases where there is no performance of such an agreement, the processing takes place with the explicit consent of the data subject.
3. The processing is carried out for the purpose of carrying out our activities as advisor and/or intermediary in financial products and services.

8. Special personal data
1. The processing of personal data on a person’s religion or belief, race, political affiliation, health, sexual life, trade union membership or of personal data of a criminal nature is prohibited, except in the cases in which the law explicitly stipulates by whom, for what purpose and under what conditions such data may be processed (Articles 9 and 10 of the AVG).
2. As a financial service provider, we may process information about your health in our records, provided this is necessary for the proper performance of our work. We may also request data about any criminal past from you, if this is necessary for the proper performance of the agreement, provided you expressly give your consent.

9. Data processing
Data obtained from data subject
1. If personal data are obtained from the data subject himself/herself, the data controller shall inform the data subject prior to the time of obtaining of:
– his identity;
– the purpose of the processing for which the data are intended, unless the data subject already knows that purpose.
– The data controller shall provide the data subject with further information insofar as this is necessary – given the nature of the data, the circumstances under which they were obtained or the use to which they are to be put – to ensure proper and careful processing towards the data subject.
Data obtained outside the data subject
1. In addition to information received from the data subject, the controller may, for the purposes described, obtain information from external sources that the controller deems reliable. Examples are Roy-data for the registration of your bonus/malus declaration, the RDW for your vehicle data and the CIS foundation for the purpose of preventing and combating fraud in the insurance sector.
2. The Controller shall ensure that in any processing of personal data, only those personal data are processed that are accurate, adequate, relevant and not excessive.

10. Right of inspection
1. The data subject shall have the right to access processed data relating to him/her.
2. The controller shall inform any person at his or her request – as soon as possible but no later than four weeks after receipt of the request – in writing whether personal data relating to him or her are being processed. A fee may be charged for providing such notice. In addition, the data subject who requests access to his/her personal data records may be asked for a copy of a valid identification document.
3. If so, the data controller shall, if so requested, provide the requester in writing – as soon as possible but no later than four weeks after receipt of the request – with a complete overview thereof with information on the purpose or purposes of the data processing, the data or categories of data to which the processing relates, the recipients or categories of recipients of the data as well as the origin of the data.
4. If a substantial interest of the applicant so requires, the Controller shall comply with the request in a form other than the written form appropriate to that interest.
5. The responsible party may refuse to comply with a request if and insofar as this is necessary in connection with:
– the detection and prosecution of criminal offences;
– the protection of the data subject or the rights and freedoms of others.

11. Provision of personal data
1. Provision of personal data to a third party shall, in principle, not take place other than with the consent of the data subject or the data subject’s representative, except in the event of a statutory provision or emergency.
2. An exception to this rule is the exchange of information with parties who need information for the execution of the agreement, such as insurance companies, banks, lenders or parties involved in claims handling.
3. Finally, we may provide personal data to comply with legal obligations, such as to the Dutch Tax Authorities and the Netherlands Authority for the Financial Markets.

12. Right to correction, addition, deletion
1. At the written request of a data subject, the data controller shall rectify, supplement, delete and/or block the personal data processed about the data subject if and insofar as such data are factually inaccurate, incomplete for the purpose of processing, irrelevant or include more than is necessary for the purpose of the registration, or are otherwise processed in violation of a statutory provision. The data subject’s request shall include the changes to be made.
2. The data controller shall inform the applicant in writing as soon as possible, but no later than four weeks after receipt of the request, whether it complies with it. If he does not or not fully comply, he shall give reasons for this. In this regard, the applicant has the option of contacting the responsible party’s Complaints Committee.
3. The responsible party will ensure that a decision to correct, supplement, delete and/or block is implemented within 14 working days and, if this does not reasonably appear possible, otherwise as soon as possible thereafter.

13. Retention of data
1. Personal data shall not be kept in a form which enables identification of the data subject for longer than is necessary for the realisation of the purposes for which they are collected or subsequently processed.
2. The responsible party shall determine how long recorded personal data are retained.
3. If the retention period of the personal data has expired or the data subject requests deletion before the expiry of the retention period, the relevant data shall be deleted within a period of three months.
4. Deletion shall, however, not be carried out if it is reasonable to assume that:
– the retention is of great importance to a person other than the data subject;
– retention is required by a statutory regulation (including the Financial Supervision Act) or
– if there is an agreement between the data subject and the controller on the subject.

14. Processing register
1. Any wholly or partly automated processing of personal data intended for the realisation of a purpose or related purposes has been identified and processed by us in an internally held processing register before the processing is started.
2. In those cases where an automated process for processing personal data deployed by us poses a high risk to the data subject, taking into account the nature and context of the personal data held, we shall carry out a data protection impact assessment before commencing such processing and ensure that we adequately manage the risks involved, so as to adequately safeguard the rights of data subjects.
3. The internally kept processing register shall include:
– the name and address of the controller;
– the purpose or purposes of the processing;
– a description of the categories of data subjects and of the (categories of) data relating to them;
– the recipients or categories of recipients to whom the data may be disclosed;
– the retention periods observed.

15. Data breaches
1. If confronted with a data breach, the controller shall investigate whether personal data have been lost or whether unlawful processing cannot be ruled out.
2. If the aforementioned investigation reveals that personal data of a sensitive nature have been leaked or that there is a (significant risk of) adverse consequences for the protection of the personal data processed for some other reason, the responsible party will inform the Personal Data Authority about the data breach.
3. If the responsible party did not (properly) encrypt all leaked personal data, or if the data leak is likely to have adverse consequences for the privacy of data subjects for other reasons, the responsible party will also report the data leak to the Authority for the Financial Markets. It is possible that in consultation with the aforementioned regulators it may also be decided to inform the data subjects about the possible data breach.

16. Complaints procedure
If the data subject is of the opinion that the provisions of these regulations are not complied with, he may address himself to:
– the data controller;
– if the data subject is not satisfied with the outcome of the complaint, the data subject may apply to the Financial Services Complaints Institute in The Hague;
– the Personal Data Authority with the request to mediate and advise in the dispute between the data subject and the responsible party;
– the District Court.

17. Amendment, entry into force and copy
1. Amendments to these regulations shall be made by the person in charge.
2. Amendments to the regulations shall come into force four weeks after they have been announced to those involved.
3. These regulations may be inspected at the manager’s office. Upon request, a copy of these regulations may be obtained at cost price.

18. Unforeseen
In cases not covered by these regulations, the responsible party will decide, with due observance of the provisions of the law and the purpose and purport of these regulations.

Information on the General Personal Data Regulation:
– text of the Act: https://autoriteitpersoonsgegevens.nl/uploads/imported/verordening_2016_-_679_definitief.pdf
– the website of the Personal Data Authority (https://www.autoriteitpersoonsgegevens.nl)