Privacy Statement

Stichting Pensioenregister Privacy Statement

About Stichting Pensioenregister

Pursuant to the Dutch Pensions Act (Pensioenwet), Stichting Pensioenregister (hereinafter: 'Pensioenregister'), is required to enable you, as a member[1] or pensioner, [2]to view your pension entitlements and/or pension benefits, including your Dutch state retirement pension (AOW-pensioen). A set of statutory rules ('Pensioenregister Rules'; hereinafter: 'Rules') has been drafted for this purpose.

We require a number of personal details from you in order to be able to adequately perform our legal and statutory duties, including your Dutch Citizen Service Number (Burgerservicenummer) and date of birth. It also includes the data and information you leave when visiting our Website. We refer to the collection, management and use of your data and information as 'processing'.

Purpose of the Privacy Statement

This Privacy Statement serves to inform you about the sensitive personal data we process and for what purpose(s) we do so, with the main priority being to protect your privacy. We treat all sensitive personal data, including your personal details, confidentially and with care, and we only process data and information which are necessary in order for us to be able to perform our legal and statutory duties. In doing so, we comply with the applicable laws and regulations. We only share your data with third parties if this is required for the proper performance of our legal and statutory duties.

This Privacy Statement contains the following information:

1. The purpose(s) for which we process your data;
2. Whose data we process;
3. The grounds for processing your data;
4. The types of data we process in relation to you;
5. With whom we share your data;
6. How long your data is retained;
7. How we protect your personal data;
8. How we handle personal data in relation to social media;
9. Your privacy rights;
10. How to contact us;
11. How and where you can submit complaints;
12. Where you can direct your questions;
13. Who supervises the processing of your personal data.

1. For what purpose(s) do we process your data?

We process your data in order to perform our legal and statutory information-related and other duties and, in doing so, enable pension beneficiaries and pensioners to consult their pension entitlements and/or pension benefits, including the Dutch state retirement pension (AOW-pensioen).

2. Whose data do we process?

We process data relating to the following individuals:

1. Members logging in to the Pensioenregister Website
2. Pensioners logging in to the Pensioenregister Website
3. Other visitors of the Pensioenregister Website

3. For what purpose(s) do we process your data?

We require a number of personal details from you in order to be able to adequately perform our legal and statutory duties. This is based on the premise that data processing is necessary in order to comply with legal and statutory obligations. If you choose not to share specific essential data or information with us, this could potentially affect our services and the quality thereof.

4. Which of your data do we process?

We process the following data:

1. Your Burgerservicenummer/BSN (Citizen Service Number);
2. Name;
3. Date of birth;
4. Pension data;
5. E-mail address;
6. Telephone number;
7. Login details, including your IP address.

Personal data processed in the reference index

In what is known as a 'reference index', Stichting Pensioenregister maintains and updates a list of the Burgerservicenummers/Citizen Service Numbers registered with the various pension administrators.

Personal data processed during your login session

During your login session, Stichting Pensioenregister processes your name and date of birth. If your spouse or domestic partner logs in to the Website at the same time as you, their name and date of birth will also be processed.

Personal data processed in technical logs

Stichting Pensioenregister processes the following data in technical logs, including the web server log:

1. IP address of the computer, laptop, tablet or smartphone you used to visit the Website
2. Time at which you visited the Website
3. Pages you visited on the Website
4. Website you visited prior to coming to the Website
5. The type of browser you are using
6. The type of operating system you are using

Data processed when interacting with the Stichting Pensioenregister Service Desk

If you contact the Service Desk (by telephone or e-mail) with a complaint, question, query or request and a ticket is opened for this purpose, the following data will be processed:

Your telephone number or e-mail address, Burgerservicenummer/Citizen Service Number, customer number and any other specific information you may have supplied will be stored in the Service Desk tool on a one-time basis.

This data must be processed in order to be able to handle your complaint or to be able to answer your question/query or respond to your request. Depending on the type of communication involved, your personal data may be retained for some time after the complaint, question/query or request has been handled (see Section 6 for further details).

5. With whom do we share your data?

We only share your data with third parties if this is required for the proper performance of our legal and statutory duties.

We will only depart from this rule if we are required to do so by law.

If we do share your personal data, this will be restricted to the data required to satisfy our obligations or the request to provide data.

Naturally, you can choose whether or not to share your data with third parties.

6. How long do we store your personal data?

Unless a legal retention period applies, your personal data will not be retained any longer than is necessary for the purpose for which it was collected or processed. We may retain some data because we are required to do so by law; in this case, we will abide by the legal retention period.

Stichting Pensioenregister uses the following retention periods:

1. Any data processed in the reference index: the Burgerservicenummer/Citizen Service Number will remain listed in the reference index for as long as the individual concerned has pension entitlements;
2. Any data processed when you (and your spouse or domestic partner, if applicable) log in to the Website: all data collected will be deleted as soon as you log out. The same applies if you download a file containing your pension data. No retention period applies in either of these cases.
3. Personal data processed in technical logs; the data collected is retained for 90 days, after which it is removed;
4. Data processed during your interaction with the Stichting Pensioenregister Service Desk: data contained in the Service Desk tool will be retained for a maximum of 100 days after the ticket is resolved, after which it is automatically deleted.

7. How do we protect your personal data?

In conjunction with our outsourcing partners, we have taken the necessary technical and organisational measures to protect your data from unwanted destruction, loss, and unauthorised access or modification. Offices and data centres are equipped with physical access control systems.

If you believe that your data is not securely protected or if there are indications of misuse, please contact our Service Desk or send an e-mail to info@mijnpensioenoverzicht.nl.

8. Your personal data in relation to social media

While Stichting Pensioenregister may use social media channels such as Facebook, Twitter and YouTube, it does not share any personal data on these channels. Pensioenregister cannot be held responsible or liable in any way whatsoever for the manner in which visitors to these social media channels use personal data. For this information, we refer you to the privacy statements of the social media channels you are using.

9. What are your privacy rights?

You have the following privacy rights:

1. Right of access, right to supplement incomplete data, and right to rectification
2. Right to object personal data processing
3. Right to erasure ('right to be forgotten')
4. Right to data portability
5. Right to clear information
6. Right in relation to automated decision making, including profiling

It is important to note that you can invoke these rights at any time. This is subject to one exception: If we are no longer able to fulfil our obligations under the law or the pension rules and/or implementing regulation, our obligations will prevail.

Right of access, right to supplement incomplete data, and right to rectification

This refers to your right to check whether we process your personal data and your right to gain access to this data, modify your personal data with us if it appears that we are processing inaccurate data from you, or the right to supplement your data if it turns out to be incomplete. You can direct any requests for access, supplementation and rectification of your data (including personal data) to the relevant pension administrator or the Sociale Verzekeringsbank (SVB).

If you would like to know what data we process in relation to you and whether this data is accurate, or if you find that your statement contains inaccuracies, you can contact our Service Desk with a request to access or a request for rectification. The Service Desk's contact details are contained in this Privacy Statement. We will provide you with a statement within four weeks of receiving your request.

Right to object to personal data processing

Based on special personal circumstances, in some cases you may be entitled to object the processing of your personal data. You may request us to process less of your data or (temporarily) cease processing your data is this processing is unlawful, if you have objected to the processing, if the processing is no longer necessary, or if the data processed is inaccurate. You must submit a request, including your reasons, to our Service Desk. The Service Desk's contact details are contained in this Privacy Statement. You will receive a decision within four weeks of receiving your request.

Right to erasure/right to be forgotten

You are entitled to submit a request to have your personal data erased (also known as the 'right to be forgotten'). You can choose to do this if you believe we are no longer authorised to use your data because this is no longer necessary. You can also arrange to have this done if you have revoked your consent, if you have made an objection, if data has been processed unlawfully, or because the agreed retention period has been exceeded. You must submit a request, including your reasons, to our Service Desk, whose contact details are contained in this Privacy Statement. You will receive a confirmation within four weeks of our receipt of your request; this confirmation will state whether – and if so, which – personal data was removed at your request.

Login details are deleted once the 90-day retention period has expired.

Right to data portability

If you intend to share your personal or other data with a third-party organisation, you can download your pension statement (containing your name and date of birth) as an XML or PDF file. You can also apply for this together with your partner if you would like to receive a comprehensive pension statement. If you share your personal data with a third-party organisation, we will not be responsible for the data processed at the organisation with which you have shared this data and/or the storage of your data in your personal files.

Right to clear information

This refers to the right you have to be informed in a comprehensive and accurate manner about, for example, how we process your personal data and our reasons for doing this. This Privacy Statement is an example of such information.

Right in relation to automated decision making, including profiling

You have the right to obtain human intervention in reviewing automated decisions which we might make and which relate to you and which affect you. Our company currently does not use automated decision-making processes or profiling.

10. How can you contact us?

Please feel free to contact us if you have any questions about our Privacy Statement:

Stichting Pensioenregister
Verrijn Stuartlaan 1F
2288 EK Rijswijk, the Netherlands
www.pensioenregister.nl
+31 (0)20 7512870
info@mijnpensioenoverzicht.nl

11. How and where can you submit complaints?

If you have a complaint regarding the use of your personal data, for example because you believe we are not handling this data with care or because you have requested access or rectification of your personal data but are not satisfied with our response, you have the option to submit a complaint to us. For further information, please refer to the Stichting Pensioenregister Complaints Procedure.

Stichting Pensioenregister would also like to remind you that you have the option to submit a complaint to the national regulator, the Autoriteit Persoonsgegevens (Dutch Data Protection Authority). You can do this by accessing the following link: https://autoriteitpersoonsgegevens.nl/nl/zelf-doen/gebruik-uw-privacyrechten/klacht-melden-bij-de-ap.

If you are not satisfied with the outcome of the procedure, you have the option to file a petition with the cantonal court (also known as subdistrict court, or kantonrechter in Dutch).

12. Whom can you contact with any other questions?

On the website www.mijnpensioenoverzicht.nl, you will find details and amounts as supplied by the pension administrator(s). The accuracy and currency of this data and these amounts are the responsibility of these pension administrators. The date listed in the statements after stand per ('status as of') tells you when this data was prepared. If you have any questions about your data and these amounts, you must contact your pension administrator.

You will find a list of Frequently Asked Questions (FAQ) at the following link: www.mijnpensioenoverzicht.nl/faq.

If you have any other questions about personal data processing by Pensioenregister, please send an e-mail or letter to the Privacy Officer at Pensioenregister (see the address details below).

13. Who supervises the processing of your personal data?

This supervision is organised in two ways:

1. Pensioenregister has appointed a Privacy Officer
2. The Autoriteit Persoonsgegevens (Dutch Data Protection Authority) is the legal regulator for personal data processing.

Privacy Officer's details:

Albert de Jong
Nederlands Compliance Instituut (Netherlands Compliance Institute)
Jan Leentvaarlaan 61-63
3065 DC Rotterdam
+31 (0)88 99 88 100
a.dejong@compliance-instituut.nl

Contact details of the Autoriteit Persoonsgegevens (Dutch Data Protection Authority):

Autoriteit Persoonsgegevens
Postbus/PO Box 93374
2509 AJ Den Haag/The Hague, the Netherlands
0900 2001 201
www.autoriteitpersoonsgegevens.nl

Amendments

We reserve the right to amend this Privacy Statement, including in relation to amendments to laws and regulations or jurisdiction. We therefore recommend that you regularly consult this Statement when visiting our Website.

Version 2.0

Last updated: May 2022

[1] Member: a member as specified in the Pensioenwet/Dutch Pensions Act, Wet verplichte beroepspensioenregeling (Mandatory Occupational Pension Scheme Act) and the political office holder as specified in the Algemene pensioenwet politieke ambtsdragers (General Pensions Act for Political Office Holders).

[2] Pensioner: person who is entitled to a pension under a pension agreement, the Occupational Pension Rules and/or pursuant to the Algemene pensioenwet politieke ambtsdragers (General Pensions Act for Political Office Holders).