Privacy Policy
Introduction
When advising on and concluding financial products or services, we ask for a lot of confidential information from customers. OHAO customers should be able to trust that we handle the information provided to us by a customer carefully and that this information will not be shared with others without the customer's explicit consent.
In this sense, careful handling of the recording and exchange of personal data is a prerequisite for careful financial services. Confidentiality is an important aspect for our company and the attitude of the professionals working within it.
For effective execution of our work, it is necessary for us to exchange personal data with providers and, for example, repairers and counterparties, as this is at the core of our tasks as a financial service provider. Additionally, we may provide information based on legal obligations to, for instance, the Dutch Tax and Customs Administration or the Authority for the Financial Markets.
We have mapped out our personal administration and processed it in our internally maintained processing register. Customers and other parties involved can receive this upon request. Here, they will find information about the data we process and the parties with whom we may exchange this data.
1. Definitions
In this statement, the following terms mean:
The law: the General Data Protection Regulation (GDPR) and the GDPR Implementation Act;
Personal data: any information about an identified or identifiable natural person;
Processing of personal data: any operation or set of operations related to personal data, including collecting, recording, organizing, storing, updating, modifying, retrieving, consulting, using, distributing, disseminating, or making available, linking, blocking, erasing, or destroying data;
File: any structured set of personal data, whether centralized or dispersed based on specific criteria, accessible and related to different people;
Controller: the natural or legal person, authority, agency, or other body that, alone or jointly with others, determines the purpose and means of the processing of personal data;
Processor: the person who processes personal data on behalf of the controller without being subject to their direct authority;
Data subject: the person to whom personal data pertains;
Third party: anyone who is not the data subject, the controller, the processor, or any person authorized to process personal data under the direct authority of the controller or the processor;
Recipient: the person to whom personal data is provided;
Consent of the data subject: any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they agree to the processing of personal data relating to them;
Supervisory authority: the Dutch Data Protection Authority;
Providing personal data: the act of disclosing or making available personal data;
Collecting personal data: obtaining personal data.
2. Scope
This statement applies to the wholly or partially automated processing of personal data. It also applies to non-automated processing of personal data that is part of a file or intended to be included therein.
This statement applies within OHAO and relates to the processing of personal data of customers, employees, and other involved natural persons.
3. Purpose
The purpose of collecting and processing personal data is to have the data necessary to achieve the goals described in the statutes, annual plans, and other plans of OHAO, fulfilling legal objectives, and managing and governing in the context of these goals.
4. Representation of the data subject
If the data subject is a minor and has not yet reached the age of sixteen or if the data subject is an adult and placed under guardianship, the consent of their legal representative is required instead of the data subject's consent. This consent is recorded in writing. If the data subject has issued a written authorization to their representative regarding the processor, co-consent by the duly authorized representative is required.
A data subject, their legally authorized representative, or their legal guardian can withdraw consent at any time.
5. Responsibility for management and liability
The controller is responsible for the proper functioning of the processing and management of the data; under the controller's responsibility, a manager is generally assigned to the actual management of personal data.
The controller ensures that appropriate technical and organizational measures are taken to secure against any loss or unlawful processing of data.
The responsibility mentioned in paragraph 1 and the provisions in paragraph 2 apply regardless of whether processing is carried out by a processor, which is governed by an agreement (or another legal act) between processor and controller.
The controller is liable for damage or loss caused by non-compliance with the provisions of the law or this statement. The processor is liable for such damage or loss to the extent that it arises from their actions.
6. Lawful processing
Personal data is processed in accordance with the law and this statement in a proper and careful manner.
Personal data is only collected for the purposes described in this statement and is not further processed in a way incompatible with the purposes for which it was obtained.
Personal data must be adequate, relevant, and limited to what is necessary for the purposes for which they are collected or processed. No more personal data shall be collected or processed than required for the purpose of the registration.
Personal data may only be processed if:
the data subject has given their unambiguous consent for the processing;
data processing is necessary for the performance of an agreement to which the data subject is a party (for example, an agreement to conclude a financial product or financial service, or an employment agreement with the data subject) or for actions, at the request of the data subject, that are necessary to conclude or assist in managing an agreement;
data processing is necessary for compliance with a legal obligation of the controller;
data processing is necessary to protect a vital interest of the data subject;
data processing is necessary for a legitimate interest of the controller or a third party, unless this interest conflicts with the interest of the person whose data is processed and that interest prevails.
Anyone acting under the authority of the controller or the processor—including the processor themselves—processes personal data only at the controller's instruction, except in cases of deviating legal obligations.
Data is only processed by persons bound to confidentiality based on an employment agreement or contract.
7. Processing of personal data
Processing is carried out by employees of our company or other natural persons who are involved in financial services under our responsibility.
Processing generally occurs in connection with the performance of an agreement, specifically the service agreement. In cases where there is no such agreement, processing occurs with the explicit consent of the data subject.
Processing is necessary to perform our work as an advisor and/or intermediary in financial products and services.
8. Special categories of personal data
Processing of personal data concerning someone’s religion, beliefs, race, political opinions, health, sexual life, trade union membership, or criminal records is prohibited, except in cases where the law explicitly permits such processing, specifying who, for what purpose, and under what conditions such data may be processed (Articles 9 and 10 of the GDPR).
As a financial service provider, we may process health information in our administration if this is necessary for the proper execution of our duties. Information regarding any criminal record may also be requested from you if necessary for proper contract execution, provided you have given your explicit consent.
9. Data processing
Data obtained from the data subject
When personal data is obtained from the data subject, the controller informs the data subject, before obtaining the data:
of their identity;
of the purpose of the processing, unless the data subject already knows this purpose.
The controller provides the data subject with further information to ensure a fair and careful processing based on the nature of the data, the circumstances under which it was obtained, or its intended use.
Data obtained from sources other than the data subject
In addition to information received from the data subject, the controller may obtain information from external sources deemed reliable by the controller for the described purposes. Examples include Roy-data for registering your bonus/malus statement, the RDW for vehicle information, and the CIS foundation for preventing and combating fraud in the insurance industry.
The controller ensures that only personal data that is accurate, adequate, relevant, and not excessive is processed in each processing instance.
10. Right of access
The data subject has the right to be informed of the processed data relating to them.
Upon request, the controller informs the data subject as soon as possible, but no later than four weeks after receiving the request, in writing, whether personal data relating to them is processed. Costs may be charged for such a notification, and the data subject may be asked to provide a valid ID copy when requesting access to their personal administration.
If data is being processed, the controller provides the requester, upon request, a complete overview in writing within four weeks, including information about the processing purposes, the data or categories of data involved, the recipients or categories of recipients, and the data source.
If the requester has a substantial interest, the controller may fulfill the request in a format other than written, adapted to meet that interest.
The controller may refuse a request if it is necessary in connection with:
the investigation and prosecution of criminal offenses;
the protection of the data subject or the rights and freedoms of others.
11. Provision of personal data
The provision of personal data to a third party generally only takes place after obtaining consent from the data subject or their representative, except where there is a legal provision or emergency requiring it.
An exception to this rule is the exchange of information with parties who need information to perform the agreement, such as insurance companies, banks, credit providers, or parties involved in claims handling.
Finally, we may provide personal data to meet legal obligations, such as to the Dutch Tax and Customs Administration and the Authority for the Financial Markets.
12. Right to correction, addition, deletion
Upon a written request from the data subject, the controller corrects, supplements, deletes, and/or restricts the processed personal data relating to the requester if the data is factually incorrect, incomplete for the purpose of processing, irrelevant, excessive, or otherwise processed in violation of a legal provision. The request of the data subject should specify the changes to be made.
The controller informs the requester as soon as possible, but no later than four weeks after receiving the request, in writing, whether they will comply. If they do not fully comply, they will provide reasons. The requester may, in this case, refer to the controller's complaints committee.
The controller ensures that a decision to correct, supplement, delete, and/or restrict is implemented within 14 working days or, if this is not reasonably possible, as soon as possible thereafter.
13. Data retention
Personal data is not kept in a form that makes it possible to identify the data subject for longer than necessary to achieve the purposes for which it is collected or subsequently processed.
The controller determines how long the stored personal data will be retained.
If the retention period for personal data has expired or the data subject requests deletion before the retention period expires, the relevant data is deleted within three months.
However, deletion does not occur if it is reasonably assumed that:
retention is of significant interest to someone other than the data subject;
retention is required by a legal provision (including the Financial Supervision Act); or
an agreement exists between the data subject and the controller regarding retention.
14. Processing register
Any wholly or partially automated processing of personal data intended for the realization of a purpose or related purposes is mapped and processed in an internally held processing register before processing begins.
In cases where an automated personal data processing process poses a high risk to the data subject, considering the nature and context of the data, we perform a data protection impact assessment before processing starts and ensure that the associated risks are sufficiently controlled to adequately safeguard the rights of data subjects.
The internal processing register includes:
the name and address of the controller;
the purpose(s) of the processing;
a description of the categories of data subjects and the (categories of) data involved;
the recipients or categories of recipients to whom the data may be provided;
the applicable retention periods.
15. Data breaches
If the controller encounters a data breach, they investigate whether personal data has been lost or whether unlawful processing cannot be ruled out.
If this investigation reveals that sensitive personal data has been leaked or there is another reason for (a significant risk of) adverse consequences for the protection of processed personal data, the controller informs the Dutch Data Protection Authority about the data breach.
If the controller has not encrypted all leaked personal data (adequately), or if the data breach is likely to have adverse consequences for the privacy of the data subjects for other reasons, the controller also reports the data breach to the Authority for the Financial Markets. In consultation with the mentioned supervisory authorities, it may also be decided to inform the data subjects of the possible data breach.
16. Complaints procedure
If the data subject believes that the provisions of this statement are not being complied with, they may contact:
the controller;
if the data subject is not satisfied with the outcome of the complaint, they can contact the Financial Services Complaints Institute in The Hague;
the Dutch Data Protection Authority with a request to mediate and advise in the dispute between the data subject and the controller;
the court.
17. Amendments, entry into force and copy
Amendments to this statement are made by the controller.
Changes to the statement take effect four weeks after they have been communicated to the data subjects.
This statement entered into force on 25-05-2018.
This statement is available for inspection at the controller's office. A copy of this statement can be obtained upon request for a fee.
18. Unforeseen cases
In cases not covered by this statement, the controller will decide, taking into account the provisions of the law and the purpose and scope of this statement.
Information on the General Data Protection Regulation
Text of the law: https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/verordening_2016_-_679_definitief.pdf
Website of the Dutch Data Protection Authority: http://www.autoriteitpersoonsgegevens.nl