Model privacy statement Water Alliance
We process personal data as part of our service provision. The personal data we process comes either directly from you, for example, via our website, email, phone, or business card, or, in the context of our services, we may obtain your personal data from third parties (e.g. your employer). This privacy statement informs you about how we handle this personal data.
Personal data to be processed
The personal data we process depends on the exact services and circumstances. Most often it concerns the following data:
• Name and address information;
• Job title of contact person;
• Contact information (email addresses, phone numbers), and name and job title of contact person;
• Information about your activities on our website, IP address, internet browser, and type of device.
Objectives and principles for processing personal data
In a number of cases, we process personal data to comply with a legal obligation, but most of the time we do so to be able to perform our services. Some data is recorded for practical or efficiency reasons, which we (may) assume are also in your interest, such as:
• Communication and information services;
• Being able to provide our services as efficiently as possible;
• Improving our services;
• Billing and invoicing.
In concrete terms, the above also means that we use your personal data for marketing purposes or for messages about our services if we think they may be of interest to you. We may also contact you to seek feedback on services provided by us or for market or other research purposes.
In some cases, we may wish to process personal data for reasons other than those mentioned above. If this is the case, we will ask you for your explicit consent. If we ever want to process personal data that we are allowed to process on the basis of your consent for other or more purposes, we will first ask for your consent again.
Lastly, we may also use your personal data to protect our and/or our users’ rights or property and, if necessary, to comply with legal proceedings.
Provision to third parties
In the context of our services, we may make use of services provided by third parties, for example, if these third parties have specialist knowledge or resources that we do not have in-house. These third parties are so-called processors or sub-processors, who will process the personal data on the basis of your exact order. Other third parties who are not, strictly speaking, personal data processors but do have or may have access to your personal data include our system administrator, suppliers or hosting parties of online software, or advisers whose advice we seek. If engaging third parties means that they have access to the personal data or that they themselves record and/or otherwise process it, we will agree (in writing) with those third parties that they will comply with all obligations of the GDPR. Of course, we will only engage third parties whom we can and may assume to be reliable parties, who handle personal data adequately, and who can and will comply with the GDPR. This means, among other things, that these third parties may only process your personal data for the aforementioned purposes.
It is also possible that we have to provide your personal data to third parties in connection with a legal obligation.
Under no circumstances will we disclose your personal data to third parties for commercial or charitable purposes without your explicit consent.
We will not process your personal data longer than is useful for the purpose for which it was provided (see the section on Objectives and principles for processing personal data). This means that your personal data will be kept for as long as it is necessary to achieve the objectives in question. Certain data must be kept for a longer period (usually seven years) because we must comply with legal retention obligations (e.g. the fiscal retention obligation).
We have taken appropriate organisational and technical measures for the protection of personal data in so far as these can reasonably be expected of us, taking into account the interests to be protected, technical innovations, and the costs of the relevant security measures.
We oblige our employees and any third parties who necessarily have access to personal data to maintain confidentiality. We also ensure that our employees have received correct and complete instructions on the handling of personal data and that they are sufficiently familiar with the GDPR’s responsibilities and obligations. If you would like to know more about this, we are happy to inform you further about how we have designed the protection of personal data.
You have the right to inspect, rectify, or delete any personal data that we have about you (except of course if it conflicts with any legal obligations). Furthermore, you can object to the processing of your personal data (or part thereof) by one of our processors. You also have the right to have the data provided by you transferred by us to yourself or directly to another party if so desired.
Personal data incidents
In the event of an incident (a so-called data breach) involving the relevant personal data, we will inform you immediately, unless there are serious reasons for not doing so, if there is a concrete risk of negative consequences for your privacy. We aim to do this within 48 hours after we have discovered this data breach or have been informed of it by our (sub)processors.
If you have a complaint about the processing of your personal data, we ask you to contact us. Should this not lead to a satisfactory outcome, you have the right to file a complaint with the Authority for Personal data, the supervising privacy authority.
Processing within the EEA
We will only process personal data within the European Economic Area, unless you agree otherwise in writing with us. Exceptions to this are situations in which we want to map out contact moments via our website and/or social media pages (e.g. Facebook and LinkedIn). Examples are visitor numbers and the number of web pages requested. Your data will be stored by third parties outside the EU when using Google Analytics, LinkedIn, or Facebook. These parties are EU-US Privacy Shield certified so they must comply with European privacy regulations. This only concerns a limited amount of sensitive personal data, in particular, your IP address.