Privacy Policy

Introduction

When advising on and concluding financial products or services, we ask for a lot of confidential information from customers. Customers of organization name general (variable) should be able to assume that we handle the information provided to us in a careful manner and that this information is not shared with others without the express consent of the customer.

In this sense, careful handling of the recording and exchange of personal data is a prerequisite for a careful financial service. Confidentiality is an important aspect for our company and the attitude of the professionals working in it.

In order to carry out our work effectively, it is necessary that we personally exchange the data with providers and, for example, claims handlers and counterparties, because this goes to the heart of our tasks as a financial service provider. In addition, it is possible that we provide information to, for example, the Dutch Tax Authorities or the Netherlands Authority for the Financial Markets on the basis of legal obligations.

We have mapped out the personal records we have kept and processed them in our internally held processing register. Customers and other data subjects can receive them upon request. Here they will find information about the data we process and about the parties with whom we can exchange this data.

1. Definitions

For the purposes of this Regulation:

- the law: the General Data Protection Regulation (GDPR) and the GDPR Implementation Act;
- personal data: any data about an identified or identifiable natural person;
- processing of personal data: any act or set of acts relating to personal data, including in any case the collection, recording, arranging, storage, updating, modification, retrieval, consultation, use, provision by transmission, dissemination or any other form of making available, bringing together, linking, as well as the blocking, erasure or destruction of data;
- 'file' means any structured set of personal data, whether centralised or disseminated in a functionally or geographically defined manner, accessible according to certain criteria and relating to different persons;
- 'controller' means the natural person, legal person or any other person or administrative body which, alone or together with others, determines the purpose and means of processing personal data;
- processor: the person who processes personal data on behalf of the controller, without being subject to his direct authority;
- 'data subject' means the person to whom a personal data relates;
- third party: any person, other than the data subject, the controller, the processor, or any person authorised to process personal data under the direct authority of the controller or processor;
- recipient: the person to whom the personal data are provided;
- 'consent of the data subject' means any free, specific and information-based expression of will by which the data subject accepts that personal data concerning him or her are being processed;
- supervisory authority: Dutch Data Protection Authority;
- providing personal data: disclosing or making available personal data;
- collection of personal data: obtaining personal data.

2. Scope

1. These regulations apply to the fully or partially automated processing of personal data. They also apply to the non-automated processing of personal data contained in a file or intended to be included therein.

2. These regulations apply within the organization name general (variable) and relate to the processing of personal data of customers, employees and other natural persons involved.

3. Purpose

1. The purpose of collecting and processing personal data is to have the data necessary for the realization of the purposes as described in the articles of association, the annual plans and other plans of Icen Risk B.V., the realization of legal purposes and the conduct of policy and management in the context of these purposes.

2. The purposes for which data is collected and processed within Icen Risk B.V. are explicitly described in the Annex.

4. Representation of the person concerned

1. If the person concerned is a minor and has not yet reached the age of 16 or if the person concerned is of age and has been placed under guardianship, the consent of their legal representative is required in the place of the consent of the data subject. The consent is recorded in writing. If the data subject has issued a written authorisation in respect of his representative vis-à-vis the processor, the co-authorisation by the written agent is required.

2. Consent may be withdrawn at any time by the data subject, their agent authorised in writing, or their legal representative.

5. Responsibility for management and liability

1. The controller is responsible for the proper functioning of the processing and management of the data; under the responsibility of the controller, an administrator is usually entrusted with the actual management of the personal data.

June 2021

2. The controller shall ensure that appropriate technical and organisational measures are implemented to protect against any loss or any form of unlawful processing of data.

3. The responsibility referred to in paragraph 1 and the provisions of paragraph 2 shall apply without prejudice if the operation takes place by a processor, this shall be governed by an agreement (or by another legal act) between the processor and the controller.

4. The controller is liable for damage or disadvantage caused by non-compliance with the regulations of the law or these regulations. The processor is liable for that damage or disadvantage, insofar as it was caused by its actions.

6. Lawful processing

1. Personal data will be processed in a proper and careful manner in accordance with the law and these regulations.

2. Personal data is collected only for the purposes referred to in these regulations and is not further processed in a way that is incompatible with the purposes for which it was obtained.

3. Personal data should be adequate and relevant, taking into account the purposes for which they are collected or subsequently processed; no more personal data must be collected or processed than is necessary for the purpose of registration.

4. Personal data may only be processed if:
- the data subject has given his unambiguous consent for the processing;
- the data processing is necessary for the performance of an agreement to which the data subject is a party (e.g. an agreement to conclude a financial product or financial service or the employment contract with the data subject) or for acts, at the request of the data subject, that are necessary for the conclusion or assisting in the management of an agreement;
- the data processing is necessary to comply with a legal obligation of the controller;
- the data processing is necessary in connection with a public interest of the data subject;
- the data processing is necessary for the sake of an interest of the controller or of a third party, unless that interest is contrary to the interest of the person whose data are processed and that interest precedes it.
- The recording of the social security number will only take place if there is a legal basis for this. As a rule, such a basis will not be present for our services.
- Anyone acting under the authority of the controller or the processor – and also the processor itself – only processes personal data on behalf of the controller, except in case of deviating legal obligations.
- The data are only processed by persons who are obliged to maintain confidentiality on the basis of a (employment) agreement.

7. Processing of personal data

1. The processing takes place by employees of our company or other natural persons who are engaged in financial services activities under our responsibility.
2. The processing is generally carried out in connection with the execution of an agreement, namely the service agreement. In those cases where there is no performance of such an agreement, the processing takes place with the express consent of the data subject.
3. The processing takes place in order to be able to carry out our work as an advisor and/or mediator in financial products and services.

8. Special personal data

1. The processing of personal data about a person's religion or belief, race, political affiliation, health, sexual life, membership of a trade union or criminal personal data is prohibited, except in cases where the law explicitly determines by whom, for what purpose and under what conditions such data may be processed (Articles 9 and 10 of the GDPR).

2. As a financial service provider, we may process information about your health in our administration, provided that this is not necessary for the proper execution of our work. We may also request data about any criminal history from you, if this is necessary for the proper execution of the agreement, provided that you explicitly grant your consent for this.

9. Data processing

Data obtained from the data subject

1. If the personal data are obtained from the data subject himself, the controller shall inform the data subject, before the moment of acquisition, of:
- his identity;
- the purpose of the processing for which the data are intended, unless the data subject already knows that purpose.
- The controller shall provide the data subject with further information to the extent that, having regard to the nature of the data, the circumstances under which they were obtained or the use made of them, this is necessary to ensure proper and careful processing vis-à-vis the data subject.

Data obtained from sources other than the data subject

1. In addition to the information received from the data subject, the controller may, for the purposes described, obtain information from external sources which the controller deems reliable. Think for example of the CIS foundation for the prevention and fight against fraud in the insurance industry.

2. The controller shall ensure that, in any processing of personal data, only those personal data that are accurate, adequate, relevant and not excessive are processed.

10. Right of access

1. The data subject has the right to take note of the processed data relating to his person.

2. The controller shall inform everyone in writing, at his request - as soon as possible within four weeks of receipt of the request - whether personal data concerning him are being processed. Such communication may incur charges. In addition, the data subject who requests access to his personal records may be asked for a copy of a valid identity document.

3. If this is the case, the controller shall, if desired, provide the applicant with a complete overview in writing, as soon as possible but no later than four weeks after receipt of the request, containing information on the purpose or purposes of the data processing, the data or categories of data to which the processing relates, the recipients or categories of data providers and the origin of the data.

4. If a significant interest of the applicant so requires, the person responsible shall comply with the application in a form other than that adapted to that interest.

5. The controller may refuse to comply with a request if and to the extent that it is necessary in connection with:
- the detection and prosecution of criminal offences;
- the protection of the data subject or of the rights and freedoms of others.

11. Provision of personal data

1. In principle, personal data is provided to a third party only after the consent of the data subject or his representative, barring a legal regulation or a state of emergency to that effect.

2. The exception to this rule is the exchange of information with parties that need information for the implementation of the agreement, such as insurance companies, banks, lenders or parties involved in the treatment of claims.

3. Finally, we can provide personal data in order to comply with legal obligations, such as to the Dutch Tax Authorities and the Netherlands Authority for the Financial Markets.

12. Right to correction, addition, removal

1. At the written request of a data subject, the controller shall correct, supplement, delete and/or shield the personal data processed about the applicant if and to the extent that these data are factually incorrect, incomplete, irrelevant for the purpose of the processing or include more than is necessary for the purpose of the registration, or are otherwise processed in violation of a legal regulation. The request of the person concerned shall contain the amendments to be made.

2. The person responsible shall inform the applicant in writing as soon as possible, but no later than four weeks after receipt of the application, whether he complies with it. If he does not want to comply with this or does not want to comply fully, he motivates it. In this context, the applicant has the possibility to contact the complaints committee of the person responsible.

3. The person responsible shall ensure that a decision to improve, supplement, remove and/or shield is implemented within 14 working days or, if this is not reasonably possible, as soon as possible thereafter.

13. Data retention

1. Personal data is stored in a form that makes it possible to identify the data subject for no longer than is necessary for the realization of the purposes for which they are collected or subsequently processed.

2. The official determines how long the recorded personal data will be stored.

3. If the retention period of the personal data has expired or the data subject requests deletion before the expiry of the retention period, the relevant data will be deleted within a period of three months.

4. However, removal shall not be made where it is reasonable to assume that:
- the retention is of great importance to someone other than the data subject;
- the retention is required during the period of a policy of insurance;
- the retention is required by law (including the Financial Supervision Act); or
- there is agreement between the data subject and the person responsible.

14. Processing register

1. A fully or partially automated processing of personal data intended for the realization of a purpose or related purposes has been mapped out by us and processed in an internally held processing register, before the processing is started.

2. In those cases where a continuous automated process for the processing of personal data poses a high risk to the data subject, taking into account the nature and context of the personal data held, we will carry out a data protection effect assessment before we start this processing and ensure that we have sufficient control over the risks associated with it, in order to be able to adequately guarantee the rights of data subjects.

3. The internal processing register shall state:

- the name and address of the responsible;
- the purpose or purposes of the processing;
- a description of the categories of data subjects and of the (categories of) data relating thereto;
- the recipients or categories of recipients to whom the data can be accessed;
- the retention periods held.

15. Data breaches

1. If the controller is confronted with a data breach, she investigates whether personal data has been lost or whether unlawful processing cannot be excluded.

2. If the aforementioned research shows that personal data of a sensitive nature has been leaked or for another reason there is (a significant chance of) adverse consequences for the protection of the processed personal data, then the controller informs the Dutch Data Protection Authority about the data breach.

3. If the controller has not (properly) encrypted all leaked personal data, or if the data breach is likely to have adverse consequences for the privacy of the data subject for other reasons, the controller also reports the data breach to the Netherlands Authority for the Financial Markets. It is possible that in consultation with the aforementioned supervisors it is also decided to inform the data subjects about the possible data breach.

16. Complaints ruling

If the person concerned considers that the provisions of this Regulation are not being complied with, they may address:

- the person responsible;
- the Dutch Data Protection Authority with the request to mediate and advise in the dispute between the data subject and the controller;
- the court.

17. Amendment, entry into force and copy

1. Amendments to these Regulations shall be made by the person responsible.
2. The amendments to the rules are in force four weeks after they have been announced to those involved.
3. These regulations entered into force on 1 May 2021.
4. These regulations can be seen by the person responsible. If desired, a copy of these regulations can be obtained at cost price.

18. Unforeseen

In cases not provided for in these Regulations, the person responsible shall decide, taking into account the provisions of the law and the purpose and scope of these Regulations.

Information about the General Data Protection Regulation:

- text of the law
- the website of the Dutch Data Protection Authority