Confidentiality & Privacy statement
The Dutch Accreditation Council (RvA) processes personal data in order to carry out its duties assigned by law: accrediting organizations that certify, inspect and test. The RvA considers information security of great importance for its customers and has a legal obligation and responsibility to treat your information confidentially. In this privacy statement we explain how we handle your personal data and other information about you or your organisation.
Legal responsibility regarding confidentiality
As a national accreditation body and independent government agency, the RvA has a legal responsibility to handle data from applicants for accreditation or accredited organisations with care. Therefore, organisations can rely on the fact that the RvA, among other things:
• takes technical and organisational measures to protect confidential information
• works according to the Baseline Information security Government (BIO)
• works according to the rules of the General Data Protection Regulation (GDPR / AVG)
Company data and personal data
When you are in contact with the RvA, you can be asked to share or provide information. For example: quality management system information, or personal data when applying for a job. The RvA treats all information confidentially. For privacy-related information the RvA applies a specific policy that is adapted to the GDPR / AVG. More information about the processing of personal data can be found in the Privacy section below.
Baseline Information security Government
To protect company and personal data, the RvA works in accordance with the Baseline Information security Government (BIO). The BIO is based on NEN-ISO/IEC 27001 and NEN-ISO/IEC 27002. In this context the RvA pays specific attention to access management, confidentiality relationships with (ICT) suppliers and protective measures. Working according to the BIO ensures protection of confidentiality, as well as availability and integrity of information.
Uniform confidentiality policy
As an independent government agency the RvA treats all organisations in the same manner, with uniform policies with respect to confidentiality; each organisation is entitled to the same reliable guarantees. It is not possible to conclude individual confidentiality agreements and processing agreements between the RvA and its customers.
The information below refers to the processing of personal data by the RvA. We explain what personal data are, for what purpose we process personal data, how we do this, and which measures are taken. It also indicates how you can make use of your privacy rights, such as the right of access to your personal data.
What is personal data?
By personal data we mean the information that can be traced back to a natural person, for example a name, home address, or an e-mail address, but also the IP address of your computer. The privacy legislation helps to protect the privacy of citizens and also applies to personal data collected via the internet.
More information on the definition of personal data can be found on the website of the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
On what basis and for what purposes do we process your personal data?
The RvA may obtain your personal data in various ways. In this privacy statement we explain what types of personal data we process, on what basis and for what purpose.
Legal obligation RvA
For the execution of our tasks and the processing of applications, the RvA processes personal data of the organization's contact person. This concerns the name, telephone number and e-mail address.
When applying for a job, you provide us with your personal data by phone, website, post or e-mail. We may also obtain your personal data through a third party (for example an employment agency or recruitment agency). This includes your name and address, telephone number, e-mail address and the personal data from your application letter and cv. These personal data are processed for the purpose of acquiring personnel for our organization. We have a legitimate interest in doing this: to recruit competent personnel with a good fit for the job and for the organization.
Contact via RvA website
You have the option to provide us with your contact information through the RvA website. This includes, for example, filling out the contact form or the complaint form. It concerns your name, e-mail address and phone number. This information is processed with your consent for the purpose of contacting you, for example, to answer a question or make an appointment. If the contact leads to an agreement, the personal data will be processed in order to be able to execute the agreement.
If you sign up to receive our newsletter, we will process your name and e-mail address with your consent, in order to be able to send you the newsletter. You may unsubscribe from the newsletter at any time.
What personal data do we process?
Processing personal data is necessary to carry out the legal task. The RvA will inform you about the processing of your personal data. We only process data you provide or data that you know is already known within the RvA.
The RvA may process the following data:
• Name and surname
• Address information
• Date of birth
• Phone number
• E-mail address
• Personal data from application letter and cv
How do we handle personal data?
The RvA ensures adequate security of your personal data, in line with the applicable legal requirements and guidelines, including the Baseline Information Security Government (BIO, based on ISO 27001 and 27002).
The RvA processes personal data solely for the purpose for which it is collected, limited to what is necessary for this purpose. The RvA does not perform automated decision-making.
The RvA employees have signed a confidentiality agreement and are bound by certain rules regarding the handling of information including personal data.
When and with whom do we share personal data?
The RvA takes the utmost care and restraint in providing personal data to third parties.
The process of accreditation may entail that the RvA shares data, including personal data, with third parties under its responsibility. These third parties are often individuals who, on the basis of their specific expertise, are called upon by the RvA to carry out accreditation assessment on behalf of the RvA.
The RvA uses third-party services to perform its services and process (personal) data. These suppliers are engaged for, for example, ICT support and phone services. These suppliers are not allowed to use the personal data for other purposes or for their own purposes. They are contractually obliged to handle your personal data with care, are bound by a duty of confidentiality, and meet the requirements arising from the GDPR (AVG). A data processing agreement is concluded with all suppliers.
Furthermore, personal data may be shared with third parties in case of a legal obligation to do so, for example by order of the police, or for the implementation of tax and pension law.
How long is your personal data stored?
The RvA will not retain your personal data longer than is necessary for the purpose of the processing or as required under the Dutch Archive law.
Personal data obtained by the RvA for the purpose of a job application will be deleted no later than 4 weeks after the closing of the job application process, in case the RvA does not enter into a contract with you. With your consent the data may be kept for a longer period of time, with a maximum of 1 year. In the case you send an open application and there is no open position that you would like to apply for, the RvA will respond to your application. With your permission, your personal data will then be kept for up to 1 year with a view to possible future vacancies.
If you are subscribed to the newsletter, your personal data will be kept for the duration of this subscription. You may unsubscribe at any time by contacting us. After unsubscribing, your personal data will be deleted within a reasonable time.
Personal data necessary for the execution of the agreement that you or your organization has concluded with the RvA will be kept as long as required by law (fiscal, archival).
If the contact did not lead to an agreement, the personal data will be deleted within a reasonable time.
What privacy rights do you have?
You can make a request in the following situations:
• You want to know what personal data we process about you (article 15 GDPR/AVG).
• You want to have your personal data adjusted (article 16 GDPR/AVG).
• You want to have your personal data deleted (not always possible, article 17 GDPR/AVG).
• You want us to limit the processing of your data (article 18 GDPR/AVG).
• You want to object (article 21 GDPR/AVG).
Contact about your rights
To make a request regarding your rights, please email: firstname.lastname@example.org.
You may also make a request by mail:
Raad voor Accreditatie
Request privacy rights
3500 GT UTRECHT
If you make a request to exercise your rights as described above, the RvA may ask for your identification. The contact information you provide in doing so will be used to process your request. The RvA will respond within 1 month.
You can file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) about the way the RvA processes your personal data.
Data Protection Officer
The RvA has appointed a Data Protection Officer (DPO) who is registered with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). The DPO is independent and supervises compliance with and application of the GDPR (AVG). The DPO can be reached via: email@example.com.
The RvA website also saves analytical cookies. These cookies are used to analyse the website and related statistics, to allow the website to be optimized. Matomo is used to keep track of website visitor statistics. The cookies are only used to keep track of the number of visitors to the website.
In addition, we place cookies that track your browsing habits so we are able to offer customized content. At your first visit to our website, we have already informed you about these cookies and asked for your permission to use them. All stored cookies can be deleted via your browser settings. You may also adjust your browser settings to no longer store cookies.
Privacy statement, April 2022