Privacy and personal data.
At FabLab Wageningen we take your privacy seriously – and we did so even before the famous AVG (Algemene Verordening Gegevensverwerking / the Dutch version of the EU-wide privacy law) came into force.
When and where (and why) we handle and store personal data:
We only handle and store personal data that are necessary to establish and maintain a relation, and we do that as long as the relation exists. Think in this context of subscription holders, participants in workshops and courses, suppliers, customers and the like. We receive all data from the relations themselves, as we never buy data from outside.
The only case where we will (and effectively need to) handle data given to us by a third party is when we receive a request for a group event and the requestor supplies all data to us centrally.
We assume that the establishment of a relation (agreement to start a subscription, confirmation of participation in a course etc.) implicitly gives FabLab Wageningen permission to handle and store the relevant personal data.
In terms of the AVG, FabLab Wageningen is a ‘gegevensverantwoordelijke’ (responsible for keeping data).
What type of data do we keep:
We keep both personal and business data:
- Name, address and e-mail address.
- Employer / firm when applicable.
- Subscription details (year, start, rebate if applicable).
- Transaction details (sales, purchases) where and when applicable.
- Optional activities (board membership, course teacher, workshop host).
- Bank account.
We explicitly do not keep nor process special personal data as listed under ‘bijzondere persoonsgegevens’ in the AVG.
Sharing of data with ‘third parties’:
It is impossible to keep all data exclusively in-house. There are parties with whom we need to share (part of) our data in order to be able to function properly. These concern:
- Triodos Bank – who handles our payments.
- e-Boekhouden – who hosts our on-line accounting / bookkeeping software.
- VimeXX Hosting – who hosts our website.
- Google – who hosts our shared drives.
- Mailchimp – who handles our mailings.
- StartHub – for controlling access to our workspace.
In terms of the AVG, these parties are ‘gegevensverwerker’ (responsible for processing data from external sources). If necessary, we will review our contracts with these parties to guarantee safe and confidential processing of our data, but in most cases this is already covered by current contracts.
We will never share our data with, or sell it to, any other third party, unless legally obliged to do so. The only exception is that we need to report to the parties that currently subsidise us: the City of Wageningen and Wageningen University. In these cases, however, we aggregate data to a non-personal (group) level and take care that these are strictly anonymous.
Photos on our website and social media.
Obviously, we like to place photos on our website and on the social media where we have a presence. We regard this as regular promotion and sharing of ideas, without which we cannot function as a FabLab. We will do so without explicit prior consent of the persons portrayed, but only under the condition that we do not mention personal details.
In practice, this means that we will not place photos with a caption like: ‘Anne Seaweed of class 7B of Headache College in Wageningen is visibly enjoying her masterclass Ballistic Missile Making’. Instead, we will preferably anonymise this to: ‘College-grade students love our workshops’. If a portrayed person nevertheless objects to the publication of a photo or an associated caption, he or she can send us a request to remove it, stating the reason.
Rights of individuals and organisations:
The AVG gives both individuals and organisations the right to:
- Request to see all data the FabLab stores and processes about this person / organisation.
- Request correction of any data perceived to be incorrect.
- Request removal of any data perceived to be obsolete or irrelevant.
- Request that all or specified ‘third parties’ stop processing data.
- Request anonymization of captions of photographs portraying the person.
- Request removal of photographs portraying the person.
Requests of the above kinds can be sent to ‘firstname.lastname@example.org’. In case of (legal) conflict, the designated legal authority is the ‘Autoriteit Persoonsgegevens’, to which legal objections should be directed. Obviously, we sincerely hope issues will not reach that far.
There is one significant exception to the above: we are forced to retain all relevant information for VAT (sales tax) calculation for 7 years. Think of invoices in this respect. This is a legal obligation we cannot escape.
Wageningen, May 2018.