Privacy statement

  • ASR Nederland N.V. is the point of contact with regard to the processing of personal data by all its entities, including ASR Real Estate B.V.

    In some cases, ASR Real Estate B.V. represents group companies that are subsidiaries of ASR Nederland N.V., as well as:

    the ASR Dutch Core Residential Fund;
    the ASR Dutch Prime Retail Fund;
    the ASR Dutch Mobility Office Fund;
    the ASR Dutch Science Parks Fund;
    the ASR Dutch Farmland Fund;
    the ASR Property Fund;
    the ASR Green Energy Fund I.

    ASR Real Estate B.V. is independently responsible for processing personal data.

    Visiting address:

    Archimedeslaan 10
    3584 BA Utrecht

    Postal address:

    PO Box 2072
    3500 HB Utrecht

    Other contact details:

    https://en.asrrealestate.nl/contact

  • ASR Real Estate B.V. (hereinafter referred to by its trade name a.s.r. real estate or a.s.r.) is part of ASR Nederland N.V. We handle your personal data with care, in compliance with applicable privacy laws and regulations. All our employees have pledged to act with integrity and in a manner worthy of your trust. This means that they will keep your information confidential.

  • This privacy statement applies to all personal data that a.s.r. real estate processes if you are a customer, visit our website, use our apps or portals, or contact our customer service. It also applies to personal data processed by a.s.r. real estate if you use our business services, and if you had contact with a.s.r. real estate but did not become a customer.

  • If you apply to a.s.r. real estate for a lease, cooperation agreement, investment or other service (financial or otherwise), or if you provide any of these to a.s.r. real estate, we will ask you for your personal data. You can either provide this data to us indirectly via your adviser or broker (hereinafter: adviser), or directly, for example via our website, email or telephone. The types of data that may be collected are set out below.

    a. Name and address

    The type of contact we have with you determines what kind of personal data we process:

    If you visit one of our websites, we use cookies to collect information about your visit.

    If you request information from us, we will ask for your contact details so that we can send you the information you want to receive.

    If you become a customer, we at least need the following contact details: name, address, place of residence, telephone number and email address. In some cases, we may also ask for your date of birth and gender. We use this information to perform the agreement we have with you.

    If you submit a complaint through one of our websites, we will ask you for the personal information we need to process your case.

    b. Financial data
    If you are a customer with us, we use your bank account number to make and collect payments.

    In addition, we may request information about your income if we need this to determine your eligibility for a rental property, or to determine your rent increase. We may also request your income and/or turnover data, as well as your company’s annual figures, if we need this information to determine whether you can enter into a lease or ground lease with us or, in some cases, rent commercial space.

    c. Citizen service number
    In some cases, we may also use or register your citizen service number (BSN), for example if you sign a ground lease with us, as we are required to submit this number to the Land Chamber. We process your BSN only if we have a legal basis to do so.

    d. Data about your contact with us
    We process data about the contact you have with us to determine:

    • What the contact was about (product, advice, offer, service call, message, complaint, information). 
    • When the contact occurred and the department you had contact with. 
    • How you interacted with us (by post, through our tenant portal, website or newsletter, via email, telephone or chat, or through your adviser).

    We use this information to keep track of what we discussed in our previous interactions with you. If you had a question or complaint, this is recorded in your customer file so that we are better able to help you the next time you reach out to us.

    e. Video recordings of number plates and visitors

    We may use cameras for the purpose of number plate recognition in our parking facilities. We may also use surveillance cameras in and around our residential, commercial and retail premises and parking facilities.

    f. Company data

    We also process personal data in providing our business services. This may include the names of companies’ contact persons, shareholders, UBOs (ultimate beneficial owners) or PEPs (politically exposed persons). The Anti-Money Laundering and Anti-Terrorist Financing Act requires us to identify the UBOs of our business customers and suppliers, and to check for PEPs. For more information, please visit the website of the Dutch Authority for the Financial Markets (AFM).

    g. Sustainability performance

    We may also measure the sustainability performance of rental or leasehold properties.

  • In most cases, we get your personal data directly from you. In addition to the information we receive from you, we may also receive and process data from third parties, such as your adviser, the letting agent, the property manager, the tax authorities, the Chamber of Commerce, the Land Registry or the government (government lists such as PEP and sanctions lists), or from other external parties, such as market research or data enrichment agencies. We may also record your personal data when you visit our premises or parking facilities.

    In addition, we may consult other public sources, such as the public registers of De Nederlandsche Bank (DNB) and the AFM, as well as newspapers, websites and your public social media profiles in order to detect or prevent fraud and misuse, and protect a.s.r. 

    You can give a.s.r. permission to collect your personal data through the MyQii app, which allows us to receive and process information from third parties, for example from the tax authorities, the UWV, overheid.nl and mijnpensioenoverzicht.nl.

    In our processing register, we record the third party sources from which we have received data, where these sources are known to us.

    Your use of our websites, apps and portals
    We record data about your use of some of our websites, apps and portals, such as which pages you visit, when you log in to the ‘My –’ environment and your search history. This information allows us to improve your user experience, and we may also use it for marketing purposes. We collect data by placing cookies on your device. In doing so, we process your IP address. As our websites, apps and portals may use different cookies, please refer to the applicable cookie statement of the website, app or portal you are using or have used for specific cookie information. If you visit one of our websites, the cookie statement can generally be found at the bottom of the page, in the footer.

  • We process personal data for the following purposes:

    a. Performing our services
    We may use your data to contact you, to investigate whether you can become a customer or business partner, or to make changes to your agreement. In addition, we may use your data to manage your agreement and handle queries, complaints and financial matters. We may also use personal data to process occasional transactions. For example, we can use your number plate information to charge parking fees. Finally, we process data on the sustainability performance of rental or leasehold properties, for instance to advise customers on efficient energy use, and to measure the return on our sustainability investments.

    b. Assessing and reducing risks
    We also use your personal data to assess and reduce risks, for example by:

    • ensuring proper security. This means that we may record usernames, passwords and control questions, and that we sometimes use camera surveillance.
    • conducting internal quality reviews to identify potential problems and risks, and to assess whether legislation has been properly implemented.
    • knowing our customers and other associates to ensure that we remain a healthy company that operates with integrity (risk management). We conduct a survey before or at the start of a new relationship with a customer or associate to determine whether we can accept them. We will also evaluate whether they can remain a customer or associate during the course of the relationship.

    c. Conducting marketing activities

    We like to keep you informed, for instance by sending you emails or newsletters, through offers on our website or via social media. We may also show you personalised ads through third party apps and websites, or on social media. Sometimes this requires the use of personal data.

    We can acquire this data by: 

    • recording your choices and searches when you visit our websites, use our apps, or open our newsletters or other emails.
    • combining the data we collect ourselves with personal data (such as an application for another product) as well as general data from other sources (such as the Chamber of Commerce).

    Would you prefer not to receive personalised offers? No problem – just use the link in the contact details at the bottom of our promotional emails to unsubscribe on the a.s.r. website. If you are a residential tenant, you can also indicate your preferences in the tenant portal.

    d. Improving and innovating

    We also use your personal data to improve our products and services. We do this by combining and analysing information, which helps us develop new ideas and better solutions. By analysing personal data, we can:

    • Resolve the cause of complaints, improve pages and forms on our website and streamline processes.
    • Assess how customers use our services, measure the impact of campaigns and make improvements where necessary.  
    • Improve our services, for example in response to customer satisfaction surveys.
    • Develop new services.
    • Put together reports on our analyses and insights to provide information services at an aggregated level. Where possible, we will delete personal data that we do not need when preparing analyses. We can also aggregate data at a specific level of abstraction, pseudonymise it through encryption or anonymise it.

    e. Detecting fraud and misuse
    We use various public sources to obtain the personal data we process in order to detect and combat fraud, misuse and improper use (see also Section 3). We may also receive tips or witness reports in this context. In addition, we can gather information by carrying out or commissioning technical, tactical and personal investigations. In conducting these investigations, we may use the services of investigative agencies. If we carry out or commission a personal investigation, we always adhere to the General Data Protection Regulation (GDPR).

    To detect and combat fraud, misuse and improper use, we also record personal data in our central event register, our own incident register (IVR) and that of the financial sector (EVR).

    Central event register
    To monitor the security and integrity of its various entities and brands, ASR Nederland N.V. uses a central event register. This database stores personal and other data relating to certain events that require our special attention. Data from the central event register can only be accessed through ASR Nederland N.V.’s Security Department or other authorised employees. 

    IVR
    To monitor the security and integrity of its various entities and brands, ASR Nederland N.V. also uses its own incident register (IVR). This database stores personal and other data relating to certain incidents that require our special attention. Data from the incident register can only be accessed through ASR Nederland B.V.’s Security Department or other authorised employees. 

    EVR
    The financial sector’s joint register (EVR) allows us to exchange data collected by entities and brands within ASR Nederland N.V. with other financial institutions, and with external research agencies. In doing so, we adhere to the Incident Warning System for Financial Institutions Protocol (PIFI). PIFI is used by:

    • the Association of Insurers;
    • the Dutch Banking Association;
    • the Mortgage Fraud Prevention Foundation;
    • the Association of Finance Companies in the Netherlands;
    • the Association of Dutch Healthcare Insurers. 

    If we record your data in these registers (the IVR or EVR) in connection with suspected fraud or other forms of insurance crime, we will provide you with specific information in advance (what data, why and for how long) – except if this is not allowed or if this would interfere with the investigation. This may be the case, for example, if the police ask us not to inform you. If you do not want us to record this data, you can file an objection. In addition, you can ask for your data to be corrected or deleted (see also Section 9). To receive an overview of the records relating to you stored in the EVR, you can submit a request to the Central Information System Foundation (Stichting CIS). Stichting CIS uses its own privacy and user regulations for this purpose, which can be consulted via its website. We can only process access requests for data recorded by us in our central event record, the IVR or the EVR.

    For more information, see the Incident Warning System for Financial Institutions Protocol (PIFI).

    f. Conducting business transactions and supporting operational activities

    We may process your personal data if this is necessary to conduct business transactions or to support a.s.r.’s operational activities. Examples include potential or actual mergers, acquisitions, the full or partial transfer of assets (such as real estate properties), financing, potential or actual legal proceedings, bankruptcy or restructuring of all or part of the operational activities or a change of UBOs or PEPs (see Section 2f).

  • We process your personal data on one of the following legal bases:

    1. You have given consent. If we process your personal data based on your consent, you can withdraw your consent at any time. You can do so by contacting us by phone or email. We include our contact details at the bottom of our newsletters.
    2. It is necessary for the performance of your contract (e.g. your rental agreement).
    3. It is necessary to comply with a legal obligation. Financial service providers are subject to various legal obligations. As a financial service provider, we are therefore obliged to verify your identity if you become a customer with us (identification obligation), and in certain cases we are obliged to provide data to government agencies. As a result of these obligations, we have to request this data from you. Failure to provide the requested information may have consequences for you. If we are unable to verify your identity, we cannot enter into a contract with you, for example. Furthermore, if a contract has already been concluded on the basis of incorrect information, we may terminate it.
    4. It is necessary in order to protect a legitimate interest, for example if we are investigating suspected fraud. In doing so, we will balance our own legitimate interests (or those of a third party) against your interests. This process is recorded and we will keep you informed about it as much as possible.

  • We handle your personal data with care, and we have taken technical and organisational measures to ensure an adequate level of protection and secure your personal data against loss or unlawful processing. We take great care to ensure optimal security of the systems we use to store personal data. This means that we take measures to keep our websites and IT systems secure and prevent misuse, and that we secure the physical spaces where personal data is stored. We monitor the security of our data traffic 24 hours a day. We also have an information security policy in place and train our employees on personal data protection.

    Only authorised employees who need to access your data can view and process it. All our employees have pledged that they will comply with the relevant laws, regulations and codes of conduct, and that they will act with integrity. In certain cases (for instance if access to special personal data is required), employees must sign an additional confidentiality agreement before being granted access.

  • We do not keep your data longer than necessary. In some cases, the law stipulates how long we may or must retain data. In other cases, we have determined how long we need to store your data. We have drawn up a comprehensive data retention policy for this purpose.

    We retain customer files for at least 10 years after the relationship with a.s.r. real estate has ended, unless a shorter period is permitted under the relevant laws and regulations and the specific situation does not conflict with these.

    If you have any questions about this, please contact us.

  • We only share personal data with third parties if this is permitted by law and necessary for a.s.r.’s operational activities.

    1. Within ASR Nederland N.V.

    a.s.r. real estate does not exchange personal data between the various entities it represents. If you are also a customer of one of the other brands that fall under ASR Nederland N.V., this means that we will not exchange your personal data with those subsidiaries. Some departments of ASR Nederland N.V. that are involved in a.s.r. activities are exempt from this. These include the Security Department, which implements the screening policy on behalf of a.s.r., and Compliance, which monitors compliance with laws and regulations.

    2. The government

    Sometimes we are required by law to share certain personal data with the government, for instance with the tax authorities, the UWV, the police, the Public Prosecution Service, the Chamber of Commerce, or regulators such as DNB, the AFM and the Dutch Data Protection Authority.

    3. Service providers and companies we work with

    If permitted by law, we may share data needed to provide services with your adviser. Sometimes we need your permission to do so.

    We may also engage other companies to perform services for us related to the agreement you have entered into with us. For real estate matters, these include property managers, real estate agents, appraisers, notaries, accountants and companies that perform maintenance or repairs. We make arrangements with these parties to ensure your privacy.

    The processing of personal data may also be outsourced to third parties. For example, we rely on IT service providers for maintenance and support. In most cases, these IT service providers are considered processors, as they have no independent control over the personal data made available to them by a.s.r. real estate in the context of their provision of services. a.s.r. real estate remains responsible for the careful processing of your data in these situations.

    4. Parties involved in business transactions and operational activities

    We may share personal data with third parties in connection with business transactions and operational activities, as explained under 4f. These may include parties who are themselves involved in the business transactions and operational activities in question, such as potential buyers of real estate, an opposing party in legal proceedings or financiers in a business transaction. But they may also include professional advisers to those parties or, for example, a bailiff, if this is necessary for the business transaction or operational activities.

    5. CIS database

    To ensure a responsible underwriting and risk policy, and to prevent fraud, we may record or consult your data in the Central Information System of Stichting CIS. In doing so, we adhere to the rules of the CIS user protocol. We may, under strict conditions, exchange information with insurers affiliated to CIS through Stichting CIS. For more information about this, please visit the Stichting CIS website.

    6. Third parties outside the European Economic Area (EEA)

    If we share data with a service provider in a country outside the EEA, we make arrangements to ensure compliance with the rules agreed for this purpose in the European Economic Area. We do so using the Standard Clauses. This model, which has been approved by the European Union, is used to agree that there is an adequate level of protection for securing personal data.

  • 1. Accessing or correcting data

    You have the right to ask us what personal data we process and to have incorrect data corrected. If you use one of our apps or portals, you can also change certain data yourself in the app or portal in question.

    If you submit a request to access or correct your personal data, we will ask you verification questions or request a copy of your ID* to confirm your identity.

    You will receive a response within four weeks.

    *ID

    If you send us a copy of your ID, please obscure your photo and citizen service number (BSN). We also recommend that you indicate on the copy that it is for the purpose of exercising your rights in relation to your personal data.

    2. Having data deleted and the right ‘to be forgotten’.

    In some cases, and under certain conditions, you have the right to have your personal data erased. This is the case if:

    • the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
    • you have withdrawn your consent to the processing of your personal data;
    • you raise legitimate objections to the processing of your personal data;
    • your personal data has been unlawfully processed by us;
    • you request erasure of your personal data on the basis of a legal obligation;
    • we have collected your child’s personal data in connection with a direct offer of internet services to your child.

    The right to be forgotten is not an absolute right.

    We may decide not to erase your data if your request is not based on any of the above grounds, or (i) to exercise the right to freedom of expression and information; (ii) to comply with a legal obligation; or (iii) to establish, exercise or substantiate legal claims.

    If we do not comply with your request to have your personal data erased, we will inform you of our reasons.

    3. Restricting the processing of your data

    If you believe that we are processing your personal data unlawfully, you can request restriction of processing. This means that your data may no longer be processed by us.

    4. Transfer of data (data portability)

    You have the right to obtain a copy of the personal data you have provided to us for the performance of a contract you have entered into with us or on the basis of your consent. This only applies to personal data we received from you, not to data received from third parties. The purpose of this right is to allow you to easily transfer your data to another party.

    5. Right to object

    You always have the right to object to the processing of your personal data based on our legitimate interest or the legitimate interest of a third party. If you do so, we will no longer process your data, unless there are compelling and legitimate grounds for the processing that outweigh your objection, or that are related to the establishment, exercise or substantiation of a legal claim.

    6. Unsubscribing from personalised offers

    You have the right to unsubscribe from newsletters or personalised offers relating to our financial services, and we always include an unsubscribe option in our commercial offers.

  • 1. Email

    We strive to communicate with you via email or one of our apps or portals as much as possible. You can indicate your preferences via the relevant app or portal. In some situations, you may also receive physical mail from us.

    2. Social media

    You can choose to contact us via our social media accounts on platforms such as Facebook, LinkedIn and Twitter, or via WhatsApp, where available. If you approach us through one of these channels, we will store the data you provide to us in a secure environment. If you send us a personal query on social media, we will ask you to share your contact details with us in a personal message (direct message or email). This allows us to verify that we are talking to the right person before we respond.

    The data we obtain from you through these platforms is subject to this privacy statement. Your use of social media is your own responsibility, however, and this privacy statement does not apply to how social media platforms handle the personal data you provide. Please note that many social media platforms are based outside the European Union, and store data outside the European Union. EU privacy laws usually do not apply to this data. We recommend that you consult the privacy statements of these social media platforms for more information on how they process your personal data.

  • We may create profiles of our customers based on the data we collect, with the aim of analysing this data to gain insight into actions and preferences, including future actions and preferences. We can then use these insights, for example by sending customers targeted advertising or information based on data about their browsing behaviour collected through tracking cookies. We comply with all relevant laws and regulations in doing so. This means that we will seek prior consent if required by law, for example if we create profiles based on special personal data.

    We do not make use of automated decision-making.

  • A number of bodies monitor how we process personal data:

    • the Dutch Data Protection Authority (AP) monitors compliance with the GDPR;
    • the Netherlands Authority for Consumers and Markets (ACM) monitors compliance with the Telecommunications Act (including with regard to cookies and direct marketing);
    • De Nederlandsche Bank (DNB) and the Dutch Authority for the Financial Markets (AFM) are responsible for the general supervision of the financial sector (including with regard to customer interests);
    • ASR Nederland N.V.’s Data Protection Officer (see below for contact details).

  • We will update this privacy statement to comply with changing privacy legislation. We will do so in response to new developments, for example if there are changes in our operational activities, or in the law or jurisprudence. We therefore recommend that you regularly review this privacy statement when visiting any of our websites. We will also actively inform you of substantial changes to this privacy statement by means of a pop-up banner, email or news update on our websites.

  • If you have any questions, for example about this privacy statement, or would like to exercise your rights, you can always contact us through one of the channels available for this. You can find these here:

    https://en.asrrealestate.nl/contact

    You can contact ASR Nederland N.V.’s Data Protection Officer by sending an email to privacy@asr.nl, or by sending a letter to:

    a.s.r.
    Attn: Data Protection Officer
    Compliance
    PO Box 2072
    3500 HB Utrecht
    The Netherlands

    If you have a privacy-related complaint, you can contact us at asr.klachten.asrvv@asr.nl, or via the complaint form on our website https://en.asrrealestate.nl/complaint-page.

    You can also file a complaint with the Dutch Data Protection Authority: https://www.autoriteitpersoonsgegevens.nl/en, +31 88 1805250.

    Privacy statement posted on https://en.asrrealestate.nl/ and last updated March 2024.