a.s.r. real estate

Privacy Statement of a.s.r. real estate

Personal data protection policy of ASR Real Estate B.V.

Who we are
ASR Nederland N.V. is the point of contact for the processing of personal data by all its brands, including ASR Real Estate B.V.

Visitor address
Archimedeslaan 10
3584 BA Utrecht
The Netherlands

Postal address:
Postbus 2008
3500 GA Utrecht
The Netherlands

Facebook Twitter (asr) WhatsApp: +31(0)623889539 Telephone: +31(0) 30 257 9111

1 How do we handle your personal data?
ASR Real Estate B.V. (hereinafter referred to by its trading name a.s.r. real estate) is a division of ASR Nederland N.V. We handle your personal data with due care as much as possible. We abide by the applicable (privacy) laws and regulations.

When do we process your personal data?

This personal data protection policy applies to all your personal data that a.s.r. real estate processes if you are a client of ours, when you visit our website, use our apps or when you contact our customer service. This policy also applies to situations in which, for example, you have had contact with a.s.r. real estate, but did not become a client of ours.

2 What personal data do we process?
If you apply for a tenancy agreement, partnership agreement, investment or a financial or other service from a.s.r. real estate or if you provide us with a service, we will ask for your personal data. You provide us with this data through your adviser/intermediary (hereinafter referred to as adviser) or directly via our website, by email or by telephone.

a. Name and address details
The personal data we process depends on the type of contact we have with you:

If you visit our websites, we will collect data on your visit to our website via cookies and our cookie settings.

If you request information from us, we will ask you to provide us with your contact details so that we can send you the information.

If you become a client, we will require at least your contact details (name, address, telephone number and email address and in some cases also your date of birth and gender). We use this data to ensure performance of the agreement we have with you.

If you submit a complaint via our websites, we will request the personal data necessary to handle your complaint.

b. Financial data
If you are a client of ours, we will use your bank account number to make and collect payments.

We also have access to your income details if we require these to determine whether you qualify for a rental property or to determine a rent increase of the property you rent. We also have your income details if we require these to determine whether you can enter into a long-term leasing contract with us or, in some cases, can rent commercial property.

c. BSN
In some cases, we also hold your citizen service number (Dutch acronym: BSN). This will be the case, for instance, for land tenancy agreements as we are obliged to pass your citizen service number to the agricultural tenancies authority. We will process your BSN only when we have legal grounds to do so.

d. Data about your contact with us
We process data about the contacts you have had with us in order for us to see:
• What the contact was about (product, advice, offer, service discussion, message, complaint, information);
• When the contact took place and with which department;
• How the contact took place, for instance by post, via the tenant portal, via the website, by telephone, by email, via the newsletter, via an adviser or via chat.

We use this data to see what contact we have previously had with you. If it concerned a question, a complaint or advisory opinion, we will be able to see this in your client file and will be able to help you better when you next contact us.

e. Video footage of license plates and visitors
We can take video footage with cameras that recognise license plates in our parking facilities. Besides that, we can use surveillance cameras in and around our housing estate, commercial real estate and parking facilities.

f. Business data

In our business services we also process personal data. These are the names of contact persons, shareholders or UBOs (ultimate beneficial owner or ultimate stakeholder) of a company or PEPs (politically exposed persons). Pursuant to the Money Laundering and Terrorist Financing (Prevention) Act, we must determine who our business clients' UBOs are.

3 Where do we obtain your data from?
In most cases, we obtain the data directly from you. Besides the information that we obtain from you, we may also receive and process data from third parties, such as the manager, the Dutch Tax & Customs Administration, the Chamber of Commerce or other third parties, such as market research agencies. We can also process your personal data if you visit our commercial real estate or parking facilities. We record the sources of data we have received in our processing register if these sources are known.
4 Why do we process your data?
We process personal data for the following reasons:

a. Service provision
We use your details to get in touch with you, to assess whether you can become a client or business partner of ours or to amend our agreement. We may use your data to manage your agreement and to handle questions, complaints and financial affairs. Besides this we use your personal data to manage incidental transactions, such as license plate data to charge parking costs.

b. Risk mitigation
We also use your data to mitigate risks, for instance by:

• Ensuring a good level of security. This includes user names, passwords and security questions and camera surveillance;
• Performing an internal quality review of potential problems and risks, and assessing whether statutory compliance has been achieved;
• Ensuring that we maintain the health and integrity of our business (risk management).

c. Marketing activities
We like to keep you up-to-date, for instance by sending emails, newsletters, special offers on our website or via social media, or by targeted advertising in apps and on third-party sites and social media. We also use your personal data for these.
We do so by:
• Assessing which a.s.r. products and services you use and which you do not;
• Logging your choices and search terms, for instance if you visit our web pages or apps, or open our emails, such as the newsletter. And we analyse these;
• Combining the data that we have gathered with personal data (e.g. an insurance application) as well as general data from other sources (e.g. the Chamber of Commerce).

If you prefer not to receive personalised offers, you can opt out via the contact details section at “Who we are” shown on the website of a.s.r. real estate.

d. Improvement and innovation
We also use your personal data to improve our products and services. We do so by combining and analysing the data. These analyses inspire new ideas and improved solutions. These analyses enable us to:
• Resolve the root cause of problems, improve pages and forms on the website and speed up processes;
• Measure how clients use our services and assess the result of a campaign. And to improve things, where necessary;
• Develop new services;
• Create reports of our analyses and insights, and use these to provide information services at an aggregated level. When creating reports and analyses, we remove any personal data that we do not need, where possible. We can also combine data at a certain level of abstraction (aggregation), encode it (pseudonymisation) or anonymise it.

e. Identifying fraud and abuse
We also store data for the purposes of identifying fraud, abuse and improper use. For this purpose, we can exchange data within a.s.r. real estate with other financial institutions or external investigative agencies. In doing so, we comply with the Insurance and Criminality Protocol and the Financial Institutions Incident Warning System Protocol, if applicable. The latter protocol involves at least the following parties: the Dutch Association of Insurers (Verbond van Verzekeraars), the Dutch Banking Association (Nederlandse Vereniging van Banken), the Mortgage Fraud Foundation (Stichting Fraudebestrijding Hypotheken), the Association of Financing Companies in the Netherlands (Vereniging van Financieringsondernemingen in Nederland) and Zorgverzekeraars Nederland (the umbrella organisation of ten health insurers in The Netherlands). In the event of a personal investigation in connection with an insurance, we adhere to the rules of the Code of Conduct for Personal Investigations. To monitor the security and integrity of the various labels within a.s.r. real estate, we use a Central Events Administration. This database stores (personal) data that require our special attention with regard to certain events. Data from the Central Events Administration can only be accessed through our Security Department or other authorised employees.

5 What is the legal basis for using your personal data?
We process your personal data based on one of the following legal bases:

  1. You have given consent. If we process personal data after you have given us your consent, you may withdraw your consent at any time. You can do so by contacting us by telephone or by email. Our contact details are also listed at the bottom of every newsletter we send you.
  2.  The processing is required for the performance of the agreement, e.g. a tenant agreement.
  3. The processing is required to comply with a statutory obligation. Financial services providers are subject to many statutory obligations. We are a financial services provider, which is why we are required to verify your identity if you become a client of ours (identification obligation), and in certain cases we are under an obligation to provide data to government bodies. We will ask for this data as a consequence of these obligations. Failing to provide these data may have certain implications for you. If we are unable to verify your identity, we will not be able to enter into an agreement with you. If we have not received information on your criminal record, or if the information was incorrect, we will not be able to conclude an agreement with you. If an agreement has already been concluded based on incorrect information, we are entitled to terminate it.
  4. The processing is required in order for us to defend a legitimate interest, for instance when we investigate suspected fraud. When we do so, we have to strike a balance between the legitimate interest of ourselves or a third party and your interests. We will weigh up these interests in writing and inform you of this as soon as possible.

6 How do we secure your data?
We handle your data with due care and take the necessary technical and organisational measures to ensure an appropriate level of protection. We pay considerable attention to the optimal security of our systems processing personal data. We monitor the security or our data traffic 24 hours a day. In addition, our processes are set up in such a way that only those employees who need to have access to certain systems are allowed such access.

Technical and organisational measures
We have taken technical and organisational measures to protect your data from loss or unlawful processing. These include measures to ensure the secure use of our website and IT systems, and to prevent abuse. They also include the security of physical spaces where data is stored. We have in place an information security policy and train our employees in the field of personal data protection. Only authorised personnel can see and process your data. All our employees have sworn an oath or affirmation. Employees swear or affirm that they will abide by legislation, regulations, codes of conduct, and that they will act with integrity.

7 How long do we store your data?
We do not retain your data any longer than necessary. In some cases, the law determines how long we may or must keep data. In other cases, we have made our own determination of how long we need to retain your data. In this context, we have established a comprehensive retention periods policy. For example, we keep client files for seven years following the end of the relationship with a.s.r. real estate. However, we hold onto real estate files for at least ten years following the end of the relationship with a.s.r. real estate. If you have any specific questions about this, please contact us.

8 Who do we share your data with?
We only provide personal data to third parties if this is permitted by law and is required for the business operations of a.s.r. real estate.

1. At ASR Nederland N.V.
If you are a customer of one of the labels (De Amersfoortse, Ardanta, Ditzo, De Europeesche Verzekeringen), which are divisions of ASR Nederland N.V. in addition to a.s.r. real estate, we may share your personal data with one of the other labels of ASR Nederland, for instance as part of a responsible underwriting policy and to prevent and combat fraud.

We can also share data between the various departments of ASR Nederland to process your application or to gain an understanding of the products and services you have with us. This allows us to provide you with a better service.
It is possible that you will receive offers for other products of the labels that come under ASR Nederland N.V. If you do not wish to receive offers for other products, you can let us know.
If you have an adviser, you will only receive messages from us in coordination with your adviser.

2. Government
Sometimes we are under a statutory obligation to pass on certain personal data to the government. This includes the Dutch Tax & Customs Administration, the Employee Insurance Administration Agency, the police, the judicial authorities or regulators, such as the Dutch Central Bank (DNB), the Netherlands Authority for the Financial Markets (AFM) and the Dutch Data Protection Authority.

3. Service providers and business partners
If permitted by law, we can share data with your adviser where this is required to provide the service. We sometimes need your consent for this.

We also engage other businesses to provide services on our behalf relating to the contract that you have concluded with us. For real estate matters, for instance, these will include a real estate manager, a surveyor, a civil-law notary or a maintenance or repair company. We will make arrangements with these parties to ensure that your personal data remains protected.

We may also outsource the processing of personal data to third-party data processors. For instance, we engage IT service providers to arrange for maintenance and support functions. In most cases, these IT service providers are considered processors because they do not have independent control of the personal data that is provided by a.s.r. real estate to the IT service provider for the service to be provided. In these situations, a.s.r. real estate remains responsible for the due processing of your data.

4. CIS database
To ensure a responsible underwriting and risk policy, and to prevent fraud, we record your data in the Central Information System (CIS) of Stichting CIS and also consult this system. We adhere to the rules of the CIS user protocol. Subject to strict conditions, we can share data with insurers affiliated with CIS via Stichting CIS. For more information, see the website of Stichting CIS.

5. Third parties outside the European Economic Area (EEA)
If we share data with a service provider in a country outside the EEA, we will make arrangements with them so that we always comply with the rules that have been agreed within the European Economic Area. We will then use the standard clauses, i.e. model contracts approved by the European Union to ensure that a sufficient level of protection of personal data is achieved.

9 What are your rights?
1. Access to and rectification of data
You have the right to ask us what personal data of yours we process and to ensure that incorrect data is rectified.

We will ask security questions or ask for a copy of your ID* in order to verify your identity.
You will receive our reply within four weeks.

*ID
When providing a copy of an identity document, your passport photo and citizen service number (BSN) must be obscured. We also recommend to mark on the copy that it is intended only for the purpose of exercising your personal data protection rights.

2. Right to erasure (‘right to be forgotten’)
In a number of cases and subject to conditions, you have the right to have your personal data that we hold erased. This is the case when:
• The personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
• You have withdrawn your consent for processing;
• You make a reasoned objection to the processing;
• Your personal data has been unlawfully processed by us;
• The personal data has to be erased for compliance with a legal obligation;
• It concerns personal data about your child that was collected in connection with a direct offer of online services to your child.

The right to be forgotten is not an absolute right. We can decide to reject your request and not to erase your data if your request is not based on one of the aforementioned reasons, or (i) in order to exercise the right to freedom of expression and information; (ii) in order to comply with a statutory obligation; or (iii) to establish, exercise or defend a legal claim.

If we reject your request to erase your personal data, we will inform you of the reasons why we are unable to honour your request.

3. Restriction of processing
If you believe that we are processing your information unlawfully, you can request that the processing be restricted. This means that we may no longer process the data.

4. Data transfers (data portability)
You have the right to obtain a copy of the personal data that you have provided to us for the performance of the agreement that you have concluded with us or based on your consent. This only concerns personal data that we have received from you and not data that we have received from third parties. The aim of this right is to enable you to easily transfer this data to another party.

5. Right to object
You always have the right to object to the processing of your personal data that takes place based on our legitimate interest or the legitimate interest of a third party. In that case, we will no longer process your data unless there are compelling legitimate grounds for processing that take precedence, or that relate to the establishment, exercise or defence of legal claims.

6. Opting out of personalised offers
You have the right to opt out of newsletters or personalised offers in relation to our financial services. In commercial offers, we will always offer you the option to opt out. We may phone you for commercial purposes. We follow the rules of the Dutch Do Not Call Registry. Visit the website www.bel-me-niet.nl to opt out of commercial cold callingand to find out more about the Dutch Do not Call Registry. Such opt outs in the Dutch Do Not Call Registry only apply to companies and organisations with which you have no relation. Even if you are listed in the Dutch Do Not Call Registry, please note that companies or organisations of which you are or have been a customer may still call you for a similar product or service. (Source: Dutch Do Not Call Registry)

10 Email and social media (chat, WhatsApp, Facebook)
1. Email
Before we communicate with you by email, we will ask for your consent, unless you have previously given your consent. You may withdraw your previously given consent at any time.

2. Social media
You can choose to contact us by online chat or via our social media pages on Facebook, LinkedIn or via Twitter or WhatsApp. If you contact us through one of these channels, we will store the data you send us through these channels in a secure environment. In order to respond to personal questions in your social media message, we will ask you to share your contact details with us in a personal message (direct message or email). This allows us to verify that we are talking to the right person.

The information we receive from you via these platforms is governed by this personal data protection policy. Use of social media is your own responsibility. This personal data protection policy is not applicable to how social media platforms handle the personal data that you provide. We advise you that many social media platforms are established outside the European Union and store their data outside the European Union. In most cases, the personal data protection legislation of the European Union will not then apply. We encourage you to consult the privacy statements of these social media channels for further information on how they process your personal data.

11 Profiling
We compile profiles of our clients based on the data that we collect for the purposes of analysing this data and thus obtaining insight into (future) actions and preferences. We will then be able to respond appropriately, for instance by sending targeted advertising/information to customers based on their browsing behaviour that has been tracked using tracking cookies. When we do this, we comply with the relevant rules and regulations. This means, for instance, that we ask consent in advance if legally required. This is the case, for instance, for profiling involving special categories of personal data.

12 Supervision

  • The Dutch Data Protection Authority (Dutch DPA): supervises compliance with the GDPR
  • The Netherlands Authority for Consumers and Markets (ACM): supervises compliance with the Dutch Telecommunications Act (this involves cookies and direct marketing, amongst others)
  • De Nederlandse Bank (DNB) (the Dutch central bank) and the Dutch Authority for the Financial Markets (AFM): supervise the operation of the financial markets in general, including the interest of the customer
  • The Data Protection Officer of ASR Nederland N.V. (refer below for the contact details)

13 Amendments to personal data protection policy
Personal data protection legislation does not stand still. We may therefore make amendments to this personal data protection policy in order to keep pace with new developments, for instance if our business activities change or if there are changes in statute or case law. For this reason, we advise you to regularly check this privacy statement when you visit one of our websites. We will also actively inform you of any changes to this personal data protection policy by means of a pop-up banner, email or news message on our websites.

14 Questions or complaints?
If you have any questions about this personal data protection policy, please contact the Data Protection Officer of ASR Nederland N.V. Send an email to: privacy@asr.nl or address a letter to:

a.s.r.
Attn.: The Data Protection Officer
Integrity Department
Postbus 2072
3500 HB Utrecht
The Netherlands

If you have any questions about privacy, please contact us via asr.klachten.asrvv@asr.nl or via the complaints form on our website https://asrrealestate.nl/klachtenpagina.

You can also always submit a complaint to the Dutch Data Protection Authority

(https://autoriteitpersoonsgegevens.nl or call them on 0900-2001201 – in the Netherlands only).

Personal data protection policy published on the website of www.asrrealestate.nl and last updated 5 June 2020.