Privacy

Privacy Statement & Privacy Regulation

Privacy

Privacy Statement

You share certain personal data with WiSH Outdoor to enable our staff to give you the best possible service as agreed. These data tell us something about yourself, or can be linked to you as a person in various ways. As far as the processing of these data is concerned, WiSH Outdoor does of course abide by the principles of the General Data Protection Regulation (GDPR).

The personal data that WiSH Outdoor processes will depend on the assignment, but we ask you to provide us with only the data that are strictly necessary so that we can guarantee the agreed form of service.

Principles of processing your personal data

For processing the personal data, WiSH Outdoor follows the principles as set out in the GDPR. These principles must be respected at all times when processing personal data and are as follows:

  • Lawful, proper and transparent;
  • Exclusively for legitimate purposes;
  • Not more or longer than necessary;
  • Accurate, up to date and confidential;
  • Appropriate technical and organizational security measures.

Personal data will be processed only for specific, designated purposes on a lawful basis. These are:

  • Client acceptance;
  • To perform the agreed service;
  • To be able to provide information on the service;
  • Communication relating to the service.

Retention period

WiSH Outdoor will retain your personal data no longer than necessary for providing the agreed service. Precisely how long will depend on the specific data and the form of service for which your data are processed, and is laid down in various laws. A record and retention policy ensures that the correct retention period is adhered to.

Security

WiSH Outdoor takes all technical and organizational measures that may reasonably be expected of it to secure your personal data. Naturally these measures are entirely in line with prevailing laws and regulations and the current state of the art.

Upon taking up employment with WiSH Outdoor, new employees are instructed in the rules and procedures within the organization, in particular concerning the applicable security rules and procedures. Attention is regularly given to increasing our employees' awareness of security and privacy issues.

Sharing

Your personal data are not shared unless there are legal grounds to do so, for example if the police, judiciary or regulators request information from us under the law. The courts can also oblige us to provide information or allow such information to be inspected.

WiSH Outdoor stores its data always within the borders of the EU. Should data be shared outside these borders in connection with the service we provide, this will always be done with the appropriate level of security.

Subprocessors

For us to be able to carry out our service, we make use of a number of partners. It is possible that your personal data will be stored, with your permission, with one of these partners. Naturally WiSH Outdoor has made agreements with these partners on how your personal data must be handled. These agreements are laid down in processor agreements. Which and how many partners are involved will depend on the service WiSH Outdoor provides for you, but these will be partners in the following categories:

'Infrastructure as a Service' service providers in the field of data centres, data storage and data communication (Microsoft, Dataplace Nedzone, Solimas, Transip, Cloudflare);

'Software as a Service' service providers in the field of crow building software such as online ticketing services and online visitor administration (Eventix, In2event, Appic).

Complaints & regulation

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) checks whether WiSH Outdoor complies with the General Data Protection Regulation. Data subjects have the right to submit a complaint to a regulatory authority if they believe that their rights have been breached. The regulator in that case is the Dutch Data Protection Authority.

Questions and requests to access, rectify and erase your personal data

If you would like more information about your personal data that WiSH Outdoor processes, we can only provide this information once it is sufficiently clear who you are (identification) and that you are also the person you say you are (authentication).

Concerning your personal data, you have a number of legal rights:

  • The right to access your personal data held by us;
  • The right to submit a request to rectify or erase your personal data;
  • The right to object to a certain way in which your personal data are used.

In certain cases, WiSH Outdoor cannot or is not permitted to rectify or erase data, for example if this is contrary to the law and regulations. A request for access or rectification can be submitted in writing to our Data Protection Officer at the following address:

WiSH Outdoor Nederland B.V.
T.a.v. Data Protection Officer
Bosscheweg 26a
5741 SX Beek en Donk

We will send you a written reply to your request within four weeks.

Privacy regulations

More detailed information on the protection of personal data can be found in the accompanying privacy regulations. This document can be provided at request.

Application

This privacy statement is applicable to WiSH Outdoor Nederland B.V. and the companies affiliated to it at any time.

Amendments to this statement

WiSH Outdoor may amend or update this privacy statement from time to time. You can see when it was most recently updated from the revision date at the end of the statement. The amendments and additions are effective from the date on which they are posted. It is therefore advisable to view the privacy statement from time to time to check whether it contains any relevant changes.

Most recently amended on: 09-06-2022

Privacy Regulation

REGULATIONS ON THE PROCESSING OF PERSONAL DATA

Article 1 Definitions

1.1     In these regulations, the terms below have the following meanings:

  1. GDPR: Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Official Journal No. L119 of 4 May 2016, p. 1 et seq.; 
  2. WiSH Outdoor: WiSH Outdoor Nederland B.V. and each of the legal entities affiliated with it in a group, each of which operates separately under the brand name 'WISH Outdoor' in a specific field of the (corporate) events and festivals;
  3. Customer: the person who has instructed WiSH Outdoor to carry out work;
  4. Data Subject: the natural person identified or identifiable by means of personal data.
  5. Supplier: the party who provides services or delivers goods to WiSH Outdoor;
  6. Employee: a person who performs work for WiSH Outdoor on the basis of an employment contract or other type of agreement;
  7. UAVG: Act of 16 May 2018, Bulletin of Acts and Decrees of the Kingdom of the Netherlands 2018, 144, containing rules for the implementation of the GDPR (General Data Protection Regulation Implementation Act), in Dutch UAVG (Uitvoeringswet Algemene verordening gegevensbescherming).

1.2 Incidentally, all terms contained in these regulations, which are identical to the terms defined in Article 4 of the GDPR, have the same meaning as defined in that article.

Article 2 Applicability

2.1 These regulations apply to the processing of personal data by WiSH Outdoor as controller.

2.2 These regulations do not apply to the processing of personal data by WiSH Outdoor as processor. In that case, the relationship between WiSH Outdoor and the relevant controller will be governed by a data processing agreement within the meaning of Article 28(3) of the GDPR.

2.3 These regulations also have the meaning as set out in Article 30(1) of the GDPR, entitled ‘Records of processing activities’.

Article 3 Controller

3.1 WiSH Outdoor Nederland B.V., with its registered office in Beek en Donk The Netherlands, will be regarded as the controller under these regulations, regardless of whether the processing of personal data is carried out by WiSH Outdoor Nederland B.V. or by a group company of WiSH Outdoor Nederland B.V.

3.2     As the controller, WiSH Outdoor Nederland B.V. has appointed a Data Protection Officer for WiSH Outdoor as a whole.

3.3 Data Subjects may contact the Data Protection Officer referred to in Article 3.2 to exercise their rights under these regulations and for all other matters relating to the processing of personal data by WiSH Outdoor, regardless of whether such processing is carried out by WiSH Outdoor Nederland B.V. or by a group company of WiSH Outdoor Nederland B.V. The contact details of this Data Protection Officer are:

WiSH Outdoor Nederland B.V.

T.a.v. Data Protection Officer

Bosscheweg 26a

5741 SX Beek en Donk

email: privacy@wishoutdoor.nl

Article 4 Purpose of processing the personal data

4.1 WiSH Outdoor processes personal data for the following purposes:

  1. to perform contracts with Customers;
  2. to perform contracts with Suppliers;
  3. to perform contracts with Employees;
  4. to exercise rights of claim and other rights arising from agreements;
  5. to carry out marketing activities;
  6. to carry out recruitment activities;
  7. to comply with WiSH Outdoor's statutory obligations;
  8. the specific purpose for which personal data are processed with the consent of the Data Subject.

4.2 The personal data are processed by WiSH Outdoor on the basis of the following legal grounds:

  • for the purposes referred to in Article 4.1(a) to (d): Article 6(1)(b) of the GDPR (performance of a contract);
  • for the purpose referred to in Article 4.1(e): Article 6(1)(a) of the GDPR (consent of the Data Subject) or Article 6(1)(f) of the GDPR (representation of the legitimate interest of WiSH Outdoor);
  • for the purpose referred to in Article 4.1(f): Article 6(1)(a) of the GDPR (consent of the Data Subject);
  • for the purpose referred to in Article 4.1(g): Article 6(1)(c) of the GDPR (compliance with legal obligations);
  • for the purpose referred to in Article 4.1(h): Article 6(1)(a) of the GDPR (consent of the Data Subject).

4.3 If the processing of personal data by WiSH Outdoor is based on the consent of the Data Subject, the Data Subject will at all times have the right to withdraw the consent. The withdrawal of consent only applies to the future.

Article 5 Categories of Data Subjects and personal data

5.1 WiSH Outdoor processes personal data of the following categories of Data Subjects, in so far as they are natural persons: 

  1. Customers;
  2. Suppliers;
  3. Employees;
  4. Persons who have consented to the processing of personal data for the purpose of carrying out marketing activities or recruitment activities;
  5. Persons who have consented to the processing of personal data for another specific purpose.

5.2     WiSH Outdoor processes the following categories of personal data, but only in so far as processing these data is necessary for the relevant purpose:

Identification data

  1. name;
  2. address;
  3. date of birth;
  4. place of birth;
  5. citizen service number;
  6. ID number;
  7. telephone number;
  8. email address;
  9.  IP address;

Transaction data

  1. bank account number;
  2. credit entries to, debit entries from and transfers to bank accounts;

Financial data

  • tax returns;
  • financial and advisory reports;
  • invoices;
  • credit notes;
  • payslips;
  • payment history; 
  • income;

Audiovisual information

         (s) CCTV footage taken at WiSH Outdoor offices or festival grounds.

 

Article 6 Provision of personal data to third parties

6.1 WiSH Outdoor provides personal data to the following recipients, but only to the extent that this is necessary for the purpose in question or WiSH Outdoor is obliged to do so under the law:

  1. Tax and Customs Administration;
  2. Chamber of Commerce;
  3. Investigative authorities;
  4. Supervisory authorities.

6.2 WiSH Outdoor will inform the Data Subject about the provision of personal data to the categories of recipients referred to in Article 6.1, unless it is prohibited from doing so under the law.

 

Article 7 Processing or transfer of personal data in or to third countries

7.1 WiSH Outdoor will not process the personal data in or transfer them to a country outside the European Union or the European Economic Area, if it has not been established by a decision of the European Commission that this country guarantees an appropriate level of protection within the meaning of Article 45(1) of the GDPR, unless:

  1. with the explicit written permission of the Data Subject, or
  2. appropriate safeguards within the meaning of Article 46(1) of the GDPR are in place.

7.2 WiSH Outdoor will inform the Data Subject about the intention to process personal data in or transfer personal data to a third country, stating the data referred to in Article 13(1)(e) of the GDPR.

Article 8 Retention of personal data

8.1 WiSH Outdoor will not retain personal data for longer than is necessary for the purpose for which the personal data are processed and furthermore with due observance of the applicable statutory retention periods. Personal data will then be anonymized, pseudonymized or deleted.

8.2 WiSH Outdoor may retain personal data for a longer period than provided for in Article 8.1, but only to the extent that those personal data are retained for historical or scientific research or for statistical purposes and are processed with due observance of the provisions of Article 89(1) of the GDPR.

Article 9 Security of personal data

9.1 WiSH Outdoor will take appropriate technical and organizational measures to protect the personal data against loss and any form of unauthorized or unlawful processing, including unnecessary collection and further processing thereof, taking account of the stipulations of Article 32(1) and (2) of the GDPR. A general description of the measures referred to above is given in Appendix A.

9.2 WiSH Outdoor will take measures to ensure that personal data are only processed by Employees who are authorized to do so by virtue of their position or duties and that Employees will not process more personal data than is necessary for the relevant purpose.

Article 10 Processors

 

10.1 WiSH Outdoor is authorized to engage third parties as processors in the processing of personal data. The processors engaged by WiSH Outdoor for the processing of personal data are listed in Appendix B.

 

10.2 The legal relationship between WiSH Outdoor and the processors referred to in Article 10.1 is governed by a data processing agreement concluded between WiSH Outdoor and each of those processors within the meaning of Article 28(3) of the GDPR.

 

Article 11 Rights of the Data Subject

11.1 The Data Subject has the right to:

  1. access the personal data concerning him or her that are processed by WiSH Outdoor and the information referred to in Article 15(1) of the GDPR; 
  2. rectification or completion of incorrect or incomplete personal data concerning him or her processed by WiSH Outdoor in accordance with Article 16 of the GDPR;
  3. erasure of personal data concerning him or her that are processed by WiSH Outdoor in the cases referred to in Article 17(1) of the GDPR;
  4. restriction of the processing of personal data concerning him or her by WiSH Outdoor in the cases referred to in Article 18(1) of the GDPR;
  5. receive the personal data concerning him or her in a structured, commonly used and machine-readable format and the right to transmit those personal data to another controller in the cases referred to in Article 20(1) of the GDPR.

 

11.2 The Data Subject furthermore has the right to object to the processing of personal data concerning him or her and to request a cessation of such processing in the cases referred to in Article 21(1) and (2) of the GDPR.

11.3 The exercise of the rights referred to in Articles 11.1 and 11.2 will be effected by submitting a request to that effect (hereinafter referred to as 'the request') to WiSH Outdoor by or on behalf of the Data Subject. The request will be sent to the address referred to in Article 3.3.

11.4 The request must contain information that makes it possible to identify the Data Subject. In the absence of such data, WiSH Outdoor may require that the Data Subject identify himself or herself. This identification can take place at one of the offices of WiSH Outdoor. The request will be deemed to have been received as soon as the identity of the Data Subject has been established.

11.5 WiSH Outdoor will deal with the request as soon as possible after receipt and will inform the Data Subject within one month thereafter of the manner in which the request has been complied with. That period may be extended by two months. In the event of an extension, the Data Subject will be informed within one month of receipt of the request.

11.6 If the request is not complied with, WiSH Outdoor will inform the Data Subject of this within one month of receiving the request, stating reasons. In that case the Data Subject has the option of submitting a complaint to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or filing a petition to the court as referred to in Article 35 of the UAVG.

11.7 Submitting and processing the request, providing information in response to the request and taking measures to implement the request are free of charge.

11.8 If a request is manifestly unfounded or excessive, for example because it is made repeatedly, WiSH Outdoor is entitled either to charge administrative costs or to refuse compliance with the request.

 

Article 12 Dispute settlement

12.1 If the Data Subject does not agree with WiSH Outdoor's decision not to comply with the request referred to in Article 11.3 or if there is any other dispute between the Data Subject and WiSH Outdoor about the application of these regulations, the Data Subject has the option, on the basis of Article 36 of the UAVG, to apply to the Dutch Data Protection Authority with the request to mediate.

12.2 If the Data Subject makes use of the option referred to in Article 12.1, WiSH Outdoor will cooperate fully in the settling of the dispute by the Dutch Data Protection Authority.

Article 13 Notifications and communications

13.1 All notifications or communications by WiSH Outdoor to the Data Subject within the framework of these regulations will be made in writing and will be sent to the postal address or email address of the Data Subject as included in WiSH Outdoor's records, unless the Data Subject has explicitly provided a different address in writing for this purpose.

13.2 If the Data Subject so requests, the notifications or communications referred to in Article 13.1 may also be made orally by WiSH Outdoor to the Data Subject, provided that the identity of the Data Subject has been established.

Article 14 Final provisions

14.1 These regulations have been adopted by the management board of WiSH Outdoor Nederland B.V. and will apply to WiSH Outdoor as a whole with effect from 1 January 2022.

14.2 These regulations may be amended at any time by a resolution of the managing board of WiSH Outdoor Nederland B.V. to this effect. The amendment of the regulations will be laid down in writing and will be announced in the manner to be determined by the resolution to amend the regulations.

____________________ 

Appendix A  General description of security measures

For the security of its organization and infrastructure, WiSH Outdoor ICT thrives to comply with the internationally recognized standard for information security: the ISO 27001 standard. The standard applies to the ICT processes: information, information systems, networks, and to the IT personnel that support the business processes.

By regularly carrying out information security checks, WiSH Outdoor maintains a high level of information security. WiSH Outdoor has selected all control measures on the basis of risk analyses and from the baselines and policy. 

The information security policy of WiSH Outdoor contains various control measures, which are subdivided into the following categories:

  • Security of the physical ICT environment;
  • Development and maintenance of information systems;
  • Management of operating assets;
  • Employees;
  • Secured applications;
  • Supply relationships;
  • Management of information security incidents.

Appendix B  List of processors

  • Microsoft
  • Transip
  • MailChimp
  • Eventix
  • Dropbox
  • Appic