Version: 25 May 2018
2. Personal data processed by us
Depending on the type of Services you use, or Products you purchase, the personal data we collect and process about you include:
- Your contact details, such as name, email address, home address and (mobile) phone number.
- Your account details and (electronic) identification data, such as your account on the website or your Rijksstudio account, your bank account number, electronic identification data such as your IP or MAC address, as well as the data you have added to your account yourself (such as your user name, password, date of birth, interests).
- Information related to the use of our online Services or applications, such as the web pages you visit, Products and Services you are interested in, the contents of your shopping basket.
- Information related to the Products and Services that you purchase from us, such as your hobbies and interests, profession/work, pictures, personal features and the knowledge that you have used that specific Product or Service.
- The content of your communications with us, for example, when you contact us by email, phone or otherwise.
3. The purposes and legal basis for processing your personal data
The Rijksmuseum collects and uses your personal data for the purposes set out below, based on the law. Insofar as the Rijksmuseum already holds your personal data, these personal data will be used for the same purposes and on the same legal basis.
- Required for the execution of an agreement
Your personal data are collected and processed to handle your purchase of Products and your request to provide Services. In addition, we process your personal data to handle any requests, complaints or questions from you.
- Required to represent the legitimate interests of the Rijksmuseum
We may use the aforementioned personal data to improve our Products and Services and to better understand and approach our visitors and relations, both on an aggregate and an individual level. This means that we analyse your use of our Products and Services and that we use this information to improve our Products and Services in order to provide you with an improved user experience (for example, we analyse which web pages you visit and which Products and Services you use, which enables us to create personal profiles and assess what could be of interest to you and what recommendations we can give you when using our Services).
- Based on consent
To the extent necessary, we will ask for your consent to keep you informed about news or offers related to our Products and Services.
You can withdraw your consent at any time. How you can do this is described below.
- Required to comply with a legal obligation
We may use your personal data to comply with applicable laws, to comply with requests from public bodies and authorities, or to cooperate with law enforcement.
5. Who receives your personal data?
Only authorised employees of the Rijksmuseum have access to your personal data to the extent necessary for the performance of their work at the Rijksmuseum.
We will not disclose the personal data you have provided to us to third parties without your express prior consent, unless we are required to do so for the purposes set out under section 3. For example, we may pass on your personal data to suppliers/service providers for the execution of agreements we have concluded with you, such as payment processing. In addition, we may disclose your personal data to public authorities to comply with applicable legal obligations.
6. Transfer of your personal data
Unless otherwise stated, we process and store your personal data within the European Union. It may be that our service providers transfer your personal data to a country outside the European Economic Area (“EEA”) that does not offer the same level of protection under European law as the country where you normally use your products and/or services. In that case, we will take the necessary steps to ensure that your personal data are adequately protected, such as drafting standard EU contracts with parties outside the EEA.
We take appropriate and reasonable security measures to protect your personal data against unauthorised access, modifications, disclosure, loss or improper use, and to protect the accuracy and integrity of your personal data. In order to ensure a risk-adapted level of security, we implement technical and organisational measures, including security with regard to access to our systems.
8. How long do we keep your personal data?
9. What rights do you have with regard to your personal data and how can you exercise these rights?
Under the applicable laws and regulations, you have a number of rights with regard to your personal data, including:
- Right of access. At your request we will provide you, free of charge, with information regarding the personal data we process about you.
- Right to rectification. At your request we will correct, supplement, block or delete your personal data in the event that these are factually incorrect, incomplete or irrelevant for the objective or objectives of the processing, or when these are processed in any other way that infringes a legal provision.
- Withdrawal of consent. You can withdraw your consent at any time for future processing by us of your personal data.
- Right to object. You have the right to object to the processing of your personal data for marketing purposes.
- Right to restriction of processing. If applicable, you have the right to request a restriction on the processing of your personal data by the Rijksmuseum. This means that your personal data may (temporarily) not be processed and changed.
- Right to erasure. If applicable, we will delete your personal data without unreasonable delay (right to be forgotten).
- Right of opposition. If applicable, you have the right to object to the processing of your personal data based on, among other things, the basis of the “legitimate interest” of the Rijksmuseum.
- Right to transfer data. If applicable, we will provide you with an overview of the personal data you have provided to us, so that these data can be transferred to another data controller, to the extent that this (data portability) is technically possible.
- Right to file a complaint. Finally, you have the right to file a complaint with the supervisory authority if you believe that your personal data are being processed in violation of this privacy statement.
If you wish to exercise one of your rights, you can do so by using the contact information set out below.
10. Contact information
P.O. Box 74888
1070 DN AMSTERDAM