General Terms and Conditions

Our General Terms and Conditions
PRIVACY POLICY KROESEPATERNOTTE

1. SCOPE
This is the Privacy Statement of KroesePaternotte, a partnership with its registered office and principal place of business at Amsteldijk 194-bg, (1079 LK) Amsterdam, and listed in the Trade Register of the Chamber of Commerce under number 34314993, and its partners (“KroesePaternotte”). KroesePaternotte is the A1 retail specialist in the Netherlands. KroesePaternotte has been active in the retail market since 1984, its business ranging from retailers in high streets, shopping centres and home furnishing malls to department stores and other retail locations. This Privacy Statement explains how KroesePaternotte handles personal data it receives from you. We believe it is of the utmost importance that your personal data is handled with care. When processing your personal data, KroesePaternotte observes the General Data Protection Regulation (“GDPR”) and any and all laws and regulations that arise from it.

This Privacy Statement applies to all online and offline types of personal data received by KroesePaternotte from:
• (potential) suppliers, customers, contractors, clients and other relations of
KroesePaternotte;
• the lessees and lessors of the retail locations;
• visitors to the website of KroesePaternotte (https://www.KroesePaternotte.nl)
and/or the app Winkelwijzer;
• recipients of information from KroesePaternotte;
• all other persons in contact with KroesePaternotte.

2. WHAT PERSONAL DATA CAN WE PROCESS?

KroesePaternotte can process the following personal data, always subject to a legal ground provided by the GDPR:

• Personal data that you have provided yourself:
• contact details (name, address, place of residence, e-mail address, phone number(s);
• identity information;
• payment details (bank account number). personal data obtained through means of communication, such as the website,
newsletters and emails:
• contact details;
• information about the device with which you visited our website, such as an IP address;
• your surfing behaviour on the website, such as:
o which data/web pages you have viewed;
o how you navigate the website;
o whether you to open a newsletter or email and which parts of it you click on;
o the dates and times of your visit to the website;
• the operating system you are using;
• the Internet address of the website to which the link is made;
• the geolocation;
• the data sent to KroesePaternotte;
• the data downloaded from the website.
Personal data obtained from other sources:
• data regarding lessees that is disclosed by lessors;
• data available from public sources such as, but not limited to, social media sources;
• data obtained from the Trade Register of the Chamber of Commerce and the Land Register;
• data available on public business websites.

3. WHY DO WE USE YOUR PERSONAL DATA?
KroesePaternotte processes your personal data for the following purposes:

• to perform the agreement it has concluded with you;
• to verify your identity;
• to meet the requirements of the Dutch Money Laundering and Terrorist Financing
(Prevention) Act (“Wet ter voorkoming van witwassen en financieren van
terrorisme”, “Wwft”);
• to inform you about products and services of KroesePaternotte;
• to contact you for newsletters, only if you have signed up for them (opt-in);
• to manage, secure, adapt and improve the website and related technologies;
• for marketing/commercial purposes;
• for recruitment and selection;

4. LAWFULNESS OF PROCESSING
KroesePaternotte defines the purposes and means of the processing of personal data. This means that KroesePaternotte is the controller within the meaning of the GDPR. The processing of personal data requires a legal basis. In the following cases, KroesePaternotte may process your data:

• if you have given KroesePaternotte permission for the processing of your personal data for one or more specific purposes.
• if the processing is necessary for the performance of an agreement to which you are a party, or to take measures at your request prior to the conclusion of an agreement;
• if processing is necessary in order to comply with a legal obligation that rests on KroesePaternotte;
• if the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in KroesePaternotte;
• if the processing is necessary for the protection of a legitimate interest of KroesePaternotte or of a third party, unless the interests or rights of the data subject outweigh the legitimate interests of KroesePaternotte or the third party.

KroesePaternotte may rely on the following legitimate interests:
• improvements to our IT management;
• analysis and improvement of the services and content of our website or app;
• research and analysis of our services;
• provision, improvement, adaptation and support of services;
• improvements to security;
• prevention and countering of fraud, unauthorised use, violations of our terms and
conditions and policy rules and any other harmful or illegal activities.

5. USING SPECIAL PERSONAL DATA
We only process special personal data if it is required to verify your identity in the context of the Wwft. With respect to processing Special Personal Data, KroesePaternotte relies on the provisions referred to in Article 9(2)(g) GDPR and Section 25(a) of the Dutch GDPR Implementation Act (“Uitvoeringswet AVG”).

6. ENGAGEMENT OF THIRD PARTIES
KroesePaternotte may engage third parties who process personal data on behalf of KroesePaternotte as controller. These may be:
• (government) organisations;
• contractors/suppliers, including but not limited to suppliers of IT services.

KroesePaternotte remains responsible for the processing of personal data in the situations set out above. KroesePaternotte concludes processing agreements with these organisations. KroesePaternotte may also enter into collaborations with third parties who themselves are co-controllers. In such cases, KroesePaternotte will conclude an agreement between controllers with these third parties. As a result of a merger, takeover or sale of its business (or a part of it), KroesePaternotte may share your personal data with the party (or parties) involved in that merger, takeover or sale.
Naturally, we will inform you about this via email and/or a clearly visible notification on our website, and we will inform you about your rights in this regard. Aside from sharing your personal data with third parties as provided in this section, KroesePaternotte does not sell your personal data to third parties.

7. AUTOMATED DECISION-MAKING
KroesePaternotte does not make decisions based on automated processing about matters that may have considerable consequences for individuals. This refers to decisions made by computer programs or systems without human intervention (e.g. by an employee of KroesePaternotte).

8. TRANSFER OF PERSONAL DATA OUTSIDE THE EUROPEAN ECONOMIC AREA
Due to the international character of KroesePaternotte, it may sometimes be necessary to transfer your personal data to suppliers, potential or actual buyers, sellers or other business partners established outside the European Economic Area (EEA). For example, if one of KroesePaternotte’s servers is located outside the EEA. In accordance with Articles 44-49 GDPR, KroesePaternotte will only transfer your personal data to other countries outside the EEA:

1. if the European Commission has decided that the third country concerned safeguards an adequate level of protection, or
2. if appropriate safeguards are provided for and the data subjects have enforceable rights and have effective legal remedies at their disposal. Furthermore, KroesePaternotte may transfer your personal data to suppliers, potential or actual buyers, sellers or other business partners established outside the EEA if one of the statutory exceptions may be relied on (see Article 49 GDPR). For example:
1. the transfer is necessary for the performance of an agreement concluded between you and KroesePaternotte;
2. if you have given your express consent to do so, after having been sufficiently informed.

In situations where KroesePaternotte transfers your personal data outside the EEA, we
treat your personal data with respect and take measures to ensure that your personal
data remains completely secure. Please bear in mind that in certain situations, personal
data may be disclosed to public authorities in the context of judicial proceedings, a court
order or legal proceedings.

9. PROTECTION
KroesePaternotte takes ongoing and structural measures to optimally protect your personal data against unlawful use. KroesePaternotte takes physical, administrative, organisational and technical measures. Measures taken by KroesePaternotte include:
• access to the personal data is restricted to authorised persons, whereby this number
is kept as low as possible;
• all employees of KroesePaternotte (regardless of the form of their employment) have signed a confidentiality agreement whereby they undertake to observe complete confidentiality with regard to all information of a confidential nature or of which they must understand its confidential nature, including personal data;
• the electronic transmission of personal data always takes place in encrypted form and via a secure connection;
• the website is secured via https;
• If personal data is provided to third parties, KroesePaternotte concludes processor agreements and/or agreements with co-controllers.

Following on from the above, KroesePaternotte ensures that all its user settings, programs
and services are set up in such a way that, right from the start, your privacy is protected to
the greatest possible extent. Where possible, KroesePaternotte takes ongoing privacyincreasing security measures.

10. RETENTION PERIODS
KroesePaternotte retains your Personal Data as long as we deem necessary in order to be able to provide you with care and other services, to facilitate your use of the website, to comply with applicable legislation, to resolve disputes with other parties, and for other purposes insofar as required to enable us to carry out our business activities. KroesePaternotte will in any case retain your Personal Data for the term of the agreement
you have concluded with KroesePaternotte. Some personal data are subject to statutory retention periods. KroesePaternotte fully complies with these retention periods. The copy of the verified identity document that is retained pursuant to Section 33(1)(a)(1) Wwft as proof of the identification obligation is subject to a statutory retention period of 5 years, counting from the moment the data is recorded, or as much longer as is reasonably required.

11. THIRD-PARTY WEBSITES
This Privacy Statement does not apply to third-party websites that are connected to our website via links. This is because we cannot guarantee that such websites handle your personal data reliably or securely. We urge you to always read the privacy statement of such websites before you use them, to acquire more information about the manner in which they will handle your personal data.

12. MINORS
If you are not yet 16 years of age, you are not allowed to use our website unless you are supervised by your parents or legal representatives.

13. RIGHTS OF DATA SUBJECTS
If any of your personal data is processed, you have a number of rights, which are set out below. You may exercise these rights by submitting your request in writing to KroesePaternotte or by sending an email to info@kroesepaternotte.com. KroesePaternotte is required to verify your identity before your request can be met. Unless explicitly stated otherwise below, KroesePaternotte will respond to your request
as soon as possible, but at the latest within one month. In principle, your requests will be processed electronically (and will therefore be replied to by email), unless this is not possible or you request otherwise. In principle, KroesePaternotte will not charge you for the processing of the
aforementioned requests, unless your requests are excessive, manifestly unfounded or if you request additional copies when exercising your right of access. • Viewing and/or modifying data You can ask us at any time to indicate which (categories of) data KroesePaternotte on you are being processing, for which purposes, from which source the data come and which retention periods are applied. In addition, you can contact us at any time to complete, correct or delete your data. In the unlikely event that KroesePaternotte has provided incorrect personal data about you, KroesePaternotte will rectify this. If KroesePaternotte has changed your personal data, KroesePaternotte will notify you accordingly.

Limit the processing of your data
If you do not agree with the content of the data on you stored by KroesePaternotte, you can submit a request to temporarily restrict the processing of your data.

Withdrawing consent
You may also withdraw your permission to process your data at any time. Upon receipt of your letter or email, KroesePaternotte will immediately cease processing of your personal data for which you have given your permission. However, the withdrawal of your permission does not affect the processing operations that have already taken place.

Right to transfer data
You can retrieve the personal data on you stored by KroesePaternotte in a structured, common and machine-readable form. After receiving your personal data, you are free to transfer this information to a third party.

Right to be forgotten
If you no longer wish to make use of KroesePaternotte’s services, you may submit a request for the deletion of all your personal data.

Right to object
You have the right to object to the processing of your personal data that KroesePaternotte bases on ‘legitimate interests of KroesePaternotte or a third party’ and ‘performance of a task carried out in the public interest’. If KroesePaternotte relies on such a basis, it weighs these interests against your privacy. The right to object gives you the opportunity to ask KroesePaternotte to weigh the interests once more.

Right to lodge a complaint / initiate legal proceedings
If you do not agree with KroesePaternotte’s use of your personal data, you can also lodge a complaint with the Dutch Data Protection Authority (“Autoriteit Persoonsgegevens”) or initiate legal proceedings. You can find the Dutch Data Protection Authority’s contact details by clicking here.

14. QUESTIONS/COMMENTS/COMPLAINTS/SUSPECTED DATA LEAK/PRIVACY OFFICER
If you have any questions, remarks or complaints about the protection of your personal data by KroesePaternotte or if you suspect that there is a Data Leak you can of course contact us.

Our contact details are:
KroesePaternotte.
Amsteldijk 194-bg
1079 LK Amsterdam
e-mail: info@kroesepaternotte.com

KroesePaternotte has appointed a privacy officer who will monitor the application of and
compliance with the privacy regulations within the organisation. The privacy officer’s
contact details are: W.P. Schut MRE, email: info@kroesepaternotte.com.

15. CHANGES AND APPLICABLE LAW
KroesePaternotte reserves the right to modify or change this Privacy Statement. If significant changes are made to this Privacy Statement or to the manner in which KroesePaternotte processes your personal data, we will notify you of this via email and/or a clearly visible notification on our website. None of the provisions of this Privacy Statement are intended to create any obligation or agreement between KroesePaternotte and you as a data subject. Dutch law will apply to the provisions of this Privacy Statement and all disputes arising there from. This Privacy Statement was last revised on and is valid from 25 May 2018.