It is important to Justis to ensure that you know that your personal data are treated with due care. This privacy statement provides general information about the personal data that Justis processes and describes the measures Justis implements to protect your personal data and the rights you have with regard to the processing of your personal data.
What are personal data?
Personal data means any information relating to an identified or identifiable natural person. This means that information refers to a specific person directly or can be traced to that person. There are many types of personal data: for example, a name or home address; but an email address or telephone number can also be personal data.
Special categories of personal data are data of an especially sensitive nature, such as medical data. These are subject to special rules. Criminal personal data also constitute such sensitive data. These are likewise subject to special rules.
The General Data Protection Regulation (GDPR) requires personal data to be processed in a lawful, fair and transparent manner. Pursuant to the GDPR, personal data may only be processed for specific, explicit and legitimate purposes. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) supervises compliance with the statutory rules for the protection of personal data.
- For what purposes does Justis process personal data and for how long are the data stored?
It is necessary for Justis to process personal data in order to comply with its statutory obligations. Justis screens persons and organisations with regard to integrity and uses personal data in that screening. Justis supplies numerous products in connection with that screening and thereby performs various statutory duties. The specific laws and regulations that apply to the product concerned determine the purpose for which Justis is permitted to process personal data.
Justis does not store them for any longer than is required for the purpose of the data processing. This means that the data are removed after they also cease to be necessary for archiving purposes. That is because government bodies are subject to a statutory obligation to manage their information with due care, in order to ensure that it is and remains accessible.
Overview of Justis products and the legal basis and for how long the data are stored per product:
Certificate of Conduct (Verklaring Omtrent het Gedrag, VOG) for natural persons and for legal entities Sections 28-39 of the Judicial Data and Criminal Records Act (Wet justitiële en strafvorderlijke gegevens) Five years Continuous screening of staff of child care facilities and driver's card holders in the taxi sector Section 22a and 22b of the Judicial Data and Criminal Records Act (Wet justitiële en strafvorderlijke gegevens), Passenger Transport Decree (Besluit personenvervoer) and the Act on Child Care and Quality Requirements for Playgroups (Wet kinderopvang en kwaliteitseisen peuterspeelzalen) Five years Certificate of conduct for procurement (GVA) Public Procurement Act 2012 (Aanbestedingswet 2012), chapter 4.1 Five years Bibob recommendations, recommendations issued pursuant to the Public Administration (Probity Screening) Act (Wet bevordering integriteitsbeoordelingen door het openbaar bestuur, Bibob) to administrative bodies Public Administration (Probity Screening) Act (Wet Bibob) Eight years Bibob-register Section 11a of the Public Administration (Probity Screening) Act (Wet Bibob) Five years Risk notifications and network maps for the supervision of legal entities Legal Entities (Supervision) Act (Wet controle op rechtspersonen) 3 months in the event that data collection from automatic assessment does not give rise to manual assessment;
6 months in the event that manual assessment does not lead to risk notification;
2 years after issuance of risk notification
5 years following the provision of information (Section 6(3) Legal Entities (Supervision) Act (Wet controle op rechtspersonen)
Guarantees for insolvency practitioners Insolvency Practitioner Guarantee Scheme 2012 (Garantstellingsregeling curatoren 2012) 10 years after termination of guarantee Licence and permission for (staff of) private security companies and detective agencies Private Security Organisations and Detective Agencies Act (Wet particuliere beveiligingsorganisaties en recherchebureaus) 10 years after termination of licence, exemption or permission and after determination of equivalent EU licence or decision on violation Investigative powers for special investigating officers (Opsporingsbevoegdheid voor buitengewoon opsporingsambtenaren) Special Investigating Officers Decree (Besluit buitengewoon opsporingsambtenaar) 10 years after termination, withdrawal or expiry of the designation, the investigative power or the exemption Decisions on requests for a change of surname and name determination Change of Surname Decree (Besluit geslachtsnaamswijziging) Retained
Decisions on requests for matrimonial dispensation and marriage by proxy Dutch Civil Code Book 1 Section 41(2) and Section 66 Marriage Dispensation: Retained
Marriage by proxy: 5 years
Decisions on requests for a pardon Pardons Act (Gratiewet) Retained in the event of life sentence prisoners or collective pardons;
25 years for all other cases with samples every ten years (which are retained)
Decisions on administrative appeals in cases concerning firearms licences or decisions on applications for exemptions from weapons laws Weapons and Ammunition Act (Wet wapens en munitie) Exemptions: 10 years after termination of the exemption
Administrative appeal: 20 years
Issuing statement on the right to stand for election Section Y 38 of the Elections Act (Kieswet) Six years
- New accordion title
New accordion content
- What personal data does Justis process?
The personal data that are processed for the various products are recorded in the Justis record of processing activities. This also states the purpose and the legal basis for each processing operation.
Justis processes the following categories of personal data:
- Ordinary personal data, such as name, address, place of residence, telephone number, date of birth and place of birth;
- The citizen service number (BSN);
- Special categories of personal data (occasionally), such as data on physical or mental health;
- Criminal personal data
Justis obtains those personal data in various ways:
- from the party requesting the product;
- from public sources, such as the commercial register;
- from sources that are not accessible to everyone, such as the criminal records, for criminal personal data.
Justis processes only the personal data that are necessary for the performance of its statutory duties.
In addition, your data can be used to contact you in connection with customer satisfaction surveys that Justis carries out regularly. You can state at the time concerned whether or not you are interested in taking part in this.
- Does Justis also use forms of ‘profiling’?
Profiling means that organisations prepare a profile on people by collecting, analysing and combining all kinds of data about them. Justis only uses profiling for the screening product for the supervision of legal entities.
Justis implements the Legal Entities (Supervision) Act (Wet controle op rechtspersonen). The purpose of that Act is to prevent and combat abuses by legal entities (businesses). Screening businesses more frequently for potential abuses enables enforcing authorities to act more swiftly. Legal entities (and their directors, shareholders and immediate environment) are screened by means of a risk analysis. If any risk of abuse is identified, a risk notification is issued to an enforcing or supervisory authority. The risk notification is always prepared by a person. The automated system is used solely as a tool in this connection. Accordingly, no risk notification is prepared without human involvement.
The selection criteria and the risk profiles for screening of legal entities are not publicly disclosed. These selection criteria and risk profiles are prepared on the basis of indicators that may be indicative of abuses by or of legal entities. Public disclosure of the selection criteria and risk profiles would reduce the effectiveness of the screening of legal entities. That is because this would enable directors to anticipate the indicators that could cause a risk notification to be issued.
- How does Justis treat personal data that you provide via the website, the Customer Contact Centre or in any other way?
In principle, Justis only processes your personal data for the purpose for which you actively provided them. In addition, the data you have provided can also be used to contact you in connection with customer satisfaction surveys that Justis carries out regularly. You can state at the time concerned whether or not you are interested in taking part in this.
You provide personal data to Justis in the following cases:
- If you request a Justis product online via the website. These request forms are designed in accordance with the requirements applicable pursuant to the guideline for web applications (richtlijn webapplicaties) of the National Cyber Security Centre (NCSC). Each year, the application is subjected to a mandatory audit by the National Audit Service. The application complies with the strict standards that apply for using DigiD. Your data are used in order to be able to process the request.
- If you apply a certificate of conduct when you are not registered in the Municipal Personal Record Database (BRP). Your data will be used to process the request.
- If you enter personal data on the contact form on the website www.justis.nl. These personal data are used to be able to assist you in the best possible way, for instance in answering your question.
- If you contact Justis by telephone and provide your personal data. Again, these personal data are used to be able to assist you in the best possible way. Telephone calls may be recorded in connection with the training, coaching and assessment of staff. These recordings of telephone calls are protected and stored in such a way that they cannot be accessed by unauthorized parties. The recordings of telephone calls are not stored for any longer than is strictly necessary.
- The website allows you to provide feedback anonymously via a thumb icon and to suggest improvements in the notes. Do you wish to remain anonymous? Do not include any personal data or other data that allow your identity to be readily discovered.
Customers' personal data can be used for investigation purposes if crimes are committed via the website or the Customer Contact Centre of Justis or if criminal statements are made (or if other situations as referred to in Article 23 of the GDPR apply).
- Does Justis disclose personal data to other organisations and/or other countries?
The basic principle is that all data that have been provided by a data subject or have been obtained on a data subject are treated confidentially. Justis is authorised and sometimes obliged by law to disclose to government bodies data and information that they require to fulfil their duties. For example, risk notifications and network maps are issued pursuant to the Legal Entities (Supervision) Act to the organisations referred to in that Act and Bibob recommendations are issued pursuant to the Public Administration (Probity Screening) Act (Wet bevordering integriteitsbeoordelingen door het openbaar bestuur, Bibob ).
Certain professional groups are subject to a regime of signal-driven screening. This is the case for taxi drivers and staff of child care facilities. In those cases, personal data are also disclosed to the chain partners engaged in supervising those sectors. In all cases, the disclosure or forwarding of the personal data is provided for in the laws and regulations concerned and is recorded in the Justis record of processing activities.
Data are only disclosed to other countries in two cases:
- Network maps of legal entities are occasionally provided to the BES islands pursuant to Section 8 of the Legal Entities (Supervision) Act (Wet Controle Op Rechtspersonen) and Article 7 of the Legal Entities (Supervision) Decree (Besluit Controle Op Rechtspersonen), in conjunction with Article 49(1)(d) of the GDPR;
- The International Transfer of Criminal Sentences department of the Ministry of Justice and Security is informed in the case of requests for a pardon or decisions on a pardon of convicted offenders who are serving a sentence imposed abroad in the Netherlands or convicted offenders who are serving a sentence imposed in the Netherlands abroad. The International Transfer of Criminal Sentences department will inform the competent authority of the country concerned whether the request for a pardon has been accepted or rejected (Section 18(5) of the Pardons Act (Gratiewet)). In the case of requests for a pardon and decisions on a pardon of convicted offenders of or on the BES islands, the decision on the request for a pardon is sent directly to the Joint Court of Justice of Aruba, Curaçao, Sint Maarten and of Bonaire, Sint Eustatius and Saba.
- How has Justis protected the processing of personal data?
Justis takes certain measures to safeguard the reliable, appropriate and careful handling of personal data. Personal data will be treated confidentially. This means that Justis ensures that only persons with the required authorisations as well as an obligation of confidentiality can process your data. Personal data will be suitably protected. The Dutch central government's regulations and standards for information security are observed as a minimum. Justis makes agreements concerning measures with external parties and verifies compliance with those agreements.
- What are your rights regarding the processing of your data by Justis?
On the basis of the GDPR, you have the following rights:
- Right to information (Article 13 and Article 14 of the GDPR)
If you request a Justis product, you will provide the personal data yourself and therefore be aware of the processing of your personal data. In addition, information on the processing of your data is available in this privacy statement. Persons that are subject to the signal-driven screening are informed by the chain partners that the continuous screening will commence.
If the personal data have not been obtained from you, you will be informed of those data, except in the case of the products legal entities supervision and Bibob recommendations. It is possible in that case that you may not be aware of the processing of your personal data. The obligation to provide information pursuant to Article 14 of the GDPR will not apply in those cases however, as the recording or the disclosure of personal data is prescribed explicitly and exhaustively in the applicable laws and regulations.
- Right of access (Article 15 of the GDPR) and right to rectification (Article 16 of the GDPR)
Pursuant to Article 15 of the GDPR, you can submit a request to see what data concerning you are processed by Justis. There is a chance that Justis will be unable to provide access with regard to the processing of certain data, such as police or judicial data, as this is contrary to an obligation of confidentiality in the specific legislation. If you do receive access to certain personal data that Justis has processed and those data prove to be inaccurate, incomplete or not relevant, you can request Justis to amend or supplement these personal data (Article 16 of the GDPR). In that case Justis will notify every recipient to which personal data have been disclosed of any rectification.
- The right to restrict the processing (Article 18 of the GDPR)
In certain cases you have the right to restrict the use of your data. The situations concerned are stated in Article 18 of the GDPR (1) under a-d the data may be inaccurate, the processing is unlawful, the data are no longer needed, or you have objected to the processing and there are no overriding legitimate grounds for the processing. Justis will in such a case notify every recipient to which personal data have been disclosed of any restriction of the processing.
- The right to object (Article 21 of the GDPR)
If you request a Justis product, processing of your personal data will take place on your own request. It would therefore not be an obvious course of action for you to object to the processing of your personal data. However, the supervision of legal entities and Bibob recommendations also involve the processing of personal data of data subjects who have not asked for this. Pursuant to Article 21 of the GDPR, you can object to the processing of your personal data for reasons that relate to your specific situation. Justis will then assess whether the processing of your personal data needs to be discontinued. In view of the specific provisions and objectives of the Legal Entities (Supervision) Act (Wet controle op rechtspersonen) and the Public Administration (Probity Screening) Act (Wet bevordering integriteitsbeoordelingen door het openbaar bestuur, Bibob), such an objection is not very likely to be accepted.
- The right to data portability (Article 20 of the GDPR)
This means that you have the right to receive the personal data concerning you that an organisation has. That will for instance enable you to easily transmit your data to another organisation. The right to data portability only exists however if the processing is based on consent or an agreement and the processing is automated. At Justis, almost all processing operations have a legal basis, meaning that a request to exercise the right to data portability is not very likely to be accepted.
- Right to erasure / right to be forgotten (Article 17 of the GDPR)
Justis is obliged – subject to certain conditions – to erase your personal data without undue delay. Justis will in such a case notify every organisation to which personal data have been disclosed of the erasure. There are a number of exceptions to the right to be forgotten. For instance, if an organisation is obliged by law to process certain data. In that case, the organisation cannot erase the data on request. That is usually the case at Justis.
You can submit a request to exercise a right in writing to:
attn. Legal Affairs department (JZU)
PO Box 20300
2500 EH The Hague
We may ask you to identify yourself if you request access to or a copy of your data. You can do this by submitting a copy of your identity document. To make a safe copy, you can render the citizen service number illegible and clearly state to whom you are sending the copy for what purpose. You can also use the app ‘KopieID’ of the Dutch central government to do this. More information about making a safe copy of your identity document is available on the website www.rijksoverheid.nl.
- Right to information (Article 13 and Article 14 of the GDPR)
- Who is the Data Protection Officer (DPO)?
The DPO for Justis is the DPO of the Ministry of Justice and Security. Do you have general questions about data protection at the Ministry? If you do, please contact the DPO. You can submit your questions online or on paper to:
Data Protection Officer
Ministry of Justice and Security
attn the Data Protection Officer
PO Box 20301
2500 EH The Hagu
- How can you lodge a complaint?
If you have a complaint concerning the processing of your personal data by Justis you can submit it to:
attn CCC department (KCC)
PO Box 20300
2500 EH The Hague
You also have the right to lodge a complaint with the Dutch Data Protection Authority:
Dutch Data Protection Authority
PO Box 93374
2509 AJ The Hague
Contact Justis if you have any questions, comments or suggestions.
+31 (0) 88 - 998 22 00