The NKC (provider of Campercontact) processes personal data and wants to communicate clearly and transparently about it. The NKC is the largest (Dutch) club for motorhome enthusiasts and offers insurances, travels, advice and information regarding motorhome stops around the globe (Campercontact). In this privacy statement, the NKC provides information about how it processes personal data. Not all elements of the statement apply to you being a Campercontact user.
The NKC values the protection of the personal details of its members, partners and other relations. Personal data are therefore treated and protected with the utmost care by the NKC. The NKC meets the requirements set by the General Data Protection Regulation (GDPR).
Requirements processing personal data for associations
The GDPR has six bases for the processing of personal data. To be allowed to process personal data, at least one of these principles must apply:
- The person concerned gives permission.
- It is necessary to execute an agreement.
- It is necessary for compliance with a legal obligation.
- It is necessary for protecting a vital interest.
- It is necessary for carrying out a task of general interest or public authority.
- It is necessary to look after legitimate interests.
Personal data are all kinds of information about persons with whom they can be identified. Examples are name and address details, e-mail and IP addresses and passport photos.
In addition, the law distinguishes special personal data, such as information about health. This is information that can seriously affect someone's privacy. Therefore, this information may only be processed under strict conditions.
The NKC processes personal data in various systems. These are hosted on internet servers of the NKC in European data centers.
The administrative application of the NKC is used by individual members of the NKC. The purpose of this application is to provide members with the correct information faster and to make administrative tasks more efficient. The data is stored in one place. With their personal MijnNKC-account members get access to the application and their own personal data.
Digital channels NKC
The NKC manages a number of websites and apps.
- app Campercontact (Android and iOS)
- app Kampeerauto (Android and iOS)
Access for the users is fully handled by the central SingleSignOn program of the NKC; the websites and the apps use the same personal data.
The insurance administration is used together with insurance broker Aon and both the NKC and Aon are responsible for the processing of personal data. The personal data that are processed are necessary to be able to manage the relevant insurance policies.
Right of inspection
If someone's personal data is processed, this person has the right to know which data, for which purpose these are being used exactly and with whom these may be shared. Someone can only request information about themselves, not about others.
Most of the data processed by the NKC of individuals can be viewed online on the personal MijnNKC page. In addition, the NKC keeps other data, such as device ID and IP addresses.
With a written request it is possible to inspect the registered personal data and the processing that takes place. This request can be sent via email to: firstname.lastname@example.org. Please indicate 'right of access' in the subject line. The NKC reacts within the legal one-month period.
Right to be forgotten
In some cases, a person has the right to be forgotten, or to have personal data removed from the administration of the NKC. The NKC must grant such a request in the following situations:
- The data is no longer necessary for the purpose for which it was collected.
- The consent given is withdrawn and there is no other legal basis for the processing.
- An objection is made to the processing.
- The data has been processed unlawfully.
A request for the removal of personal data must be made in writing. This request can be sent via email to: email@example.com. Please indicate 'right to be forgotten' in the subject line. The NKC reacts within the legal one-month period. In some cases, the NKC can not grant the request, for example if there is a legal obligation to keep the data. The person concerned will be informed about this.
The consequence of the execution may be that the service is not optimal or can not be carried out at all.
Persons authorized to register and consult personal data (both general and special data) are obliged to maintain confidentiality. One can only deviate from this if there is a legal or reasonable need to provide information to third parties.
The NKC processes personal data and wants to communicate about it as clearly and transparently as possible. The privacy statement provides answers to the most important questions about the processing of personal data by the NKC. The privacy statement can be found here.
Processing and authorization
Processing in the member administration
The following processes are handled in the members administration application:
- Member administration.
- Financial administration including debtor and creditor administration.
- Registration and invoicing for participation in tours and events.
- Selling store items in the webshop.
To ensure that these processes run smoothly, general personal data are recorded, such as name and address details, email addresses, telephone numbers, date and place of birth. These personal details are necessary in order to be able to execute the obligations arising from NKC membership.
The NKC bases these processing operations on the following bases:
- Data processing is required to execute an agreement.
For the services resulting from, for example, membership, it is necessary to process personal data, as well as for entering into other agreements.
- The person in question gives permission for the data processing.
The NKC processes personal data on the basis of permission. Participants in NKC Camper Travel or NKC Events sometimes also record special personal data. This only concerns health data that may be necessary to carry out the trip or the event. The participant must give explicit permission for this.
Members are free to withhold or withdraw permission. The consequence of the decision may be that the service is not optimal or can not be carried out at all.
Registration of additional data
Additional data may be stored for research purposes. Members can subscribe and unsubscribe themselves online and change the data. This concerns information about the camper they own and which surveys they wish to participate in.
Provision to third parties
In order to optimally implement the services provided by the NKC, third parties are involved. It is sometimes necessary to provide personal data for their activities. In order to guarantee privacy, agreements are concluded with these parties on the use and security of personal data.
- Processors of the dispatch of postal items and periodicals, such as the Camper.
- Research bureaus for conducting research and surveys.
- Email service providers for sending digital mailings and newsletters.
- Third parties in the context of the execution of trips or events such as ferry companies and campsites.
The NKC never sells your data to third parties. Data is only provided for a functional operation of the services of the NKC.
Authorization of member administration
Members are responsible for the quality of their data in the membership administration. They must submit changes to their personal data, online in MijnNKC or with an e-mail message to the NKC members administration, which will then make the mutations.
In their personal MijnNKC account members can view their data and (partly) edit it themselves.
Every employee of the NKC can view details of members of the NKC in the membership administration. If functionally necessary, employees of the NKC can be granted authorization that also makes it possible to edit the data of members. When this employee gets a different position within the organization, the need for authorization is considered again. Within the application, assigning rights is done at the higher level; a user can never claim access on his own.
Employees may not pass on personal data of participants in a trip or event or of members of a specific group to the other participants or members of that group.
NKC volunteers who organize an event or a trip may use the details of members registered for the members activity under the following conditions:
- The participant conditions state that the data will only be used for the event.
- There is an opt-in for the use of special personal data that are requested on the registration form.
- Participant lists held by the volunteer will be destroyed within four weeks after the end of the event or the trip. This applies to participant data both on paper and digitally.
- Personal data of participants in a trip or event or of members of a specific group are never passed on to the other participants or members of that group.
Processing in the insurance administration
The insurance administration is used for the (registration of) the following processes:
- Providing the requested services.
- Mediating in the realization of insurances.
- Handling claims.
- Examining claims or complaints in connection with insurance policies and / or services.
- Investigating customer satisfaction.
- Examining creditworthiness and debtor policy.
- Examining imposed sanctions, validation of data, facilitating prevention, detection and / or investigation into crime.
- The internal reporting, analysis, and improvement of products and services
- Compliance with legal obligations.
Personal details are processed in the insurance administration that are required to perform the services resulting from the purchased insurance products. This concerns name and address details, email addresses, date of birth, gender, nationality, marital status, bank account numbers and credit card details, information about credit history and bankruptcy or moratorium status. In addition, data is recorded about driving behavior, driving license, insurance history and claims history.
The NKC and Aon base these processing operations on the following bases:
- Data processing is required to execute an agreement .
For the services that result from taking out insurance policies, it is necessary to process personal data.
- Data processing is required to meet a legal obligation .
The Financial Supervision Act and the Dutch Bank require the registration of certain personal data when insurance products are purchased.
- Data processing is necessary to represent a legitimate interest .
For example, information about fraud and creditworthiness is included in the assessment of an applicant for insurance.
- The person in question gives permission for data processing.
The NKC and Aon process personal data on the basis of permission. To register profiling characteristics, explicit permission must be requested.
Members are free to withhold or withdraw permission. It may be that such a decision means that the service is not optimal or can not be carried out at all.
We engage third parties in the context of our services. We can provide data in that context to:
- insurers and intermediaries where necessary for taking out insurance and providing our services.
- Expertise bureaus, lawyers, and research bureaus for work in case of damage and necessary reports.
- Enforcement agencies where necessary to prevent or detect fraud and crime.
- Public authorities where necessary for Aon to meet its legal obligations. In the context of motor insurance policies, data is passed on to the Rijksdienst voor het Wegverkeer.
- Medical experts, for example, in the case of health insurance and claim handling services.
- Research agencies that are called in to investigate creditworthiness, criminal record, fraud (and issue statements about conduct) in order to detect and prevent fraud in the insurance industry.
Processing NKC Online
NKC online includes nkc.nl, campercontact.com and the apps Campercontact and Kampeerauto. These systems use the same personal data. It concerns names, birth dates, email addresses, membership numbers, postal codes and IP addresses.
In addition, the Campercontact app saves the device ID and the location data of the user with the user's consent. The user always has the possibility to withdraw his consent. This can be done via the Campercontact app.
The NKC bases these processing operations on the following bases
- Data processing is necessary to represent a legitimate interest .
The collection of certain data is necessary in order to offer visitors of NKC.nl and Campercontact.com relevant information based on the use of the websites. This registration also serves statistical purposes in order to be able to follow the use of the websites and to be able to adapt them to the wishes of the visitors.
- The person in question gives permission for data processing .
The NKC processes personal data on the basis of permission. To register profiling characteristics, explicit permission must be requested.
Visitors are free to withhold or withdraw permission. It may be that such a decision means that the service is not optimal or can not be carried out at all.
NKC Online does not provide personal data to third parties.
Storage of personal data
The member administration system provides for export and import options, for example to create participant lists of trips or events for the supervisors. This is handled with great care.
It is forbidden to multiply exported data. The export is strictly personal.
The data in the membership records are strictly personal. These may not be published without the express consent of the relevant member.
Exported files may only be used temporarily and must then be destroyed in such a way that they are unusable both on paper and digitally.
Data in the membership records are saved as long as the membership of the member concerned is in effect. This includes both personal data and, for example, registrations and bank details.
Even after the membership ends, the data are still retained for the legally required term of seven years. Thereafter, the data of the ex-member is deleted or anonymised.
The NKC regularly sends messages via mail, email and other channels to members and interested parties who have registered for certain mailings. For this, the NKC adheres to the following rules.
Opt in / opt out
The NKC can and may send members the information relevant to their membership and / or participation in activities, without being asked. An opt-out option must be actively offered for these messages.
System messages such as invoices and reminders and messages that are essential for membership do not, according to the GDPR, have an opt-out option.
The term bulk mail includes e-mail messages, postal items, SMS and telemarketing campaigns that are distributed in large numbers. In order to prevent inconvenience for the recipients, the NKC has a protocol for bulk mail, which includes rules on the numbers and frequency of bulk mailpieces.
Messages with less than twenty unique receivers are not a bulk mail. In addition, system messages and functional e-mails (reporting essential for membership of the NKC) are excluded from bulk mail and the opt-out option. This concerns messages with, for example, admission tickets or participation confirmation.
With the help of a permanent cookie, nkc.nl and campercontact.com register that a visitor returns. The websites can thus be better adjusted to the preferences of this visitor. When a visitor has given permission for the placing of cookies, the websites can remember this by means of a cookie. This means that the visitor does not always have to repeat his preferences, which results in time savings and user-friendliness of the website. Permanent cookies can be removed by the visitor via the settings of the browser.
Using a session cookie, the NKC registers which parts of the website the visitor has viewed during a specific visit. With this information, the NKC can adapt the services as much as possible to the surfing behavior of the visitors. These cookies are automatically deleted when someone closes his web browser.
Tracking cookies from the NKC
The NKC only places a cookie on visitors' equipment with permission. These can be requested as soon as the visitor visits a website from the NKC network. The NKC thus knows that this visitor was also on the relevant other website (s) from the NKC network. With this information a profile is built up that is not linked to a person with a name, address, e-mail address and the like. This profile is used to tailor personally relevant messages to the visitor. Tracking cookies can be removed by the visitor via the settings of his browser.
Tracking cookies from advertisers
Only with permission do advertisers place tracking cookies on the equipment of visitors of nkc.nl and campercontact.com. They use these cookies to keep track of which pages from their network the visitor views, in order to build up a profile of that visitor's online surfing behavior.This profile is also built on the basis of comparable information that they receive from visiting other websites from their network. This profile is not linked to a person with a name, address, e-mail address and the like as known to the NKC. That profile is used to match advertisements with the visitor. These cookies can be removed centrally via Your Online Choices so that they are not returned to a third-party website.
Via the NKC websites a cookie is placed from Google as part of the Analytics service. The NKC uses this service to keep track of and to receive reports on how visitors use the websites with the aim of improving the user-friendliness.
Google may provide this information to third parties if Google is legally obliged to do so, or if third parties process the information on behalf of Google. The NKC has no influence on this. As a user, the NKC has allowed Google to use the obtained analytics information for other Google services.
The information that Google collects is anonymised as much as possible. For example, IP addresses are not included. The information is transferred to and stored by Google on servers in the United States. Google maintains the Privacy Shield principles and is affiliated with the Privacy Shield program of the US Department of Commerce. This means that there is an appropriate level of protection for the processing of any personal data.
The NKC websites contain buttons to promote or share web pages on social networks such as Facebook and Twitter. These buttons work through pieces of code that come from Facebook or Twitter itself. Only when such a button is clicked are cookies placed on the visitor's computer.
The privacy statements of Facebook and Twitter state what they do with (personal) data that they process via these cookies.
The information they collect is anonymised as much as possible. The information is transferred to and through Twitter, Facebook, Google+ and LinkedIn and stored on servers in the United States. LinkedIn, Twitter, Facebook and Google+ adhere to the Privacy Shield principles and are affiliated with the Privacy Shield program of the US Department of Commerce. This means that there is an appropriate level of protection for the processing of any personal data.
Naturally, the NKC does everything to ensure that the personal data mentioned in this document is not in the hands of third parties who are not entitled to this data. If this does happen, it’s a data breach.
Article 34 of the General Data Protection Regulation provides that if a data breach takes place, this must be reported. Here we are talking about the leakage of personal data as a result of security problems. These data leaks must be reported to the supervisory authority, the Dutch Data Protection Authority (AP) without delay.
What is a data breach?
A data breach is used when personal data are lost or unlawful processing can not reasonably be excluded. Unlawful processing means adjusting and / or changing personal data and unauthorized access to these data. A data breach is much more than just a hacker or malware that gains access to personal data.
Examples of a data breach are:
- A ransomware (cryptolocker) that encrypts data.
- Losing a USB stick.
- Sending a mailing with addresses in the CC field.
- A list of personal data sent to a wrong address.
Report data breach
A data breach can be recognized in various ways. In general, it will be a report that there is a way to request data outside of security that should not be publicly available. However, this does not mean that this vulnerability has been used by third parties. Because an extensive logging takes place, it is possible to check whether a data breach has actually taken place.
Procedure to communicate data leaks
Upon detection of a data breach or a suspicion of a data breach, this must be reported immediately to the controller within the NKC.
To the supervisor
As soon as a data breach has been detected, this must be reported to the supervisor within 72 hours. The notification to this contains at least:
- The nature of the infringement
- The bodies where more information about the infringement can be obtained
- The recommended measures to limit the negative impact of the infringement
- A description of the observed and the likely consequences of the infringement for the processing of the personal data
- The measures that the organization has taken or proposes to take to remedy these consequences
To the member
After a data leak has taken place and it is probable that the leak will have adverse effects on the privacy of the member concerned, this member must receive a notification. This notification will contain at least the nature of the infringement, the bodies where more information about the infringement can be obtained and the recommended measures to limit the negative consequences of the infringement.
Whoever has complaints about the processing of his personal data by NKC, can contact this.This can be done by sending an email to contact person Hans Inkenhaag, Manager Operations and Finance via firstname.lastname@example.org. The NKC then searches for a solution together with the person concerned. If this does not work satisfactorily, there is still the possibility to file a complaint with the privacy regulator, the Dutch Data Protection Authority.