Privacy Statement

Application
With this Privacy Statement, Rotterdam Airport B.V., also referred to as Rotterdam The Hague Airport (hereafter “RTHA”) wants to offer transparency on how RTHA treats your personal data and for what purposes these data are used. This Privacy Statement applies to all processing of personal data by or on behalf of RTHA.

This Privacy Statement does not apply to data processing by other organisations based at the airport of RTHA, such as airlines, ground handlers, lessees, operators of shops and catering outlets at RTHA, security companies, the Royal Netherlands Marechaussee and Customs. RTHA has no access to this data processing by third parties or to the data involved, and is not the controller for it. We refer to the privacy statements of those organisations for more information on the way in which they treat personal data.

For what purposes does RTHA process your data?
The purposes for and bases on which RTHA processes personal data are:

1. To implement statutory regulations and tasks in the public interest
There are a number of legal obligations that require personal details to be processed to comply with that obligation.

Safeguarding security
The safety of all visitors and RTHA staff is paramount to us. Personal data that may be processed for that purpose include, for instance, camera images that are recorded in the terminal. The camera images are removed after 28 days, unless there are good reasons for storing the images for a longer period, for example for an investigation of an incident.

Civil aviation security
In performing its task as the operator of the airport, RTHA processes personal data for civil aviation security purposes.

Access Control
RTHA has to verify that access to the area behind the security checkpoints is only granted to passengers that depart the same day. For this purpose, RTHA checks boarding pass data that are processed at the security checkpoints. If and to the extent that access control takes place via a Self Service Boarding Pass Control, your data will be scanned automatically. Those data are only processed, not stored.

Airport employees, working for RTHA or other organisations based at the airport of RTHA, working in the area behind the security checkpoints, are granted access to that area only by a special RTHA Airport Badge (‘airport badge’). The airport badge is one of the controls to prevent the risk of unauthorized access of persons and vehicles to the security areas. RTHA has to comply with the relevant (inter)national (security) legislation in order to perform its tasks with regard to the security of civil aviation.

In issuing the airport badge and the accompanying registration, certain personal data are processed. This is pursuant to a legal ground, including the requirements of Regulation (EC) No 300/2008 of the European Parliament, articles 4, paragraph 1.2 and the requirements set out in the National Civil Aviation Security Programme.

With respect to the airport badge, RTHA processes the following personal data: name, address, date and place of birth, nationality, sex, photo, employee number (optional). In addition, an iris template of the badge user may be stored, for the purpose of identification of the person in the embedded (staff)corridors. These personal data will be stored for a period of 5 years after the moment that the airport badge has been returned, unless there are valid reasons for storing the personal data for a longer period, for example for an investigation of an incident.

2. Supply of services to visitors, customers and passengers
Parking
RTHA uses the following personal data for the performance of parking agreements that RTHA enters into with customers via its website or app: initials, last name, email address, telephone number, vehicle registration number, payment details such as credit card number (last four digits). A retention period of two years after the booking has been established for these personal data.

Wi-Fi network
After explicitly agreeing to the terms and conditions, visitors to RTHA may use the Wi-Fi network as a free service, provided by KPN. If you make use of the free Wi-Fi network, your data is being processed according to the KPN terms and conditions. For more information, please refer to the following link: https://www.kpn.com/algemeen/alle-voorwaarden.htm

Events
Occasionally, RTHA organises various events. In case you are visiting RTHA for a guided tour or any other kind of gathering, RTHA uses your name and date of birth in order to process your registration and to create a visitor’s badge. On the day of the event, you need to identify yourself with a passport or ID. Those data are only processed, not stored.

RTHA may ask for your email address to confirm your booking. After a specific event, RTHA may ask you to use the provided email address for sending newsletters, emails about future events and/or questionnaires to improve our services. For this you are explicitly requested to provide your consent. You are at any time allowed to withdraw such consent.

Product and service improvement
RTHA processes your personal data in order to improve our services and to keep you informed about the services and products you purchase or may purchase from us, as explained in further detail in this Privacy Statement, unless you have objected to this use of your data.

If you are a RTHA customer, and you have given your consent for this, we combine information we obtain when you purchase one or more products or services from us, such as parking and receiving newsletters. We do this for administrative purposes and in order to gain a complete overview of the products and services you have purchased from RTHA. In turn, this will allow us to provide you with better service if you contact us and to offer you other products and services that may be of interest to you.

Via the Wi-Fi network, RTHA conducts research on the customer experience at RTHA. When you are connected to the Wi-Fi network, you are offered the possibility to participate in this research. This is voluntary. For this research, we process the minimum of personal data, at least your IP/MAC-address. Via this research, RTHA aims to improve the provided services at and around the airport for visitors, customers and passengers.

3. Implementation and analysis of company processes and systems
RTHA processes personal data to optimise its business processes, such as the baggage process and the passenger process.

Baggage process
For the routing, sorting and screening of baggage, RTHA processes, for each item of baggage, the passenger name, the barcode of the suitcase and (if applicable) the passenger’s Frequent Flyer number. These data are retained for seven days after the departure of the flight.

Crowd management
To ensure that your journey via RTHA is as pleasant as possible, we track how many passengers are at RTHA to allow us to give you information on expected peaks and waiting times. In the terminal we use a Wi-Fi and Bluetooth tracking system for this. RTHA uses sensors to trace Bluetooth and Wi-Fi signals. A device (mobile telephone, laptop, etc.) can be identified by its unique ‘MAC address’. This MAC address does not link to individual user data, and therefore no personal data is compromised. You are of course always free to switch off your Wi-Fi and Bluetooth.

RTHA also uses camera images for crowd management; the purpose is to gain insight into the number of people in queues, the density of people in spaces and the occupation of desks. That information can also be used to provide predictions with regard to the numbers of passengers/visitors and therefore also waiting and processing times. These camera images are stored for a maximum of 28 days after which they are destroyed.

4. Operation of RTHA online services such as its website, newsletter, social media and app

Website
General data on website visits, such as the most frequently requested pages, are tracked on RTHA’s website without identifying visitors. The purpose is to be able to adapt the design of our website as much as possible to visitors’ requirements. These data can also be used to place more targeted information on the site. This enables RTHA to further optimise the services we offer to you via the website.

The RTHA web server automatically collects IP addresses. Your IP address is a number with which computers on the network can identify your computer, so that data (such as internet pages) can be sent to your computer. We use IP addresses to manage the website and to ensure it is as relevant as possible.

It is possible to click through to websites of other parties via the RTHA websites. RTHA cannot accept responsibility for the treatment of personal data by those other parties. We advise you to carefully read the privacy policy of those other parties. The terms and conditions on those websites may differ from those of RTHA.

Newsletter
If you sign up for our electronic newsletter, you thereby give us your consent to use your email address to send you the newsletter. If you have also given explicit consent for receiving other information such as offers and questionnaires, we will send those to you as well. You can always unsubscribe from this via the link at the bottom of the newsletter page of every newsletter. The interactions, occurring via the newsletter, are registered with the aim to further optimise our newsletter and respond to your preferences.

Cookies
During your visit to the RTHA website, our systems will create and consult cookies. A cookie is a compact piece of information which is stored on your computer. Most browsers accept cookies; however, it is generally possible to change the settings of a browser so that it no longer accepts cookies. Read more here about the use of the various types of cookies by RTHA, and how you can accept or refuse them.

Social media
Our social media channels provide the latest news, information, offers and useful facts about RTHA. These channels are an easy way to contact RTHA, participate in discussions, respond to posted content or take action in some other way. We are always happy to exchange ideas with you and receive your opinion on RTHA and its services.

Engaging with customers like this allows us to continually improve our service. We request that you do not place privacy-sensitive information about yourself or others (e.g. email address, name, address, telephone number) on these channels, but that you share your information with us via a private message if necessary. RTHA will only use the data shared by you to answer your question and to improve its customer service (for instance, by means of anonymised Q&As that can be modified by input from customers). RTHA may remove publicly shared privacy-sensitive data.


The RTHA-app
RTHA offers services via the RTHA-app. Your data can be used for location determination and route planning / navigation at RTHA, provided you have given explicit consent for this.

Google Analytics
RTHA uses Google Analytics to calculate website statistics, such as the number of unique visitors, sessions and campaign data. This information is not shared with third parties and the IP address is anonymised.

5. Recruitment and selection
RTHA only uses applicants’ personal data for recruitment and selection purposes. Unless required by law, RTHA will not provide these data to other persons or bodies outside RTHA without the applicant’s prior consent. Applicants’ data will be deleted no later than four weeks after the application procedure has ended, unless the personal data are retained, with the applicant’s consent, for one year after the end of the application procedure with a view to possible future vacancies.

6. Maintaining customer relationships
RTHA lets office space at RTHA. In connection with the performance of the lease contract and for maintaining the customer relationship, RTHA processes contact details of contacts of its lessees.

RTHA has a CRM system in which it processes contact details for maintaining the customer relationship with the contacts of its customers, such as airlines, ground handlers, forwarders, travel organisations and travel agents. The purpose is to inform these organisations and persons about RTHA and/or to invite them to meetings and events. These data are not used for the purposes of sales.

Data protection
RTHA is a company, which is part of the Royal Schiphol Group N.V. (‘RSG’). RSG has implemented a privacy governance policy that also applies to RTHA. RTHA does everything within its power to protect your personal data against loss and unauthorised use. All RTHA employees who have access to personal data as part of their work are required to maintain confidentiality. Your data will only be supplied to parties outside RTHA if this is necessary for the performance of the aforementioned purposes. RTHA has agreed in a data processing agreement with RTHA partners who are responsible for performing certain services or parts thereof that they will also do everything within their power to protect the personal data and that they will comply with the provisions of the GDPR.

RTHA will endeavour to ensure that processed personal data are accurate and precise. Moreover, RTHA will not process more personal data than necessary, and will store them for no longer than is necessary for the purposes for which they were collected. RTHA has defined/will define a suitable retention period for the various processing operations of personal data.

If a data leak occurs despite the measures referred to above, we will naturally handle it in accordance with the rules. If you yourself believe or suspect that there is a data leak, we ask you to report this as soon as possible to the following email address: dpo@schiphol.nl.

Your rights
If your personal data have been collected by RTHA, you have the right to request access to or rectification or removal of these data. You may also request us to transfer the data to another party or request that these data be processed only to a limited extent. Furthermore, you may object to the processing of these data.

In specific situations, RTHA is not obliged to act on a request of a data subject, based on those rights, namely if imposing restrictions on the rights of the data subjects is necessary to safeguard, for instance: national or public security; the prevention, investigation, detection and prosecution of criminal offences; or if this is necessary to safeguard the rights or freedoms of others.

Below, you will find further explanation regarding the rights you have as a data subject:

Right of access
The data subject has the right to obtain from RTHA confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data and the following information:

  a) the purposes of the processing;
  b) the categories of personal data concerned;
  c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
  d) where possible, the envisaged period for which the personal data will be stored, or, if that is not possible, the criteria used to determine that period;
  e) the existence of the right to request rectification or erasure of personal data, or restriction of processing of personal data concerning the data subject, or to object to such processing;
  f) the right to lodge a complaint with the Dutch Data Protection Authority;
  g) where the personal data are not collected from the data subject, any available information as to their source;
  h) the existence of automated decision-making, including ‘profiling’, if applicable.

Right to rectification
The data subject has the right to obtain from RTHA without undue delay the rectification of inaccurate personal data concerning him or her or – taking into account the purposes of the processing – to have incomplete personal data completed.

Right to be forgotten
The data subject has the right to obtain the erasure of personal data concerning him or her and RTHA has the obligation to erase those personal data where, for instance, one of the following grounds applies:

  a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  b) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
  c) the personal data have been unlawfully processed.

Right to restriction of processing
The data subject has the right to request restriction of processing where one of the following applies:

  a) the accuracy of the personal data is contested by the data subject;
  b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  c) RTHA no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  d) the data subject has objected to processing (pursuant to Article 21 (1) of the GDPR) pending the verification whether the legitimate grounds of RTHA override those of the data subject.

Right to data portability
The data subject has the right, under certain circumstances and solely where technically feasible, to receive the personal data concerning him or her, which he or she has provided to RTHA, in a structured, commonly used and machine-readable format, and has the right to transmit those data to another controller.

Right to object
The data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, including profiling based on those provisions.

Data Protection Officer
Royal Schiphol Group N.V., of which RTHA is a part, has appointed a Data Protection Officer (DPO). One of the tasks of this DPO is to supervise whether RTHA processes personal data in accordance with the GDPR.

If you have any questions about your data or the way in which we treat your privacy, or if you want to exercise the rights referred to above, you can send an email to the DPO via dpo@schiphol.nl. As soon as possible after receipt of your request, we will inform you about the handling of your request.

If you are dissatisfied with the way in which we treat your privacy and/or the rights referred to above, you can file a complaint with the Dutch Data Protection Authority via https://autoriteitpersoonsgegevens.nl/nl/zelf-doen/privacyrechten/klacht-over-gebruik-persoonsgegevens?qa=klacht.

The recipients of your data
The following persons and/or institutions may receive your personal data:

  a) anyone at RTHA who is responsible for carrying out or supervising tasks related to the processing of your personal data or anyone involved in this;
  b) processors and subprocessors contracted by RTHA to perform certain tasks relating to the processing of your personal data;
  c) (other) controllers who use your personal data for purposes of their own and inform you of this, such as airlines;
  d) within the scope of the automatic border passage, the Royal Netherlands Marechaussee insofar that is necessary for the performance of its duties;
  e) government bodies, such as the police and judicial authorities, insofar as this is necessary to comply with statutory obligations.

Transfer of data to countries outside the EU
In certain cases, RTHA transfers personal data to countries outside the EU, but ensures that this takes place in accordance with the relevant legal requirements, e.g. using EU model contract conditions.

Amendments
RTHA reserves the right to revise its privacy statement from time to time. This may be the result of changed policy, changes in data processing or changes in the systems with which RTHA processes data. This is a continuous process. The most recent version of the Privacy Statement is always available on our website, and we advise you to check it regularly.

This version was drawn up on October 1 2018.

Rotterdam Airport B.V.
Postal address:
Postbus 12025
3004 GA Rotterdam
Netherlands

Visitor address:
Rotterdam The Hague Airport
Rotterdam Airportplein 60
3045 AP Rotterdam
Netherlands