Privacy Policy
(last updated: 9/11/2023)
The privacy of our conference’s participants and website visitors is of high importance to us. We have, therefore, decided to split our policy into four clear and easily readable chapters:
Privacy Policy, for more information on how we value your privacy in general.
Cookie Policy, for more information on how our website makes use of cookies.
Protocol Reporting Data Breaches, for more information on how we handle the (unlikely) event of a data breach.
Processing Register, for a structured overview of and more information on what categories of data we process, who is responsible for the collection, how long we retain the data, et cetera.
Privacy Policy (last updated: 9/11/2023)
The I.M.U.N.A. Foundation respects the privacy of its website visitors, in particular their rights regarding the automatic processing of personal data. We have therefore formulated and implemented a policy on complete transparency with our customers regarding the processing of personal data, its purpose(s) and the possibilities to exercise your legal rights in the best possible way.
If you require any additional information about the protection of personal data, please visit the website of the Dutch Data Protection Authority (Autoriteit Persoonsgegevens): https://autoriteitpersoonsgegevens.nl/nl.
Until you accept the use of cookies and other tracking devices, we will not place any non-anonymised analytical cookies and/or tracking cookies on your electronic device.
With the continued visit of this website, you accept these terms of use and you accept the use of cookies and other tracking systems unless we have provided another method of accepting cookies on our website.
The currently available version of this privacy policy is the only version that applies while visiting our website until a new version replaces the current version.
Article 1 – Definitions
- Website (hereinafter: “Website”) www.imuna.nl.
- Party responsible for processing personal data (hereinafter: “the controller”): Stichting I.M.U.N.A., established at Bergerhout 1, 1815 DA Alkmaar, The Netherlands, Chamber of Commerce number: 41241492.
Article 2 – Access to the website
Access to and use of the website are strictly personal. You will refrain from using the data and information of this website for your own commercial, political or advertising purposes, as well as for any commercial offers, in particular unsolicited electronic offers.
Article 3 – Website content
All brands, images, texts, comments, illustrations (animated) images, video images, sounds and all the technical applications that can be used to operate this website and more generally all the components used on this website, are protected by the laws on intellectual property. Any reproduction, repetition, use or modification, by any means whatsoever, of all or just part of it, including technical applications, without the prior written permission of the controller, is strictly prohibited. The fact that the controller may not take immediate action against any infringement, cannot be considered as tacit consent, nor of a waiver of any right to prosecute the infringing party.
Article 4 – Management of the website
For the purpose of proper management of the site, the controller may at any time:
- suspend, interrupt, reduce or decline access to the website for a particular category of visitors,
- delete all information that may disrupt the functioning of the website or conflicts with national or international laws or is contrary to internet etiquette,
- make the website temporarily unavailable in order to perform updates.
Article 5 – Responsibilities
- The controller is not liable for any failure, disturbances, difficulties or interruptions in the functioning of the website, causing the (temporary) inaccessibility of the website or of any of its functionalities. You, yourself, are responsible for the way you seek connection to our website. You need to take all appropriate steps to protect your equipment and data against hazards such as virus attacks on the Internet. Furthermore, you are responsible for which websites you visit and what information you seek.
- The controller is not liable for any legal proceedings taken against you:
- because of the use of the website or services accessible via the Internet,
- for violating the terms of this privacy policy.
- The controller is not liable for any damages that incur to you or third parties or your equipment, as a result of your connection to or use of the website and you will refrain from any subsequent (legal) action against the controller.
- If the controller is involved in a dispute because of your (ab)use of this website, he is entitled to (re)claim all subsequent damages from you.
Article 6 – Collection of data
- Your personal data will be collected by the I.M.U.N.A. Foundation and (an) external processor(s).
- Personal data means any information relating to an identified or identifiable natural person (‘data subject’).
- An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- The personal data that are collected on the website are used mainly by the collector in order to maintain a (commercial) relationship with you and if applicable in order to process your orders. They are recorded in an (electronic) register.
Article 7 – Your rights regarding information
- Pursuant to Article 13 paragraph 2 sub b GDPR each data subject has the right to information on and access to, and rectification, erasure and restriction of processing of his personal data, as well as the right to object to the processing and the right to data portability.
- You can exercise these rights by contacting us at it@imuna.nl.
- Each request must be accompanied by a copy of a valid ID, on which you put your signature and state the address where we can contact you.
- Within one month of the submitted request, you will receive an answer from us.
- Depending on the complexity and the number of requests this period may be extended to two months.
Article 8 – Legal obligations
- In case of infringement of any law or regulation, of which a visitor is suspected and for which the authorities require the personal data collected by the collector, they will be provided to them after an explicit and reasoned request of those authorities, after which these personal data do not fall anymore under the protection of the provisions of this Privacy policy.
- If any information is necessary in order to obtain access to certain features of the website, the controller will indicate the mandatory nature of this information when requesting these data.
Article 9 – Collected data and commercial offers
- You may receive commercial offers from the collector. If you do not wish to receive them (anymore), please send us an email to the following address: it@imuna.nl.
- Your personal data will not be used by our partners for commercial purposes.
- If you encounter any personal data from other data subjects while visiting our website, you are to refrain from collection, any unauthorized use or any other act that constitutes an infringement of the privacy of the data subject(s) in question. The collector is not responsible in these circumstances.
Article 10 – Data retention
The collected data are used and retained for the duration determined by law, which is equal to seven years. Comments on blog posts or personal information in user accounts of the website get stored indefinitely.
Article 11 – Cookies
The website makes use of cookies. For more information, please refer to the Cookie Statement below.
Article 12 – Imagery and products offered
You cannot derive any rights from the imagery that accompanies any offered product on our website.
Article 13 – Applicable Law
These conditions are governed by Dutch law. The court in the district where the collector has its place of business has the sole jurisdiction if any dispute regarding these conditions may arise, save when a legal exception applies.
Article 14 – Contact
For questions or information about the website itself, please reach out to our Head of Information Technology.
Protocol Reporting Data Breaches (last updated: 29/11/2021)
Considerations:
- The I.M.U.N.A. Foundation attaches importance to good security of its (electronic) systems in which personal data are stored and processed,
- nevertheless, it can never be completely prevented that a data breach will occur.
- The I.M.U.N.A. Foundation is under the General Data Protection Regulation (GDPR) obliged to report (serious) data leaks to the Dutch Data Protection Authority and to those involved.
- The I.M.U.N.A. Foundation wishes to comply with its legal obligations.
- The I.M.U.N.A. Foundation has therefore formulated a policy to act as adequately as possible in the unlikely event that a data breach does occur.
1 – Definition of a data breach
A data breach occurs when a breach of security occurs that accidentally or unlawfully leads to destruction, loss, alteration, or the unauthorized disclosure or access to transmitted, stored or otherwise processed data.
2 – Internal persons responsible for reporting data breaches
- The I.M.U.N.A. Foundation has appointed internal responsible persons who are responsible for reporting a data breach.
- Those responsible are: M.E. Kuipers, telephone number: +31725123202; email address: bod@imuna.nl and if not reachable R. van Kempen, telephone number: +31725123202; email address: bod@imuna.nl, hereinafter referred to as: “internal responsible“.
3 – Internal report when a data breach is discovered
- The person who discovers a data breach at the I.M.U.N.A. Foundation reports this immediately to the internal responsible.
- If possible, the person who discovered the data breach will simultaneously ensure that the leaked data is immediately remotely deleted or made inaccessible.
4 – Investigation by the internal responsible
The internal responsible investigates, among other things:
- whether personal data has been lost or can be used unlawfully,
- who or which departments within the organization are involved in the data breach,
- whether a(n) (external) data processor is involved in the incident.
5 – Fight against data breach
The internal responsible will stop the data breach if that is still possible and will also take the necessary measures to combat the data breach as effectively as possible.
6 – Determining the consequences of a data breach
The internal responsible will investigate the possible consequences of the data breach based on the nature and extent of the data that have been leaked and determine what the adverse consequences of the data subjects may be.
7 – Cooperation with the provision of information regarding the data breach
The discoverer/reporter of the data breach fully cooperates with the internal responsible person by answering the following questions as quickly and as accurately as possible:
- what happened? (description of the incident),
- was it accidental or was it caused by malicious intent (e.g., hacked data)?,
- when did it happen? (date and time),
- when was it discovered? (date and time),
- what data (registers) have been leaked? (see processing register),
- is the data encrypted, and if so, how? (encryption type and process),
- Could the data be remotely erased or made inaccessible, and if so, has that happened?,
- what are the possible consequences for those involved?,
- which group(s) of people is / are affected by this? (for example: sponsors, Executive Staff, delegates),
- How many people are (approximately) affected by this?,
- Has there also been data on persons in other EU countries affected by the data breach?,
- Could technical and/or organizational measures already be taken as a result of the incident?.
8 – Availability of personnel after the discovery of data breach
The person responsible for the department from where the data breach took place as well as the discoverer of the data breach and anyone who, based on their position or knowledge, is able to take organizational and/or technical measures to limit the consequences of the data breach, keep themselves available the 1st 24 hours after the discovery of the data breach for consultation with the internal responsible person or any experts appointed by him/her, and for carrying out tasks assigned to them as a result of the data breach if necessary.
9 – Decision on reporting data breaches
- The internal responsible decides as soon as possible, but in any case within 60 hours after the discovery of the data breach – whether or not in consultation with the responsible person of the department in which the data breach was discovered and/or experts appointed by him – whether or not the discovered data breach must be reported to the Dutch Data Protection Authority and/or the parties involved.
- In principle, a data breach is always reported to the Dutch Data Protection Authority, unless it is unlikely that the data breach entails a risk to the rights and freedoms of the data subjects.
- The notification of the data breach is accompanied by answers to the questions as described in section 7.
- A data breach that was reported to the Dutch Data Protection is also reported to the data subjects if it poses a high risk to the rights and freedoms of natural persons unless appropriate measures have been taken to prevent the high risk.
10 – Reporting data leaks to the Dutch Data Protection Authority and/or those involved
- If necessary, the internal responsible is responsible for reporting to the Dutch Data Protection Authority and/or the person (s) involved.
- Reporting takes place as soon as possible after the discovery and no later than 72 hours after the discovery of the data breach.
- Any employee other than the internal controller is not permitted to report the (possible) data breach to the Dutch Data Protection Authority and/or the person (s) involved.
- If an employee does not agree with the decision of the internal responsible regarding whether or not to report the data breach to the Dutch Data Protection Authority and/or the person (s) involved, he can make his grievances known to the management.
- If requested to do so, an employee will cooperate fully with the controller in order to be able to inform the affected persons about the data breach in accordance with Article 34 GDPR.
11 – Consequences of reporting data leaks
- If the data breach has negative consequences for those involved, the internal responsible will do everything in his power to limit these consequences as much as possible.
- Depending on the nature and extent of the data breach for those involved, the internal controller determines:
- how data subjects are informed (including at least the statements made about which types of personal data have been affected, what the possible consequences are, which measures the I.M.U.N.A. Foundation takes and how data subjects themselves can prevent or limit the damage)
- which aftercare those involved receive
- which actions are necessary for the interest of the organization
- If a data breach has taken place – regardless of whether it has been reported or not – adequate technical and/or organizational measures will be taken as soon as possible to prevent future similar data breaches.
12 – Keeping records of data leaks
The internal responsible person keeps a register of all data breaches, in which all data related to the data breach is registered, such as:
- a description of the incident,
- date and time of the data breach,
- date and time of discovery of the data breach,
- description of the type of leaked personal data,
- description of the category (s) of data subjects affected (see processing register),
- description of the number of parties involved (approximate),
- whether data of persons in other EU countries has also been leaked,
- whether the incident has been reported to the Dutch Data Protection Authority and, if so, date and time of the report,
- whether the incident has been reported to the parties involved and, if so, date and time of the report,
- how those involved have been informed,
- the consequences of the data breach, including date and time if possible,
- which technical and/or organizational measures have been taken after the data breach, stating the date and time if possible.
Processing Register (last updated: 29/11/2021)
Contact details:
Foundation: I.M.U.N.A. Foundation, Bergerhout 1, 1815 DA Alkmaar, email address: secretariat@imuna.nl, telephone number: +31725123202
Main responsible: M.E. Kuipers, email address: bod@imuna.nl, telephone number: +31725123202
Operational responsible: F. Bellis, email address: sg@imuna.nl, telephone number: +31614267353
Data Processing Officer: N.A., we have chosen not to appoint a Data Processing Officer. This decision was taken as we work with personal data on a relatively small scale, do not process special personal data and collect personal data in a fairly static way. As a result, it takes little effort to make any necessary adjustments and/or improvements in the future.
Processing activities of regular personal data:
- Category of personal data: Name, address, place of residence
- Category of stakeholders: Participants
- The basis for processing: Agreement
- Purpose of processing: Organising the I.M.U.N.A. conference
- Processed ourselves: Yes
- Processor location: Within the EU or in a country with sufficient legal guarantees
- EU Processing Agreement: Yes
- Retention period: 7 years
- Security measures: Access restriction/prior authorization
- Category of personal data: Place of birth and/or date/age
- Category of stakeholders: Participants
- The basis for processing: Agreement
- Purpose of processing: Organising the I.M.U.N.A. conference
- Processed ourselves: Yes
- Processor location: Within the EU or in a country with sufficient legal guarantees
- EU Processing Agreement: Yes
- Retention period: 7 years
- Security measures: Access restriction/prior authorization
- Category of personal data: Email address/telephone number
- Category of stakeholders: Participants
- The basis for processing: Agreement
- Purpose of processing: For organizing the I.M.U.N.A. conference
- Processed ourselves: Yes
- Processor location: Within the EU or in a country with sufficient legal guarantees
- EU Processing Agreement: Yes
- Retention period: 7 years
- Security measures: Access restriction/prior authorization
- Category of personal data: Digital data (IP addresses, login data)
- Category of stakeholders: Website visitors
- The basis for processing: Consent
- Purpose of processing: To improve the website, user experience and to help spam detection
- Processed ourselves: Yes, as well as by external processors (Google: https://policies.google.com/privacy, Gravatar: https://automattic.com/privacy/).
- Processor location: Within the EU or in a country with sufficient legal guarantees
- EU Processing Agreement: Yes
- Retention period: 14 months
- Security measures: Anonymization of personal data, access restriction/prior authorization
Processing activities of special personal data:
N.A., we do not collect special personal data.