Privacy statement SURF B.V.

SURF B.V. (hereinafter referred to as SURF) values the privacy of both its member institutions and of visitors to its website. When we ask you for your personal details, we handle them with care. We always comply with the General Data Protection Regulation (GDPR). You can read all about this in our privacy statement.

Please note: this privacy statement explicitly does not apply to the processing operations that take place within the SURFspot service.

How do we handle your data?

Privacy

If SURF requests and processes your personal data, then your privacy is our prime concern. This means, among other things, that:

  • we clearly state for what purposes we are processing your personal data; we do this by means of this privacy statement;
  • we ask for only the personal data that is needed for legitimate purposes;
  • we keep your personal data very safe and also demand the same from the parties, which process your personal data on our behalf; and
  • you may view, correct or delete your personal data at any time. 

Security measures

Among other things, we have applied the following security measures to protect your personal data:

  • Our system is accessible only over the SURF-network, using a secure VPN connection;
  • We use secure (HTTPS) connections to guarantee the security of data transfers; and
  • We apply organizational and physical access controls.

For what do we use your data?

Registration for events

If you register for an event via our website, we shall ask you to provide the following personal details:

  • first name and surname (mandatory)
  • e-mail address (mandatory)
  • organisation in which you work (mandatory)
  • sector of the organisation in which you work
  • job
  • payment details
  • dietary preferences
  • any other information you voluntarily provide 

Why do we ask for this information?

We need your details in order to process your registration (legal basis for processing: performance of an agreement). In addition, we can carry out statistical research using this information in order to improve our services (legal basis for processing: SURF's legitimate interest) 

How long do we retain these details?

SURF may retain your details for up to 18 months after the event for the purpose of research. This research is aimed at improving the events we offer the target group. SURF pseudonymises the data for this research so that they are no longer directly traceable to individuals. To this end, SURF removes your name and e-mail address. After 18 months, your details are completely anonymised so that they are untraceable, either directly or indirectly. SURF may use the anonymised details only for statistical research.

Registration and participation SURF Education Days

If you register for the SURF Education Days, we will process the following personal data:

  • email address (mandatory field)
  • first name (mandatory field)
  • surname (mandatory field)
  • organisation (mandatory field)
  • function
  • comments or any other information you provide voluntarily

If you participate in the SURF Education Days, we may process the following personal data:

  • information that is processed to complete the survey after the end of the SURF Education Days

If you participate in the networking session that goes via Zoom:

  • (video) image and sound

Why do we ask for this information?

We need your data in order to process your registration (legal basis for processing: performance of contract).  

Finally, we may ask you to participate in the survey, so that we can possibly improve SURF Onderwijsdagen (legal basis processing: consent).

How long does SURF retain this data?

SURF may use the data for the purposes of your registration for research purposes up to 18 months after the event at the latest. This research is aimed at improving the events that we offer to the target group. For the purpose of this research SURF pseudonymises the data so that it can no longer be directly traced back to individuals. For this purpose SURF removes your name and e-mail address. After 18 months your data will be completely anonymized, so that they are no longer traceable, either directly or indirectly. SURF will then only be able to use the anonymized data for statistical research purposes.

The personal data processed for participation in SURF Education Days will be used for research purposes until 18 months after the event at the latest. The personal data processed for the survey will be used for improving SURF's events until 18 months after the event at the latest. 

Which parties obtain this personal data?

Various tools are used for the (online) organisation of SURF Educational Days. The SURF Education Days take place online in the Reply.live platform of FX Agency. Your personal data will be shared with them so that you can participate online. FX Agency will delete your personal data within 4 weeks after the end of the SURF Education Days.

Zoom is used for certain sessions. These sessions can be followed via the browser without opening the Zoom tool. Via the browser you will not be in the picture and you cannot be heard. It is possible that there is a 1 on 1 video call with partners in the Port. If you have requested a conversation with a supplier, the supplier will provide a link for a video conferencing tool. Here you will be in the picture and you can also turn on your sound. Participation in these video conversations is not mandatory. In addition, a 'networking session' will be organized during the SURF Educational Days. To participate in the networking session, it is necessary to install the Zoom application. Participation in the networking session is voluntary and there are plenty of other sessions you can attend during the Education Days if you choose not to participate in the networking session. Zoom's services involve the processing of personal data outside the EEA. SURF has made good arrangements with Zoom regarding the processing of your personal data. However, we advise you not to discuss sensitive information during the network session and/or other sessions. Zoom applies its own retention periods, for which we refer you to Zoom's privacy statement.

Submitting a session proposal

You may submit a session proposal for a SURF event via our website. If you register via our website to present a session at an event, SURF may process your following details:

  • first name and surname (mandatory)
  • mobile telephone number (mandatory)
  • e-mail address (mandatory)
  • gender
  • job
  • organisation or institution in which you work
  • address
  • sector of the organisation in which you work
  • fellow speakers

Why do we ask for these details?

SURF has to process your details so that your session proposal can be processed. By sending us an e-mail, you consent to the processing of your details (legal basis for processing: consent).

How long do we retain these details?

If you submit a session proposal via our website, SURF will retain these details until the event takes place and then for a further 2 months for any follow-up questions and in order to send you the evaluation of your session.

Videos of plenary and/or parallel sessions

Image and sound recordings of plenary and/or parallel sessions may be made during SURF events for the purpose of knowledge transfer. Speakers will be clearly visible in these videos; visitors will generally not be recognisable and will only be visible from the rear. However, we cannot guarantee this. If you do not wish to be recognisable in the video, you may take a seat at the back of the room. Usually only the front rows of visitors will be visible from the rear. As there are also sound recordings, any questions and comments will also be recorded. We shall publish the videos on the review page of our website for the period set out below.

Why do we ask for this information?

The processing of speakers’ details occurs in consultation on the basis of consent or on the basis of performance of the contract. The processing of details of visitors who may be visible in the video is based on the legitimate interest of SURF and its target group (legal basis for processing: legitimate interest). SURF and its target group have an interest in the transfer of knowledge that takes place through the publication of these videos. Before each session, it is clearly mentioned that image and sound recordings will be made and how to ensure that you do not appear in the video.

The videos fall under ‘journalistic/academic expression’ in the applicable privacy legislation (Article 85 GDPR) and are published on the Internet only as long as they have journalistic or academic value. Consequently, it is generally not possible to submit a removal request as long as the images still have journalistic or academic value. 

How long do we retain these details?

We retain the videos as long as they are of journalistic, academic or scientific value; SURF checks this every year. This value can be demonstrated, for example, by the fact that videos are frequently viewed.

Images of SURF events

During SURF events, professional photographers, camera people and SURF may take photos and record videos and/or vlogs. We may use these atmospheric images on Twitter, on our website, in the newsletter or a mailing from SURF about the event in question. We may also retain a small and carefully selected part of the visual material in an archive for the purpose of historical awareness.  

Why do we ask for these details?

We process these images on the basis of the legitimate interest of SURF. SURF has an interest in recording visual material of its events to raise awareness for the event.

You may indicate that you would rather not be visible in the images. We use a colour system for this. Based on your preference, you will receive a lanyard in a specific colour at the event. That way photographers, camera people and SURF can take your preference into account. SURF always takes the privacy of its visitors into account and carefully assesses the visual material to be used in publicity for the event.

How long do we retain these details?

In principle, SURF does not store visual material for longer than 2 years after the event. After 2 years at the latest, the visual material is permanently deleted.

In exceptional cases, SURF may retain a small and carefully selected part of the visual material for a longer period of time for the purpose of historical awareness. This visual material can be used later, such as for an anniversary. To the extent possible, we select visual material in which visitors are not clearly visible.

Interviews

SURF may interview visitors during events. A video is made of the interview, which may be published on the website, for example.  

Why do we ask for these details?

SURF may ask visitors whether they wish to participate in an interview (legal basis for processing: consent). The interview will be made into a video, which SURF may use for public relations purposes (for example by publishing the video on the website or incorporating it in a review video). 

How long do we retain these details?

If you agree to processing of the interview, we do not retain the video of the interview for longer than 2 years after the event in question. In exceptional cases, SURF may apply a different time limit. If this is the case, we will clearly indicate this in a written statement of consent which we will submit to you before the interview is conducted. 

The interviews may fall under ‘journalistic/academic expression’ in the applicable privacy legislation (Article 85 GDPR). In that case, it is generally not possible to submit a removal request as long as the legal retention period has not yet expired.

Contact by e-mail

If you contact us by e-mail for questions or support, SURF may process the following details you provide:

  • name
  • e-mail address
  • any other personal data you send us by e-mail

Why do we ask for this information?

We need to process these details to be able to deal with and answer your question (legal basis for processing: consent). By sending us an e-mail, you consent to the processing of your details.

How long do we retain these details?

If you contact us by e-mail, we will retain your details for as long as necessary, based on the content of the e-mail, in order to deal with and answer your question and for any follow-up questions.

SURF Magazine

If you subscribe to the quarterly SURF Magazine via our website, we ask you for the following personal details:

  • first name and surname;
  • gender;
  • address;
  • email address;
  • telephone number;
  • organization for which you work;
  • sector of the organization where you work; and
  • job-title.

Why do we ask for this information?

We need your details in order to process your subscription to SURF Magazine (legal basis for processing: performance of an agreement). In every SURF Magazine there are instructions on how to unsubscribe. You unsubscribe by sending an email to communicatie@surf.nl

How long do we retain these details?

We retain your details for as long as you are a subscriber to SURF Magazine. Once you unsubscribe, we immediately delete your details. 

Web forms

On our website, you can fill out forms for a variety of reasons. For example, you may register as a speaker for an event or fill out a feedback form. When you fill out a web form, SURF may ask you for the following details:

  • first name and surname;
  • address;
  • email address;
  • telephone number;
  • area of interest;
  • organization for which you work;
  • sector of the organization where you work;
  • job-title; and
  • other information that you can provide optionally.

Why do we ask for this information?

We need your details in order to process your registration or request (legal basis for processing: performance of an agreement).

How long do we retain your details?

We retain your data up to 1 month after your request or registration has been fully processed, so that we can still answer any follow-up questions. 

Our SURF News newsletter

If you subscribe to our SURF News online newsletter, we ask you for the following personal details:

  • first name and surname;
  • email address;
  • organization for which you work; and
  • area of interest.
  • Every newsletter from SURF includes a link at the foot of the newsletter to allow you to unsubscribe.

Why do we ask for this information?

We need your details in order to process your registration (legal basis for processing: performance of an agreement).

How long do we retain your details?

Directly after you have signed out of SURF News, you will not receive the newsletter anymore.

Customer relationship management

We process personal data in the context of our customer relationship management, in order to fulfil our obligations under the agreements with our relations. For example, we can record data of contact persons of institutions, suppliers and other business relations in the SURF-wide CRM system. For the purpose of relationship management, we may process the following data:

  • first name and surname; 
  • gender;
  • address;
  • telephone number;
  • cell number;
  • role or job-title;
  • department;
  • institution or organization with which you are affiliated;
  • email address; and
  • short business visit report, if our relationship manager has visited you

Why do we process this information?

We need this information for the purposes of our customer relationship management (legal basis for processing: SURF's legitimate interest).

How long do we retain your details?

Data that are required to be retained by law will be retained for the period the law requires. We therefore retain the data included in the legal basic administration for up to 10 years after the end of the contract. In all other cases, we retain your data for up to 1 year from the end of the agreement. 

SURF Events app

SURF offers a SURF Events app (“SURF Events”) with information about all SURF events. The SURF app, which you can download from the Google Playstore and the Apple ITunes Store, can be used without having to create a profile. In that case, you can view general information in the app, such as the programme of the event and the speakers. It is also possible to create a profile in the app, which gives you access to all functions. You can choose to keep your profile private or to make it public. Creating a profile allows you to place messages on the bulletin board, complete polls, receive push messages and see the profiles of other users, who have indicated that they wish to make their profiles public in the app.

When using the app, SURF may process the following personal data about you:

Use of the app without a profile

  • IP address

Use of the app with a profile

  • E-mail address (mandatory)
  • Personal profile
    • first name and surname (mandatory)
    • business pitch (free field) (optional)
    • social media profiles (optional)
  • DM messages sent (optional)
  • Programme favourites (optional)
  • Active and past events
  • Likes and comments on bulletin board (optional)
  • Polling choices (optional)
  • IP address
  • User ID

Why do we ask for or process these details?

We apply different principles for processing this information:

  • E-mail address and personal profile. This information is necessary to create a personal profile for you in the app (basis: performance of contract).
  • You may choose to make your personal profile public so that it is visible to all users of the SURF events app. This is not the default setting. By default, the app is set to keep your profile private. Your profile will only be made public if you actively choose this option (legal basis: consent).
  • IP address and User ID. We process these data to ensure the security and stability of the system (legal basis: legitimate interest of SURF).
  • All messages you send, the messages that you post on the bulletin board and any polls you complete will be processed on the basis of your consent (legal basis: consent).
  • We may process your User ID, IP address and e-mail address to detect error messages in the app and to improve the app (legal basis: legitimate interest of SURF). You can read more about this under ‘Cookies and similar technologies’.

How long do we retain these details?

IP addresses

31 days

User IDs

3 months

Personal profiles, including logging of your agreement to the Terms of Use

Until you delete your profile. If a profile has been inactive for 24 months, SURF will send an e-mail to the user concerned that the profile will be deleted after one week. If no one responds to this e-mail, SURF will delete the profile.

Comments and likes on the bulletin board

Until your profile is deleted. After that the data will be anonymised.

Polling choices

Until your profile is deleted. After that the data will be anonymised.

Programme favourites

Until the event/session in question. After that, the event/session automatically disappears from your list of programme favourites.  

Active and past events

Until your profile is deleted. After that the data will be anonymised.

DM messages

User names will be retained, but anonymised.

Content will be deleted.

User ID, IP address, e-mail address for dealing with error messages

31 days

Transfer of data outside the EEA

A small part of your personal data may be transferred to ICT service providers based in the USA. These parties operate under the Privacy Shield and must comply with European privacy legislation. 

Cookies and similar technologies

We use cookies when offering our app. A cookie is a simple, small text file that is stored on your device to make it recognisable. When we talk about cookies in this Privacy Statement, we also mean similar (tracking) techniques, such as scripts.

Our application uses the following cookies or similar technologies:

Functional: Sentry

Sentry is a script that we use to detect error messages in the app and to improve the app. The following personal data may be processed:

  • User ID
  • IP address
  • E-mail address

These details are stored for a period of 31 days.

Third party: Google Maps

The app uses the Google Maps service, which makes it possible to display a geographical map. It can also be used to generate directions.

The information collected by Google is anonymised as much as possible. Google transfers the information to and stores it on servers in the United States. Google is Privacy Shield certified. This means there is an adequate level of protection for the processing of any personal data.

To whom do we transfer your data?

We only pass on the data you provided us to third parties when this is necessary to be able to provide you with the respective services.

We will only supply your data to other parties with your agreement, unless it is legally required of us or permitted to transfer your data. For example, the police may require us to provide data as part of a fraud investigation. SURF is then legally required to provide these data.

In addition to the cases referred to above, we may provide your details in the following situation: when processing them in the context of relationship management, we may provide your contact details to your institution's SURF Coordinating Contact Person if this is necessary for proper coordination of communication on SURF-related topics. For this purpose, we may provide your name, business e-mail address, and the SURF committee or group in which you are involved. Your details will be provided on the basis of the legitimate interests of SURF and the institution.

What rights do you have in relation to your data?

We process your personal data and you can therefore decide what is done with them. To do so, you can contact SURF; see the contact details at the foot of this page. What exactly can you do with the data provided to us?

  • You may request to see your data that we are processing.
  • You may ask us to amend your data, to complete them, or to remove them if they are incorrect or not (no longer) relevant.
  • You may ask us to restrict the processing of your data.
  • You may request a digital copy of your data that we process and you have the right to transfer these data to a different service provider.
  • You may withdraw your consent to the processing of your personal data, for example by unsubscribing from a newsletter. Note: the processing of your personal data before you withdrew your consent remains legal.

If you believe that SURF is not handling your personal data correctly, then you may file a complaint with SURF. If you and SURF are unable to resolve the issue, then you can submit a complaint about SURF to the Personal Data Authority

Right of objection

In addition to the rights referred to above, you may also object to processing that takes place on the grounds of the legitimate interest of SURF or a third party. This may be for reasons related to your specific situation. You can object via the contact details at the bottom of this privacy statement.

Please note: there are exceptions to this. Please be aware that SURF no longer has control of content (such as videos), after it has been published online on channels other than its own website. In addition, we may use visual material in a review video of the event or in a printed newsletter. In these cases, too, SURF cannot remove the visual material after publication. SURF will, of course, select the visual material used for this purpose with the utmost care.

Third-party websites

This privacy statement does not apply to third-party websites to which we have links on our website. SURF is unable to guarantee that these third parties will handle your data in a trustworthy or secure manner. We recommend that you read the privacy statement(s) on those websites before you make use of such website(s).

Amendments to privacy statement

SURF may amend this privacy statement. We therefore recommend that you review this privacy statement regularly.

Cookie policy

Also read our cookie statement, where we explain what cookies we use on our website and why. 

SURF contact details

General

SURF
Moreelsepark 48
3511 EP  Utrecht
The Netherlands
communicatie@surf.nl
+31-887873000

This privacy statement was last revised on 4 January 2021.