Schiphol Pass Privacy Statement

Which personal data do we process?
Persons employed on the airport grounds are granted access to airport locations via a Schiphol Pass. Depending on the area where you work, you will be given a specific type of Schiphol Pass (either a green, orange, blue, white or grey pass).

The following personal data of everyone issued with a Schiphol Pass are stored in our access control systems:

• name and address details
• date of birth and place of birth
• nationality
• gender
• passport photo
• employee number (optional)
• name of employer
• address of employer
• email address of employer
• telephone number of employer

We may also save a ‘certificate of good conduct’ or ‘certificate of no objection’.

Moreover, we record on the pass itself an iris template and the weight of the user. This allows the user to be identified at the airport’s passageways. We do not store the iris template and the weight of the user in our systems.

We register whenever and wherever you use your Schiphol Pass. Schiphol does not access these data unless there is a specific (security-related) reason for doing so.

Why do we process your personal data?
Schiphol is obliged to ensure the security of the airport pursuant to various national and international security-related and other legislation and regulations. These provisions are implemented by means of controlled entryways in combination with a valid Schiphol Pass in accordance with the requirements specified in EU Regulation (EC) 300/2008, Article 4(1.2), for example.

It is essential for Schiphol to process personal data if the airport is to comply with these statutory obligations. Schiphol does not process the personal data for other purposes.

How long do we retain your data?
The personal data stored on Schiphol’s systems are destroyed five years after the pass is handed in, unless there are well-founded reasons to retain them for longer, for example in the event of an investigation into an incident.

The Schiphol Pass and the information stored on it (such as the iris template and weight of the user) are destroyed immediately on the handing in of the pass.

The information pertaining to the use of the pass are saved for one year.

Who do we share your data with?
We will share the personal data we register with your employer. We do not share the information pertaining to the use of your Schiphol Pass with your employer.

Furthermore, we share the personal data stored in Schiphol’s systems with the Royal Netherlands Marechaussee. We do not share the information pertaining to the use of your Schiphol Pass with the Royal Netherlands Marechaussee unless there is a need to do so owing to security reasons.

Amsterdam Airport Schiphol processes personal data as much as possible within the European Union. Schiphol may engage a processor who delivers IT services whereby data are processed in countries outside the European Union, including the United States of America or India. We do this only in a manner that complies with the requirements of the General Data Protection Regulation.

Access to, amendment and deletion of your personal data
You have the right to know what personal data on you are processed by Schiphol. If we have not obtained the data directly from you, you also have the right to know from what source they derive and to receive a copy thereof.

If your personal data prove to be incorrect, you can ask us to amend your data. You can also request us to delete personal data and to discontinue their use. If we process your personal data on the basis of your consent, and there is no other legal basis for the processing, you have the right to withdraw that consent and we will comply with your request to delete them. In some cases, we may refuse your request.

Restriction of processing and right to transfer your data
If in your opinion we are not processing your data in a correct manner, you can request a restriction of the processing.

You can also ask us to transfer your digital personal data to you or to another party in a readable and usable form.

Lodging an objection
Besides requesting deletion or restriction of the processing, you can also object to the processing of personal data by Schiphol. Firstly, you can do so if you do not agree to Schiphol using your personal data for direct marketing (for instance by profiling).

Secondly, you can object to the use of your personal data owing to your specific situation. If you lodge an objection, we will in principle temporarily discontinue or restrict the processing of your personal data. If your objection is accepted, we will definitively discontinue or restrict the processing.

Your request and our response
If you have a question or a request or if you wish to lodge an objection, email our Data Protection Officer (DPO) via dpo@schiphol.nl. We will do our utmost to respond to your request in a timely manner.

We may ask you to send us a copy of a valid ID if this is necessary in order to confirm your identity.

If any part of your request is unclear to us, we may ask you to specify your request and/or to supplement it, to enable us to provide you with the best possible service.

Who is the controller?
This privacy statement is issued by Schiphol Nederland B.V. Our contact details:

Schiphol Nederland B.V.
P.O. Box 7501
1118 ZG Schiphol

How to contact our Data Protection Officer (DPO)
Schiphol has a Data Protection Officer (DPO) for all your questions concerning privacy. The DPO also provides advice to us and monitors compliance with the privacy laws and regulations by Schiphol.

Do you have any questions or requests concerning your data? If so, you can send an email to the DPO via dpo@schiphol.nl or send a letter to our postal address, for the attention of the Data Protection Officer. Together with your request, please provide your name, address, email address and telephone number.

If you are dissatisfied with the way in which we treat your privacy or handle your request or objection, you can file a complaint with the Dutch Data Protection Authority.

If necessary, we will update this privacy statement. This may be due to changes in policies, changes in the data processing operations or changes in the systems we use to process data.