Privacystatement: Privium

During your Privium membership, we will collect the following data of yours:

• Contact details:
  Correspondence name, address, postcode, city/town, country, telephone number, email address, language preference and membership details (membership number, membership type, card number, card expiry date, effective date).
• Travel document details:
  Surname, initials, date of birth, place of birth, gender, nationality, type of travel document, travel document number, expiry date, country of issue.
• Payment method details:
  Payment preference, IBAN (for direct debit) and, where applicable, BIC (foreign bank account), SEPA authorisation (for direct debit).
• Card use:
  We document when you use your Privium card. We register card use at the personal level at the Privium gates and at Privium parking. Card use is stored on an anonymous basis when you visit the lounges.
• Iris data:
  Iris photographs are taken of both of your eyes, specifically for your Privium membership. This information is needed to give you access to the Privium gates and border passage. A template is calculated based on those iris photographs, which is then stored in encrypted form in the highly secure Privium database. The photographs of your iris cannot be reconstructed from the template. If your iris template is stored in the Privium database, a unique code is stated on the chip of your Privium card in order to read your iris template in the Privium database. Schiphol does not store this code itself. Schiphol is therefore unable, without your Privium card with the unique code, to decrypt your iris template or to link it to your person. As soon as you arrive at a Privium gate for border passage, the code on your card will be used to decrypt the iris template and your iris will be compared with the iris template that is stored in the Privium database.
• Preference data:
  Privium has a loyalty programme and a member-gets-member (MGM) programme. In some cases, we offer you the opportunity to choose a gift as part of these programmes. Schiphol will document your gift preferences.
• Membership status details:
  We also process data on the status of your membership, such as whether your membership is active or inactive. In addition, we process data on your membership, such as instances when your Privium pass or Privium membership has been subject to misuse.

When you receive a Privium card, the following data will be printed on the Privium card:

• Privium membership number
• The card number, the expiry date of the card and the type of membership
• Name, initials and date of birth

The following encrypted information is stored in the chip of the Privium card:

• Privium membership number
• Name, initial, date of birth, place of birth
• The unique code for retrieving your iris template (if stored in the Privium database) or your iris template (if your iris template is stored on the card).

• Contact details:
  We use your contact details for purposes such as communication, determining the range of services, customer surveys and correct invoicing. We need the contact details for the performance of the agreement that you enter into with Schiphol.
• Email address:
  We also use your email address for marketing and communication purposes. For instance, we may invite you for Privium networks that exist via social media. When you register for the Privium programme, you provide consent for this.
• Travel document details:
  Your travel document details are necessary for identification and verification for the automatic border passage. We therefore process those data in connection with the performance of the agreement that you conclude with Schiphol.
• Payment method details:
  We use your data for the invoicing of the Privium services. We therefore process those data in connection with the performance of the agreement that you conclude with Schiphol.
• Card use:
  We need your card data to be able to present a use summary to you (performance of an agreement) and in connection with combating fraud (legitimate interest).
• Iris data:
  Your iris data are necessary for the verification for the automatic border passage. We need those data in connection with the performance of the agreement that you conclude with Schiphol. In addition, when you register for the Privium membership, you expressly provide consent for the use of these data. If you do not wish to provide consent for the storage of your iris template in the Privium database, you may opt to have it stored on your Privium card rather than in the Privium database.
• Preference data:
  We use your preference data to present relevant offers and possible gifts to you in the future. We use your preference data for the performance of the agreement that we have with you. You also provide consent for the processing of these data by Schiphol.
• Membership status details:
  We process this data in order to monitor the status of the membership. This is needed to ensure that the membership is being used correctly and that the person in question is entitled to use the Privium services.
• Opwaardeerstation:
  Our ‘Opwaardeerstation’ is a machine that is available for members to use when they are in one of the Privium lounges. This machine can, for example, give members some information about their membership. Using this Opwaardeerstation we process your contact details, your Privium card details and possibly a part of your iris data that is on the Privium membership card. The machine only uses your iris data when you actively choose to remove your iris data from our database.

We will delete the contact details, travel document details, payment method details and preference data two years after the end of your Privium membership. Your card use will be deleted two years after the date of use.

As Schiphol is unable to decrypt your iris template, Schiphol will of its own accord delete your iris template ten years after your iris template was stored in the Privium database (enrolment date). If you want your iris template to be deleted earlier, Schiphol will need your help to do so, via your Privium card (or the white QR card), because that is the only place where the unique code is stored that is required to be able to delete your iris template.

If your iris template is stored on your Privium card only, the iris template will be destroyed as soon as the card is destroyed.

If, in your use of your Privium pass or Privium membership, you breach the General Terms and Conditions you agreed to when you signed up for membership, you may receive a warning from us; in the event of a second breach, a suspension of your membership may be imposed. Depending on the nature of the breach and the type of suspension imposed, we will in any case retain your membership status details and your contact information for up to 10 years from the time that the warning or the suspension is imposed. If your membership is not terminated as a result of the suspension, we will retain your personal data for 2 years after your Privium membership expires.

We share your travel document data with the Royal Netherlands Marechaussee to make the border passage possible.

Schiphol also shares your email address with providers of social media services, so that you can be invited to join the Privium groups on social media.

If your email address cannot be reached, your contact details will be disclosed to an external company, to be able to send your invoice by post. Contact details are also disclosed to external parties to be able to send or offer a gift to you in certain cases.

If your membership is paid or will be paid by third parties (for instance, if your employer or company has entered into a Privium Corporate Membership), we will disclose your correspondence name, initials and date of birth to those third parties to ensure that invoicing can take place in the correct manner.

Access to, change and deletion of your personal data
You have the right to know what personal data on you are processed by Schiphol. If we have not obtained the data directly from you, you also have the right to know from what source they derive and to receive a copy thereof.

If your personal data prove to be incorrect, you can ask us to change your data. You can also request us to delete personal data and to discontinue their use. If we process your personal data on the basis of your consent and there is no other legal basis for the processing if you withdraw that consent, we will comply with your request to delete them. In some cases, we may refuse your request.

Restriction of processing and right to transfer your data
If in your opinion we are not processing your data in a correct manner, you can request a restriction of the processing.

You can also ask us to transfer your electronic personal data to you or to another party in a readable and usable form.

Lodging an objection
Besides requesting deletion or restriction of the processing, you can also object to the processing of personal data by Schiphol. Firstly, you can do so if you do not agree to Schiphol using your personal data for direct marketing (for instance by profiling).

Secondly, you can object to the use of your personal data owing to your specific situation. If you lodge an objection, we will in principle temporarily discontinue or restrict the processing of your personal data. If your objection is accepted, we will definitively discontinue or restrict the processing.

Your request and our response
If you have a question or a request or if you wish to lodge an objection, send an email to our Data Protection Officer via dpo@schiphol.nl. We will do our best to respond to your request on time.

If it is necessary in order to confirm your identity, we may ask you to send us a copy of a valid ID. Instructions for making a safe copy are available on the Rijksoverheid website. If you do not wish to send a copy of your ID, you can also visit us for the purpose of identification. For more information about this, please contact the Data Protection Officer.

If any part of your request is unclear to us, we may ask you to specify your request and/or to supplement it, to enable us to provide you with the best possible service.

Who is the controller?
This Privacy Statement is issued by Schiphol Nederland B.V. Schiphol’s contact details are:
Schiphol Nederland B.V.
PO Box 7501
1118 ZG Schiphol
The Netherlands
privium@schiphol.nl

How to contact our Data Protection Officer
Schiphol has a Data Protection Officer for all your questions concerning privacy. The Data Protection Officer also provides advice to us and monitors compliance with the privacy laws and regulations by Schiphol.

Do you have any questions or requests concerning your data? If so, you can send an email to the Data Protection Officer via dpo@schiphol.nl or send a letter to our postal address, for the attention of the Data Protection Officer. Together with your request, please inform us of your name, address, email address and telephone number

If you are dissatisfied with the way in which we treat your privacy or handle your request or objection, you can file a complaint with the Dutch Data Protection Authority.

If necessary, we will update this Privacy Statement. This may be due to changes in policies, changes in the data processing operations or changes in the systems we use to process data. You can find the most recent version of the Privacy Statement on our website www.schiphol.nl/privium. We advise you to check this regularly.