This privacy statement lays down what personal data GVB processes, what we use this data for and how. If, after reading this privacy statement, you have any further questions about your personal data, , click here to read how you can contact GVB.. we are more than happy to answer your questions.
Our complete privacy statement can also be Download.
First and foremost, we process your personal data in accordance with the requirements of the
- General Data Protection Regulation ("GDPR")
- the General Data Protection Regulation Implementation Act ("UAVG")
- the Police Data Act
- and the Dutch Telecommunications Act.
GVB also observes the "Code of Conduct for the Processing of Personal Information for an OV-chipkaart
” of Koninklijk Nederlands Vervoer. The code of conduct contains rules that stipulate that travellers' personal data must be processes in a responsible and careful manner.
Amendment to privacy statement
GVB may make amendments to this privacy statement from time to time. In the event of major changes, GVB will notify you of these via our newsletter or website, for example. The date of the last amendment is stated at the top of our privacy statement at all times.
The party responsible for processing your personal data within the meaning of the GDPR and the Police Data Act (the controller) is GVB Exploitatie B.V., with its registered office in Amsterdam, the Netherlands, unless stated otherwise in this privacy statement. The controller determines what will happen to your personal data within the statutory frameworks.
GVB Exploitatie B.V.
1000 CC AMSTERDAM
GVB Exploitatie BV is registered in the Commercial Chamber of Commerce under number 34259721.
If you make use of GVB's ferries, GVB Veren B.V. is the controller for processing your personal data.
GVB Veren B.V.
1021 KB Amsterdam
GVB Veren BV is registered in the Commercial Register of the Chamber of Commerce under number 34259718.
Questions, complaints and contact
Do you have questions or complaints in relation to the processing of your personal data by GVB? Do you have any comments or suggestions in relation to this privacy statement? Or, do you want to exercise your rights (including the right to inspect, correct or delete data). If so, you are welcome to get in touch with us: Please find our contact details here
Who do we share your data with?
GVB does not sell any personal data to other parties.
Sometimes GVB wishes to provide your personal data to other parties. For example, to the insurance company if a damage claim has been submitted, the Tax and Customs Authority on the grounds of legislation and regulations, or in legal proceedings or proceedings for the Public Transport Disputes Committee to corroborate our viewpoint. These other parties are personally responsible for the use and processing of the received personal data. GVB does not provide more data to these third parties than is necessary.
In order for the OV-chipkaart to work well nationally, for the settlement of transactions/travel transactions with your OV-chipkaart and the financial settlement for profit sharing between the public transport companies (“transport companies”), GVB shares your (transaction) data and product data with Translink Systems B.V. (“Translink”). Further information about this cane be found at www.ov-chipkaart.nl
. Further information about the processing of your personal data in the context of the OV-chipkaart system can be found under the section public transport chip card system
. For certain processes of the OV-chipkaart system, the shipping companies and Translink are joint controllers.
GVB also brings in other parties to perform services. These are processors of GVB who are able to process personal data by order of and on behalf of GVB. GVB reaches specific agreements with these processors in relation to the processing of personal data, such as in relation to security and data retention, confidentiality and that fact that data may only be used for the execution of the specific order obtained by GVB. These processors may not use or pass on this personal data independently. This concerns, for example, payment service providers, debt collection agencies, cloud and hosting parties, IT service providers, survey and campaign agencies or research agencies and consultancy firms.
GVB is obliged to cooperate in this matter and to provide personal data if investigation organisations, such as the police or the FIOD for example, demand data. In such cases, GVB investigates the authority of the investigation organisation in question and will, of course, observe the requirements set by the GDPR or the Police Data Act, even when fulfilling its statutory obligation. GVB may also provide personal data independently to the police or the judicial authorities in order to protect the rights and property of GVB.
More specific information about provision to other parties can be read for each situation or process referred to in the section Why does GVB use your personal data?.
Where is your personal information stored?
Your personal data will be stored and processed within the Netherlands or the European Economic Area (EEA consisting of EU + Iceland, Norway and Liechtenstein). Processing of personal data in countries outside of the EEA is permitted for countries which the European Commission has decided have an appropriate level of protection (for example, parties in America that fall under the Privacy Shield). For other countries outside of the EEA, GVB is taking appropriate measures. GVB then agrees on the standard provisions determined by the European Commission, so that only parties offering adequate protection for your personal data are legally bound. For further information, please contact the Data Protection Officer on firstname.lastname@example.org
How do we safeguard your personal data?
We handle your personal data with care, which is why GVB has taken appropriate security measures to protect your personal data against unintentional or unlawful destruction, loss, amendment or unauthorised provision of or access to your personal data. Those measures vary from physical measures such as a burglar alarm or access control to various organisational and technical security measures. GVB regularly evaluates the technical and organisational measures taken, so that these are and remain appropriate. We also place contractual requirements to take appropriate security measures on our processors if they process data on our behalf. Furthermore, only authorised employees or third parties have access to your personal data and only if that is necessary for the execution of their work and on the basis of established authorisation policy. They also have a duty to maintain confidentiality.