This is the Privacy Policy of Stichting Het Rijksmuseum, domiciled in Amsterdam at Hobbemastraat 20, 1071 ZC (hereinafter referred to as “Rijksmuseum”, or “we”), containing a description of how we handle your personal data. The Rijksmuseum values your privacy and will always process your personal data in accordance with the General Data Protection Regulation.

1. Scope

This Privacy Policy applies to all personal data about you that is collected and used by the Rijksmuseum when you visit our website, application or web shop, create a profile for Rijksstudio, make a donation, become a Friend of the Rijksmuseum or a sponsor, participate in one of our receptions and events or use one of our other services (“Services”), or, when you make a purchase using the ticket or web shop or otherwise purchase products from us (“Products”). Personal data are data that allow us to identify you as an individual, as set out below under “Personal data processed by us”.

2. Personal data processed by us

Depending on the type of Services you use, or Products you purchase, the personal data we collect and process about you include:

  • Your contact details, such as name, email address, home address and (mobile) phone number.
  • Your account details and (electronic) identification data, such as your account on the website or your Rijksstudio account, your bank account number, electronic identification data such as your IP or MAC address, as well as the data you have added to your account yourself (such as your user name, password, date of birth, interests). Information related to the use of our online Services or applications, such as the web pages you visit, Products and Services you are interested in, the contents of your shopping basket.
  • Information related to the Products and Services that you purchase from us, such as your hobbies and interests, profession/work, pictures, personal features and the knowledge that you have used that specific Product or Service.
  • The content of your communications with us, for example, when you contact us by email, phone or otherwise.

3. The purposes and legal basis for processing your personal data

The Rijksmuseum collects and uses your personal data for the purposes set out below, based on the law. Insofar as the Rijksmuseum already holds your personal data, these personal data will be used for the same purposes and on the same legal basis.

  • Required for the execution of an agreement
    Your personal data are collected and processed to handle your purchase of Products and your request to provide Services. In addition, we process your personal data to handle any requests, complaints or questions from you.
  • Required to represent the legitimate interests of the Rijksmuseum
    We may use the aforementioned personal data to improve our Products and Services and to better understand and approach our visitors and relations, both on an aggregate and an individual level. This means that we analyse your use of our Products and Services and that we use this information to improve our Products and Services in order to provide you with an improved user experience (for example, we analyse which web pages you visit and which Products and Services you use, which enables us to create personal profiles and assess what could be of interest to you and what recommendations we can give you when using our Services).
  • Based on consent
    To the extent necessary, we will ask for your consent to keep you informed about news or offers related to our Products and Services. You can withdraw your consent at any time. How you can do this is described below.
  • Required to comply with a legal obligation
    We may use your personal data to comply with applicable laws, to comply with requests from public bodies and authorities, or to cooperate with law enforcement.

4. Use of cookies

Our website and applications use cookies to improve usability, effectiveness and security, as well as for marketing purposes. Cookies are small text files on your computer that are stored by your browser. For more information about the use of cookies by the Rijksmuseum, please refer to the Cookie Policy.

5. Who receives your personal data?

Only authorised employees of the Rijksmuseum have access to your personal data to the extent necessary for the performance of their work at the Rijksmuseum.

We will not disclose the personal data you have provided to us to third parties without your express prior consent, unless we are required to do so for the purposes set out under section 3. For example, we may pass on your personal data to suppliers/service providers for the execution of agreements we have concluded with you, such as payment processing. In addition, we may disclose your personal data to public authorities to comply with applicable legal obligations.

6. Transfer of your personal data

Unless otherwise stated, we process and store your personal data within the European Union. It may be that our service providers transfer your personal data to a country outside the European Economic Area (“EEA”) that does not offer the same level of protection under European law as the country where you normally use your products and/or services. In that case, we will take the necessary steps to ensure that your personal data are adequately protected, such as drafting standard EU contracts with parties outside the EEA.

7. Security

We take appropriate and reasonable security measures to protect your personal data against unauthorised access, modifications, disclosure, loss or improper use, and to protect the accuracy and integrity of your personal data. In order to ensure a risk-adapted level of security, we implement technical and organisational measures, including security with regard to access to our systems.

8. How long do we keep your personal data?

We keep your personal data as long as necessary or permitted with respect to the objectives for which they were obtained, and as set out in this Privacy Policy. The criteria used to determine our retention periods include: (i) the period during which we have an ongoing relationship with you; (ii) whether there is a legal obligation we are subject to; and (iii) whether retention is desirable in light of our legal position (for example, in relation to the enforcement of general terms and conditions, lawsuits or legal investigations).

9. What rights do you have with regard to your personal data and how can you exercise these rights?

Under the applicable laws and regulations, you have a number of rights with regard to your personal data, including:

  • Right of access. At your request we will provide you, free of charge, with information regarding the personal data we process about you.
  • Right to rectification. At your request we will correct, supplement, block or delete your personal data in the event that these are factually incorrect, incomplete or irrelevant for the objective or objectives of the processing, or when these are processed in any other way that infringes a legal provision. Withdrawal of consent. You can withdraw your consent at any time for future processing by us of your personal data.
  • Right to object. You have the right to object to the processing of your personal data for marketing purposes.
  • Right to restriction of processing. If applicable, you have the right to request a restriction on the processing of your personal data by the Rijksmuseum. This means that your personal data may (temporarily) not be processed and changed.
  • Right to erasure. If applicable, we will delete your personal data without unreasonable delay (right to be forgotten).
  • Right of opposition. If applicable, you have the right to object to the processing of your personal data based on, among other things, the basis of the “legitimate interest” of the Rijksmuseum.
  • Right to transfer data. If applicable, we will provide you with an overview of the personal data you have provided to us, so that these data can be transferred to another data controller, to the extent that this (data portability) is technically possible.
  • Right to file a complaint. Finally, you have the right to file a complaint with the supervisory authority if you believe that your personal data are being processed in violation of this privacy statement.

If you wish to exercise one of your rights, you can do so by using the contact information set out below.

10. Contact information

If you have any questions about this Privacy Policy, the way we process your personal data or if you want to exercise any of the above rights, please contact the Rijksmuseum using the contact information below:

Rijksmuseum
Postbus 74888
1070 DN AMSTERDAM

info@rijksmuseum.nl

This Privacy Policy is updated from time to time. This Privacy Policy enters into force on 25 May 2018. The most recent version is published on rijksmuseum.nl.