Privacy statement (2024)

Centraal Beheer PPI

Your data in trusted hands

Centraal Beheer PPI N.V. (Centraal Beheer PPI) is the pension administrator for various pension schemes. If you as employer place your pension scheme with us, or if you are a current or former participant in a pension scheme that your current or former employer has placed with us, or if you have contact with us on any other basis, we need certain information from you. We consider it important that you know what we do with your personal data and what your rights are, so that you can be confident that when you give us your data it is in good hands.

What data do we use?

Usually we will ask for your name, address, e-mail address and telephone number.

If you are a participant or former participant in a pension scheme that we administer for your current or former employer, we need your personal data for the implementation of the pension scheme. This will include your name, address, and date of birth. In addition, we will process your Dutch BSN (burgerservicenummer/citizen service number), information concerning your income and employment, and your individual pension. In some cases we will require other information. The exact information that we use will depend on the objective for which we are processing the information, the cookie settings you select, and the product or service in question.

We will sometimes verify your identity

If you are or become a customer (or ultimate beneficiary or representative) of Centraal Beheer PPI we may ask you to identify yourself. We may also require additional information to establish that the identity information you provide is correct. We may do this using your iDIN or identification in person at one of our locations.

We also use cookies

Cookies allow us to show you or direct you to information, offers and advertisements that may be relevant to you. Consult our cookie policy or what cookies are and how we use them.

If you receive e-mails from Centraal Beheer PPI, we may register your click history within our e-mails. For example, we may log whether you opened an e-mail and which links and articles in it you clicked. This helps us make our e-mails more relevant to you.

What do we use your information for?

We are permitted to use your information for the purposes defined within relevant legislation and regulations. This includes, for example:

  • offering you a product or service, which may be ours or that of a third party.
  • contracting a product or service for you.
  • entering into and performing a contract with you.
  • administering a pension scheme that your current or former employer has placed with us.
  • establishing your needs and preferences.
  • fine-tuning our products and services to better meet your needs.
  • making a personal offer to you at the appropriate moment.
  • making an assessment of our risk.
  • fighting fraud and dealing with instances of fraud.
  • To ensure the security and integrity of both Centraal Beheer PPI and the financial sector as a whole (fighting and preventing crimes or other forms of misconduct, including terrorism, money-laundering and fraud).
  • In order to meet the requirements under the law for fighting money-laundering and the financing of terrorism.
  • for the purposes of scientific research, statistical research and market research.
  • to keep us generally in compliance with applicable law and regulations.
  • To test the integrity, stability and security of the systems we use to process your personal data (verifying that they are functioning as they should within the limits of legislation and regulations).
  • logging when and how often we have contact with you.

For more details, see the complete list here. This list also includes the specifics on the basis for the data processing (why we are permitted to use your data).

What contact moments do we register?

We register what we arrange with you. And we use our contact moments to improve the services we provide to you. The contact moments that we register include:

  • letters and e-mails that we send to you and receive from you.
  • telephone calls and chats.
  • what you do on our websites and what pages you view.
  • what you do in our apps and what you view in them.
  • our contacts via social media (Facebook, Twitter/X, WhatsApp, etc.).

Social Media

Achmea may have contact with various persons through social media channels (our own or third-party channels) concerning our organisation, products and/or services. This refers to customers, users of our brands or services and our apps, and visitors to our websites. In these contacts we wish to present useful and relevant information. We also use these channels to answer questions that we receive via social media. We actively follow content on the web and social media channels such as Facebook, Twitter/X and blogs. It can happen that Achmea registers personal data in the process. Where this happens, all processing of personal data is of course in compliance with this privacy statement. We bear no responsibility for content posted on or by social media channels or how those channels handle personal data.

Profiling and automated decision-making

Profiling

For a number of the processes within Centraal Beheer PPI, we create a profile for you based on the data on you that we have. This may be data that we have received from you, but also data from external (public) sources. We analyse this data in part with the goal of identifying your expected preferences and for the purposes of better risk coverage. Profiles are used for various purposes, such as:

  • the calculation of the premium for an insurance
  • targeting of marketing messages
  • determining your risk profile for investments
  • Assessing risks in the context of fighting fraud and preventing money-laundering and the financing of terrorism (“Know Your Client”).

The profiles generated can be used as input for the decision-making by our employees.

Achmea B.V. is responsible

Centraal Beheer PPI is a brand of Achmea B.V. For all brands, Achmea is responsible for the proper processing of your personal data.

Where do we get your data from, and who do we share it with?

In most cases, you provide us with your personal data yourself. There are a few cases in which we obtain your personal data in another way.

If you are a participant in a pension scheme that your employer has placed with us, we get your personal data from your employer or your employer’s pensions consultant.

We may also obtain your data from third parties such as insurers, other pension administrators, or other parties. These may include: the Chamber of Commerce’s trade register and/or UBO register, the Dutch Personal Records Database (Basisadministratie Personen/BRP), the Employee Insurance Schemes Implementing Body (Uitvoeringsinstituut werknemersverzekeringen/UWV), and government databases (including, but not limited to, lists of Politically Exposed Persons (PEP) and sanctions lists).

In the event of a fraud investigation, and specifically those pertaining to individuals, we may also use information concerning you obtained from the internet. In some cases, we may check your data against the data on you held by other organisations. We never sell your personal data.

In certain circumstances, we may forward your data to other organisations: for example, we may provide data that third parties engaged by us in the course of our operations or services require, and which third parties process said data at our instruction.

We may exchange data with:

  • Other business units of Achmea.
  • Other insurers with which we partner. For the implementation of the pension scheme, Centraal Beheer PPI works with insurers that insure the risks of death and occupational disability.
  • Other pension administrators. We exchange data if you or your employer request a value transfer of pension to or from another pension administrator.
  • Employers for which we administer their pension schemes. For administrative tasks relating to a pension insurance contracted for you, under certain circumstances we share your personal data with your employer.
  • Our vendors and business partners (collection agencies, process servers, sector organisations (such as the Dutch Association of Insurers), etc.). Centraal Beheer PPI may engage third parties for the performance of certain activities, such as delivery services or IT service providers to design, maintain and improve our IT systems, tools and portals.
  • The Pensions Register Foundation (Stichting Pensioenregister). We share data with the Pensions Register Foundation for our portal mijnpensioenoverzicht.nl.
  • Tax authorities. We are obliged to share certain information, for example concerning net pensions, with the Dutch tax authorities (information sharing obligation).
  • Other financial institutions.
  • Dutch regulatory authorities such as the Authority for the Financial Markets (AFM), the Dutch Central Bank (DNB), the Authority for Consumers and Markets (ACM) and the Personal Data Authority (AP), as required in individual cases (such as investigation by regulatory authorities).
  • The Chamber of Commerce - UBO register in the context of client investigation as dictated by the Dutch Money Laundering and Terrorist Financing (Prevention) Act (Wet ter voorkoming van witwassen en financiering van terrorisme/WWFT).
  • The Dutch employee insurance schemes implementing body (Uitvoeringsinstituut Werknemersverzekeringen/UWV).
  • Police/judicial authorities/the Dutch Financial Intelligence Unit.

For more details, see the complete list here. This list includes more information concerning other organisations with which data may be shared.

Wherever it may become necessary to share date with recipients outside the European Economic Area (EEA), we do this with the utmost restraint. The data privacy rules that apply in the Netherlands also apply throughout the EEA.

How do we ensure that your data is safe with us?

Our website, portals and IT systems are secured with effective measures, and we are always upgrading these measures and implementing new ones to prevent improper use of your data. Additionally, our employees are instructed clearly on how to handle your data.

Any time that Achmea or any of its brands send any confidential information by e-mail, this is always done using a secure e-mail solution.

If, despite our best efforts, you ever do discover a vulnerability in our internet services, please report it to Achmea using the Responsible Disclosure procedure. We appreciate every report and will take immediate action to remedy the vulnerability. To do this, go to Achmea | Responsible Disclosure | Achmea Together we can make the security of our data and systems as strong as they can be.

We handle sensitive data with extra care

Sensitive data includes things like:

  • Your citizen service number (BSN), your passport information and your banking details.
  • Your health information.
    • In the administration of pension schemes, we use limited health data such as the start and end dates of your disability benefits and the degree to which you are occupationally disabled. Centraal Beheer PPI does not process any medical data.
  • Data obtained from criminal-law sources.
    • In assessing the risks involved in an insurance or financial product, we may ask you whether you have any criminal convictions or have ever been suspected of a crime. You do not need to report any convictions or suspicions dating from more than eight years in the past.
  • Financial data. For the administration of a pension scheme, we require certain information about the employment and the income of participants.
  • Login data.

How long do we retain your data?

We retain your data as long as we require it for the purposes for which we have collected it or as long as we are permitted to re-use it, or else as long as stipulated in the law. When we no longer require the data for the purposes as described in this privacy statement, we may still retain the data with a view to potential legal proceedings or for the purposes of historical, scientific or statistical research. After that we will either delete or anonymize your data. Anonymizing your data means that we remove all the information that be used to identify you. The data can then no longer be traced back to you. Anonymized data helps us to get a better picture of our risks, products and services.

Privacy rules and privacy laws

We adhere to all rules and laws relating to privacy. This includes, in part:

  • The European General Data Protection Regulation (GDPR).
  • The Dutch act implementing the General Data Protection Regulation (Uitvoeringswet Algemene Verordening Gegevensbescherming).
  • The Code of Conduct for the Processing of Personal Data by Insurers (Gedragscode Verwerking Persoonsgegevens Verzekeraars).
  • The Dutch Telecommunications Act (Telecommunicatiewet).

Your rights

Your rights are also regulated by law. You may:

  • request the data that we have on you.
  • have any of your data that is incorrect changed.
  • have your data deleted.
    • In many cases we will not be able to comply with a request to delete your data. This may be because we still need your data for our administrative processes, or because we are not permitted to delete it pursuant to a provision of law.
  • object to a specific use of your data.
    • This would include, for example, requesting to no longer receive e-mail offers from us. All our e-mails contain a link through which you can unsubscribe. You may also make unsubscribe requests by phone. In other cases, you will need to clearly explain why you are objecting to the use of your data so we can evaluate your request.
  • revoke your consent.
    • When you have consented to our use of your data, you can later revoke this consent. As of that moment we will no longer use your data.
  • have your data transferred.
    • You can do this when you have given us data with your consent or pursuant to an agreement or contract with us. You can have your data transferred to another party or to yourself.
  • temporarily restrict the use of your data.
    • You may request this in a number of circumstances, for example if you have objected to the use of your data.

We will not always be able to comply with such a request. If that is the case or if we require more information to comply with your request, we will contact you.

If you wish to exercise your rights, let us know

You can do this by sending us an e-mail or letter. In order to ensure that we can identify the data of the correct person, we must establish the identity of the person exercising their rights. We can do this by customer or policy numbers, date of birth, or name and address information. When exercising your rights in regard to your data, please give us this information. In some cases, such as if the person’s identity cannot be established using the data we have, we may request a copy of your passport or identification card. We may also do this when the request pertains to very sensitive information such as health information. When we ask for a copy of your passport or ID card, we will request that you make your citizen service number (BSN) unreadable and obscure your photo. We will then respond within a month of receiving your request.

Requests by e-mail should be sent to: avgloket@achmea.nl. Letters should be sent to:

Centraal Beheer PPI
Attn. AVG-loket
Postbus 9150
7300 HZ Apeldoorn

If sending a request by e-mail, please use a secure e-mail solution.

You can view and change much of your data yourself on our website.

Do you have a question, tip or complaint?

Send any questions to Achmea’s Data Protection Officer at privacymanager@achmea.nl.

You can also send a letter to:

Achmea B.V.
attn.: Privacy manager
Compliance
Postbus 866
3700 AW Zeist

If we are unable to resolve your request to your satisfaction, you can submit a complaint to the Dutch Data Protection Authority.

We can change this privacy statement

We can do this in response to changes in the law or applicable rules and regulations, or if we develop new products or services. The version of this privacy statement on our website is always the current version.

This is the current version, of 2 December 2024.