You may be leaving behind personal information when you visit Befrank.com. If your pension scheme is already administrated by BeFrank, we will already have personal data of yours. In the performance of our business operations, BeFrank already receives such personal data through advisors, employers, government bodies, or directly from you. Protecting and processing your personal data are very important to BeFrank. Read this privacy statement to learn how BeFrank carefully handles, protects and processes your data.
Whenever we process data, we do so in accordance with the Personal Data Protection Act (Wbp) and the General Data Processing Regulation (GDPR). For the provisions, please refer to the government website: http://wetten.overheid.nl/BWBR0011468 and the information on the website of the Dutch Data Protection Authority (AP): https://autoriteitpersoonsgegevens.nl.
Our systems and work processes are and continue to be designed in the most privacy-friendly manner. Even if we think of something new. BeFrank has assessed the impact of data processing, considering exactly which data we process, whether there is in fact a need to do so, whether there are risks for the persons concerned and whether the degree of protection in place is adequate. This means that BeFrank does not process more personal data than is strictly necessary and that we protect personal data. We destroy the data if there is no need to retain them. BeFrank only provides access to personal data to staff who are duly authorised.
Cooperation with third parties
In principle, BeFrank does not provide any personal data to third parties. However, BeFrank may cooperate with third parties to carry out our business operations. If that is the case, personal data may only be processed on the basis of written instructions given by us. Our consent is also required for engaging a subcontractor, if applicable. This is governed by a data processing agreement in which the purpose, confidentiality and security of data are described and provided for, together with the obligation of the third party to cooperate in inspections to verify compliance with the conduct rules.
BeFrank sets great store by the security of personal data. Should personal data nonetheless fall into the hands of third parties who should not have access to that data, we will notify the Dutch Data Protection Agency of this in the case of a serious data breach and we will always notify the persons whose personal data were affected by the breach. You have a right of access, correction, removal and the right to transfer your data.
Your privacy – why do we ask you for your data?
The processing of data is part of BeFrank’s objective under its articles of association. BeFrank uses your personal data for several purposes:
• Administrating the pension scheme, including the assessment and acceptance process, keeping pension scheme records, but also handling benefit payments by our principals. We also want to give you information and instructions that can be important for your pension.
• Ensuring the safety and integrity of BeFrank, for example by preventing, investigating or combating punishable or objectionable conduct aimed against customers and staff of BeFrank, or against BeFrank itself.
When is BeFrank permitted to process personal data?
BeFrank is not permitted to process personal data at its discretion. Doing so always requires a ‘clear basis’, i.e. a lawful basis. The following represent or provide such a basis:
• Your unequivocal and in some cases express consent; or
• An agreement between an employer and BeFrank to enter into a pension scheme. This also includes the preparatory phase of requesting a contract.
The following also applies, however:
• The processing of personal data is necessary to act in BeFrank’s legitimate interests; or
• There is a legal obligation that BeFrank is required to comply with; or
• It is aimed at safeguarding a vital interest of the person concerned; or
• The processing of your data is necessary for the proper discharge of a duty under public law by BeFrank.
If none of the above applies, BeFrank is not permitted to process personal data.
Special personal data
Except for medical data, BeFrank does not document special personal data. We do not ask any questions concerning a person’s religious beliefs, personal beliefs, race, political preference, inclinations, sex life or criminal record. We only ask for medical data in special situations in order to take out term insurance with a power of attorney.
Where does your personal data come from?
The personal data that BeFrank processes come mainly from the employer. Other sources are:
• The pension advisors BeFrank works with;
• The municipal personal records database;
• The tax authorities;
• Other pension administrators;
• The Employee Insurance Agency (UWV);
• The Social Insurance Bank (SVB);
• Other natural persons, institutions and organisations authorised by you to provide data.
Protecting your personal data is important for us. We will always treat your personal data with due care. Only staff who are allowed to process or view data on the basis of their position have access to personal data. Staff are only permitted to pass on personal data if a legal obligation to do so applies or if this is necessary in accordance with their duties. In addition, all staff within BeFrank have signed a non-disclosure agreement, and non-disclosure is also part of our Code of Conduct. Moreover, we have properly protected our systems and programs, and security checks are performed regularly to protect personal data against, for instance: unauthorised access, (intentional) destruction, forgery or unauthorised distribution, and against any other form of unlawful processing. BeFrank has also taken measures to ensure that personal data can be replaced or restored in the event of loss or damage.
For how long will BeFrank retain your personal data?
How long BeFrank is permitted to retain personal data depends on the purpose for which the data were obtained. This can differ depending on the situation: there is no fixed retention period. As a rule, BeFrank applies a retention period of seven years. If your pension is administrated by BeFrank, we will retain your personal data for a longer period, often until after your retirement date. If the data no longer need to be retained, the data are removed in full. BeFrank is permitted to retain personal data for longer than stipulated if they are stored anonymously for historical, statistical, marketing or research purposes. BeFrank takes the required measures to ensure that the data concerned are used only for those specific purposes in accordance with legal requirements.
Use of website & app ‘My Pension’
Is BeFrank permitted to provide data to third parties?
BeFrank can exchange personal data, but only as part of its services or on your request. BeFrank reserves the right to use third parties and we will in that case only provide data to them in exceptional cases if:
• you have agreed to this in writing; or
• if there is a legal basis; or
• if a third party is authorised to process personal data under a data processing agreement.
This can mean that personal data are transferred to countries outside the European Union (EU). Transfers of personal data to countries outside the EU are permitted only to other countries that offer an adequate level of protection. Apart from those cases, transfers are only permitted on the basis of an exception provided for by law or with a permit from the Minister of Justice and Security.
What are your rights?
You have the right to know which personal data of yours are processed by BeFrank. You are also entitled to know where the personal data come from and to whom the personal data have been provided. You also have the right to have your data transferred to another party and you have the right to correction. You also have the right to be forgotten provided that does not contravene our statutory duty as a pension administrator.
How to obtain access to your data
We are eager to help you as much as we can. It is important for us to have the correct information. Accordingly, we aim to keep your data up to date. If you want to make sure that all data we have on you are correct, check them on your personal pension page (https://www.befrank.nl/login/). Alternatively, you can also send a request to the address stated below, together with a copy of your ID. We advise you to state on it in large letters that it is a copy for BeFrank, to state a date and to strike out your BSN (citizen service number). You will then be given access to your data as soon as possible.
Let us know if the overview contains any incorrect data. If necessary, we will modify, block or remove the data if they are processed for an incorrect purpose. Within four weeks after receipt of your request, BeFrank will review whether the correction, addition, removal, blocking or objection is justified. BeFrank is entitled to refuse to meet your request, but only if there are other interests that outweigh your own, or if the request relates to someone else. If the request is justified, we will handle it immediately and ensure that it will also be communicated to any third parties used by BeFrank. If it is appropriate and possible to do so, information can be provided by telephone. BeFrank will determine whether both the importance of providing the information and your identity have been adequately demonstrated.
You can address your request in writing to:
1096 BC Amsterdam
or e-mail it to:
Should a dispute arise between you and BeFrank concerning the processing of personal data, the following procedure will apply: BeFrank will inform you in writing as soon as possible, but within four weeks after receipt of the report at the latest, whether your request will be complied with. If your request is not complied with, we will always state why it has been rejected. If you believe that BeFrank is acting in breach of the privacy rules, you can contact the Dutch Data Protection Authority at https://autoriteitpersoonsgegevens.nl/nl/.
The text of this privacy statement can be changed by us in light of new developments, new products and services and/or laws and regulations. The most recent text of the privacy statement shall always apply to our services.
This regulation became effective on 1 January 2018.