Acm.nl uses cookies to analyze how the website is used, and to improve the user experience. Read more about cookies

Privacy notice

The Netherlands Authority for Consumers and Markets (ACM) believes it is important that your personal data is handled with care. We gladly explain to you how we handle your data.

On this page:

The use of your personal data

We need your personal data to perform our statutory duties properly. In that way, we are, for example, able to investigate who is responsible for a violation or to solve issues that have been reported to us by consumers or businesses. We process your personal data only for those kinds of specific purposes on the basis of a legal ground.

Personal data is information that can be traced back to you as an individual, for example, your name, your home address, or email address.

Retention period

If we no longer need your data for a specific purpose, we will delete it. For example, if an investigation has been completed, and we no longer need the personal data. In that context, we keep in mind the provisions of the Dutch Public Records Act (in Dutch). This law stipulates that government organizations must have and keep important government information in a proper, structured, and accessible state. This means we cannot delete such information.

Security

We handle your personal data with care, and we ensure that it is well-secured. We follow the security rules set by the Dutch central government (in Dutch), such as the Government Information Security Baseline (in Dutch: de Baseline Informatiebeveiliging Overheid, BIO), in order to minimize the likelihood of loss, theft, or abuse of your data.

We process your personal data only if such is permitted by law. The law offers different reasons for processing personal data. Those reasons are called legal grounds (in Dutch). We process your personal data in accordance with these legal grounds:

Public interest: performing our statutory duties

In these situations, we are required to process your data in connection with the performance of our statutory duties:

  • If we carry out an investigation into a business and, in that process, look into administrative documents or emails.
  • If a copy of your ID is required, for example, when you as a private individual request a phone number.
  • If you report a cartel to our leniency office.
  • If we collect information from public sources in connection with our oversight efforts. We collect this information with the greatest possible care so that the chance of us processing personal data is as small as possible. If we do unintentionally collect personal data, we will delete it immediately upon discovery.
  • If you contact ACM or ACM ConsuWijzer (in Dutch).
  • If you receive a sanction decision from us, and if you file an objection or appeal against a decision of ours.
  • If we are statutorily required to share your personal data with other organizations. For example, think of collaborations with other regulators (national or European) in a European investigation. Or with the Netherlands Public Prosecution Office (OM) and the courts for a case’s criminal proceedings. We only share your data if such is necessary and the law allows it.

Legitimate interest

In these situations, we have a legitimate interest in processing your personal data:

  • For the safety of our visitors and employees, we use camera surveilllance in our building. We only use the cameras for security purposes. The footage review process complies with applicable privacy laws. We only use footage in cases of incidents, and we delete the footage within the statutorily permitted retention period.
  • For managing our social-media channels.

Consent

In these situations, you give us consent for processing your personal data:

  • If you apply for a job, we process your personal data to assess your application and to perform the selection procedure. This includes, for example, your contact details, CV, and cover letter. We handle your data with care, and store them as long as necessary for the application procedure, in accordance with applicable privacy laws.
  • If you sign up for our newsletter. This includes your email address, the topics and document types you are interested in, and the frequency with which you want to receive the newsletter. We store this data until you unsubscribe from the newsletter.

Your privacy rights

Under the General Data Protection Regulation (GDPR), you have the following rights:

  • Right of access: You can ask what personal data of yours we use. In this way, you can check whether we do this in accordance with the law.
  • Right to rectification: If your data is incorrect, you can ask us to correct it.
  • Right to erasure: In some cases, you have the right to have your personal data deleted.
  • Right to object: If you disagree with our decision on your access request, you can file an objection.
  • Right to withdraw consent: If you gave us consent for the use of your personal data, you can also withdraw this consent.
  • Right to restrict processing: You can ask us to temporarily stop processing your personal data, for example, if you want to wait for another decision.
  • Right to data portability: You can request us to hand over your personal data to another party.

If you wish to exercise a privacy right, please submit your request to privacy [at] acm [punt] nl (privacy[at]acm[dot]nl) or to our postal address with the subject ‘GDPR request’. We will subsequently request a copy of your ID to verify your identity. In that way, we know for sure that we do not share your personal data with someone else. We do not store the copy longer than necessary, and we will delete it no later than 3 weeks after the ID verification. We will store your personal data as long as necessary for fulfilling your request. In this process, we also take into account the provisions of the Dutch Public Records Act.

As soon as we have verified your identity, we will respond to your question within a month. In some cases, we need more time. In those cases, we can extend the response deadline by up to two months. If that is the case, we will inform you in a timely manner.

Social media and external platforms

We use external platforms such as Facebook, Instagram, and LinkedIn. We have no influence over the way in which these platforms handle your personal data. Never share privacy-sensitive information with us through social-media platforms.

For managing our social-media channels, we use the external application Coosto. In addition, we monitor what publicly available messages are about ACM, so that we know what is happening online. We use this information for improving our strategy and services. In this context, we search for topics, not for individuals. You can ask us questions through social media. If you do so, we collect your username and the content of your message. We use this data to answer your question.

On some social-media platforms, such as Facebook and Instagram, we also post ads sometimes. To present these ads to the correct target demographic, we use the personal data collected by the platforms.

We also use the platform Mastodon for sharing information. Mastodon is a decentralized social network. We are active on a special government server. Mastodon does not contain any ads, algorithms, and does not store any personal data. In addition, users are not required to create accounts for viewing the messages on the government server social.overheid.nl (in Dutch).

In cases of objections or legal proceedings, we process data. Legal proceedings consist of an appeal or a request for a preliminary injunction.

Objections

If you file an objection against one of our decisions, your notice of objection may contain personal data, for example, in the description of the objection or in the documents that have been submitted by you or other parties. We process those personal data. If someone else files the objection on your behalf, we will also process the contact details of this authorized representative.

In the objection phase, you, as an interested party, have the opportunity to be heard during a hearing. In that case, we will process your personal data as a visitor to our offices. In addition, an audio recording will be made of the hearing. We only use such a recording for drawing up the minutes of the hearing.

We use the personal data to get in contact with you or your authorized representative, for example, for the invitation to a hearing, if we have questions about your objection, or for informing you about our decision.

Legal proceedings: appeals or preliminary injunctions

In legal proceedings, we process the personal data that are found in the documents that you have submitted to the court, which means both the documents that we submit ourselves as well as the documents that you or any interested third parties submit. If someone litigates on behalf of someone else, we process the personal data of this authorized individual too.

We use the personal data to contact you or your authorized representative, for example, regarding questions about your notice of appeal or the preliminary injunction.

Sharing personal data in objection proceedings or legal proceedings

When handling a notice of objection or in legal proceedings, it is sometimes necessary to share personal data with other parties. For example, we need to share personal data with:

  • the courts, for the legal proceedings to which we are a party;
  • contact persons for appellants or their authorized representatives as well as courts, and possibly our lawyer
  • Interested third parties

Applying for a job

We find it is very important that your application and personal data are treated with care. We only use your data for the application process. In that context, we use the personal data that you provide us with, and we sometimes look at additional information from public sources such as social media (LinkedIn, for example).

We keep your personal data no longer than necessary for the application process. In order to be able to contact you regarding possible similar job openings, we keep your data, as a rule, for up to four weeks after the end of the initial application process. If you do not want this, or if you want your data to be kept for a longer period of time, so that we are able to contact you regarding similar openings, send an email to recruitment [at] acm [punt] nl (recruitment[at]acm[dot]nl). We are allowed to keep your data for that purpose for up to one year at the longest.

If you want access to the application data that we have on you, or have it corrected or deleted, send a request to recruitment [at] acm [punt] nl (recruitment[at]acm[dot]nl). You can also send an email to the same address regarding other privacy-related questions surrounding your application.

Phone number applications

If you apply for a phone number with us, we process the following personal data:

  • Contact details, including name and postal address, email address, and/or phone number.
  • If you are a private individual requesting an information number: copies of your ID without the picture, the extract from the Personal Records Database (in Dutch: Basisregistratie Personen, BSR), and the Citizen Service Number (in Dutch: Burgerservicenummer, BSN).
  • If your application concerns a 090x- or 18xy-number: any information regarding possible criminal offenses or administrative sanctions.

You are not required to submit this personal data. However, without this data, your phone number application is incomplete. In that case, we may declare your application inadmissible on the basis of the Dutch General Administrative Law Act (in Dutch: Algemene wet bestuursrecht).

We process your data in order to be able to assign a phone number to you, and to keep the public phone number register up to date. These are our statutory duties under Section 4.2, paragraph 1, and Section 4.8 of the Dutch Telecommunications Act (in Dutch: Telecommunicatewet). The register states the name, place of business, and place of residence of the individuals to whom phone numbers have been assigned.

We keep your data for 15 years starting from the date of the number assignment. This does not apply to copies of identification documents and extracts from the BRP. We delete those immediately after the check.

Oversight in health care

We enforce competition in the health-care sector and, in that context, we process personal data. As part of our oversight, we receive claims data that health-care providers submit to health insurers and regional health-care offices. This data is collected by Vektis (in Dutch) by order of the health insurers. In addition, we receive data regarding complex care from the Dutch Healthcare Authority (NZa), and information regarding claimed medical aids from the National Health Care Institute (In Dutch: Zorginstituut Nederland). Also, we process personal data of health-care providers from the Data Management Register for the Healthcare Industry (in Dutch: AGB-register).

We use this data for statistical analyses, and for assessments of whether mergers and acquisitions in the health-care sector have consequences for competition. Also, the data is used for market studies.

Claims data contain information regarding care, and fall under the category of special personal data. Before we receive such data, identifiers such as names, full addresses, and dates of birth are deleted. As a result, the claims data that we receive cannot directly be traced back to individuals. Since we do not process any identifiable claims data, we cannot fulfill any access, rectification, or deletion requests.

We store the claims data and the thereto-related data from health-care providers for up to 20 years. This data is not used for automated decision-making processes.

Criminal and Unaccountable Assets Infobox

We participate in the inter-governmental partnership iCOV, which is the Criminal and Unexplained Assets Infobox (iCOV). This is a collaboration between various Dutch government organizations. In that partnership, participants exchange data that they need for performing their statutory duties. As part of our participation in iCOV, we also process personal data. When processing such data, we comply with strict rules and regulations laid down in, among other laws, the Data Processing by Partnerships Act (in Dutch: Wet gegevensverwerking door samenwerkingsverbanden, or WGS).

Data Protection Officer

We have an independent Data Protection Officer (in Dutch: Functionaris Gegevensbescherming, FG). The FG has been registered with the Dutch Data Protection Authority (AP). The FG ensures that, within the organization, we comply with the rules laid down in the GDPR and the GDPR implementing act.

Data processing register

If you want to know more about a specific process, please consult our data processing register (in Dutch).

Questions or complaints

If you have any questions or complaints about how we handle your personal data, please do not hesitate to contact us.

Back to top