Privacy statement

In the event of any discrepancy or inconsistency between the Dutch and English versions of this Privacy Statement, the Dutch version shall prevail.

The Dutch Payments Association (hereinafter referred to as “Association”, “Dutch Payments Association”, “we” or “us”) respects your privacy and the confidentiality of your personal data. In this Privacy Statement, we explain what personal data we collect via our website and for what purposes we use it. The Dutch Payments Association is a membership association focused on providing information about Dutch and European payments. We handle your personal data with care and secure it properly, in accordance with the General Data Protection Regulation (GDPR) and other relevant laws and regulations.

What personal data do we process?

Data you provide yourself: When you contact us via our website (for example, via a contact form) or sign up for a newsletter, we ask for some necessary information. This may include your name, email address, telephone number, and organization. We only ask for information that is necessary to process your request or to contact you, so that we can help you as quickly and efficiently as possible.

Automatically collected data: When you visit our website, our systems collect certain technical information. For example, our web server automatically records your IP address, the time and date of your visit, which pages you visit, and which link or website brought you to our site. This data helps us gain insight into the use of the website. Where possible, we anonymize this data. For example, we anonymize IP addresses by removing the last octet (number group) of the IP address before it is stored. This means that the IP address cannot be traced back to an individual visitor.

Cookies: Our website uses cookies and similar techniques. Cookies can also be used to collect certain personal data or data about usage. You can read more about this in the Cookie Statement. In short, we use cookies for functional purposes (to ensure the site works properly) and for analytical purposes (to measure and improve the use of the site). We do not use cookies for commercial purposes or to build profiles of individual users, so no third-party advertising or tracking cookies are used.

Special and sensitive data: Our website and services do not intend to process special categories of personal data (such as data about health, religion, ethnicity) or data from minors. We therefore request that you do not share such information with us via the website. The Dutch Payments Association deliberately does not collect data from persons under the age of 16, unless permission has been given by a parent or guardian. Please contact us if you suspect that we have collected personal data from a minor without such permission, and we will delete that information.

For what purpose and on what basis do we process personal data?

Purposes: The Dutch Payments Association processes your personal data exclusively for the following purposes:

Handling your requests: We use the information you enter in our contact form or send us by email to answer your questions or handle your request. If you ask us for information, we use your data to fulfill that request (for example, to call or email you with a response).
Newsletters: If you have subscribed to our newsletter, we use your email address (and possibly your name) to send you the newsletter periodically. We will only send you newsletters if you have actively subscribed (opt-in). You can unsubscribe at any time via the unsubscribe link in each newsletter or by contacting us.
Analyzing and improving the website: We process data about your visit and click behavior on our site to keep statistics. We do this to gain insight into which information is frequently consulted, which pages perform well, and how visitors navigate through the site. We use these insights to continuously improve our website and better tailor it to the information needs of visitors. In doing so, we process anonymized data (such as truncated IP addresses and aggregated statistics) as much as possible.
Security and website maintenance: Collecting certain technical data (such as IP addresses and user agents) also helps us to ensure the security of the website, detect unauthorized access, and resolve technical issues. This falls under our legitimate interests in keeping the site secure and operational.

Basis: We process your personal data on the following legal grounds under the GDPR:

We rely on legitimate interest to handle your information requests or contact requests: we have an interest in being able to answer your questions, and you can reasonably expect that the data you provide will be used for this purpose. In some cases, your own consent will be the basis, for example when you voluntarily ask us a question or sign up for the newsletter (this counts as consent for the use of your email address for this purpose).
We rely on consent to send newsletters: you will only receive newsletter emails if you have subscribed to them. You can withdraw this consent at any time by unsubscribing.
For analytical cookies and the collection of statistics, we rely on legitimate interest insofar as the impact on your privacy is minimal (for example, because we anonymize data). If required by law, we ask for consent in advance for the placement of certain cookies or the processing of data (in particular for third-party cookies, see the Cookie Statement).
For the security and maintenance of the website, we rely on our legitimate interest in securing our systems and ensuring the smooth running of our online services.

We will not use your personal data for purposes other than those described above. In particular, we will not use your data for unsolicited commercial communications, profiling, or other purposes that are not reasonably related to you.

Comments and messages on the site

If our website offers the possibility to leave public comments (for example, under news items or blogs), the following provisions apply:

When visitors leave a comment on the site, we collect the data shown in the comment form, along with the visitor’s IP address and browser user agent. This information is necessary to help detect and filter spam and unwanted comments.
An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service if you use Gravatar. The Gravatar service privacy policy is available on the Automattic website. After your comment is approved, your profile picture (linked to your Gravatar account) will be publicly visible with your comment.
Please note that any information you post publicly in a comment can be seen and collected by others. Therefore, please think carefully about what personal data you share in a comment. We reserve the right to moderate or remove comments if they do not comply with our terms and conditions.

NB: Currently, the comment form on our website is inactive or only available to certain users. If the comment option is offered in the future, the above will apply.

Embedded content from other websites

Posts or pages on our site may contain embedded content from other websites, such as YouTube or Vimeo videos, Google Maps maps, an Albumizr photo album, or social media feeds. Such embedded content functions in exactly the same way as if you were visiting the third party’s website yourself. This means that these external services may collect data about you or place cookies when you view or interact with that content:

YouTube and Vimeo: When we embed videos from YouTube or Vimeo on our site, these platforms may collect information about your viewing behavior. For example, they may place cookies to remember your preferences or track your viewing history. If you are logged in to such a platform while viewing the embedded video, the provider may link your viewing activity to your account with that service.
Google Maps: On our contact or location page, we may display an interactive map via Google Maps. When loading the map, Google may collect data (such as your IP address) and place cookies to remember user settings and analyze the use of its services.
Albumizr photo gallery: The site may use Albumizr to display photo albums or galleries. When viewing such a photo gallery, cookies or similar techniques may be used by Albumizr to facilitate viewing of the photos and to keep statistics on the use of the slideshow.
Social media content: If we embed content from social media platforms (such as Twitter timelines or LinkedIn posts), these platforms may collect data in a similar manner when you view or use the embedded content.

These third parties may therefore monitor your visit to our site when you view the embedded content, and they may use this data for their own purposes (for example, to personalize services or advertisements on their platform). We have no control over the cookies or data processing of these external parties. For more information, please refer to the privacy statements of the relevant providers (e.g., those of Google, YouTube, Vimeo, Albumizr, etc.). If you do not want these parties to collect data about you via our site, you can choose not to open or play the relevant content.

No sale or unauthorized disclosure: the Dutch Payments Association will not sell your personal data to third parties. We will only disclose your data to third parties if this is necessary for the purposes described above or to comply with a legal obligation.

Service providers (processors): We use a number of external services and tools, which may have limited access to certain personal data, but only on our behalf and under our instructions. We enter into a processing agreement with all external parties that process personal data on our behalf (processors) to ensure that they apply the same level of security and confidentiality to your data. Some examples:

Website hosting and IT suppliers: Our website is hosted on servers belonging to an external hosting provider or our web agency. They ensure the technical availability of the site. Server log files (containing IP addresses, etc.) may be stored on their systems. However, these parties have no independent authority to use your data other than as necessary for hosting the site.
Analytical software (Matomo): We use Matomo to collect statistics, which we host ourselves on our own server (on-premise). This means that no data is shared with an external analytics provider (such as Google); all analysis data remains within our own infrastructure.
Newsletter distribution (Mailchimp): We use the Mailchimp service to send our email newsletters. When you subscribe to the newsletter, your email address (and name, if provided) is stored with Mailchimp. Mailchimp will store this data on our behalf and use it to send the newsletters. Mailchimp may keep statistics on how newsletters are opened and read, to give us insight into their use. We have made agreements with Mailchimp to protect your privacy. Please note: Mailchimp is a US service; your newsletter data may be processed outside the European Economic Area (EEA). However, we have put safeguards in place (such as standard contractual clauses) to ensure that your data is well protected there too. By subscribing to the newsletter, you acknowledge that your data will be transferred to Mailchimp for processing in accordance with Mailchimp’s privacy policy.
Spam detection: If you post a comment or fill out a form via the site, your submission and data may be checked by an automated spam detection service (such as Akismet) to prevent unwanted or malicious content from appearing.

Such a service receives the data you enter solely for the purpose of analyzing it for spam characteristics. Processing agreements also apply in this case.

Legal obligations: The Dutch Payments Association may be required to disclose your personal data if we are legally obliged to do so, for example on the basis of a court order or a request from competent authorities. In exceptional cases, we may also share data if this is necessary to report criminal offenses or to protect our rights, property, or safety (or that of others).

In all cases, we limit the data we share with third parties to the minimum necessary. Third parties with whom we collaborate are obliged to respect your privacy and to take appropriate security measures. Your data will not be shared with third parties for their commercial purposes.

How long do we retain your data?

We do not retain your personal data for longer than is strictly necessary to achieve the purposes for which your data was collected. The retention period may vary depending on the category of data:

Contact forms and information requests: If you ask a question or submit an information request via the website, we will retain the data you provide for a maximum of two months after your request has been fully processed. This allows us to follow up on any follow-up questions or corresponding communication. After this period, your personal data will be removed from our active systems. Any email correspondence may be stored in our archives for longer, but again, no longer than is necessary for the purpose.
Account details: (Where applicable) If our website has registered user accounts (e.g., for members or administrators), we will retain personal information in the user profile for as long as the account is active. Users can view, change, or delete their personal information within the account (with the exception of the username or other system data that cannot be changed). When an account is closed, the associated personal data will be deleted or anonymized within a reasonable period of time, unless legal retention obligations dictate otherwise.
Comments on the website: If you post a comment on our website (to the extent that this functionality is available), that comment and the associated metadata will in principle be stored indefinitely. We do this so that we can automatically recognize and follow up on any subsequent comments instead of moderating them again and again. Upon request, we can delete old comments; see also your rights below.
Newsletter data: Your email address and any other data you have provided for the newsletter will be retained for as long as you are subscribed to the newsletter. As soon as you unsubscribe, we will remove your contact details from our active mailing list within a short period of time. Please note that our newsletter provider may have backups or log data that may be retained for some time before being completely deleted.
Analytical data: The raw visit data we collect via Matomo (as described in the section on website analysis) is only stored for a short period of time. Specifically, the detailed visit logs in Matomo are stored for 1 month; after that, they are automatically deleted, and we only retain aggregated statistics without personally identifiable information.We may store the aggregated statistical information (e.g., total number of visitors per month) for trend analysis, without this being traceable to individual visitors.
Legal retention periods: In some cases, we are required by law to retain certain data for longer periods of time. For example, tax or administrative legislation sometimes requires that certain transactional data or correspondence be retained for a number of years. In such cases, we will only retain that specific data for the applicable legal period.

After the applicable retention period has expired, we will delete or anonymize your personal data. Anonymization means that all identifying characteristics are removed from the data so that it can no longer be linked to you.

How do we protect your data?

The Dutch Payments Association takes the security of your data extremely seriously. We take both technical and organizational security measures to protect your personal data against loss, misuse, unauthorized access, unwanted disclosure, and unauthorized modification. Some of these measures are:

Secure connection: Our website uses an encrypted SSL connection (HTTPS). This means that data you send via the site is encrypted and cannot be read by unauthorized parties.
Access management: Personal data is only accessible to employees who need to process it for their work (need-to-know principle). These individuals are bound by confidentiality obligations.
Secure storage: The systems and databases in which we store personal data are secured in accordance with applicable security standards. These include firewalls, up-to-date virus scanners, and patch management to protect our servers and software. Where possible, we encrypt sensitive information.
Monitoring: We monitor our systems and networks to detect any vulnerabilities, misuse, or intrusion attempts at an early stage. We take immediate action in the event of suspicious activity.
Periodic evaluation: Our security procedures and measures are regularly reviewed and, where necessary, tightened or updated, for example when new technologies become available or when audits/pen tests give cause to do so.

Although we make every effort to ensure security, no internet transmission or storage system can be guaranteed to be 100% secure. We therefore cannot guarantee the absolute security of information, despite all precautions. In the unlikely event of a data breach or security incident with potentially adverse consequences for your privacy, we will act in accordance with our legal obligations. This includes, if required, reporting this to the Dutch Data Protection Authority and informing those involved.

Your privacy rights

Under privacy legislation (GDPR), you have various rights with regard to the personal data we process about you. You can invoke the following rights:

Right of access: You have the right to ask us whether we process your personal data. If so, you are entitled to a copy of that data, including information about how and why we process it.
Right to rectification: If you notice that certain personal data we hold about you is incorrect or incomplete, you have the right to request that this data be corrected or supplemented. We will then correct any incorrect information and, if applicable, inform third parties to whom the data has been provided.
Right to erasure (right to be forgotten): In certain cases, you may ask us to delete your personal data. For example, if the data is no longer necessary for the purposes for which it was collected, or if you withdraw your previously given consent and we no longer have any other legal basis for processing it. Please note that we cannot always delete all requested data, for example when we are legally obliged to retain certain information.
Right to restriction of processing: In certain situations, you have the right to have the processing of your data temporarily restricted. This means that we will retain the data but will not process it further for a temporary period. You can request this, for example, while awaiting the correction of inaccurate data, or if you believe that we are processing your data unlawfully but do not want it to be completely deleted.
Right to data portability: To the extent that we process your personal data on the basis of your consent or in order to perform a contract, you have the right to request that we transfer the data you have provided to you in a structured, commonly used, and machine-readable format. You may also request that we transfer that data directly to another organization if it is technically feasible.
Right to object: You may object to certain processing of your personal data. If we process data on the basis of a legitimate interest, you have the right to object to that processing if your particular situation gives cause to do so. When it comes to processing for direct marketing purposes (such as newsletters), we will always honor your objection; for example, you can always unsubscribe from further marketing emails.
Right to withdraw consent: In cases where we process your personal data on the basis of your consent, you always have the right to withdraw this consent. This does not affect the lawfulness of the processing based on the consent prior to the withdrawal. If you withdraw your consent, we will stop the relevant processing insofar as no other legal basis applies.

How can you exercise your rights?

You can submit a request to exercise your privacy rights by contacting us (see the contact details at the bottom of this Privacy Statement). To prevent abuse, we may ask you to identify yourself adequately when submitting a request, for example by means of identity verification. We will respond to your request as soon as possible, but no later than one month. If the request is complex or involves multiple simultaneous requests, this period may be extended by a further two months; in that case, we will inform you of the extension.

In general, we will carry out your request free of charge. However, if your request is manifestly unfounded or excessive (for example, in the case of repeated requests), we may charge a reasonable fee or refuse the request in accordance with the GDPR. In such a case, we will of course provide you with an explanation.

If you have any complaints about how the Dutch Payments Association handles your personal data or about the handling of a privacy request, please let us know so that we can work together to find a solution. You also have the right to lodge a complaint with the Autoriteit Persoonsgegevens (the Dutch supervisory authority for privacy protection) if you believe that we are not complying with the privacy rules.

On our website, we provide buttons or links that allow you to share certain content on social media platforms such as LinkedIn, Facebook, X (formerly Twitter), and so on. We maintain profiles on some of these platforms ourselves in order to share news and information. When you click on a social media button on our site, you will be redirected to the website of the relevant platform. At that moment, information may be sent to that platform via your browser. This concerns the usual technical data that is sent when clicking on a hyperlink, such as your IP address, the user agent (information about your browser and operating system), and the referring page (the URL of the page you shared).

It is important to emphasize that no data is sent to social media platforms as long as you do not click on a share button. Only when you actively press such a button to share content does your browser connect to the relevant platform and transfer data. From that moment on, you are subject to the terms of use and privacy policy of the relevant platform. We recommend that you read the privacy statements of the social networks you use so that you know what they do with your (personal) data.

The Dutch Payments Association does not receive any personal data from these platforms when you share content from our site. At most, we can see that an item has been shared via, for example, the platform’s counting mechanisms, but this cannot be traced back to individual persons for us.

Changes to this Privacy Statement

The Dutch Payments Association may amend or update this Privacy Statement from time to time. We reserve the right to make changes at our own discretion. If we make significant changes to the way we process your personal data collected via the website, we will announce this via an amended Privacy Statement on our website. We will indicate the date of the most recent change at the top of the statement. We recommend that you check this page regularly to stay informed of any changes.

If, after reading this Privacy Statement, you still have questions about how we handle your privacy, please feel free to contact us.

Contact details

The Dutch Payments Association
Gustav Mahlerplein 33-35
1082 MS, Amsterdam

Email: info@betaalvereniging.nl
Phone: +31 20 305 19 00

For privacy-related questions, please contact us by email at the above address. We will be happy to assist you.

Amsterdam, October 2025