Legal basis and meaning
To ensure that people’s privacy remains well protected, in May 2018 the European General Data Protection Regulation (GDPR) (information in Dutch) was introduced. It replaced the Dutch Personal Data Protection Act (Wet bescherming persoonsgegevens, WBP). The GDPR applies to all countries in the European Union. Personal data is information that can be traced back to an individual. The GDPR has two aims: to ensure that personal data is processed securely and with due care, and to ensure transparency. ‘Transparency’ in this context means people being able to access information about their personal data. This means that citizens are entitled to know what the information is, who is gathering this information and for what purpose.
How does the Ministry of Foreign Affairs (BZ) handle personal data?
Because the work done at BZ often entails working with personal data, it is important to ensure that your privacy as an individual is protected and that the GDPR is complied with at all times. The statement below explains how BZ ensures this.
Information concerning your visa application
Why we need information about you
To be able to assess visa applications, we need certain information about you. You provide this on the visa application form. We ask you for only the information that we need.
Sharing your personal data with third parties
The data we collect and information relating to the decision on your application and/or any decision to revoke, withdraw or extend your visa is entered in Kairos and in the European Visa Information System (VIS).
It is important that your application is properly assessed. For this purpose the personal details on your visa application form, as well as your fingerprints and photo, are shared with the competent authorities in the other EU member states before a decision is made. Information entered in VIS can be accessed by visa authorities, by the authorities competent to carry out visa checks at external borders and within member states, and by member states’ immigration and asylum authorities.
Information is shared so that authorities can check whether the conditions for lawful entry into and lawful residence within the territory of the member states have been met, to determine which individuals do not or no longer meet these conditions, and to investigate an asylum application and establish who is responsible for carrying out this investigation. Under certain conditions, Europol and designated authorities in the member states also have access to the information, in order to prevent, detect and investigate terrorist offences and other serious crime.
When you use our services, for instance by applying for a Schengen visa, BZ may share some of your personal data with third parties. This occurs in countries where BZ uses external service providers to handle the intake of applications. BZ uses two companies for this purpose: TLScontact (in China only) and VFS Global (in certain other countries). These two companies also accept Schengen visa applications for other Schengen countries. When processing Schengen visa applications in Kairos, BZ also uses external parties (data processors) in the IT sector for both system management and server hosting. These external parties are located in Utrecht and Amsterdam respectively. When we share your personal data with external parties, we ensure through the data processor agreements concluded with them that your personal data is protected in accordance with the GDPR and this privacy statement.
To ensure that applications are processed as quickly and efficiently as possible, BZ has introduced a new way of working: information-supported decision-making. This method involves comparing the information provided in your visa application with information held in a specially designed secure database called the BZ Application Assessment Database (BAO). See the factsheet for more information.
Your rights
You are entitled to request the disclosure of any of your personal data stored in Kairos, as well as to have incorrect data rectified and have personal data deleted, subject to the provisions of the GDPR.
You are also entitled to request a member state to disclose any of your personal data stored in the European Visa Information System (VIS), as well as to have incorrect data rectified and unlawfully processed data destroyed.
Retention period for personal data
Your personal data will be stored in Kairos, BAO and VIS for up to five years.
Contact
If you have any questions or requests concerning your personal data, please write to: Ministry of Foreign Affairs, Consular Affairs and Visa Policy Department (HDCV), Postbus 20061, 2500 EB Den Haag, The Netherlands.
You can also submit questions and requests with regard to the protection of personal data to the national supervisory authority: This is the Data Protection Authority, Postbus 93374, 2509 AJ Den Haag, The Netherlands.