Privacy Statement

1. Introduction

This Personal Data Processing Statement explains how we handle your personal data. smartLOXS respects your privacy and ensures that the personal data provided to us or otherwise obtained is treated confidentially. We always process and secure personal data with care. In doing so, we comply with the requirements of the Algemene Verordening Gegevensbescherming (AVG).

2. Why does smartLOXS process your personal data?

smartLOXS processes your personal data to process the application and issuance of smartLOXS managed cards (ACN-card, EU-card, or smart ID). The smartLOXS-card consists of a chip card and contains personal data of the card user. The data printed on the card and stored in its chip are also recorded in a central database.

3. What is the purpose and function of the smartLOXS card?

The smartLOXS-card and the smartLOXS-card system facilitate the safe and efficient transfer of air freight. The smartLOXS-card system is used for:

a) Arranging access and authorizations with the site manager. The site manager can specify which (access) authorizations are assigned to each card issued. The individual site manager is free to establish further rules regarding access to the sites and areas.

b) Establishing the identity of the card user. The ACN-card is a personal identification tool for air freight drivers. The ACN-card is used by site managers to record the identity of drivers, registration times, and the transfer of air freight, ensuring compliance with the security procedures of the air freight chain in accordance with Vo. EG. 2015/1998.

The EU-card and smart-ID are personal cards used by site managers to establish the identity of drivers, access authorizations, and registration times. The smartLOXS-card is read by a (smartLOXS) card reader at the site manager’s location.

c) Managing an efficient air freight supply chain. The ACN- and EU-cards enable automatic driver identification and support logistics processes. Using the ACN- or EU- card, the Site Manager can set specific logistics routes, which can be managed safely and efficiently based on the planned freight handling.

4. Basis for Processing

The processing of your personal data is lawful and based on the principles of ‘public interest’ (Article 6, paragraph 1, subparagraph e AVG) and ‘legitimate interest’ (Article 6, paragraph 1, subparagraph f AVG). You have been informed of the processing of your personal data by your employer/client, the purpose of the processing has been made clear to you, and you have been informed of your rights.

5. What personal data does smartLOXS process?

For card users with a smartLOXS-card, the minimum data required to produce the ACN-card is processed. The identity of the card user is uniquely verified for this purpose. This concerns the following data:

a) Identity of the Card User (surname, prefixes, first names, date of birth, card number, card type, issue date, expiration date)

b) Identity of the System User (username, password, surname, prefixes, first names, email address, telephone number)

Identity of the Card User

The following data is processed regarding the identity of ACN-card users: employer/company name, first names, surname, date of birth, passport photo, and the type of identity document and the number of the ID used to identify themselves when the card was issued. The following data is processed regarding the identity of EU card users: company name, first names, surname, date of birth, passport photo. The following data is processed regarding the identity of smart ID card users: company name, first names, surname, date of birth, passport photo. No copies or scans of identity documents or Verklaring Omtrent het Gedrag (VOG) are made. The address data of card users is also not processed.

User System Identity

Regarding a card application, we record the carrier (company name) and the User (account) who requested the card, the application date, the production date, and the card’s validity, as well as other data necessary for the system’s operation, including a unique card number and the card model number. Regarding other system functions, we record the User’s rights within the smartLOXS system.

6. Is your data shared with other parties?

smartLOXS does not share your personal data with third parties unless: – the third party is a site manager who uses the card as an access control device. Logs (time and control status per pass reader) of pass usage at a site manager’s location are shared with that site manager. – the third party is a supervisory authority or investigative service, and to the extent legally required to do so.

7. How does smartLOXS secure your data?

The protection of your personal data and compliance with the General Data Protection Regulation are of paramount importance to smartLOXS. – SmartLOXS supplies and maintains the technical infrastructure for issuing passes and registering the personal data in the smartLOXS pass and the chip embedded in it. – SmartLOXS has implemented various technical and organizational measures to protect your data against loss or unauthorized use. – SmartLOXS has made standard Data Processing Agreements available to site managers and alerts site managers to the importance of these agreements in relation to the General Data Protection Regulation. – SmartLOXS has been ISO 27001 certified since the end of 2021.

8. Retention Period

The data processed for Users and the application and issuance of smartLOXS passes is retained by default for a period of up to 90 days:

– after a user account has been terminated;

– after the pass has expired;

– after the pass has been revoked or blocked;

– after the pass application has not been converted into a pass production;

– after a log has been recorded on the site manager’s premises.

The data will be destroyed after the 90-day period, unless the competent authorities have initiated an investigation into the pass user in question. Even if the pass user has requested to retain the data for a longer period and this request has been granted by the parties, the data will be retained for longer than the standard retention period.

9. Rights of card and/or system user

The card/system user (hereinafter: User) has the following rights under the General Data Protection Regulation:

1. Right of access;

2. Right of rectification;

3. Right to erasure;

4. Right to restriction;

5. Right to object.

The following describes how smartLOXS implements each right.

Right of access

A User can request a printout or a digital file containing all currently available data recorded regarding the applicant. The requested data will be provided within 30 days of the request.

Right of rectification

If one or more of a card user’s data is incorrect, the card user has the right to rectification. The card user must be able to demonstrate that the data is incorrect and must identify themselves with a valid passport or identity card. Because the system is designed for security reasons to prevent data from being changed after it has been issued, rectification can only be made by revoking the existing pass and requesting a new one.

Right to Erasure

The parties have implemented the right to erasure by applying standard retention periods. Data is automatically erased after the retention period expires. If a pass user wishes to have data erased sooner, they can object to the processing.

Right to Restriction

A pass user has the right to restrict the processing of their data in certain situations, such as when the pass user disputes the accuracy of the data, the processing is unlawful, the pass user needs the data to initiate, exercise, or defend a legal claim, the pass user has objected, and the situation requires that data not only be no longer processed but also not erased. If a request for restriction is granted, the retention periods are suspended for the duration of the restriction. Once the restriction has been assigned and set, use of the pass is not possible until the restriction has been lifted.

Right to Object

A User may object to the processing. The parties have agreed not to assess the objection on its merits, but to grant it in all cases. If a User objects to the processing, their account and/or pass will be revoked. All User or Pass User data will then be automatically destroyed after 90 days, unless an investigation into the pass user has been initiated. A Pass User who objects must identify themselves with a valid passport or identity card and is required to surrender their ACN pass. The parties will inform the carrier who applied for the pass that the pass user has objected to the processing of their personal data and that their pass has therefore been revoked.

If a pass user believes that the processing violates the General Data Protection Regulation, they have the right to file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). See: https://www.autoriteitpersoonsgegevens.nl/nl/zelf-doen/privacyrechten/klacht-indienen-bij-de-ap.

10. Changes to the Privacy Statement

smartLOXS reserves the right to change this Privacy Statement at any time without prior notice. We will only do this if it is necessary to protect your and our interests. Therefore, please consult our website regularly.

11. Contact

If you have any questions about this Privacy Statement, please contact: smartLOXS BV Jadelaan 113 2132XZ Hoofddorp Telephone: 020-6534562 Email: helpdesk@smartloxs.com Internet: www.smartloxs.com