Privacy statement

The privacy statement tells what TNO does with your personal data, how TNO protects it and how you can exercise your GDPR rights.

Privacy statement TNO research

TNO research sometimes works with participants or with data from people contained in files. In that case, personal data of these people is used. TNO ensures that this type of research is conducted in a responsible manner and in accordance with the privacy legislation.

Human research

TNO research involving participants or data from people is called Human Research. TNO divides this research into three categories:

  1. Intervention research: a participant is asked to do something, for example to follow a certain diet or to use newly created equipment or technology.
  2. Observational research: people's behavior is examined, for example with questionnaires or via an interview.
  3. Research with data: existing data of individuals is researched or linked to develop new knowledge.

Human Research is internally reviewed for quality and the legal and ethical admissibility of the proposed research. If the research falls under the Medical Research Involving Human Subjects Act, this assessment takes place externally by a Medical Research Ethics Committee (MREC)

Consent

TNO always asks for consent from participants in Human Research unless this is impossible or requires a disproportionate effort. Participation is always voluntary and you can stop participating at any time. You can then also withdraw your consent for the use of your data. The researchers keep your data secret.

Sometimes it is not possible to ask for consent. This occurs in research with data. This data is pseudonymised, which means that the data can no longer be directly traced back to a person. TNO then has no contact details to request consent. It is always checked whether the data may be used for research.

Information

TNO ensures that participants in Human Research are well informed about the research and the use of your data. This information is provided to the participants in the research. In any case, the participant information must state which data is used, for what purpose, whether the data is shared with others and how long the data is stored.

Storage limitation

TNO is legally obliged to keep research data. Research data is stored for a longer period of time in order to be able to check the research afterwards, but also to reuse the data for follow-up research. In general, a retention period of 10 years after completion of the research applies. The retention period that applies is stated in the participant information.

What is personal data?

Personal data is information that can be traced back to you as a person. Examples of personal data are your name, home address and email address. You will find more information about personal data and privacy legislation on the website of the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

Why does TNO use your personal data?

TNO can use your data for various purposes. Below you will find an overview of the most common processing purposes of TNO and the personal data involved.

Data processing

TNO has a register of data processing activities in which all operational and business data processing operations are registered.

Register data processing
Data processing Category of personal data
TNO research Contact details; sex; date of birth or age; research data, including special categories of personal data such as health data or financial details.
TNO websites Contact details; IP address and other online IDs; sex; date of birth or age; usernames and passwords; surfing behaviour; browser settings.

Customer and supplier management

Contact details; (digital) signature; sex, date of birth or age; payment details; correspondence content and results from customer satisfaction surveys.
Procurement Contact details; ID details; financial data, sex; date of birth or age.
Access control to TNO locations (visitor registration and camera surveillance)

Contact details; sex; date of birth or age; ID-card details; camera images.

Recruitment and selection of personnel

Contact details; CV details; correspondence content.

All data entered by you and data provided by you in the submitted attachments.

TNO does not collect or process sensitive information such as data revealing your racial or ethnic background, political, religious or philosophical beliefs, possible trade union membership, health or sex life.

Legal proceedings (private law, administrative law and complaints Contact details; sex; date of birth or age; ID card details, financial details, substantive procedural details.
Screening against (inter)national sanctions- and export controls regulations Contact details; sex; date of birth or age; place of birth, identification data

How long does TNO keep your personal data?

TNO does not process your personal data longer than necessary for the purpose of the data processing. The retention period depends on a number of circumstances:

  • applicable laws and regulations, such as fiscal legislation or the 1995 Archives Act;
  • type of relationship with you as a data subject, for example customer relationship, job applicant or research participant;
  • the necessity to keep data in connection with (future) legal proceedings.

Recruitment: legitimate ground and purposes of data processing

TNO uses your personal data to facilitate a responsible, effective and efficient recruitment and selection process. The legitimate ground for processing these data lies in the legitimate interest of TNO in recruiting and selecting potential candidates for job vacancies. TNO has taken appropriate technical and organisational measures to protect the data against any form of unlawful processing, such as loss, theft, misuse, unauthorised access, undesired disclosure, improper amendment or distribution.

TNO collects and processes personal data from both open applications and applications for existing job vacancies. TNO will only process personal data for recruitment purposes. TNO’s recruitment purposes are: comparing the applicant’s data with current vacancies, communicating recruitment and selection procedures, contacting applicants to plan interviews, testing applicants and informing applicants of other relevant vacancies. ‘Processing’ means collecting, registering, storing, organising, transferring, adapting, modifying, retrieving, consulting, using, limiting, disclosing (via transmission, dissemination or another method), comparing, blocking, destroying and deleting recruitment information.

Retention periods

TNO retains the data of applicants during the recruitment and selection procedure. Following the end of the recruitment and selection procedure, TNO retains the data of applicants for one year. TNO retains personal data if there is a ‘business need’ to retain these data, e.g. retaining an applicant’s CV in case a suitable vacancy arises

One month prior to the end of an applicant’s data retention period, a request will be sent to you asking your consent to extend the data retention period by one year. If you do not consent to this, the data will be completely removed. In the event that an applicant is hired by TNO, the part of the data required for the conclusion of the employment contract will be included within the HR administration.

GDPR rights

GDPR grants people certain rights in order to check if the data processing is in accordance with the law. Most important rights relating to the recruitment process are your right to access, amend and delete your data. You can exercise your rights by contacting recruitment@tno.nl.

No use of data by third parties

Unless the exceptions mentioned below apply, TNO will not make your data available to third parties under any circumstances, nor will your data be sold.

Exceptions regarding no use of data:

  1. In the context of statutory regulations or legal
  2. In order to protect the rights or property of
  3. To prevent a crime or to protect state
  4. To protect the personal safety of
  5. In order to process candidate data during the recruitment process, the supplier Bullhorn processes data in the ATS
  6. If an assessment takes place, the name and email address will be shared with the supplier of the assessment application, LTP is responsible for the processing itself.

How does TNO secure your personal data?

TNO considers it very important that the personal data you provide is treated and secured with the greatest possible care. In order to optimally protect your personal data against loss, theft, unauthorized access or incorrect use, TNO takes appropriate technical and organizational measures to protect your personal data. These measures include measures to ensure the confidentiality, integrity and availability of personal data through physical, technical (access) controls. When using personal data in research TNO makes sure the research data is pseudonymized whenever possible.

Does TNO give personal data to other organisations?

TNO may share your data with other persons or organizations. TNO often collaborates with other research organisations in the Netherlands and abroad. If you participate in TNO research, it may be necessary to share your data with partners in a specific research.

There are also situations in which TNO is legally obliged to provide personal data to others. This always concerns special circumstances such as compliance with applicable laws and regulations or legal proceedings.

TNO uses IT systems that are not hosted by TNO. Your data will then be processed in these systems on behalf of TNO. TNO ensures that contracted IT vendors use IT systems that offer an appropriate level of data protection. TNO concludes data processing agreements with these vendors.

Below you will find the main categories of recipients who may process your personal data.

  • Research partners
  • IT-services, web and data hosting parties
  • Payment processors
  • Legal advisers and accountants
  • Courts
  • Governmental agencies

What are your privacy rights?

Based on GDPR, you have various rights to check if TNO collects and uses your personal data in accordance with the law. You can request access to your data, check if TNO has used the data lawfully or object against the processing of your personal data.

If you want to exercise your privacy rights, you can complete an online form.

After you have submitted the completed form, you will receive an automatic confirmation by email. In response to your request, TNO may ask for identification.

You can also download the form, print it and send it to:

TNO
attn. Corporate Legal & Compliance department
Postbus 96800
2509 JE THE HAGUE

Your request will always be processed. However, this does not mean that your request can be granted without further ado. In some cases your privacy rights do not apply. This may be the case when your personal data is used in TNO research.

You will receive a reply to your request within a month. If your request cannot be processed within a month, you will be notified accordingly. TNO is required to process your request within three months at the latest.

TNO's response is a decision governed by the General Administration Act. If you disagree with the decision because TNO has denied your request partially or in full, you can lodge an objection and subsequently apply to the administrative law courts.

Indicents (data breach)

In spite of our precautionary measures designed to give personal data the best possible protection, it remains possible that an incident may occur in which personal data are involved. An incident of this type is called a data breach. If you believe that a data breach is occurring at TNO, always get in touch with the Data Protection Officer of TNO (privacy@tno.nl or phone 088-866 0000).

The following information should be supplied when reporting a data breach:

  • your name and contact details;
  • the nature of the incident;
  • which personal data are involved;
  • which systems are involved in the incident; and
  • when and how you discovered the incident.

Questions and complaints

If you have any questions about this privacy statement, please contact the Data Protection Officer of TNO (privacy@tno.nl). You can also send a letter to:

TNO
attn. Data Protection Officer
Postbus 96800
2509 JE Den Haag

If you have a complaint, you can contact us in the same way. In addition, you are always entitled to submit a complaint to the Dutch Data Protection Authority.

Changes

This privacy statement may be changed at any time by TNO without prior announcement. Changes come into effect as soon as they are published on this website.