Legal & Privacy

The CRREM Foundation collects personal data when you interact with our services, website, or communications. This may include:

• Contact information: Name, email address, phone number, organization, and job title — provided when you register for events, subscribe to communications, submit inquiries, or apply for licensing or accreditation.
• Professional information: Organization type, role, and sector — provided in the context of partnership, licensing, or service provider applications.
• Website usage data: IP address, browser type, device information, pages visited, and interaction patterns — collected automatically through cookies and similar technologies when you visit crrem.org.
• Communication data: Records of correspondence when you contact us by email or through our website.

We do not collect sensitive personal data (such as health data, biometric data, or data revealing racial or ethnic origin) unless explicitly required and consented to.

We process your personal data for the following purposes:

• Delivering our services: Processing licensing and accreditation applications, providing access to the CRREM Pathways and related tools, and managing partner and stakeholder relationships.
• Communications: Sending newsletters, event invitations, pathway updates, and other communications you have opted into. You can unsubscribe at any time.
• Responding to inquiries: Answering your questions and requests submitted through our website or by email.
• Website improvement: Analyzing website usage patterns to improve functionality, content, and user experience. This processing uses aggregated and anonymized data where possible.
• Legal and regulatory compliance: Meeting our obligations under applicable law, including financial reporting and governance requirements.

Under the General Data Protection Regulation (GDPR), we process your personal data on the following legal bases:

• Consent (Art. 6(1)(a) GDPR): Where you have given clear consent for us to process your personal data for a specific purpose — for example, subscribing to our newsletter or accepting website cookies. You may withdraw consent at any time.
• Contractual necessity (Art. 6(1)(b) GDPR): Where processing is necessary to perform a contract with you or to take steps at your request before entering into a contract — for example, processing a licensing or accreditation application.
• Legal obligation (Art. 6(1)(c) GDPR): Where processing is necessary to comply with a legal obligation — for example, financial record-keeping.
• Legitimate interest (Art. 6(1)(f) GDPR): Where processing is necessary for our legitimate interests, provided these are not overridden by your rights — for example, improving our website, maintaining the security of our systems, or communicating with existing stakeholders about CRREM developments.

We do not sell your personal data. We may share your data with:

• Service providers: Trusted third parties who process data on our behalf — such as website hosting, email delivery, event management, and IT support providers. These providers are contractually bound to process your data only on our instructions and in compliance with GDPR.
• Professional advisors: Legal, accounting, or other professional advisors where necessary for our legitimate business operations.
• Regulatory authorities: Where required by law or regulation.

We implement appropriate technical and organizational security measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. Access to personal data is restricted to authorized staff and service providers who need it to perform their duties.

International transfers: Where your data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. Specifically:

• Contact and communication data: Retained for the duration of our relationship with you, plus a reasonable period thereafter (typically 2 years) unless you request earlier deletion.
• Licensing and accreditation records: Retained for the duration of the agreement plus the period required by Dutch law for financial and contractual record-keeping (typically 7 years).
• Website analytics data: Aggregated and anonymized data may be retained indefinitely. Identifiable website usage data is retained for no longer than 26 months.
• Correspondence: Retained for as long as reasonably necessary to resolve your inquiry and for our legitimate record-keeping purposes.

When personal data is no longer needed, it is securely deleted or anonymized.

Under GDPR, you have the following rights regarding your personal data:

• Right of access (Art. 15): Request a copy of the personal data we hold about you.
• Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
• Right to erasure (Art. 17): Request deletion of your personal data where there is no compelling reason for continued processing.
• Right to restriction (Art. 18): Request that we limit how we use your data in certain circumstances.
• Right to data portability (Art. 20): Request a copy of your data in a structured, commonly used, machine-readable format.
• Right to object (Art. 21): Object to processing based on legitimate interests, including direct marketing.
• Right to withdraw consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, contact us at info@crrem.org. We will respond within one month of receiving your request, as required by GDPR.

If you are not satisfied with our response, you have the right to lodge a complaint with the Dutch Data Protection Authority:

Autoriteit Persoonsgegevens
Bezuidenhoutseweg 30, 2594 AV Den Haag
www.autoriteitpersoonsgegevens.nl