
Privacy Policy
At TTO-Noordzee, protecting your privacy is of utmost importance. We aim to inform you as much as possible, respect your privacy, and give you control over what happens to your personal data. Below you will find information about the data we collect, why we collect it, and how we use it. You will also find details on how long we retain your data, what your privacy rights are, and how to exercise them.
1. Coverage of this Privacy Policy
This privacy policy applies only to the personal data that we process as a data controller (see section 2B).
It applies to the processing of personal data of our members/volunteers, customers, and suppliers in relation to the services we provide as a tourist railway.
This policy also applies when you visit our site in person, our websites, participate in events, surveys, contests, promotions, log in to our hotspots, or otherwise use our products and services. Personal data of former members, customers, suppliers, and prospects will also be treated carefully and securely in accordance with this privacy policy.
2. What “Data Processing” Means and Who is Responsible
A. Definition
“Processing of personal data” refers to any operation concerning data that can identify you as a natural person. This includes collecting, recording, organizing, storing, updating, modifying, retrieving, consulting, using, disseminating, combining, archiving, deleting, or destroying personal data.
For clarity, processing personal data of business customers, suppliers, or members/volunteers applies only if the person is a natural person. If the entity is a legal person, this policy applies only to the personal data of natural persons connected to that entity (e.g., authorized representatives, contacts, or end users).
B. Data Controller
TTO-Noordzee vzw, with registered office at Loskaai 15, B-8660 De Panne, Belgium, registered with the Crossroads Bank for Enterprises (KBO) under number 0418.352.684, is the data controller. This means TTO-Noordzee determines the purposes and means of processing personal data.
Two responsible roles are appointed internally:
- Controller: Monitors GDPR compliance (acts as Data Protection Officer without holding the official title). Ensures all members/employees are informed about GDPR, their rights, and obligations.
- Operator: Handles the day-to-day management of personal data under guidance from the controller.
The controller ensures that members/employees are informed about GDPR in a traceable way, for example through emails with checkboxes confirming receipt and acceptance.
C. Our Responsibilities to Members, Customers, and Suppliers
TTO-Noordzee vzw must:
- Adequately inform members/volunteers, visitors, customers, and suppliers that their personal data will be processed according to GDPR.
- Obtain legally required consent before personal data is shared for processing.
- Not collect personal data unlawfully.
- Protect personal data with appropriate technical and organizational measures.
- Ensure reliability of anyone with access to personal data.
- Avoid any actions that could violate privacy laws.
- Organize, update, and limit access to contact information.
D. Your Responsibilities Regarding End Users
If you allow end users (family, friends, visitors) to use TTO-Noordzee products/services, you must:
- Inform end users that their personal data will be processed.
- Obtain required consent before sharing personal data.
- Not collect data unlawfully.
- Ensure technical and organizational measures protect the data.
- Ensure reliability of users with data access.
- Avoid any actions that could violate privacy laws.
E. Our Responsibilities Regarding Third-Party Services
Third parties given access to TTO-Noordzee member databases (e.g., newsletter providers like YMLP) act only as operators. TTO-Noordzee remains responsible as the controller. All third parties must demonstrate GDPR compliance.
F. Your Responsibilities Regarding Third-Party Services
You may use third-party services (chat, forums, social media, apps) through TTO-Noordzee products/services. TTO-Noordzee does not control or take responsibility for how third parties process the data you provide to them. You must use these services responsibly and review their privacy policies.
3. What Personal Data We May Process
A. Data You Provide
- Members/Volunteers: Data provided at registration and internal evaluations.
- Customers/Suppliers: Data collected via phone, written forms, email, SMS, or in person.
B. Data Automatically Collected
- We do not assign personal data automatically.
- We may ask how you discovered TTO-Noordzee (e.g., website, Google) or your postal code, which is outside GDPR scope.
C. Data Obtained from Third Parties
- We never purchase personal data from third parties.
D. Categories of Data
Level 1 – Basic Member Info: Name, gender, contact info.
Level 2 – Customer/Supplier Info: Contact and company details.
Level 3 – Targeted Info: Emergency contacts, age, personal dossiers, incident reports, billing data, preferences.
Level 4 – Sensitive Info: Medical information, exam results – only accessible by the two GDPR officers.
We do not process sensitive data like racial, political, sexual orientation, or health data unless strictly necessary.
E. Non-Customer Data
We may collect personal data from non-customers via contests, promotions, or websites to provide relevant offers. We ensure consent and proper handling of such data.
4. Why We Use Personal Data
A. Proportional Processing
We process personal data only when necessary:
- For contract execution
- To comply with legal obligations
- For legitimate interests, balancing your rights
B. Specific Purposes
- Managing memberships, meetings, exams, trainings, and communications.
- Handling customer/supplier requests, bookings, and inquiries.
- Providing invoices, addressing complaints, or managing incidents.
- Fraud prevention, identity verification, and safety measures.
- Informing you about new products or promotions (up to 2 years after relationship end).
- Legal compliance (law enforcement, accounting, or fiscal obligations).
C. Automated Decision-Making
We do not make automated decisions with legal or significant effects unless:
- Necessary for contract execution
- Permitted by law
- Explicit consent is obtained
You will always be informed and may request human intervention.
5. How We Protect Your Data
A. Technical and Organizational Measures
- Staff training, volunteer GDPR monitoring, and IT security measures.
- Passwords, encryption, firewalls, antivirus, intrusion detection.
- Access restricted to authorized staff based on necessity.
B. Telecommunications Confidentiality
- Communications via phone or WiFi are confidential.
- Only work-related communications using radios are exceptions.
6. Sharing Data with Third Parties
A. Data Transfers
- Personal data is never sold.
- May be shared with legal successors, service providers, or if legally required.
- Contracts ensure GDPR compliance.
B. International Transfers
- Data processed outside the EU is safeguarded by contractual or other measures ensuring an adequate protection level.
C. Use of Anonymous Data
- Anonymous or aggregated data is used for internal analysis or reporting.
- No data can be traced back to an individual.
7. Commercial Use of Personal Data
- Members'/volunteers' data is never used for commercial purposes.
- Customers and suppliers only provide necessary information for services.
- Website data may be used for statistical purposes; no personal communication is monitored without legal or service necessity.
Minor Data: For users under 16, parental consent is required where applicable.
Opt-Out: You may opt out of marketing communications at any time.
8. Your Privacy Rights
- Access: Request to see what personal data we hold and purposes.
- Correction: Rectify incomplete, inaccurate, or outdated data.
- Deletion (“Right to be Forgotten”): Request deletion when no longer necessary, consent is withdrawn, or processing is unlawful.
- Restriction: Limit data use if accuracy is disputed or processing is unlawful.
- Data Portability: Obtain data in a machine-readable format and transfer to another controller.
- Objection: Object to processing based on legitimate interests.
Practical Notes: Requests are free unless excessive or repetitive. Response within 1 month, extendable by 2 months if complex.
9. Retention of Personal Data
- Data retained only as long as necessary for its purpose.
- Examples: traffic data – 24 months, invoices – 7 years, legal evidence – up to 10 years.
- Former customers’ data may be retained up to 2 years for communication unless they opt out.
10. Our Website
- Data collected: IP address, browser info, device type, visit time, pages viewed, clicks.
- Personal info (email, name, address, phone) may be requested.
- Purposes: service delivery, communication, statistics, personalized content, promotions.
11. Cookie Policy
A. What are cookies?
- Cookies store information to improve site usability, personalization, and analysis.
B. Types
- Necessary, functional, performance, social media cookies.
- Third-party cookies (Adobe Analytics, Google Analytics, Hotjar) used for anonymized tracking.
C. Managing Cookies
- Can be disabled via browser settings.
- Disabling cookies may affect website functionality.
12. Contact
- For questions or exercising your rights, contact TTO-Noordzee customer service or the Data Protection Officer via www.ttonoordzeevzw.be.
13. Updates
- Privacy policy may be updated due to market or operational changes.
- Latest version will always be on the website; consent may be required for new processing activities.
14. Supervisory Authority
- Complaints can be submitted to the Belgian Data Protection Authority:
Drukpersstraat 35, 1000 Brussels, Belgium
+32 (0)2 274 48 00
commission@privacycommission.be
www.privacycommission.be