Book page

Privacy statement

• 20 November 2025

Last updated: October 14, 2025

1. Purpose and scope

This privacy statement describes how the Netherlands Chamber of Commerce (in Dutch: Kamer van Koophandel, hereinafter: “KVK”) handles personal data processed via the closed collaboration platform Open Social. The platform is used by participants who are organized into work packages, use cases, and groups.

The platform supports, among other things:

  • Finding and connecting participants;
  • Sharing knowledge and exchanging documents;
  • Collaboration within work packages, use cases, and groups.

This statement applies to all registered users of the platform.

2. Responsibility and roles

KVK is the data controller solely for facilitating access to and technical use of the platform (e.g. onboarding, account management, authorizations and platform security). 

Open Social B.V. provides the platform as a processor on behalf of KVK. A Data Protection Agreement (DPA) between Open Social B.V. and KVK applies to this arrangement. 

Work packages and participants are fully responsible for the content / data they upload or share via the platform. KVK is not responsible for the substance of uploaded data via the platform. Each participant is responsible for the careful use of the platform and must comply with the established Terms of Use. Work packages and participants should conduct a legal compliance check upfront, as is stated in the Terms of Use. KVK facilitates this platform, but does not oblige the use of it in any way.

3. What personal data do we process?

For access to and use of the platform, the following personal data is processed:

  • Name, organization and position;
  • Email address and login details (username, password);
  • Profile photo and short biography (optional);
  • Data regarding participation in work packages, use cases, and groups;
  • Communication data (messages, forum posts, comments, polls);
  • Metadata such as login time, IP address, and usage statistics.

In the Terms of Use, the sharing and/or uploading of information (including but not limited to data, documents, files, records, images, or any other materials, in whatever form or medium) is governed in more detail. Users (and thus KVK) are fully responsible for compliance with the applicable legal framework (see Terms of Use, but it includes also compliance with the General Data Protection Regulation and all its (information) obligations). Amongst other things, special categories of personal data as stated in provision 9 of the GDPR is prohibited (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation), as is sharing and/or uploading of datasets of any nature (unless specified otherwise in i.e. Data Management Plan or WE BUILD Management Handbook).

4. Purposes of processing

Personal data is processed solely for the following purposes:

Processing under responsibility of KVK (facilitating the platform):

  • Access and authentication: creating and managing user accounts;
  • Management and security: monitoring correct use of the platform.

Processing under responsibility of participants and work packages:

  • Collaboration: sharing, storing, and editing documents within the consortium and subgroups;
  • Communication: sending messages, announcements, and participating in discussions;
  • Reporting and evaluation: providing insights into participation in work packages, use cases, and pilots.

Clarification: As outlined in chapter 2, KVK acts as data controller only for the facilitation and technical use of the platform. Work packages and participants are responsible for the purposes and means of processing related to the content they upload and share (e.g. documents, research data, presentations). 

5. Legal basis

The processing of personal data on the platform is based on:

  • Performance of the collaboration agreement within the consortium: personal data are necessary to provide access to the platform and to enable collaboration within the WE BUILD consortium;
  • Legitimate interest: for supporting processing activities such as technical management and security of the platform. The legitimate interest is maintaining a secure and efficient digital collaboration environment. The impact on privacy is limited, as only a restricted set of business contact details is processed;
  • Legal obligations: where information must be shared with competent authorities.

6. Retention period

  • Name, organization and position;
  • Email address and login details (username, password);
  • Profile photo and short biography (optional);
  • Data regarding participation in work packages, use cases, and groups;
  • Communication data (messages, forum posts, comments, polls);
  • Metadata such as login time, IP address, and usage statistics.

Above stated information will be deleted February 1st, 2028.

7. Security

Amongst other things, the following security measures are in place.

  • Provider: Open Social, an ISO27001-certified and GDPR-compliant provider.
  • Primary Hosting: Application and database are hosted on Platform.sh (managed PaaS). For WE BUILD, the hosting region is configured for the European Economic Area (EEA).
  • Encrypted Backups: Daily backups are stored on AWS S3 in Frankfurt, Germany (EEA). Backups are retained for 14 days.
  • Network Edge & Delivery: Cloudflare provides CDN and DDoS protection. Open Social configures Cloudflare to ensure that all origin storage remains within the EEA.
  • Information Security Management: Open Social implements controls aligned with ISO/IEC 27001 standards, including risk management, access control, encryption, and incident response.

8. Sharing of personal data

Data is only shared: 

  • With Open Social and sub-processors for service delivery;
  • With competent authorities if legally required;
  • In case of misuse, only after project coordinator approval, limited to what is necessary.

9. User rights

Users have the right to:

  • Access their personal data;
  • Rectification or completion of inaccurate data;
  • Deletion of personal data (where legally permitted);
  • Restriction of processing;
  • Data portability;
  • Object to processing.

Requests may be addressed to the [email protected]. GDPR timelines apply.

10. Terms of Use

In addition to this privacy statement, the Open Social Platform’s Terms of Use for the WE BUILD Consortium apply. These outline which types of information may (not) be shared and the rules of conduct for participation. By using the platform, you agree to both this privacy statement and the terms of use.

11. Complaints

Complaints may be submitted to [email protected] or to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

12. Changes

This privacy statement may be updated to comply with new legal requirements or changes in the use of the platform. The most recent version will be published on the platform.