Privacybeleid
Privacy Policy
This privacy policy describes how the SPONGE programme (hereafter "we", "us", or "our") collects, uses, and protects personal data through the SPONGE Voucher Portal. The portal is used for submitting, assessing, and managing voucher applications within the Interreg Meuse-Rhine programme.
We attach great importance to the protection of your personal data and process it in accordance with the General Data Protection Regulation (GDPR).
Jump to:
- Data controller
- What data do we collect?
- What do we use your data for?
- Legal basis for processing
- How is your data stored?
- Sharing with third parties and sub-processors
- International transfers
- Retention period
- Your rights
- Automated decision-making
- Security
- Cookies
- Right to lodge a complaint
- Contact
- Changes
Data controller
The data controller for the personal data processed through the SPONGE Voucher Portal is:
[Name of responsible organisation / lead partner to be completed]
[Address]
[Postal code and city]
[Country]
Data Protection Officer (DPO):
[Name or role to be completed, or state that no DPO has been appointed and why]
Email: [DPO email address to be completed]
What data do we collect?
Account data
When you register and use your account, we collect:
- Full name
- Email address
- Password (stored in encrypted form)
- Organisation name
- Phone number
- Country (the Netherlands, Belgium, or Germany)
- Profile photo (optional)
Project application data
When submitting a voucher application, we collect:
Applicant and organisation details:
- Organisation name and legal form
- Organisation address details
- Registration number (Chamber of Commerce/RSIN or equivalent)
- Contact person: name, role, email address, and phone number
- Proof of legal personality (document upload)
Project details:
- Project name and description
- Project location and address details
- River/catchment area
Partner details:
- Names and roles of project partners
- Partner type (landowner, co-financier, contractor, NGO, government, etc.)
- Partner contact details
Permits and ownership:
- Permit status and associated documents
- Ownership situation
Financial data:
- Co-financing details (names, amounts, status)
- Budget items and amounts
- Budget documents (upload)
Planning and concept:
- Planned start and end date
- Concept plan documents (upload)
- Name of concept plan author
Self-assessment and declarations:
- Assessments on 15 criteria (hydrological, ecological, technical, social)
- Maintenance commitment
- De minimis declaration (including document upload)
- Name, role, and place of the signatory
Assessment data
For assessors and committee members, we store:
- Assessment scores and decisions
- Assessment notes and explanations
Technical data
- Session cookies (required for the portal to function)
- Desktop notification cookie (valid for 1 year, does not contain personal data)
What do we use your data for?
We process your personal data exclusively for the following purposes:
- Account management: creating and managing your user account
- Application processing: receiving, assessing, and processing voucher applications
- Communication: contacting you about your application or account
- Legal obligations: meeting the reporting requirements of the Interreg Meuse-Rhine programme and ERDF subsidy rules
Legal basis for processing
The processing of your personal data is based on:
- Performance of a contract (Art. 6(1)(b) GDPR): processing your voucher application
- Legal obligation (Art. 6(1)(c) GDPR): compliance with subsidy and reporting obligations
- Legitimate interest (Art. 6(1)(f) GDPR): management and security of the portal
How is your data stored?
- Hosting: the SPONGE Voucher Portal is hosted exclusively by Hetzner Online GmbH in Germany, an ISO 27001-certified data centre within the EU/EEA
- Database: your account data, project data, assessments, and uploaded documents (supporting evidence, concept plans, budgets, permits, de minimis declarations) are stored on Hetzner servers in Germany
- Public files: public assets and images are served via Bunny CDN, an external content delivery service (see also International transfers)
- Passwords: are stored exclusively in encrypted (hashed) form
Sharing with third parties and sub-processors
We do not share your data with third parties, except:
- Hetzner Online GmbH (Germany): for hosting the application, database, and all non-public files. A data processing agreement (Auftragsverarbeitungsvertrag) has been concluded with Hetzner.
- Bunny CDN (bunny.net): for delivering public assets and images. A data processing agreement has been concluded with Bunny CDN. Bunny CDN does not process personal data or confidential documents.
- Interreg Meuse-Rhine programme authorities: for reporting and audit purposes, as required by the subsidy conditions
- Assessors and committee members: who have access to project applications within the portal for assessment purposes
We do not sell your data to third parties and do not use it for marketing purposes.
A current overview of sub-processors is available upon request via the contact details under Contact.
International transfers
Your personal data is processed exclusively within the European Economic Area (EEA). The application, database, and all confidential documents are hosted by Hetzner Online GmbH in Germany (ISO 27001-certified). Personal data does not leave the EU/EEA.
For serving public assets and images, we use Bunny CDN. Bunny CDN is configured to store and deliver files exclusively from storage zones within the EU/EEA. No personal data or confidential documents are processed via Bunny CDN.
Retention period
Your personal data will be retained for the duration of the SPONGE programme, followed by a period of five (5) years after the closure of the programme, in accordance with the legally required retention period for ERDF-funded projects. After this period, your data will be deleted or anonymised, unless a longer retention obligation applies under other laws or regulations.
Your rights
Under the GDPR, you have the following rights:
- Access (Art. 15 GDPR): you may request information about the data we process about you
- Rectification (Art. 16 GDPR): you may have incorrect data corrected via your profile page or by contacting us
- Erasure (Art. 17 GDPR): you may request deletion of your data, unless retention is legally required
- Restriction (Art. 18 GDPR): you may request restriction of processing
- Data portability (Art. 20 GDPR): you may request to receive your data in a structured, commonly used, and machine-readable format
- Objection (Art. 21 GDPR): you may object to the processing of your data
To exercise any of these rights, please contact us via the details under Contact. We will respond to your request within one month. In exceptional cases, this period may be extended by two months, in which case we will inform you in a timely manner.
Automated decision-making
No automated decision-making or profiling within the meaning of Article 22 GDPR takes place within the SPONGE Voucher Portal. All assessments of voucher applications are carried out by assessors and committee members (natural persons).
Security
We take appropriate technical and organisational measures to protect your personal data, including:
- Hosting at ISO 27001-certified data centres within the EU/EEA
- Encrypted connections (HTTPS/TLS)
- Hashed passwords
- Protection against user account enumeration
- Role-based access control (applicant, assessor, committee member)
- Regular data backups
- Logging and monitoring of portal access
A Data Protection Impact Assessment (DPIA) has been carried out for this portal to identify risks to data subjects and implement appropriate measures.
Cookies
The SPONGE Voucher Portal uses the following cookies:
| Cookie | Type | Purpose | Retention period |
|---|---|---|---|
| Session cookie | Essential | Maintaining login status and session data for the portal to function | Session duration (expires when the browser is closed) |
| Desktop notification cookie | Functional | Remembers whether the user has seen/dismissed the desktop notification | 1 year |
No analytical, tracking, or marketing cookies are placed. The portal does not use third-party cookies. As only essential and functional cookies are used, prior consent is not required under the GDPR and the ePrivacy Directive.
Right to lodge a complaint
If you believe that your personal data is not being processed correctly, you have the right to lodge a complaint with the competent supervisory authority. Given the cross-border nature of the SPONGE programme (the Netherlands, Belgium, Germany), you may contact:
- The Netherlands: Autoriteit Persoonsgegevens (AP) — autoriteitpersoonsgegevens.nl
- Belgium: Gegevensbeschermingsautoriteit (GBA) — gegevensbeschermingsautoriteit.be
- Germany: the competent Landesdatenschutzbehörde of your federal state
Contact
For questions about this privacy policy or about the processing of your personal data, please contact: support@tdzuiderlicht.com
We aim to respond to your request within one month.
Changes
We reserve the right to amend this privacy policy. Changes will be published on this page with the date of the latest amendment. In case of significant changes, we will inform you via the portal or by email.