GVB has Special Investigating Officers (or “BOAs” in Dutch) in service for the enforcement of the social safety in and around public transport. The municipality of Amsterdam also has BOAs in service who are active in and around public transport.
What does a BOA do?
At stations and in vehicles, among other places, a BOA checks whether travellers are in possession of a valid ticket. A BOA also monitors the public order, the compliance with legal provisions, and the GVB travel rules and general transport conditions. In the event of violations, the BOA acts with respect to enforcement.
When a BOA processes personal data in the performance of their police duties (such as the investigation of punishable offences and the enforcement of the public order), the Police Data Act applies and not the GDPR. Just as the GDPR does, the Police Data Act sets requirements for the processing of personal data.
For what purpose does GVB process your personal data in the context of the Police Data Act
Under the Police Data Act, we process personal data for various purposes. These purposes are stated in Articles 8, 9 and 13 of the Police Data Act. These include:
writing a report if you have committed a criminal offence or if you travel without a valid ticket (fare-dodging);
the handling, administration and financial settlement of payments related to an official report, such as granting an objection, applying the leniency scheme, and applying reductions and payment arrangements;
researching and investigating perpetrators of punishable offences (including incidents of graffiti);
investigating perpetrators of spitting incidents to enable prosecution by the Public Prosecution Service.
Which personal data does GVB process?
When giving notice of an official report, we collect contact details, place and date of birth, a description of the punishable offence with the time and location thereof, citizen service number, and ID type and number. We also collect financial data for the payment of an official report for fare-dodging and/or for the implementation of a payment arrangement.
You can submit to us an objection or request for leniency for an official report. In that case, in addition to the data which you have provided in your request, we also collect your contact details, place and date of birth, a copy of your public transport chip card, and the official report number.
If we make a report to the police, we collect to the extent possible your contact details, place and date of birth, tag and/or sign in the case of a graffiti incident, and the time, place and type of criminal offence. In the event of a spitting incident, we collect DNA from the suspect.
We also make use of camera images when identifying offenders, investigating perpetrators of punishable offences, and researching punishable offences which have been committed.
Basis for processing
The basis for which the GVB BOAs process your personal data for the Police Data Act is the performance of a statutory obligation. The BOAs process personal data pursuant to the:
Dutch Code of Criminal Procedure;
Special Investigating Officer Decree;
General municipal by-law (APV).
Finally, the BOAs process personal data for the performance of the agreement. In doing so, these rules apply:
How long do we retain your personal data?
The Police Data Act includes terms for the retention of police data.
In addition, we retain the camera images which have been made in GVB vehicles and vessels for seven (7) days if there has been no incident.
If there has been no incident, we retain the camera images from GVB stations, stops, buildings and grounds for 28 days.
We save camera images which are used for the performance of a police duty (such as images on which an incident or a committed crime can be seen) to hand them over to the police for use in criminal proceedings. More information: “Camera surveillance”.
With whom do we share the personal data?
Only authorised employees receive access to the data. They may only examine those data they need for their work. We may provide access to employees of the police or the municipality. They, too, may only examine those data they need for their work. The actions of employees in systems is logged. Consequently, we maintain who has conducted which action at which time in a certain file.
When giving notice of an official report, we verify your data in the Dutch Population Register (BRP). We do this again after sending the first payment reminder due to fare-dodging.
Sometimes it is necessary for GVB to provide your personal data to third parties. These include the Central Fine Collection Agency (CJIB) if you have not paid your fine in a timely manner, or the Public Prosecution Service or the police because of an incident which GVB reports.
In addition, we sometimes share your personal data with processors who process personal data on the instructions of and for GVB. These processors are collection agencies, cloud and hosting parties, and IT service providers.
What are your rights under the Police Data Act?
Under the Police Data Act, your rights deviate from those under the GDPR. You have the right to inspect the personal data which GVB processes for you under the Police Data Act. To do so, you can request a written summary of your personal data at GVB by sending an e-mail to privacy@gvb.nl.
If your personal data under the Police Data Act are incorrect or incomplete, you can ask GVB to adjust your personal data. In addition, you can have your personal data deleted or request a limitation of the processing of your personal data. You can also object to or appeal the preparation of an official report and fine imposed. More information: “Your privacy rights”. <link>
You will receive from us a message if your request for correction, deletion or limitation of the processing of your data has been completed. We have the right to deny your request if:- the request would obstruct judicial investigations or proceedings;
it has adverse consequences for the prevention of committing punishable offences, for investigation, research, prosecution or the imposition of punishments;
public safety is at stake;
the rights and freedoms of third parties are violated;
national security is at stake;
GVB has the statutory obligation to retain these personal data;
it appears to be an unfounded or excessive request.