Privacy declaration

Privacy declaration

Klik voor Nederlands

Last updated: May 23, 2018

WNS BV, also acting under the name World Natural Spa, located at Rotterdamsedijk 255a, 3112 AL Schiedam, is responsible for the processing of personal data as shown in this privacy statement.

Art. 1 – General Data Protection Regulation

Under the General Data Protection Regulation (AVG) new rights apply for the data subject and further obligations for data controllers, processors and sub-users of personal data. In this document you will find our statement regarding the processing and security of (personal) data, as well as our disclaimer. This statement is binding and publicly transparent (!)

Art. 2 – Definitions 
Person concerned : The visitor of our website, user of our platforms, applicant of our service (s) and / or the recipient;
erwerker / Chief / Administrator :   World Natural Spa. 

Art. 3 – Active provision of data

  1. The person concerned can only actively leave his / her data via the website, webshop and social media channels of the processor / controller. The data that the data subject provides to the processor / controller during this process will only be used for the purpose for which they were left behind.
  2. For the sake of completeness, the data referred to in 3 paragraph 1 concern the  processor / controller with regard to the application and the subsequent following services:
    Name and e-mail address from the contact form, in order to contact the person in question;
    b. Name, e-mail address and IP address from the opt-in form, in order to build a relationship with leads;
    c. Company name, name, address, bank account number, e-mail address and optionally the telephone number from the payment form, to be able to send an invoice and for administrative reasons;
    d. Name, e-mail address and IP address from the chat form, to be able to contact the person who left a chat message;
    e. Name, e-mail address and IP address from the support form, to be able to serve customers and to answer support questions;
    f. Information about the activities of the person concerned on the website of processor / responsible
    g. Information about the surfing behavior of the person concerned through different websites
    h. Internet browser and device type
  3. The data in  3 paragraph 2 under c  will only be processed if provided by the party concerned. This concerns optional data to be provided here.
  4. It is possible that data are included in the database of processor / controller because they are obtained via a different channel than via the website of the processor / controller. This could include contact via telephone, whatsapp, e-mail, social media or a third party. In the aforementioned cases, too, the information actively provided by the person concerned will only be used for the purpose for which they were left behind.
  5. The website and / or service of processor / controller does not intend to collect data about website visitors who are younger than 16 years. Unless they have permission from parents or guardians. However, the processor / responsible can not check whether a visitor is older than 16. Processor / controller recommends that parents are involved in the online activities of their children, in order to prevent data about children being collected without parental consent. If the person concerned is convinced that the processor / responsible person has collected personal information about a minor without this permission, contact and this information will be removed by the processor / controller.

Art. 4 – Early control of data The data controller
/ data controller will check data provided by the data subject in the registers of the Chamber of Commerce. The purpose of such verification is solely to verify the accuracy of the data.

Art. 5 – Reason for processing
The under art. 3 paragraph 2 of this declaration are required for the processing of the application actively filed by the person involved, as well as for the execution of an agreement, as well as due to a legal obligation, as well as the ability to maintain the communication with the person involved pending the execution of the agreement as well as being able to follow the surfing behavior of the person concerned with which the processor / responsible products and services can adapt to the needs of the person involved, as well as to carry out a validity check in Art. 4.

Art 6. – Automated decision-making process The
processor / controller does not make decisions based on automated processing that can have adverse consequences for the data subject.

Art. 7 – Processing of data

  1. All (personal) data obtained by the processor / controller of the data subject, regardless of the channel with which they are or will be obtained, will not be stored for longer than is strictly necessary for the purpose for which the data was actively left by the data subject. It also applies that for the processing of (personal) data only those data are used that the person concerned has actively left behind.
  2. Exceptions as mentioned  in art. 43 Personal Data Protection Act (formerly: Section 43 of the Dutch Data Protection Act) will remain in full force, except where the scope, purpose and nature of an exception in the GDPR is different.

Art. 8 – Sharing of personal data with third parties
Processer / controller shares personal data of the data subject with various third parties if this is necessary for the execution of the agreement and to comply with any legal obligation. With companies that process data of the data subject on behalf of the processor / controller, a processor agreement is concluded to ensure the same level of security and confidentiality of the data subject’s data. Processor / controller remains responsible for these processing operations. In addition, processor / controller provides personal data of the data subject to other third parties. This is done by the processor / controller only with the explicit consent of the person concerned.

Processor / controller makes use of the following suppliers who process personal data on behalf of processor / controller, with whom each processing agreement has been concluded (if already available): Drip Communications, Zapier, Facebook, Zendesk,, WordPress, Manychat, TransIP, GravityForms.

Art. 9 – Security and protection of your data

  1. Provided data via the website of processor / controller are only transferred with an encrypted (secure) SSL connection, so that a third party can not intercept the data to be sent or received. The person concerned recognizes the active secure connection through a visible ‘lock’ at the top of the address bar of the web browser. For a manual of a web browser, always consult the builder such as Microsoft, Mozilla, Google and so on.
  2. Provided data is transferred to an SSL secured server after receipt. The aforementioned environments are shared with any online accessible system.
  3. The processor / controller takes the data protection of the data subject seriously and takes appropriate measures to prevent misuse, loss, unauthorized access, unwanted disclosure and unauthorized modification. If the person concerned thinks that data is not properly secured or there are indications of abuse, the data subject can contact him at

Art. 10 – Right to access your data

  1. As soon as the data subject is recorded on a server of the processor / controller, the processor / data controller retains the (actively provided) data of the data subject.
  2. The person concerned can at any time address a request for inspection to the processor / controller and the processor / controller will comply with this by providing an overview with a comprehensible printout with the data as recorded by the processor / controller.
  3. It is the care of the person concerned to keep his / her data up to date by providing timely changes to the processor / controller.

Art. 11 – Right to forgetfulness

  1. As soon as the agreement between processor / controller and data subject ends or data of the data subject are no longer required, the data subject can submit a request to have his / her data immediately ‘forgotten’ by submitting a written request to the processor / controller.
  2. A request as contained in art. 11 paragraph 1 of this declaration is always executed, unless there is an exception as mentioned in art. 11 paragraph 3.
  3. A request for oblivion will not be carried out if:
  4. the execution of the agreement between the data subject and the processor / controller can no longer be carried out in a proper manner.
  5. the request does not have to be made to an exception such as eg but not limited to  17 paragraph 3 under e  of the AVG.

Art. 12 – Use website

  1. The manager uses active hosting for his website, the purpose of which is to offer a safe environment to every visitor. The manager strives for a safe environment and will outsource parts relating to payments to specialized third parties that protect payment processes with a so-called SSL / SSL secured connection and specialize in this.
  2. The visitor indemnifies the manager and owner according to the SIDN of the website for any damage that occurs as a result of a poorly secured connection on the part of the visitor himself. Examples include the use of unsafe WiFi networks, out-of-date virus and control programs, and so on.
  3. The administrator’s websites are available at all times with a so-called secure SSL / TLS connection. Visitor recognizes this connection at the lock in the address bar of the web browser, this lock does not ask the administrator to make this known immediately via: and under no circumstance leave any data (!)

Art. 13 – Procedure for data leaks

  1. If the undesirable situation arises where the slightest threat exists for (possible) data leaks due to the malicious behavior, we will act in accordance with processing agreement (s) concluded with the relevant party, meaning that we report the potential leak to the competent authority and an IT expert. have the problem identified and corrected, as well as informing persons included in the database without delay, so that submitted data is safe at all times and safety can be guaranteed.

Art. 14 – Information on the website

  1. The information on the website has been created with the greatest possible care, without prejudice to the information on the website being based on a snapshot, therefore information on our website is informative, as well as indicative in nature. In addition, typing and spelling errors are subject to change, including the non-committal nature of the overall content.

Art. 15 – Newsletter and other notifications

  1. Betrokkene ontvangt uitsluitend een nieuwsbrief (of andere soortgelijke meldingen), wanneer betrokkene zich actief voor de nieuwsbrief of andere soortgelijke meldingen), van verwerker/verantwoordelijke aanmeldt of heeft aangemeld. Dit betekent dat betrokkene geen nieuwsbrief (of andere soortgelijke meldingen)ontvangt als er geen expliciete en actieve aanmelding heeft plaatsgevonden. Zodra betrokkene zich heeft aangemeld wordt het e-mailadres tezamen met de datum van registratie en diverse technische gegevens in een veilige omgeving, althans naar maatstaven van redelijkheid beveiligde omgeving opgeslagen.
  2. The person concerned can automatically unsubscribe via any unsubscribe newsletter (or other similar notifications) via the unsubscribe link and the associated page on the website. It is also possible to unsubscribe by sending an email to with the subject ‘unsubscribe newsletter’.
  3. Cancellation is possible at any time and without giving a reason.

Art. 16 – Cookies

  1. Processer / responsible uses functional, analytical and tracking cookies. A cookie is a small text file that is stored in the browser of the computer, tablet or smartphone of the person concerned on the first visit to this website. The processor / responsible party uses cookies with purely technical functionality. These ensure that the website works properly and that, for example, preferences of the person concerned are remembered. These cookies are also used to make the website work well and to optimize it. In addition, processor / responsible cookies store the surfing behavior of the data subject so that the processor / controller can offer customized content and advertisements.
    The person concerned can opt out of cookies by setting the internet browser in such a way that it no longer stores cookies. In addition, the person concerned can delete all information previously stored via the settings of the browser. Cookies are also placed on this website by third parties. These are for example advertisers and / or social media companies.
  2. The linked Google Analytics account has been modified and set up in such a way that, in accordance with the current cookie legislation, no notification regarding the storage of cookies is displayed on our website.

Art. 17 – Complaints and questions

  1. You have the right to submit a complaint to the Dutch Data Protection Authority if the processor / controller and / or manager does not comply with the above.
  2. For questions regarding this statement, please contact:

World Natural Spa