What are the most important changes when the General Data Protection Regulation comes into effect?

Control over your data

Data security and privacy are among the most important cornerstones of Nmbrs. This is why we find it (very) important that you can trust us to process your data in a secure manner. This is only possible when our software works properly and safely, our internal processes and policies are up to date, and our employees handle your (company) data in the right way. This is something we are continuously working on.

On the 25th of May, the EU General Data Protection Regulation (GDPR) will be a fact. The GDPR is, as it reads on its own website, “the most important data privacy regulation in 20 years.” Enacted by the EU Parliament after four years of deliberation, the GDPR aims to protect the privacy of EU citizens, specifically their “right to be forgotten”: in other words, their right to demand that organizations identify and eradicate any and all data about them.
This means that every organization, as of the 25th of May, has the obligation to safeguard the privacy of the (personal) data it processes or that is processed on its behalf. More than is the case now, the emphasis is on the responsibility to be able to show that the law is being complied with. This implies that everyone who collects and/or processes personal data must demonstrably comply with the rules of the AVG / GDPR.

What constitutes personal data?

Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

In the processing of personal data, Nmbrs adheres to the most important principles: legality, transparency, purpose limitation and correctness.



Legality

The procedures used are in accordance with the applicable rules and decisions.

Transparency

Accessibility is central to communication; both in finding the right information and in expressing the rights of those involved.

Purpose limitation

The personal data collected will be used for a specific legitimate purpose and will not be provided for other purposes.

Correctness

The personal data must be and remain correct.

The data subject rights under the GDPR

In addition to giving proper interpretation to the four above-mentioned principles, the GDPR grants 8 fundamental data subject rights. You must give substance to these (privacy) rights of individuals with respect to their personal data.

Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.
The data subject has the right to know whether data concerning him or her are being processed.
When personal data are inaccurate, controllers need to correct them.
The GDPR introduces a right for individuals to have personal data erased. The right to erasure is also known as ‘the right to be forgotten’.
Individuals have the right to request the restriction or suppression of their personal data. When processing is restricted, you are permitted to store the personal data, but not use it. This is not an absolute right and only applies in certain circumstances.
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances. Individuals have an absolute right to stop their data being used for direct marketing. In other cases where the right to object applies you may be able to continue processing if you can show that you have a compelling reason for doing so.
The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her. Such processing includes 'profiling' that consists of any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her.

Nmbrs and the GDPR

As of May 25, 2018, Nmbrs® will comply with the legal requirements of the GDPR legislation.

We have appointed our Compliance and Risk Officer as our Data Protection Officer (DPO) who is registered as such with the Dutch Data Protection Authority.


Floris Drost

+31 (0)85 888 9961 (Office hours)


We have implemented technical and organizational measures to show that we have integrated data protection into our processing activities (Privacy by Design & Privacy by Default).

Furthermore, we have substantive agreements with our suppliers and sub-processors, specifically about the way in which personal data is handled and protected. For more information, see our sub-processors page.

All our subscribers received our standard data processing agreement. Note: If you started your Nmbrs subscription after the 25th of May 2018, you do not need a data processing agreement, because all relevant agreements are incorporated in our general terms.

If you subscribed before the 25th of May and have not received our data processing agreement, you can request one by providing us with your debtor number and Nmbrs URL.

If you have additional questions about this, please contact

"Privacy by design & by default should be a core value of everyone"

Floris Drost, Compliance Officer

What else do we do?

We want to inform you in the best possible way about our security measures. Visit our security page for a complete understanding of our policies and technical measures.
