Trusted by many



Pay attention! Borrowing money, costs money

Privacy declaration


When mediating and concluding financial products or services, we ask Snaploan Online a lot of confidential information from customers. Customers of Snaploan Online must be able to assume that we will handle the information that a customer provides us with due care and that this information will not be shared with others without the explicit consent of the customer.

In this sense, careful handling of the recording and exchange of personal data is a condition for careful financial services. Confidentiality is an important aspect for our company and the attitude of the professionals working in it.

For the effective performance of our activities, it is necessary that we exchange personal data with providers and, for example, banks and insurance companies, because this affects the core of our tasks as a financial service provider. In addition, it is possible that we provide information on the basis of legal obligations to, for example, the Dutch Tax Authorities or the Netherlands Authority for the Financial Markets.

We have mapped the personal records kept by us and processed them in our internal processing register, which you can find on our website. Potential and existing customers and other stakeholders can receive these on request. Here they will find information about the data that we process and about the parties with whom we can exchange this data.

1. Definitions

In these regulations the following terms have the following meanings:

  • the law: the General Data Protection Regulation (GDPR) and the GDPR Implementation Act;
  • personal data: any information about an identified or identifiable natural person;
  • processing of personal data: any action or set of actions relating to personal data, including in any case the collection, recording, organization, storage, update, modification, retrieval, consultation, use, provision by means of transmission, distribution or any other form of making available, bringing together, linking together, as well as shielding, erasing or destroying data;
  • file: any structured set of personal data, regardless of whether this set of data is centralized or distributed in a functionally or geographically determined manner, which is accessible according to certain criteria and relates to different persons;
  • controller: the natural person, legal person or any other person or administrative body that, alone or together with others, determines the purposes and means of processing personal data;
  • processor: the person who processes personal data on behalf of the controller, without being subject to his direct authority;
  • data subject: the person to whom personal data relates;
  • third party: any person, other than the data subject, the controller, the processor, or any person who is authorized to process personal data under the direct authority of the controller or processor;
  • recipient: the person to whom the personal data are provided;
  • consent of the data subject: any free, specific and informed expression of will by which the data subject accepts that personal data relating to him will be processed;
  • supervisor: Dutch Data Protection Authority;
  • provision of personal data: the disclosure or making available of personal data;
  • collection of personal data: obtaining personal data.

2. Range

  1. These regulations apply to the fully or partially automated processing of personal data. It also applies to the non-automated processing of personal data contained in a file or intended to be included therein.
  2. These regulations apply within Snaploan Online and relate to the processing of personal data of customers, employees and other natural persons involved.

3. Purpose

  1. The purpose of collecting and processing personal data is to have access to the data that are necessary for the realization of the purposes as described in the articles of association, the annual plans and other plans of Snaploan Online, the realization of legal purposes and the conducting policy and management in the context of these purposes.
  2. The purposes for which data is collected and processed within Snaploan Online are explicitly described in the appendix.

4. Representation of the person concerned

  1. If the person concerned is a minor and has not yet reached the age of sixteen or if the person concerned is of age and placed under guardianship, the consent of his legal representative is required instead of the consent of the person concerned. The consent is recorded in writing. If the data subject has issued a written authorization with regard to his representative to the processor, the consent of the agent in writing is required.
  2. Consent can be withdrawn at any time by the person concerned, service authorized in writing or his legal representative.

5. Responsibility for management and liability

  1. The controller is responsible for the proper functioning of the processing and management of the data; Under the responsibility of the controller, an administrator is usually charged with the actual management of the personal data.
  2. The responsible party ensures that appropriate technical and organizational measures are taken to protect against any loss or any form of unlawful processing of data.
  3. The responsibility referred to in paragraph 1 and the provisions of paragraph 2 apply without prejudice if the processing takes place by a processor, this is regulated in an agreement (or by means of another legal act) between the processor and the controller.
  4. The responsible person is liable for damage or disadvantage caused by non-compliance with the provisions of the law or these regulations. The processor is liable for that damage or that disadvantage, insofar as this / that is caused by his actions.

Lawful Processing

  1. Personal data is processed in a proper and careful manner in accordance with the law and these regulations.
  2. Personal data is only collected for the purposes referred to in these regulations and is not further processed in a way that is incompatible with the purposes for which they were obtained.
  3. Personal data must be adequate and relevant in view of the purposes for which they are collected or subsequently processed; no more personal data must be collected or processed than is necessary for the purpose of the registration.
  4. Personal data may only be processed if:
    • the data subject has given his unambiguous consent to the processing;
    • the data processing is necessary for the performance of an agreement to which the person concerned is a party (for example, an agreement to conclude a financial product or financial service or the employment contract with the person concerned) or for actions, at the request of the person concerned, that are necessary for the conclusion, or assisting in the management of an agreement;
    • the data processing is necessary to fulfill a legal obligation of the controller;
    • the data processing is necessary in connection with a vital interest of the data subject;
    • the data processing is necessary with a view to an interest of the controller or of a third party, unless that interest conflicts with the interest of the person whose data are being processed and that interest prevails.
  5. The Citizen Service Number is only registered if there is a legal basis for this. As a rule, there will be no such basis for our services.
  6. Anyone who acts under the authority of the controller or processor - and also the processor himself - only processes personal data on behalf of the controller, except in the case of deviating legal obligations.
  7. The data is only processed by persons who are obliged to observe secrecy on the basis of an (employment) agreement.

7. Processing of personal data

  1. Processing is carried out by employees of Snaploan Online, our company, or other natural persons who are engaged in financial services under our responsibility.
  2. The processing generally takes place in connection with the performance of an agreement, namely the agreement to provide services. In those cases where there is no performance of such a contract, the processing takes place with the express consent of the data subject.
  3. The processing is done in order to be able to perform our activities as a broker in financial products and services.

8. Special personal data

  1. The processing of personal data about a person's religion or belief, race, political opinion, health, sexual life, membership of a trade union or of criminal personal data is prohibited, except in cases where the law expressly provides by whom, for what purpose and under what conditions such data may be processed (Articles 9 and 10 of the GDPR).
  2. As a financial service provider, we may process information about your health in our administration, provided this is necessary for the proper performance of our work. We may also request information about a possible criminal past from you, if this is necessary for the proper execution of the agreement, provided that you give your explicit permission for this.

9. Data processing

If the personal data are obtained from the data subject himself, the controller shall inform the data subject before the moment of collection:

  • his identity;
  • the purpose of the processing for which the data are intended, unless the data subject already knows that purpose.
  1. The controller shall provide the data subject with further information to the extent that - given the nature of the data, the circumstances under which they were obtained or the use to which it is made - it is necessary to guarantee proper and careful processing towards the data subject.
Data obtained without the involvement of the person concerned
  1. In addition to the information received from the data subject, the controller may, for the purposes described, obtain information from external sources that the controller considers reliable. Think of the Roy data for the registration of your bonus / malus statement, the RDW for your vehicle data and the CIS foundation for the prevention and combating of fraud in the insurance sector.
  2. The responsible party shall ensure that with any processing of personal data, only those personal data are processed that are accurate, adequate, relevant and not excessive.

10. Right of access

  1. The data subject has the right to be informed of the processed data relating to his person.
  2. The controller will inform everyone at his / her request - as soon as possible but no later than four weeks after receipt of the request - in writing whether personal data concerning him or her will be processed. Costs may be charged for providing such a notification. In addition, the data subject, who requests access to his personal records, may be asked for a copy of a valid proof of identity.
  3. If that is the case, the controller will provide the applicant with a complete written statement, as soon as possible, but no later than four weeks after receipt of the request, with information about the purpose or purposes of the data processing, the data or categories of data. to which the processing relates, the recipients or categories of recipients of the data as well as the origin of the data.
  4. If a weighty interest of the applicant requires this, the controller will comply with the request in a form other than the written form that is adapted to that interest.
  5. The controller can refuse to comply with a request if and insofar as this is necessary in connection with:
    1. the investigation and prosecution of criminal offenses;
    2. the protection of the data subject or of the rights and freedoms of others.

11. Provision of personal data

  1. In principle, the provision of personal data to a third party does not take place other than with the consent of the person concerned or his representative, except in the case of a statutory regulation or the state of emergency.
  2. An exception to this rule is information exchange with parties that need information for the performance of the agreement, such as insurance companies, banks, lenders or parties involved in claims handling.
  3. Finally, we can provide personal data in order to comply with legal obligations, such as to the Dutch Tax Authorities and the Netherlands Authority for the Financial Markets.

12. Right to correction, addition, deletion

  1. At the written request of a data subject, the controller will correct, supplement, delete and / or protect the personal data processed about the applicant, if and insofar as these data are factually incorrect, incomplete or irrelevant for the purpose of the processing. or comprise more than is necessary for the purpose of the registration, or otherwise processed in violation of a legal provision. The request of the person concerned contains the changes to be made.
  2. The controller will inform the applicant in writing as soon as possible, but no later than four weeks after receipt of the request, whether he complies with it. If he does not want to comply with this or not fully, he will give reasons. In this context, the petitioner has the option of addressing the controller's complaints committee.
  3. The responsible party will ensure that a decision to correct, supplement, remove and / or shield is carried out within 14 working days, and if this is not reasonably possible otherwise as soon as possible afterwards.

13. Retention of data

  1. Personal data will not be kept in a form that makes it possible to identify the data subject for longer than is necessary for the realization of the purposes for which they are collected or subsequently processed.
  2. The controller determines how long the recorded personal data will be kept.
  3. If the retention period of the personal data has expired or the data subject makes a request for deletion before the expiry of the retention period, the relevant data will be deleted within a period of three months.
  4. However, removal will not take place if it can be reasonably assumed that this is the case
    • the storage is of great importance to someone other than the data subject;
    • the storage is required by law (including the Financial Supervision Act) is or
    • if there is agreement on this between the data subject and the controller.

14. Processing register

  1. A fully or partially automated processing of personal data intended for the realization of a goal or related purposes has been mapped out by us and processed in an internal processing register before the processing starts.
  2. In those cases where an automated process deployed for the processing of personal data poses a high risk for the data subject, taking into account the nature and context of the personal data held, we will carry out a data protection impact assessment before starting this processing and we ensure that we adequately control the associated risks, in order to guarantee the rights of data subjects sufficiently.
  3. The internal processing register states:
    • the name and address of the controller;
    • the purpose or purposes of the processing;
    • a description of the categories of data subjects and of the (categories of) data relating to them;
    • the recipients or categories of recipients to whom the data may be disclosed;
    • the retention periods used.

15. Data breaches

  1. If the controller is confronted with a data breach, it will investigate whether personal data has been lost or whether unlawful processing cannot be ruled out.
  2. If the aforementioned investigation shows that personal data of a sensitive nature has been leaked or there is (a significant chance of) adverse consequences for the protection of the processed personal data for another reason, the responsible party will inform the Dutch Data Protection Authority about the data breach.
  3. If the controller has not (properly) encrypted all leaked personal data, or if the data breach is likely to have adverse consequences for the privacy of the data subjects for other reasons, the controller will also report the data breach to the Netherlands Authority for the Financial Markets. It is possible that, in consultation with the aforementioned supervisory authorities, it will also be decided to inform those involved about the possible data breach.

16. Complaints procedure

If the person concerned is of the opinion that the provisions of these regulations are not being complied with, he can contact:

  • the responsible;
  • if the person concerned is not satisfied with the outcome of the complaint, he can turn to the Financial Services Complaints Institute in The Hague;
  • with the request to mediate and advise the Dutch Data Protection Authority in the dispute between the data subject and the controller;
  • the court.

17. Change of entry into force and copy

  1. Changes to these regulations are made by the responsible person.
  2. The changes to the regulations will take effect four weeks after they have been announced to those involved.
  3. These regulations came into effect on 25-05-2018.
  4. These regulations can be viewed at the responsible party. If desired, a copy of these regulations can be obtained at cost price.

18. Unforeseen

In cases not provided for in these regulations, the responsible party decides, with due observance of the provisions of the law and the purpose and purport of these regulations.

Current interest rates

Request a quote without obligation