69.DC.1001 · Version 3.0 · Last updated 24.12.2025 · Information classification: Public (P)
MOVE-IZI APPLICATION
Privacy Statement – IZI-to B.V.
1. Introduction
IZI-to B.V. (operating under the brand MOVE-IZI) attaches great importance to the careful, lawful, and transparent processing of personal data. This privacy statement explains which personal data we process, for what purposes, on which legal bases, and how we safeguard your privacy when providing toll collection and related services.
This Statement applies to:
- All users of the MOVE-IZI App
- Visitors of our website
- Road users who use our toll collection services
Data Protection Officer (DPO)
IZI-to B.V. has appointed a Data Protection Officer. If you have questions, requests, or complaints about privacy, please contact:
E-mail: dpo@izi-to.com
Postal address: MOVE-IZI, Box A6093, Kwikstaartlaan 42, 3704 GS Zeist, The Netherlands
2. Key terms
To make this privacy statement easier to read, some key terms used in the General Data Protection Regulation (GDPR) are explained below. These definitions will help you better understand how IZI-to B.V. processes and protects personal data.
| Term | Meaning |
|---|---|
| Controller | IZI-to B.V., who decides why and how personal data is processed. |
| Data subject | The person whose personal data is being processed. |
| EEA | European Economic Area (EU countries, Norway, Iceland, Liechtenstein). |
| Personal data | Any information that identifies you directly or indirectly. |
| Processor | A company that processes data on behalf of IZI-to B.V. |
| Toll transaction | The registration of a toll passage (including time, location, and vehicle identification data) for the purpose of calculating and collecting toll fees. |
3. How we process personal data
Personal data includes any information that can identify a natural person directly or indirectly. Personal data relates to an individual — the data subject. The collection, recording, organization, structuring, storage, alteration, retrieval, use, disclosure, and transmission of personal data are collectively referred to as “processing.”
The personal data we collect about you helps us provide the best possible support in carrying out our activities, including (but not limited to) when you:
- use or drive on toll roads where we provide toll collection services;
- visit our website; or
- otherwise communicate with us.
In addition, IZI-to B.V. is required to process certain personal data to comply with legal and tax obligations.
This privacy statement provides an overview of the personal data we process, the legal grounds for processing, and the purposes for which processing takes place. Certain processing activities may, where necessary, be carried out by carefully selected third parties acting on behalf of IZI-to B.V. and strictly in accordance with our instructions and security requirements.
IZI-to B.V. does not intentionally process special categories of personal data or criminal data. Should such processing become necessary due to a statutory obligation or explicit legal exception, we will ensure full compliance with applicable safeguards. Likewise, no automated decision-making or profiling takes place that produces legal effects or significantly affects you, as defined in Article 22 of the GDPR. For processing activities with a higher privacy risk, IZI-to B.V. conducts a Data Protection Impact Assessment (DPIA).
Categories of data subjects
- users of the MOVE-IZI app;
- toll road users;
- visitors to the MOVE-IZI website;
- customer service contacts and business partners of IZI-to B.V.
Why we collect your data
- Managing data as part of the service agreement.
- Offering web and online services.
- Enabling your use of our ‘automatic toll payment’ service for the A24/Blankenburg connection.
In addition, we process personal data when required by law.
When we process your data based on our legitimate interests (Article 6(1)(f) GDPR), we always carefully balance our interests against your privacy rights.
Which personal data do we collect from you and for what purposes do we use it?
| Personal Data | Purpose of Processing | Legal Basis | Retention Period |
|---|---|---|---|
| • Name • Address • (Mobile) phone number • E-mail address • License plate • Vehicle details (make, model, weight) |
Managing and processing toll passages and payments and/or billing services | Performance of contract (Art. 6(1)(b) GDPR) | 7 years |
| • Correspondence data • Records of communication • Questions and complaints • Name, e-mail address, tax number, license plate, case number, contact number |
Providing customer support | Performance of contract (Art. 6(1)(b) GDPR) / Legitimate interest (Art. 6(1)(f) GDPR) | 5 years |
| CCTV data (photos, videos of vehicles) | Responding to customer complaints or requests related to toll collection | Legitimate interest (Art. 6(1)(f) GDPR) | 5 years |
| Payment details and methods (e.g. credit card / bank account) | To collect toll fees for passages | Performance of contract (Art. 6(1)(b) GDPR) | 7 years |
| Date and time of toll transactions (passages) and payment history | To verify payments | Legitimate interest (Art. 6(1)(f) GDPR) | 7 years |
4. Cookies
Our website uses technical, analytical, and profiling cookies (both our own and from third parties). They help the website work properly, improve your experience, and personalize our services. We ask for your consent before setting analytical or profiling cookies. You can change or withdraw your cookie preferences at any time in the cookie settings on our website. Analytical cookies that have little to no impact on your privacy may be placed without consent only if they meet the exemption criteria of the Dutch Telecommunications Act.
5. How we collect your data & who we share it with
How we collect your data
- When you provide it directly (e.g. using the app, website, or customer service)
- When you use our automatic toll payment services
- Through automated systems such as license plate recognition and toll systems
We may also receive information from external or public sources, such as trade registers or open data from the RDW (Dutch Vehicle Authority) to verify vehicle details. These verifications are necessary to ensure accurate toll calculation and to meet obligations relating to vehicle class and weight, as set out in the toll legislation.
Who we share data with
To the extent necessary for the purposes described in this privacy statement, personal data is shared with carefully selected parties, including:
- IT hosting and cloud providers
- Payment and billing service providers
- Customer support and communication partners
- Legal and financial advisors
- Public authorities when legally required
All processors act exclusively on our documented instructions and are contractually bound to comply with strict confidentiality, security, and data protection obligations as required under Article 28 GDPR. Our processors are located within the European Economic Area (EEA). If processing takes place outside the EEA, appropriate measures will be taken in accordance with paragraph 7 below.
6. Access to personal data
Access to your data within IZI-to B.V. is strictly limited to employees who need it to perform their duties (“need-to-know”). For the purposes described in this privacy statement, personal data may also be processed by carefully selected external parties, including:
- Technical service providers, subcontractors, and service partners that support the operation of our infrastructure and services.
- Payment service providers involved in processing toll transactions and other payment activities.
- Where relevant, affiliated entities within the IZI-to group for internal administrative purposes, subject to equivalent privacy safeguards.
IZI-to B.V. enters into written data processing agreements with all such parties, in accordance with Article 28 of the GDPR. These agreements set out the required security measures, confidentiality obligations, and audit rights. In addition, personal data may be shared, where necessary, with competent courts, lawyers, financial institutions, or public authorities to comply with legal obligations, court orders, or to defend against legal claims.
7. Data transfers outside the EEA
Personal data is not transferred outside the European Economic Area (EEA). All processing takes place within the EEA in accordance with the standards of the GDPR and other applicable laws. If, in the future, the transfer of personal data outside the EEA becomes necessary, IZI-to B.V. will only do so using appropriate safeguards, including the EU Standard Contractual Clauses (SCCs) or other legally approved mechanisms as referred to in Articles 45 and 46 of the GDPR. If an international transfer becomes necessary, IZI-to B.V. will conduct a transfer impact assessment to determine whether additional technical or organizational measures are required to ensure an equivalent level of protection.
8. Data security
IZI-to B.V. implements technical and organizational measures in accordance with Article 32 of the GDPR to ensure an appropriate level of security. These measures are tailored to the nature, scope, context, and purposes of the processing, as well as to the risks posed to the rights and freedoms of data subjects. The security measures are periodically evaluated and improved following the PDCA cycle (Plan–Do–Check–Act) to ensure continuous enhancement of the security level.
IZI-to B.V. maintains its information security management system in line with the international standard ISO/IEC 27001. This certification demonstrates that our information security management system is subject to periodic, independent audits and meets internationally recognized security standards.
The implemented security measures include, among others:
- Access control based on a “need-to-know” principle and encryption of data both at rest and in transit.
- Logging, monitoring, and incident management.
- Backup and recovery procedures.
- Regular internal and external audits focused on compliance and the effectiveness of security measures.
- Continuous training and awareness programs for employees.
- A formal information and access security policy.
- A business continuity and incident response plan.
- Established protocols for change management and monitoring.
- Maintenance of privacy and cookie policy.
- Management of information systems and assets in accordance with recognized security standards.
9. Data retention
IZI-to B.V. does not retain personal data longer than necessary for the purposes for which it was collected or processed. We apply retention periods that are based on the nature of the data, the contractual relationship with the data subject, and applicable legal, tax, or accounting obligations.
After the relevant retention period has expired, personal data is securely deleted or irreversibly anonymized, unless a legal obligation requires a longer retention period (for example, under tax or administrative law). Where data must be retained for longer periods for the establishment, exercise, or defence of legal claims, we will restrict access through appropriate technical measures.
10. Your rights under the GDPR
| Right | Meaning | Limitations / Conditions |
|---|---|---|
| Information | You have the right to clear information about how your personal data is processed, including the purposes, retention periods, and your rights. | The information must be provided in a clear and transparent manner, usually through a privacy statement. |
| Access | You may request access to your personal data that we process. | Identity verification is required; access may not infringe upon the rights and freedoms of others. |
| Data portability | You have the right to receive your data in a structured, commonly used, and machine-readable format, so that you can transfer it to another organization. | Applies only to data you have provided to us, and only when the processing is based on consent or the performance of a contract. |
| Correction | You may request correction of inaccurate or incomplete data. | Applies only to your own personal data. |
| Objection / restriction | You have the right to object to processing or request restriction of processing. Applies when processing is based on legitimate interests or direct marketing. | Applies under the conditions listed in Article 18 GDPR (for example, if the accuracy of the data is contested). |
| Erasure ("right to be forgotten") | You have the right to request deletion of your data when it is no longer needed, has been unlawfully processed, or when you have withdrawn consent. | Not possible where there is a legal obligation or outstanding payment(s). |
| Withdrawal of consent | You may withdraw your consent at any time. | Applies only to future processing; previous processing remains lawful. |
We will respond within one month of receiving your request. This period may be extended by two months if the request is complex; in that case, we will inform you in time of the reason for the extension. You can exercise your rights by contacting dpo@izi-to.com. We may ask you for additional information to verify your identity.
In addition to our internal process, you always have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) via www.autoriteitpersoonsgegevens.nl.
11. Data Controller
IZI-to B.V.
Address: Van Deventerlaan 31, 3528 AG Utrecht, The Netherlands
E-mail: dpo@izi-to.com
Chamber of Commerce nr: 83064583
If IZI-to B.V. is part of a group of companies, data may be shared within the group for internal purposes under the same privacy safeguards. If we make changes to our corporate structure (such as mergers or acquisitions), your data will remain protected under this privacy statement or an equivalent level of protection.
12. Changes to this privacy statement
IZI-to B.V. reserves the right to amend or supplement this privacy statement at any time. The most current version of this notice will always be available on our website. We recommend that you review this privacy statement regularly to stay informed about any changes. In the event of significant changes that may affect how we process your personal data, IZI-to B.V. will actively inform you — for example, via e-mail, a notification in the MOVE-IZI app, or an announcement on our website move-izi.nl.