Protecting your privacy is important to us.
We respect your privacy and ensure that your personal data is protected and processed in accordance with the law. As Deafblind International is a non-profit association registered in the Netherlands, it applies the General Data Protection Regulation (GDPR) of the European Union (EU).
Data protection laws are designed to safeguard individuals’ privacy when their personal data is processed. Personal data includes any information that can identify a person, either directly or indirectly. This may involve contact details such as name, phone number, address, or email, as well as other personal information like date of birth. Certain types of personal data are considered especially sensitive—particularly information related to a person’s health or their ideological beliefs.
This Privacy Policy explains how DbI collects and handles personal data, and why this information is necessary. When we refer to the processing of personal data, we mean any action taken with that data—including storing, altering, using, or deleting it.
This privacy policy is not exhaustive. When providing certain services or in other contexts, other privacy policies, contractual provisions, terms and conditions of participation or similar documents may apply.
Who is responsible for data processing?
Deafblind International is responsible for processing all data. If there are any questions or suggestions regarding data protection, please contact us at SHOW EMAIL or use our postal address:
Deafblind International DbI
Postbus 115
5270AC Sint-Michielsgestel, The Netherlands
Why do we collect personal data?
All personal data is processed for clearly defined purposes, which may stem from contractual obligations, legal requirements, or technical needs. We only collect and use personal data to the extent necessary to achieve these purposes. This includes managing relationships with members and partners, delivering our services—such as responding to inquiries, sharing information about our offerings, and marketing them—providing support in educational, or technical areas, and assessing and improving our services and products. At the heart of this is our commitment to fulfilling our core mission.
What about the processing of personal data within the scope of our core mission?
DbI is THE point of connection in deafblindness worldwide. We connect to maximize positive impact for and with all those concerned and involved.
Our mission includes, in particular, promoting awareness of deafblindness as a unique disability; facilitating the exchange and learning from each other among service organisations, people with lived experience, practitioners, leaders, researchers, and any other person with and without deafblindness in the field; and influencing for inclusion, full participation, and access to appropriate services for persons with deafblindness around the world.
In order to fulfil our mission, we are particularly dependent on data from members, partners, beneficiaries and clients. DbI only collects as much data as is necessary to fulfil its mission and its obligation to provide information to supervisory authorities.
We use various tools to fulfill our mission. Our main platform is Google Workspace. DbI has agreed to the Supplement for Cloud Data Processing (CDPA), which contains standard contractual clauses to meet the security, contractual, and data transfer requirements under the data protection laws of the European Union, the United Kingdom, and Switzerland. 2FA (two-factor authentication), which requires users to confirm their login with a second device such as a mobile phone, is mandatory for logging into DbI’s Google Workspace. DbI fully implements the data minimisation principle, only gathers what is needed to process, and limits the amount of personal data uploaded to Google Workspace products to what is absolutely necessary. Additionally, DbI schedules regular reviews of the data stored in DbI’s Google Workspace drives and removes files that are no longer needed. This is the responsibility of the Information Officer. DbI prohibits all users from storing personal data in their own drives (personal) instead of shared drives (google workspace). Emails containing personal data are mainly sent and managed by members of DbI’s Management Committee, especially by the secretariat and the treasury. Emails containing personal data are only sent to recipients outside DbI using Gmail’s confidential mode. Standard email delivery is only possible in exceptional cases, for compelling reasons and with documented consent of the persons whose personal data is being sent in this way.
For Board meetings and meetings of Committees, we use Zoom’s AI Companion, ensuringthat we are checking with each participant as part of the invitation process and we are transparent about using Read AI, as it is noted in each agenda.
For all DbI-related digital short messages containing personal data, DbI’s Board and Committees, Networks, and employees of partnering organisations and their employees fulfilling tasks for DbI like the secretariat, the treasury and the DbI review editing use Threema exclusively and obligatorily (for more information: https://threema.com/en). Threema offers maximum security and data protection and complies with the GDPR. All communication is always end-to-end encrypted. No phone number or email address is required. Address book synchronisation is optional and, if desired, Threema can be used without address book access.
Information Management Systems
Our information management systems for the treasury are Rabobank, which is an international, cooperative bank with Dutch origins (Privacy Statement – Rabobank), compliant with the GDPR.
In addition, the treasury and the secretariat also use Teamleader Focus, which is an accounting software (CRM-software; Teamleader | Privacy Statement). Teamleader’s headquarters are in the EU as well. Their software is used to process membership fees and related data. The personal data stored relates to membership, including and not limited to organisation of employment, business address, telephone number and email addresses. DbI does not buy or sell personal contact information for fundraising or similar activities. Additionally, we do not use personal data for automated decision-making or profiling that results in legal consequences or significantly impacts users.
In order to maintain connection as part of our primary mission, the Secretariat uses Mailchimp, a marketing platform (How Mailchimp is GDPR Compliant in the EU | Mailchimp). In addition, Round Cube webmail is linked to the Mailchimp account.
The Secretariat accesses Sensity’s MS Outlook for all memberships received through the DbI website, and all board of directors and committee meetings are set up through this account as well. As a third party, Sensity uses Barracuda email protection and Microsoft Defender (Plan 1), both of which are GDPR compliant.
Website(s)
The Data Protection Officer also ensures that the data protection declaration for the DbI website is up to date and can be accessed via the website. To ensure that declarations are always up to date, DbI is currently working with the 100% GDPR-compliant services of PrivacyBee Switzerland: https://www.privacybee.io/de-ch/
For major maintenance and development work on DbI’s website, we currently collaborate with the organisation of our Information Officer, “Yaseneva Poliana” in Russia. They require access to website data to perform their duties, but do not use this data for any other purpose.
In addition, the backup organisation for the Information Officer, DeafBlind Ontario in Canada, and some members of DbI’s Communications Committee (ComCom) have access to the website’s backend. Yaseneva Poliana and DeafBlind Ontario are both organisational members of DbI and currently hold seats on the Board.
DbI’s website uses web forms (for example for new members). The entry of certain personal data is mandatory (marked in the respective form) for the form to fulfil its purpose. DbI uses this and any other data provided voluntarily only to process the corresponding task.
Online donations are made via DbI’s PayPal Charity account. PayPal offers strong GDPR alignment through Binding Corporate Rules, Data Protection Addendums (DPAs) with EU & UK SCCs, enterprise-grade security governance, and data subject rights mechanisms.
DbI does not use plug-ins from social networks such as Facebook and Instagram on the website to track usage. However, DbI’s website connects to its social media channels on Bluesky, Facebook, Instagram, LinkedIn and YouTube via linked buttons.
Of course, DbI’s website cannot be used if certain information required to ensure data traffic (such as IP address) is not disclosed.
DbI may operate a special website for certain projects, such as conferences, for a limited time. These websites are subject to exactly the same data protection measures as DbI’s website.
DbI is not responsible for ensuring data protection compliance on external websites linked from its own site. Users are encouraged to review the privacy policies of any third-party sites they visit.
Social Media, DbI Review and Media Permission
DbI’s Communication Committee currently operates social media accounts on Bluesky, Facebook, Instagram, LinkedIn, and YouTube.
DbI also publishes a digital magazine, the DbI Review, in various languages. DbI’s Information Officer is responsible for all corresponding data protection requirements.
In general, any photos, film and sound recordings at DbI are only permitted with the prior verbal consent of the persons being recorded. The use of names, photos, films or sound recordings of recognisable persons for advocacy, communication, training or other purposes by DbI is only permitted with prior written consent.
DbI maintains a media permission form for obtaining written consent prior to using identifiable photos, videos, or sound recordings. There is an additional consent form for authors contributing to the DbI Review.
DbI has selected SwissTransfer (https://www.swisstransfer.com/) as the standard GDPR-compliant data transfer tool. Exceptions may be made with documented consent from data owners.
Personal data for research & development
DbI has a policy that provides the framework by which Deafblind International (DbI) actively manages and encourages research projects in the role of knowledge broker. The policy aims to support DbI’s commitment to evidence-informed decision-making that is inclusive of DbI’s mission, vision, values and strategic priorities. This is an organisational policy only and does not of itself give rise to any cause of action.
DbI actively conducts research & development and raises awareness through public relations and marketing. Any processing of personal data for the purpose of research and development requires the consent of the data subject or their legal representative. We clarify with the data subjects in each individual case whether we may process the data concerning them for these additional purposes and obtain their consent in the form of a written declaration of consent.
Data sharing and data transfer
DbI discloses personal data to third parties, in particular to our external service providers, within the scope of our activities and purposes.
Possible recipients include, for example, our insurance companies. External service providers who process data on our behalf are contractually obliged to maintain confidentiality and comply with data protection regulations. In some cases, personal data may be processed abroad (worldwide) in the course of providing services. By agreeing to this data protection declaration, permissions is given to transfer personal data (ordinary, NOT particularly sensitive) to third parties such as external service providers abroad.
Third-party providers are required to uphold the same data protection standards as DbI. If a provider operates in a country where data protection laws differ from those in the Netherlands – such as the United States – we take steps to ensure your personal data remains protected to Dutch standards. This includes using standard contractual clauses and implementing additional technical and organisational safeguards.
Retention of personal data
DbI processes and stores personal data for as long as it is necessary to fulfil its contractual and legal obligations or for the purposes for which it was collected, i.e. for the duration of the entire business relationship (from the initiation and execution to the termination of a contract) and beyond, in accordance with the statutory retention and documentation obligations.
Once personal data is no longer needed for the purposes outlined above, it will be deleted or anonymized in accordance with applicable data protection laws.
To help safeguard personal data, the Information Officer will deactivate accounts that have been inactive for over one (1) year and issue a deactivation notice. If a user does not log in within one (1) year following deactivation, and the data is not subject to legal retention requirements, the account and all associated personal data will be permanently deleted. Users who wish to retain their account and data can log in at any time before the deletion deadline and provide consent to reactivate their account and continue using the services.
Data security
We use appropriate technical and organisational security measures to protect personal data stored in connection with DbI against manipulation, partial or complete loss and against unauthorised access by third parties. We take appropriate measures to protect all data. This includes all members of the Board and official committees being required to protect their mobile phones with a 6-digit code.
However, any transmission of information via the Internet and other electronic means always involves certain security risks, and we cannot guarantee the security of information transmitted in this way.
Rights with regard to your personal data
Users are always welcome to exercise their data protection rights without fear of discrimination. If they believe their data has been mishandled, they may also file a complaint with the relevant data protection authority, where applicable.
For users located in the European Union and believe that their data protection rights have been violated, they have the right to lodge a complaint with a supervisory authority in their country of residence. For Swiss residents, they may contact the Federal Data Protection and Information Commissioner (FDPIC):
Website: https://www.edoeb.admin.ch
Users have the right to:
- Access, correct, and delete their personal data
- Restrict or object to how their data is processed
- Request disclosure of their personal data, provided this does not conflict with legal or contractual obligations
To make any such request, users can contact us at SHOW EMAIL or using our postal address provided below. We are committed to working together to find a straightforward and satisfactory solution.
Deafblind International DbI
Postbus 115
5270AC Sint-Michielsgestel, The Netherlands
Notification of a personal data breach
A personal data breach means “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”.
Personal data breaches include security incidents that are the result of both accidents (such as sending an email to the wrong recipient or losing a USB key containing membership data), as well as deliberate acts (such as phishing attacks to gain access to DbI’s data).
All data breaches that DbI is aware of, are notified to the relevant public Data Protection Authority, except for those unlikely to present any risk to individuals, according to Art. 33 of the General Data Protection Regulation (GDPR) of the European Union (EU).
If the breach takes place in the context of cross-border processing in the European Economic Area, DbI notifies the breach to the lead Data Protection Authority (DPA) or, at a minimum, the local DPA where the breach has taken place.
If this does not apply, DbI notifies the breach to every DPA for which affected individuals reside in their country.
To facilitate this notification, Data Protection Authorities in the European Union have implemented procedures and online forms guiding through the process. They can be accessed using this link: How to notify a data breach to your DPA? | European Data Protection Board
Of course, DbI must be aware of the data breach in order to report it. Individuals and organisations who wish to alert DbI to a breach involving data for which DbI is responsible for protecting, can reach us at SHOW EMAIL
Changes to this privacy policy
DbI reserves the right to amend and supplement this policy at any time. The current version is published on our website in the policy section. If the privacy policy is part of an agreement, users will be informed of any changes by email of any updates. DbI Board and Management Committee, January 2026
DbI Board and Management Committee, January 2026