Mozard Suite is a Dutch case management, CRM and content platform developed by Mozard B.V. for the public sector. It is used by municipalities, provinces, water boards and other public bodies in the Netherlands and Belgium to handle citizen requests, permits, complaints and self service portals. Mozard sets strictly necessary session and authentication cookies for citizens connecting to the front end, and optional analytics cookies that require prior consent under the GDPR and the Dutch UAVG.
Mozard Suite is a SaaS case management, CRM and content platform built by Mozard B.V. in Naarden, the Netherlands. It is mainly used by Dutch municipalities, provinces, water boards and other public bodies to handle citizen requests, permits, complaints, subsidies and licences, as well as the corresponding self service citizen portals. The platform integrates with DigiD, eHerkenning, the Dutch base registries (BRP, BAG, NHR), the BSN, and document management systems based on NEN 2082.
On the citizen portal Mozard sets a session cookie, a CSRF token cookie and an authentication cookie once the visitor signs in (typically via DigiD or eHerkenning). These cookies are first party and strictly necessary. On the case management side the platform processes the full case file: identity, contact details, the citizen number BSN when authorised, request content, attached documents, decisions, financial flows and audit trail. Optional modules can add web analytics (often Matomo), chat and customer satisfaction surveys, which set non strictly necessary cookies.
Session, CSRF and authentication cookies fall under the Article 5(3) ePrivacy strictly necessary exemption and do not require consent. The processing of case data is based on the legal task of the public body (Articles 6(1)(c) and 6(1)(e) GDPR) and is regulated by Dutch sector laws (Awb, Algemene wet bestuursrecht). The Archive Act (Archiefwet) and the Open Government Act (WOO) impose specific retention, accessibility and disclosure requirements that must be reflected in the Mozard configuration.
Strictly necessary cookies and core case processing rely on public task, legal obligation and contract performance (Articles 6(1)(c), 6(1)(e) and 6(1)(b) GDPR). Analytics, chat and satisfaction cookies rely on consent under Article 6(1)(a) GDPR and on the Dutch Telecommunicatiewet implementation of the ePrivacy Directive. A data processing agreement between the public body (controller) and Mozard B.V. (processor) under Article 28 GDPR is required, alongside the Dutch sector specific agreements.
Mozard B.V. hosts Mozard Suite on Dutch data centres compliant with BIO (Baseline Informatiebeveiliging Overheid) and NEN 7510. Sub processors are typically EU established (Dutch hosting providers, EU email gateways). Transfers outside the EEA are normally not part of the standard offering. Public sector customers should verify the sub processor list before signing the DPA and rely on Standard Contractual Clauses or the EU US Data Privacy Framework for any module that might involve a US sub processor.
Run a DPIA covering the entire case management lifecycle, sign the Mozard data processing agreement, integrate the Mozard Suite cookies in your CMP (always on for strictly necessary, consent gated for analytics), configure retention to match Archive Act schedules and document role based access. Verify the alignment with BIO controls (logging, encryption, segregation of duties) and run regular access reviews for back office users handling sensitive case files.
Websites using Mozard Suite must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally required for Mozard Suite deployments in the public sector because the platform processes case files that often include identifying information, financial details, social benefits, complaints and sometimes sensitive data (health, social services). Dutch public bodies are required by the Autoriteit Persoonsgegevens to perform DPIAs for systematic processing of personal data in case management systems, and the DPIA must be updated when new modules or data sources are added.
Sample consent text
This citizen portal runs on Mozard Suite, a case management platform by Mozard B.V. in the Netherlands. Strictly necessary cookies are used to keep your session, authenticate your DigiD or eHerkenning login and submit your request; these do not require your consent. With your permission we also activate an analytics cookie that helps us measure how the portal is used and improve it.
Third-party domains contacted
mozard.nl
mozardsaas.nl
app.mozard.nl
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| MZSESSION | first_party | Session | Server side session identifier set by Mozard Suite to bind the citizen browser to a server side session that holds the form draft and navigation state. Strictly necessary. |
| XSRF-TOKEN | first_party | Session | Cross site request forgery protection token. Required to safely submit forms and to authorise actions in the citizen portal. |
| mz_auth | first_party | Session | Authentication context set after a successful login via DigiD, eHerkenning or a local account. Required to access personalised case data. |
| _pk_id.* | first_party | 13 months | Optional Matomo analytics identifier deployed by some public bodies on the citizen portal to measure usage. Requires consent. |
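The cookie table above can be turned into an automated check that flags consent-gated cookies appearing before the visitor has opted in. This is an added example, not code from Mozard or from the original page; the category labels, the shape of the `consent` object and the `chat_sid` cookie name in the sample are assumptions made for illustration.

```javascript
// Cookie inventory taken from the table above. The "category" labels are
// this example's own naming, not Mozard's.
const INVENTORY = [
  { pattern: "MZSESSION",  category: "necessary" },
  { pattern: "XSRF-TOKEN", category: "necessary" },
  { pattern: "mz_auth",    category: "necessary" },
  { pattern: "_pk_id.*",   category: "analytics" }, // Matomo, needs consent
];

// Turn an inventory pattern into an anchored regex; only a trailing
// "*" wildcard is supported, everything else is matched literally.
function toRegex(pattern) {
  const escaped = pattern.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\\\*$/, ".*") + "$");
}

// Parse a Cookie request header (or document.cookie) into cookie names.
function cookieNames(header) {
  return header
    .split(";")
    .map((pair) => pair.trim().split("=")[0])
    .filter((name) => name.length > 0);
}

// Report cookies that must not be present given the visitor's consent
// choices, plus cookies that are missing from the inventory.
function auditCookies(header, consent) {
  const findings = [];
  for (const name of cookieNames(header)) {
    const entry = INVENTORY.find((e) => toRegex(e.pattern).test(name));
    if (!entry) {
      findings.push({ name, issue: "not-in-inventory" });
    } else if (entry.category !== "necessary" && !consent[entry.category]) {
      findings.push({ name, issue: "set-without-consent" });
    }
  }
  return findings;
}

// Constructed sample: a visitor who has not opted in to analytics.
// "chat_sid" is a made-up name standing in for an undocumented cookie.
const SAMPLE =
  "MZSESSION=abc123; XSRF-TOKEN=tok456; _pk_id.1.a1b2=xyz; chat_sid=9";
```

Run `auditCookies(SAMPLE, { analytics: false })` against cookies captured on a first visit; any `set-without-consent` finding means the CMP is not blocking the optional module, and `not-in-inventory` findings point to cookies the cookie policy does not yet list.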
On the citizen portal Mozard sets a session cookie, a CSRF token cookie and an authentication cookie after sign in (DigiD, eHerkenning or local accounts). All three are first party and strictly necessary for the portal to function. Optional modules may add an analytics cookie (typically Matomo), a chat cookie and a customer satisfaction cookie, which are non strictly necessary and require consent.
Consent is not required for the strictly necessary cookies (session, CSRF, authentication). Consent is required for the optional analytics, chat and survey cookies, which must remain blocked in the CMP until the visitor opts in. The DigiD or eHerkenning authentication flow itself is regulated by separate Dutch government requirements and does not depend on cookie consent in the ePrivacy sense.
Public task and legal obligation (Articles 6(1)(c) and 6(1)(e) GDPR) cover the core processing of case files by the public body. Contract performance (Article 6(1)(b) GDPR) can support citizen self service accounts. Consent (Article 6(1)(a) GDPR) covers optional analytics and engagement cookies. The Dutch UAVG and sector specific laws (Awb, Archiefwet, WOO) define additional obligations and bases for the public body.
In the standard configuration, no. Mozard B.V. hosts the platform on Dutch data centres and uses EU established sub processors. The DPA published by Mozard lists the sub processors, all of which are typically located in the EU. Transfers outside the EEA can occur only if the customer activates optional modules with non EU sub processors, in which case Standard Contractual Clauses or the EU US Data Privacy Framework apply.
Yes, in practice. Dutch public bodies must perform DPIAs for systematic processing of personal data in case management systems, especially when the data includes citizen identifiers (BSN), social or financial information, or sensitive data. The DPIA should cover the citizen portal, the back office case workflow, the integration with base registries and the optional modules.
Sign the Mozard data processing agreement, document the public task and legal obligation as the legal basis, run a DPIA, integrate the Mozard cookies in your CMP (strictly necessary always on, analytics consent gated), configure retention according to the Archiefwet and the WOO, and enforce role based access control with regular reviews. Align the deployment with BIO controls and document the alignment in your security policy.
For Dutch public sector case management, alternatives include Decos JOIN, Centric Key2Klantcontact, Atos Engage Smart Government, Cobra Suite, Civision Geo, e Suite by Atos and the open source GEMMA based Open Zaak. From a GDPR perspective they are broadly comparable because they target the same regulatory environment; the choice usually depends on functional fit, ecosystem integration and pricing.
List the strictly necessary cookies (session, CSRF, authentication) with their names and durations and explain the ePrivacy exemption. List the optional analytics, chat and survey cookies with purpose, duration and recipient, and link to your CMP. Mention Mozard B.V. as processor in the privacy notice, reference the DPA and confirm that personal data stays in the Netherlands by default.