Privacy statement
From 25 May 2018, the General Data Protection Regulation (GDPR), or in English the General Data Protection Regulation (GDPR), will come into force. From then on, the same privacy legislation will apply to all countries that are part of the European Union (EU). Centagon B.V. undertakes to comply with this regulation and expresses this through this privacy statement.
This statement provides an explanation of how Centagon B.V., located at Provincialeweg 66, 5503 HH Veldhoven, Netherlands (referred to as 'we', 'us', or 'Centagon') processes personal data of its website visitors (referred to as 'you' and 'your data') and outlines your rights regarding your personal data through the website.
This document contains the following information:
1. Employee awareness
2. Rights of data subjects
3. Processing activities
4. Data Protection Impact Assessment (DPIA)
5. Privacy by design and Privacy by default
6. Data Protection Officer
7. Data breach notification
8. Data processing agreement
9. Lead supervisory authority
10. Consent
11. General
12. Contact
Introduction
The DDMA (Data Driven Marketing Association, Amsterdam 2010) is the leading industry association for marketing and data. When a member of DDMA complies with the European privacy legislation (GDPR, May 25, 2018) and adheres to the established codes of conduct, they are eligible to display the Privacy Waarborg certification mark. This certification ensures that members handle personal data with care.
Based on the audit procedure conducted by the DDMA Privacy Authority, reports (DDMA Privacy & Security check) have confirmed that Centagon B.V. has been authorized to display the Privacy Waarborg certification mark since May 2018.
This certification provides an important guarantee to all clients of Centagon B.V. that the processing of personal data is conducted in accordance with the applicable laws and within the strict codes of conduct of the DDMA.
For questions or additional information regarding the Privacy Waarborg certification and/or the General Data Protection Regulation (GDPR), please contact Walter van Houten via [email protected].
1. Employee awareness
Centagon B.V. informs all employees who directly or indirectly have access to personal data as referred to in the General Data Protection Regulation (AVG) and enters into a formal agreement with each individual employee in which they declare to be aware of the guidelines as stated in the AVG and as formulated in this Privacy Policy and to act in accordance with these guidelines in all occurring situations.
2. Rights of data subjects
Onder een ‘betrokkene’ wordt de persoon verstaan van wie persoonsgegevens worden opgeslagen en/of verwerkt.A 'data subject' means the person whose personal data are stored and/or processed.
2.1 Right to data portability (Article 20 AVG)
Data subjects have the right to portability of digital personal data. Upon first request, collected personal data will be provided in a structured, commonly used and machine-readable format.
2.2 Right to oblivion (Article 17 AVG)
Under the following conditions, data subjects have the right to request the erasure of their collected personal data:
No longer necessary: Centagon B.V. no longer needs the personal data for the purposes for which it was collected or processed.
Withdrawal of consent: The data subject previously gave (explicit) consent to Centagon B.V. for the use of their data but has now withdrawn that consent.
Objection: The data subject objects to the processing. According to Article 21 of the GDPR, there is an absolute right to object to direct marketing. There is also a relative right to object when the data subject's rights outweigh Centagon B.V.'s interests in processing the personal data.
Unlawful processing: Centagon B.V. unlawfully processes the personal data, for example, because there is no legal basis for the processing.
Legally determined retention period: Centagon B.V. is legally obligated to erase the data after a certain period.
Children: The data subject is younger than 16 years old, and the personal data was collected through an app or website.
The right to be forgotten is not applicable when:
2.3 Right of inspection (Article 15 AVG)
When requesting access to personal data, Centagon B.V. will inform data subjects about:
2.4 Right to rectification and supplementation (Article 16 AVG)
Centagon B.V. bears responsibility for ensuring that personal data processed are correct. Data subjects have the right to rectify or supplement personal data.
2.5 Right to restriction of processing (Article 18 AVG)
The right to restrict processing applies in situations that meet one of the following criteria:
2.6 Recht op een menselijke blik2.6 Right to a human eye
In appropriate situations, Centagon B.V. may make a decision based on automatically processed data, such as profiling. If such decision-making has consequences for a data subject, the right exists for the data subject to demand a new decision based on a human, not automated, assessment
2.7 Right of objection
If Centagon B.V. processes personal data on the basis of a general or legitimate interest, the data subject has the right to object to the processing of their data.
3. Processing
We have appropriate technical and organisational measures in place to protect your personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access and against all other forms of unlawful processing.
3.1 Duty to inform
Centagon B.V. aims, and is legally obliged by virtue of the AVG, to clearly inform new and existing data subjects for what purpose personal data are collected and processed.
3.2 Accountability
Centagon B.V. aims, and is legally obliged by virtue of the AVG, to be able to demonstrate that the processing of personal data complies with key principles of processing:
In addition, Centagon B.V. bears responsibility for taking the appropriate technical and organisational measures to protect personal data and to make these transparent at the time of a request by the Personal Data Authority. Centagon B.V. is not obliged to, and will not, maintain a register of processing activities based on the assessments that Centagon B.V. employs fewer than 250 employees, the processing of personal data is not incidental, no personal data are processed that pose a high risk to the rights and freedoms of data subjects whose data are collected and processed, and no personal data are collected and processed that are categorised under 'special personal data' such as religion, health, political affiliation and/or criminal data.
4. Effectbeoordeling gegevensbescherming (DPIA)
Centagon B.V. is not obliged to, and will not, conduct a Data Protection Impact Assessment (DPIA) with the substantiation of the assessment that no data with a high privacy risk are collected or processed. High privacy risk data in this context includes the systematic and comprehensive evaluation of personal aspects (w.o.w. profiling), the large-scale processing of special personal data or the large-scale and systematic tracking of people in a publicly accessible area (such as camera surveillance).
5. Privacy by design en Privacy by default
Centagon B.V. is committed to having a strong focus on protecting personal data when designing services and products. An important part of this is minimising the amount of personal data collected to a nature and extent that serves the intended purpose and is reasonably and fairly related to it. Another criterion counted on Privacy by Design is determining the period of time in which personal data is stored and communicating it to data subject. Centagon expresses the concept of Privacy by Default by applying the basic principle in every development of an application or the design of an online campaign that only those personal data are collected and processed that are relevant for a specific purpose.
6. Data protection officer (FG)
Centagon B.V. is not a public organisation or government agency and does not have a core business involving large-scale tracking of individuals. As a result, Centagon B.V. does not meet the criteria set by the AVG regarding the obligation to appoint a Data Protection Officer (FG).
7. Duty to report data breaches
Centagon B.V. undertakes to comply with the data breach notification obligation as it applies to companies and public authorities as of 1 January 2016. When Centagon B.V. discovers, or is made aware of, a serious data breach, a notification will immediately be made to the Dutch Data Authority via the data breach notification desk and to the client. Centagon B.V. processes data leaks and/or vulnerabilities in accordance with the guideline described in the document 'Guideline to arrive at a practice of Responsible Disclosure' of the N.C.S.C (National Cyber Security Centre) / Ministry of Security and Justice:
7.1 Objective of Responsible Disclosure
The purpose of responsible disclosure is to contribute to the security of ICT systems and manage the vulnerability of ICT systems by reporting vulnerabilities responsibly and handling these reports carefully, so that damage can be prevented or mitigated as much as possible. Central to working with responsible disclosure is remedying vulnerabilities and increasing the security of information systems. The key issue in responsible disclosure is that parties mutually comply with agreements on reporting the vulnerability and dealing with it. For example, a party that adopts a responsible disclosure policy may commit to the principle of not reporting if the ground rules applicable under the policy are met. The practice of responsible disclosure primarily involves the reporter and the organisation, which owns/manages the system. It is important to have as few links as possible between the person reporting the vulnerability and the organisation responsible for fixing the problem. However, the reporter and the organisation may jointly decide to inform the National Cyber Security Centre (NCSC) or other parties within the ICT security community about the vulnerability, especially in the case of a not yet known vulnerability, in order to prevent or mitigate (consequential) damage elsewhere as well.
7.2 Responsibilities
With the implementation of a responsible disclosure policy, the aim is to jointly contribute to reducing vulnerabilities in information systems by the reporter and the organization. The respective responsibilities are borne by Centagon B.V. and the reporter.
The promotion of responsible disclosure begins with Centagon B.V., the owner of the information systems. As the primary party responsible for the security of these systems, Centagon B.V. establishes its own policy for responsible disclosure to clarify how it intends to handle vulnerability reports:
The key to implementing a successful practice of responsible disclosure lies with the reporter. The reporter has identified a vulnerability and wishes to contribute to the security of information systems by disclosing the vulnerability to Centagon B.V. Reporters acknowledge their important societal responsibility and fulfill it by disclosing vulnerabilities responsibly. To achieve a successful practice of responsible disclosure, the following elements apply to the reporter:
Internally, the policy states that internal processors of personal data may only process such data through the secure network and the secure applications provided for data processing. It is strictly prohibited for them to store personal data in any other manner (e.g., on personal computers, laptops, storage devices such as USB sticks, CD-ROM/DVDs, or external hard drives), transmit it (e.g., via email, SharePoint, WeTransfer), create duplicate files, or process it in any way that could jeopardize the security of the personal data.
Centagon has documented a protocol and communicated it internally, which outlines how employees should act in the event of loss or theft of equipment and/or data.
9. Leading supervisor
Centagon B.V. processes cross-border data in appropriate situations, subjecting itself to the supervision of a lead supervisor ('lead supervisory authority') of the (EU) country where the principal place of business of a commissioning organisation is located, or the central administration is conducted, and acting in accordance with the guidelines for European privacy supervisory authorities ('Guidelines for identifying a controller or processor's lead supervisory authority' / April 2017).
10. Leading supervisor
Centagon B.V. acts in line with the regulations as stated in the AVG by only collecting and processing personal data for which there is a legal basis. The processing of 'special' and 'criminal' personal data is therefore excluded in principle, unless there is a legal exception. Centagon B.V. only processes personal data in accordance with the bases as formulated in the AVG, namely:
11. General
Centagon B.V. has described and implements an information security policy. In case of demonstrated relevance, insight into this can be provided upon request.
In addition, Centagon B.V. has described an incident management response process which is being implemented. In the event of proven relevance, insight into this can also be provided upon request.
12. Contact regarding our privacy policy
If you have any questions or complaints, we kindly ask you to contact us, this can be done by clicking here.