HELLO
We are looking for an Allround Digital Marketeer.
Read the vacancy ≫

Privacy statement

From 25 May 2018, the General Data Protection Regulation (GDPR), or in English the General Data Protection Regulation (GDPR), will come into force. From then on, the same privacy legislation will apply to all countries that are part of the European Union (EU). Centagon B.V. undertakes to comply with this regulation and expresses this through this privacy statement.

This statement provides an explanation of how Centagon B.V., located at Provincialeweg 66, 5503 HH Veldhoven, Netherlands (referred to as 'we', 'us', or 'Centagon') processes personal data of its website visitors (referred to as 'you' and 'your data') and outlines your rights regarding your personal data through the website.


This document contains the following information:

1. Employee awareness
2. Rights of data subjects
3. Processing activities
4. Data Protection Impact Assessment (DPIA)
5. Privacy by design and Privacy by default
6. Data Protection Officer
7. Data breach notification
8. Data processing agreement
9. Lead supervisory authority
10. Consent
11. General
12. Contact

Introduction

The DDMA (Data Driven Marketing Association, Amsterdam 2010) is the leading industry association for marketing and data. When a member of DDMA complies with the European privacy legislation (GDPR, May 25, 2018) and adheres to the established codes of conduct, they are eligible to display the Privacy Waarborg certification mark. This certification ensures that members handle personal data with care.

Based on the audit procedure conducted by the DDMA Privacy Authority, reports (DDMA Privacy & Security check) have confirmed that Centagon B.V. has been authorized to display the Privacy Waarborg certification mark since May 2018.

This certification provides an important guarantee to all clients of Centagon B.V. that the processing of personal data is conducted in accordance with the applicable laws and within the strict codes of conduct of the DDMA.

For questions or additional information regarding the Privacy Waarborg certification and/or the General Data Protection Regulation (GDPR), please contact Walter van Houten via [email protected].

1. Employee awareness

Centagon B.V. informs all employees who directly or indirectly have access to personal data as referred to in the General Data Protection Regulation (AVG) and enters into a formal agreement with each individual employee in which they declare to be aware of the guidelines as stated in the AVG and as formulated in this Privacy Policy and to act in accordance with these guidelines in all occurring situations.

2. Rights of data subjects

Onder een ‘betrokkene’ wordt de persoon verstaan van wie persoonsgegevens worden opgeslagen en/of verwerkt.A 'data subject' means the person whose personal data are stored and/or processed.

2.1 Right to data portability (Article 20 AVG)

Data subjects have the right to portability of digital personal data. Upon first request, collected personal data will be provided in a structured, commonly used and machine-readable format.

2.2 Right to oblivion (Article 17 AVG)

Under the following conditions, data subjects have the right to request the erasure of their collected personal data:

  1. No longer necessary: Centagon B.V. no longer needs the personal data for the purposes for which it was collected or processed.

  2. Withdrawal of consent: The data subject previously gave (explicit) consent to Centagon B.V. for the use of their data but has now withdrawn that consent.

  3. Objection: The data subject objects to the processing. According to Article 21 of the GDPR, there is an absolute right to object to direct marketing. There is also a relative right to object when the data subject's rights outweigh Centagon B.V.'s interests in processing the personal data.

  4. Unlawful processing: Centagon B.V. unlawfully processes the personal data, for example, because there is no legal basis for the processing.

  5. Legally determined retention period: Centagon B.V. is legally obligated to erase the data after a certain period.

  6. Children: The data subject is younger than 16 years old, and the personal data was collected through an app or website.

The right to be forgotten is not applicable when:

  • Processing is necessary to exercise the right to freedom of expression and information, acknowledging that privacy and freedom of expression are equal fundamental rights.
  • Centagon B.V. processes the data because there is a legal obligation to do so.
  • Centagon B.V. processes the data to perform a task carried out in the public interest or in the exercise of official authority.
  • Centagon B.V. processes the data for public health purposes in the public interest.
  • Centagon B.V. needs to archive the data for historical, statistical, or scientific research purposes in the public interest.
  • The data is necessary for the establishment, exercise, or defense of legal claims.

2.3 Right of inspection (Article 15 AVG)

When requesting access to personal data, Centagon B.V. will inform data subjects about:

  • the reason why Centagon B.V. collects and processes certain personal data
  • What kinds of personal data Centagon B.V. collects
  • To which organizations Centagon B.V. transfers the personal data, also to organizations in other countries or to international organizations (if applicable)
  • the period for which Centagon B.V. retains the personal data and the criteria used by Centagon B.V. to determine a retention period
  • the privacy rights that data subject has; the right to erase personal data, the right to request less personal data to be processed and the right to object if Centagon B.V. processes personal data
  • the right the data subject has to file a complaint with the Personal Data Authority
  • from which organisation Centagon B.V. received personal data when it was not collected by Centagon B.V. (if applicable)
  • on the basis of which logic Centagon B.V. makes an automated decision about a data subject.

2.4 Right to rectification and supplementation (Article 16 AVG)

Centagon B.V. bears responsibility for ensuring that personal data processed are correct. Data subjects have the right to rectify or supplement personal data.

  • On first request, Centagon B.V. will rectify and/or supplement personal data if the data subject can plausibly demonstrate that these data are incorrect and/or incomplete.
  • Centagon B.V. will pass on adjustments and/or supplements to other organizations to which personal data in question have been provided (if applicable)
  • Centagon B.V. will inform the data subject to which other organisations rectifications and/or additions to personal data have been provided (if applicable).

2.5 Right to restriction of processing (Article 18 AVG)

The right to restrict processing applies in situations that meet one of the following criteria:

  • Data may be inaccurate
    When data subjects indicate that Centagon B.V. processes incorrect personal data, such data will not be processed until Centagon B.V. has carried out a verification of its accuracy.
  • Processing is unlawful
    Centagon is not entitled to process certain data but data subject does not want this data to be deleted
  • Data is no longer needed
    Centagon B.V. no longer needs the personal data for the purpose for which they were collected. But the data subject still needs the personal data for a legal claim (e.g. legal proceedings in which he is involved)
  • Affected party objects
    If a data subject objects to the processing of their personal data, Centagon B.V. will cease processing such data unless Centagon B.V. cites compelling legitimate grounds for the processing which outweigh the interests, rights and freedoms of the data subject. As long as it is not yet clear whether the alleged grounds for processing outweigh the interests, rights and freedoms of the data subject, Centagon B.V. will not process the data
  • Affected party appeals
    If a data subject invokes the right to restrict processing and personal data concerned have been transferred to other organisations, Centagon B.V. will inform these organisations about the appeal and request an equal restriction of processing (if applicable)
  • Centagon B.V. informs
    Centagon B.V. will inform data subject to which other organisations a request for restricted processing of personal data has been provided (if applicable).

2.6 Recht op een menselijke blik2.6 Right to a human eye

In appropriate situations, Centagon B.V. may make a decision based on automatically processed data, such as profiling. If such decision-making has consequences for a data subject, the right exists for the data subject to demand a new decision based on a human, not automated, assessment

2.7 Right of objection

If Centagon B.V. processes personal data on the basis of a general or legitimate interest, the data subject has the right to object to the processing of their data.

  • If a data subject objects to the processing of their data, Centagon B.V. will cease further processing unless compelling legitimate grounds for the processing can be invoked which outweigh the interests, rights and freedoms of the data subject, or grounds relating to a legal claim. Until it is clear whether these grounds are compellingly justified, the data will not be processed
  • If personal data are used for direct marketing, the data subject has the right to object to this. This applies equally in case of profiling for these marketing purposes. If data subjects object to the processing of personal data for direct marketing purposes, Centagon B.V. will immediately cease such processing.
  • Centagon B.V. will inform data subjects about the right to object at the first moment of contact. This information will be offered clearly and separately from other information.

3. Processing

We have appropriate technical and organisational measures in place to protect your personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access and against all other forms of unlawful processing.

3.1 Duty to inform

Centagon B.V. aims, and is legally obliged by virtue of the AVG, to clearly inform new and existing data subjects for what purpose personal data are collected and processed.

  • Centagon B.V. publishes this Privacy Policy via its own website (www.centagon.com) and thus offers a complete and up-to-date insight into the rights of data subjects in respect of the collection and processing of personal data. In addition, pop-ups may be shown with a consent question.

3.2 Accountability

Centagon B.V. aims, and is legally obliged by virtue of the AVG, to be able to demonstrate that the processing of personal data complies with key principles of processing:

  • lawfulness
  • transparency
  • Purpose limitation
  • accuracy

In addition, Centagon B.V. bears responsibility for taking the appropriate technical and organisational measures to protect personal data and to make these transparent at the time of a request by the Personal Data Authority. Centagon B.V. is not obliged to, and will not, maintain a register of processing activities based on the assessments that Centagon B.V. employs fewer than 250 employees, the processing of personal data is not incidental, no personal data are processed that pose a high risk to the rights and freedoms of data subjects whose data are collected and processed, and no personal data are collected and processed that are categorised under 'special personal data' such as religion, health, political affiliation and/or criminal data.

4. Effectbeoordeling gegevensbescherming (DPIA)

Centagon B.V. is not obliged to, and will not, conduct a Data Protection Impact Assessment (DPIA) with the substantiation of the assessment that no data with a high privacy risk are collected or processed. High privacy risk data in this context includes the systematic and comprehensive evaluation of personal aspects (w.o.w. profiling), the large-scale processing of special personal data or the large-scale and systematic tracking of people in a publicly accessible area (such as camera surveillance).

5. Privacy by design en Privacy by default

Centagon B.V. is committed to having a strong focus on protecting personal data when designing services and products. An important part of this is minimising the amount of personal data collected to a nature and extent that serves the intended purpose and is reasonably and fairly related to it. Another criterion counted on Privacy by Design is determining the period of time in which personal data is stored and communicating it to data subject. Centagon expresses the concept of Privacy by Default by applying the basic principle in every development of an application or the design of an online campaign that only those personal data are collected and processed that are relevant for a specific purpose.

6. Data protection officer (FG)

Centagon B.V. is not a public organisation or government agency and does not have a core business involving large-scale tracking of individuals. As a result, Centagon B.V. does not meet the criteria set by the AVG regarding the obligation to appoint a Data Protection Officer (FG).

7. Duty to report data breaches

Centagon B.V. undertakes to comply with the data breach notification obligation as it applies to companies and public authorities as of 1 January 2016. When Centagon B.V. discovers, or is made aware of, a serious data breach, a notification will immediately be made to the Dutch Data Authority via the data breach notification desk and to the client. Centagon B.V. processes data leaks and/or vulnerabilities in accordance with the guideline described in the document 'Guideline to arrive at a practice of Responsible Disclosure' of the N.C.S.C (National Cyber Security Centre) / Ministry of Security and Justice:

7.1 Objective of Responsible Disclosure

The purpose of responsible disclosure is to contribute to the security of ICT systems and manage the vulnerability of ICT systems by reporting vulnerabilities responsibly and handling these reports carefully, so that damage can be prevented or mitigated as much as possible. Central to working with responsible disclosure is remedying vulnerabilities and increasing the security of information systems. The key issue in responsible disclosure is that parties mutually comply with agreements on reporting the vulnerability and dealing with it. For example, a party that adopts a responsible disclosure policy may commit to the principle of not reporting if the ground rules applicable under the policy are met. The practice of responsible disclosure primarily involves the reporter and the organisation, which owns/manages the system. It is important to have as few links as possible between the person reporting the vulnerability and the organisation responsible for fixing the problem. However, the reporter and the organisation may jointly decide to inform the National Cyber Security Centre (NCSC) or other parties within the ICT security community about the vulnerability, especially in the case of a not yet known vulnerability, in order to prevent or mitigate (consequential) damage elsewhere as well.

7.2 Responsibilities

With the implementation of a responsible disclosure policy, the aim is to jointly contribute to reducing vulnerabilities in information systems by the reporter and the organization. The respective responsibilities are borne by Centagon B.V. and the reporter.

The promotion of responsible disclosure begins with Centagon B.V., the owner of the information systems. As the primary party responsible for the security of these systems, Centagon B.V. establishes its own policy for responsible disclosure to clarify how it intends to handle vulnerability reports:

  • Centagon B.V. ensures that the reporting process is easily accessible for reporters, such as by providing a standardized method, such as an online form, for submitting reports. The organization may choose to accept anonymous reports.
  • Centagon B.V. has sufficient capacity to respond adequately to reports.
  • Centagon B.V. receives and promptly forwards vulnerability reports to the Security Officer.
  • Centagon B.V. sends an acknowledgement of receipt to the reporter (unless the report is anonymous and no contact information is available). Subsequently, Centagon B.V. and the reporter establish contact to discuss the further process.
  • Centagon B.V., in consultation with the reporter, determines whether and, if so, when disclosure will take place. A reasonable standard timeframe for addressing software vulnerabilities is 60 days.
  • If a vulnerability is difficult or costly to address, Centagon B.V. and the reporter may agree not to disclose it publicly.
  • Centagon B.V. keeps the reporter and other relevant parties informed about the progress of the process.
  • Centagon B.V., in consultation with the reporter, may decide to inform the broader ICT community about the vulnerability if it is likely to be present elsewhere.

The key to implementing a successful practice of responsible disclosure lies with the reporter. The reporter has identified a vulnerability and wishes to contribute to the security of information systems by disclosing the vulnerability to Centagon B.V. Reporters acknowledge their important societal responsibility and fulfill it by disclosing vulnerabilities responsibly. To achieve a successful practice of responsible disclosure, the following elements apply to the reporter:

  • The reporter is responsible for their own actions and ensures that the report is primarily submitted to the (system/information) owner.
  • The reporter submits the report as soon as possible to prevent malicious actors from discovering and exploiting the vulnerability.
  • The reporter submits the report confidentially to the organization to prevent unauthorized access to the information.
  • The reporter refrains from engaging in disproportionate actions, such as using social engineering to gain unauthorized access to the system, placing their own backdoor in an information system, exploiting the vulnerability beyond what is necessary to establish its existence, copying, modifying, or deleting data from the system, making changes to the system, repeatedly accessing the system or sharing access with others, or engaging in brute force attacks to gain system access.
  • If the reporter and organization agree to disclose the vulnerability publicly, the reporter should do so only after all involved organizations have been properly informed and have confirmed that the vulnerability has been resolved in accordance with the agreed-upon terms.

Internally, the policy states that internal processors of personal data may only process such data through the secure network and the secure applications provided for data processing. It is strictly prohibited for them to store personal data in any other manner (e.g., on personal computers, laptops, storage devices such as USB sticks, CD-ROM/DVDs, or external hard drives), transmit it (e.g., via email, SharePoint, WeTransfer), create duplicate files, or process it in any way that could jeopardize the security of the personal data.

Centagon has documented a protocol and communicated it internally, which outlines how employees should act in the event of loss or theft of equipment and/or data.

8. Processor agreement

Centagon B.V. processes collected data itself and exclusively. In no situation is this data processing outsourced to a processor. For this reason, there is no reason to draw up, maintain and ratify a processor agreement as referred to in Article 28(3) of the AVG).

9. Leading supervisor

Centagon B.V. processes cross-border data in appropriate situations, subjecting itself to the supervision of a lead supervisor ('lead supervisory authority') of the (EU) country where the principal place of business of a commissioning organisation is located, or the central administration is conducted, and acting in accordance with the guidelines for European privacy supervisory authorities ('Guidelines for identifying a controller or processor's lead supervisory authority' / April 2017).

10. Leading supervisor

Centagon B.V. acts in line with the regulations as stated in the AVG by only collecting and processing personal data for which there is a legal basis. The processing of 'special' and 'criminal' personal data is therefore excluded in principle, unless there is a legal exception. Centagon B.V. only processes personal data in accordance with the bases as formulated in the AVG, namely:

  • consent has been given by the person concerned;
    • consent has been freely given by the person concerned,
    • consent has been given unambiguously,
    • data subject has been informed of the identity of the data processing organisation and the purpose for which consent is sought,
    • there is clarity on what personal data is collected and used,
    • data subject has been informed of the right to withdraw consent.
  • Data processing is necessary for the performance of an agreement
  • Data processing is necessary for the fulfilment of a legal obligation
  • The data processing is necessary for the protection of vital interests
  • The data processing is necessary for the performance of a task of public interest or the exercise of public authority
  • Data processing is necessary for the protection of legitimate interests.

11. General

Centagon B.V. has described and implements an information security policy. In case of demonstrated relevance, insight into this can be provided upon request.

In addition, Centagon B.V. has described an incident management response process which is being implemented. In the event of proven relevance, insight into this can also be provided upon request.

12. Contact regarding our privacy policy

If you have any questions or complaints, we kindly ask you to contact us, this can be done by clicking here.

Do you have a question or a challenge? Contact us:

Walter van Houten

Account consultant
(Founder)

Leon Hendrix

Senior digital marketing
strategist (Founder)

Ralph Kuijper

Account consultant

René de Korte

Digital marketing strategist

Get in touch directly with someone?
Send us a message with WhatsApp:


Scan the QR or
use this link for

WhatsApp Web
This is not correct
This is not correct
This is not correct
This is not correct
Please fill in

Thank you, we will contact you in 2 days.