Ctac Group – External Privacy Statement

1. Introduction

We are the Ctac Group. If we mention Ctac in the privacy statement, we refer to the Ctac Group. The Ctac Group includes the following companies.

We offer IT services to other companies. We process your personal data if you are a customer, work for one of our customers or if you contact or interact with us. In such cases, we process your personal data as a data controller and this privacy statement applies. This privacy statement describes how we process your personal data and what your rights are.

If we process personal data on behalf of our customers when providing our services, we are a data processor. Our processing activities as data processor are not covered by this privacy statement. If you want to know more about these processing activities, you can consult the privacy statement of the customer in question.

If you have any queries regarding this statement or the way in which we process your personal data, please contact our privacy officer via [email protected]. We have also appointed a data protection officer, whom you can contact via [email protected].

We may make changes to this statement from time to time. Any material changes and updates to this statement that affect the personal data we process about you will be communicated to you if we have your contact details and we will inform you via our company websites as described above.

2. Changes to your personal data

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes or if you become aware that any personal data that we hold is not accurate.

3. what personal data we collect – general information

• Personal data is all information related to a person who can be identified (directly or indirectly). For example, a name, telephone number, postal and electronic addresses, date of birth, payment information and bank details. Data that cannot be traced back to a person is not considered personal data. This is considered anonymous data.
• The situations in which we process your personal data are listed below. We have also included the legal basis we use and how long we will keep your personal data for a specific purpose. We have made a distinction between your role as a data subject:
  • In chapter 4, we explain which data we process if you are a customer, supplier or prospect, or an employee or representative of one of our customers, suppliers or prospects.
  • In chapter 5, we explain which data we process if you visit our website, if you interact with us or if you are an investor.
  • In chapter 6, we explain which data we process if you apply for a job at Ctac.
  • In chapter 7, we explain which data we process for other purposes despite your role as data subject (e.g. for security purposes, in case of conflicts or for audit purposes).

4. What personal data we collect – our customers, suppliers, prospects and their employees and/or representatives

If you are our customer, supplier, prospect or their employee or representative, we may process your personal data. In the table below, we specify in which cases which personal data we process for the various processing activities we conduct.

5. What personal data we collect – visitors to our websites and interacting with us

If you visit our websites, interact with us or if you contact us via the website or by other means, we process your personal data. In the table below, we specify which personal data we process for the various processing activities.

6. What personal data we collect – job applicants

If you apply for a job at Ctac, we will process your personal data. In the table below, we specify which personal data we process for the various processing activities.

7. What personal data we collect – other

Below we describe for which processing purposes we may process your personal data, despite your role as data subject. For example, visitor registration may apply to employees of our customer but also to our job applicants or other types of visitors. The personal data mentioned below is generally available to us because this personal data has been shared by you for the purposes described above. If you refuse to share your personal data with us for these purposes, we cannot conclude a contract with you or your employer and we may not be able to communicate with you or comply with our obligations towards you.

8. What if you refuse to provide us with personal data?

• If the table above states that we need to process your personal data to comply with the law or to perform an agreement with you or the company you work for, we may not be able to provide you with our services if you refuse to provide us with the required personal data.

9. Third Parties

• If we share your personal data with other data controllers, this is mentioned in the table above for the relevant processing purpose (e.g. that we share our financial administration with our accountant). We may also engage processors, which process your personal data on our instruction and behalf. We agree with such parties that they may not process your personal data for their own purposes. Such parties are software and hosting providers, such as Microsoft.

• Our websites, tools and software may link or redirect to other websites, software or other content which is not under our control. Such links or redirections are not endorsements of such websites or representations of our affiliation with them. Such third-party websites are outside the scope of this statement. If you access such third-party websites, please ensure that you are satisfied with their respective privacy statements before you provide them with any personal data. We cannot be held responsible for the activities, privacy statements or levels of privacy compliance of any website operated by any third party.

10. Use of artificial intelligence

• We may use generative artificial intelligence (AI) to process your personal data for the purposes mentioned above (e.g. Microsoft Copilot). Before doing so, we will first conduct a risk assessment and take mitigating measures. We will only use AI in case the assessment shows that there are no high risks for your personal data. The provider of the AI will be subject to strict security and privacy requirements. We will agree with the provider of the AI that they may only process your personal data on our instruction. Your personal data will not be used to train the AI and we will ensure your personal data remains in the EEA. We implement short retention periods to ensure that your data is not stored unnecessarily in the AI. Our staff will also be adequately trained on the use of AI, the risks involved with the use of AI and will receive clear instructions on using personal data in AI.

11. Security of your personal data

• For as long as we process your data, we follow generally accepted industry standards. We maintain safeguards to attempt to ensure the security, integrity, and privacy of the information we process.
• It is important that you keep secure and confidential any login credentials that you have for the services provided by Ctac. You are responsible for maintaining the security and confidentiality of such login credentials. You should notify us promptly if you become aware that the security or confidentiality of your login credentials is compromised.

12. Cookies

• Our websites and portals use cookies as detailed in the cookie statement.

13. Your rights as a data subject

• In accordance with the GDPR, you have certain rights to protect your privacy. Below you will find more details and information on how and when to exercise your rights:

• The right to access your personal data. This gives you the right to receive a copy of the personal data we process about you in capacity of data controller. This allows you to check whether the data is correct and whether we process it lawfully.
• The right to request that your personal data be corrected or updated. You can have any incomplete or incorrect personal data that we hold amended or completed.
• The right to request the deletion of your personal data. You can request deletion of your personal data, but only if:
  • your personal data are no longer needed for the purposes for which they were collected;
  • you withdraw your consent if the processing of your personal data is based on consent and no other legal basis exists;
  • you object to the processing of your personal data and we do not have a compelling legitimate ground for processing;
  • your personal data are processed unlawfully; or
  • your personal data must be removed to comply with a legal obligation.

If we grant your request, we will, to the extent reasonably possible, inform the parties with whom we share your personal data.

• The right to object to the processing of your personal data. If we process your personal data on the basis of a legitimate ground for processing, you may object to us processing your personal data for such legitimate ground. We will comply with your request, unless our legitimate interest outweighs your interests or if we need to continue processing your personal data to establish, exercise or defend a legal claim or to comply with our legal obligations.
• The right to restrict the processing of your personal data. You can request us to restrict the processing of your personal data, in the event that:
  • the accuracy of your personal data is disputed by you, during the period in which we need to verify the accuracy of the personal data;
  • the processing is unlawful and you oppose the deletion of your personal data and request its restriction;
  • we no longer need your personal data for the purposes of processing, but your personal data are necessary for you in the context of a legal claim; or
  • you have objected to the processing, during the period in which we have to verify compelling legitimate grounds.
• The right to data portability. You can request us to receive your personal data and/or to send it to a third party, as far as this is feasible. You only have this right if it concerns personal data that you have provided to us and the processing is based on consent or based on the necessity for the performance of our contract with you.
  • We do not make decisions based solely on automated processing.
  • For further information, or to exercise any particular right, please contact us at [email protected].

14. Questions and complaints

• We take our data protection obligations seriously. If you have any questions or complaints about this statement or the way that we handle your personal data, please contact us first. We would appreciate the chance to deal with your concerns before you approach the relevant data protection authority. Please contact us via [email protected].
• You have the right to make a complaint at any time to any relevant supervisory authority for data protection issues. In the Netherlands this is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) (https://www.autoriteitpersoonsgegevens.nl).