GDPR Privacy Notice

Please click here for XBP Europe, Inc.’s Privacy Policy

1 Purpose

XBP Europe as a Group of Companies (hereinafter referred to as ‘XBP Europe’ or/and ‘We’) takes the privacy of an individual’s data very seriously and is committed to protecting and respecting individual’s privacy. The Data Controller of your personal data is XBP Europe B.V., Herengracht 576b, 1017 CJ AMSTERDAM – Netherlands – Organization no :72638974 in conjunction with a Joint Controller of XBP Europe Inc., 2701 East Grauwyler Road Irving, TX 75061 United States of America – Organization no: 471347291. In the United Kingdom, Data Controllers appointed its representative – Data Force Interact Ltd, 10 Pond Wood Close, Northampton, NN3 6DF, Organisation no: 503-921-749

2 Scope

This Privacy Notice describes how we collect, use and process your personal data through our website, with whom we might share it and how long we usually keep it. This also makes you aware of your rights under the European Economic Area or the United Kingdom data protection legislations.. This Privacy Notice applies to the personal data of all users of the website.

3 GDPR Privacy Notice Standard

3.1 WHAT INFORMATION DO WE COLLECT?

3.1.1 We collect, store and use some or all of the below listed personal data:

  • for general identification – name, surname, email address, phone number;
  • for professional identification – business e-mail, business telephone number, job title, employment history;
  • technical data – internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website;
  • usage data – includes information about how you use our website or how you interact with us such as your responses to event invitations or downloads of articles or publications;
  • marketing and communications data – includes your preferences in receiving marketing communications from us and your communication preferences.

3.1.2 We won’t collect, store and use any of the ‘special categories’ of personal information. We do not intentionally collect information from children under the age of 16. Any linked websites of XBP Europe (e.g. Talento) will have their own privacy notices, and different rules of collecting and processing personal data.

3.2 HOW DO WE COLLECT THIS DATA?

3.2.1 We collect information directly from you when you visit our website or by filling in online forms or by corresponding with us by post, phone, email, social media or otherwise. It also concerns situations when you decide to sign up for marketing communications to be sent to you.

3.2.2 If you fail to provide certain information when requested, we may not be able to comply with contractual obligations and perform the contract we have entered into with you (such as replying on your request), or we may be prevented from complying with our legal obligations.

3.2.3 When you interact with our website, we may automatically collect Technical Data and/or Usage Data, unless you have opted-out or have otherwise refused to provide consent. Following data may be used:

  • Technical Data: we may collect information about the device you use to access our website, such as your device’s IP address and operating system. Additionally, in the case of mobile devices, your device type, and mobile device’s unique advertising identifier. Some technical information about the browser you are using will also be collected –
  • Usage Data: This is data about your browsing activity on our website e.g. information about the pages you visited and when, what items were clicked on a page, how much time was spent on a page etc.;
  • Location Data: This is non-precise information related to your geography derived from your device’s IP address e.g. computer. This does not reveal your precise geographic coordinates. This helps us to display ads that are relevant to your general location e.g. if we’d like to show ads for people located in the Netherlands only;
  • Ad Data: This is data about the online ads we have served, or attempted to serve to you
    e.g. how many times specific ad has been served to you, what page the ad appeared on etc.

3.2.4 In addition, we may receive personal data from various third parties which shared with us your data like: name, surname, company name, business e-mail, business telephone number and job title. Furthermore, Technical Data from analytics and email subscription providers such as LinkedIn, Pardot, Google Analytics or Facebook can be shared with us too. If we receive such data from our third party providers and We will be considered as Data Controller, each time we will inform you from which source the personal data originates, and provide details in separate privacy notice.

3.2.5 We might aggregate data from different sources (both internally and externally) to have a better understanding of your preference and interests, and be able to provide you more relevant communications.

3.3 HOW DO WE USE PERSONAL INFORMATION?

3.3.1 We may process personal information for the following reasons:

  • send you technical notices, updates, security alerts and support and administrative messages;
  • assessment and screening of potential clients, business partners or other person with a business relationship with us;
  • respond to your comments, questions and requests and provide customer service;
  • communicate with you about products, services, offers, promotions, rewards and events offered by us;
  • monitor and analyze trends, usage and activities in connection with our Services;
  • to improve the services, website, products, online services, mobile applications and communications we provide towards you or others;
  • comply with legal obligation, protect of our interests/assets and defense of legal claims.

3.3.2 We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which we are using that allows us to do so. When required, we will ask your consent before starting among other marketing activities. Please note that even if you opt out from receiving marketing communications, you might still receive administrative, service or other important notices.

WHAT LEGAL BASIS DO WE HAVE FOR PROCESSING YOUR PERSONAL DATA?

3.3.3 As a rule, our legal basis for the processing of personal data are:

  • your consent;
  • performance of a contract;
  • legal obligation; and
  • our legitimate business interest.

3.3.4 This legal basis have been defined in the GDPR. We describe each of these below.

  • Consent
    • Should we want or need to rely on consent to lawfully process your data, we will request your written consent for the specific activity we require consent for and record your response on our system. Where consent is the lawful basis for our processing you have the right to withdraw your consent to this particular processing at any time (as set out below).
    • You have the right to withdraw your consent at any time and we will cease to carry out the particular activity that you previously consented to unless we consider that there is an alternative reason to justify our continued processing of your data for this purpose in which case we will inform you of this condition.
  • Performance of a contract
    • We will rely on performance of a contract to provide you the services and manage relationships.
  • Legal Obligation
    • We will rely on legal obligation, if we are legally required to hold information on you to fulfil our legal obligations – including where you are placed in a role in a regulated environment. This would include the requirement to obtain and hold data regarding criminal convictions.
    • This also concerns if XBP Europe would like to establish or defend its legal claims:
      • Sometimes it may be necessary for us to process personal data and, where appropriate and in accordance with local laws and requirements in connection with exercising or defending legal claims or in case of carrying out other XBP Europe’s obligations;
      • This may arise, for example; where we need to take legal advice in relation to legal proceedings or are required by law to preserve or disclose certain information as part of the legal process.
  • Our Legitimate Business Interests
    • Our legitimate business interest means processing of personal data is necessary to enable XBP Europe to conduct its business, e.g., matters related to the protection of property, employees and matters related to providing security to persons present at premises. We never override fundamental rights and freedoms of our employees which require protection of personal data.
  • Local Legislations and Regulations
    • In certain cases, employment, financial (i.e. anti-money laundering) and other local legislation may require that we collect information that is considered to be ‘delicate’. In these circumstances we will ensure that only the minimum required is collected, and that it is securely stored and that it is deleted when no longer required.
    • Below you can find examples of legal basis per type of processing which we may undertake:
Type of processingLegal basis
Notifying you about changes to our website terms or privacy policyPerformance of a contract / Legal obligation
Respond to your comments, questions and requests and provide customer service;Performance of a contract
Monitor and analyze trends on our websiteLegitimate interest
Communicate with you about products, services, offers, promotions, rewards and events offered by us (marketing activity)Consent
Give an option to accept or reject cookies on our websiteLegal obligation

3.4 WHEN DO WE SHARE PERSONAL DATA?

3.4.1 XBP Europe being an international company processes data in locations both in the EEA or the UK and outside the EEA or the UK. We share your personal information with other entities of XBP Europe as part of our regular reporting activities on company performance, in the context of a business reorganization or restructuring exercise, for system maintenance support and hosting of data. Several support services such as finance are centralized and located outside of the EEA or the UK. We transfer the personal information we collect about you to XBP Europe entities within EEA, UK and in USA and India.

3.4.2 We may share your personal information with

  • different governmental authorities, institutions, agencies (or similar), or insurance companies where required by law for the purpose of their regulatory tasks; and
  • with selected third parties including:
    • Google – Advertising platform. Based in the US;
    • Facebook- Advertising platform. Based in the US;
    • Business partners who act as data processor due to outsourcing of certain processing activities.

3.4.3 Where we do share your data with 3rd parties or other XBP Europe’s entities, the shared data will be limited to that which is required by the 3rd party or other XBP Europe’s entity to provide the required processing. In such cases your personal data are safeguarded by Data Processing Agreements, committing outsourced service providers to process your personal data for specified purposes and in accordance with our instructions, comply with GDPR (or Data Protection Act 2018 for the UK) and apply appropriate security measures to protect your personal information in line with our policies. All transfers outside EEA made to countries which are considered by the European Commission (or by UK government relating to the transfers outside UK) to not provide an adequate level of protection of personal information are safeguarded with agreements based on Standard Contractual Clauses approved by European Commission. Where data is being transferred to USA, we have established appropriate impact assessments to verify whether importers of data located in USA conform European data protection legislation.

3.4.4 As an example we have listed on table below several categories of personal data which We may share with other entities of XBP Europe and selected third parties:

Third PartyCategories of personal data sharedComments
EXELA USAName and last name, e-mail address, phone number, employment history, job title, social media profile IDs/links.Acts as a Joint Controller. Customer relationship data for sales and marketing purposes.
EXELA Indiainternet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website.Acts as a Data Processor – Website updating and technical deployments.
Google & FacebookE-mail address, phone number, job title, company, geo-location (country /zip) and internet protocol (IP) addressAs part of our marketing activitiy we may share data with those third parties (who will act as separate Data Controllers) to provide you our advertisement materials.

3.4.5 More details about sharing data can be obtained from contact point specified in section 4.12.

3.5 HOW DO WE SECURE PERSONAL DATA?

3.5.1 Once We have received your information, we will use strict procedures and security features to prevent unauthorized access. All information you provide to us is stored securely on our servers. We have in place the following measure to ensure that confidentiality, integrity and availability of the personal data we hold on you.

  • Facilities are in place to ensure that data is backed up in the case of accidental or deliberate loss, and that the system can be recovered with minimal interruption in case of a loss of service;
  • Access to the data is tightly controlled and only authorized users are permitted access. We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality;
  • All staff are given training in the requirements of the GDPR and data security;
  • Access to the data is tightly controlled and only authorized users are permitted access. We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality;
  • We have in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

3.5.2 We are avoiding personal data collection and usage in paper format. If required, the paper documents and copies will be always stored in locked-up premises with very restricted access to the limited members of staff in line with our internal policy.

3.6 HOW LONG DO WE KEEP YOUR PERSONAL DATA FOR?

3.6.1 We understand our legal duty to retain accurate data, that’s why we will only retain your personal data as long as we have consent from you.

3.6.2 Regardless of the above, every 2 years we will send you a communication where we will ask you to re-authorize your consent for marketing communications, if you signed up.

3.6.3 If you consent to receiving our Newsletter, you revoke consent at any time by clicking the ‘unsubscribe’ button on our Newsletter communication or by contacting us at any time. All paper records will be deleted by secure shredding of the paper files electronic copies will be deleted by secure erasure in accordance with applicable laws and regulations.

3.6.4 Details about retention schedule can be obtained from contact point specified in section 3.10.

3.7 YOUR RIGHTS IN RELATION TO PERSONAL DATA

3.7.1 Under the GDPR you have the right to:

  • Request access to your personal information which involves confirming with us whether we are processing your personal data and if we are, to request access to that personal data including the categories of personal data processed, the purpose of the processing and the recipients or categories of recipients. We do have to take into account the interests of others though, so this is not an absolute right;
  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected or deleted;
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below);
  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes. To stop receiving marketing communications from us or change your preferences please contact us on our local email address / contact details;
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it;
  • Request the transfer of your personal information to another party in certain formats, if practicable.
  • Withdraw consent to processing at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent. To withdraw consent please contact; Local contact details with details of what information is to be provided.

3.7.2 If you wish to exercise any of the rights set out above, please contact with details of what information is to be provided.

  • You will not have to pay a fee to access your personal data (or to exercise any of the other rights), however, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances;
  • We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response;
  • We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated;
  • In certain circumstances we may need to limit the scope of the data subject’s rights e.g. where a request is made to delete data that has to be retained for legal or regulatory reasons, or where fulfilling the request may expose the personal data of another data subject.

3.8 USE OF AUTOMATED DECISION-MAKING AND PROFILING

3.8.1 We don’t undertake automated decision making, however we use profiling through our CRM systems. We do use our computer systems to search and identify personal data in accordance with parameters set by a person. A person will always be involved in the decision making process.

3.9 CHANGES TO OUR PRIVACY NOTICE

3.9.1 If any changes we would make to our Privacy Notice in the future, we will inform you by placing the appropriate information on our website.

3.10 HOW TO CONTACT US?

3.10.1 Questions, comments and requests regarding this Privacy Notice are welcomed and should be addressed to:

  • XBP EuropeEEA address:  Uraniumweg 15, 3812 RJ Amersfoort The NetherlandsUK address: Data Force Interact Ltd, 10 Pond Wood Close, Northampton, NN3 6DF

You have the right to make a complaint at any time to the Local Supervisory Authority We would however, appreciate the chance to deal with your concerns before you approach the Local Supervisory Authority so we encourage you to contact us in the first instance:

  • XBP Europe’s Lead Supervisory Authority in the EEA:Autoriteit Persoonsgegevens, Bezuidenhoutseweg 30, 2594 AV DEN HAAG, +31 (0) 70-8888 500
  • XBP Europe’s Lead Supervisory Authority in the UK:Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire

3.11 HOW DO WE USE COOKIES?

3.11.1 A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server. Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.3.11.2 Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies. We use both session and persistent cookies on our website. The cookies we use and their purpose can be found HERE.

Need Help?