Privacy Statement

Updated: October 2023

  1. Your privacy & CCV
  2. Your rights
  3. How we handle your data
  4. In the event of a personal data breach
  5. Terms and definitions
  6. Our cookie policy
  7. Security of personal data
  8. Amendment of the privacy policy
  9. Questions and contact


Your privacy & CCV

At CCV we think your privacy is very important, because you entrust CCV with your payment and personal data. We therefore would like to take this opportunity to explain how we protect your personal data.

CCV has been in the business of handling payment data – yours and those of millions of other people in Europe – for decades. The privacy of people whose personal data we process is key for our business. We process these data because they are necessary to provide our services and products and to meet our legal obligations. CCV also processes personal data of its own employees. We consider it important to be transparent about our processing of personal data and to meet the requirements laid down in the EU General Data Protection Regulation (‘GDPR’) and other privacy legislation. For this reason we have published this Privacy Statement that describes how CCV processes personal data and how CCV ensures the protection of privacy when processing personal data.


For its work CCV has to comply with the following legislation:

  • General Data Protection Regulation[1] (GDPR), this is European privacy legislation;
  • Algemene Verordening Gegevensbescherming (AVG) and the Uitvoeringswet Algemene Verordening Gegevensbescherming (UAVG), local privacy laws in the Netherlands;
  • International laws such as the Convention for the Protection of Human Rights and Fundamental Freedoms (Article 8);
  • Charter of Fundamental Rights of the European Union, C364/01, 18 December 2000 (Article 8);
  • Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data (ETS No. 108), Council of Europe Convention;
  • Guidelines of the Article 29 Working Party of the European Data Protection Board;
  • Dutch Financial Supervision Act (Wet op het financieel toezicht, WFT);
  • Dutch Prevention of Money Laundering and Terrorist Financing Act (Wet ter voorkoming van Witwassen en Financieren van Terrorisme, WWFT, SWG-FT);
  • Dutch Telecommunications Act (Telecommunicatiewet, TW).

CCV’s operational processes are set up to ensure full compliance with the stringent requirements of each of the above-mentioned laws. In addition to this, we have taken technical and organizational measures to protect the processing and transfer of data and data traffic and to ensure the safety of your privacy and your customers’ privacy.

Basic privacy principles

In a nutshell, our compliance with these laws means that we observe the following basic principles:

  • We will use (process) your personal data to perform our work, and only if we have a legitimate reason for this, for example to carry out an agreement with you.
  • We will have access to the data that we need in order to perform our work.
  • We will share data if this is required by the supervisory authorities or by the police or justice officials because we have an obligation to share the requested information with them (legitimate interest).
  • In all other circumstances we will only process your personal data with your explicit permission.
  • We will inform you of your rights (this is the purpose of this document).
  • We will not take any action with regard to your personal data unless, and not before, you give us permission to take certain action, or when you ask us to take any action, such as to correct your personal data or to remove it if we still have it on file under our retention policy.
  • We will make sure your personal data are and remain correct.
  • We will not retain your personal data for a longer period than necessary.
  • We will protect your personal data against unauthorized access, loss or destruction.
  • We can demonstrate our compliance with these principles.

We handle all personal data extremely carefully and confidentially and we make sure that personal data are protected by effective security measures. The processing operations that CCV performs are registered in a record of processing activities. A check is made to verify whether CCV is allowed to process the personal data, and also to make sure that CCV is not processing more personal data than necessary or mandatory. At CCV, we also ensure that only authorized persons are able to access personal data and that the personal data are not being used for impermissible purposes. If we engage any another company to perform certain processing activities, we make sure that the other company applies the same basic principles as we do at CCV to assure the careful handling of personal data and the same level of protection.

CCV is required by law to adhere to statutory data retention periods for numerous processing operations. For all other processing operations, we do not save personal data longer than strictly necessary to fulfil the purposes for which the data was collected.

What personal data do we collect?

This can include, for example: first name, last name, date of birth, company name, country, email address, physical address, phone number, gender, ID copy, contact history, account numbers, IP address, cookie settings, cookies and data about your website visits. An up-to-date overview of the personal data collected for each purpose is included in the register of processing activities. These data are collected through various forms on our website. For more information on cookies, please see our cookie statement.

CCV does not collect data that fall under the sensitive categories of personal data (e.g. data revealing health, racial or ethnic origin, political opinions, religious or philosophical beliefs).

How do we collect personal data?

  • Personal data provided by the data subject him/herself;
  • Public sources like the Chamber of Commerce and Company records and Google;
  • Personal data received by transaction monitoring;
  • Personal data received by third parties.

CCV is data controller and data processor

From a legal perspective, we fulfil a dual role when it comes to privacy. We record and manage personal data of our clients, your customers and our employees. Officially, we are a data controller in that capacity and, as such, accountable for the careful handling of data.

In addition, we process payment data on behalf of our clients, including ING, Equens, ACI and Bancontact. In that sense, we are a data processor. Our clients are data controllers and accountable for data handling. They expect us to meet specific requirements concerning the handling of your data. These requirements are laid down in a partnership agreement. We carry out such agreements with utmost care. In both roles, we are committed to protecting your privacy with due care.

Your rights

We handle your data as carefully and as safely as possible. Should you want to verify this, it is good to know that you – as the owner of your personal data – have a number of rights:

Right to information

You have the right to be informed about our work processes that involve the handling and processing of your personal and payment data.

More about how CCV handles data >>

Right to inspection

You have the right to access the personal data that we have about you. If you want to exercise this right, we must first verify your identity before we can start retrieving your data. All the data that we have about you will be sent to you. We will also inform you of the details of our processing method, including the purpose, retention period, the parties that we share data with, and how the data has been collected. We aim to provide you with an overview of these data within one month. We will inform you if we expect this will take longer than one month.

Submit a request for access to your data >>

Right to correction, restriction and deletion

You have the right to correct or supplement the personal data that we have about you. You also have the right to delete part of your data in order to restrict how much data we can use in the future. And you have what is known as the ‘right to be forgotten’, which means that all the data about you that we have on file will be deleted. However, we are required by law to retain certain data, so we cannot delete these data.

Submit a request to change or delete data >>

Right to data transfer

You have the right to request the digital transfer to a different organization of data that CCV has on record about you. If you want to exercise this right, we will make your data available to you in a structured and generally accepted file format. We are only allowed to do this with personal data that you provided to us in person, or if you gave express permission to process such data, or with data we obtained as a result of the fulfilment of our agreement. We aim to complete preparing the file for data transfer within one month. We will inform you if we expect this will take longer than one month.

Submit a request for data transfer >>

Right to object

If you think that we are wrongfully processing personal data about you, we encourage you to make this known to us. If your objection is justified, we will stop processing your personal data. You can also submit an official complaint if you think your data are not being handled with due care. When we receive a complaint, we will carefully review our processes and we will make improvements if we identify any shortcomings. We will try to deal with your complaint within five business days. We will inform you if we expect this will take longer. If we are unable to reach an agreement, you have the option of submitting your complaint to the Dutch Data Protection Authority.

Submit a complaint to CCV >>

Submit a complaint to the Dutch Data Protection Authority >> 

How we handle your data

We use a range of technological and organizational measures to protect your private data as effectively as possible. With certifications from national and international quality and safety standards organizations, we demonstrate how serious we are about protecting your privacy. These certifications include compliance with the Payment Card Industry Data Security Standard (PCI DSS). We use the following methods to protect your privacy in our work processes.

Triple data protection

  1. First and foremost, responsibility for the careful handling of data rests with our colleagues whose day-to-day work involves the processing of personal data. They know how data are processed and have access to the content of applications. They also assess the proper functioning of all processes on a daily basis.
  2. Internal policies, compliance with rules and legislation, and risk management is the responsibility of CCV’s GRC department and CCV’s Data Protection Officer. CCV’s privacy officers conduct risk analyses in the various departments and assess whether the processes comply with applicable laws and regulations.
  3. Lastly, our independent internal audit department and the Data Protection Officer will check if the aforementioned colleagues work together effectively, and whether we actually fulfil all our legal and business obligations.

Safeguarding work processes

A new working method can sometimes involve risks to your personal data. That is why we subject any new work processes to a Data Protection Impact Assessment (DPIA). We also conduct a risk analysis and a technical assessment, so we can be sure that the authorization process, security aspects and record keeping are compliant.

Record-keeping of processing activities

Records are kept of all data processing operations that we carry out so that we can always trace what happens with your personal data. Our Data Protection Officer will make sure these records are and remain complete and up-to-date.

Purpose of data usage

Personal data about employees will only be used to carry out our duties as an employer. Personal data about clients (such as name and contact details) will only be used to provide our services, such as but not limited to:

  • Conclude or amend agreements and allow execution of (service) contracts;
  • Allow compliance with legal obligations, such as CCV’s KYC policy for new and existing clients, or Customer/Supplier Due Diligence;
  • Fulfil reporting obligations to the authorities;
  • Process and analyse payment transactions;
  • Resolve disputes and disputed payment transactions;
  • Prevent and address fraud, money laundering and other unlawful activities;
  • Analyse data in order to improve our services and to enhance our products and services;
  • Research (for research purposes CCV uses pseudonymized (not traceable to an individual person) personal data);
  • Record telephone conversations in order to avoid misunderstandings and mistakes in contacts with clients or to record oral agreements or promises we make to you on the phone, and to ensure our staff handle issues correctly in telephone conversations;
  • Initiate, coordinate and outsource work processes;
  • Carrying out specific marketing activities.

Retention period

Personal data will not be retained for longer than is necessary for the intended purpose, and will not be retained beyond the statutory retention period. We ensure compliance with this retention period by keeping the retention period details and the corresponding personal data in the same location.

Anti-fraud measures

We work together with banks, credit card companies and other parties that combat fraud. To facilitate these efforts, it is sometimes necessary to share data with these parties. This always happens in compliance with the legal requirements and only with the express permission of our Data Protection Officer.

Internal training and awareness

Our employees are aware of the importance of privacy. They have been trained in protecting your privacy and keeping information secure. We make sure this awareness and expertise stays up-to-date, for example by offering an e-learning program and through regular internal information sharing. Our Data Protection Officer and the corporate information security officer monitor these activities.

Our promise

CCV will only disclose your personal data to other organizations if we are legally required to do so. For example, CCV is bound by obligations embodied in such legislation as the Anti Money Laundering and Terrorist Financing Prevention Act, the Sanctions Act and the Financial Supervision Act. As part of a fraud investigation, CCV might process data relating to criminal offences. We make agreements with organizations that receive your data from us about such matters as the security and confidentiality of your data. We keep a record of processing activities in which we register the purpose of the processing, the reasons for the processing, the retention period, the technical and organizational measures implemented, the type of personal data and the portability of personal data to third parties.

In the event of a personal data breach

No matter how effectively we perform our work, the risk of a personal data breach always exists. This can be the result of human error or have an external cause. A personal data breach is defined as a situation in which personal data is lost, unintentionally ends up in the wrong hands or is otherwise exposed.

In the event of a personal data breach, immediate action is required. We will first examine which personal data have been affected. If the breach could potentially affect your rights as the owner of the data and your integrity, the personal data breach will be reported to the Dutch Data Protection Authority within 72 hours after the discovery of the breach. If there is a risk that your personal integrity may be affected, you will be informed right away.

In addition, the breach will be thoroughly investigated. We will get to the bottom of what happened and determine which data has been exposed to risk, who or what might be the cause, and how we can prevent similar personal data breaches in the future. This approach enables us to tighten our security. Furthermore, we will carefully record all our findings about the personal data breach to ensure we can learn from them in the future.

Reporting a personal data breach

Do you think a personal data breach may have occurred? Please inform us as quickly as possible and state the reasons or the signals that your suspicion is based on.

Report a suspected personal data breach >>





Terms and definitions


Personal data

All information pertaining to an individual, for instance a name or email address. It also includes data that indirectly relate to someone’s identity, i.e. personal details such as an IP address, a card number or transaction data. Combined with other data, these details can be traced to an individual.

General Data Protection Regulation (GDPR)

European legislation that regulates the careful processing and free movement of personal data. This Regulation was adopted and became applicable in all EU member states on 27 April 2016, subject to a two-year transition period to enable organizations to make their administrative and operational processes compliant with the new law, which became enforceable on 25 May 2018.

General Data Protection Regulation Implementing Act

The implementation of European legislation in domestic law, such as the Dutch Uitvoeringswet Algemene Verordening Gegevensbescherming (UAVG), ensures the GDPR is applied correctly. This Implementing Act supplements the GDPR and also carries forward elements from previous legislation, such as the Dutch Personal Data Protection Act (Wet Bescherming Persoonsgegevens, WBP) or the Belgian Privacy Law of 1992.

Data Protection Authority

National supervisory authority tasked with supervision and regulation on privacy. If you think that CCV is wrongfully processing your personal data or is not processing it correctly, and you are unable to reach an agreement with us, you can submit a complaint to the Data Protection Authority (NL: AP, BE: GBA, DE: BDSG).

Financial Supervision Act

The Financial Supervision Act (Wet op het Financieel Toezicht, WFT) is a Dutch law that ensures financial markets operate effectively and safeguards the stability of the financial system. It also protects consumers and businesses against bankruptcy or objectionable actions by financial institutions.

Money Laundering and Terrorist Financing Prevention Act

The Dutch law implementing the European anti-money laundering and terrorist financing regulations aimed at preventing companies from becoming involved, either knowingly or inadvertently, in money laundering or the financing of terrorist activities.

Authority for the Financial Markets

The Dutch regulator on the behaviour of financial institutions in the financial markets.

Telecommunications Act

The Dutch law safeguarding the security of online networks (among other matters) and the regulation of consumer and privacy protection (Telecommunicatiewet, TW).

Data Protection Impact Assessment (DPIA)

A new working method can sometimes involve risks to your personal data. That is the reason why any new working methods of CCV are subject to a Data Protection Impact Assessment (DPIA). The GDPR sets out the requirements applicable to DPIAs.

Data controller

A person or organization that – individually or in collaboration with third parties – registers or manages personal data. The data controller is also responsible for how its data processing activities are structured and function. CCV is the data controller of the personal data of our clients.


A person or organization that processes personal data on behalf of and on the instruction of the data controller. We are the data controller of payment data on behalf of a number of clients. A data processor and a data controller always conclude a contract setting out the terms and conditions that must be met to guarantee the security of personal data.


A person that enters into a relationship with CCV, e.g. a visitor to our website, a person using our services or products, a supplier or a business partner.

Your privacy & CCV - Our cookie policy

Updated: October 2023

This website uses cookies. We use cookies to personalise content and ads, provide social media features and analyse our website traffic. We also share information about your use of our site with our partners for social media, advertising and analytics. These partners may combine these data with other information you have provided to them or that they have collected based on your use of their services.

Cookies are small text files that can be used by websites to make user experiences more efficient. By law, we are allowed to store cookies on your device if they are strictly necessary for the use of the site. For all other types of cookies, we need your consent.

This website uses different types of cookies. Some cookies are placed by third-party services that are displayed on our pages. You can change or withdraw your consent at any time via the cookie statement on our website. Our privacy policy tells you more about who we are, how to contact us, and how we process personal data.

If you have any questions about your consent, please state the ID and the date of consent.

Your current status: Allow all (Necessary, Preferences, Statistics, Marketing)

Your consent ID: Date of consent:

Change your consent | Withdraw your consent


Security of personal data

CCV takes appropriate technical and organizational measures to protect the personal data of data subjects against misuse, unauthorised access and loss. Please contact CCV if you have any questions or comments about the security method, or if you have any indications of misuse of personal data.

Amendment of the privacy policy

Our privacy statement may be amended if changes are made to our privacy policy. Any changes will be announced on the CCV website.

Questions and contact

If you need assistance, our Service & Support team will be happy to help.

Contact us on +31 (0)88 228 9849 or send us an email with your question:


This privacy statement has been drawn up by the following controller:

CCV Group B.V.

Westervoortsedijk 55

6827 AT Arnhem

PO Box 9226

6800 KH Arnhem

Chamber of Commerce number: 09045274

Telephone: +31 (0)88 228 9849


CCV Group B.V.'s Data Protection Officer:

We have a Data Protection Officer (DPO). If you have any questions and/or complaints regarding your privacy, please contact our DPO. Our Data Protection Officer works for Lumen Group. The DPO can be reached by phone at +31 (0)30 889 6575 or by email at In addition, the DPO can also be reached via the secure website.

Lumen Group B.V.
Reactorweg 47

  • [1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation (GDPR));