Privacy statement
Updated: April 14, 2021
Version 2.1
- Your privacy & CCV
- Your rights
- How we handle your data
- In the event of a data breach
- Terms and definitions
- Our cookie policy
- Security of personal data
- Amendment of privacy policy
- Questions and contact
Your privacy and CCV
At CCV we think your privacy is very important, because you entrust CCV with your payment and personal data. We therefore would like to take this opportunity to explain how we protect your personal data.
CCV has been in the business of handling payment data – yours and those of millions of other people in Europe – for decades. The privacy of people whose personal data we process, is key for our business. We process these data because they are necessary to provide our services and products and to meet our legal obligations. CCV also processes personal data of its own employees. We consider it important to be transparent about our processing of personal data and to meet the requirements laid down in the EU General Data Protection Regulation (‘GDPR’) and other privacy legislation. For this reason we have published this privacy statement that describes how CCV processes personal data and how CCV ensures the protection of privacy when processing personal data.
For its work CCV has to comply with the following legislation:
- EU General Data Protection Regulation (“GDPR”, Algemene Verordening Gegevensbescherming, AVG)
- Act on Financial Supervision (Wet op het financieel toezicht, WFT)
- Act on the prevention of Money Laundering and Terrorist Financing (Wet ter voorkoming van Witwassen en Financieren van Terrorisme, WWFT)
- Telecommunications Act (Telecommunicatiewet, TW)
- General Data Protection Regulation Implementing Act (Uitvoeringswet Algemene Verordening Gegevensbescherming, UAVG)
CCV’s operational processes are set up to ensure full compliance with the stringent requirements of each of the above-mentioned laws. In addition to this, we took technical and organisational measures to protect the transfer of data and data traffic and to ensure the safety of your and your customers’ privacy.
Basic privacy principles
In a nutshell, our compliance with these laws means that we observe the following basic principles:
- We will only use (process) your personal data to perform our work and to execute an agreement with you.
- We will only collect and process data that we need in order to perform our work.
- We will only transfer data when required for example by the supervising authorities or by the police or justice officials and because we have the obligation to share the requested information with them (legitimate interest).
- In all other circumstances we will only process your personal data with your explicit permission.
- We will inform you of your rights (this is the purpose of this document).
- We will not take any action with regard to your personal data unless and until you give permission to take any action or when you ask us to take any action such as to correct your personal data or to remove them, if we still retain them under our retention policy.
- We will ensure that your personal data are and remain correct.
- We will not retain your personal data for a longer period than necessary.
- We will protect your personal data against access by unauthorized parties, loss or destruction.
- We can demonstrate our compliance with these principles.
We treat all personal data extremely carefully and confidentially and we make sure that personal data are protected by effective security measures. The processing operations that CCV perform are registered in a record of processing activities. A check is made to verify whether CCV is allowed to process the personal data, and also to make sure that CCV is not processing more personal data than necessary or mandatory. At CCV, we also ensure that only authorised persons are able to access personal data and that the personal data are not being used for impermissible purposes. If we engage any another company to perform certain processing activities, we make sure that the other company applies the same basic principles as we do at CCV to assure the careful treatment of personal data and the same level of protection.
CCV is required by law to adhere to statutory data retention periods for numerous processing operations. For all other processing operations, we do not save personal data longer than strictly necessary to fulfil the purposes for which the data were collected.
What personal data do we collect?
First name, last name, company name, country, email address, phone number, gender, copy ID, contact history, IP address, cookie-settings, cookies and data about your website visits. This data is collected via several forms on our website. For more information regarding cookies, please visit our cookie statement.
CCV does not collect data that falls under the special categories of personal data (e.g. data revealing health, racial or ethnic origin, political opinions, religious or philosophical beliefs).
How do we collect personal data?
- Personal data provided by data subject himself;
- Public sources like, KvK Google;
- Personal data received by transaction monitoring;
CCV is data controller and data processor
From a legal perspective, we fulfil a dual role when it comes to privacy. We record and manage personal data of our clients, your customers and our employees. Officially, we are a data controller in that capacity and, as such, accountable for the careful handling of data.
In addition, we process payment data on behalf of our clients, including ING, Equens, ACI and Bancontact. In that sense, we are a data processor. Our clients are data controllers and accountable for data handling. They expect us to meet specific requirements concerning handling of your data. These requirements are laid down in a partnership agreement. We carry out such agreements with utmost care. In both roles, we are committed to protecting your privacy with due care.
Your rights
We handle your data as carefully and as safely as possible. Should you want to verify this, it is good to know that you – as the owner of your personal data – have a number of rights:
Right to information
You have the right to be informed about our work processes that involve the handling and processing of your personal and payment data. More about how CCV handles data >>
Right to inspection
You have the right to access the personal data about you that we have on record. If you want to exercise this right, we must first verify your identity before we can start retrieving your data. You will be sent all the data about you that we have. We will also inform you of the details of our processing method, including the purpose, retention period, the parties that we share data with, and how data have been obtained. We aim to provide you with an overview of these data within one month. We will inform you if we expect that it will take more time than one month.
Submit a request for access to your data >>
Right to correction, restriction and deletion
You have the right to correct or supplement the personal data about you that we have on record. You also have the right to delete part of your data in order to restrict how much data we can use in the future. And you have what is known as the ‘right to be forgotten’, which means that all the data about you we have on record will be deleted. However, we are required by law to retain certain data, so these we cannot delete.
Submit a request to change or delete data >>
Right to data transfer
You have the right to request the digital transfer to a different organization of data that CCV has on record about you. If you want to exercise this right, we will provide your data to you in a structured and generally accepted file format. We are only allowed to do this with personal data that you provided to us in person, or if you gave express permission to process such data, or with data we obtained as result of the fulfilment of our agreement. We aim to complete preparing the file for data transfer within one month. We will inform you if we expect that it will take more time than one month.
Submit a request for data transfer >>
Right of objection
If you think that we are wrongfully processing personal data about you, we encourage you to make this known to us. If your objection is justified, we will stop processing your personal data. You can also file an official complaint if you think your data are not being handled with due care. When we receive a complaint, we will carefully review our processes and work to eliminate any shortcomings we identify. We aim to address your complaint within five business days. We will inform you if we expect it will take more time. If we are unable to reach agreement, you have the option of submitting your complaint to the Dutch Data Protection Authority.
Submit a complaint to CCV >>
Submit a complaint to the Dutch Data Protection Authority >>
How we handle your data
We use a range of technological and organizational measures to protect your privacy as effectively as possible. With certifications from national and international quality and safety standards organizations, we demonstrate how serious we are about protecting your privacy. These certifications include compliance with the Payment Card Industry Data Security Standard (PCI DSS). We use the following methods to protect your privacy in our work processes.
Triple data protection
- First and foremost, responsibility for the careful handling of data rests with our colleagues whose day-to-day work involves the processing of personal data. They know how data are processed and have access to the content of applications. They also assess the proper functioning of all processes on a daily basis.
- They are backed up by support and advice from the risk management department (“GRC”), from CCV’s data protection officer, who draft policies and the privacy officers in the various departments, who conduct risk analyses, and assess whether the processes comply with applicable laws and regulations.
- Lastly, our independent internal audit department and the data protection officer will check if the aforementioned colleagues work together effectively, and whether we actually fulfil all our legal and business obligations.
Safeguarding work processes
A new work process can sometimes involve risks to your personal data. That is why we subject any new work processes to a Data Protection Impact Assessment (DPIA). We also conduct a risk analysis and a technical assessment, so we can be sure that the authorization process, security aspects and record keeping are compliant.
Record-keeping of processing activities
Detailed records are kept of all data processing operations that we carry out, to make sure that we can always trace what happens with your personal data. Our data protection officer will make sure that this record keeping is and remains complete and up-to-date.
Purpose of data usage
Personal data about employees will only be used to carry out our duties as an employer. Personal data about clients (such as name and contact details) will only be used to provide our services, such as but not limited to:
- Conclude or amend agreements,
- Perform KYC (know-your-customer) processes when we on-board our clients to our services,
- Process and analyse payment transactions,
- Resolve disputes and disputed payment transactions,
- Prevent and address fraud, money laundering and other unlawful activities,
- Analyse data in order to improve our services and to enhance our products and services,
- Research (For research purposes CCV uses pseudonymised (not traceable to an individual person) personal data),
- Record telephone conversations in order to avoid misunderstandings and mistakes in contacts with clients or to record oral agreements or promises we make to you on the phone and to ensure that our staff handled issues correctly in telephone conversations,
- Initiate, coordinate and outsource work processes,
- Perform specific marketing activities.
Retention period
Personal data will not be retained for longer than is necessary for the intended purpose, and will not be retained beyond the statutory retention period. We ensure compliance with this retention period by keeping the retention period details and the corresponding personal data in the same location.
Anti-fraud measures
We work together with banks, credit card companies and other parties that combat fraud. To facilitate these efforts, it is sometimes necessary to share data with these parties. This always happens in compliance with legal requirements and only with the express permission of our data protection officer.
Staying up-to-date
Our employees are aware of the importance of privacy. They have been trained in protecting your privacy and keeping information secure. We make sure that this awareness and expertise stay up-to-date, for instance by offering an e-learning programme and through regular internal information sharing. Our data protection officer and the corporate information security officer monitor these activities.
Our promise
CCV will disclose your personal data to other organisations only if it is legally required from us. For example, CCV is bound by obligations embodied in such legislation as the Anti Money Laundering and Terrorist Financing Prevention Act, the Sanctions Act and the Financial Supervision Act. As part of a fraud investigation, CCV might process data relating to criminal offences. We make agreements with organisations that receive your data from us about such matters as the security and confidentiality of your data. We keep a record of processing activities in which we register the purpose of processing, the grounds for processing, the retention period, the technical and organisational measures implemented, the type of personal data and the portability of personal data to third parties.
In the event of a data breach
No matter how effectively we perform our work, the risk of a data breach always exists. This can be the result of human error or have an external cause. A data breach is defined as a situation in which personal data is lost or ends up in the wrong hands.
In the event of a data breach, immediate action is required. We will first examine which personal data have been affected. If the breach could potentially affect your rights and freedoms, the data breach will be reported to the Dutch Data Protection Authority within 72 hours after discovery of the breach. In case of a high risk, you will also be informed right away.
In addition, the breach will be thoroughly investigated. We will get to the bottom of what happened and determine which data were exposed to risk, who or what might be the cause, and how we can prevent similar data breaches in the future. This approach enables us to tighten our security. Furthermore, we will carefully record any and all findings about the data breach to ensure we can learn from them even in the future.
Reporting a data breach
Do you think a data breach may have occurred? Please inform us as quickly as possible, stating the reasons or the signals that your suspicion is based on.
Report a suspected data breach >>
Terms and definitions
Personal data
All information pertaining to an individual, for instance a name or e-mail addresses. It also includes data that indirectly relate to someone’s identity, i.e. personal details such as an IP address, a card number or transaction data. Combined with other data, these details can be traced to an individual.
General Data Protection Regulation (GDPR)
European legislation regulating the careful processing and free movement of personal data. This Regulation was adopted and became applicable in all EU member states on 27 April 2016, subject to a two-year transition period to enable organizations to make their administrative and operational processes compliant with the new law, which became enforceable on 25 May 2018.
General Data Protection Regulation Implementing Act
A Dutch law (Uitvoeringswet Algemene Verordening Gegevensbescherming, UAVG) that ensures the GDPR is applied correctly. This Implementing Act supplements the GDPR and also carries forward elements from its predecessor legislation, the Dutch Personal Data Protection Act (Wet Bescherming Persoonsgegevens, WBP).
Dutch Data Protection Authority
The national regulator tasked with supervision and regulation on privacy. If you think that CCV is wrongfully processing your personal data or is not processing them correctly, and you are unable to reach agreement with us, you can get the Dutch Data Protection Authority involved.
Financial Supervision Act or Act on Financial Supervision
The Financial Supervision Act (or Act on Financial Supervision) (Wet op het Financieel Toezicht, WFT) is a Dutch law that ensures financial markets operate effectively and safeguards the stability of the financial system. It also protects consumers and businesses against bankruptcy or objectionable actions by financial institutions.
Anti Money Laundering and Terrorist Financing Prevention Act
A Dutch law (Wet ter voorkoming van Witwassen en Financieren van Terrorisme, WWFT) aimed at preventing companies from becoming involved, either knowingly or inadvertently, in money laundering or the financing of terrorist activities.
Authority for the Financial Markets
The Dutch regulator on the behaviour of financial institutions in the financial markets.
Telecommunications Act
A Dutch law (Telecommunicatiewet, TW) safeguarding the security of online networks (among other matters), and addressing consumer and privacy protection.
Data Protection Impact Assessment (DPIA)
A new work process can sometimes involve risks to your personal data. That is the reason that any new work processes of CCV is subject to a Data Protection Impact Assessment (DPIA). The GDPR sets out the requirements applicable to DPIAs.
Data controller
A person or organization that – individually or in collaboration with third parties – registers or manages personal data. The data controller is also responsible for how its data processing activities are structured and function. CCV is the data controller of the personal data of our clients.
Data processor
A person or organization that processes personal data on behalf of and on the instruction of the data controller. We are the data controller of payment data on behalf of a number of clients. A data processor and a data controller always conclude a contract setting out the terms and conditions that must be met to guarantee the security of personal data.
Client
A person that enters into a relationship with CCV, e.g. a visitor to our website, a person using our services or products, a supplier or a business partner.
Your privacy & CCV - Our cookie policy
Updated February 2021
Our cookie policy
We use cookies to ensure our website functions properly. Cookies are small text files we send to your computer, tablet or phone. Such a file will record certain data, such as the webpages you visit. This is an entirely anonymous process; your identity will not be revealed. However, cookies do reveal certain information about your behaviour. For that reason, we would like to inform you about cookies and the options available to you.
Purpose of our cookies
Cookies are useful both for us and for you. For instance, cookies ensure you do not need to enter the same information repeatedly, and that you are presented with information that is in line with your interests. We also use cookies to analyse how you use our website. The insights gained from this help us to make the site user-friendlier.
Cookies are used for a variety of purposes:
• To enable communication across a digital network
• To research how our website is used
• To conclude or fulfil an agreement
• To deliver a service requested by you
• To identify what your interests are based on how you use our site
• To enable third parties to identify what your interests are
If you prefer to disable cookies
You can decide which types of cookies you want to accept, if any. However, this choice may have certain consequences. If you disable our cookies, we cannot guarantee that our website will work flawlessly.
You can change settings to determine which cookies to accept and which to disable. For instance, you may want to accept statistical cookies but not the ones for personalised information.
You can personalise the settings of your browser – Chrome, Safari, Internet Explorer – to have it display a warning when a website wants to send a cookie, or to have it refuse all cookies or only third-party cookies. You can also delete all received cookies. Make sure you change these settings on every device and in every browser you use.
You can disable tracking by Google Analytics for all websites. If you want to do this, you can unregister for all Google cookies on their website.
Go to Google and unregister >>
The cookies we use
Essential
Google Tag Manager
Who: https://apps.ghostery.com/nl/apps/google_tag_manager
Purpose: Google Tag Manager allows CCV to quickly and easily update tags and code fragments on the website. Once the Tag Manager fragment has been added to the website, CCV can configure tags via a web interface without needing to change or implement additional code. This reduces the likelihood of errors and it will no longer be necessary to involve a developer when CCV needs to change something.
Cookies: -
Expiry period: Unlimited
Cookie opt-in: Non-optional
Website analytics
Google Analytics
Who: https://apps.ghostery.com/nl/apps/google_analytics
Purpose: Obtain insight in visitors’ behaviour on the website in order to improve their user experience.
Cookies: __utma, __utmb, __utmc, __utmv, __utmz, _ga
Expiry period: After two years
Cookie opt-in: Optional
Hotjar
Who: https://apps.ghostery.com/nl/apps/hotjar
Goal: to do qualitative research among website visitors and gain a better insight into the click behaviour of the visitor. This can improve the user experience on the website.
Cookies: _hjIncludeInSample, _hjMinimizedPolls, _hjUserId
Expiry period: 12 months
Cookie opt-in: optional
AB Tasty
Who: https://apps.ghostery.com/nl/apps/optimizely
Goal: to gain a better insight into the click behaviour of the visitor. This can improve the user experience on the website.
Cookies: ABTasty, ABTastySession
Expiry period: 13 months
Cookie opt-in: Optional
Advertising
Doubleclick
Who: doubleclick.net
Purpose: Measuring the conversion. This anonymous information is used to determine the value of an advertising partner and to enable billing of advertising partners. This anonymous information is also used to build anonymous visitor segments, if an opt-in for this was given.
Cookies: id, test_cookie,_drt_, p
Expiry period: no more than 90 days
Cookie opt-in: optional
Facebook pixel
Goal: Measuring conversions and making targeted offers on third-party sites. The anonymous conversion information is used to determine the value of various advertising partners in a central adserver and this anonymous information is used to place targeted offers on third-party sites through this central adserver.
Cookies: locale, c_user, csm, datr, fr, lu, xs, pk, s, p, act, x-src, presence, tr
expiry period: 12 months
Cookie opt-in: optional
LinkedIN pixel
Goal: to measure conversions and make targeted offers on third-party sites. The anonymous conversion information is used to determine the value of various advertising partners in a central adserver and this anonymous information is used to place targeted offers on third-party sites through this central adserver.
Cookies: bcookie, bscookie
Expiry period: 12 months
Cookie opt-in: optional
Pinterest pixel
Goal: to measure conversions and make targeted offers on third-party sites. The anonymous conversion information is used to determine the value of various advertising partners in a central adserver and this anonymous information is used to place targeted offers on third-party sites through this central adserver.
Cookies: _pinterest_ct_rt, ajs_user_id,
Expiry period: 12 months
Cookie opt-in: optional
Google Optimize (currently running in DE and NL)
Who: https://marketingplatform.google.com/about/optimize/
Goal: to gain a better insight into the click behaviour of the visitor. This can improve the user experience on the website.
Cookies: _gaexp, _opt_awcid, _opt_awmid, _opt_awgid, _opt_awkid, _opt_utmc
Expiry period: differs per cookie, 24 hours - 90 days
Cookie opt-in: optional
AdCalls (currently running in NL)
Who: https://www.adcalls.com/
Goal: to gain a better insight into campaign effectiveness. To provide insight into all call conversions per traffic source or campaign.
Cookies: acalltracker, acalltrackersession, acalltrackerreferrer, excludecalltracking, acalltrackernumber.
Expiry period: differs per cookie, 30 minutes - 30 days
Cookie opt-in: optional
Customer interaction
LiveChat
Who: https://apps.ghostery.com/nl/apps/livechat
Purpose: to initiate customer interaction via the website.
Cookies: __lc_cst, amplitude_idlivechatinc.com, __lc_cid, landing_page, __livechat, 3rdparty, __lc_vv.group16, referrer, message_text.group16, chat_widget_amplitude_idlivechatinc.com, recent_window.group16, main_window_timestamp.group16, main_window_timestamp_16.group16, _ga, notification[status_ping].group16, utm_source, __livechat_lastvisit
Expiry period: no more than 2 years
Cookie opt-in: optional
Security of personal data
CCV takes appropriate technical and organisational measures to protect the personal data of data subjects from misuse, unauthorised access and loss. Please contact CCV if you have questions or comments about the method of security, or if you have indications of misuse of personal data.
Amendment of privacy policy
Our privacy statement is subject to amendment if changes are made to our privacy policy. Any changes will be made known on the CCV website.
Questions and contact
If you need any help, our customer service department will be happy to assist you.
• I have a question about privacy>>
• I have a complaint >>
• I want to report a suspected data breach >>
• I have a request to access my data >>
• I have a request to change or delete my data >>
• I have a request for data transfer >>
Contact us on +31 (0)88 228 9849 or send us an e-mail with your question: privacy@ccv.eu.
This privacy statement is from the following data controller:
CCV Group B.V.
Westervoortsedijk 55
6827 AT Arnhem
Postbus 9226
6800 KH Arnhem
Chamber of Commerce No.: 09045274
Telephone: +31 (0)88 2289849
The data protection officer of CCV Group B.V.:
We have appointed a Data Protection Officer (DPO). You may contact our DPO if you have any questions and/or complaints with regards to your privacy. Our Data Protection Officer is working for
Lumen Group.
You can you reach our DPO via 030 - 889 65 75 or per e-mail fg@lumengroup.nl. You can also reach our DPO via a secured website.
Lumen Group B.V.
Reactorweg 301
3542 AD UTRECHT
The Netherlands