DATA PRIVACY NOTICE
1 Who is responsible for your Personal Data
This Privacy Notice explains how Kartesia (being "Kartesia Management", "Kartesia Advisor LLP" and any other Kartesia Group entity, its subsidiaries and branches, "we", "us" or "our") collects, uses, shares and otherwise processes your Personal Data in connection with your relationship with us as a Kartesia client, acting for a client or being generally interested in our services and our publications in accordance with applicable data privacy laws and the General Data Protection Regulation 2016/679 ("GDPR") which will become applicable as of 25 May 2018.
We control the ways your Personal Data are collected and the purposes for which we use your Personal
Data acting as "data controller" for the purposes of the GDPR.
2 Personal Data we collect about you
When using the term "Personal Data" in this Privacy Notice, we mean information that relates to you and allows us to identify you, either directly or in combination with other information that we may hold. Your Personal Data may include for example your name, your contact details, bank details or information on how you interact with us.
We will process your Personal Data if and to the extent applicable law provides a lawful basis for us to do so. We will therefore process your Personal Data only:
a) if you have consented to us doing so
b) if we need it to perform the contract we have entered into with you, or c) if we need it to comply with a legal obligation, or
d) if we (or a third party) have a legitimate interest which is not overridden by your interests or fundamental rights and freedoms. Such legitimate interests will be the provision of services by us, administrative or operational processes and direct marketing.
2.1 Categories of data we collect
Personal identification data
• Name and surname
• Postal and/or e-mail address
• Phone numbers
• Passport / ID, TIN
• Date of birth
• LinkedIn profile
• Salutation (Mr / Mrs / Ms)
• Content you provide (such as CV, education history, comments, responses to questions)
• Subscription details
• Payment account information
• Job title
• Department and name of organization
2.2 Sensitive Personal Data
In the course of providing services to you, we may collect information that could reveal your racial or ethnic origin or conviction of criminal offences. Such information is considered "sensitive personal data" under the GDPR. We only collect this information in the case you have given your explicit consent, it is necessary according to legal obligations, or you have deliberately made it public.
For example, we may collect this information during the onboarding phase at the beginning of our business relationship when you provide us with an extract of your criminal record. Also, when you provide us with your personal documentation such as CV, copy of passport or ID card, your nationality and/or photo may imply your racial or ethnic origin.
By providing any sensitive personal data you explicitly agree that we may collect and use it in order to provide our services and in accordance with this Privacy Notice.
If you do not allow us to process any sensitive personal data, this may lead to us being unable to provide all or parts of the services that you have requested from us.
3 How and why we use your Personal Data
We use your Personal Data for the following purposes:
• To provide our services to you
• To communicate with you and manage our relationship with you
• To personalize and improve your customer experience
• To improve our services, fulfil our administrative purposes and protect our business interests
• To comply with our legal obligations
We will only use your Personal Data for the purposes for which we collected it and which we informed you about, unless we reasonably consider that we need to use it for another reason which is compatible with the original purpose. If we need to use your Personal Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
4 Your rights in relation to your Personal Data
Under the GDPR you have rights as an individual which you can exercise under certain circumstances in relation to your Personal Data that we hold. These rights are to:
• request access to your Personal Data (commonly known as a "data subject access request") and
request certain information in relation to its processing;
• request rectification of your Personal Data;
• request the erasure of your Personal Data;
• request the restriction of processing of your Personal Data;
• object to the processing of your Personal Data.
If you want to exercise one of these rights please contact us at GDPR@kartesia.com .
You also have the right to lodge a complaint at any time with the National Commission for Data Protection ("CNPD"), the Luxembourg supervisory authority for data protection issues, or, as the case may be, any other competent supervisory authority of an EU member state.
5 Security of your Personal Data
We are committed to taking appropriate technical and organisational measures to protect your Personal
Data against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Your Personal Data is stored in Luxembourg in electronic and physical form. Any physical documentation is kept under lock and key in a secure location at our premises. Copies of this documentation are kept within a bank vault. Electronic files that contain Personal Data are stored within a secured IT infrastructure.
6 Retention period
We will only retain your Personal Data for as long as we need it in order to fulfil the purposes for which it was collected and processed, including for the purposes of satisfying any legal, regulatory, accounting or reporting requirements.
In some circumstances we may anonymise your Personal Data so that it can no longer be associated with you, in which case it is no longer considered as Personal Data. Upon expiry of the applicable retention period we will securely destroy your Personal Data in accordance with applicable laws and regulations.
7 Sharing your Personal Data
Please note that we may use or disclose Personal Data if we are required by law to do so or if we reasonably believe that use or disclosure is necessary to protect our rights and/or to comply with judicial or regulatory proceedings, a court order or other legal process.
You will in general not have to pay a fee to exercise any of your individual rights mentioned in this Privacy Notice. However, we may charge a reasonable fee if your request to exercise your individual rights is manifestly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
9 Updates to our Privacy Notice
We reserve the right to update this Privacy Notice at any time, and we will make an updated copy of such privacy notice publicly available.
10 Contact information
If you have any concerns or require any further information, please do not hesitate to contact us at GDPR@kartesia.com or send your request to the following address:
Kartesia Management S.A.
Attn. Bérengère HAUSMANN
19-21 route d’Arlon
Grand-Duchy of Luxembourg