Privacy policy | 5CA

Privacy policy

Last amendment: 5 September 2024

 

Privacy mission and vision

Our Mission: Enable 5CA to navigate a dynamic future in privacy through transparent, ethical, and innovative uses of personal data. 5CA Privacy Team is a division of the 5CA Legal and Compliance department. We strive to be a valued partner and advisor to 5CA community by providing guidance and training on privacy laws, policies, and best practices.

 

Long Term Goals:

  • Promulgate privacy by design
  • Build trust as a data steward
  • Manage privacy risk proactively and pragmatically
  • Advocate for the innovative and ethical use of data
  • Be a recognized leader in data privacy
Who are we? Introduction

This privacy policy (“Policy”) applies to anyone who contacts 5CA (for example, via a contact form or email/message; “Requester”) or wishes to enter or enters a relationship where 5CA provides services (“Prospect/Client”) or where the service is provided to 5CA (“Vendor”). This policy also applies to anyone who visits 5CA.com (“Website Visitor”) and to those who participate in our marketing campaigns, events and other activities (“Participants”). We call all these parties “you”, “your” and “yours”.

 

5CA B.V. located at Stationsstraat 154, 3511 EK Utrecht is your Data Controller under this Policy. If you enter into a relationship with any of our affiliates and entities specifically, your Data Controller will be such entity (“5CA”, “5CA Group”, “we”, “us”, “our”). If you are our Turkish Vendor then our Turkish Supplier Enlightenment Policy applies to you, and you can check it already here (in Turkish, in English).

 

“Personal data” means any information relating to an identified or identifiable natural person. For example, we may collect your first, last name and email address which is your personal data when you contact us via email.

 

This also means that from the moment of the collection of your personal data, you are a “Data subject” in the meaning of Privacy Law that applies to you.

 

5CA places foremost importance on any operation or set of operations performed on personal data or on sets of personal data, whether by automated means. This is, for example, the collection, use, recording, disclosure, maintenance, organisation, storage, and deletion of your personal data (“Processing”).

 

Your personal data under this Privacy Policy is processed under General Data Protection Regulation (“GDPR”) and other data protection and privacy legislation that applies to your specific relationship with us such as when you sign an agreement with one of 5CA’s Group entities (“Privacy law”).

 

5CA processes your personal data subject to privacy principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability that arise from the GDPR and similar privacy principles that come from the applicable Privacy law.

Which information do we collect and why?

We will process personal data for the purposes as stated below:

Data Subject Personal Data Purpose Legal ground
Website Visitor Website Browsing and Device Information including IP address, browser type, device type, browsing time, hashed email address (collected via application form if you accept advertisement and targeting cookies), your use of this Website, and other clickstream data as per cookie). Depending on used Cookies, this will be in particular:

  • Providing certain features of the Website, user verification,
  • Understanding and saving user’s preferences for future visits,
  • Advertising on other sites,
  • Compiling and aggregating data about site traffic and site interaction so that we can offer better Website experiences and tools in the future,
  • Statistical analysis and market research.

 

You can freely customize your data per use/purpose via our Cookie settings by clicking the cookie icon or cookie settings. To know more about these purposes, see our Cookie policy.

 Consent except for strictly necessary cookies (legitimate interest ground).
Requesters
  • First name,
  • Last name,
  • E-mail,
  • Phone number (if provided),
  • Company name (if applicable),
  • Other personal data that Website Visitor decides to provide via “Description” field,
  • Other personal data as needed to proceed with the request.
  • To proceed with your questions and requests and provide you with sufficient information,
  • Hosting, storing, and security of the systems.
  • Performance of a contract and consent if you voluntarily provide sensitive personal data,
  • Legitimate interest (explained below),
  • Depending on your specific request, the legal ground can be as well a legal obligation and legitimate interest (explained below).
Prospect/Client
  • Contact details including full name, email address, phone number (if provided), social media link,
  • Contractual and financial information such as tax ID number, banking details, (e) signatures (including date, time), title/role, company entity, expense details, invoices,
  • Other personal data as needed for the provision of service,
  • If you have an account in our systems: basic user account, information, activity logs, device details, IP address, OS information.
  • Communication, creating and maintaining business relationships, internal and external meetings,
  • Account management, Contract renewal, negotiations,
  • Book-keeping, invoicing, payments, billing, business reporting,
  • Hosting, storing, and security of the systems.
  • Performance of a contract,
  • Legitimate Interest (explained below),
  • Legal obligation (e.g., tax compliance).
Vendor Contact details including full name, email address, address, phone number (if provided),

Contractual and financial information such as tax ID number, banking details, (e) signatures (including date, time), title/role, company entity, expense details, invoices,

If you have an account in our systems: basic user account information, activity logs, device details, IP address,

Other personal data as needed for the provision of service.
  • Communication,
  • Book-keeping, invoicing, payments,
  • Vendor management, negotiations, contract execution, signature, renewal,
  • Hosting, storing, and security of the systems.
 Performance of a contract and if necessary for a legal obligation (e.g., tax compliance).
Participants Contact details:

  • First name
  • Last name
  • Email address

and personal data collected via consent during an event or activity, e.g., pictures, videos.
  • Promoting our brand, for example, when we run a marketing campaign or want to share some pictures or video content from our events externally (e.g., on social media),
  • Hosting, storing, and security of the systems.
 Consent
Legal basis

Performance of a contract
We must process your personal data to negotiate, review enter, sign and fulfill the contract with you (Art. 6(1)(b) GDPR) otherwise we cannot proceed with these actions and eventually enter into a contract with you.

 

Legitimate interest 
Based on Article 6(1)(f) of the GDPR we will process your personal data for the legitimate interest of the proper management of the relationship with you (e.g., keeping lists of contracts with you, budget and contract management, business reporting). Failure to process this data constitutes the impossibility to enter and proceed with the relationship with you as we will not be able to administer it appropriately.

 

We also use legitimate interest legal ground to make sure your account is registered (if we need to create it), and your personal data stored within our environment is well-maintained and protected. Failure to process this data constitutes the impossibility to enter into any communication with you because we need to make sure it is stored, maintained and secured. For more information about security measures, see Section 8.

 

In addition, in certain cases we may invoke legitimate interest to proceed with legal claims.

 

You have the right to object under Article 21 of the GDPR.

 

Consent  
Based on Article 6(1)(a) of the GDPR, we may process your personal data based on prior, freely given, informed, unambiguous and specific consent. You are free to provide your consent and have the right to withdraw it at any time.

 

Right to withdraw consent 
You can withdraw your consent at any time by sending a request to privacy@5ca.com. If you change your decision, it will not affect the lawfulness of processing your personal data based on consent before its withdrawal. This means we will not further process your personal data from the moment of withdrawal, but the processing activities performed beforehand will still be legitimate.

 

Necessary for a legal obligation
To legal obligations mean that 5CA must process your personal data to comply with a particular law that applies to 5CA.

 

5CA may process your personal data, in particular, for any legally required registries, book-keeping, tax, solve your legal request, or in case your personal data are subject to a conflict to which we are a party; we might need to process and disclose your personal data to authorities and persons we require to use our right to defense such as attorneys, experts and courts. We may process your personal data to fulfil these legal liabilities and to use our right to defense.

Retention period

5CA gives utmost importance on not keeping your personal data longer than necessary. To ensure that personal data is kept for no longer than necessary, we apply retention periods concerning the category, sensitivity and the purpose of personal data processed. This also depends on the type of relationship you have and our legal ground. For example, when you sign an agreement with our entity in the Netherlands, we will store most of your financial and contractual personal data in most cases for 7 years because the Dutch law obliges us to do so.

 

Where technically possible we set automated retention periods so after a reasonable period your personal data will be anonymized or deleted. The established retention periods are reviewed and updated regularly.

Sharing personal data with third parties

Your personal data is stored mainly in our Microsoft environment. Your personal data is shared with our hosting and (cloud, back-up) providers that assist us in creating and maintaining this environment. We also share your personal data between 5CA Group entities (e.g., if our colleague based in the Netherlands handles your personal data).

 

Your contractual and financial personal data is also shared with our (e)signature providers, legal and compliance providers (such as book-keeping, law firms, accountants, legal registry’s providers, auditing companies), local banks, depending per 5CA Group’s entity. Depending on the circumstances, your personal data may also be shared with the relevant public authorities (such as tax authority).

 

If you provide your consent, personal data that you disclose will be shared with the parties indicated on a consent form or notices (these are usually social media platforms such as LinkedIn).

 

Your personal data as a Website Visitor (if it constitutes personal data) is shared with our website hosting provider, cookie providers per cookie type (such as Google) and cookie managing platforms (such as OneTrust). For example, analytics and performance cookies’ information of the SRM_B cookie is shared with Microsoft. You can see the list of all the parties via the Cookie banner that pops up when you enter our Website or by clicking on the Cookie settings at the bottom of a page and then Cookie details in the Cookie banner. For more details about Cookies and how to remove them, please check our Cookie Policy.

 

The above-mentioned parties use their own systems and vendors to support performing the service for the purposes listed in the table above. You can contact us for further details regarding a certain party.

Data transfers, storage, and processing globally

The location of the parties depends on the relationship with us. Most of the parties provided in Section 6 are located in the European Economic Area (“EEA”), and some may be located outside of the European Economic Area, for example, in United States, United Kingdom, Argentina, Hong Kong, South Africa, Philippines, Turkey. This will also depend on which entity of 5CA Group you enter into a relationship with.

 

Where your personal data is stored outside the EEA, and when such a country does not have any binding adequacy decisions from the European Commission (such decisions guarantee your data is safely sent outside EEA), we will ensure an appropriate level of protection for the data transferred by providing adequate contractual (such as Standard Contractual Clauses), organizational and technical safeguards (jointly referred to as “adequate safeguards”). We also require vendors to act appropriately to protect the confidentiality and security of personal data, especially for your personal data processed outside EEA. You can ask for a copy of such adequate safeguards via privacy@5ca.com.

How do we protect your information?

We have implemented commercially reasonable technical, organizational and security measures designed to protect your personal data. Ensuring the security of your personal data is particularly important to us, which is why we have taken different technical and organizational measures to ensure this. In particular:

  • We use regular prevention, detection, and response systems to scan and mitigate potential vulnerabilities and reduce security risks,
  • Your personal data is contained behind secured networks and is only accessible by a limited number of your recruiters, hiring managers, maintenance, and security teams on a need-to-know basis and who are required to keep the information confidential as per Zero Trust approach. In addition, the information is encrypted with Secure Socket Layer (SSL) technology,
  • We implement a variety of security measures when you enter, submit, or access your information to maintain the safety of your personal data.

 

As the security of information depends in part on the security of the computer, device, or network you use to communicate with us and the security you use to protect your user IDs and passwords, please make sure to respond appropriately to protect the information you send us as well.

Your privacy rights

If you believe that your data protection rights may have been breached,

  • You have the right to lodge a complaint with the applicable supervisory authority or to seek a remedy through the courts,
  • You have the right to object to profiling (if such is part of our activities),
  • You have the right to object, to or to request restriction, of the processing,
  • You have the right to request that we rectify any personal data.
  • You also have a right to request certain details of the basis on which your personal data is transferred outside the European Economic Area and adequate safeguards we use for these data transfers,
  • You have the right to data portability as to request that some of your personal data is provided to you, or another data controller, in a commonly used, machine-readable format,
  • You have the right to request the erasure of your personal data when such personal data is no longer necessary for the purposes for which it was collected, or when, among other things, your personal data has been unlawfully processed. However, please keep in mind that we may not delete all your personal data as we may still need to keep it for our legitimate purposes such as establishment, exercise and defense of legal claims,
  • You have a right to access personal data held as to request a copy of the personal data that we hold about you. There are exceptions to this right, so that access may be denied if, for example, it does infringe upon the rights and freedom of others or if we are legally prevented from disclosing such information,

 

You can exercise your rights by submitting a request to privacy@5ca.com.

 

Subject to legal and other permissible considerations, we will make every reasonable effort to honor your request promptly in accordance with applicable law or inform you if we require further information to fulfil your request. When processing your request, we may ask you for additional information to confirm or verify your identity and for security purposes before processing and/or honoring your request.

 

We reserve the right to charge a fee where permitted by law, for instance, if your request is manifestly unfounded or excessive. In the event that your request would adversely affect the rights and freedoms of others (for example, would impact the duty of confidentiality we owe to others) or if we are legally entitled to deal with your request in a different way than initially requested, we will address your request to the maximum extent possible, all in accordance with applicable law.

Changes to the Privacy Policy

5CA may make changes to this Privacy Policy. 5CA, therefore, recommends that you regularly check for updates to the privacy statement. You can track the changes by checking the data on the top of this page.

Contact information

You are welcome to contact the Privacy Team (privacy@5ca.com) for any questions, comments, and requests regarding this Internal Privacy Policy or if you have any other requests or questions about your personal data and its processing by 5CA.