
Privacy statement

From 25 May 2018, the General Data Protection Regulation (GDPR), known in Dutch as the Algemene verordening gegevensbescherming (AVG), will come into force. From then on, the same privacy legislation will apply to all countries that are part of the European Union (EU). Centagon B.V. undertakes to comply with this regulation and expresses this through this privacy statement.

This statement provides an explanation of how Centagon B.V., located at Provincialeweg 66, 5503 HH Veldhoven, Netherlands (referred to as 'we', 'us', or 'Centagon') processes personal data of its website visitors (referred to as 'you' and 'your data') and outlines your rights regarding your personal data through the website.


This document contains the following information:

1. Employee awareness
2. Rights of data subjects
3. Processing activities
4. Data Protection Impact Assessment (DPIA)
5. Privacy by design and Privacy by default
6. Data Protection Officer
7. Data breach notification
8. Data processing agreement
9. Lead supervisory authority
10. Consent
11. General
12. Contact

Introduction

The DDMA (Data Driven Marketing Association, Amsterdam 2010) is the leading industry association for marketing and data. When a member of DDMA complies with the European privacy legislation (GDPR, May 25, 2018) and adheres to the established codes of conduct, they are eligible to display the Privacy Waarborg certification mark. This certification ensures that members handle personal data with care.

Based on the audit procedure conducted by the DDMA Privacy Authority, reports (DDMA Privacy & Security check) have confirmed that Centagon B.V. has been authorized to display the Privacy Waarborg certification mark since May 2018.

This certification provides an important guarantee to all clients of Centagon B.V. that the processing of personal data is conducted in accordance with the applicable laws and within the strict codes of conduct of the DDMA.

For questions or additional information regarding the Privacy Waarborg certification and/or the General Data Protection Regulation (GDPR), please contact Walter van Houten via walter.van.houten@centagon.com.

1. Employee awareness

Centagon B.V. informs all employees who directly or indirectly have access to personal data as referred to in the General Data Protection Regulation (AVG) and enters into a formal agreement with each individual employee in which they declare to be aware of the guidelines as stated in the AVG and as formulated in this Privacy Policy and to act in accordance with these guidelines in all occurring situations.

2. Rights of data subjects

A 'data subject' means the person whose personal data are stored and/or processed.

2.1 Right to data portability (Article 20 AVG)

Data subjects have the right to portability of digital personal data. Upon first request, collected personal data will be provided in a structured, commonly used and machine-readable format.

2.2 Right to be forgotten (Article 17 AVG)

Under the following conditions, data subjects have the right to request the erasure of their collected personal data:

  1. No longer necessary: Centagon B.V. no longer needs the personal data for the purposes for which it was collected or processed.

  2. Withdrawal of consent: The data subject previously gave (explicit) consent to Centagon B.V. for the use of their data but has now withdrawn that consent.

  3. Objection: The data subject objects to the processing. According to Article 21 of the GDPR, there is an absolute right to object to direct marketing. There is also a relative right to object when the data subject's rights outweigh Centagon B.V.'s interests in processing the personal data.

  4. Unlawful processing: Centagon B.V. unlawfully processes the personal data, for example, because there is no legal basis for the processing.

  5. Legally determined retention period: Centagon B.V. is legally obligated to erase the data after a certain period.

  6. Children: The data subject is younger than 16 years old, and the personal data was collected through an app or website.

The right to be forgotten is not applicable when:

  • Processing is necessary to exercise the right to freedom of expression and information, acknowledging that privacy and freedom of expression are equal fundamental rights.
  • Centagon B.V. processes the data because there is a legal obligation to do so.
  • Centagon B.V. processes the data to perform a task carried out in the public interest or in the exercise of official authority.
  • Centagon B.V. processes the data for public health purposes in the public interest.
  • Centagon B.V. needs to archive the data for historical, statistical, or scientific research purposes in the public interest.
  • The data is necessary for the establishment, exercise, or defense of legal claims.

2.3 Right of access (Article 15 AVG)

When a data subject requests access to personal data, Centagon B.V. will inform the data subject about:

  • the reason why Centagon B.V. collects and processes certain personal data
  • what kinds of personal data Centagon B.V. collects
  • to which organizations Centagon B.V. transfers the personal data, including organizations in other countries and international organizations (if applicable)
  • the period for which Centagon B.V. retains the personal data and the criteria used by Centagon B.V. to determine a retention period
  • the privacy rights that the data subject has: the right to erasure of personal data, the right to request that less personal data be processed and the right to object if Centagon B.V. processes personal data
  • the right the data subject has to file a complaint with the Personal Data Authority
  • from which organisation Centagon B.V. received personal data when it was not collected by Centagon B.V. (if applicable)
  • on the basis of which logic Centagon B.V. makes an automated decision about a data subject.

2.4 Right to rectification and supplementation (Article 16 AVG)

Centagon B.V. bears responsibility for ensuring that personal data processed are correct. Data subjects have the right to rectify or supplement personal data.

  • On first request, Centagon B.V. will rectify and/or supplement personal data if the data subject can plausibly demonstrate that these data are incorrect and/or incomplete.
  • Centagon B.V. will pass on adjustments and/or supplements to other organizations to which the personal data in question have been provided (if applicable).
  • Centagon B.V. will inform the data subject to which other organisations rectifications and/or additions to personal data have been provided (if applicable).

2.5 Right to restriction of processing (Article 18 AVG)

The right to restrict processing applies in situations that meet one of the following criteria:

  • Data may be inaccurate
    When data subjects indicate that Centagon B.V. processes incorrect personal data, such data will not be processed until Centagon B.V. has carried out a verification of its accuracy.
  • Processing is unlawful
    Centagon B.V. is not entitled to process certain data, but the data subject does not want this data to be deleted.
  • Data is no longer needed
    Centagon B.V. no longer needs the personal data for the purpose for which they were collected, but the data subject still needs the personal data for a legal claim (e.g. legal proceedings in which he is involved).
  • Data subject objects
    If a data subject objects to the processing of their personal data, Centagon B.V. will cease processing such data unless Centagon B.V. cites compelling legitimate grounds for the processing which outweigh the interests, rights and freedoms of the data subject. As long as it is not yet clear whether the alleged grounds for processing outweigh the interests, rights and freedoms of the data subject, Centagon B.V. will not process the data.
  • Data subject invokes the right
    If a data subject invokes the right to restrict processing and the personal data concerned have been transferred to other organisations, Centagon B.V. will inform these organisations about the request and ask them to apply an equal restriction of processing (if applicable).
  • Centagon B.V. informs
    Centagon B.V. will inform the data subject to which other organisations a request for restricted processing of personal data has been provided (if applicable).

2.6 Right to a human assessment

In appropriate situations, Centagon B.V. may make a decision based on automatically processed data, such as profiling. If such decision-making has consequences for a data subject, the data subject has the right to demand a new decision based on a human, not automated, assessment.

2.7 Right of objection

If Centagon B.V. processes personal data on the basis of a general or legitimate interest, the data subject has the right to object to the processing of their data.

  • If a data subject objects to the processing of their data, Centagon B.V. will cease further processing unless compelling legitimate grounds for the processing can be invoked which outweigh the interests, rights and freedoms of the data subject, or grounds relating to a legal claim. Until it is clear whether these grounds are compellingly justified, the data will not be processed.
  • If personal data are used for direct marketing, the data subject has the right to object to this. This applies equally in case of profiling for these marketing purposes. If data subjects object to the processing of personal data for direct marketing purposes, Centagon B.V. will immediately cease such processing.
  • Centagon B.V. will inform data subjects about the right to object at the first moment of contact. This information will be offered clearly and separately from other information.

3. Processing

We have appropriate technical and organisational measures in place to protect your personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access and against all other forms of unlawful processing.

3.1 Duty to inform

Centagon B.V. aims, and is legally obliged by virtue of the AVG, to clearly inform new and existing data subjects for what purpose personal data are collected and processed.

  • Centagon B.V. publishes this Privacy Policy via its own website (www.centagon.com) and thus offers a complete and up-to-date insight into the rights of data subjects in respect of the collection and processing of personal data. In addition, pop-ups may be shown with a consent question.

3.2 Accountability

Centagon B.V. aims, and is legally obliged by virtue of the AVG, to be able to demonstrate that the processing of personal data complies with key principles of processing:

  • lawfulness
  • transparency
  • Purpose limitation
  • accuracy

In addition, Centagon B.V. bears responsibility for taking the appropriate technical and organisational measures to protect personal data and to make these transparent at the time of a request by the Personal Data Authority. Centagon B.V. is not obliged to, and will not, maintain a register of processing activities based on the assessments that Centagon B.V. employs fewer than 250 employees, the processing of personal data is not incidental, no personal data are processed that pose a high risk to the rights and freedoms of data subjects whose data are collected and processed, and no personal data are collected and processed that are categorised under 'special personal data' such as religion, health, political affiliation and/or criminal data.

4. Data Protection Impact Assessment (DPIA)

Centagon B.V. is not obliged to, and will not, conduct a Data Protection Impact Assessment (DPIA), on the basis of its assessment that no data with a high privacy risk are collected or processed. High privacy risk data in this context includes the systematic and comprehensive evaluation of personal aspects (including profiling), the large-scale processing of special personal data or the large-scale and systematic tracking of people in a publicly accessible area (such as camera surveillance).

5. Privacy by design and Privacy by default

Centagon B.V. is committed to having a strong focus on protecting personal data when designing services and products. An important part of this is minimising the amount of personal data collected to a nature and extent that serves the intended purpose and is reasonably and fairly related to it. Another criterion of Privacy by Design is determining the period for which personal data is stored and communicating it to the data subject. Centagon expresses the concept of Privacy by Default by applying, in every development of an application or design of an online campaign, the basic principle that only those personal data are collected and processed that are relevant for a specific purpose.

6. Data protection officer (FG)

Centagon B.V. is not a public organisation or government agency and does not have a core business involving large-scale tracking of individuals. As a result, Centagon B.V. does not meet the criteria set by the AVG regarding the obligation to appoint a Data Protection Officer (FG).

7. Duty to report data breaches

Centagon B.V. undertakes to comply with the data breach notification obligation as it applies to companies and public authorities as of 1 January 2016. When Centagon B.V. discovers, or is made aware of, a serious data breach, a notification will immediately be made to the Dutch Data Authority via the data breach notification desk and to the client. Centagon B.V. processes data leaks and/or vulnerabilities in accordance with the guideline described in the document 'Guideline to arrive at a practice of Responsible Disclosure' of the N.C.S.C (National Cyber Security Centre) / Ministry of Security and Justice:

7.1 Objective of Responsible Disclosure

The purpose of responsible disclosure is to contribute to the security of ICT systems and manage the vulnerability of ICT systems by reporting vulnerabilities responsibly and handling these reports carefully, so that damage can be prevented or mitigated as much as possible. Central to working with responsible disclosure is remedying vulnerabilities and increasing the security of information systems. The key issue in responsible disclosure is that parties mutually comply with agreements on reporting the vulnerability and dealing with it. For example, a party that adopts a responsible disclosure policy may commit to the principle of not reporting if the ground rules applicable under the policy are met. The practice of responsible disclosure primarily involves the reporter and the organisation, which owns/manages the system. It is important to have as few links as possible between the person reporting the vulnerability and the organisation responsible for fixing the problem. However, the reporter and the organisation may jointly decide to inform the National Cyber Security Centre (NCSC) or other parties within the ICT security community about the vulnerability, especially in the case of a not yet known vulnerability, in order to prevent or mitigate (consequential) damage elsewhere as well.

7.2 Responsibilities

With the implementation of a responsible disclosure policy, the aim is to jointly contribute to reducing vulnerabilities in information systems by the reporter and the organization. The respective responsibilities are borne by Centagon B.V. and the reporter.

The promotion of responsible disclosure begins with Centagon B.V., the owner of the information systems. As the primary party responsible for the security of these systems, Centagon B.V. establishes its own policy for responsible disclosure to clarify how it intends to handle vulnerability reports:

  • Centagon B.V. ensures that the reporting process is easily accessible for reporters, for example by providing a standardized method, such as an online form, for submitting reports. The organization may choose to accept anonymous reports.
  • Centagon B.V. has sufficient capacity to respond adequately to reports.
  • Centagon B.V. receives and promptly forwards vulnerability reports to the Security Officer.
  • Centagon B.V. sends an acknowledgement of receipt to the reporter (unless the report is anonymous and no contact information is available). Subsequently, Centagon B.V. and the reporter establish contact to discuss the further process.
  • Centagon B.V., in consultation with the reporter, determines whether and, if so, when disclosure will take place. A reasonable standard timeframe for addressing software vulnerabilities is 60 days.
  • If a vulnerability is difficult or costly to address, Centagon B.V. and the reporter may agree not to disclose it publicly.
  • Centagon B.V. keeps the reporter and other relevant parties informed about the progress of the process.
  • Centagon B.V., in consultation with the reporter, may decide to inform the broader ICT community about the vulnerability if it is likely to be present elsewhere.

The key to implementing a successful practice of responsible disclosure lies with the reporter. The reporter has identified a vulnerability and wishes to contribute to the security of information systems by disclosing the vulnerability to Centagon B.V. Reporters acknowledge their important societal responsibility and fulfill it by disclosing vulnerabilities responsibly. To achieve a successful practice of responsible disclosure, the following elements apply to the reporter:

  • The reporter is responsible for their own actions and ensures that the report is primarily submitted to the (system/information) owner.
  • The reporter submits the report as soon as possible to prevent malicious actors from discovering and exploiting the vulnerability.
  • The reporter submits the report confidentially to the organization to prevent unauthorized access to the information.
  • The reporter refrains from engaging in disproportionate actions, such as using social engineering to gain unauthorized access to the system, placing their own backdoor in an information system, exploiting the vulnerability beyond what is necessary to establish its existence, copying, modifying, or deleting data from the system, making changes to the system, repeatedly accessing the system or sharing access with others, or engaging in brute force attacks to gain system access.
  • If the reporter and organization agree to disclose the vulnerability publicly, the reporter should do so only after all involved organizations have been properly informed and have confirmed that the vulnerability has been resolved in accordance with the agreed-upon terms.

Internally, the policy states that internal processors of personal data may only process such data through the secure network and the secure applications provided for data processing. It is strictly prohibited for them to store personal data in any other manner (e.g., on personal computers, laptops, storage devices such as USB sticks, CD-ROM/DVDs, or external hard drives), transmit it (e.g., via email, SharePoint, WeTransfer), create duplicate files, or process it in any way that could jeopardize the security of the personal data.

Centagon has documented a protocol and communicated it internally, which outlines how employees should act in the event of loss or theft of equipment and/or data.

8. Processor agreement

Centagon B.V. processes collected data itself and exclusively. In no situation is this data processing outsourced to a processor. For this reason, there is no reason to draw up, maintain and ratify a processor agreement as referred to in Article 28(3) of the AVG.

9. Lead supervisory authority

Centagon B.V. processes cross-border data in appropriate situations, subjecting itself to the supervision of a lead supervisor ('lead supervisory authority') of the (EU) country where the principal place of business of a commissioning organisation is located, or the central administration is conducted, and acting in accordance with the guidelines for European privacy supervisory authorities ('Guidelines for identifying a controller or processor's lead supervisory authority' / April 2017).

10. Consent

Centagon B.V. acts in line with the regulations as stated in the AVG by only collecting and processing personal data for which there is a legal basis. The processing of 'special' and 'criminal' personal data is therefore excluded in principle, unless there is a legal exception. Centagon B.V. only processes personal data in accordance with the bases as formulated in the AVG, namely:

  • consent has been given by the person concerned;
    • consent has been freely given by the person concerned,
    • consent has been given unambiguously,
    • the data subject has been informed of the identity of the data processing organisation and the purpose for which consent is sought,
    • there is clarity on what personal data is collected and used,
    • data subject has been informed of the right to withdraw consent.
  • Data processing is necessary for the performance of an agreement
  • Data processing is necessary for the fulfilment of a legal obligation
  • The data processing is necessary for the protection of vital interests
  • The data processing is necessary for the performance of a task of public interest or the exercise of public authority
  • Data processing is necessary for the protection of legitimate interests.

11. General

Centagon B.V. has described and implements an information security policy. In case of demonstrated relevance, insight into this can be provided upon request.

In addition, Centagon B.V. has described an incident management response process which is being implemented. In the event of proven relevance, insight into this can also be provided upon request.

12. Contact regarding our privacy policy

If you have any questions or complaints, we kindly ask you to contact us.
