This Privacy statement explains how

  • Centagon B.V.
  • Provincialeweg 66,
  • 5503 HH Veldhoven
  • Nederland
    (hereafter referred to as 'we', 'us' or 'Centagon') managed customer data from it's visitors and which rights you can apply with regards to your personal data _(hereafter referred to as 'you' en 'your data') via the website.


The DDMA (Data Driven Marketing Association, Amsterdam 2010) is the leading trade association for marketing and data. When a DDMA member meets the European privacy laws (GDPR, May 25 2018) and operates in accordance with the codes of conduct its allowed to propagate the 'Privacy Waarborg' quality mark. This ensures the member will thoughtfully process all personal data.

The audit procedure as performed by the DDMA Privacy Authority generated reports (DDMA Privacy & Security check) concluding that Centagon B.V. is entitled to propagate the 'Privacy Waarborg' quality mark from May 2018 onwards.

This ensures the important guarantee for all Centagon clients the processing of personal data takes place in accordance with applicable legislation and codes of conduct as defined by the DDMA.

For any questions of additional information with regards to the 'Privacy Waarborg' and/or the General Data Protection Regulation (GDPR) please contact us via Walter van Houten

More about privacy waarborg

1. Employee awareness

Centagon B.V. informs all its employees that have direct or indirect access to personal data as meant in the GDPR and has closed a contract with each individual employee in which the employee declares to be aware of the content of the regulation as described in this Privacy Policy and declares to act accordingly in all situations.

2. Rights of involved persons

An ‘involved person’ is understood as a person of whom personal data are being stored and/or processed.

2.1 Right to data-portabiliteit (Article 20 GDPR)

Persons involved are entitled to the right on transferability of digital personal data. At first request all stored personal data will be supplied in a structured, common and machine readable format.

2.2 Right to oblivion (Article 17 GDPR)

Persons involved are entitled to request to clear collected personal data under the following conditions:

No longer required

Centagon B.V. no longer requires the personal data for the purposes Centagon B.V. originally collected the data or has processed the data.

withdraw permission

The person involved previously has authorised Centagon B.V. to use its personal data but withdraws the authorisation at this moment in time.


The person involved objects against further processing of the personal data. Article 21 of the GDPR confirms an unquestioning right to object against direct marketing. And besides a related right to object when the interests of the person involved prevail over the interests of Centagon B.V. to process the personal data.

Unlawful processing

Centagon B.V. processes the personal data in a unlawful way. For instance because the legal basis for processing is missing.

Lawful storage period

Centagon B.V. is legally obligated to clear personal data when the agreed period has passed


The person involved is younger than 16 years old and the personal data has been collected via an app or website.

The right to oblivion does not apply when:

  • the processing is necessary to exercise the right to freedom of expression and information. With this, the GDPR does justice to the principle that privacy and freedom of expression are equal fundamental rights
  • Centagon B.V. processes the data because there is a legal obligation to do so
  • Centagon B.V. processes the data to exercise public authority or a (statutory) task of general interest
  • Centagon B.V. processes the data for a task of public interest in the field of public health
  • Centagon B.V. should archive the data in the public interest the data are necessary for a legal claim.
2.3 Right of inspection (Article 15 GDPR)

When there’s a request for access to personal data, Centagon B.V. will inform stakeholders about

  • the reason why at Centagon B.V. certain data is collected and processed
  • what types of personal data Centagon B.V. collects
  • to which organizations Centagon B.V. passes on the personal data, also to organizations in other countries or to international organizations (if applicable)
  • the period within which Centagon B.V. stores the personal data and the criteria used by Centagon B.V to determine a retention period
  • the privacy rights of the person involved; the right to delete personal data, the right to request processing of less personal data and the right to object when Centagon B.V. processes personal data
  • the right of the person involved to submit a complaint to the Dutch Data Protection Authority
  • from which organization Centagon B.V. has received personal data when not collected by Centagon B.V. (if applicable)
  • on the basis of which logic Centagon B.V. takes an automated decision about a person involved.
2.4 Right to rectification and supplementation (Article 16 GDPR)

Centagon B.V. bears the responsibility for personal data that are processed to be accurate. Involved parties have the right to rectify or supplement personal data.

  • Centagon B.V. will rectify and / or supplement personal data on first request when the person involved makes it plausible that these data are incorrect and / or incomplete
  • Centagon B.V. will pass on adjustments and / or additions to other organizations to whom personal data have been provided (if applicable)
  • Centagon B.V. will inform the person involved to which other organizations rectifications and / or additions to personal data have been provided (if applicable).
2.5 Right to limit processing (Article 18 GDPR)

The right to limit the processing applies in situations that meet one of the following criteria:

  • Data may be incorrect
    When the person involved indicates that Centagon B.V. processes inaccurate personal data, these data will not be processed until Centagon B.V. has carried out a verification of its correctness
  • The processing is unlawful
    Centagon is not entitled to process certain data, but the person involved does not want these data to be erased
  • Data is no longer needed
    Centagon B.V. no longer needs the personal data for the purpose for which they were collected. But the person involved still needs the personal data for a legal claim (for example, a legal procedure in which he is involved).
  • The person involved objects
    If a person involved objects to the processing of his personal data, Centagon B.V. will stop processing of these data unless Centagon B.V. gives compelling legitimate grounds for processing data, that outweigh the interests, rights and freedom of the person involved. As long as it is not yet clear whether the reasons provided for processing will weigh more heavily, Centagon B.V. will not process the data
  • If a person involved appeals to the right of limitation of processing personal data and these data concerned were transferred to other organizations, Centagon B.V. will inform these organizations about the appeal and request an equal limitation of processing (if applicable)
  • Centagon B.V. will inform the person involved to which other organizations a request for limited processing of personal data has been provided (if applicable)
2.6 Right to a human assessment

In some occasions, Centagon B.V. might make a decision based on automatically processed data, such as for example in profiling. If such decision-making has consequences for a person involved, the person involved has the right to demand a new decision based on a human, non-automated, assessment.

2.7 Right of objection

If Centagon B.V. processes personal data on the basis of a general or legitimate interest, the person involved has the right to object to the processing of his data.

  • If a person involved objects to the processing of his personal data, Centagon B.V. will stop processing of these data unless Centagon B.V. gives compelling legitimate grounds for processing data, that outweigh the interests, rights and freedom of the person involved, or grounds relating to a legal claim. Until the moment it is clear whether these grounds are compellingly justified, the data will not be processed
  • If personal data are used for direct marketing, the person involved has the right to object. This also applies in case of profiling for these marketing purposes. If the person involved objects to the processing of personal data for direct marketing, Centagon B.V. will stop this processing immediately
  • Centagon B.V. will inform the person involved about the right of objection at the first moment of contact. This information will be presented clearly and separately from other information.

3. Processing

Wij hebben passende technische en organisatorische maatregelen getroffen om uw persoonlijke gegevens te beschermen tegen onopzettelijke of onwettelijke vernietiging of onopzettelijk verlies, aanpassing, ongeautoriseerde openbaring of toegang en tegen alle overige vormen van onwettelijke verwerking.

3.1 The obligation to inform

Centagon B.V. aims, and is legally obliged by the GDPR, to clearly inform new and existing stakeholders for what purpose personal data are collected and processed.

  • Centagon B.V. publishes this Privacy Policy via its own website ( and thus offers a complete and up-to-date insight into the rights of parties involved regarding the collection and processing of personal data. Optionally, pop-ups can be shown with a permission request.
3.2 Accountability

Centagon B.V aims, and is legally required by the GDPR, to be able to demonstrate that the processing of personal data complies with the main principles of processing:

  • legality
  • transparency
  • goal binding
  • correctness

In addition, Centagon B.V. has the responsibility to take the correct technical and organizational measures to protect personal data and to provide insight into these at the moment that the Dutch Data Protection Authority requests it. Centagon B.V. is not obligated to, and will not, maintain a register of processing activities with the justification that Centagon B.V. employs fewer than 250 employees, the processing of personal data is not incidental, no personal data are processed that pose a high risk to the rights and freedom of persons involved from whom data is collected and processed and no personal data is collected and processed counted under ‘special personal data’ such as religion, health, political preference and / or criminal law data.

4. Data Protection Impact Assessment (DPIA)

Centagon B.V. is not obliged to, and will not carry out, a Data Protection Impact Assessment (DPIA) with the justification that no data with a high privacy risk will be collected or processed. Data with a high privacy risk are, in this context, the systematic and comprehensive evaluation of personal aspects (ie profiling), the processing of special personal data on a large scale or the large-scale and systematic tracking of people in a publicly accessible area (such as camera surveillance).

5. Privacy by design and Privacy by default

Centagon B.V. has committed itself to have a strong focus on protecting personal data when designing services and products. An important part of this is minimizing the amount of personal data that is collected to a nature and size that serves the intended purpose and relates to it in all reasonableness and fairness. Another criterion that is counted on Privacy by Design is determining the period within which the personal data is stored and communicating it with the person concerned. Centagon expresses the concept of Privacy by Default by using the basic principle in every development of an application or the design of an online campaign, whereby only those personal data are collected and processed that are relevant for a specific purpose.

6. Data Protection Officer (DPO)

Centagon B.V. is not a public organization or government agency and has no core activity where individuals are followed on a large scale. This means that Centagon B.V. does not meet the criteria set by the GDPR with regard to the obligation to appoint a Data Protection Officer (DPO).

7. Responsible disclosure

Centagon B.V. is obliged to comply with the obligation to report data leaks as per 1 January 2016 for companies and governments. When Centagon B.V. detects a serious data leak, or is pointed out to it, a report will be made immediately to the Dutch Data Protection Authority via the data counter and to the client. Centagon B.V. processes data leaks and / or vulnerabilities in accordance with the guidelines described in the document ‘Guidance to achieve a practice of Responsible Disclosure’ by the N.C.S.C (National Cyber Security Center) / Ministry of Security and Justice:

7.1 Objective Responsible Disclosure

The purpose of responsible disclosure is to contribute to the security of ICT systems and to control the vulnerability of ICT systems by reporting vulnerabilities in a responsible manner and to handle these reports carefully, so that damage can be prevented or limited as much as possible. Central to working with responsible disclosure is the elimination of the vulnerability and the increase of the security of information systems. In the case of responsible disclosure, the main thing is that the parties mutually agree on reporting on the vulnerability and how to deal with it. For example, a party that establishes a responsible disclosure policy can commit itself to the principle of not submitting a declaration if the applicable rules are complied with. In the practice of responsible disclosure, primarily the reporter and the organization, who owns / manages the system, are involved. It is important to have as few links as possible between the person reporting the vulnerability and the organization responsible for solving the problem. The reporter and the organization can, however, jointly decide to inform the National Cyber Security Center (NCSC) or other parties within the ICT security community about the vulnerability, certainly in the case of a not yet known vulnerability, to also prevent or limit (consequential) damage elsewhere.

7.2 Responsibilities

With the pursuit of a policy for responsible disclosure it is envisaged that jointly by the reporting party and organization a contribution will be made to the reduction of vulnerabilities in information systems. The respective responsibilities are borne by Centagon B.V. and the reporter.
The presentation of responsible disclosure starts with Centagon B.V. who owns information systems. After all, the owner / supplier is primarily responsible for the information security of these systems. By drawing up its own policy for responsible disclosure Centagon B.V. makes clear how it wants to deal with reports of vulnerabilities:

  • Centagon B.V. makes it easy for a reporter to make a report. This can be done by using a standardized manner, for example an online form, for reporting. The organization may consider the receipt of anonymous reports
  • Centagon B.V. has sufficient capacity to adequately respond to notifications
  • Centagon B.V. will receive the report about a vulnerability and ensure that it arrives at the Security Officer as quickly as possible
  • Centagon B.V. will send a confirmation of receipt of the report to the reporter (unless anonymous and therefore no contact details are available). Then Centagon B.V. and the reporter will be in touch about the further process
  • Centagon B.V. determines in consultation with the reporter whether a publication will take place and if so on what period. A reasonable standard term that can be used for vulnerabilities in software is 60 days
  • If a vulnerability is difficult or impossible to solve, or if there are high costs involved, the reporter and Centagon B.V. can agree not to make the vulnerability public
  • Centagon B.V. keeps the reporter and other parties involved informed of the progress of the process
  • Centagon B.V. can, in consultation with the reporter, agree to inform the broader ICT community about the vulnerability if it is plausible that the vulnerability is also present in other places.

The key to being able to conduct a practice of responsible disclosure is the reporter. The reporter has detected a vulnerability in any way and wants to contribute to the safety of information systems by making this vulnerability public and the vulnerability to be repaired at Centagon B.V. Detecters hereby acknowledge that they have and take an important social responsibility by revealing vulnerabilities in a responsible manner. In order to arrive at a successful practice of responsible disclosure, the following suggestions/instructions apply to the reporter:

  • The reporter is responsible for their own actions and ensures that the report is primarily made to the (system/information)owner
  • The reporter will make a report as quickly as possible, in order to prevent malicious people from finding the vulnerability and abusing it
  • The reporter will file the report in a confidential way with the organization to prevent others from gaining access to this information
  • The reporter will not act disproportionately:
    • by using social engineering to gain access to the system in this way
    • by placing an own backdoor in an information system in order to demonstrate the vulnerability, as this can cause additional damage and create unnecessary safety risks
    • by exploiting a vulnerability beyond what is necessary to determine the vulnerability
    • by copying, modifying or deleting data from the system
    • by making changes to the system
    • by repeatedly gaining access to the system or sharing access with others
    • by using the so-called “bruteforcen” of access to systems, there is after all no question of vulnerability, but only of repeatedly trying passwords
  • If the reporter and the organization agree that the vulnerability is made public, a reporter only discloses it when all the organizations involved have been properly informed and they have indicated that the vulnerability has been resolved, in accordance with the agreements made.

The internal regulation states that internal processors of personal data may only process this data via the secure network and the secure applications with which the data are processed. They are strictly prohibited from storing personal data in any other way (eg PC, laptop, data carriers such as USB stick, CD-ROM / DVD or external hard disk), sending (eg e-mail, SharePoint, WeTransfer), making or processing copy files in any way that could compromise the security of the personal data.

Centagon has described a protocol and communicated this internally, which specifies how employees should act in the event of loss or theft of equipment and / or data.

8. Processors agreement

Centagon B.V. itself processes only the collected data. In no circumstances will this data processing be outsourced to a processor. For that reason there is no reason to draw up, maintain and ratify a processing agreement as referred to in Article 28, paragraph 3 of the GDPR.

9. Leading supervisor

Centagon B.V. processes cross-border data in certain situations and subjects itself to the supervision of a lead supervisory authority of the (EU) country where the head office of a client organization is established, or the central administration is conducted, and acting in accordance with the guidelines for European privacy supervisors (‘Guidelines for identifying a controller or processor’s lead supervisory authority’ / April 2017).

10. Permission

Centagon B.V. acts in line with the regulations as stated in the GDPR by only collecting and processing personal data for which there is a legal basis. The processing of ‘special’ and ‘criminal’ personal data is therefore in principle excluded, unless there is a legal exception. Centagon B.V. only processes personal data in accordance with the principles as formulated in the GDPR, namely:

  • The person concerned has given permission; the permission is freely given by the person concerned, unambiguous consent has been granted, the person concerned is informed about the identity of the data processing organization and about the purpose for which the permission is requested, there is clarity about which personal data is collected and used, the person concerned has been informed about the right to revoke consent.
  • The data processing is necessary for the execution of an agreement
  • The data processing is necessary for compliance with a legal obligation
  • The data processing is necessary to protect vital interests
  • The processing of data is necessary for the fulfillment of a task of general interest or exercise of public authority
  • The data processing is necessary for the representation of the legitimate interests.

11. General

Centagon B.V. has described and implements an information security policy. In case of demonstrated relevance, insight can be provided on request.

In addition, Centagon B.V. has described an incident management response process that is implemented. Here too, in case of demonstrated relevance, insight can be provided on request.

12. Contact with regards to our privacy policy

In case of questions or complaints please contact us via the following link