Your privacy & CCV
Updated: May 25, 2018
You entrust CCV with your payment and personal data. We attach great importance to that trust. We would like to take this opportunity to explain how we protect your personal data.
We have been in the business of handling payment data – yours and those of millions of other people in Europe – for decades now. That is why we comply with the following legislation:
- Financial Supervision Act (Wet Financieel Toezicht, WFT)
- Money Laundering and Terrorist Financing (Prevention) Act (Wet ter voorkoming van Witwassen en Financieren van Terrorisme, WWFT)
- Telecommunications Act (Telecommunicatiewet, TW)
- General Data Protection Regulation (GDPR) of the European Union
- General Data Protection Regulation Implementing Act (Uitvoeringswet Algemene Verordening Gegevensbescherming, UAVG)
Our operational processes are set up in full conformity with the stringent requirements of each of these pieces of legislation. We have also put in place robust measures to protect data traffic. That is how we ensure your and your customers’ privacy.
Basic privacy principles
In a nutshell, our compliance with these laws means that we observe the following basic principles:
- We will inform you of your rights and will not take action unless and until you give permission to process your data.
- We will only use your personal data to perform our work.
- We will only collect data that we need in order to perform our work.
- We will ensure that your personal data are and remain correct.
- We will not retain your personal data for longer than necessary.
- We will protect your personal data against access by unauthorized parties, loss or destruction.
- We can demonstrate our compliance with these principles.
Data manager and data processor
From a legal perspective, we fulfil a dual role when it comes to privacy. We record and manage personal data of our clients, your customers and our employees. Officially, we are a data manager in that capacity and, as such, accountable for the careful handling of data.
In addition, we process payment data on behalf of our clients, including ING, Equens, ACI and Bancontact. In that sense, we are a data processor. Our clients are data managers and accountable for data handling. They expect us to meet specific requirements concerning handling of your data. These requirements are laid down in a partnership agreement. We carry out such agreements with utmost care. In both roles, we are committed to protecting your privacy with due care.
We handle your data as carefully and as safely as possible. Should you want to verify this, it is good to know that you – as the owner of your personal data – have a number of rights.
Right to information
You have the right to be informed about our work processes that involve the handling and processing of your personal and payment data.
Right to inspection
You have the right to access the personal data about you that we have on record. If you want to exercise this right, we must first verify your identity before we can start retrieving your data. You will be sent all the data about you that we have. We will also inform you of the details of our processing method, including the purpose, retention period, the parties that we share data with, and how data have been obtained. We aim to provide you with an overview of these data within one month. We will inform you if we expect it to take longer.
Right to correction, restriction and deletion
You have the right to correct or supplement the personal data about you that we have on record. You also have the right to delete part of your data in order to restrict how much data we can use in the future. And you have what is known as the ‘right to be forgotten’, which means that all the data about you we have on record will be deleted. However, we are required by law to retain certain data, so these we cannot delete.
Right to data transfer
You have the right to request the digital transfer to a different organization of data that CCV has on record about you. If you want to exercise this right, we will provide your data to you in a structured and generally accepted file format. We are only allowed to do this with personal data that you provided to us in person, or if you gave express permission to process such data, or with data we obtained as a result of the fulfilment of our agreement. We aim to complete preparing the file for data transfer within one month. We will inform you if we expect it to take longer.
Right of objection
If you think that we are wrongfully processing personal data about you, we encourage you to make this known to us. If your objection is justified, we will stop processing your personal data. You can also file an official complaint if you think your data are not being handled with due care. When we receive a complaint, we will carefully review our processes and work to eliminate any shortcomings we identify. We aim to address your complaint within five business days. We will inform you if we expect it to take longer. If we are unable to reach agreement, you have the option of submitting your complaint to the Dutch Data Protection Authority.
We use a range of technological and organizational measures to protect your privacy as effectively as possible. With certifications from national and international quality and safety standards organizations, we demonstrate how serious we are about protecting your privacy. These certifications include compliance with the Payment Card Industry Data Security Standard (PCI DSS). We use the following methods to protect your privacy in our work processes.
Triple data protection
- First and foremost, responsibility for the careful handling of data rests with our colleagues whose day-to-day work involves the processing of personal data. They know how data are processed and have access to the content of applications. They also assess the proper functioning of all processes on a daily basis.
- They are backed up by support and advice from the risk management department and the data protection officer, who draft policies, conduct risk analyses, and assess whether the processes comply with applicable laws and regulations.
- Lastly, our independent internal audit department and the data protection officer will check if the aforementioned colleagues work together effectively, and whether we actually fulfil all our legal and business obligations.
Safeguarding work processes
A new work process can sometimes involve risks to your personal data. That is why we subject any new work processes to a Data Protection Impact Assessment (DPIA). We also conduct a risk analysis and a technical assessment, so we can be sure that the authorization process, security aspects and record-keeping are all in order.
Record-keeping of processing activities
Detailed records are kept of all data processing operations that we carry out, to make sure that we can always trace what happens with your personal data. Our data protection officer will make sure that this record-keeping is and remains complete and up-to-date. These records are publicly accessible.
Purpose of data usage
Personal data about employees will only be used to carry out our duties as an employer. Personal data about clients will only be used to provide our services, for instance to:
- Conclude or amend agreements,
- Process and analyse payment transactions,
- Resolve disputes and disputed payment transactions,
- Prevent and address fraud and other unlawful activities,
- Analyse data in order to improve our services,
- Initiate, coordinate and outsource work processes,
- Perform specific marketing activities.
Personal data will not be retained for longer than is necessary for the intended purpose, and will not be retained beyond the statutory retention period. We ensure compliance with this retention period by keeping the retention period details and the corresponding personal data in the same location.
We work together with banks, credit card companies and other parties that combat fraud. To facilitate these efforts, it is sometimes necessary to share data with these parties. This always happens in compliance with legal requirements and only with the express permission of our data protection officer.
Our employees are aware of the importance of privacy. They have been trained in protecting your privacy and keeping information secure. We make sure that this awareness and expertise stay up-to-date, for instance by offering an e-learning programme and through regular internal information sharing. Our data protection officer and the corporate information security officer monitor these activities.
No matter how effectively we perform our work, the risk of a data breach always exists. This can be the result of human error or have an external cause. A data leak is defined as a situation in which personal data are lost or end up in the wrong hands.
In the event of a data leak, immediate action is required. We will first examine which personal data have been affected. If the breach could potentially affect your rights and freedoms, the data leak will be reported to the Dutch Data Protection Authority within 72 hours. In case of a high risk, you will also be informed right away.
In addition, the leak will be thoroughly investigated. We will get to the bottom of what happened and determine which data were exposed to risk, who the culprits might be, and how we can prevent it from happening again. This approach enables us to tighten our security. Furthermore, we will carefully record any and all findings about the data leak to ensure we can learn from them even in the future.
Reporting a data leak
Do you think a data leak may have occurred? Please inform us as quickly as possible, stating the reasons or the signals that your suspicion is based on.
All information pertaining to an individual, for instance a name or e-mail address. It also includes data that indirectly relate to someone’s identity, i.e. personal details such as an IP address, a card number or transaction data. Combined with other data, these details can be traced to an individual.
General Data Protection Regulation (GDPR)
European legislation regulating the careful processing and free movement of personal data. This Regulation was adopted and became applicable in all EU member states on 27 April 2016, subject to a two-year transition period to enable organizations to make their administrative and operational processes compliant with the new law, which will become enforceable on 25 May 2018.
General Data Protection Regulation Implementing Act
A Dutch law (Uitvoeringswet Algemene Verordening Gegevensbescherming, UAVG) that ensures the GDPR is applied correctly. This Implementing Act supplements the GDPR and also carries forward elements from its predecessor legislation, the Dutch Personal Data Protection Act (Wet Bescherming Persoonsgegevens, WBP).
Dutch Data Protection Authority
The national regulator tasked with information privacy. If you think that CCV is wrongfully processing your personal data or is not processing them correctly, and you are unable to reach agreement with us, you can get the Dutch Data Protection Authority involved.
Financial Supervision Act
The Financial Supervision Act (Wet Financieel Toezicht, WFT) is a Dutch law that ensures financial markets operate effectively and safeguards the stability of the financial system. It also protects consumers and businesses against bankruptcy or objectionable actions by financial institutions.
Money Laundering and Terrorist Financing (Prevention) Act
A Dutch law (Wet ter voorkoming van Witwassen en Financieren van Terrorisme, WWFT) aimed at preventing companies from becoming involved, either knowingly or inadvertently, in money laundering or the financing of terrorist activities.
Authority for the Financial Markets
The Dutch regulator for participants in the financial markets.
A Dutch law (Telecommunicatiewet, TW) safeguarding the security of online networks (among other matters), and addressing consumer and privacy protection.
Data Protection Impact Assessment (DPIA)
A new work process can sometimes involve risks to your personal data. That is why we subject any new work processes to a Data Protection Impact Assessment (DPIA). The GDPR sets out the requirements applicable to DPIAs.
A person or organization that – individually or in collaboration with third parties – registers or manages personal data. The data manager is also responsible for how its data processing activities are structured and function. We are the data manager of the personal data of our clients.
A person or organization that processes personal data on behalf of the data manager. We are the data processor of payment data on behalf of a number of clients. A data processor and a data manager always conclude a contract setting out the terms and conditions that must be met to guarantee the security of personal data.
A person that enters into a relationship with CCV, e.g. a visitor to our website, a person using our services or products, a supplier or a business partner.
Purpose of our cookies
Cookies are used for a variety of purposes:
- To enable communication across a digital network
- To research how our website is used
- To conclude or fulfil an agreement
- To deliver a service requested by you
- To identify what your interests are based on how you use our site
- To enable third parties to identify what your interests are
If you prefer to disable cookies
You can decide which types of cookies you want to accept, if any. However, this choice may have certain consequences. If you disable our cookies, we cannot guarantee that our website will work flawlessly.
- You can change settings to determine which cookies to accept and which to disable. For instance, you may want to accept statistical cookies but not the ones for personalised information.
- You can personalise the settings of your browser – Chrome, Safari, Internet Explorer – to have it display a warning when a website wants to send a cookie, or to have it refuse all cookies or only third-party cookies. You can also delete all received cookies. Make sure you change these settings on every device and in every browser you use.
- You can disable tracking by Google Analytics for all websites. If you want to do this, you can unregister for all Google cookies on their website.
The Cookies we use
Google Tag Manager
Purpose: Google Tag Manager allows CCV to quickly and easily update tags and code fragments on the website. Once the Tag Manager fragment has been added to the website, CCV can configure tags via a web interface without needing to change or implement additional code. This reduces the likelihood of errors and it will no longer be necessary to involve a developer when CCV needs to change something.
Expiry period: Unlimited
Cookie opt-in: Non-optional
Purpose: Obtain insight into visitors’ behaviour on the website in order to improve their user experience.
Cookies: __utma, __utmb, __utmc, __utmv, __utmz, _ga
Expiry period: After two years
Cookie opt-in: Optional
Purpose: Measuring the conversion. This anonymous information is used to determine the value of an advertising partner and to enable billing of advertising partners. This anonymous information is also used to build anonymous visitor segments, if an opt-in for this was given.
Cookies: id, test_cookie, _drt_, p
Expiry period: No more than 90 days
Cookie opt-in: Not required