DATA PRIVACY POLICY


1. Introduction

Circeo is committed to ensuring the security and protection of the personal information that we process, and to provide a compliant and consistent approach to data protection in accordance with the EU General Data Protection Regulation (“GDPR”). The privacy of our website visitors is very important to us, and we are committed to safeguarding it. This policy explains what we will do with your personal information.

The controller responsible in accordance with the GDPR is Circeo SA, 29, rue des Martyrs, Rumelange, 3739 Luxembourg

If you have any questions or suggestions regarding data protection, please do not hesitate to contact us by email at dataprivacy@circeo.today.


2. Collecting personal information

The following types of personal information may be collected, stored, and used:

– information about your computer including your IP address, geographical location, browser type and version, and operating system;
– information about your visits to and use of this website including the referral source, length of visit, page views, and website navigation paths;
– any other personal information that you send to us.

Before you disclose to us the personal information of another person, you must obtain that person’s consent to both the disclosure and the processing of that personal information in accordance with this policy.


3. Using your personal information

Personal information submitted to us through our website will be used for the purposes specified in this policy. We may use your personal information for the following:

– administering our website and business;
– personalizing our website for you;
– enabling your use of the services available on our website;
– dealing with inquiries and complaints made by or about you relating to our website;
– keeping our website secure and prevent fraud; and
– other uses.

If you submit personal information for publication on our website, we will publish and otherwise use that information in accordance with the license you grant to us.

Your privacy settings can be used to limit the publication of your information on our website and can be adjusted using privacy controls on the website.

We will not, without your express consent, supply your personal information to any third party for their or any other third party’s direct marketing.]


4. Disclosing personal information

We may disclose your personal information to any of our employees, officers, insurers, professional advisers, agents, suppliers, or subcontractors as reasonably necessary for the purposes set out in this policy.

We may disclose your personal information to any member company of the Circeo group as reasonably necessary for the purposes set out in this policy.

We may disclose your personal information:

– to the extent that we are required to do so by law;
– in connection with any ongoing or prospective legal proceedings;
– in order to establish, exercise, or defend our legal rights (including providing information to others for the purposes of fraud prevention and reducing credit risk);
– to the purchaser (or prospective purchaser) of any business or asset that we are (or are contemplating) selling; and
– to any person who we reasonably believe may apply to a court or other competent authority for disclosure of that personal information where, in our reasonable opinion, such court or authority would be reasonably likely to order disclosure of that personal information.

Except as provided in this policy, we will not provide your personal information to third parties.


5. International data transfers

Information that we collect may be stored, processed in, and transferred between any of the countries in which we operate in order to enable us to use the information in accordance with this policy.
Information that we collect may be transferred to the following countries which do not have data protection laws equivalent to those in force in the European Economic Area: the United States of America and Russia.
Personal information that you publish on our website or submit for publication on our website may be available, via the internet, around the world. We cannot prevent the use or misuse of such information by others. You expressly agree to the transfers of personal information described in this Section 5.


6. Retaining personal information

This Section 6 sets out our data retention policies and procedure, which are designed to help ensure that we comply with our legal obligations regarding the retention and deletion of personal information.
Personal information that Circeo processes for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes (usually 7 days).
If certain documents (including electronic documents) containing personal data are to be retained, such retention will only be made:
– to the extent that we are required to do so by law;
– if we believe that the documents may be relevant to any ongoing or prospective legal proceedings; and
– in order to establish, exercise, or defend our legal rights (including providing information to others for the purposes of fraud prevention and reducing credit risk).


7. Security of your personal information

We will take reasonable technical and organizational precautions to prevent the loss, misuse, or alteration of your personal information.

We will store all the personal information you provide on our secure (password- and firewall-protected) servers.

You acknowledge that the transmission of information over the internet is inherently insecure, and we cannot guarantee the security of data sent over the internet.


8. Amendments

We may update this policy from time to time by publishing a new version on our website. You should check this page occasionally to ensure you understand any changes to this policy. We may notify you of changes to this policy by email.


9. Your rights as data subject

In case your personal data is processed, you are the data subject within the meaning of the GDPR and you have the rights outlined hereafter.

  • 9.1 Right of confirmation and access (Information)

Each data subject shall have the right granted by the European legislator to obtain from Circeo the confirmation as to whether or not personal data concerning him or her are being processed.

In case such processing occurs, the data subject may request access to the following information:

– the purposes of the processing of personal data;
– the categories of personal data concerned in the processing;
– the recipients or categories of recipients to whom the personal data have been or will be disclosed;
– where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
– where the personal data are not collected from the data subject, any available information as to their source;
– the existence of automated decision-making, including profiling, referred to in Art. 22 (1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.

Furthermore, the data subject shall have a right to obtain information as to whether personal data are transferred to a third country or to an international organization. Where this is the case, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer in accordance with Art. 46 of the GDPR.

  • 9.2 Right to rectification of inaccurate data

You have the right that Circeo has to immediately correct or complete any personal data concerning you if it is inaccurate or incomplete. We as controller would have to execute your request without undue delay.

  • 9.3 Right to restriction of processing

You have the right to request that Circeo restricts processing of your personal data subject to the following prerequisites:

– The accuracy of the personal data is contested by the data subject, for a period enabling Circeo to verify the accuracy of the personal data.
– The processing is unlawful and the data subject opposes the erasure of the personal data and requests instead the restriction of their use.
– Circeo no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims.
– The data subject has objected to processing pursuant to Art. 21 (1) of the GDPR pending the verification whether the legitimate interests of Circeo override those of the data subject.

In case the processing of your personal data was subject to restriction, and notwithstanding their storage, such data shall only be processed with your consent or for the establishment, exercise, or defense of claims or for the procurement of the protection of rights of a natural or legal person or for purposes of an important public interest of the European Union or a member state.

In case the restriction of processing has been executed in accordance with the above, you shall be informed by Circeo prior to the cancellation of such restriction.

  • 9.4 Right to erasure (“Right to be forgotten”)

a) Right to erasure

Each data subject shall have the right to request from Circeo the erasure of personal data concerning him or her without undue delay, and Circeo shall have the obligation to erase personal data without undue delay where one of the following reasons applies, as long as the processing is not necessary:

– the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
– the data subject withdraws consent to which the processing is based according to Art. 6 (1) it. a) of the GDPR, or Art. 9 (2) it. a) of the GDPR, and where there is no other legal reason for the processing;
– the data subject objects to the processing pursuant to Art. 21 (1) of the GDPR and there are no overriding legitimate reasons for the processing, or the data subject objects to the processing pursuant to Art. 21 (2) of the GDPR;
– the personal data has been unlawfully processed;
– the personal data must be erased for compliance with a legal obligation in Union or Member State law to which Circeo is subject to;
– the personal data have been collected in relation to the offer of information society services referred to in Art. 8 (1) of the GDPR.

b) Information to third parties

Where Circeo has made personal data public and is obliged pursuant to Art. 17 (1) of the GDPR to erase the personal data, Circeo, taking into account available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other controllers processing the personal data that the data subject has requested erasure of any links to, or copy or replication of, those personal data, from these controllers. 

c) Exemption

The right to erasure does not apply where the processing is necessary:

– for the exercise of the right of freedom of speech and information;
– for the fulfilment of a mandatory legal obligation that is mandatory, according to European or the respective member state’s law Circeo is subject to, or is necessary for the performance of a task carried out in the public interest;
– for reasons of public interest in regard to public safety and health pursuant to Art. 9.2 it. h) and i) as well as Art. 9 (3) of the GDPR;
– for archives in the public interest, scientific, historical or statistical purposes pursuant to Art. 89 (1) of the GDPR, insofar as the granted right mentioned in a) above would likely make the achievement of such purposes impossible or seriously endangered; or
– for establishing, exercising or defending legal claims.

  • 9.5 Right of information

In case you have claimed the right of rectification, erasure or restriction of the processing towards Circeo, Circeo is obliged to inform all recipients of personal data belonging to you such rectification, erasure or restriction accordingly, unless such information seems to be impossible or only possible by needing inappropriate efforts.

You are entitled to claim to be informed by Circeo about such recipients.

  • 9.6 Right to data portability

You shall have the right to receive the personal data concerning you, which was provided to us as Circeo, in a structured, commonly used and machine-readable format. You shall also have the right to transmit this data to another controller without hindrance from Circeo to which the personal data has been provided,

– as long as the processing is based on consent pursuant to Art. 6 (1) it. a) of the GDPR or of Art. 9 (2) it. a) of the GDPR, or on a contract pursuant to Art. 6 (1) al. b of the GDPR, and
– the processing is carried out by automated means.

Furthermore, in exercising your right to data portability, the data subject shall have the right to have personal data transmitted directly from one controller to another, where technically feasible and when doing so does not adversely affect the rights and freedoms of others.

The right to data portability only applies as long as the processing is not necessary for the performance of a task carried out in the public interest.

  • 9.7 Right to object

Each data subject shall have the right to object, based on his or her particular situation, at any time, to processing of personal data concerning him or her, which is based of Art. 6 (1) it. e), or f) of the GDPR. This also applies to profiling based on these provisions.

Circeo shall no longer process the personal data in the event of the objection, unless we can demonstrate compelling legitimate reasons for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defense of legal claims.

If Circeo processes personal data for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing. This applies to profiling to the extent that it is related to such direct marketing.

If the data subject objects to Circeo to the processing for direct marketing purposes, Circeo will no longer process the personal data for these purposes.

In order to exercise the right to object, the data subject is free in the context of the use of information society services, and notwithstanding Directive 2002/58/EC, to use his or her right to object by automated means using technical specifications.

  • 9.8 Right to withdraw data protection consent

You as data subject shall have the right to withdraw your consent to processing of your personal data at any time. Irrespective of such withdrawal of the consent, the legitimation of the processing of personal data until the withdrawal shall remain unaffected.

  • 9.9 Automated individual decision-making, including profiling

Each data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her, or similarly significantly affects him or her, as long as the decision

i) is not is necessary for entering into, or the performance of, a contract between the data subject and a controller, or
ii) is not authorized by Union or Member State law to which Circeo is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, or
iii) is not based on the data subject’s explicit consent.

Notwithstanding the aforementioned, such decisions shall not be based on specific categories of personal data pursuant to Art. 9 (1) of the GDPR, insofar Art. 9 (2) it. a) or it. g) do not apply and in case that suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests were procured.

In view of the cases i) to iii) above, Circeo shall procure suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests. This means that Circeo is at least required to ensure the right to express his or her point of view and contest the decision.

  • 9.10 Right to file complaints with the regulatory authority

Notwithstanding any other administrative and judicial procedures, you shall have the right to file a complaint with a competent regulatory authority, in particular in the member state where you are situated, you have your place of work or where the alleged breach has occurred if you believe that the processing of your personal data is a breach of the regulations set forth in the GDPR.

The regulatory authority, that has been approached by you, shall inform you about the status of the results of an investigation on an ongoing basis as well as about the possibility of a judicial procedure according to Art. 78 of the GDPR.


10. Information security, technical measures and organization

Circeo takes the privacy and security of individuals and their personal information very seriously and take every reasonable measure and precaution to protect and secure the personal data that we process. We have robust information security policies and procedures in place to protect personal information from unauthorized access, alteration, disclosure or destruction and have several layers of security measures.

Circeo has designated Matthieu Job as our Data Protection Officer (DPO) and have appointed a data privacy team to develop and implement our roadmap for constantly complying with the GDPR. The team are responsible for promoting awareness of the GDPR across the organization, assessing our GDPR readiness, identifying any gap areas and implementing the new policies, procedures and measures.