GDPR Privacy Notice Standard

Please click here for XBP Global Holdings, Inc.’s Privacy Policy

1 Office of Responsibility

Senior Vice President, Global Risk & Compliance. 

2 Purpose

XBP Global Holdings Inc. as a Group of Companies (hereinafter referred to as ‘the Company’ or ‘XBP Global”) takes the privacy of an individual’s data very seriously and is committed to protecting and respecting an individual’s privacy. The Data Processor of your personal data is XBP Europe., Herengracht 576b, 1017 CJ AMSTERDAM – Netherlands – Organization no: 72638974 in conjunction with a Joint Processor of XBP Global Holdings Inc., 6641 N. Belt Line Road, Suite 100. TX 75063 United States of America – Organization no: 471347291. In the United Kingdom, Data Processors appointed their representative – Data Force Interact Ltd, 10 Pond Wood Close, Northampton, NN3 6DF, Organization no: 503-921-749

3 Scope

The Privacy Policy defines Company objectives for securing and protecting personally identifiable information and other information. 

The GDPR Privacy Notice Standard builds on the objectives established in the Privacy Policy and provides specific requirements for the management of personal information of EEA and UK residents. 

4 GDPR Privacy Notice Standard

4.1 WHAT INFORMATION DO WE COLLECT?

4.1.1 We collect, store and use some or all of the below listed personal data:

  • for general identification – name, surname, email address, phone number; 
  • for professional identification – business e-mail, business telephone number, job title, employment history; 
  • technical data – internet protocol (IP) address, browser type, and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website; 
  • usage data – includes information about how you use our website or how you interact with us such as your responses to event invitations or downloads of articles or publications; 
  • marketing and communications data – includes your preferences in receiving marketing communications from us and your communication preferences. 

4.1.2 We won’t collect, store and use any of the ‘special categories’ of personal information. We do not intentionally collect information from children under the age of 16. Any linked websites of XBP GLOBAL) will have their own privacy notices and different rules for collecting and processing personal data.

4.2 HOW DO WE COLLECT DATA?

4.2.1 We collect information directly from you when you visit our website or by filling in online forms or by corresponding with us by post, phone, email, social media, or otherwise. It also concerns situations when you decide to sign up for marketing communications to be sent to you. 

4.2.2 If you fail to provide certain information when requested, we may not be able to comply with contractual obligations and perform the contract we have entered into with you (such as replying to your request), or we may be prevented from complying with our legal obligations. 

4.2.3 When you interact with our website, we may automatically collect Technical Data and/or Usage Data, unless you have opted out or have otherwise refused to provide consent. Following data may be used: 

  • Technical Data: we may collect information about the device you use to access our websites, such as your device’s IP address and operating system. Additionally, in the case of mobile devices, your device type, and mobile device’s unique advertising identifier. Some technical information about the browser you are using will also be collected –
  • Usage Data: This is data about your browsing activity on our website e.g. information about the pages you visited and when, what items were clicked on a page, how much time was spent on a page, etc.; 
  • Location Data: This is non-precise information related to your geography derived from your device’s IP address e.g. computer. This does not reveal your precise geographic coordinates. This helps us to display ads that are relevant to your general location e.g. if we’d like to show ads for people located in the Netherlands only; and
  • Ad Data: This is data about the online ads we have served, or attempted to serve to you (e.g. how many times a specific ad has been served to you, what page the ad appeared on, etc.).

4.2.4 In addition, we may receive personal data from various third parties which shared with us your data such as name, surname, company name, business e-mail, business telephone number, and job title. Furthermore, Technical Data from analytics and email subscription providers such as LinkedIn, Pardot, Google Analytics, or Facebook can be shared with us too. If we receive such data from our third-party providers and we shall be considered as Data Controller, each time we will inform you from which source the personal data originates, and provide details in a separate privacy notice. 

4.2.5 We might aggregate data from different sources (both internally and externally) to have a better understanding of your preference and interests, and be able to provide you with more relevant communications. 

4.3 HOW DO WE USE PERSONAL INFORMATION?

4.3.1 We may process personal information for the following reasons: 

  • send you technical notices, updates, security alerts, and support and administrative messages; 
  • assessment and screening of potential clients, business partners, or other people with a business relationship with us; 
  • respond to your comments, questions, and requests and provide customer service; 
  • communicate with you about products, services, offers, promotions, rewards, and events offered by us; 
  • monitor and analyze trends, usage, and activities in connection with our Services; 
  • to improve the services, website, products, online services, mobile applications, and communications we provide towards you or others; 
  • comply with legal obligation, protect our interests/assets, and defense of legal claims. 

4.3.2 We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which we are using that allows us to do so. When required, we will ask for your consent before starting other marketing activities. Please note that even if you opt-out from receiving marketing communications, you might still receive administrative, service, or other important notices. 

4.4 WHAT LEGAL BASIS DO WE HAVE FOR PROCESSING YOUR PERSONAL DATA?

4.4.1 As a rule, our legal basis for the processing of personal data are: 

  • your consent; 
  • performance of a contract; 
  • legal obligation; and 
  • our legitimate business interest. 

4.4.2 This legal basis has been defined in the GDPR. We describe each of these below. 

  • Consent
    • Should we want or need to rely on consent to lawfully process your data, we will request your written consent for the specific activity we require consent for and record your response on our system. Where consent is the lawful basis for our processing you have the right to withdraw your consent to this particular processing at any time (as set out below). 
    • You have the right to withdraw your consent at any time and we will cease to carry out the particular activity that you previously consented to unless we consider that there is an alternative reason to justify our continued processing of your data for this purpose in which case we will inform you of this condition. 
  • Performance of a contract 
    • We will rely on performance of a contract to provide you the services and manage relationships. 
  • Legal Obligation 
    • We will rely on legal obligation, if we are legally required to hold information on you to fulfill our legal obligations – including where you are placed in a role in a regulated environment. This would include the requirement to obtain and hold data regarding criminal convictions. 
    • This also concerns if XBP GLOBAL would like to establish or defend its legal claims: 
      • Sometimes it may be necessary for us to process personal data and, where appropriate and in accordance with local laws and requirements in connection with exercising or defending legal claims or in case of carrying out other XBP GLOBAL’s obligations; 
      • This may arise, for example; where we need to take legal advice in relation to legal proceedings or are required by law to preserve or disclose certain information as part of the legal process. 
  • Our Legitimate Business Interests 
    • Our legitimate business interest means processing of personal data is necessary to enable XBP GLOBAL to conduct its business, e.g., matters related to the protection of property, employees, and matters related to providing security to persons present at premises. We never override the fundamental rights and freedoms of our employees which require protection of personal data. 
  • Local Legislations and Regulations 
    • In certain cases, employment, financial (i.e. anti-money laundering), and other local legislation may require that we collect information that is considered to be ‘delicate’. In these circumstances, we will ensure that only the minimum required is collected and that it is securely stored and that it is deleted when no longer required. 
    • Below you can find examples of legal basis per type of processing which we may undertake: 
Type of processing Legal basis
Notifying you about changes to our website terms or privacy policyPerformance of a contract / Legal obligation
Respond to your comments, questions, and requests and provide customer service;Performance of a contract
Monitor and analyze trends on our websiteLegitimate interest
Communicate with you about products, services, offers, promotions, rewards, and events offered by us (marketing activity)Consent
Give an option to accept or reject cookies on our websiteLegal obligation

4.5 WHEN DO WE SHARE PERSONAL DATA?

4.5.1 The Company being an international company processes data in locations both in the EEA or the UK and outside the EEA or the UK. We share your personal information with other entities of XBP GLOBAL as part of our regular reporting activities on company performance, in the context of a business reorganization or restructuring exercise, for system maintenance support and hosting of data. Several support services such as finance are centralized and located outside of the EEA or the UK. We transfer the personal information we collect about you to XBP GLOBAL entities within EEA, the UK and in the USA, and India.

4.5.2 We may share your personal information with different governmental authorities, institutions, agencies (or similar), or insurance companies where required by law for the purpose of their regulatory tasks; and with selected third parties including: 

  • Google – Advertising platform. Based in the US;
  • Facebook- Advertising platform. Based in the US; 
  • Business partners who act as data processors due to outsourcing of certain processing activities. 

4.5.3 Where we do share your data with 3rd parties or other XBP GLOBAL entities, the shared data will be limited to that which is required by the 3rd party or other XBP GLOBAL’s entity to provide the required processing. In such cases your personal data are safeguarded by Data Processing Agreements, committing outsourced service providers to process your personal data for specified purposes and in accordance with our instructions, comply with GDPR (or Data Protection Act 2018 for the UK) and apply appropriate security measures to protect your personal information in line with our policies. All transfers outside EEA made to countries that are considered by the European Commission (or by the UK government relating to the transfers outside the UK) to not provide an adequate level of protection of personal information are safeguarded with agreements based on Standard Contractual Clauses approved by European Commission. Where data is being transferred to the USA, we have established appropriate impact assessments to verify whether importers of data located in the USA conform to European data protection legislation. 

4.5.4 As an example we have listed in the table below several categories of personal data which we may share with other entities of XBP GLOBAL and selected third parties: 

Third PartyCategories of personal data sharedComments
XBP GLOBAL – AmericasName and last name, e-mail address, phone number, employment history, job title, social media profile IDs/links. Acts as a Joint Controller. Customer relationship data for sales and marketing purposes.
XBP GLOBAL – AsiaInternet protocol (IP) address, browser type, and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website.Acts as a Data Processor – Website updating and Technical deployments.
Google & FacebookE-mail address, phone number, job title, company, geo-location (country /zip), and internet protocol (IP) addressAs part of our marketing activity, we may share data with those third parties (who will act as separate Data Controllers) to provide you our advertisement materials.

4.5.5 More details about sharing data can be obtained from the contact point specified in section 4.11. 

4.6 HOW DO WE SECURE PERSONAL DATA?

4.6.1 Once We have received your information, we will use strict procedures and security features to prevent unauthorized access. All information you provide to us is stored securely on our servers. We have in place the following measure to ensure the confidentiality, integrity, and availability of the personal data we hold on you. 

  • Facilities are in place to ensure that data is backed up in the case of accidental or deliberate loss, and that the system can be recovered with minimal interruption in case of a loss of service;
  • Access to the data is tightly controlled and only authorized users are permitted access. We limit access to your personal data to those employees, agents, contractors, and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality; 
  • All staff are given training in the requirements of the GDPR and data security; 
  • Transfer of personal data from one location to another is via secure links that use cryptography to ensure the security of the data being transferred; 
  • We have in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. 

4.6.2 We are avoiding personal data collection and usage in paper format. If required, the paper documents and copies will be always stored in locked-up premises with very restricted access to the limited members of staff in line with our internal policy. 

4.7 HOW LONG DO WE KEEP YOUR PERSONAL DATA FOR?

4.7.1 We understand our legal duty to retain accurate data, that’s why we will only retain your personal data as long as we have consent from you. 

4.7.2 Regardless of the above, every 2 years we will send you a communication where we will ask you to re-authorize your consent for marketing communications, if you signed up. 

4.7.3 If you consent to receive our Newsletter, you revoke consent at any time by clicking the ‘unsubscribe’ button on our Newsletter communication or by contacting us at any time. All paper records will be deleted by secure shredding of the paper files electronic copies will be deleted by secure erasure in accordance with applicable laws and regulations. 

4.7.4 Details about the retention schedule can be obtained from the contact point specified in section 3.10. 

4.8 YOUR RIGHTS IN RELATION TO PERSONAL DATA

4.8.1 Under the GDPR you have the right to: 

  • Request access to your personal information which involves confirming with us whether we are processing your personal data and if we are, to request access to that personal data including the categories of personal data processed, the purpose of the processing, and the recipients or categories of recipients. We do have to take into account the interests of others though, so this is not an absolute right; 
  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected or deleted; 
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below); 
  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object to where we are processing your personal information for direct marketing purposes. To stop receiving marketing communications from us or change your preferences please contact us on our local email address/contact details; 
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example, if you want us to establish its accuracy or the reason for processing it; 
  • Request the transfer of your personal information to another party in certain formats, if practicable. 
  • Withdraw consent to processing at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent. To withdraw consent please contact; Local contact details with details of what information is to be provided. 

4.8.2 If you wish to exercise any of the rights set out above, please contact the contact with details of what information is to be provided. 

  • You will not have to pay a fee to access your personal data (or to exercise any of the other rights), however, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances; 
  • We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response; 
  • We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated; 
  • In certain circumstances, we may need to limit the scope of the data subject’s rights 
  • e.g. where a request is made to delete data that has to be retained for legal or regulatory reasons, or where fulfilling the request may expose the personal data of another data subject. 

4.9 USE OF AUTOMATED DECISION-MAKING AND PROFILING

4.9.1 We don’t undertake automated decision making, however we use profiling through our CRM systems. We do use our computer systems to search and identify personal data in accordance with parameters set by a person. A person will always be involved in the decision-making process. 

4.10 CHANGES TO OUR PRIVACY NOTICE

4.10.1 If any changes we would make to our Privacy Notice in the future, we will inform you by placing the appropriate information on our website. 

4.11 HOW TO CONTACT US?

4.11.1 Questions, comments, and requests regarding this Privacy Notice are welcomed and should be addressed to: 

  • XBP Europe Phone number: +1 844 935 2832,
  • EEA address: Herengracht 576b, 1017 CJ AMSTERDAM, The Netherlands 
  • UK address: Data Force Interact Ltd, 10 Pond Wood Close, Northampton, NN3, 6DF
  • Email: marketing@xbpeurope.com

4.11.2 You have the right to make a complaint at any time to the Local Supervisory Authority We would however, appreciate the chance to deal with your concerns before you approach the Local Supervisory Authority so we encourage you to contact us in the first instance: 

  • XBP Europe’s’s Lead Supervisory Authority in the EEA: Autoriteit Persoonsgegevens Bezuidenhoutseweg 30 2594 AV DEN HAAG +31 (0) 70-8888 500
  • XBP Europe’’s Lead Supervisory Authority in the UK: Information Commissioner’s Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF 

4.12 HOW DO WE USE COOKIES?

4.12.1 A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server. Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed. 

4.12.2 Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies. We use both session and persistent cookies on our website. The cookies we use and their purpose can be found HERE.