- 1. Introduction
- 2. Definitions
- 3. Overall policy statement
- 4. Limitation
- 5. Criteria for legitimate processing of personal data
- 6. Data quality, proportionality and relevance
- 7. Transparency
- 8. Security and confidentiality
- 9. Personal data transfers between facevalue companies
- 10. Personal data transfers to parties outside the EEA
- 11. Conflict of laws
- 12. Right of access, rectification, erasure and blocking of personal data
- 13. Sensitive Personal Data
- 14. Direct marketing
- 15. Automated decision making
- 16. Compelling business interests
- 17. Supervision and compliance
- 18. Third-party beneficiary
- 19. Compliancy procedures
- 20. Liability
- 21. Enforcement of rights and mechanisms
- 22. Data originating from countries outside
- 23. Amendments to this global data protection policy
- 25. Inquiries
1. Introduction
- 1.1 In the Netherlands, financial institutions like Facevalue B.V. (hereinafter “facevalue”) are governed under the supervision of authorities such as the Dutch Central Bank (De Nederlandsche Bank, “DNB”), the Authority for the Financial Markets (Autoriteit Financiële Markten, “AFM”) and the Data Protection Authority (College Bescherming Persoonsgegevens, “CBP”). In other countries, financial institutions like facevalue are subject to supervision of similar local authorities. As a result, financial institutions are bound to ensure that (i) there will be a high standard of technical and organisational security measures within their organisation and (ii) these technical and organisational security measures shall be applicable with regard to the Processing of the Personal Data of Clients and Employees.
- 1.2 The purpose for which facevalue collects Personal Data revolves around its core business proposition, which is divided into the following divisions: Bank (including financial services), e-Invoice, Network, Communicate and Commerce. facevalue is a secure, network-oriented platform, which relies on positive identification and authentication during interaction with facevalue and its Clients. facevalue provides personal financial management tools to its Clients and as such collects a variety of transactional data in order to present it to its Clients in a secure and confidential manner.
- 1.3 facevalue processes Personal Data of Clients and Employees as appropriate in connection with their business which includes, but is not limited to, the Processing of Personal Data in the context of the business relationship between facevalue and its Clients on the one hand, and on the other, in the context of the relationship between facevalue (as employer) and its Employees, and in relation to various supporting activities. Furthermore, facevalue processes Personal Data for security purposes.
- 1.4 Within the European Union the Processing of Personal Data is governed by the European Commission Directive 680/2016 (the “Data Protection Directive”).
- 1.5 This Global Data Protection Policy (the “Policy”) is based on the Data Protection Directive and applies to all Processing of Personal Data by facevalue and includes exchanges of Personal Data within facevalue and transfers to third parties. facevalue is aware of the different levels of Personal Data protection provided in the countries where facevalue and such third parties are located. facevalue acknowledges that the lawful transfer of Personal Data within the European Union, the European Economic Area (“EEA”) and to those countries which have been qualified by the European Commission as ensuring an adequate level of protection does not pose a threat to the privacy rights of the Data Subjects as these countries have adopted similar data protection standards as those set in the Data Protection Directive. The implementation of this Policy within facevalue aims at ensuring an adequate level of protection as stated in Article 9 of the Data Protection Directive.
- 1.6 This Policy establishes minimum standards for the Processing of Personal Data within facevalue. facevalue must therefore comply with this Policy, without prejudice to local legislation. This means that in addition to this Policy, local legislation relating to data protection will be observed. However, in case the level of protection ensured by local legislation is lower than the level of protection provided for in this Policy, this Policy shall prevail.
2. Definitions
- 2.1.In this Policy, unless the context clearly indicates a contrary intention, the words and phrases herein below defined shall have the meanings assigned to them (defined terms begin with capital letters), and cognate expressions shall bear corresponding meanings:
- 2.1.1.“Client” includes the Data Subject with whom facevalue (i) has entered into a legal relationship, (ii) may wish to enter into a legal relationship or (iii) used to have a legal relationship; or (iv) a Data Subject who contacted facevalue; or (v) a Data Subject whose Personal Data is obliged to be processed by facevalue in connection with contractual or legal obligations with a customer or a Third-party;
- 2.1.2.“Data Subject” means any individual to whom the Personal Data relates;
- 2.1.3.“Data Subject's Consent” means any freely given specific and informed indication of his or her wishes by which the Data Subject signifies his or her agreement to Personal Data relating to him or her being processed;
- 2.1.4.“Data Controller” means the European Community institution or body, the Directorate-General, the unit or any other organisational entity which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by a specific European Community act, the controller or the specific criteria for its nomination may be designated by such Community act;
- 2.1.5.“Employee” includes any Data Subject potentially, currently or formerly employed by any facevalue company. This includes temporary workers, contractors or trainees of any facevalue company;
- 2.1.6.“facevalue” means Facevalue Besloten Vennootschap, a company incorporated under the laws of the Netherlands with registration number 63008432, and its direct and indirect subsidiaries, affiliates and branches and any (other) entities in which facevalue holds a controlling interest or exercises management control (“facevalue company” shall have a corresponding meaning);
- 2.1.7.“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
- 2.1.8.“Personal Data Transfer” means any disclosure of Personal Data by facevalue to another facevalue company, or by facevalue to a Third-party;
- 2.1.9.“Personal Data Filing System” means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
- 2.1.10.“Policy” means this Global Data Protection Policy;
- 2.1.11.“Process” of Personal Data means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (“Processing and Processed” shall have a corresponding meaning);
- 2.1.12.“Processor” means any individual or legal person, public authority, agency or any other body, being either facevalue or a Third-party, which processes Personal Data on behalf of facevalue;
- 2.1.13.“Recipient” means a natural or legal person, public authority, agency or any other body to whom data is disclosed, whether a Third-party or not; however, authorities which may receive data in the framework of a particular inquiry shall not be regarded as recipients;
- 2.1.14.“Sensitive Personal Data” means Personal Data revealing an individual's religion or philosophy of life, race, political persuasion, health and sexual life, or Personal Data concerning trade union membership, criminal behaviour, or unlawful or objectionable conduct connected with a ban imposed with regard to such conduct;
- 2.1.15.“Third Country” means any country other than the Netherlands;
- 2.1.16.“Third-party” means any natural or legal person, public authority, agency or any other body other than the Data Subject, facevalue, the Processor, the Data Controller and the persons who, under the direct authority of facevalue or the Processor, are authorised to process Personal Data.
- 2.2.Words importing the singular shall include the plural and vice versa, words importing the masculine gender shall include the other genders and vice versa and natural persons shall include juristic persons and vice versa.
- 2.3.The head notes to the paragraphs of this Policy are inserted for purposes of reference only and shall not affect the interpretation of any provisions to which they relate.
- 2.4.In the event that any definition (whether in this clause 2 or elsewhere in this Policy) contains substantive provisions, then such provisions shall be given effect to as if same were incorporated into the main body of this Policy.
- 2.5.Where any term is defined within the context of any particular clause in this Policy, the term so defined, unless it is clear from the clause in question that the term so defined has limited application to the relevant clause, shall bear the meaning ascribed to it for all purposes in terms of this Policy, notwithstanding that term has not been defined in this clause 2.
- 2.6.Words and phrases defined in this Policy shall bear the same meanings in schedules or addenda to this Policy (if any) which do not themselves contain their own definitions.
3. Overall policy statement
- 3.1.This Policy applies to the Processing of Personal Data by facevalue and will be implemented through the procedures set out in the facevalue Operational Framework Manual (“OFM”). This means that this Policy is mandatory for all Employees of facevalue.
- 3.2.facevalue shall, without prejudice to local legislation, comply with this Policy.
- 3.3.This Policy is in force in addition to privacy policies or similar arrangements of facevalue and local data protection legislation in force at the date hereof. If the terms of the Policy provide for a better level of data protection for Personal Data and Sensitive Personal Data, the terms of this Policy shall prevail. All existing policies, contracts, procedures and systems shall be made compliant with this Policy.
- 3.4.The principles set out in this Policy will be further developed where required in order to facilitate the Policy's implementation within facevalue. facevalue will decide whether the principles of this Policy need to be further developed and how this should occur. Any such further development will be compatible with the principles established in this Policy. facevalue's Employees will be provided with practical instructions on this Policy.
- 3.5.facevalue will submit a copy of this Policy to the European Commission's Data Protection Supervisor and inform it of any amendments.
4. Limitation
Personal Data shall be Processed only for the specific purposes set out in 1.2 and 1.3 above and this clause 4, or for purposes which are compatible with these specific purposes.
- 4.1.The Processing of Personal Data of Clients takes place in order to support efficient and effective management of facevalue, especially in light of the following activities:
- 4.1.1. assessing and accepting Clients, entering into and executing of agreements with Clients as well as carrying out payment transfers;
- 4.1.2.performing analyses with respect to Personal Data for statistical purposes and for scientific purposes;
- 4.1.3.for commercial activities in order to establish a relationship with a Data Subject and/or continuing as well as extending a relationship with a Client;
- 4.1.4.ensuring the security and integrity of the financial sector and the interests of facevalue;
- 4.1.5.complying with legal obligations.
- 4.2.The Processing of Personal Data of Employees takes place in order to support efficient and effective management of facevalue, especially in light of the following activities:
- 4.2.1.supporting the activities of facevalue aimed at a responsible, effective and efficient human resources management;
- 4.2.2.ensuring the security and integrity of the financial sector and the interests of facevalue;
- 4.2.3.supporting the activities of facevalue in relation to pension management;
- 4.2.4.complying with legal obligations.
5. Criteria for legitimate processing of personal data
- 5.1.Personal Data may only be Processed if at least one of the following criteria applies:
- 5.1.1.the Processing is necessary for the performance of a contract to which the Data Subject is a party or in order to take steps at the request of the Data Subject prior to entering into a contract;
- 5.1.2.the Processing is necessary for compliance with a legal obligation to which the facevalue company is subject;
- 5.1.3.the Processing is necessary in order to protect the vital interests of the Data Subject;
- 5.1.4.the Data Subject has unambiguously given his consent to the Processing; or
- 5.1.5.the Processing is necessary for the purposes of the legitimate interests pursued by the facevalue company or by the Third-party or Parties to whom Personal Data is disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the Data Subject.
- 5.2.In case the consent of a Data Subject is required, facevalue shall ensure that the Data Subject unambiguously provides his informed, specific and free consent to the Processing of Personal Data. To this end, facevalue shall inform the Data Subjects of the purposes of the Processing for which consent is required, of the possible consequences of the Processing for the Data Subject as well as of such other information insofar as necessary to ensure a fair Processing of such Personal Data.
- 5.3.facevalue shall not seek the consent of Employees for Processing their Personal Data which is directly or indirectly connected to the employment of such Employee, unless such Processing has no foreseeable adverse consequences for Employees' employment relationship with the relevant facevalue company or to the extent it follows from applicable (domestic or foreign) law.
- 5.4.Where consent has been granted, the Data Subject may withdraw such consent at all times. In that case, facevalue shall cease the Processing of the relevant Personal Data without undue delay upon receipt of such withdrawal.
- 5.5.Where consent has been provided by an Employee, no negative consequences will follow from withdrawing such consent, except where consent has been obtained following from applicable (domestic or foreign) law.
- 5.6.facevalue shall determine the maximum period for which Personal Data shall be retained in a Personal Data Filing System, for which applicable local laws will be taken into account. The retention period shall not be longer than the time necessary to achieve the purposes for which the Personal Data have been collected or further processed. Once this period has lapsed, facevalue shall ensure that the Personal Data is either:
- 5.6.2.anonymised, so they can still be used for statistical purposes; or
- 5.6.3.transferred to an archive, where they can be used for historical, scientific or statistical purposes, dispute resolution, investigations or general archiving purposes. Access to these Personal Data will only be granted to an authorised limited number of Employees.
6. Data quality, proportionality and relevance
- 6.1.Personal Data shall be:
- 6.1.1.collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of personal data for historical, statistical or scientific purposes shall not be considered incompatible provided that the controller provides appropriate safeguards, in particular to ensure that the data are not processed for any other purposes or used in support of measures or decisions regarding any particular individual;
- 6.1.2.adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;
- 6.1.3.accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which is inaccurate or incomplete, having regard to the purposes for which it was collected or for which it is further processed, is erased or rectified;
- 6.1.4.kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the data was collected or for which it is further processed. facevalue shall lay down that personal data which is to be stored for longer periods for historical, statistical or scientific use should be kept either in anonymous form only or, if that is not possible, only with the identity of the Data Subjects encrypted. In any event, the data shall not be used for any purpose other than for historical, statistical or scientific purposes.
- 6.2.Without prejudice to the foregoing provisions of clause 6.1, traffic data relating to Clients, which is processed and stored to establish calls and other connections over facevalue's communications service, shall be erased or made anonymous upon termination of the call or other connection.
- 6.3.If necessary, traffic data as indicated in a list agreed by the European Data Protection Supervisor may be processed for the purpose of telecommunications budget and traffic management, including the verification of authorised use of the telecommunications systems. This data shall be erased or made anonymous as soon as possible and no later than six months after collection, unless it needs to be kept for a longer period to establish, exercise or defend a right in a legal claim pending before a court.
- 6.4.Processing of traffic and billing data shall only be carried out by persons handling billing, traffic or budget management.
- 6.5.Clients using facevalue's communication service shall have the right to receive non-itemised bills or other records of calls made.
7. Transparency
- 7.1.facevalue collecting Personal Data of Data Subjects must provide the Data Subject ultimately at the time of collection of the Personal Data with information as to: a) the purposes of the Processing; b) the identity of the facevalue company; c) other information insofar as this is necessary to ensure fair Processing.
- 7.2.If facevalue has not collected Personal Data directly from the Data Subject, the above information must be provided before the Processing of the Personal Data but ultimately at the time of recording of the Personal Data or when the information is intended to be disclosed to Third Parties at the time of disclosure.
- 7.3.Notwithstanding clause 16 of this Policy, facevalue does not have to provide the information set forth above in so far as the information was already known to the Data Subject or in so far as the provision of such information proves impossible or would involve a disproportionate effort.
- 7.4.This Policy will be published on facevalue's website and intranet.
8. Security and confidentiality
- 8.1.facevalue shall take appropriate technical and organisational security measures to protect Personal Data against unlawful destruction or accidental loss, alteration, unauthorised disclosure or access and against all other unlawful forms of Processing in accordance with adequate internal instructions adopted by facevalue. Where local laws prescribe specific instructions and measures to be adopted for the purposes of this clause, local laws will prevail.
- 8.2.Where Personal Data is Processed by automated means, measures shall be taken as appropriate in view of the risks in particular with the aim of:
- 8.2.1.preventing any unauthorised person from gaining access to computer systems processing Personal Data;
- 8.2.2.preventing any unauthorised reading, copying, alteration or removal of storage media;
- 8.2.3.preventing any unauthorised memory inputs as well as any unauthorised disclosure, alteration or erasure of stored Personal Data;
- 8.2.4.preventing unauthorised persons from using data-processing systems by means of data transmission facilities;
- 8.2.5.ensuring that authorised users of a data-processing system can access no Personal Data other than those to which their access right refers;
- 8.2.6.recording which Personal Data has been communicated, at what times and to whom;
- 8.2.7.ensuring that it will subsequently be possible to check which personal data has been processed, at what times and by whom;
- 8.2.8.ensuring that Personal Data being processed on behalf of facevalue by Third-parties can be processed only in the manner prescribed by the contracting institution or body;
- 8.2.9.ensuring that, during communication of Personal Data and during transport of storage media, the data cannot be read, copied or erased without authorisation;
- 8.2.10.designing the organisational structure within an institution or body in such a way that it will meet the special requirements of data protection.
- 8.3.facevalue shall take appropriate technical and organisational measures to safeguard the secure use of the telecommunications networks and terminal equipment, if necessary in conjunction with the providers of publicly available telecommunications services or the providers of public telecommunications networks. Having regard to the state of the art and the cost of their implementation, these measures shall ensure a level of security appropriate to the risk presented.
- 8.4.In the event of any particular risk of a breach of the security of the network and terminal equipment, facevalue shall inform its Clients of the existence of that risk and of any possible remedies and alternative means of communication.
9. Personal data transfers between facevalue companies
- 9.1.facevalue aims at ensuring that an adequate and consistent level of protection is in place when Personal Data is transferred between facevalue companies.
- 9.2.facevalue will transfer Personal Data to other facevalue companies abiding by the rules established in this Policy.
- 9.3.Personal Data shall only be transferred to and further processed by Processors that are facevalue where it has been established that Personal Data will be processed in accordance with the instructions of a facevalue company acting as a Data Controller.
10. Personal data transfers to parties outside the EEA
facevalue establishes the following measures to ensure that Personal Data Transfers to, and further Processing by, Third-parties who may be established either in External Countries, offering an adequate level of protection, or in External Countries not offering an adequate level of protection, observe the principles established in the Data Protection Directive.
- 10.1.Personal Data shall only be transferred to and further processed by a Third-party Processor who is not a facevalue company in a Third Country where:
- 10.1.1.arrangements have been made to require such Processor to Process Personal Data only in accordance with the instructions of facevalue;
- 10.1.2.sufficient guarantees in respect of technical and organisational security and fulfilling the security obligations incumbent on facevalue under the Data Protection Directive are in place;
- 10.1.3.a service level agreement has been concluded between facevalue and such Processor whereby the terms and conditions are set out demanding a minimum standard that the Processor agrees to adhere to, including the provisions established in the European Commission's model contractual clauses for Data Processors established in External Countries contained in decision C(2004) 5721 for countries that do offer an adequate level of protection; and C(2010) 593 for countries that do not offer an adequate level of protection.
- 10.2.The transfer to third parties (including a Processor who is not facevalue or a public authority) in External Countries not offering an adequate level of protection may only take place provided that the transfer is based at least on one of the following grounds and that the further limitations established in this clause are abided by:
- 10.2.1.the transfer is necessary for the performance of a contract between the Data Subject and facevalue or the implementation of pre-contractual measures taken in response to the Data Subject's request;
- 10.2.2.the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between facevalue and a Third-party;
- 10.2.3.the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims. Any transfer on this ground shall be authorised by Compliance in consultation with Legal. If Legal and Compliance allow the transfer, prior to such transfer additional appropriate measures to ensure that the privacy rights of Data Subjects are protected will be taken, if deemed necessary after consultation with the Dutch Data Protection Authority;
- 10.2.4.the transfer is necessary in order to protect the vital interest of the Data Subject;
- 10.2.5.the transfer is made from a public register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in local laws for consultation are met;
- 10.2.6.the transfer is required by any foreign or domestic law to which facevalue is subject. Any transfer on this ground shall be authorised by Compliance in consultation with Legal. If Legal and Compliance allow the transfer, prior to such transfer additional appropriate measures will be taken to ensure that the privacy rights of Data Subjects are protected, if deemed necessary after consultation with the Dutch Data Protection Authority;
- 10.2.7.the transfer is required for upholding a legitimate business interest of facevalue, except where the interests or fundamental rights and freedoms of the Data Subject, in particular the right to protection of individual privacy, prevail. This ground may be relied upon if appropriate safeguards are in place, such as the adoption of adequate arrangements or individual agreements or the signature of a contract based on the standard terms referred to in 10.1.3 above between facevalue and the Third-party or having related companies who will process Personal Data on behalf of facevalue in a country not ensuring an adequate level of protection.
- 10.3.facevalue may rely on the Data Subject's consent for the transfer, without prejudice to the provisions of clause 5.2 of this Policy. Where consent will be relied on according to this clause the following information shall be provided to the Data Subjects before such consent is provided: a) the purposes of the transfer, b) the identity of the party responsible for the transfer, c) the parties to whom data will be provided and the countries in which these are located, d) whether the External Countries where Personal Data will be sent ensure an adequate level of protection, and e) the categories of Personal Data that will be transferred.
11. Conflict of laws
- 11.1.Where the terms of this Policy offer a higher level of protection to the Data Subjects than the provisions of applicable local laws, the terms of this Policy shall apply. Where provisions of local law offer a higher level of protection to Data Subjects, the provisions of the relevant local law will apply.
- 11.2.A facevalue company or Employee shall promptly inform facevalue when it has reasons to believe that the legislation applicable to it, or any future legislation that comes into force, may prevent it from fulfilling its obligations under this Policy or under the Data Protection Directive and that would have a substantial adverse effect on the guarantees provided for under the Policy or under the Data Protection Directive. In this case, Legal will consult with local counsel how to proceed on a case by case basis. Where considered necessary, facevalue shall inform the Dutch Data Protection Authority or other competent authorities.
12. Right of access, rectification, erasure and blocking of personal data
- 12.1.Data Subjects shall have the right to access their Personal Data. In the event the Personal Data of the Data Subjects are incorrect or are not Processed in compliance with applicable law or this Policy, Data Subjects have the right to have their Personal Data corrected, erased or blocked as appropriate.
- 12.2.Data Subjects shall address requests for access, rectification, erasure or blocking to the facevalue company in the country of their residence or, if no facevalue company is established in such country, to Facevalue B.V.
- 12.3.The Data Subject shall have the right to obtain from facevalue the blocking of Personal Data where:
- 12.3.1.their accuracy is contested by the Data Subject, for a period enabling facevalue to verify the accuracy, including the completeness, of the Personal Data, or;
- 12.3.2.facevalue no longer needs them for the accomplishment of its tasks but they have to be maintained for purposes of proof, or;
- 12.3.3.the processing is unlawful and the Data Subject opposes their erasure and demands their blocking instead.
- 12.4.In facevalue's Personal Data Filing System blocking shall in principle be ensured by technical means. The fact that Personal Data is blocked shall be indicated in the system in such a way that it becomes clear that the Personal Data blocked pursuant to this clause shall, with the exception of their storage, only be processed for purposes of proof, or with the Data Subject's consent, or for the protection of the rights of a Third-party.
- 12.5.The Data Subject who requested and obtained the blocking of his or her data shall be informed by facevalue before the Personal Data is unblocked.
- 12.6.In the event that a Data Subject submits a request for access to their Personal Data, the local facevalue company shall provide the Data Subject with the following information (except if the Data Subject already has the information) as soon as possible, but in any event no later than three months after receipt of the request:
- 12.6.1.communication in an intelligible form of the data undergoing Processing;
- 12.6.2.confirmation as to whether or not data relating to the Data Subject are being processed;
- 12.6.3.the existence of the right of access to, and the right to rectify, the data concerning the Data Subject;
- 12.6.4. whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply;
- 12.6.5.the purposes of the Processing;
- 12.6.6.the identity of the Data Controller;
- 12.6.7.the Recipients and/or categories of Recipients;
- 12.6.8.the categories of Personal Data that are the subject of the Processing;
- 12.6.9.the categories of Recipients of the Personal Data;
- 12.6.10.the available information about the origin of the Personal Data;
- 12.6.11.any further information such as:
- 12.6.11.1.the legal basis of the processing operation for which the data is intended;
- 12.6.11.2.the time-limits for storing the data;
- 12.6.11.3.the right to have recourse at any time to the European Data Protection Supervisor;
- 12.6.11.4.the origin of the data, except where the controller cannot disclose this information for reasons of professional secrecy;

insofar as such further information is necessary, having regard to the specific circumstances in which the data is processed, to guarantee fair processing in respect of the Data Subject.
- 12.7.Notwithstanding clause 16, requests for access, correction, erasure or blocking may be denied if (i) the Data Subject is abusing his rights under this Policy and the Directive on Data Protection; (ii) the request for access, correction, erasure or blocking is unspecified or unreasonable; or (iii) facevalue is obliged not to do so according to applicable law.
- 12.8.Prior to providing access to Data Subjects to which a Third-party may be expected to object, the facevalue company having received the request for access shall give the Third-party an opportunity to express its views where the information mentioned in clause 12.3 of this Policy contains data concerning that Third-party unless this appears to be impossible or would involve a disproportionate effort.
- 12.9.In case of transfer of Personal Data within facevalue, the exporting facevalue company shall undertake to assist the Data Subjects in exercising their rights vis-à-vis the recipient facevalue company. Further to the request of a Data Subject, the exporting facevalue company shall investigate such requests and shall undertake appropriate action to review and where necessary grant such requests.
13. Sensitive Personal Data
- 13.1.facevalue shall not Process Sensitive Personal Data, except where:
- 13.1.1.the Data Subject has given explicit consent, or;
- 13.1.2.the Processing is required or authorised by domestic law, or;
- 13.1.3.the Processing is necessary for the establishment, exercise or defence of legal claims, or;
- 13.1.4.the Processing is necessary to protect the vital interests of the Data Subject, or;
- 13.1.5.the Processing is necessary to comply with an obligation of international public law, or;
- 13.1.6.the Processing is necessary with a view to an important public interest, where appropriate measures have been put in place to protect individual privacy and this is provided for by foreign or domestic law or the relevant Data Protection Authority has granted an exemption.
- 13.1.7.the Personal Data has been made manifestly public by the Data Subject.
- 13.2.Notwithstanding clause 13.1 of the Policy and the provisions or restrictions of local laws on the Processing of health related data, facevalue may process health related Personal Data of Employees only for (a) the proper implementation of law provisions, pensions, pension regulations or collective agreements which create rights dependent on the state of health of the Employee, or (b) the reintegration of or support for Employees or persons entitled to benefit in connection with sickness or work incapacity. Employee health related data will be treated as confidential.
- 13.3.Notwithstanding clause 13.1 of the Policy and the provisions or restrictions of local laws on the Processing of health related data, facevalue may process health related Personal Data of Clients, subject to the provisions of clauses 13.3 up to and including 13.9 of this Policy.
- 13.4.facevalue may process Personal Data relating to a person's state of health insofar as this is necessary for: the assessment of a Client, the approval of a Client, the execution of an agreement with a Client and the settlement of payment transactions.
- 13.5.Personal Data regarding a person's state of health that are processed in order to make an assessment of a Client, in connection with the acceptance of a Client, the execution of an agreement with a Client with regard to a specific product or the settlement of a claim for damages of a Client shall not be used without the Client's explicit consent for the assessment of a Client, the acceptance of a Client, the execution of an agreement with a Client for another product or the settlement of another claim for damages.
- 13.6.If, in connection with the acceptance and/or the handling of claims, a Client is requested to undergo a medical examination or an additional examination, facevalue shall point out in the medical examiner's documents and forms the importance of the identification in order to prevent mistaken identity. The Client shall then be informed that he has the right to make it known in writing that he wishes to be informed of the results and conclusion of the examination. Unless it concerns an insurance policy concluded under civil law, the Client has the right to demand that he shall be the first to be informed of this information in order that he may decide that the results and conclusions are not to be communicated to others.
- 13.7.The collection of Personal Data regarding a person's state of health by a medical advisor of facevalue from other parties than the Client shall only take place after the Client has given his permission and issued an authorisation for this. This authorisation may not be of a general nature, but must concern the Processing in connection with a concrete issue. The Client must be informed about the nature of the to be requested information as well as about the purpose thereof. This must be apparent from the authorisation.
- 13.8.The information regarding a person's state of health shall only be processed by persons who are bound to secrecy by virtue of their office, profession or legal regulations or by virtue of an agreement, except insofar as they are obliged to disclose this information by law or their task requires that this information should be disclosed to others who are authorised to process this information.
- 13.9.Health related data will be handled confidentially. Access will only be granted to authorised persons within the organisation.
- 13.10.Notwithstanding the provisions of clause 13.1 and any relevant specific provisions of national law prohibiting or imposing extra requirements on the Processing of criminal behaviour related Personal Data, criminal Personal Data may be processed in accordance with clauses 13.11 up to and including clause 13.14.
- 13.11.facevalue may process Personal Data relating to criminal offences insofar as this is necessary for: (a) the assessment of a Client, the acceptance of a Client, the execution of an agreement with a Client and the settlement of payment transactions; (b) safeguarding the security and integrity of the financial sector, including also detecting, preventing, investigating and combating (attempted) (criminal or objectionable) conducts directed at the sector which facevalue is part of, at the group to which facevalue belongs, at facevalue itself, at its Clients and Employees, as well as the use of and the participation in warning systems; or (c) to comply with legal obligations.
- 13.12.In view of a sound acceptance Policy, facevalue may enquire about facts relating to a possible criminal record of persons to be insured and others whose interests are also insured in the applied for insurance policy (including directors and shareholders of legal entities), insofar as these facts relate to a period of eight years prior to the date of the insurance application. In this regard, the disclosed criminal record may only be used for the assessment of the insurance application and legally obtained data relating to a criminal record may be used in connection with invoking non-compliance with the disclosure obligations.
- 13.13.The prohibition on Processing other Sensitive Categories of Personal Data does not apply insofar as this is necessary in addition to the Processing of Personal Data relating to a criminal offence for purposes for which this Personal Data is being processed.
- 13.14.Personal data that:
- 13.14.1.relate to criminal offences that were perpetrated, or that, based on facts and circumstances of the case, are expected to be perpetrated, against one of the facevalue companies; or
- 13.14.2.serve to detect possible criminal conduct towards facevalue, can be disclosed by facevalue, provided that the information is only disclosed to officers who require this information in connection with the performance of their duties as well as to the police and judicial authorities.
14. Direct marketing
“Direct marketing” means the transmission of unsolicited information by facevalue or a third-party to a Data Subject for commercial or charitable purposes.
14.1.Processing of Personal Data through automated means (opt-in)
Where Personal Data is Processed for direct marketing purposes through the use of automated means, electronic mail, or mobile services, facevalue shall obtain the consent of Data Subjects, except where these have provided their Personal Data to facevalue in the context of the sale of a facevalue product or service. This is subject to the condition that: (i) when the Personal Data was obtained from the Data Subject, the possibility was explicitly offered to lodge an objection free of charge against the use of this Personal Data; and (ii) if the Data Subject has not made any use of this, at the time of each communication, the Data Subject shall explicitly be offered the possibility to lodge an objection free of charge against the further use of the Personal Data.
14.2.Processing of Personal Data through non automated means (opt-out)
Where Personal Data is Processed for direct marketing purposes through the use of means other than those specified in clause 14.1 of this Policy, such as non-automated means including non-automatic telephone calls and letters sent by post, the relevant facevalue company shall (i) provide the Data Subjects at least with the possibility to opt-out from such use and (ii) not direct unsolicited commercial communications at Data Subjects enlisted with the so called “opt out” registries if required by law.
14.3.Right to object
Where a Data Subject objects to the use of his Personal Data for direct marketing purposes, his Personal Data shall be blocked for such use as soon as possible after the objection has been received by the relevant facevalue company.
15. Automated decision making
facevalue employs various automated business rules for risk and price based decisions. Data Subjects are entitled to query a decision and request the logic implemented to derive the decision, which is based solely on automated Processing of Personal Data, unless:
- 15.1.the decision is taken in the course of the entering into or performance of a contract which was requested by the Data Subject and the decision was positive for the Data Subject;
- 15.2.other measures are taken to safeguard the Data Subject's legitimate interests, such as arrangements allowing the Data Subject to express his point of view; or
- 15.3.the decision is authorised by law.
16. Compelling business interests
- 16.1.The requirements of clauses 4, 7 and 12, may be set aside if in the specific circumstances of the case at hand (especially in case of regulatory compliance) a pressing need exists which outweighs the fundamental rights and freedoms of the Data Subject in order to:
- 16.1.1.protect the legitimate business interests of facevalue, including:
- 16.1.1.1.the security of an Employee;
- 16.1.1.2.the protection of its trade secrets and reputation;
- 16.1.1.3.the uninterrupted continuity of its business operations;
- 16.1.1.4.the protection of confidentiality in for instance an (intended) sale or merger or acquisition of (its) business operations;
- 16.1.1.5.involvement of trusted advisors or consultants for legal, tax, insurance or business consultancy purposes;
- 16.1.2.prevent, detect, prosecute (including to cooperate with public authorities) breaches of (criminal) law or breaches of the terms of employment or other company rules or codes;
- 16.1.3.protect and defend the rights and freedoms of facevalue, its staff or other persons (including the Data Subject) (hereinafter “Compelling (Business) Interests”); or
- 16.1.4.protect the rights and freedoms of the Data Subjects or of a Third-party.
- 16.2.The provisions of clause 13 may in specific cases be set aside if in the specific circumstances of the case at hand a pressing need thereto exists which outweighs the interests of the Data Subject for Compelling (Business) Interests described in clause 16.1 only.
17. Supervision and compliance
- 17.1.Each facevalue company shall designate a Data Protection Officer in accordance with Section 8 of the Data Protection Directive.
- 17.2.facevalue is aware of the provisions, requirements and limitations of term and restrictions of dismissal stated in Section 8 of the Data Protection Directive and shall appoint a qualified Data Protection Officer, who shall be registered with the European Data Protection Supervisor.
- 17.3.The Data Protection Officer shall be selected on the basis of his or her personal and professional qualities and, in particular, his or her expert knowledge of data protection.
- 17.4.The selection of the Data Protection Officer shall not be liable to result in a conflict of interests between his or her duty as Data Protection Officer and any other official duties, in particular in relation to the application of the provisions of the Data Protection Directive.
- 17.5.facevalue shall give prior notice, containing the information stipulated by Article 25 of the Data Protection Directive to the Data Protection Officer of any Processing operation or set of such operations intended to serve a single purpose or several related purposes.
- 17.6.The Data Protection Officer shall maintain a register containing the information referred to in 17.5 above of all Data Processors, which will be available for inspection by the European Commission Data Protection Supervisor.
- 17.7.facevalue will regularly (at least on an annual basis) audit its systems used to Process Personal Data to ensure compliance with this Policy.
- 17.8.facevalue shall ensure that internal audits will take place on a regular basis within facevalue.
- 17.9.facevalue shall ensure that those Employees that are responsible for ensuring compliance with data protection principles shall comply with this Policy, and shall educate and inform them about the consequences of non-compliance.
- 17.9.1.Special training to promote privacy awareness and familiarity with the rules established in the Policy will be developed for Employees of facevalue.
- 17.10.A global complaint procedure for the effective protection of the rights established in this Policy will be set up upon implementation of the Policy. This global complaint procedure will be available to Employees and Clients of facevalue.
18. Third-party beneficiary
- 18.1.The Data Subjects can enforce all obligations of facevalue contained in this Policy which directly relate to the lawful or fair Processing of their Personal Data as Third-party beneficiaries.
- 18.2.Any facevalue company shall make available, upon request, a copy of this Policy to Data Subjects who are Third-party beneficiaries under this clause.
19. Compliancy procedures
- 19.1.If the Data Subject is of the opinion that facevalue is not complying with the Policy or the privacy rights of the Data Subject are infringed according to applicable data protection legislation, the Data Subject may lodge a complaint.
- 19.2.The Data Subject's complaint must be lodged according to the complaint procedure for Clients or Employees, as applicable, adopted in every country where facevalue is present.
- 19.3.The country specific complaint procedure for Clients and Employees must comply, respectively, with facevalue's OFM and applicable local law.
- 19.4.A complaint shall be lodged by the Data Subject in accordance with the complaint procedure from the country where:
- 19.4.1.the Data Subject has its habitual place of residence, or
- 19.4.2.the facevalue company which allegedly infringed the Policy or the Data Subject's privacy rights is located, or
- 19.4.3.the facevalue company employing the Data Subject, who qualifies as Employee, is located.
- 19.5.In the event that a facevalue company wrongfully receives a complaint as referred to in this clause, such facevalue company shall assist the Data Subject in lodging the complaint with the facevalue company which is charged with dispatching the complaint.
- 19.6.Should the Data Subject be unsatisfied about the handling of the complaint, the Data Subject may address such concern to facevalue by emailing firstname.lastname@example.org or calling +3185 888 7417.
20. Liability
- 20.1.A Data Subject who has suffered direct damages as a result of any violation of the provisions of this Policy that directly relate to the lawful or fair Processing of his Personal Data, and only to the extent that the Data Subject can show that:
- 20.1.1.it has suffered damage and
- 20.1.2.the occurrence of such damage originates in the violation of the Policy, is entitled to receive compensation for the damage suffered.
- 20.2.Facevalue B.V. and the relevant facevalue company shall be jointly and severally liable for any direct damage suffered by the Data Subject resulting from any violation of this Policy by Facevalue B.V. or any facevalue company. Facevalue B.V. or the relevant facevalue company may be exempted from this liability only if they prove that neither of them is responsible for the violation of those provisions.
- 20.3.If a facevalue company is held liable before the competent courts, or mediation or arbitration institutions to which facevalue is subject, by a Data Subject for a violation of this Policy by facevalue, this facevalue company will, to the extent to which it is liable, indemnify Facevalue B.V. for any costs, charge, damages, expense or loss it has incurred.
21. Enforcement of rights and mechanisms
- 21.1.The Data Subject has the right to address the courts or other competent authorities, including the Data Protection Authority in the Netherlands.
- 21.2.The provisions of this clause 21 apply without prejudice to the substantive rights and remedies or the dispute settlement procedures which are available to a Data Subject in accordance with other provisions of national or international law.
- 21.3.All facevalue companies are obliged to cooperate with the competent Data Protection Authority and any other lawful investigation or inquiry by a competent authority. The facevalue company shall in a reasonable time and to the extent reasonably possible assist other facevalue companies if this assistance is required in order to handle any request or complaint or claim of a Data Subject.
- 21.4.Notwithstanding the rights of the Data Subject as set forth in the above paragraphs of this Policy, the Dutch Data Protection Authority and the Dutch courts shall at all times be competent to supervise compliance with this Policy. Both the Dutch Data Protection Authority and the Dutch courts shall rule in accordance with Dutch law.
22. Data originating from countries outside
Where a facevalue company established in a country outside the EEA Processes domestic Personal Data not originating in EEA countries, such facevalue company may decide whether it will apply the level of protection set out in this Policy. Such Processing of Personal Data will as a minimum ensure that it complies with applicable local laws.
23. Amendments to this global data protection policy
- 23.1.facevalue is not entitled to make any amendments to this Policy, or the purpose for which it collects Personal Data, as set out in 1.2, 1.3 and 4 hereof, without obtaining the consent of the Data Subjects. Any relevant amendments to this Policy shall be published and Data Subjects will be properly informed of the change.
- 23.2.The amendments shall only come into effect relative to each Client, after the amended Policy has been published in accordance with the relevant parts of facevalue's OFM and the Data Subject's Consent has been obtained.
- 23.3.facevalue will inform the Data Protection Supervisor of any amendment to this Policy.
25. Inquiries
Inquiries relating to this Policy should be directed to: