Hello! This is our Privacy Notice. We are required to have one of these to explain how we comply with the applicable data protection legislation and to let you know what we do with the information we collect about you when you visit our website(s).

We do write this kind of things for a living, yet we also know that not that many people take the time to read them (though they should). Considering that we develop them for many of our customers, we thought we’d show off our knowledge and skills by explaining, in plain English, what this Privacy Notice is about.

Note that our website(s) may provide links to a number of third-party websites. Please beware that we have no control over the manner in which these third-party websites collect and process your personal data when you make use of them. When visiting those links, make sure you review first their privacy notices prior to providing any personal data to them.

In compliance with the applicable requirements of the data protection legislation, we, Excellium Services SA, a company incorporated under Luxembourg law, with the registration number B 213082, are the responsible entity (the “data controller”) for the collection and processing of your personal data you provide to us when you visit and make use of our website(s). Our very cool offices are located at rue Goell 5, L-5326 Contern, Grand Duchy of Luxembourg. You should pay us a visit to see for yourself.

When you visit our website(s) and submit a contact form or email to us, we will keep the information that you provide to us so that we may respond to your queries. Obviously, you won’t go into that many details about your private life when you contact us, so we will most likely know only the very basic things about you, such as:

• your name,
• your business address, e-mail, and phone number,
• the content of your message to us,
• whatever other information you may want to share with us about you or the company you work for and the reason(s) for contacting us,
• data generated through automated technologies such as cookies, web beacons and similar technologies (see cookies section below).

We require this information is so that we may be able to get back to you and provide answers to your questions or to your requests for information on who we are and what we do for a living. After all, it would be rude to ignore you and if we never got back to anyone, we wouldn’t have a business to run.

During your visit of our website(s) we may also collect some technical data about your device (such as device type, model, operating system, browser type, screen resolution, your machine IP address). We use on our website(s) Google Analytics and for that to work, we need to collect your IP address. The reason we use analytics is firstly to find out if anyone comes to visit our website(s) and, secondly, whether all our efforts to write about clever stuff are going to waste or are actually read. We also want to know what interests you on our website(s) so we may write more of the interesting stuff you like.

Not all data that we collect, and process constitute ‘personal data’. Personal data as defined by law refers to data by which you can be uniquely identified, either directly or indirectly. (For example, information about the type of operating system your computer is running, the browser type you are using, the screen resolution, are not considered personal data.)

We also use some very fashionable social media for networking (i.e., LinkedIn, Twitter, Facebook) so that we can try get you interested in our services. We might be on a mission to change the world for better data privacy and data security, but we are a business after all, and we need to make use of your data for us to be able to do business and work with you.

Our website(s) are not intended for the use of individuals under 18 years old. We do not knowingly collect and process any personal data from individuals who are under the age of 18 years old.

A “cookie” is a small (temporary) text file that our website(s) saves on your computer or mobile device when you visit our website(s). These cookies are intended to save your preferences to be used during a later visit (e.g.: your choice of language, adjust our website to your display settings, render adequately our website graphics and images, facilitate entering your information when using the contact page, etc.). Additionally, some cookies may also be used for marketing and statistic purposes.

A “web beacon” is a transparent graphic image, usually no larger than 1×1 pixels, used to monitor which web pages are visited on our website(s). A web beacon is often used in combination with other cookies. We may use cookies, web beacons and similar technologies in connection with our website(s) to monitor and analyse how the visitors make use of our website(s). This information allows us to optimize visitors’ browsing experience.

Like most websites, our(s) uses a few selected but really necessary cookies. Should you not want them, or won’t find them to your liking, then you can reject them, by clicking the “Reject” button on our cookie banner, or by simply blocking them in your browser settings. However, should you choose to reject these cookies some of our website(s) features might not work for you as well as they should.

Additionally, you may also choose to configure your browser’s standard privacy and security settings, by installing certain browser specific add-ons (such as “Google Analytics Opt-out Browser” add-on, which is currently available for most commonly used web browsers). You may review these settings and change them prior to, or after you visit our websites. You may also choose to block or delete cookies. If you choose to change these settings after you have visited our websites (e.g.: deleting all cookies), next time you visit our websites you may be asked to consent again to our use of cookies, web beacons and similar technologies.

Additional information about browser settings and cookies could be found on http://www.allaboutcookies.org/.

We will process the information you provide to us to:

• provide you with our excellent professional services;
• inform you when we operate changes to our services;
• allow you to use our websites and make it more convenient for you to do so (For example, we may use the data by placing a cookie on your device to remember your language preference for when you visit our website(s) again);
• make our site(s) look better and ensure its content is presented in the friendliest yet most effective way for you and for your computer, smartphone, or whatever other connected devices you may use;
• manage our site, including troubleshooting (i.e., we may use the data to resolve technical issues surrounding our website(s) navigation and use), data analytics, research, and put pretty looking reports together for our regular meetings where we get to enjoy croissants and lots of coffee;
• to further develop and update our website(s) (i.e., we may use the data to analyse when and how visitors navigate on our websites. This helps us to understand what we need to change and improve on our websites content and provide you with the best online experience);
• enable us to comply with our obligations under applicable laws, the exercise or defence of legal claims, or to exercise our rights (i.e., we may need to process the data for evidence reasons);
• let you get involved, where possible, with those interactive features of our site(s);
• keep our site(s) secure, clean, user-friendly, and safe (i.e., we may use the data to verify that we do not receive spam submissions through the contact form on our website(s));
• for other purposes for which you have given us your explicit and informed consent.

We will process your data only to the extent allowed by the applicable data protection laws. Subject to the requirements of the applicable laws, we are permitted to process your (personal) data if:

• you have given us your consent to do so; and/or
• such processing is necessary for the performance of a contract or respond to requests you made to us (e.g., to answer a question that you submitted through the online form on our website); and/or
• the processing is necessary to pursue our legitimate interests or those of a third party; (e/g/: we may for the purpose of optimizing our services and products);
• you are a registered customer or a prospect customer.

Whenever your consent is required to allow us to process your personal data, we will inform you on the reason(s) for processing your data and will ask you beforehand whether you consent or not to such processing. You may choose not to consent. However, should you choose not to consent some features of our website(s) may not work properly and some functionality may not be available to you, or we may not be able to (fully) respond to your request.

We take appropriate security measures to prevent misuse and/or unauthorized access to your personal data. In doing so, we ensure that your personal data is kept safe and only our authorized personnel may access your data.

We do not share or transfer your personal data with any entity except:

• where you consented for us to do so; or
• to our service providers that are bound by specific contractual terms, as required by law, to allow processing on our behalf in accordance with this Privacy Notice; or
• if we are required to do so pursuant to law (e.g., in response to a judicial or court order); or
• to any entity that we acquire in whole or in part, or any entity that we are, in whole or in part, acquired by, merged into, or merged with;
• as otherwise stated in this Privacy Notice or permitted by the applicable law(s).

Our company HQ is based in the Grand Duchy of Luxembourg, so your personal data is kept safely in our CRM located there.

Some of our business partners and service providers may store your data outside the EU/EEA. We’ve taken the time and meticulously read all their privacy notices and terms and conditions for all the companies we use (for inspiration mainly, but also for due diligence and regulatory compliance, and we are confident, as experts in the field, that they are okay.

Where required we use the Standard Contractual Clauses (SCCs) with additional technical safeguards, with any of our service provider or third-party contractors located outside the EU/EEA. Our SCCs have been adjusted to reflect the specific requirements imposed by the European Court of Justice ruling in “Schrems II”, to ensure and enable us to enforce their regulatory compliance with the requirements EU’s GDPR. The few selected US-based companies that we use have all undergone a thorough due diligence process from our side, complemented with thorough transfer impact assessments (TIAs) to ensure they are good and safe enough to look after your data. We definitely don’t share your data with anyone else unless we need to do so in order to fulfil our contractual obligations to you and your organisation, in which case you are transparently informed of such transfers prior to any data transfers occurring.

Given that we are cybersecurity and data protection specialists (and very good ones too), we have implemented a proper data protection regime in place to make sure we look after all the data you trust us with, in the right and legally compliant way. Our IT security guys make sure they’ve implemented some very tough IT security controls in our systems to prevent anyone from trying to access or steal the information we have about you. We have also implemented some strict internal policies and monitoring controls in place to make sure that only the staff who needs to know may access your data.

• Should you choose to become our customer, the Luxembourg tax law requires us to keep your data (name, contact info, fiscal and business details) for a minimum of 10 years. We’ll get rid of it after that.
• If you contact us to ask us about our services and we don’t end up working with you, we’ll usually delete your information within 12 months (to give you some time to think it over, just in case you may change your mind and return to us at a later time).
• If you say “yes” to our regular but insightful newsletters or decide to attend one of our amazingly informative events, we’ll keep your information until you ask us to delete it. You can do that each time you get an email from us, by clicking on the “unsubscribe” link included in it. Note that by doing so you will hurt our feelings but feel free to use the link if you really have to.

As a person (or “data subject”, as affectionately the law refers to you), you do have certain rights under the data protection law, rights that you can always exercise. This means that you can ask us to do any of the following things and, if it won’t get us in legal trouble (remember the bit on the tax law we mentioned earlier?) then we’ll definitely do it.

Subject to the conditions stated under the applicable data protection laws, you may:

1. contact us requesting information on what personal data we have on you;
2. rectify any erroneous personal data you (may) have submitted to us via our websites
3. export (where applicable) your personal data to a third-party of your choosing;
4. object or restrict, under specific circumstances, the processing of your personal data;
5. request the removal of your personal data, where such removal is permitted under the applicable laws;
6. withdraw your consent if you’ve given it to us.

Should you have questions with regard to this Privacy Notice or wish to exercise any of the above-mentioned rights, you may do so by submitting an e-mail request to our DPO (click here to email our DPO). Alternatively, you may address your questions or exercise your rights by regular post at Excellium Services SA, 5 rue Goell, L-5326 Contern, Luxembourg.

When you contact us, please be specific as to what information you require, or what right(s) you wish to exercise. To prevent any abuse or identity fraud, we may ask you to provide additional information and/or an adequate identity proof. A response to your request shall be provided within the timeframe established by the applicable data protection laws. Excellium Services is committed to working with clients and consumers to obtain a fair resolution of any complaint or concern about personal privacy.

Should you be disappointed by the way we handled your request, you may submit a complaint about us to our lead Data Protection Supervisory Authority, by contacting the Commission Nationale pour la Protection des Données (“CNPD”), either by regular mail at 1, avenue du Rock’n’Roll, L-4361 Esch-Sur-Alzette, Grand Duchy of Luxembourg, or by email to: info[at]cnpd[dot]lu.

When and if we make any changes to this Privacy Notice that you need to know about, we’ll let you know, otherwise we won’t bother you with nonsense. We hope the above was easy to read and clear to understand and that you are now confident that we process your data with the care and attention it deserves.

To find out how we can create a similarly stunning pieces of non-legalese privacy notices for you, or other impressive legal documentation on regulatory compliance, you may contact us at: contact[at]excellium-services[dot]com.

Last updated: 01 October 2022