Hello! This is our Privacy Notice. We are required to have one of these to explain how we comply with the applicable data protection legislation and to let you know what we do with the information we collect about you when you visit our website(s).
We do write this kind of things for a living, yet we also know that not that many people take the time to read them (though they should). Considering that we develop them for many of our customers, we thought we’d show off our knowledge and skills by explaining, in plain English, what this Privacy Notice is about.
In order to comply with the requirements of the law, we need to let you know that the data controller (that is the company that makes decisions about what to do with your personal data, for the personal data you provide to us is Excellium Services Group SA, a company incorporated under Luxembourg law, with the registration number B 213082. Our very cool offices are located at rue Goell 5, L-5326 Contern, Grand Duchy of Luxembourg. You should pay us a visit to see for yourself.
Information we may collect about you
When you come onto our website(s) and submit a contact form or email to us, we will keep the information that you provide to us so that we may respond to you. You probably won’t go into many details about your private life when you contact us, so we will most likely know only very basic things about you, like your name, business address, e-mail and phone number as well as whatever other information you want to share with us about you or the company you work for. The only reason we need this information is so that we can get back to you and provide answers to your questions or to your requests for information on who we are and what we do for a living. After all, it would be rude to ignore you and if we never got back to anyone, we wouldn’t have a business to run.
We also collect some technical data about you, like your IP address. Surprisingly for some, the data protection law states that the IP data are actually considered to be personal data. We use on our website(s) Google Analytics and for that to work, we need to collect your IP address. The reason we use analytics is firstly to find out if anyone comes to visit our website(s) and, secondly, whether all our efforts to write about clever stuff is going to waste or is actually read. We also want to know what interests you on our website(s) so we may write more of the interesting stuff you like.
We also use some very fashionable social media for networking (i.e. LinkedIn, Tweeter, Facebook) so that we can try get you interested in our services. We might be on a mission to change the world for better data privacy and data security, but we are a business after all, and we need to make use of your data for us to be able to do business and work with you.
Our delicious cookies
Like most websites, our(s) uses a few selected but useful cookies. If you don’t want them, or don’t find them to your liking, then you can reject them, by clicking the “Reject” button on our cookie banner, or by simply blocking them in your browser settings. However, should you choose to reject these cookies some of our website(s) features might not work for you as well as they should.
How we use your information?
Our Group HQ is based in the Grand Duchy of Luxembourg, so your data is definitely kept safely in our CRM.
Some of our business partners, service providers or 3rd parties listed above may store your data outside the EEA. We’ve taken the time and meticulously read all the privacy notices of all the companies we use (for inspiration mainly, but also for due diligence and regulatory compliance – and we can definitely tell you that they are much more boring than ours) and take it from us, as experts in the field, they are okay.
We use Standard Contractual Clauses (SCCs) with any service provider or 3rd party located outside the EEA, adjusted to reflect the specific requirements imposed by the European Court of Justice ruling in “Schrems II”, to ensure and enable us to enforce their regulatory compliance with the requirements EU’s GDPR, so that we can grace them with the data that our customers have entrusted us with. The few selected US companies that we trust with your data have all undergone a thorough due diligence process from our side to ensure they are good and safe enough to look after your data. We definitely don’t share your data with anyone else without informing you before.
Given that we are cybersecurity and data protection specialists (and very good ones too), we have implemented a proper data protection regime in place to make sure we look after all the data you trust us with, in the right and legally compliant way. Our IT security guys make sure they’ve implemented some very tough IT security controls in our systems to prevent anyone from trying to access or steal the information we have about you. We have also implemented some strict internal policies and monitoring controls in place to make sure that only the staff who needs to know may access your data.
Do we share your information?
We may have to share some of your data with other companies or people that work with us, or for us, so that we can actually do our job. These include:
- Microsoft Azure (“Azure”) – so we can safely store documents and email you;
- Salesforce.com (“Salesforce”) – so we may invoice you for our awesome services.
- Atlassian Pty Ltd (“Atlassian”) – so we can manage our teamwork via Confluence;
- WordPress.com (“WordPress”) – so that we may host and manage our very informative website(s);
- Some social media like LinkedIn, Tweeter, Facebook, that allow you to visit our dedicated company pages hosted with them;
- Other business partners, suppliers and sub-contractors so we can deliver our awesome services to you as well as so we can provide you with the best solutions to your problem(s);
- Analytics and search engine providers that assist us in the improvement and optimization of our website(s) (yeah, we know we’ve already told you about this one, but it’s better to make sure you get the idea);
- With other people or organizations when required by law.
Where do we store your information?
Our Group HQ is based in the Grand Duchy of Luxembourg, so your data is definitely kept safely here, on our CRM.
Some of our business partners or third parties listed above may store your data in the USA. We’ve taken the time and meticulously read all the privacy notices of all the companies we use (for inspiration mainly, but also for due diligence and regulatory compliance – and we can definitely tell you that they are much more boring than ours) and take it from us, as field experts, they are okay.
There is a special deal between EU and the USA called the “Privacy Shield Framework” which is basically a certification US companies need to get in order to show the EU that they are compliant enough to be graced with the data that belongs to people who live in the EU/EEA. The US companies we trust with your data have this certification which means the EU law says they are good and safe enough to look after your data.
If we ever need to share your information with anyone else, we’ll make sure they have similar legally binding rules in place to store your data securely and that they comply with the EU data protection standards (such as Standard Contractual Clauses) when it comes to protection of your data. We definitely don’t share your data with anyone else without informing you before.
Given that we are cybersecurity and data protection specialists (and very good ones too), we have implemented proper data protection regime in place to make sure we look after all the data you trust us with, in the right way. Out IT security guys make sure they’ve implemented some very tough security controls in our systems to prevent anyone from trying to access or steal the information we have about you.
How long do we keep your information for?
Should you choose to become our customer, the Luxembourg tax law requires us to keep your personal data (name, contact info, fiscal and business details) for a minimum of 10 years. We’ll get rid of it after that.
If you contact us to ask us about our services and we don’t end up working with you, we’ll usually delete your information within 12 months (to give you some time to think it over, just in case you may change your mind and return to us at a later time).
If you say “yes” to our regular but insightful newsletters or decide to attend one of our amazingly informative events, we’ll keep your information until you ask us to delete it. You can do that each time you get an email from us, by clicking on the “unsubscribe” link included in it. Note that by doing so you will hurt our feelings but feel free to use the link if you really have to.
What are your rights?
As a person (or “data subject”, as affectionately the law refers to you), you do have certain rights under the data protection law, rights that you can always exercise. This means that you can ask us to do any of the following things and, if it won’t get us in legal trouble (remember the bit on the tax law we mentioned earlier?) then we’ll definitely do it:
- Ask us for a copy of the data we hold on you;
- Ask us to correct your data if we got it wrong;
- Ask us to delete your data (do bear in mind this is not always possible due to some legal constraints, like the tax law we’ve mentioned earlier);
- Ask us to stop or restrict processing your data (where applicable, as when you are our client we have to process your data to provide you with the requested service);
- Ask us to send your data to another company in a sensible yet secure way (e.g. not via an USB stick or email) where such data portability is applicable;
- Withdraw your consent if you’ve given it to us.
You may ask us, by contacting our Data Protection Officer (“DPO”) via email: dpo[at]excellium-services[dot]com, to do any of the above and if we don’t do it right, then we should really be out of job. Nevertheless, should you be disappointed by the way we handled your request, you may also direct your complaint about us to our lead Data Protection Supervisory Authority, by contacting the Commission Nationale pour la Protection des Données (“CNPD”), either by regular mail at 1, avenue du Rock’n’Roll, L-4361 Esch-sur-Alzette, Grand Duchy of Luxembourg, or by email to: info[at]cnpd[dot]lu.
Changes to our Privacy Notice
When and if we make any changes to this Privacy Notice that you need to know about, we’ll inform you, otherwise we won’t bother you with nonsense. We hope the above was easy to read and clear to understand and that you are now confident that we process your data with the care and attention it deserves.
To find out how we can create similarly stunning pieces of non-legalese privacy notices for you, or other impressive legal documentation on regulatory compliance, you may contact us at: contact[at]excellium-services[dot]com.
For your information
Excellium Services Group is committed to working with clients and consumers to obtain a fair resolution of any complaint or concern about personal privacy.
Excellium Services Group complies with the requirements of the EU GDPR and where applicable with the national data protection laws.