Privacy statement Cerme ICT B.V. — Version 5.2
1 — Your Privacy, Our Priority
At Cerme ICT B.V., we respect your privacy and secure your data. We want you to have a clear understanding of what data we collect, why we use it, and how you can exercise your rights.
This statement is based on the highest standards of data protection and cybersecurity:
- General Data Protection Regulation (GDPR) (EU 2016/679) and the GDPR Implementation Act (UAVG)
- ISO/IEC 27001:2022 & 27005 (Information security)
- NIS2 Directive (EU 2022/2555) (Cybersecurity)
Application: This statement applies to all services, products and websites of Cerme ICT B.V., including, but not limited to:
2 — What data do we collect?
We only collect the data necessary to provide our services, optimize your experience, and comply with legal requirements.
| Category | Examples | Purpose |
|---|---|---|
| Your details | Name, company name, contact person | Customer management, communication about the service. |
| Contact | Email, phone number, address | Invoicing, correspondence, service. |
| Financial data | IBAN, payment information | Payment processing, legal financial obligations. |
| Account details | Username, password (hashed) | Access to customer portals and security. |
| Technical data | IP address, browser, device ID | Security, network monitoring, website optimization. |
| Cookies & analytics | Website use, preferences | Functionality, analytics, and marketing (last with permission). |
3 — How do we use your data and what is the legal basis?
We process your personal data exclusively on the basis of the following legal bases (Art. 6 GDPR):
| Purpose of the processing | Legal basis |
|---|---|
| Providing services & support | Performance of the agreement with you or your organization. |
| Comply with | Legal obligation (invoicing, tax, audits, compliance with sector-specific legislation such as NIS2). |
| Security & abuse prevention | Legitimate interest (protection of our and your systems, networks, and services). |
| Marketing & communication | Consent, which you can withdraw at any time (e.g. for newsletters). |
4 — Retention periods
We do not store your data longer than necessary for the purposes for which it was collected.
| Category | Retention period |
|---|---|
| Invoices & administration | 7 years after the end of the financial year (legal obligation). |
| Customer Accounts & Contract Data | Active + 1 year after termination of the agreement (for service and administration). |
| Support logs | 2 years (for quality improvement and incident analysis). |
| Newsletter details | Until such time as you withdraw your consent. |
After the retention period has expired, data is securely deleted or anonymized.
5 — Data Sharing
We only share your data if it is strictly necessary for the provision of our services, on the basis of a legal obligation, or with your explicit consent.
Data Processing Agreements: We enter into a Data Processing Agreement (DPA) with all external parties who process personal data on our behalf to ensure that they maintain at least the same level of security as we do.
Third parties:
- Cloud providers (EU, ISO 27001 certified) – hosting & backup.
- Delivery services – delivery of products.
- Payment processors – payment processing.
- IT support & auditors – system administration, compliance.
Transfer outside the EEA: Data is primarily processed within the EEA. If transfers outside the EEA are necessary, this will only be done with appropriate safeguards, such as the Standard Contractual Clauses (SCCs) and additional security measures.
6 — Security
The protection of your data is essential. We implement technical and organizational measures to protect your data against loss or unlawful processing. We use the standards of ISO 27001 and the NIS2 directive, including:
- TLS encryption for all connections.
- Multi-factor authentication (MFA) & strict access control.
- Logging & monitoring of network activities.
- Regular Penetration Tests & Vulnerability Scans.
- Separate environments for production and test.
- Robust backup & disaster recovery procedures.
- Incident management in accordance with ISO 27035.
- Annual risk assessment according to ISO 27005.
7 — Your rights
You can always exercise the following rights in accordance with the GDPR:
- Access: You have the right to see which of your data we process.
- Correction: You can have incorrect or incomplete data corrected.
- Deletion (Right to be forgotten): You can request the deletion of your personal data.
- Restriction of processing or objection: You can restrict the processing of your data or object to the processing.
- Data portability: You have the right to transfer your data to another party.
- Withdrawal of consent: You can withdraw a previously given consent at any time.
- Complaint: You can file a complaint with the Dutch Data Protection Authority (DPA) if you believe that we are not handling your data correctly.
Contact: For questions about your rights, please send an email to [email protected]. We will respond to your request within 30 days.
8 — Cookies
Our websites use cookies:
- Functional: Necessary for the correct functioning of the website.
- Analytical: For the anonymous measurement and analysis of website use (often with permission).
- Marketing: To show relevant content or advertisements, only after explicit permission.
More detailed information can be found in our Cerme ICT Cookie Statement.
9 — GDPR and Privacy Protection
Cerme ICT meets the requirements of the GDPR:
- Personal data is only processed for legitimate purposes.
- Only necessary data is collected (data minimisation).
- Data subjects have the right to inspection, correction and removal.
- Data breaches are reported to the Dutch Data Protection Authority (if applicable) within 72 hours.
- Processing agreements are concluded with external parties that process personal data.
10 — Changes
We reserve the right to update this statement at any time. The most recent and current version is always on [email protected]. In the event of important changes, we will inform you immediately.
Document information
Title: Privacy statement Cerme ICT B.V.
Version: 5.2
Date: 10-10-2025
Approved by: Management Cerme ICT B.V.
Next review date: 10-10-2026
