Personal data is processed at CS&A in accordance with national and European legislation and regulations on data protection, privacy and security. From 25 May 2018 onwards the General Data Protection Regulation (GDPR) will be in force. CS&A attaches great value to handling your personal data in accordance with the fundamental principles relating to the processing of personal data. We process your personal data in a lawful, fair and transparent manner, correctly and with due care.
GDPR: the most important European law protecting Your Personal Data,
meaning regulation (EU) 2016/679 of the European parliament and of the council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) which came into effect on 25 May 2018, and any future versions of this regulation;
CS&A: CS&A International, a division of Universal Dragon Limited
Personal Data: all the information we Process of You, which we could have received from Your legal representative on behalf of You,
meaning any information relating to an identified natural living person or to a natural living person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, ID number, location data, IP address or other online identifier or to one or more other factors specific to the person’s identity. For the sake of clarity, personal data includes personal data that is publicly available and excludes personal data that has been irreversibly anonymised so it is no longer possible to re-identify a data subject from the information, taking into account all means likely and reasonably to be used by the Controller or anyone else to re-identify them;
You: You, as a data subject,
meaning that You are the natural person to whom the Personal Data relates that we Process;
Controller: we as CS&A, being the entity who is responsible for Processing Your Personal Data,
meaning a natural or legal person or an organisation which alone or jointly with others determines the purposes for which Personal Data is Processed and the manner in which Personal Data is Processed;
Processor or Third Party: other entities, besides CS&A, involved in Processing Your Personal Data,
meaning a natural or legal person or an organisation that Processes Personal Data on behalf of CS&A as a Controller, whilst not being part of the legal structure of CS&A;
Processing: everything we do with Your Personal Data,
meaning any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Supervisory Authority: Your national data protection watchdog,
meaning any competent public body responsible for monitoring and enforcing compliance with applicable (European) privacy law including at least the entities referred to in article 51 GDPR;
EEA: the European Economic Area,
meaning the member states of the European Union, Iceland, Liechtenstein, Norway and Switzerland.
2. Controller of Your Personal Data
Controller of Your Personal Data is:
A division of United Dragon Limited
Rooms 1109-10 CC Wu Building
302-08 Hennessy Road
Kowloon Bay, Kowloon
3. Why we Process Your Personal Data
At CS&A, we only Process Personal Data as a Controller if one or more of the following legitimate grounds apply:
A. You gave clear consent for the Processing,
meaning that Personal Data can be Processed if You have given freely, specific and informed consent.
CS&A makes it possible for You to withdraw previously granted consent at any time. Withdrawing such previously granted consent will not affect the lawfulness of the Processing activities immediately prior to the moment the consent was withdrawn.
Processing activities for which Your consent is required include, for example:
- sending newsletters to You and provide You with updates on our services and product portfolio;
- use of specific (tracking) cookies on CS&A’ website.
B. Processing Your Personal Data because You and we have (or could enter into) a contract,
meaning that the Processing is necessary for carrying out an agreement whereby You are a party or for taking pre-contractual measures requested by You and which are necessary for entering into a possible agreement.
Processing activities we perform based on this Processing ground are, for example:
- (sales)contract execution and the use of CS&A’ services;
- Processing Your requests for more information about CS&A’ services and product portfolio.
C. Processing Your Personal is mandatory according to applicable law,
meaning that the Processing is necessary in order to comply with a legal obligation to which CS&A is subject.
Processing activities we perform based on this Processing ground are, for example:
- transferring Personal Data to governmental bodies, such as the police, inspection- or tax authorities;
- bookkeeping (tax) laws and regulations applicable to legal entities, as well as (internal) auditing.
D. Processing Your Personal Data in the pursuance of a legitimate interest,
meaning that the Processing is necessary for legitimate interests pursued by CS&A or by a third party, except where such interests are overridden by Your interests or fundamental rights and freedoms which require protection of Personal Data.
Processing activities we perform based on this Processing ground are, for example:
- general customer relationship management, communication and information provision, such as answering Your questions or requests;
- preventing and investigating fraud and/or (suspected) legal offences;
- other regular business activities of CS&A, such as Processing Your orders and performing our services.
4. In general: Processing Your Personal Data and purposes
CS&A collects and Processes Personal Data from its (business) relations and visitors to its website to improve our business operations, to draw attention to services and to make offers available that may be of interest to You. When You use CS&A’ website, You may provide certain Personal Data on Your own initiative. CS&A may also request that You provide Personal Data.
List of purposes for which we use Your Personal Data:
- to administer and manage the website;
- to sort and analyse website user data on an aggregated level to improve the quality and effectiveness of our websites;
- Processing orders, service requests and execution of sales agreements;
- sending You newsletters and providing You with updates on our services and product portfolio;
- to develop our business, services and marketing activities;
- general customer relationship management, communication and information provision, such as answering Your questions or requests You submitted through our contact form;
- any other purposes for which You provided Personal Data to CS&A, in which case information concerning the collection and use of Your Personal Data may be made available to You when You provide Personal Data for these specific purposes.
5. Purposes – cookies
CS&A hands out cookies when You visit our website. A cookie is a small text file that is placed on Your computer or other device that is used for visiting CS&A websites. Information is stored in this text file and can be reopened during Your next website visit.
Cookies for which Your consent is not required
Functional cookies are used simply because they are necessary to ensure that the websites are working properly. These are used, for example, to display the web pages as optimally as possible, taking into account, among other things, the resolution settings of Your screen and web browser version. Asking Your consent for functional cookies is not legally required.
Analytical cookies are necessary to ensure that we are able to sort and analyse website user data on an aggregated level, meaning that we Process Your Personal Data in this context anonymously. Asking Your consent to place analytical cookies is not required because we Process the information on an aggregated level and we are merely using this to obtain information about the quality and effectiveness of our websites.
Functional and analytical cookies will be placed immediately once You visit our websites.
Cookies for which Your consent is required
In order to be able to easily share our website content with others by using designated buttons, we may use social media cookies from Facebook, Twitter and LinkedIn, so that these parties are able to recognize You of You which to share, for example an article, post or video. These social media Third Parties can use the data that they obtain through these cookies to build profiles of You. For more information about those cookies from these Third Parties, we refer to their privacy statements on their websites. Asking Your consent for social media cookies is required.
Most web browsers are set by default to accept cookies, but You can reset Your browser to refuse all cookies or to indicate when a cookie is being sent. However, it is possible that some functions and services, on our and on other websites, will not function properly if cookies are disabled in Your web browser.
6. Google Analytics
We use Google Analytics on our website. This is a piece of software we use to collect statistics on visitor numbers, visited web pages and traffic sources and to run reports. The purpose of this is to improve the website for users and to give us insight into how our website is performing.
These statistics cannot be traced back to You as an individual person by CS&A. Moreover, Your surfing behaviour is not monitored by us or Processed in any other way. The information that You enter and upload via our website, for example in our contact form, is never Processed in Google Analytics. When You visit the website, Your web browser automatically shares Your IP address and the URL of the webpage You visit with Google. With regard to this Processing of Personal Data, Google is the controller within the meaning of article 4 (7) GDPR. CS&A has no role whatsoever in these Processing activities.
Information regarding the Processing activities performed by Google can be found here.
7. Where we Process Your Personal Data
We only Process Your Personal Data on our own server computers, which are all located within the EEA, or those of Third Parties.
Where we collect Your personal information within the EEA, transfer outside the EEA will only take place:
- if the recipient of Your Personal Data is located in a country (or a specified sector within a country – e.g. an organisation under the EU-U.S. Privacy Shield) which is recognized by the European Commission with an adequate level of protection for Personal Data;
- under standard data protection clauses adopted by the European Commission or other safeguards meeting the requirements of the GDPR for transfers of Personal Data outside the EEA, or;
- any other lawful ground for the transfer of Your Personal Data.
8. How we protect Your Personal Data
We have implemented generally accepted standards of technology and operational security in order to protect Your Personal Data from loss, misuse, alteration or destruction. CS&A will ensure that only authorised personnel has access to the Personal Data necessary for carrying out their duties. Personnel with access to Personal Data is bound to maintain full confidentiality with regards to Your Personal Data and to Process it strictly in accordance with CS&A’ instructions, or to comply with a requirement of law.
The connection You have with CS&A’ websites is encrypted and authenticated using TLS 1.2, ECDHE_RSA with X25519, and AES_256_GCM technologies. This will make sure the communication through our website is secured, preventing unauthorized others to intercept the Personal Data and other information You provide to us.
Although we use appropriate security measures, the transmission of data over the internet (including by e-mail) is never completely secure. We endeavour to protect Personal Data properly, but we cannot guarantee full security of data transmitted to or by us.
9. Processors or Third Parties
- Software for gaining insights and analysing website usage.
- Agency and software (Content Management Systems) for web development.
- Email marketing tooling for sending mailings and our newsletter
- Payment services
- Social media platforms like Facebook, LinkedIn and Twitter
Personal Data that You provide in webforms on our website, may be shared with our business partners in your country.
We may also disclose Your Personal Data to law enforcement, regulatory and other government agencies and to professional bodies and other third parties, as required by and/or in accordance with applicable laws or regulations. This includes disclosures outside the country where You are located. CS&A may also review and use Your Personal Data to determine whether disclosure is required or permitted.
10. Your data protection rights
If You wish to exercise Your data protection rights under GDPR, CS&A will respond by taking any action required by law, unless Your request is obviously unfounded or excessive. You can send Your request to exercise Your data protection rights to: firstname.lastname@example.org
CS&A will respond to this in writing within one month of receipt of Your request. Depending on the complexity and the number of requests, CS&A is entitled to extent this period by two additional months. You shall be informed by CS&A of any such extension within one month of receipt of the request, together with the reasons for the delay. CS&A only Processes Your request to exercise Your rights under this clause after we have had the opportunity to identify You properly.
CS&A can reject a request to exercise Your data protection rights if:
- Your request is not clearly specified;
- Your identity cannot be established with reasonable certainty;
- the data Processing is allowed in connection with a fraud and/or criminal investigation, a legal obligation or a legal action;
- the request follows a previous request within an unreasonable interval or if the request constitutes a misuse of Your rights. An interval of 6 months or less will, in general, be considered as an unreasonable interval.
A (partial) rejection of Your request will be explained to You in writing.
A. Request to access Your Personal Data
You are entitled to request CS&A for a copy of Your Personal Data Processed by or on behalf of CS&A. Insofar as this is reasonably possible, this copy shall contain the following information:
- a summary of the details of Your Personal Data Processed by CS&A;
- a description of the purpose or the aims of the Processing;
- the categories of Personal Data to which the Processing relates;
- any Third Parties who have received the Personal Data;
- if available, information regarding the origin of the Personal Data;
- the envisaged period for which the Personal Data will be stored, or the criteria used to determine that period;
- Your rights regarding rectification, erasure, restriction and objection to the Personal Data being Processed;
- The right to lodge a complaint with a Supervisory Authority.
B. Request for rectification and/or erasure
If Personal Data Processed by CS&A is inaccurate, incomplete, no longer necessary for the purposes they were collected for, Processed contrary to applicable legislation and regulations, or if consent as mentioned in clause 3 (A) is withdrawn and there is no other legal ground for the Processing, You will be entitled to have this Personal Data rectified, completed or erased by CS&A.
In the event of an erasure of the Personal Data, CS&A shall take reasonable steps to inform Third Parties, to whom we provided Your Personal Data, of Your request for erasure.
C. Request for restriction
You have the right to request the restriction of the Processing of Your Personal Data if:
- You contest the correctness of Your Personal Data;
- the Processing is unlawful, and You oppose against erasure of Your Personal Data and instead request restriction of the Processing;
- CS&A no longer needs Your Personal Data for the purposes of the Processing, but they are required by You for the establishment, exercise or defence of legal claims; or
- You objected to the Processing pursuant to this clause pending the verification whether the legitimate interests of CS&A as mentioned in clause 3 (D) override Your (data protection) interests.
D. Right to object against the Processing
In addition, You are entitled to object to the Processing of Your Personal Data if the respective Processing is based on the legitimate interests ground as mentioned in clause 3 (D). This right applies in particular to our direct marketing activities. CS&A will discontinue the Processing of Your Personal Data if You have personal reasons plausible to this end, unless the Processing is necessary for the performance of one of the legitimate grounds as meant in clause 3 (D).
This request shall be rejected if CS&A can demonstrate compelling legitimate grounds for the Processing which override the interests, rights and freedoms of You or for the establishment, exercise or defence of legal claims.
E. Right to portability of Your Personal Data
You can request CS&A to provide Your Personal Data in a structured, commonly used and machine-readable form to You or, if technically possible, to transfer the Personal Data in an electronic form directly to a third party appointed by You. Such a request will be honoured by CS&A provided that:
- consent or the performance of an agreement as mentioned in clauses 3 (A) and 3 (B) is the applicable ground for the Processing to take place;
- the Processing of Your Personal Data by CS&A is computerized, and;
- Your right to transfer Your Personal Data does not affect the rights and liberties of others.
11. Unsubscribe from newsletter or change preferences
Do not like our newsletter? At the bottom of every newsletter, You will find the option to adjust Your preferences or to unsubscribe completely.
12. Retention of Your Personal Data
We will retain Your Personal Data on our systems only for as long as we need it, given the purposes for which it was collected, or as required to do so by law. For example, we are obliged to store financial data, such as invoices for at least 7 years, due to tax laws and regulation.
We retain contact information (such as mailing list information) until a user unsubscribes or requests that we delete that information. If You choose to unsubscribe from a mailing list, we may keep certain limited information about You so that we may honour Your request.
13. Questions, feedback and complaints
In addition, You have the right to lodge a complaint with a Supervisory Authority if You believe Your data protection rights are compromised by CS&A.
14. Version and future amendments