Legal notice and privacy

Introduction

Security is part of EBRC’s DNA. EBRC takes great care of your privacy and the protection of your personal data. EBRC implements the necessary and adequate measures in compliance with the laws and standards in force, so that you can browse the EBRC website safely according to your preferences.

Data Controller of your personal data

Your personal data collected from www.ebrc.com are processed by EBRC.
Therefore, the Data Controller is:
EBRC S.A.
5, rue Eugène Ruppert
L-2453 Luxembourg

When are your personal data collected?

While you browse the EBRC website, EBRC may collect your personal data when:

  • you gave your consent for the collection of optional cookies;
  • you get in touch with us by filling in one of our forms:
    • if you apply for a job via our website;
    • if you register for our newsletter;
    • if you contact the EBRC Data Protection Officer;
    • if you contact EBRC through the contact form.

EBRC will only collect personal data that are necessary to process your request. Data are collected and processed transparently and in accordance with the General Data Protection Regulation (hereinafter referred to as “GDPR”).

Purpose of personal data collection

Personal data collected by EBRC are subject to:

  • automatic processing with regard to cookies (aggregation of statistics and analyses of browsing so that EBRC can better understand the user interactions with EBRC website and improve its quality);
  • manual processing by EBRC teams when a contact form has been filled in.

With the “apply for a job” form, EBRC registers your application in its HR systems in order to analyse your profile and be able to get back to you.

The newsletter aims at informing you about EBRC events and services.
The “contact us” form allows you to contact EBRC for any question and/or request related to EBRC’s services.

Thanks to the “contact EBRC DPO” form, EBRC is compliant with the GDPR regarding your rights as an individual. In this case, EBRC will check your identity and will ask you to provide a copy of your ID.
For each of the purposes described above, the processing of your personal data is legally approved.

Nature of personal data collected

Your personal data or Personally Identifiable Information is all the data that allows us to directly or indirectly identify you.
Personal data that may be collected on www.ebrc.com are the following:

  • standard identification (last name, first name, email address, phone number, etc.);
  • identity card (or passport, when you fill in the “contact EBRC DPO” form);
  • professional identification (work experience, diplomas, CV, etc.);
  • technical data (IP address, date & time of connection, cookies, etc.).

Recipients of your personal data

Your personal data collected on www.ebrc.com are used by EBRC exclusively.
However, they can be transferred to:

  • third party subcontractors used by EBRC for some services, if you subscribe to them on our website (such as mass-mailing for the purpose of the newsletter, event organisation, etc.);
  • commercial partners, provided that you have given your prior consent.

EBRC could be obliged to transfer your personal data to a third party at the request of the regulatory authority or any administrative authority authorised by law.
Your personal data will not be transferred to any other third party.

Use of third-party services

EBRC may use third-party providers on the EBRC website to provide certain features. If you decide to use a third-party service while navigating the EBRC website, some data may be collected, recorded and transmitted to the third-party provider of the service you are using. The third party may collect, process and store your personal data based on your use of their service. Please refer to the Data Privacy Policy of the third-party provider of the service you are using for further information.

EBRC may collect the following data from your use of third-party services:

YouTube:
Purpose: Hosting of EBRC videos and integration on the website.
Data that may be collected by EBRC: statistics data such as number of views, viewing times, comments, etc.
Visit the YouTube Data Privacy Policy for more information about YouTube’s collection and processing of your personal data:
https://policies.google.com/privacy?hl=en-GB

Vimeo:
Purpose: Hosting of EBRC videos and integration on the website.
Data that may be collected by EBRC: statistics data such as number of views, viewing times, comments, etc.
Visit the Vimeo Data Privacy Policy for more information about Vimeo collection and processing of your personal data:
https://vimeo.com/privacy#data_we_collect_about_you
https://vimeo.com/cookie_policy

Cisco Webex:
Purpose: Organisation and broadcasting of webinars.
Data that may be collected by EBRC: name, surname, email address, viewing time of the webinar, questions, chat conversation, statistics data.
Visit the Cisco Data Privacy Policy for more information about Cisco collection and processing of your personal data:
https://www.cisco.com/c/fr_fr/about/legal/privacy-full.html#cookies

Eventbrite:
Purpose: Registration for EBRC’s webinars.
Data that may be collected by EBRC: name, surname, email address, phone number, job title, company name. Commercial and marketing information may be collected based on your opt-in.
Visit the Eventbrite Data Privacy Policy for more information about Eventbrite collection and processing of your personal data:

https://www.eventbrite.fr/support/articles/fr/Troubleshooting/politique-de-confidentialite-d-eventbrite?lg=fr

ISSUU:
Purpose: Hosting of publication and integration on the website.
Data that may be collected by EBRC: statistics data such as reading numbers, reading time, etc.
Visit the ISSUU Data Privacy Policy for more information about ISSUU’s collection and processing of your personal data:
https://issuu.com/legal/privacy

Leadseed:
Purpose: Self-assessment tool
Data that may be collected by EBRC: name, surname, email address, results and answers of the assessment.
Visit the Leadseed Data Privacy Policy for more information about Leadseed collection and processing of your personal data:

https://www.leadseed.io/wp-content/uploads/2020/02/190173-1-CGV-LeadSeed-FR-02-2020.pdf

Sarbacane:
Purpose: Emailing platform.
Data that may be collected by EBRC: statistics data such as clicks, opens, unsubscriptions, etc.
Visit the Sarbacane Data Privacy Policy for more information about Sarbacane collection and processing of your personal data:
https://www.sarbacane.com/vie-privee

Facebook:
Purpose: interactions with the social media.
Data that may be collected by EBRC: name, surname.
Visit the Facebook Data Privacy Policy for more information about Facebook collection and processing of your personal data:
https://www.facebook.com/help/cookies/

Twitter:
Purpose: interactions with the social media.
Data that may be collected by EBRC: name, surname.
Visit the Twitter Data Privacy Policy for more information about Twitter collection and processing of your personal data:
https://twitter.com/en/privacy

LinkedIn:
Purpose: interactions with the social media.
Data that may be collected by EBRC: name, surname, job title, work experience, company name.
Visit the LinkedIn Data Privacy Policy for more information about LinkedIn’s collection and processing of your personal data:
https://fr.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy
https://fr.linkedin.com/legal/cookie-policy?


Retention of your personal data

Your personal data are collected, processed and retained for a period appropriate to the above-mentioned purposes, in order to comply with the GDPR:

  • 3 years, from the end of the commercial relationship or if the prospect did not subscribe to EBRC’s service (marketing data);
  • 10 years, from the end of the commercial relationship for contractual issues (contracts, guarantees, claims, invoices, etc.);
  • 3 years, for the data transmitted in your job application process, if you were not selected;
  • 1 month (with a maximum of 2 months for extended requests as mentioned in the “Your rights” section) for the data transmitted to the EBRC Data Protection Officer as part of a rights request made by the person concerned.

Protection of your personal data

EBRC has implemented strong organisational and operational security measures in order to guarantee the security of your personal data. Those controls are also required by many of EBRC’s certifications (https://www.ebrc.com/en/company/awards-certifications).

EBRC’s employees who may handle personal data as part of their duties are subject to strict confidentiality. They only access personal data that are necessary for their duties and are regularly made aware of data protection aspects.

EBRC’s subcontractors are selected through a strict process. EBRC will not select subcontractors which are not compliant with the GDPR.

Notifications about incidents related to your personal data

In the event of a security incident involving your personal data (data leak, unwanted modification of your personal data, unavailability of your personal data), EBRC will follow a strict data breach procedure by performing an impact analysis and taking adequate remediation measures. If the incident requires notification of affected data subjects, you will be informed without delay and EBRC will contact the CNPD (Commission Nationale pour la Protection des Données).

Your rights

You have and can exercise the following GDPR rights at any time and within the limits set by law:

  • Access to your personal data (in order for you to know if and what data concerning you is being processed by EBRC and to obtain a copy of it);
  • Rectification of your personal data (if data are inaccurate or incomplete);
  • Restriction of the processing of your personal data (if the preconditions are met);
  • Objection to the processing of your personal data (for legitimate reasons, in particular for commercial prospecting purposes);
  • Deletion of your personal data (right to be forgotten);
  • Portability of your personal data (receive a copy of the personal data you have provided to EBRC in a universally readable format);
  • Request not to be subject to a decision based on automated processing, including profiling;
  • Withdraw your consent (for processing operations based on your consent).

You can exercise any of these rights free of charge by contacting us:

EBRC – Data Protection Office, 5, rue Eugène Ruppert, L-2453 Luxembourg.

In order for EBRC to satisfy your request and to avoid identity theft, EBRC may ask you (depending on the situation) to provide a copy of both sides of an official identity document. Such documents are used to confirm your identity and are immediately deleted from our system after confirmation.

EBRC will answer your request within a period not exceeding one month from the date of receipt of your completed request. This period can be extended to a maximum of two months in case of numerous or complex requests. In such a case, the appropriate authorities and data subjects are duly informed according to GDPR requirements.

You may also lodge a complaint with the CNPD (Commission Nationale pour la Protection des Données), via their website: www.cnpd.lu.

EBRC Coordinated Vulnerability Disclosure policy

Purpose of this policy:

This policy outlines how EBRC will coordinate the disclosure of information related to vulnerabilities which, if exploited, could lead to the confidentiality, integrity or availability of EBRC’s assets being compromised or degraded. EBRC’s assets include (but are not limited to) networks, systems or data.

How can you take part in this policy?

Security must be part of our DNA!

At EBRC, we are committed to addressing and reporting security issues through a coordinated workflow. We strongly encourage you to be a major player in this process.

This is why, if you discover a vulnerability in one of our assets, we would be grateful if you informed us so that appropriate action can be taken to resolve the vulnerability as quickly as possible.

In that way, your actions contribute to protecting our services.

We kindly ask you to:

  • Contact us by using our contact form,
  • Provide enough information regarding the vulnerability and your proof of concept,
  • Feel free to give us a copy of the code you used to perform your exploit as well as any information you deem useful,
  • Not abuse the vulnerability in a way which may harm EBRC or its clients,
  • Not access or modify any data in any account or system for which you do not have legal control,
  • Not disclose the vulnerability to other people until we inform you about its resolution,
  • Not make use of attacks on physical security, social engineering techniques or hacking tools, such as vulnerability scanners or DDoS attacks,
  • Comply with all applicable laws and regulations.

What we promise:

  • We will acknowledge receipt of your findings as soon as possible,
  • We will handle your report with all due confidentiality and ensure that your personal information is not shared with any third parties without your permission,
  • We will carry out a detailed assessment of your potential findings to determine their accuracy,
  • We will keep you informed of the progress towards resolution.

EBRC greatly appreciates the efforts made by security researchers who share their discoveries with us. This gives EBRC the chance to improve its services and offer better protection to our clients.

Thank you for your help and for being part of this process.

To contact us, please refer to our contact form. Our team will contact you shortly so you can send them additional information.