Privacy Statement - Docunify
Victor Buck Services is a société anonyme located at 13-15 Parc d’Activités, L-8308 Capellen in Luxembourg and carrying on business as service provider of a web-based application as a service called “Docunify” and related support and maintenance services (“Services”).
The protection of your privacy is paramount to Victor Buck Services and this Statement informs you on how your personal data are processed when providing Services to you in accordance with the provisions of the Regulation n°2016/679 of the European Parliament and of the council of 27 April 2016 (“GDPR”).
Victor Buck Services may as Data Controller or Data Processor depending on the context and the purpose of the processing.
Victor Buck Services acts as Data Controller:
- when it collects personal data for the purpose of offering or providing our various services to you or our clients or performing any other activities related to the operation of our business, including our marketing and communication activities in accordance with Victor Buck Services’ Privacy Terms available at https://www.victorbuckservices.com/Information-Pages/Privacy-statement and/or
- when it collects personal data (identification data e.g. name, email addresses, phone numbers, IP address…) necessary for the purpose of setting up (create accounts) and/or maintains the Services.
Both processing are based on article 6. 1. b) of the GDPR i.e. necessary for the performance of Services as described in a contract.
In order to provide Services, the following sub-contractors may be used only for the purpose of support or maintenance services: Ascertia (Signing Hub product) for the electronic digital signature; Open Office for the edition of documents; and Wondershare (Foxit product) for the edition of “pdf” documents; and Mpulse for the One-Time-Password (OTP).
Data retention: Personal Data will be kept by Victor Buck Services for the duration of the contract executed with you and/or according to the applicable legislation.
Victor Buck Services acts as Data Processor concerning the processing of personal data i.e. the storage or transmission of documents in which personal data may be embedded and shared by Customers or Users.
Such processing is based on the legal basis described in article 6-1 b) of the GDPR i.e. necessary for the performance of Docunify’ services foreseen in a contract.
Data retention: Personal Data will be kept by Victor Buck Services for the duration of the contract executed with you and to a maximum 60 days upon termination of services provided to you unless otherwise agreed.
Victor Buck Services’ activities are certified ISO/CEI 27001:2013 and data are stored on Tier IV Data centers located in the Grand-Duchy of Luxembourg. Security mechanisms are described in https://www.victorbuckservices.com/Information-Pages/Data-Privacy-Policy.
Exercise of Data Subjects Rights (when VBS acts as Data Controller)
Regarding the processing of a data subject request, once Victor Buck Services has verified the identity of the data subject making the request (using “reasonable means”), Victor Buck Services will provide an answer within a time period of a month.
If the request is made electronically, Victor Buck Services should provide the information in a commonly used electronic format.
This time period could be extended by two months where the request is complex or Victor Buck Services receives a high number of requests. In such cases, Victor Buck Services will inform the data subject within one month of the receipt of the request and explain why the extension is necessary.
Victor Buck Services can refuse to comply with a request if the request is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.
If Victor Buck Services considers that a request is manifestly unfounded or excessive it can:
- request a "reasonable fee" to deal with the request; or
- refuse to deal with the request.
In either case, Victor Buck Services will justify its decision. Victor Buck Services will base the reasonable fee on the administrative costs of complying with the request.
Right of access
According to Article 15 of the GDPR data subjects have the right to access their personal data and supplementary information. The right of access allows data subjects to be aware of and verify the lawfulness of the processing.
Under the GDPR, data subjects will have the right to obtain from Victor Buck Services:
- confirmation that their data is being processed;
- access to their personal data; and
- other supplementary information.
Right to rectification
Under Article 16 of the GDPR data subjects have the right to have inaccurate personal data rectified. A data subject may also be able to have incomplete personal data completed – although this will depend on the purposes for the processing. This may involve providing a supplementary statement to the incomplete data.
Right of erasure (to be forgotten)
Under Article 17 of the GDPR data subjects have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.
Data subjects have the right to have their personal data erased if:
- the personal data is no longer necessary for the purpose which Victor Buck Services originally collected or processed it for;
- Victor Buck Services is relying on consent as its lawful basis for processing the data, and the data subject withdraws his/her consent;
- Victor Buck Services is relying on legitimate interests as its basis for processing, the data subject objects to the processing of his/her data, and there is no overriding legitimate interest to continue this processing;
- Victor Buck Services is processing the personal data for direct marketing purposes and the data subject objects to that processing;
- Victor Buck Services has processed the personal data unlawfully;
- Victor Buck Services has to do it to comply with a legal obligation; or
- Victor Buck Services has processed the personal data to offer information society services to a child.
Right to restrict processing
Article 18 of the GDPR gives data subjects the right to restrict the processing of their personal data in certain circumstances. This means that a data subject can limit the way that an organisation uses his/her data. This is an alternative to requesting the erasure of his/her data.
Data subjects have the right to restrict the processing of their personal data where they have a particular reason for wanting the restriction. This may be because they have issues with the content of the information Victor Buck Services holds or how Victor Buck Services has processed his/her data.
In brief, the right to restrict processing implies that, when applied, Victor Buck Services will only keep the personal data (store it) without doing any further processing until the restriction of processing is applicable.
Data subjects have the right to request Victor Buck Services restrict the processing of their personal data in the following circumstances:
- the data subject contests the accuracy of their personal data and Victor Buck Services is verifying the accuracy of the data;
- the data has been unlawfully processed and the data subject opposes erasure and requests restriction instead;
- Victor Buck Services no longer needs the personal data but the data subject needs Victor Buck Services to keep it in order to establish, exercise or defend a legal claim; or
- the data subject has objected to Victor Buck Services processing his/her data under Article 21(1), and Victor Buck Services is considering whether its legitimate grounds override those of the data subject.
Right to data portability
The right to data portability allows data subjects to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability where technically feasible (cf. Art. 20 (2) GDPR).
The right to data portability only applies to personal data a data subject has provided to a controller (Victor Buck Services); where the processing is based on the data subject’s consent or for the performance of a contract; and when processing is carried out by automated means.
Right to object
Data subjects have the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority, direct marketing (including profiling) and processing for purposes of scientific/historical research and statistics.
You may exercise your access, rectification, erasure, data portability rights and request restriction of or object to the processing in accordance with the applicable data protection legislation at the following email address: firstname.lastname@example.org or by post to the attention of Victor Buck Services – DPO, IVY Building, 13-15 Parc d'Activités, L-8308 Capellen. You have the right to lodge a complaint with the CNPD any information that could identify those individuals.
All processing of personal data done by Victor Buck Services (as a controller) is well defined and all purposes set in accordance with the GDPR.