SD Worx privacy notice – marketing and CRM

By ‘we’, we mean SD Worx People Solutions NV (“SD Worx”). SD Worx is the controller of your personal data for these activities. Where you have opted in to receive more information about our services, if you attend one of our events, or if you already employ our services, SD Worx People Solutions will process your personal data for marketing and CRM purposes. This privacy notice does not cover any other processing activities of SD Worx. 

In the following sections of this privacy notice, we will explain what personal data we process about you for our CRM and marketing activities, and why. Other details will include who has access to your personal data, and how long we keep it. We’ll also point out what your individual rights for that personal data are and how you can exercise them, as well as other important information.

1. What personal data do we process?

For our CRM and marketing activities, we will process the following categories of personal data about you:

• Identification data, like your first name, last name, business email address, phone number;
• Professional information: your position and role with your organization;
• CRM information: whether you are a prospect with SD Worx or a commercial contact person, and information about your status as commercial contact person with SD Worx;
• Event information: any information we may ask you to provide in order to organize an event or webinar and support your attendance, e.g. dietary preferences, time of arrival, email address used for registration purposes.

We may collect this information directly from you during RFI/RPFs and related activities, or via forms that are present on our website which allow you to provide us with your contact details.

2. What we use your personal data for

We will use your personal data only as necessary for our marketing and CRM activities, delivery of newsletters, and organising webinars and/or events. This processing is carried out on the basis of our legitimate interest to carry out sound customer relationship management and delivery of marketing materials, or on the basis of your consent (e.g. by explicitly opting in to receive a newsletter about our services). 

3. Who has access to my personal data?

In this section, we want to make explain who can have access to your personal data, and why. As a strict rule, we make sure people, our suppliers, or other third parties only receive or have access to what is really necessary. For clarity’s sake, we distinguish between two kinds of recipients: those within SD Worx, and those outside of our organization.

Recipients within SD Worx

SD Worx is a global organization. Our marketing division includes team members located in our entity in Mauritius and Switzerland. The international transfer of personal data to Mauritius is covered by additional safeguards including standard contractual clauses which may be consulted here. The international transfer to Switzerland is supported by an adequacy decision of the European Commission.

Recipients outside of SD Worx

For our CRM and marketing activities to operate smoothly, we make use of several suppliers. These suppliers, also called processors, may host your personal data, or have access to it as part of a marketing campaign. We have strict contracts in place to make sure that they protect any personal data they receive or have access to. These parties are the following:

• Marketing agencies: we engage marketing agencies to support our campaigns and event organization.
• IT support agencies: to help troubleshoot and keep our platforms running, we may call on external agencies.
• Salesforce.com: this party hosts our CRM platform, and is based in the UK.

To support the international transfer of data towards Salesforce.com, based in the UK, we have implemented additional safeguards, called ‘standard contractual clauses’, which can be consulted here.

4. How long your personal data is kept for

We take care not to hold your personal data for longer than necessary. As a rule, your personal data will be retained as long as necessary for the purpose that it has been collected or is being processed. In some cases, we will be under a legal obligation to retain your personal data for a specific period of time. When a retention period has expired, we will either securely delete or safely anonymize the personal data that period applied to.

5. Your rights over your personal data

Data protection law provides you a number of rights. Here, we want to explain what those rights entail, and how you can exercise them. You have the following rights:

• The right of access 
  This right allows you to request a number of things from us. You can ask if we process personal data about you as well as more information where that is the case. This right also allows you to ask us to provide you with a copy of the personal data we process about you. Where you request such a copy (even if you ask for just a specific set of data), we have the right to withhold some data if providing it would infringe on the rights of others.

• The right to rectification
  You can always ask us to rectify any personal data about you that is incorrect. If your personal data is incomplete or if something is missing, you can provide us with the missing information so that we can complete it.

• The right to erasure
  Under specific circumstances, you can ask us to erase all or some of your personal data. By way of example, you can ask us to delete your personal data if a national or EU law obligates us to do so, where you successfully objected, or if it is no longer necessary for the purpose we originally collected it for. We will be able to refuse a request to delete personal data if, for example, we are under a legal obligation to retain it.

• The right to restriction 
  This right allows you to, in some cases, request we temporarily restrict your personal data from being processed. For example, you can ask us to restrict the processing of your personal data until we have corrected your data, if you claimed it was inaccurate.

• The right to data portability
  This right only applies under specific circumstances, and may not include all the personal data we process about you. You can ask for a copy of, in a commonly used and machine-readable format, the personal data you provided to us which we process with your consent or because we need it to perform a contract. Alternatively, you can ask us to provide the same personal data directly to a third party.

• The right to object
  You have the right to object to any processing we carry out in pursuit of a legitimate interest.

• The right to withdraw consent
  Where we process any of your personal data with your consent, you can always withdraw it. For example, if you are a prospect and opted in to receive our marketing emails, you can always unsubscribe from receiving them. Our processing of your personal data before you withdrew your consent, will remain lawful.

6. How can I exercise these rights?

If you want to exercise any of the rights above, we ask you to reach out to our Data Protection Officer via email to dataprotectionofficer@sdworx.com. 

It helps both of us if you make your request as specific as possible. In some cases, we may reach out to you to verify your identity. This way, we avoid any personal data ending up in the wrong place. We will do our best to respond to your request within a month of receipt or after having verified your identity. If your request is complex, this may take longer.

You also have the right to submit a complaint with your local supervisory authority. A full overview of these authorities can be found here. 

7. Version control

Whenever we make changes to our CRM activities, we will update this privacy notice as necessary. 

This version of our privacy notice was published on 15 June 2021