Notification C2X A/S ("C2X") Global Data Privacy Notification
This Privacy Notification is effective as of September 12th, 2023.
This Privacy Notification explains how C2X and its affiliated companies (“C2X”, “we”, “us”, “our”) use personal data about you on our websites, mobile applications, or other sites that display this Privacy Notification. This Privacy Notification will also apply to information gathered from your visits to our facilities.
In specific situations, other provisions apply or supplement this Privacy Notification:
• when using our websites, the Policy on Cookies supplements the Privacy Notification.
Protecting your personal data
With offices and operations throughout the world, personal data will be transferred or be accessible internationally throughout C2X global business. Any transfers throughout C2X global business takes place in accordance with the applicable local data privacy laws and regulations and for the European Union in accordance with the authority approved Binding Corporate Rules (“BCR”) for A.P. Moller Maersk A/S.
Our BCR reflects the standards contained in European data privacy laws and regulations (including the General Data Protection Regulation). Having our BCR means that all group entities, including C2X, which have signed up to our BCR have to comply with the same internal rules. It also means that your rights stay the same no matter where your data are used by C2X entities.
Maersk Binding Corporate Rules (BCR) can be downloaded here.
Types of personal data that we use, purpose and the legal basis
Our customers, business partners and others
If you are a customer, business partner or else to C2X, we use personal data about you in order to fulfil the agreement between the parties, e.g., the administration of the agreement, payment, delivery or receipt of goods and services etc., where we use:
i. Business contact information (e.g., name, address, email, and phone number)
ii. Job title
C2X is also legally required to document the personal data in financial transactions when fulfilling our agreement, e.g., when paying or receiving payment for delivery of goods and services etc.
If you contact us, we use personal data about you in order to document quality and compliance (for instance in relation to statutes of limitations, security, litigation, or regulatory investigations) where either:
• our legitimate interest in improving our legal position overrides your interest in the information not being used, or
• the personal data is being collected for performance of any contractual obligations,
are the legal bases for our use, where we use:
i. Contact information (e.g., name, address, email, and phone number)
ii. Other applicable information.
Sharing of Personal Data
In addition to us sharing your Personal Data with C2X group entities, we may in some situations also share your Personal Data with third parties such as business partners, suppliers, vendors, consultants, agencies, customers, consumers, governmental bodies, courts, and IT hosting, supply and service providers that we use for our group’s IT environment (Third Parties). We only share Personal Data where it is relevant and necessary for us to perform the activities described in this Privacy Notification, for example, the fulfilment of your order, the processing of your payment details, or the provision of support services.
Transfer and protection of your personal data
As a brand with offices and operations throughout the world, we will transfer Personal Data collected by us on an aggregated or individual level to various divisions, subsidiaries, joint ventures, and affiliated companies of C2X around the world for the purposes stated above and in accordance with applicable laws and regulations, as well as to contractors and sub-contractors to C2X (data processors and sub-processors) for storage and service purposes. Your Personal Data will not be disclosed to anyone outside C2X unless permitted or required under applicable legislations and regulations and where necessary subject to appropriate written assurances from third parties who have access to your personal data, in which they must guarantee that they will protect the data with security measures designed to provide an adequate level of protection.
Unless you are otherwise notified, any transfers of your Personal Data will be based on applicable local data privacy laws, which among other includes appropriate international data transfer mechanisms and safeguards such as an adequacy decision, Standard Contractual Clauses, and/or Binding Corporate Rules. You can always request a copy of the transfer mechanisms, which includes the transfer of personal data, by filling out this contact form.
We choose to use suppliers that implement security in accordance with industry practices for good IT security, and we only use encrypted data communications when transferring sensitive and confidential personal data. We also maintain organizational, physical, and technical security arrangements for all the personal data we hold. We have protocols, controls and relevant policies, procedures, and guidance to maintain these arrangements taking into account the risks associated with the categories of personal data and the using we undertake. We store personal data on servers with limited access located in secured facilities, and our security measures are evaluated on an ongoing basis. The servers are protected by anti-virus software and firewalls, among other measures.
Personal Data retention
C2X stores your personal data for as long as it is necessary to fulfil the purpose of the use, unless C2X is obliged under applicable laws and regulations or is entitled to store the personal data for a longer period, more specifically:
• We retain your personal data as long as we have an ongoing relationship with you (in particular, if you have an account with us or have not withdrawn your marketing consent).
• We will only keep the personal data while your account is active or for as long as needed to provide services to you.
• We retain your personal data for as long as needed in order to comply with our global legal and contractual obligations.
We will also retain your Personal Data where this is advisable to safeguard or improve our legal position (for instance in relation to statutes of limitations, security, litigation, or regulatory investigations).
Data Subjects rights
You are entitled, in the circumstances and under the conditions, and subject to the exceptions, set out in applicable law, to:
• Request access to the personal data we use about you: You have the right to ask us for information about or access to your personal data. There are some exemptions, which means you may not always receive all the data we use.
• Request rectification of your personal data: this right entitles you to have your personal data be corrected if it is inaccurate or incomplete.
• Object to the use of your personal data: this right entitles you to request that we no longer use your Personal Data. However, it only applies in certain circumstances, and we may not need to stop the use if we can give legitimate reasons to continue using your personal data.
• Request the erasure of your personal data: this right entitles you to request the erasure of your personal data in certain circumstances.
• Request the restriction of the use of your personal data: this right entitles you to request that we only use your personal data in limited circumstances, including with your consent.
• Request portability of your personal data: this right entitles you to receive a copy (in a structured, commonly used, and machine-readable format) of personal data that you have provided to us or request us to transmit such personal data to another data controller.
• Withdraw your consent: You can withdraw your consent at any time by opting out in the email or by contacting us. However, this will not affect our right to use personal data obtained prior to the withdrawal of your consent, or our right to continue parts of the use based on other legal bases than your consent.
• File a complaint: You can always lodge a complaint with a data protection authority, for example the Danish Data Protection Agency.
Please note that certain personal data may be exempt from the above-mentioned rights pursuant to applicable data privacy laws, or other laws and regulations.
Please contact our Chief Data Privacy Compliance Officer by filling out this contact form, or send a letter to Sundkrogsgade 7, 2100 Copenhagen Ø, Att.: Data Privacy if you have a general question about how C2X uses and/or protects your personal data, if you wish to exercise your rights, or if you wish to make a complaint about how C2X uses your personal data.