Authority: Management Board
Approved by: Soufiane Jbara
Responsible: Compliance Officer/Legal Department
Reference: P-1 Privacy Statement and Cookies Policy
Date: July 2023
Employees Concerned: All Employees
- Human Resources
- Sales Trading
- Legal and Compliance
- IT Department
Version History: V1
- Created: July 2023
- Come into Force: July 2023
Reviewed and Modified:
1.1. This is the Privacy Statement of OTC FLOW B.V., with its registered office in Amsterdam the Netherlands (“OTC FLOW”). This Privacy Statement sets out how we handle personal data, which we do with all possible care. OTC FLOW is the controller with respect to the processing of personal data as covered in this privacy statement.
1.2. If, after reading this Privacy Statement, you have any questions about how we handle your personal data, or if you wish to exercise your rights under the General Data Protection Regulation (“GDPR”), or under any other data protection legislation, or if you wish to make a complaint about our use of your personal data, you may contact us at email@example.com. More information can be found on the website of the Dutch Data Protection Authority: https://www.autoriteitpersoonsgegevens.nl.
1.3. Our contact details areas follows:
OTC FLOW B.V.
1019 HE Amsterdam
2. Personal data of contacts at counterparties
2.1. Processed personal data, purpose and legal basis.
2.1.1 We process the contact details (name, company name, phone number, email) of our contact persons at our counterparties. The legal basis for this is that the data are necessary to enter into and perform the contract concluded with a counterparty.
2.1.2 We record the conversations in the trading room with contacts of counterparties to register proof of trades and to improve our services. This processing is necessary in view of OTC FLOW’s legitimate interest to be able to prove that an agreement was concluded and to ensure the transparency of our communication with the counterparties.
2.1.3 We also use the counterparties’ contact details in connection with relationship management. This processing is necessary given OTC FLOW’s legitimate interest to maintain a good relationship with its counterparties.
2.2. How long is personal data kept
2.2.1 We keep the personal data of our contact persons at counterparties for seven years after the final transaction with that counterparty is completed. We keep our administration, including invoices and other documents that include the personal data of parties, for a period of seven years after the end of the financial year, in order to comply with our statutory retention obligation for tax purposes.
2.2.2 The recordings of conversations in the trading room are kept for five years. Extensions may occur, up to seven years, when a competent authority undertakes complicated regulatory investigations in the course of exercising its supervisory powers.
3. Personal data of natural persons and entities within the context of the CEE scheme
3.1. We process personal data of natural persons within the context of the French dispositif des Certificats d’économies d’énergie (CEE), further to French Loi 2005-781 du 13 Juillet 2005,when submitting CEE files to the (EMMY) register in accordance with the applicable French legislation. We process this personal data in view of our legitimateinterest to perform our activities. In addition, the legal basis for this isthe consent we ask from each involved natural person.
3.2. We keep the personal data of natural persons and legal entities within the context of the French dispositif des CEE for nine years after a file is submitted to the competent authority. This period is prescribed by applicable French law.
4. Personal data of contacts of prospective or former counterparties
4.1. We process the contact details (name, company name, telephone number, email) of contacts at prospective and former counterparties to contact them to offer our services and to send them holiday wishes. We process this personal data in view of our legitimate interest to business development.
4.2. The personal data of prospective counterparties is deleted at the request of the data subject, or ultimately two years after the final communication with the person concerned.
5. Personal data of persons who contact OTC FLOW
5.1. If we are contacted via our website, by email, social media, or telephone, we process the data that is provided to us. This typically includes the name, email and telephone number, and the content of the contact. We use this information, where relevant, to contact the person concerned, for instance, to answer a question. We may add this data to our files. We process this personal data in view of our legitimate interest to provide quality and efficient commercial support services.
6. Personal data of persons involved in the process of recruitment and application
6.1. We process the personal data provided to us by prospective employees or obtained from a recruitment agency or via LinkedIn and other online job boards. This may include name, address, email, telephone number, CV, and all information the CV contains. If an applicant is invited for an interview, we process, in addition to the information mentioned above, all other information the applicant provides us with. This may include information about education, work experience, and references.
6.2. The legal basis for processing personal data within the context of recruitment and application procedures is that this processing is a necessary step to enter into an agreement, and in view of OTC FLOW’s legitimate interest to proceed with recruitment procedures and hire new staff.
6.3. Information about applicants that are not hired is deleted right after the application process/interviews unless the candidates have given their consent to OTC FLOW to keep their details for a year after the end of the application procedure. This term is necessary for us to evaluate the applicants’ applications, create a talent pool that is of great value to us, and possibly contact the applicant about future opportunities consistent with this policy and the expressed interests and qualifications. The applicant can exercise his or her rights as described in article 11 below, at any time.
7. Personal data of visitors of the OTC FLOW website
8. Other contact details
We keep other contact details for one year after the final contact, or until a request is submitted to us to delete them.
9. Sharing data
Personal data is stored electronically and may be included in emails wesend or receive and is stored (and processed) by our IT provider. We mayconclude data processing agreements with these providers that stipulate atleast the same level of security and reliability that you may expect from us.
Our accountant, auditors and supervisory authorities may have access tothe personal data of contact persons at counterparties.
We may also share the data of contact persons at counterparties withthird parties where this is necessary to provide our services or required bylaw or a regulator. We may for instance share your data with sellers, buyers, atrading venue or with the Pôle National des Certificats d’Economies d’Energieand the obligé within the sense of the CEE scheme or with any nationalauthority as provided in the schemes of specific products we trade.
The data collected via cookies is processed by the providers of those cookies. Please see our cookie statement for more information.
Apart from the situations mentioned above, we do not share personal data with third parties, unless we are obliged to provide certain data under the applicable laws or regulations, for instance to the police under a warrant.
10. Security measures
We have adopted a strict security policy, including appropriate technical and organizational measurements, to protect your personal data against loss, abuse, and unauthorized access by third parties. We apply strict access authorization, both offline and online, and our servers are regularly backed up, and our connections are secure. Our servers are located in the Netherlands.
11. Your rights
You have the following rights:
11.1. The right to access your personal data and to receive a copy thereof;
11.2. The right to have your personal data rectified if they are incorrect or incomplete;
11.3. The right to object to the processing and/or (in certain circumstances) to restrict the processing of your personal data;
11.4. In certain circumstances, the right to have your personal data erased (“right to be forgotten”);
11.5. The right to receive your personal data;
11.6. The right to lodge a complaint with a supervisory authority (Autoriteit Persoonsgegevens in the Netherlands).
11.7. For more information about these rights and when you may exercise them, see Articles 15 to 20 of the GDPR.
11.8. You may exercise your rights by contacting us via the email or telephone number mentioned at the beginning of this Privacy Statement.
12.1. Sometimes changes may occur in the personal data we process or in the applicable legislation. In that event, we may amend this Privacy Statement.
13.2. In this policy, we use the term “cookies” to refer to cookies and other similar technologies covered by the EU Directive on privacy in electronic communications.
13.3. What is a cookie?
13.3.1 A cookie is a small piece of data that a website asks your browser to store on your computer or mobile device. The cookie allows the website to “remember” your actions or preferences over time. Most Internet browsers support cookies; however, users can set their browsers to decline certain types of cookies or specific cookies. Users can delete cookies at any time.
13.5. What types of cookies do we use?
13.5.1 Essential cookies
13.6. How are cookies used?
Cookies help us collect aggregated audit data and research. We do not provide any personal information that we collect to advertisers.
13.7. How do I reject and delete cookies?