Privacy Statement of AOC

Introduction AOC wants to optimally protect your privacy. In this privacy statement you can read which personal data AOC collects from you and how it is processesed. This privacy statement applies to personal data that is processed when you visit the AOC website. AOC uses the personal data you share with us to further improve our products and services and your experience. This privacy statement is intended to provide you with a clear overview of how AOC uses the personal data you provide, your rights and possibilities to manage your personal data and how AOC protects your privacy. It also states which personal data AOC you collect when you visit its websites or stores or use its (mobile) apps and software products, as well as how AOC uses your personal data and with which third parties these data are shared.In this privacy statement you can also find out for what purposes your personal data can be used by AOC or its associated companies.

Amendments

AOC reserves the right to make changes to its privacy statement, for example due to legislative changes. The most recent version can always be found on this page.

Contact information

AOC is part of the TPV Technology Group and is based at Prins Bernhardplein 200 8, 1097 JB in Amsterdam, the Netherlands. The general email address is: info@tpv-tech.com. For all correspondence concerning privacy-related matters, please contact the data privacy officer of AOC which you can contact via privacy@tpv-tech.com or by telephone +31 020 504 6931.

This privacy statement has been updated on 25 May 2018.

AOC as controller

With regards to this website, AOC acts as a data controller, and thus determines the purpose and means for the processing of personal data, and the provisions of this privacy statement apply. If reference is made in the following to AOC, this also means its subsidiaries. These subsidiaries of AOC are established in various countries in the European Union and are responsible for the processing of your personal data if you use the services of that company in these countries. 

Introduction and scope of this privacy statement

AOC uses the personal data you share with us to improve our products and services and to offer you an optimal experience. By means of this privacy statement AOC gives you insight into how it uses your personal data, protects and offers you the possibility to manage your personal data yourself. Insight is given into what personal data is collected about you when you visit our websites or make use of our services and products, apps and applications, and with which third parties AOC shares your personal data. AOC uses your personal data for the purposes described below. 

Personal data collected about you

The term "personal data" as used in this privacy statement covers all information about an identified or identifiable natural person, in particular by means of an identifier such as a name, an identification number, location data, an online identifier or one or more elements that are characteristic for the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person. AOC collects various types of personal data including the following (if applicable): 

Automatically collected information

AOC also collects personal data through the use of its websites and apps for example:

·        Websites: data about your visit and surfing behavior. When you visit one of the AOC websites, data is sent from your browser to its servers. Thus, AOC collects personal data such as:

o   your IP address;

o   date, time and duration of the visit;

o   the referral URL (the site where the visitor came from);

o   the pages visited on our website;

o   and information about the device and browser (such as browser type and version, operating system, etc.

o   Cookies and similar techniques: AOC and its partners apply techniques to collect and store data during your visit to and use of its websites, such as sending one or more cookies or other similar techniques to your device. On the AOC Cookie page you can find more information about the use of cookies and other similar techniques and how to disable them.

o   Location data: If you use a service on a mobile device where your location is enabled, we will give you a prior notice for permission to collect and process your current location data, for example via GPS signals sent by a mobile device. You can usually disable the sending of your location via the settings of your device. We always inform you when we use location data.

Sources of information

Most of the personal data that AOC collects about you is information that you provided voluntarily, for example through our websites, services or products, etc. Other sources through which your personal data are obtained:

•       other parts of AOC; and

•       third parties (such as credit rating agencies, law enforcement / regulatory bodies and data smokers, etc.), which can also provide publicly available source data.

AOC will provide you with a copy of the personal data processed in this context.

Use of your personal data

The personal data that AOC collects, for example when you register for the website, are used for identification and authentication. AOC creates a profile for you with the information required to provide you with products or services. These can also be combined with personal data obtained through other internal and external sources. This personal data can be used for the following purposes:

1.       Improvement of products and services: your personal data are processed to create a profile of you with the aim of understanding how you use our products and services, enabling AOC to develop better and more relevant products and services and to improve the website (s). Processing in this way is necessary for the legitimate interest of AOC to offer better products and services to you and other customers.

2.      Providing customer service: in case of contact with customer service, personal data are processed, for example your order data and contact history, in order to process your request and provide service. The legality of this processing lies in the necessity of processing for the execution of a contract with a company of AOC or if we have to comply with a legal obligation. If there is no necessity on the basis of any of these grounds, processing is deemed necessary for the purposes of the legitimate interest of AOC to ensure that the best possible service is provided.

3.      Marketing: If you register for newsletters, use the website, purchase online products or services or provide feedback on this, a profile of you is created. Processing in this way is necessary for the legitimate interest of AOC to generate proper files about you. Your profile will be created in accordance with your preferences to provide you with a good personalized experience, to send you personalized marketing messages and newsletters and for surveys. The way in which your personal data are used for these purposes is described below.

o   Retargeting: AOC websites and apps can use techniques for retargeting, with the aim of showing visitors, who were already interested in the products and / or services, advertisements on partner websites. As far as retargeting takes place, this is done on the basis of your explicit consent.

o   Advertisements: collaborates with external partners, such as SSPs and DSPs that use tracking techniques to place advertisements on behalf of AOC on the internet. These partners collect personal information about your visits to websites or apps of AOC and your interaction in relation to, for example, advertisements. They will only collect this data insofar as you have given permission for the placing of cookies for marketing purposes. See also the cookie policy.

4.      Quality of data, profiling: if your personal data has been obtained through various sources, this data will be merged in certain cases to improve your understanding of your products and services (for example, data that you have provided directly, can be combined with data which are collected automatically, such as metadata, IP addresses, browse data, information obtained lawfully from third parties, and the like). This can be used to send you more personalized marketing messages or to create more effective marketing campaigns. Processing in this way is necessary for the legitimate interest of AOC to ensure that you receive the most appropriate offers of its products and to personalize your experience. You can opt out of combining personal data with the information obtained from other sources by contacting AOC.

5.      Analyses: personal data of you are used to perform analyses and investigations. Processing in this way is necessary for the legitimate interest of AOC to better understand customers and to ensure that services meet the needs of its customers. This concerns analyses, in which data (such as personal data and / or sensitive data obtained through the use of a AOC app or browsing history) are combined and stored to:

  • learn more about customers and preferences;
  • b)identify patterns and trends;
  • to be able to deliver data, content and offers that are tailored to customer needs;
  • for general research and statistical purposes;
  • develop new products and services;
  • to monitor the performance of products and services and / or to improve the use of used technology;
  • g)send personalized marketing messages;
  • h)to show you online advertisements

6.      Analysis of AOC itself: by anonymizing your personal data and merging with other personal data of customers, analyzing the sales, supply chain and finances, determining how AOC performs and where improvements can be made. Processing of personal data in this way is necessary for the legitimate interest of AOC to measure how it performs and to determine how to improve it.

AOC will ask you for permission if it wishes to use your personal data for purposes other than those stated in this privacy statement. AOC will not use your personal data for other purposes before such permission is received. 

Providing personal data?

AOC treats your personal information carefully and confidentially and does not share it with others other than those listed below.

 

Business units of AOC

Each business unit of AOC with whom you have contact may share a limited part of the personal data you provide with registration (if your name, e-mail address, password and date of birth) with other components of AOC for registration and authentication purposes . Processing in this way is necessary for the legitimate interest of AOC to be able to execute a contract with you. Each business unit may share information from your profile with other entities of AOC or TPV if both entities are responsible for your personal data, or if the other entities act as our processors. Therefore, every part of the AOC group has access to all the data it is responsible for, so that it can comply with the law. Each part of the AOC group may share your personal data and anonymous and assembled data with other business units of AOC (such as the parent company of the group and / or if necessary other parts of AOC for trend analyzes, is necessary for the purposes of their legitimate interest in analyzing their performance.

 

With service providers

Personal data, which you provide when you register for registration with AOC (your name, e-mail address, password and date of birth), can only share AOC with suppliers of cloud services, so that you can log in quickly and anywhere. If necessary, your personal data will also be shared with third parties who process your personal data on behalf of AOC solely for the purposes and on the legitimate grounds described above. These can be third parties in the areas of hosting, transport, payment and fraud management, credit rating agencies and analysis platforms. Strict agreements have been reached with these third parties regarding the processing of your personal data, including the exclusive use of your personal data in accordance with the instructions of AOC and the law.

 

Judicial bodies or supervising authorities

AOC will release personal data if required by law or on the basis of a court decision, to protect your interests, for investigations by law enforcement or regulatory authorities, to protect and defend the property and legal rights of AOC and to ensure the personal safety of users of the AOC services.

Retention periods

AOC will keep your personal data 39 months from your last contact with us, such as the date your account was deleted, your last purchase, the last time you used one of our apps, or in any other way of interaction or contact, unless a longer or shorter storage period is required by law, this is necessary in connection with legal processes, or is otherwise required for a particular purpose under the applicable legislation.

Below are examples to indicate how long AOC stores your personal data in relation to a specific purpose:

Data processing outside the EU and EEA

Unless otherwise stated, your personal data will be stored and processed within the European Union. Occasionally, your personal data may be processed outside the European Economic Area ('EEA') in a country that does not offer the same level of protection under European law as the country where you normally use your products and / or services. This may occur, for example, if a processor is located outside the EEA, or uses sub-processors from outside the EEA, such as suppliers of cloud solutions. AOC will take the necessary steps in such cases to ensure that your personal data are adequately protected, such as carrying out security assessments and drawing up processor agreements with recipients to ensure that they take the same or comparable technical and organizational measures as AOC, so that your data is adequately protected.

Children's data

AOC does not, as data controller, process any personal data of children under the age of 16. If this happens unintentionally, steps will be taken to remove this data as quickly as possible, unless the law requires that this data must be retained. If it is known that a child is older than 16 years, but according to the law is considered as a minor, permission from the parent / guardian will be requested before the personal details of that child will be used.

Your rights

AOC fully complies with the obligations laid down in the General Data Protection Regulation, with the principle of transparency as paramount. To this end, AOC has implemented means to ensure that you can exercise any rights in connection with the processing of your personal data.

Right of inspection, rectification, removal

If you use products or services or have created an account, you can view your personal data via these websites, if the functionality exists. If your personal data are not available by the relevant website, you can submit an application free of charge to gain access to this information.

Upon receipt of your request and details to verify your identity, you will be provided with a copy of the personal data held by you, the origin of the data, the purposes for which the personal data are used, the recipients and on which you based the law. You can also indicate that certain changes in personal data, if you qualify them as incorrect or irrelevant, must be implemented. You can also have your personal data blocked, erased or completely deleted (right to be forgotten). You may also contact us in writing to object to a certain use of your personal data, to limit its use or to request that your personal data be provided in a usable electronic format or to transfer it to a third party (right to data portability). All these applications are met by AOC within the framework of the legal obligations.

Changes to this policy

AOC will regularly update this online privacy statement in order to keep it easily findable, error free and up-to-date and to ensure that sufficient information is available about your rights and that AOC 's way (s) of processing have been implemented in accordance with the law and continue to comply with it. If major changes are made to this privacy statement, you will be informed via the websites on which an updated version of the privacy statement is published.

AOC wants to cooperate with you in a good way and always find a suitable solution for complaints or care about privacy. If you are of the opinion that we could not help you with your complaint or care, you have the right to file a complaint via the website of your supervising authority.

TECHNICAL AND ORGANIZATIONAL SAFETY MEASURES

 

Introduction

AOC under art. 28 GDPR has the obligation to ensure the implementation of sufficient technical and organizational security measures. AOC shall ensure that appropriate technical and organizational security measures are implemented to protect your personal data against unauthorized or unlawful processing and unintentional loss, destruction or damage.

I.            Description of the measures that ensure that only authorized personnel have access to the Processing of Personal Data

AOC uses an authorization policy to determine who should have access to which data. Employees do not have access to more data on the basis of this system than is strictly necessary for their job.

II.           Description of the measures to protect personal data against unintentional or unlawful destruction, accidental loss or alteration, unauthorized or unlawful storage, processing, access or disclosure

Organization of information security and communication processes

·         AOC has established an information policy plan in which an information security coordinator has been appointed who identifies risks relating to the processing of personal data, promotes security awareness, checks facilities and takes measures to ensure compliance with the information security policy.

·         Information security incidents are documented and used for optimization of the information security policy.

·         AOC has set up a process for communication about information security incidents (databreach procedure).

Staff members

  • AOC stimulates awareness, training and training with regard to information security.
  • Employees do not have access to more data than is strictly necessary for their job based on an authorization system.

Physical security and continuity of resources

  • Personal data are only processed in a closed, physically secure environment with protection against external threats.
  • Personal data are only processed on equipment where measures have been taken to physically secure the equipment and to ensure the continuity of the service.
  • Periodic backups are made for the continuity of the service. These backups are treated confidentially and stored in a closed environment.
  • The locations where data are processed are secured by means of locks, alarm systems and video surveillance and are periodically tested, maintained and periodically assessed for safety risks. AOC has business continuity plans that include contingency locations.

Network, server and application security and maintenance

  • The network environment in which data is processed is strictly protected. Traffic flows are separated and measures are implemented against abuse and attacks.
  • The environment in which personal data are processed is monitored.
  • The digital services and products in which personal data are processed are established on the basis of system planning, security control and acceptance. Changes in applications are tested for vulnerabilities before they are taken into production.
  • On systems, the latest (security) patches are periodically installed on the basis of patch management.
  • Data processed within applications are classified according to risks.
  • Penetration tests and vulnerability assessments are performed periodically.
  • Information that is no longer used is removed.
  • Cryptographic measures have been applied to passwords to store these data securely.

III.          Description of the measures to identify weak points with regard to the Processing of Personal Data in the systems

The systems of AOC are periodically checked for safety. In addition, the security policy of AOC provides internal processes to identify vulnerabilities.

Reporting

The processor constantly updates this information and informs users about changes to the measures taken to protect personal data against abuse via the AOC website. In case you detect security risks, please contact the helpdesk of AOC.

Inform about Databreach and / or incidents related to security

The way in which monitoring and identification of databreaches takes place:

AOC monitors its services 24/7 and has taken measures to prevent and identify unauthorized or unlawful access to data. Signals that indicate a Databreaches are assessed by the security officer of AOC, who analyzes whether there may be a Databreach, the type of databreach and whether this concerns a Databreach that falls under its role as processor or its role as controller.

The way information is shared:

If a Databreach occurs with regard to personal data that AOC processes as a processor, the controller is informed by or on behalf of AOC in principle within 24 hours after detection of a Databreach by e-mail. Depending on the situation, information can also be shared by our website and official social media channels and / or official distributors and / or commercial agents.

If a Databreach occurs with regard to personal data that AOC processes as controller, the Dutch Data Protection Authority will be informed within 72 hours after detection of a Data Leak, and in case of adverse consequences for data subjects, then these will also be informed in the manner provided for by the law, so that they can take measures.

For follow-up actions or questions, you can contact our helpdesk by telephone or e-mail via the data included in the privacy statement.

AOC shares the following information when a Databreach occurs:

•                 The characteristics of the incident, such as: date and time of determination, summary incident, feature and nature incident (on what part of the security sees it, how did it occur, does it relate to reading, copying, changing, deleting / destroy and / or steal personal data);

•                 The cause of the security incident;

•                 The measures taken to prevent possible / further damage;

•                 Identifying those involved who may be affected by the incident and the extent to which they may be affected;

•                 The size of the group of stakeholders;

•                 The nature of the personal data affected by the incident (in particular, special data, or data of a sensitive nature, including access or identification data or financial data).

If a specific situation, AOC can make a (first) notification of a Databreach to the Dutch Data Protection Authority.