Cyber Protection Services Privacy Policy
Last Revised: 07 February 2023
Cyber Protection Services (hereinafter referred to as “CybPro”, “we”, “us” or “our”) is committed to protecting the privacy and security of the personal data it receives from its members in an open and transparent manner. The personal data that CybPro, as a data controller, collects and processes will vary depending on the services provided to you.
This Privacy Statement (“Privacy Statement”):
- sets out the types of personal data we collect, how we collect and process that personal data, including special categories of personal data (as defined below), whom we may share it with and why, and how you can exercise your privacy rights under the EU General Data Protection Regulation ((EU) 2016/679) (“GDPR”) and any laws or regulations supplementing or implementing the GDPR, including the Protection of Natural Persons with Regard to the Processing of Personal Data and the Free Flow of Such Data Law of 2018 (N. 125(I)/2018) as amended, replaced or superseded from time to time (together with the GDPR, the “Applicable Data Protection Legislation”); and
- relates to personal data collected from clients or the client’s representatives, whether such data concern them directly or relate to third parties who are natural persons.
For the Purposes of This Privacy Statement:
- when we refer to “personal data” or “personal information” we mean data that identifies or may identify you and which may include, for instance, your name, address, identification number, telephone number, date of birth, occupation, and family status.
- when we refer to “processing” we mean the handling of your personal data by us, including collecting, protecting, and storing your personal data.
- when we refer to “special categories of personal data” we mean information revealing your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union memberships, physical or mental health, sex life or sexual orientation as well as genetic and biometric data.
​​
Who We Are
Cyber Protection Services is a private cybersecurity limited liability company registered in Maryland, U.S., regulated by the Maryland State Laws and U.S. Federal Laws, having its registered office at 1420 Joh Ave Suite A, Halethorpe, MD 21227.
​
Other Websites
Our webpage may contain links to other websites which we do not control. This Privacy Statement does not apply to these other websites. We are not responsible for the privacy policies and practices of other websites and apps (even if you access them using links that we provide) as we provide links to those websites solely for your information and convenience. We specifically disclaim responsibility for their content, privacy practices, and terms of use, and we make no endorsements or representations about their accuracy, content, or thoroughness. When you leave our webpage, we encourage you to read the privacy policy of every website you visit.
​
Personal Data We May Collect
Depending on the service that we provide to you, we may collect and process the following personal data from you:
- Biographical and Identification Data, including your name, date of birth, email, gender, and signature.
- Contact Data, including your address, phone number, fax number, and email address.
- Financial and Payment Data, including your credit card and/or bank account number and other data necessary for processing payments.
- Profession and other Employment Information, including your current occupation, employer, and employment address.
- Additional “know-your-customer” (KYC) information, including your network information, number of and types of computers, and risk level for cyber-attack.
- Information pertinent to fulfilling our services to you, including information provided during the contractual or client relationship between you and your organization and CybPro, or otherwise voluntarily provided by you or your organization.
- Physical access data, i.e. CCTV images of your visits to our premises.
- Special categories of personal data. We will only process such personal data in limited circumstances, as described in section 7 of this Privacy Statement; and
- Criminal record data. We will collect such data where permitted by law, for example when we represent you in a criminal case and we need to collect information about the alleged offenses and any related criminal history.
​​
Personal Data About Other People
On certain occasions, during our client services, you may provide us with the personal data of individuals who are not aware of our involvement or of our processing of their personal data (such as family members, customers, counterparties, employees, directors, shareholders, or beneficial owners). In such cases, we are likely not to have direct contact with the individuals whose personal data we are processing, or it may for other reasons (such as, for example, to maintain confidentiality) not be appropriate for us to provide them with a privacy notice setting out how we handle their personal data. Before you disclose any such personal data to us, you must ensure that the relevant individuals have received this Privacy Statement or have otherwise been informed of our client services.
​
If You Fail to Provide Personal Data
Where we need to collect personal data to process your instructions or perform a contract we have with you, and you fail to provide that data when requested, we may not be able to carry out your instructions or perform the contract we have or are trying to enter with you. In this case, we may have to cancel our engagement with you, but we will notify you if this is the case at the time.
​
How We Collect Your Personal Data
We obtain your personal data mainly through any information you provide directly to us, through information provided by third parties, or through publicly available sources, as follows:
​
1. Direct interactions with you: We may collect personal data about you through the completion of our KYC forms by you, by corresponding with us by email, fax, or post, by speaking to us in person or over the telephone, or whilst visiting our offices. These interactions may include instances when you:
- enquire about our services or ask us to provide you with a quotation
- seek advice from us
- visit our premises
- give us personal data necessary for a specific client service we are performing for you, for the purposes of our KYC procedures, or
- give us your business card at an event or meeting, or otherwise personally give us your personal data.
2. Third-party sources: We receive personal data about you from third parties when:
- our KYC forms have been completed by your representative or your organization.
- other parties, including our existing clients, send us your personal data to enable the provision of our services (e.g. in cases where you are an underlying client).
- we interact with governmental or regulatory bodies or other authorities in relation to you or on your behalf.
3. Publicly available sources: We collect personal data concerning you from:
- public registers of companies (for instance, from the Registrar of Companies and Official Receiver).
- public registers of sanctioned persons and entities (such as the Office of Foreign Assets Control of the United States Department of the Treasury); and
- other public sources including any services accessible on the Internet which you are using for professional networking purposes such as, for example, LinkedIn.
​​
Why We Need Your Personal Data
We will only use and share your information where it is necessary for us to lawfully carry out our business activities. We may process your personal data in connection with any of the purposes set out below on one or more of the following legal grounds:
​
1. Contractual Necessity
We may process your information where it is necessary to enter an engagement with you for the provision of our cybersecurity services or to perform our obligations under that engagement. This may include processing to:
- take you on as a new client
- administer and manage our relationship with you or your organization and deliver client services to you
- communicate with you about the services you receive from us and notify you about any changes to our general terms of business, this Privacy Statement, or other policies which may affect you; and
- manage payments, fees, and charges and collect and recover money owed to us.
Please note that if you do not agree to provide us with the requested information, it may not be possible for us to provide you with our services.
2. Legal Obligations
We may process your personal data to comply with legal and/or regulatory obligations that we are subject to, including any obligations imposed on us by the government, as well as to keep records of our compliance processes.
3. Legitimate Interests
We may process your personal information where it is in our legitimate interests to do so as an organization and without prejudicing your interests or fundamental rights and freedoms. We may process your personal information:
​
A. in the day-to-day running of our business and financial affairs and to ensure that our processes and systems operate effectively. This may include processing to:
- monitor, maintain, and improve internal business processes, information, data, and technology solutions and services
- ensure business continuity and disaster recovery and respond to information technology and business incidents and emergencies
- protect the security of our communications and other systems and prevent and detect security threats or other malicious activities
- perform general, financial, and regulatory accounting and reporting
- manage access to our premises for security and crime prevention purposes
- exercise or defend our legal rights, or comply with court orders
- enable a sale, reorganization, transfer, or other transaction relating to our business.
B. to ensure that we provide you with the most appropriate services and that we continually develop and improve as an organization. This may require processing your personal information to:
- identify new business opportunities and develop inquiries into proposals for new business and develop our relationship with you
- communicate with you to keep you up to date on the latest developments, announcements, and other information about our services and solutions (including briefings, newsletters, and other information), events and initiatives, and
- assess the quality of our customer services and provide staff training.
4. Establishment, Exercise, or Defense of Legal Claims
We may process special categories of personal data that you may disclose to us to be able to act on your behalf in court proceedings or any administrative or out-of-court procedures.
​
Whom We Share Your Personal Data With
​
We may share your personal data with:
- certain service providers we have retained in connection with the cybersecurity services we provide, such as consultants, experts, and other specialists
- if we have collected your personal data while providing services to any of our clients, we may disclose it to that client, and where permitted by law to others for the purpose of providing those services
- any competent law enforcement body, regulator, government agency, court, or other third parties where we believe disclosure is necessary as a matter of applicable law or regulation or to exercise, establish or defend our legal rights
- suppliers and service providers who support our business including IT and communication suppliers, file storage, archiving and/or records management companies, and security solutions companies
- if we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets to whom we assign or novate any of our rights and obligations, and
- a person to whom you have given us your consent to disclose it.
​​
International Transfers
From time to time, your personal data may be transferred to and stored at a destination outside the United States (“US”) depending on the nature of the services we provide to you. When such a transfer occurs, we will use, share, and safeguard that information as described in this Privacy Statement and will ensure that at least one of the following safeguards is implemented:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the Federal Commission.
- If we engage service providers outside the US, we may put in place standard contractual clauses approved by the United States which give personal data the same protection it has in the United States.
We may additionally, on rare occasions, transfer your personal data to a party outside the US where we have your prior explicit consent to do so or where such transfer is necessary for the provision of our services to you.
​
How Long Do We Keep Your Personal Data For
​
We will keep your personal data for as long as we have a business relationship with you. Once our business relationship with you has ended, we may keep your personal data for the longest of the following periods: (i) any retention period set out in our retention policy which is in line with regulatory requirements relating to retention; or (ii) the end of the period in which any legal action or investigations might arise in respect of the services provided.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from authorized use and whether we can achieve those purposes through other means, and the applicable legal requirements.
We may keep your data for longer if we cannot delete it for legal, regulatory, or technical reasons. If we do, we will make sure that your privacy is protected and that your personal data are only used for those purposes.
​
Security
We are committed to ensuring that your personal information is secure with us and with the third parties who act on our behalf.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, processed, or accessed in an unauthorized way, altered, or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors, and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
We are currently working on getting accredited with ISO 27001, which is an international standard in relation to information security management, certifying that we have the relevant procedures in place as well as the software, hardware, and physical measures to protect data that are being processed by us. These measures are monitored, reviewed, and regularly enhanced to meet our professional responsibilities and the needs of our clients.
We have put in place procedures to deal with any incident that may lead to a security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
​
Your Data Protection Rights
We want to make sure you are aware of your rights in relation to the personal data we process about you. We have described those rights and the circumstances in which they apply further below.
You have the following rights in terms of the personal data we hold about you:
- Receive access to your personal data. This enables you to receive access or receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction of the personal data we hold about you. If you believe that any of the information that we hold about you is inaccurate or incomplete, you have a right to request that we correct the inaccurate personal information.
- Request the erasure of your personal information. You may request that we delete your personal information if you believe that:
a) we no longer need to process your information for the purposes for which it was provided
b) we have requested your permission to process your personal information and you wish to withdraw your consent,
c) we are not using your information in a lawful manner.
Please note that if you request us to delete your information, we may have to suspend the services we provide to you.
- Object to the processing of your personal data where we are relying on a legitimate interest and there is something about your situation which makes you want to object to processing on this ground. If you exercise your right to object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms or for the establishment, exercise, or defense of legal claims.
Depending on the circumstances, we may need to restrict or cease processing your personal data altogether or, where requested, delete your personal information. Please note that if you object to us processing your personal data, we may have to suspend the services we provide to you.
- Request the restriction of processing of your personal data. This enables you to ask us to restrict the processing of your personal data, i.e. use it only for certain things, if:
a) it is not accurate
b) it has been used unlawfully but you do not wish for us to delete it
c) it is not relevant anymore, but you want us to keep it for use in possible legal claims
d) you have already asked us to stop using your personal data, but you are waiting for us to confirm if we have legitimate grounds to use your data.
Please note that if you request us to restrict the processing of your personal data, we may have to suspend the services we provide to you.
- Request the transfer of your personal data. Where we have requested your permission to process your personal information or you have provided us with information for the purposes of entering a contract with us, you have the right to receive the personal information you provided to us in a portable format. You may also request us to provide it directly to a third party, if technically feasible. We are not responsible for any such third party’s use of your account information, which will be governed by their agreement with you and any privacy statement they provide to you.
To exercise any of your rights, or if you have any other questions about our use of your personal data, please contact us at privacy@cyberprotection.com. We will endeavor to address all your requests promptly.
​
Right to Complain
​
If you have exercised any or all of your data protection rights, or otherwise still feel that your concerns about the use of your personal data have not been adequately addressed by us, you have the right to complain by contacting us at privacy@cyberprotection.com.
​
Changes to This Privacy Policy
We reserve the right to update and change this Privacy Statement from time to time to reflect any changes to the way in which we process your personal data or changing cyber requirements.
We will notify you by email or otherwise when we make material changes to this Privacy Statement and we will amend the revision date at the top of this page. We encourage you to review this statement periodically so that you are always informed about how we are processing and protecting your personal data.