Cass Europe B.V. and Cass Telecom Expense Management UK Privacy Statement

We at Cass Europe B.V. and Cass TEM UK Ltd. ("Cass" or "we/our/us") respect your privacy and are committed to safeguarding and protecting your privacy in connection with the recording, organization, structuring, storage, adaptation, alteration, retrieval, collection, consultation, use, disclosure, dissemination, restriction, erasure or destruction (“processing”) of your Personal Data. We may process your Personal Data for a variety of reasons and in a variety of ways.

This privacy statement (“Statement”) contains important information regarding our privacy practices and the choices we offer you with respect to your Personal Data. If you choose to provide us with your Personal Data, you are telling us that you have read, fully understand, and accept the privacy practices summarized in this Statement. We strongly encourage you to read this Statement in its entirety to understand our privacy practices before submitting any Personal Data to us.

If you have any questions about this Statement and/or the processing of your Personal Data, please do not hesitate to contact our EU or UK Privacy Managers at +31 76 5315 384 or +44 1256 679510 or our US Privacy Manager at privacy@cassinfo.com.

This Statement will inform you about:

• GDPR
• Scope of this Statement
• How We Collect Your Personal Data
• Who Has Access to Your Personal Data
• International Transfers of Your Personal Data
• Legal Ground(s) for Processing Your Personal Data
• Purposes for Which We Process Your Personal Data
• Your Rights with Respect to Your Personal Data
• Protection of Your Personal Data
• Retention of Your Personal Data
• Revisions to this Statement
• Our Privacy Concern Handling Process
• Our Contact Information

GDPR

Cass is operationalizing compliance changes in connection with the new EU General Data Protection Regulation (GDPR). The GDPR replaces the Data Protection Directive 95/46/EC, and similar domestic legislation in EU Member States with respect to most (but not all) areas of data privacy and protection. Significant changes include, but are not limited to:

• Increased fines (up to €20 million or 4% of global annual turnover);
• Enhanced rights for individual data subjects;
• Increased accountability;
• Changes in the ways that personal data should be obtained and held, including a requirement to document personal data processing activities; and
• Changes in the rules for responding to data breaches, requiring most data breaches to be reported to the relevant data protection authority within 72 hours of discovery.

Scope of this Statement

This Statement applies to our processing of the Personal Data of our business contacts, vendors, directors, agents, and customers (including their representatives and service providers), when the General Data Protection Regulation (EU 2016/679) applies to such Personal Data.

Personal Data is any information that relates to an identified or identifiable natural person and is sufficient to enable such person to be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. We act as a data processor for purposes of these processing activities. In this Statement, we use the word “you” to refer to anyone within the scope of this Statement.

How We Collect Your Personal Data

We use Personal Data on a day-to-day basis to run our business, provide our services, enter into contracts, and to protect our interests. We collect Personal Data from you when you provide it to us, or when we collect it from you, for instance, in the course of your dealings with us, because you use certain services (such as our online reporting tools), or because your Personal Data is included in our customer's invoices, documentation, files, or systems.

Depending on the processing activity, the Personal Data we process in relation to you may include, without limitation:

1. First and last name;
2. Phone number;
3. E-mail address;
4. Nationality;
5. Address;
6. Data regarding your equipment, such as an IP address;
7. Data regarding your use of our IT systems; and
8. Information regarding your employer, your employment, or our client.

It is necessary to provide us with certain Personal Data in order for us to be able to provide you with our services, as applicable. In certain situations, if you do not provide us with your Personal Data, we may be unable to provide you with our services.

We may use various technologies to collect Personal Data about you when you visit and use our website, http://www.cassinfo.com (“Site”). These technologies may include:

• Cookies. Like many websites our Site may use “cookies.” A cookie is a small information file that some websites transfer to a user’s hard drive. We may use cookies to improve a user’s experience on our Site, for example, to personalize features of the Site for you, to analyze the traffic on the Site, to better understand visitor and customer usage of our Site, and to maintain and make improvements based on the information we collect. The use of cookies has become standard practice for websites, but whether you choose to accept or decline these cookies is entirely up to you. Most browsers are initially set up to accept cookies. You may set your browser to reject cookies and to let you know when a cookie is being placed on your computer. If you refuse cookies, you may not be able to use some of the functionality of our Site. Other third parties associated with the Site may also use cookies in connection with the services and websites to which the Site links. We do not control these third-party cookies.
• Web Beacons. Web beacons are small files that communicate with third parties and are embedded in web pages. We may use web beacons to deliver or communicate with cookies, to count users who have visited a web page, to understand usage patterns of our customers and visitors. We also may use web beacons to learn if emails have been opened, acted on, or forwarded. We also may include web beacons in newsletters and other promotional email communications that we send to subscribers in order to count how many newsletters or other promotional communications have been opened or read. You can disable the ability of web beacons to store cookie information by declining cookies. Our web beacons do not collect, gather, monitor, or share any Personal Data about customers or visitors to our Sites. They are merely designed to compile usage data.
• Other Technologies. Examples of other technologies we may use to provide better service to you when visiting the Site include:
  • Web Session Variables. Information that is passed from one web URL to another as you browse.
  • Browser plug-ins/add-ons. Additional web components that may need to be installed to enable certain web features on the Site. You have the option not to install these components.

To find out more about how Cass uses cookies, please read our Cass Cookie Policy.

Who Has Access to Your Personal Data

Access to Personal Data relating to you is limited. It is our policy that persons within the organization should only have access to Personal Data on a need-to-know basis.

Under certain circumstances, we may share your Personal Data with third parties:

• Because Cass is a global company, we may share your Personal Data with other subsidiaries, such as Cass Commercial Bank, and affiliates belonging to the Cass Information Systems Group, including those in the United States. These subsidiaries and affiliates will maintain the privacy of your Personal Data in accordance with this Statement.
• We may also disclose your Personal Data to our agents, such as suppliers and service providers, acting on behalf of or for Cass under our instructions for the limited and specific purpose of assisting Cass with its normal business operations. In no event will that limited and specific purpose be inconsistent with this Statement. In all cases, these agents may only use this information in connection with providing support for or services to Cass.
• In the context of establishing and maintaining a customer relationship with you, we may disclose your Personal Data to your service providers.
• Sometimes a directive, law, regulation, court order, or other judicial, regulatory, or supervisory process requires us to provide Personal Data to a governmental body or party to a private lawsuit.
• Finally, we may disclose certain Personal Data if Cass is involved in a merger, acquisition, or sale of all or a portion of its assets, or we are required to bring or defend against litigation or any regulatory proceeding between, or relating to, you and us, or we have reason to believe that disclosing such information is necessary to identify, contact, or bring legal action against someone who may be causing injury to or interference with (either intentionally or unintentionally) our rights, our property, our customers, or anyone else who could be harmed by such activities.

We will only transfer your Personal Data to the above mentioned third parties for the purposes stated in this Statement, and only to the extent that is permitted under the applicable data protection law.

Third parties to whom we transfer your Personal Data are themselves responsible for compliance with applicable data protection law. We are neither responsible nor liable for the processing of your Personal Data where we do not determine the purposes and means of the processing of that Personal Data.

International Transfers of Personal Data

We take steps to protect your Personal Data no matter what country to which it is transferred. We have procedures and controls in place, as appropriate, to help ensure this is the case. That said, in connection with our business, and for administrative, management, and legal purposes, when processing Personal Data in line with this Statement, we may transfer your Personal Data outside the European Economic Area (“EEA”), including to the United States. If we transfer your Personal Data outside the EEA, such as to our parent, Cass Information Systems, Inc., in the United States, we do so in accordance with applicable data protection laws, including on the basis of an EU Commission adequacy decision, where the transfer takes place pursuant to recognized appropriate safeguards, and/or where a specific derogation is permissible.

Furthermore, our parent company, Cass Information Systems Inc., and two affiliates, Cass Commercial Bank and Cass International, LLC are EU-U.S. Data Privacy Framework certified and adhere to the EU-U.S. Data Privacy Framework  Principles of Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement, and Liability (“EU-U.S. DPF Principles”).

If you would like to know more about how we protect your Personal Data when it is transferred outside the EEA, please contact our EU or UK Privacy Managers at +31 76 5315 384 or +44 1256 679510 or our US Privacy Manager at privacy@cassinfo.com.

Legal Ground(s) for Processing Personal Data

Under applicable data protection law, we are allowed to process Personal Data only if we can rely on one or more of the legal grounds for processing. The legal grounds we are most likely to rely on for processing Personal Data in relation to you are:

• Consent – In exceptional situations we may rely on your consent.
• Contract –The processing is necessary for performance of a contract with you/your company or to take steps at your request to enter a contract.
• Legal Obligation – The processing is necessary to ensure we comply with our legal and regulatory obligations. For example, to comply with our social insurance and tax-related obligations.
• Legitimate interests – The processing is necessary for our or a third party’s legitimate interests. We, as a service provider, or a third party on our behalf, may have legitimate interests in carrying on, managing, and administering our normal business operations and may need to process your Personal Data in connection with the same. Your Personal Data will not be processed on this basis if our or a third party’s legitimate interests are overridden by your own interests, rights, and freedoms.
• Vital interests – Where processing is needed to protect your vital interests (or someone else’s interests) and you are not capable of giving your consent. For example, in the case of a medical emergency.

Purposes for Which We Process Your Personal Data

Cass processes your Personal Data for certain purposes described below. As explained above, processing in this context might include transfers to third parties and/or transfers outside of the EEA. From time to time, we may publish specific notices setting out details regarding particular processes or programs being adopted by us.

• Customer Relationship – We may process your Personal Data for the purpose of establishing and maintaining a customer relationship with you and/or your service providers.
• Security – We may process your Personal Data for the purpose of ensuring physical, administrative, and technical security, including information gathered through the use of swipe and similar entry cards and sound and image data, such as CCTV or photographs.
• Order Processing – We may process your Personal Data for the purpose of handling the management and invoicing of shipments and orders.
• Corporate Transactions – We may process your Personal Data for the purpose of conducting corporate due dilligence (or permitting corporate due dilligence to be conducted) in the context of a potential merger or takeover.
• Legal Rights and Compliance Obligations – We may process your Personal Data for the purpose of meeting or complying with our legal, regulatory, or supervisory obligations or for the establishment, exercise, defense, or resolution of legal claims by or against you or a third party.
• Normal Business Operations – We may process your Personal Data for the purpose of meeting our day-to-day business operations. 

Cass does not engage in decision-making based solely on automated processing.

Your Rights with Respect to Your Personal Data

Under applicable data protection law, you may have the following rights:

• To obtain access to the Personal Data that we hold about you;
• To object on grounds relating to your particular situation to our processing activities where you feel they have a disproportionate impact on your interests, rights, and freedoms;
• To request to review, revise, correct, or update any of the Personal Data we may have about you free of charge, if you believe that your Personal Data that we possess is, or has become, incorrect or is incomplete;
• To request that we restrict the processing activities related to your Personal Data (and, where our processing is based on your consent, you may withdraw that consent, without affecting the lawfulness of our processing based on consent before its withdrawal);
• To request that we erase your Personal Data;
• To have Personal Data, which you have voluntarily provided to us, produced in a structured, commonly used, and machine-readable format, including for the purpose of transmitting it to another party; and
• To object to the processing of your Personal Data for direct marketing purposes.

Please note that the above individual rights are not absolute, and we may be entitled to refuse requests where certain exceptions apply. If you have given your consent and you wish to withdraw it, please contact our EU or UK Privacy Managers at +31 76 5315 384 or +44 1256 679510 or our US Privacy Manager at privacy@cassinfo.com.

Please note that where our processing of your Personal Data relies on your consent and where you then withdraw that consent, we may not be able to provide all or some aspects of our services to you and/or it may affect the provision of those services. If you have any questions about your rights regarding your Personal Data, please simply write to us at the postal address provided in our Contact Information below or contact our EU or UK Privacy Managers at +31 76 5315 384 or +44 1256 679510 or our US Privacy Manager at privacy@cassinfo.com, where you may initiate a request to access, reject, correct, restrict, or erase your Personal Data, or where you may initiate a request for transfer of your Personal Data or initiate a request that we refrain from sending you marketing information.

Protection of Your Personal Data

Cass takes reasonable and appropriate physical, administrative, and technical measures to protect Personal Data from loss, misuse, unauthorized access, disclosure, alteration, and destruction, taking into due account the risks involved in the processing and the nature of the Personal Data.

Retention of Your Personal Data 

We will retain your Personal Data only for as long as is necessary for the purposes set out in this Statement. We will retain and use your Personal Data to the extent necessary to comply with our legal obligations (such as, if we are required to retain your information to comply with applicable tax/revenue laws, resolve disputes, and enforce our agreements).

Where we rely on legitimate interests as a reason for retaining your Personal Data, we have carefully considered whether or not those interests are overridden by your rights and freedoms and have concluded that they are not.

Please note that for corporate law and tax purposes, in the Netherlands, we are required to keep certain data, which might include Personal Data we hold about you (whether directly or indirectly), for a period of seven (7) years after the information has lost its relevance, and in the UK, we are required to keep certain data, which might include Personal Data we hold about you (whether directly or indirectly), for a period of six (6) years after the information has lost its relevance. In certain limited cases, local legal requirements in the Netherlands and UK may result in the preservation or retention of Personal Data for longer periods of time.

Revisions to this Statement

Cass reserves the right, at its sole discretion, to change, modify, add, remove, or otherwise revise portions of our policies and this Statement at any time, consistent with the requirements of applicable law. If we change the Statement in a material way, we will provide appropriate notice to you. The “Effective Date” at the top of this Statement reflects the date of the most recent revisions.

Our Privacy Concern Handling Process

Cass is committed to resolving concerns about your privacy and our processing of your Personal Data. Individuals with inquiries or concerns regarding this Statement should first contact our EU or UK Privacy Managers at +31 76 5315 384 or +44 1256 679510 or our US Privacy Manager at privacy@cassinfo.com. In the event that resolution cannot be reached, individuals may also contact their local data protection authority (“DPA”), which may investigate your concern further.

The Netherlands
Autoriteit Persoonsgegevens
Postbus 93374
2509 AJ DEN HAAG
(+31) (0)70 888 85 00

UK
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
(+44) 0303 123 1113

Our Contact Information

If you have any questions or comments about this Statement and/or the processing of your Personal Data, please contact Cass at +31 76 5315 384 or +44 1256 679510 or at privacy@cassinfo.com. You may also write us at:

Cass Europe B.V.
EU Privacy Manager
Graaf Engelbertlaan 75
4837 DS 
Breda
The Netherlands

Cass TEM UK Ltd.
UK Privacy Manager
Belvedere House 
Basing View 
Basingstoke 
RG21 4HG 
United Kingdom 

Cass Information Systems, Inc.
US Privacy Manager
12444 Powerscourt Drive, Suite 550
St. Louis, Missouri 63131
United States