Version 2.0 DD March 27, 2018

The Personal data Policy concerning the processing of personal data and information on effective requirements for protection of personal data.


General provisions & Services

This Personal Data Policy (“Policy”) is applicable to the processing of Personal Data by Mindbox.Cloud B.V. (“Mindbox”) on behalf of its customers inside the European Economic Area (“EEA”) (“Customers”) in respect of the following services Mindbox offers to its Customers inside the EEA: Customer Data Platform, Multi-Channel Campaigns, Loyalty and Promotions, Support and constant improvement and all other future services to be delivered by Mindbox to its Customers inside the EEA (“Services”).


This Policy on the processing of personal data is developed in accordance with the provisions of the EU General Data Protection Regulation (“GDPR”) and determines general principles and the order of personal data processing and measures to ensure their safety at Mindbox.

Processor & Controller

Mindbox processes personal data on behalf of its Customers inside the EEA in respect of the Services and therefore acts as a processor in the sense of the GDPR (“Processor”). Mindbox’ Customers determine the purposes and means of the processing of personal data in respect of the Services inside the EEA and therefore act as a controller in the sense of the GDPR (“Controller”). The Customers are responsible for, and shall be able to demonstrate, compliance with the GDPR.

Purpose of processing

The processing of personal data by Mindbox on behalf of its Customers is only allowed in respect of providing the Services inside the EEA. Mindbox is not allowed to process personal data for its own purposes and means. Should Mindbox nevertheless process personal data for its own purposes and means in respect of the Services inside the EEA, then in such case only, Mindbox acts as a controller in the sense of the GDPR.

Personal data

Mindbox processes on behalf of its Customers in respect of the Services the following personal data inside the EEA: full name, e-mail address, address, telephone number, bank account, date of birth, cookies, IP address, [please fill in]. The processing of personal data concerning criminal convictions, special categories of personal data and biometric personal data, may be carried out by Mindbox solely in the cases and manner under instruction and on behalf of the Customer or established by applicable legislation.

Principles of personal data processing

The processing of personal data by Mindbox is carried out in accordance with the following principles:

  • Lawful, fair basis and transparent manner for the processing of personal data.

  • Limitation of the personal data processing by reaching concrete, priorly specified and legitimate purposes.

  • Processing of only such personal data which corresponds to the priorly stated purposes of their processing.

  • Preventing the unification of databases containing personal data, processing of which is carried out for purposes that are not compatible with each other.

  • Providing the accuracy, adequacy and relevance of personal data in relation to the purposes of personal data processing.

  • Personal data must be kept in a form that permits identification of data subjects for no longer than it is necessary for the purposes of personal data processing. Personal data may be stored for longer periods insofar as the data will be processed solely for archiving purposes in the public interest, or scientific, historical, or statistical purposes in accordance with applicable legislation and subject to the implementation of appropriate safeguards.

  • Destruction or pseudonymisation of personal data after the achievement of the stated purposes of their processing or in case of loss of necessity to achieve such purposes.

  • Personal data shall be processed in a manner that ensures appropriate security of those data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Third parties

Mindbox shall not disclose personal data to third parties or distribute it without the instruction of the Customer, unless otherwise stipulated by applicable legislation. Mindbox shall not conduct the crossborder transfer of personal data, unless agreed between Mindbox and its Customers or stipulated by applicable legislation. Cross-border data transfers to a recipient in a third country may only take place if the third country receives an Adequacy Decision from the European Commission in accordance with the EU applicable legislation.

Confidentiality of personal data

Mindbox shall ensure the confidentiality of the processed personal data on behalf its Customers, under the procedure provided by applicable legislation. Confidentiality is not required with respect to personal data after its pseudonymisation, personal data, to which an access of an unlimited amount of persons is provided by the personal data subject or on the request of the subject, personal data which is subject to publication or mandatory disclosure under applicable legislation.

Rights of personal data subjects

Personal data subjects have the following rights under the GDPR with respect to personal data: right to information, right to access, right to rectification, right to withdraw consent, right to object against processing for specific purposes (such as direct marketing), right to object to automated processing, right to be forgotten and Right for data portability (copy of personal data in a commonly used machine-readable format). Data subjects need to claim and exercise their rights at Mindbox’ Customers. In case data subjects wish to invoke their rights at Mindbox, then data subjects can use the contact form on Mindbox’ website, in which case Mindbox shall send the request to the applicable Customer who is responsible for proper settlement of the request. Data subjects may also submit complaints on the processing of personal data (if any) to the applicable local Data Protection Authority.


If applicable, the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent. In all cases the Customer shall have the obligation to provide evidence of obtaining the consent of personal data subject for the personal data processing or evidence of the grounds specified by applicable legislation.

Protection of personal data

Protection of personal data processed by Mindbox is supported by the realization of legal, organisational and technical measures necessary and sufficient to ensure that the requirements of the applicable legislation in the field of personal data protection are met.

Tell us a little about yourself

We’ll respond within 24 hours

Partnership request

Typically we’re answering within 24 hours