Processor agreement

Code of Conduct CMC Worldwide BV with regard to the data protection policy (GDPR)

The protection of personal data is extremely important. CMC Worldwide B.V. (hereinafter referred to as CMC) therefore wants to inform its customers and debtors as much as possible about its data protection policy, which it applies in accordance with the European General Data Protection Regulation (GDPR). CMC undertakes to manage the data safely and legally in order to ensure correct processing of cases.

Below is the information about what data CMC collects, why, how long and to what extent data subjects have control over this.

The GDPR provides a definition of both "processing" and "personal data":
Processing: an operation or a set of operations relating to personal data or a set of personal data, whether or not performed via automated processes, such as collecting, recording, organizing, structuring, storing, updating or modifying, retrieving, consulting, using, providing by means of transmission, dissemination or otherwise making available, aligning or combining, blocking, erasing or destroying data;

Personal data: all information about an identified or identifiable natural person ("the data subject"); an identifiable natural person who can be identified directly or indirectly, in particular by means of an identifier such as a name, an identification number, location data, an online identifier or one or more elements characteristic of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.

As the law prescribes, CMC does not process sensitive data such as data on racial or ethnic origin, political opinions, gender preferences and health.

The processor is CMC Worldwide BV ( hereafter referred to as CMC), whose registered office is at Hanzeplein 11, 8017 JD, Zwolle, the Netherlands. Both in income upon subrogation, as with direct debit mandate, CMC itself determines what data it processes, where it collects data for a mandate by its own means, as well as to which ends the collected data is used (eg. to perform an address search, to deliver a summation, to carry out a home visit or to pay a wage transfer, to enrich the received data via internal enrichment as well as via external data quality partners, to answer questions of the debtors involved, to handle complaints from government agencies or consumer organizations.

This code of conduct applies to both individuals and customers of CMC as far as natural persons are concerned. This therefore concerns both consumer debtors and business debtors as customers, as far as natural persons are concerned. This code of conduct also applies when a visit is made to our office, to address visits by our mandatories, when using our websites and any apps owned or being managed by CMC. CMC and the third parties affiliated to CMC will fulfill their obligations and respect the rights of data subjects whenever we and / or our partners process data.

CMC only processes the personal data necessary to achieve the intended purpose. With regard to recovery files, i.e. collection files, this concerns the information necessary to collect a claim, possibly through insolvency proceedings or legal proceedings (such as the address and telephone number of the person concerned or his mandatary and for example not the external characteristics of someone). The processing of particular data is also prohibited, such as the health status of the person concerned: the only information that someone is "hospitalized" and therefore temporarily cannot fulfill a payment agreement or collect a hospital invoice that mainly contains payment data, is possible; Processing that someone suffers from a certain illness is too concrete and will not be done.

Their use is - more concretely - permitted in the following cases:

  • In the context of the preparation or execution of a contract , such as in the case where CMC is subrogated in the rights and obligations of the original creditor. In this case, CMC enters into the rights and obligations of the original creditor, making it itself creditor;
  • To comply with the legal provisions (in the broad sense) to which CMC is subject;
  • When CMC has a legitimate interest for this , where it must always be applied proportionately. An example of this is the case where CMC manages a dossier by mandate. A mandate (also called proxy or agency) is an agreement whereby the client is a person or company (CMC in this case) responsible for carrying out acts (i.e. closing payment in regards to a demand of the client-creditor).
  • When CMC has received permission to store and / or process the data.


  1. CMC trains its employees to manage confidential data correctly.
  2. In the case of privacy-sensitive projects, an estimate is also made with regard to security and the protection of personal data.
  3. Specific persons are authorized for the information security policy.
  4. CMC relies on internal and / or external specialized partners who are responsible for the security of its network, infrastructure and information systems. CMC also uses technical and organizational measures to protect personal data, such as: password protection, firewalls, antivirus, intrusion and anomaly detection and access controls for its employees.
  5. In the event of recourse to a processor of personal data (such as an independent or a company and its support company), CMC will enter into a processing agreement with the relevant processor, stating that the processor will only act after instruction from CMC and is subject to the same obligations regarding data protection.
  6. In case of a breach in the processing of personal data of a person, which is probably a high risk of damage to the his / her rights and freedoms, then CMC, as data processor, shall inform the person involved in clear and understandable terms about the nature of the infringement, its likely consequences and about the measures taken or still to be taken, and the contact point where more information can be obtained. In this case, CMC shall inform the Data Protection Authority without unreasonable delay and, if possible, no later than 72 hours after he becomes aware of it, unless it is unlikely that the personal data breach involves a risk to the rights and liberties of natural persons.
  7. CMC uses a risk-based approach: this means that it takes protective measures in relation to the risk level of the data processing activities.

When a proposed processing of personal data is likely to constitute a high risk to the rights and freedom of individuals with regards to the nature, scope, context and purpose, a preliminary data protection impact assessment is executed.

The use of new technologies may be an indication that there may be such a high risk. This is all the more the case if CMC develops different means (for example, collection trajectories, joining systems) which are linked to a group of persons (e.g. different collection trajectories depending on the region or age of those involved or antecedents at any collection company or the whether or not the persons have gone through insolvency proceedings before).

Such a data protection impact assessment specifically means:

  • a systematic description of the intended processing operations and the processing purposes, including, where appropriate, the legitimate interests represented by the controller;
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • an assessment of the risks to the rights and freedoms of data subjects;
  • the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons involved.
  • this code of conduct is taken into account in the data protection impact assessment.

CMC does not pass on personal data to third parties unless:

  • This is necessary for the provision of services within the framework of its purpose (discharge of the file). For some aspects of CMC's services, we work with third parties. These include external IT services maintaining CMC's computer system, printing partners, officers carrying out home visits or lawyers and bailiffs that CMC may enlist. CMC ensures that these third parties, just like CMC, manage the data safely & respectfully.
  • There is a legal obligation. The most common example of this is the confiscation of documents by government inspectors who are authorized to do so in connection with investigations in compliance with the law.
  • CMC has received the permission required. A frequently occurring case concerns lawyers of those involved (who are legally deemed to have a mandate from the person concerned) .
  • For investigations: In some cases, CMC uses anonymous data for research and, if applicable, reporting to the government or for press releases. These data can never be traced back to a certain individual.

The right of inspection and copy

Data subjects have the right to (free of charge) access the data that concern them. The following can be retrieved:

  • Whether CMC processes personal data;
  • What CMC processes it for;
  • Which categories of personal data CMC processes;
  • With which categories of third parties CMC shares personal data;
  • What the origin is of the processed data;
  • Which logic CMC uses when it automatically processes certain personal data. The right of inspection can be exercised in writing via a letter to CMC. In order to exercise the right of access, and to prevent any unauthorized disclosure of personal data, CMC must receive formal identification of the person the requested data concerns. In the event of a mandate, CMC must also receive formal identification of the person requesting the information as well as a signed mandate. CMC therefore requests that a copy of the front of the identity card of the applicant person be added to the application. CMC will respond promptly, and at the latest within 4 weeks , to a request from the person concerned. This period starts when the application has been received in writing and all relevant information for fulfilling the request is in the hands of the controller. The controller also provides the data subject with a copy of the personal data being processed. If there is any reason to believe that the CMC does not handle the request correctly, the management of CMC can be consulted, which monitors compliance with its deontology . The management investigates every possible complaint on the merits. After a complaint is registered, a receipt message is sent to the person who submitted it. If it appears that the complaint is justified, CMC (s requested to provide a solution, which is communicated to the complainant. For the sake of completeness, CMC informs you that if you do not respond to the request, you will be refused a response or if the answer does not meet the expectations, you always have the right to lodge a complaint with the Data Protection Authority, which will then intervene.

Right to improvement, deletion and right not to be assessed solely on the basis of automated processing
Data subjects have the right to have incomplete, incorrect, inappropriate or outdated personal data removed or changed. CMC can be contacted directly for this.
CMC will then adjust or remove this information if the request is correct. CMC will monitor the updating of data of the data subjects so that they remain up-to-date and correct. To keep data up-to-date, we request the data subjects to report any change to CMC, such as a move or change of e-mail address. This often concerns information that is already contained in the underlying contract. Finally, the person concerned is in principle entitled not to be subject to a decision based solely on automated processing which has legal consequences for him or which affects him to a considerable degree.

CMC maintains a register of all processing activities. This register will include: which data will be processed, for which purpose this data will be processed, who will be the recipients of the data, where they will be stored, how they will be protected and what the retention period is.

The personal data are only kept to the extent of and for as long as necessary for the purpose for which they were collected (collection of unpaid claims). Data is retained for a minimum of the applicable limitation period, but no longer than 20 years after the end of the subrogation or mandate, in case of interruption of the limitation period or any further liabilities. Those involved have, taking into account the above mentioned paragraph, the right to erase data if the retention of the data is no longer necessary in view of the purpose of the processing, if the retention is unlawful or if this has to be done on the basis of a statutory duty. Those archived data will only be accessible to a limited extent during the last-mentioned retention period.

CMC’s websites (,, and related) can be visited without disclosing personal data. In case those involved interact with the status of their file and even suggest payment facilities, this only happens via individually assigned secure codes.

Contacting CMC can be done in writing, by telephone, electronically or via the respective websites. The right of access to data of the data subject as well as requests for rectification or removal must be made in writing as stated under point 7 .


The personal data that CMC collects through these various channels (for example, via written or telephone responses from the person concerned, through home visits) will be included in its files. Those involved can always request the latest version from CMC. In case of contradiction, this code of conduct has priority over older codes of conduct.