Effective Date: 1st of January 2024
This Privacy Policy explains how Cybersecurity Strategy Consulting ("we," "us," or "our") collects, uses, and protects your personal data when we engage with you, primarily through our business-to-business (B2B) outreach and when providing our cybersecurity strategy consulting services. We are committed to protecting your privacy and complying with:
The EU General Data Protection Regulation (EU GDPR)
The UK General Data Protection Regulation (UK GDPR) for data subjects located in the United Kingdom.
The Swiss Federal Act on Data Protection (FADP) for our operations within Switzerland.
The Privacy and Electronic Communications Regulations (PECR) for electronic communications in the UK.
The Telecommunications-Telemedia Data Protection Act (TTDSG) in Germany.
The Law for Confidence in the Digital Economy (LCEN) and the French Data Protection Act in France.
The Personal Data Protection Code (Legislative Decree No. 196/2003, as amended) in Italy.
Your Data Controller
Cybersecurity Strategy Consulting is a sole proprietorship providing tailored security planning, documentation, and advisory services. We are based in Switzerland.
For the purposes of this Privacy Policy, we are the Data Controller for the personal data we collect from you directly (e.g., via our contact form or email) or indirectly (e.g., through B2B data providers or publicly available sources) for our own business operations, including lead generation, marketing, and service delivery.
Our Contact Details:
Cybersecurity Strategy Consulting
george.ghiultu@seconsulting.ch
Bern Area Switzerland
We collect minimal personal data that is strictly necessary for our legitimate business purposes. This primarily includes:
Your professional contact information: This typically consists of your business email address, and may include your name, job title, and the name of the company you work for.
Information you provide voluntarily: When you contact us or request services, you may provide additional information such as your company-related details needed for a quote or service delivery (e.g., industry type, company size).
For Private Individuals: When you engage us for digital hygiene checks or one-on-one coaching sessions, we collect your name, email address, and phone number (if provided). Any further information gathered during these sessions (e.g., details about devices or online accounts) is directly relevant to providing the agreed-upon cybersecurity advice.
We do not intentionally collect or process sensitive personal data (for example 'special category data' under Article 9 GDPR, such as health records) or other high-risk identifiers such as national ID numbers or financial details through our general contact forms or initial outreach. Please do not include such information in unsolicited messages to us.
We collect personal data in the following ways:
Directly from you: When you contact us via email, or fill out a form (e.g., our contact form, or a service inquiry form).
Indirectly from publicly available professional sources: We sometimes collect professional contact information from publicly accessible sources, such as company websites, professional networking platforms (e.g., LinkedIn), and business directories.
From reputable B2B data providers: We use B2B sales intelligence platforms to identify and obtain professional contact information. These providers state that they collect and process data in compliance with relevant data protection laws, including GDPR, and enable us to target our outreach to relevant professional roles and industries. We remain the controller for our own use of this data, and this Privacy Policy is how we inform you of that use.
We use your personal data for the following purposes, based on the specified lawful bases under EU GDPR, UK GDPR and Swiss FADP:
To respond to your inquiries and provide quotes:
Lawful Basis: To take steps at your request prior to entering into a contract (Article 6(1)(b) UK GDPR, Article 6(1)(b) EU GDPR, Art. 31(2)(a) FADP). Where a direct contractual relationship is not immediately pursued, our lawful basis is Legitimate Interest (Article 6(1)(f) UK GDPR, Article 6(1)(f) EU GDPR, Art. 31(2) FADP - Overriding Private Interest) in responding to direct communications and fostering potential business relationships.
To deliver consulting services:
Lawful Basis: Performance of a Contract (Article 6(1)(b) UK GDPR, Article 6(1)(b) EU GDPR, Art. 31(2)(a) FADP) when we have an agreement in place to provide our services.
For Business-to-Business (B2B) Direct Marketing Outreach:
Lawful Basis: Legitimate Interest (Article 6(1)(f) UK GDPR, Article 6(1)(f) EU GDPR, Art. 31(2) FADP - Overriding Private Interest). We have conducted a Legitimate Interest Assessment (LIA) and determined that our interest in offering relevant cybersecurity solutions to businesses, particularly SMEs in the UK and the wider EMEA region, aligns with the reasonable expectations of professionals in roles related to cybersecurity, IT, or management. Our use of B2B sales intelligence platforms allows us to target individuals by professional role, industry, and company size, so that our outreach is relevant and proportionate. Our electronic marketing communications also comply with the national laws transposing the ePrivacy Directive (e.g., PECR in the UK, TTDSG in Germany, LCEN in France, and the Personal Data Protection Code in Italy). Every outreach message includes a clear opt-out mechanism.
To manage opt-out requests and maintain suppression lists:
Lawful Basis: Legal Obligation (Article 6(1)(c) UK GDPR, Article 6(1)(c) EU GDPR, Art. 31(2)(b) FADP) to comply with your unsubscribe requests and prevent unwanted future communications.
We do not sell your personal data, and we do not share it with third parties for their advertising or similar commercial purposes. The only third parties that handle your data are the cloud service providers that host our systems (see the section on data storage below), and they process it solely on our behalf.
Outreach & Lead Data: Our B2B outreach is strictly targeted at roles relevant to cybersecurity, IT, or management within companies, utilizing tools like B2B sales intelligence platforms for precise targeting. We aim to contact individuals where our services address general cybersecurity challenges and offer potential benefits to businesses like theirs.
Security Assessments (for clients/prospects): As part of service delivery or audit preparation, SME clients may be asked to complete a security questionnaire. This questionnaire focuses solely on collecting organizational and technical data relevant to your company's cybersecurity posture (e.g., industry type, security tools, infrastructure, risk exposure, incident history). This information is used solely to develop a tailored cybersecurity strategy. It does not request any personal data (such as names, personal email addresses, or personal phone numbers) from the individuals completing it. Any necessary professional contact information for follow-up regarding the assessment will be collected separately via our standard contact methods.
For Private Individuals (Coaching/Hygiene Checks): For private individuals, our assessments are conducted through one-on-one meetings to understand your specific needs for digital hygiene checks and secure configurations. No formal questionnaire is used in these cases.
Your personal data (primarily email addresses and any associated internal identifiers or random reference numbers) is held, password-protected and encrypted, in cloud storage within our Google Workspace environment (which includes Drive, Gmail and Forms). Access to this data is strictly limited to the business owner.
We implement appropriate technical and organizational measures to protect your data against unauthorized access, alteration, disclosure, or destruction.
We retain your personal data for as long as necessary to fulfill the purposes for which it was collected, including for legal, accounting, or reporting requirements.
For marketing contacts (from outreach), we generally retain your data for 24 months from our last meaningful communication or until you unsubscribe.
If you unsubscribe or opt-out, your email address will be added to a suppression list and securely retained solely for the purpose of ensuring you are not contacted again in the future. No further marketing messages will be sent, and the data will not be used for any other purpose.
For private individuals receiving digital hygiene checks or coaching sessions, data related to service delivery will be retained for the duration of the engagement plus a reasonable period afterward (e.g., 24 months after the last session) to allow for any follow-up questions, comply with legal obligations, or defend against potential claims.
EEA to Switzerland: Switzerland benefits from an adequacy decision by the European Commission, meaning that the EU has deemed Switzerland to provide an adequate level of protection for personal data. This ensures that your data transfer from the EU to Switzerland is considered lawful under EU GDPR.
UK to Switzerland: Similarly, Switzerland is recognized as providing an adequate level of data protection by the UK government, facilitating lawful transfers from the UK.
We use GDPR-compliant platforms (such as Google Workspace) that adhere to strong data protection standards. Where such a provider processes data outside Switzerland, the EEA or the UK (for example in the provider's own data centres), we rely on the safeguards in the provider's data processing terms, such as the Standard Contractual Clauses, for the international transfer.
This website does not directly use cookies, tracking scripts, or analytics tools for the purpose of collecting your personal data or monitoring your browsing behaviour.
However, please be aware that as this site is hosted on and uses services provided by Google, certain cookies may be set by Google's infrastructure for the security and essential functionality of this website. These cookies are typically necessary for the proper operation and security of the website (e.g., to distinguish between human users and automated bots, or to maintain session integrity) and are not used by us to track your individual browsing activity across other websites. For information on how Google handles data, please refer to Google's Privacy Policy.
Should our direct use of cookies, tracking scripts, or analytics tools change in the future, you will be clearly notified via an updated Privacy Policy and, where legally required (for example under the UK PECR or the German TTDSG, which require consent for non-essential cookies), given the explicit option to consent before such cookies are set.
Under EU GDPR, UK Data Protection Law (UK GDPR) and Swiss Data Protection Law (FADP), you have significant rights regarding your personal data:
Right to be Informed: To receive clear and transparent information about our data processing activities.
Right of Access: To request a copy of the personal data we hold about you.
Right to Rectification: To request correction of inaccurate or incomplete personal data.
Right to Erasure ("Right to be Forgotten"): To request the deletion of your personal data, subject to certain conditions (e.g., if you unsubscribe, or the data is no longer necessary for its original purpose).
Right to Restrict Processing: To request that we limit the way we use your personal data.
Right to Object: To object to the processing of your personal data for direct marketing purposes (which you can do by replying "Unsubscribe" to our emails). You can also object to processing based on legitimate interest if there are compelling reasons related to your particular situation.
Right to Data Portability: To receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller, where technically feasible.
To exercise any of these rights, or if you have a question, please contact us using the contact details given above. We will respond within the statutory time limit (normally one month under GDPR).
If you have concerns about how we handle your personal data, please contact us directly in the first instance. If you remain dissatisfied, you have the right to lodge a complaint with:
For EU data subjects: The supervisory authority in your Member State of habitual residence, place of work, or place of the alleged infringement. You can find a list of all national data protection authorities in the EU here: https://edpb.europa.eu/about-edpb/about-edpb/members_en
Specifically for German data subjects: The Federal Commissioner for Data Protection and Freedom of Information (BfDI) or the relevant state data protection authority: www.bfdi.bund.de
Specifically for French data subjects: The National Commission for Informatics and Liberties (CNIL): www.cnil.fr
Specifically for Italian data subjects: The Garante per la protezione dei dati personali (Italian Data Protection Authority): www.garanteprivacy.it
For UK data subjects: The Information Commissioner's Office (ICO), the UK's independent authority for data protection issues: www.ico.org.uk
For Swiss data subjects: The Federal Data Protection and Information Commissioner (FDPIC): www.edoeb.admin.ch
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The latest version will always be available on our website. We encourage you to review this policy periodically.
For any questions or concerns regarding this Privacy Policy or your data, please contact us using the contact details given above.
© 2024 Cybersecurity Strategy Consulting. All Rights Reserved