Sarens Bestuur NV, with registered office at Autoweg 10 B-1861 Wolvertem, registered with the Belgian Crossroads Bank for Enterprises under number 0451.416.125 and all its affiliates (hereinafter referred to as “Sarens”), attaches importance to the protection of the personal data processed by them.
Sarens undertakes to comply with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the “GDPR”).
By this policy Sarens intends to provide information about the processing of personal data and the rights of the data subjects. This policy describes, among other things, the measures taken by Sarens to protect privacy in the context of Sarens’ services, including the use of its website.
For the proper understanding of the terminology used in the context of this policy statement, a number of terms are defined below, as the case may be in accordance with the GDPR:
- Data Subject: means a natural person, as the case may be the Client, whose Personal Data have been provided explicitly or implicitly to Sarens by him or by a Client.
- Personal Data: means any information relating to an identified or identifiable natural person (‘Data Subject’) in terms of the GDPR.
- Controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data, being, as the case may be Sarens.
- Client: means a client to whom Sarens provides services or to whom it has provided services in the past.
- Processing or to Process: any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, adoption, or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Processor: means a natural or legal person, public authority, agency or another body which processes Personal Data on behalf of the Controller.
- Personal Data Breach: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Processed Personal Data.
- Website: website of Sarens (www.sarens.com)
APPROVAL FOR PROCESSING
By contracting with Sarens (i.e. by signing a contract agreement) and/or by visiting the Website and/or by transferring Personal Data to Sarens via the Website and/or in any other way and to the extent that the Processing is not based on any other ground for Processing as set out in article 6 GDPR:
- Data Subject, in case it provides Personal Data, gives Sarens the permission to Process all data, including Personal Data relating to the Data Subject, in accordance with the purposes described below,
- Client guarantees, in case it provides Personal Data of Data Subject, that it has the necessary permissions and/or legal basis to give Sarens the permission to Process all data, including Personal Data relating to the Data Subject(s), in accordance with the purposes described below.
THE COLLECTION AND THE NATURE OF THE PERSONAL DATA
Sarens collects Personal Data in a variety of ways:
- Directly: We obtain personal data directly when we are establishing a business relationship or performing professional services through a contract. We may also obtain personal data directly, including obtaining personal data from individuals who provide us their business card, complete our online forms, subscribe to our newsletters and preference center, visit our offices and attend meetings or events we host.
- Indirectly: We obtain personal data indirectly about individuals from a variety of sources, including recruitment services and our clients. We may attach personal data to our customer relationship management records to better understand and serve our business clients, subscribers and individuals, satisfy a legal obligation, or pursue our legitimate interests.
- Public sources. Personal data may be obtained from public registers, news articles, sanctions lists, and Internet searches.
- Social and professional networking sites. If you register or login to our websites using social media (e.g., LinkedIn, Google, or Twitter) to authenticate your identity and connect your social media login information with us, we will collect information or content needed for the registration or login that you permitted your social media provider to share with us. That information may include your name and email address and depending on your privacy settings, additional details about you, so please review the privacy controls on the applicable service to set how much information you want shared with us.
- Recruitment services. We may obtain personal data about candidates from an employment agency or when you apply for vacant roles on our Website (subcontracted part of our Website).
Personal Data therefore include amongst other things, surname and first name, contact details, such as the address, the telephone number, the e-mail address, identification data such as the VAT number and the national register number, data concerning civil status and data relating to employment or professional activities. CCTV at our sites may collect images of visitors. Our policy is to automatically overwrite CCTV footage within 30 days.
We do not collect any Special Categories of Personal Data about you (nothing about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
Our website is not intended for children and we do not knowingly collect data relating to children.
THE PURPOSE OF PROCESSING PERSONAL DATA
We aspire to be transparent when we collect and use personal data and tell you why we need it, which typically includes:
- Providing professional services within the framework of our contracts (including the administrative follow-up of the files and execution of agreements),
- Promoting our services, products and capabilities to existing and prospective business clients with a view to conducting efficient client management,
- For advertising and marketing purposes, such as newsletters, events and business courtesies (such as Christmas and New Year cards),
- Administering, maintaining and ensuring the security of our information systems, applications and websites.
To find out more about cookies, including how to manage and delete them, visit www.allaboutcookies.org
- Seeking qualified candidates, and forwarding candidate career inquiries to our team, which may be governed by different privacy terms and policies.
- Processing online requests, including responding to communications from individuals or requests for proposals and quotations.
- Contacting journalists regarding company press releases, invitations to annual press parties, highlighting messages that may be of interest on specific industry topics.
- Travel arrangement assistance.
All Personal Data will be processed exclusively for the purpose for which it was collected and to the extent that is necessary to achieve that finality. This restriction applies both to the quantity of Personal Data and to the scope of Processing, the retention period and the accessibility.
If Personal Data should be processed for a different purpose than those for which they were initially collected, Sarens ensures that the Processing does not take place in a manner that is incompatible with the purpose for which Personal Data has been provided. In case the desired finality is incompatible with the initial finality for which Personal Data has been provided, Sarens will ask the consent of the relevant Client and/or Data Subject for the Processing of their respective Personal Data in the light of this new purpose, provided that the consent is given freely.
Sarens states as a principle not to make use of automated decision-making.
If a Client or, if applicable, Data Subject, does not wish its Personal Data to be processed for publicity and marketing purposes or business courtesies, it can by means of a simple request to Sarens as referred to in article 13 of this policy statement, or via the means provided for in the relevant communication, withdraw its consent at any time.
THE LAWFULNESS OF PROCESSING
Sarens Processes Personal Data when this is necessary (a) for the performance of its contracts or for the execution of the pre-contractual measures requested by Client or Data subject, (b) to comply with its legal obligations, (c) for advertising and marketing purposes aimed at conducting a policy for provision of information to Clients and/or Data subjects and conducting a policy of customer binding, (d) for representing the legitimate interest of Sarens.
If the Processing cannot be justified by one of the aforementioned legal grounds, Sarens may request consent of Client and/or Data subject, provided that this consent is freely given.
With regard to the Processing of sensitive Personal Data, Sarens Processes these Personal Data when (a) it has obtained the explicit consent from the Data Subject, as the case may be via Client, to process one or more special categories of Personal Data for one or more well-defined purposes, (b) to comply with Sarens’ legal obligations, (c) if the Processing relates to Personal Data that have manifestly been made public by the Data Subject.
THE RECIPIENTS AND PROCESSORS (Transfer of Personal Data)
Sarens may transfer Personal Data (or may be required to transfer Personal Data) to public authorities and may transfer Personal Data to Processors so that they can process these data on behalf of Sarens on the condition that Processors guarantee an adequate level of protection regarding Personal Data and are contractually obliged to comply with the GDPR. Personal data will not be transferred to countries that do not offer protection that is at least equivalent to this protection within the European Economic Area (EEA).
Personal Data can be communicated for internal use to Sarens staff members and its lawyers, though always insofar as and to the extent that this is necessary for the performance of their duties, such as the follow-up and handling of the files, administrative follow-up and follow-up of customer relations.
Sarens may also transfer Personal data (or may be obliged to transfer Personal data) in connection with its use of external Processors (such as suppliers/providers of telecommunication systems, mailroom support, IT system support, archiving services, document production services and cloud-based software services, including services relating to software for processing and follow-up of files or accounting, the accountant, the cooperating partners and other persons involved in the follow-up of files, such as notaries, lawyers, bailiffs, recruitment services providers) provided that they offer sufficient guarantees with respect to the implementation of appropriate technical and organizational measures to ensure that the Processing complies with the requirements of the GDPR and the protection of Personal Data rights and when the transfer is necessary within the applicable legal or regulatory framework taking into account the purposes of the Processing.
To the extent required by the GDPR, Sarens has entered into a contract with the Processors in which the purpose of the Processing is determined, the Processor undertakes, amongst other things, to respect the confidentiality of Personal data, to limit the Processing to what is in line with Sarens’ instructions or with what is legally permitted and to cooperate with the exercise of the rights by Client and Data Subject granted to them by the GDPR.
Note also that some of the recipients of your personal data may be based in countries outside of the EEA whose laws may not provide the same level of data protection. In such cases, Sarens will ensure that there are adequate safeguards in place to protect your personal data that comply with our legal obligations. Where the recipient is not a member of Sarens, the adequate safeguard might be a data transfer agreement with the recipient based on standard contractual clauses approved by the European Commission for transfers of personal data to third countries.
THE STORAGE OF PERSONAL DATA
Sarens can store Personal Data on servers that are outside of Belgium or in a cloud-environment. In such a case, Sarens ensures that the Personal Data are stored in an EU Member State and/or in a country that is recognized to offer an equivalent level of data protection and/or that compliance with the provisions of the GDPR is contractually guaranteed.
RECORD OF PROCESSING ACTIVITIES
Sarens shall keep a register of the Processing Activities carried out by it or under its responsibility. In that case, the register will contain the information required by GDPR, such as the name and contact details of the Privacy and Compliance Coordinator, the processing purposes, the description of the categories of Data Subjects, of Personal Data and of recipients, the retention period, etc. based on article 30 GDPR.
THE RIGHTS OF CLIENTS AND DATA SUBJECTS
The Data Subject or the Client may exercise the rights set out below by submitting a written notification to the following e-mail address: firstname.lastname@example.org
Sarens draws attention to the fact that if the Client and/or Data Subject objects to the Processing of the Personal Data in question or exercises the rights set out below, this may result in Sarens being unable to further execute contracts and/or that Client or Data Subject will no longer be able to make use of Sarens’ services.
- Access – You can ask us to verify whether we are processing personal data about you, and if so, to provide more specific information.
- Correction – You can ask us to correct our records if you believe they contain incorrect or incomplete information about you.
- Deletion – You can ask us to erase (delete) your personal data after you withdraw your consent to processing or when we no longer need it for the purpose it was originally collected.
- Processing restrictions – You can ask us to temporarily restrict our processing of your personal data if you contest the accuracy of your personal data, prefer to restrict its use rather than having us erase it, or need us to preserve it for you to establish, exercise, or defend a legal claim. A temporary restriction may apply while verifying whether we have overriding legitimate grounds to process it. You can ask us to inform you before we lift that temporary processing restriction.
- Data portability – In some circumstances, where you have provided personal data to us, you can ask us to transmit that personal data (in a structured, commonly used, and machine-readable format) directly to another company if it is technically feasible.
- Right to Object to Direct Marketing including Profiling – You can object to our use of your personal data for direct marketing purposes, including profiling. We may need to keep some minimal information to comply with your request to cease marketing to you. You are entitled to submit a complaint to the Data Protection Authority (Drukpersstraat 35, 1000 Brussels (www.privacycommission.be)) in case you believe that the Processing is unlawful.
- Right to Withdraw Consent – You can withdraw your consent that you have previously given to one or more specified purposes to process your personal data. This will not affect the lawfulness of any processing carried out before you withdraw your consent. It may mean we are not able to provide certain products or services to you and we will advise you if this is the case.
THE SECURITY OF PERSONAL DATA
Sarens ensures that the Personal data of Clients and/or Data Subjects are protected and secured to the maximum extent possible in order to ensure their confidentiality and to prevent them from being distorted, damaged, destroyed or disclosed to an unauthorized third party. We aim to ensure that access to your personal data is limited only to those who need to access it. Those individuals who have access to the data are required to maintain the confidentiality of such information. We may apply de-identification and anonymisation techniques in efforts to further protect personal data.
If you have access to parts of our websites or use our services, you remain responsible for keeping your user ID and password confidential. Please be aware that the transmission of data via the Internet is not completely secure. Whilst we do our best to try to protect the security of your personal data, we cannot ensure or guarantee the security of your data transmitted to our site; any transmission is at your own risk.
In the event of an infringement and the associated violation of the availability, integrity or confidentiality of Personal Data, Sarens shall report the infringement in connection with Personal Data to the Data Protection Authority within 72 hours of it becoming aware of it, unless it is unlikely that the infringement poses any risk to the rights and freedoms of the Clients or Data Subjects concerned.
Sarens will also report the Personal Data breach to the Clients and/or Data subjects concerned if it is likely that the breach will entail an increased risk for the rights and freedoms of the Clients or Data Subjects.
RETENTION PERIOD OF PERSONAL DATA
Sarens worked to categorize all of the personal information retained and specified the appropriate retention period for each category of data. Those periods are based on the requirements of applicable data protection laws and the purpose for which the information is collected and used, taking into account legal and regulatory requirements to retain the information for a minimum period, limitation periods for taking legal action, good practice and Sarens’ business purposes. After this period, the Personal Data will be erased or anonymized.
For all additional information in connection with this Privacy Notice or for any request for correction, access or restriction of Processing, please contact Sarens at email@example.com. You will receive confirmation of your request free of charge within thirty (30) days, on the understanding that this period may be extended by an additional period of thirty (30) days, provided that Sarens considers the request in question to be a complex one.
DISPUTES AND APPLICABLE LAW
Before bringing a legal claim to court, all parties concerned shall take all possible measures to resolve their dispute amicably.