Protection of your privacy and your personal data is of capital importance to ELICIO.
2 What is the scope of this policy?
What constitutes “processing of your data” and who is responsible for it?
We only collect and use personal data that is necessary within the scope of our activities and which allows us to propose top quality products and services to you. ELICIO S.A., whose head office is located at John Cordierlaan 9, in Ostend in Belgium, is the controller of personal data that it is involved in processing.
As a result, we are a partner for you as well as the supervisory authorities (for example, the data protection authority) regarding any questions concerning the use of your data by our company.
We ensure that these processors only receive the data that is strictly necessary for the performance of their part of the contract.
We also act as a processor for other entities, both belonging to the ELICIO group and not. In these cases, the entities in question are the controllers of personal data and consequently we follow their instructions.
3 What data is covered by our policy?
The data covered by our policy is personal data of natural persons, i.e. data that can directly or indirectly enable identification of a data subject.
As part of your relations and interactions with ELICIO, we may be led to collect different types of personal data such as:
Identification and contact data (for example: your title, name, address, date and place of birth, national registration number, account number, telephone number, e-mail address, IP address, profession).
Family circumstances (examples: civil status, number of children).
Bank, financial and transaction details (examples: bank details, account numbers, data related to transfers including communication and, more generally, any data recorded during your bank transfers).
Data related to your behaviour and habits concerning use of our channels (examples: our website or tablet and smartphone applications).
Data concerning your preferences and interests, directly or indirectly communicated, for example via participation in our competitions or events, your leisure pursuits, etc.
Data from your interactions on our social network pages.
We never process data concerning your racial or ethnic origins, political opinions, religion, philosophical beliefs, trade union membership, genetic data, sex life or sexual preferences, unless obliged to do so by the law or if it is a result of your usage of our products and services (example: you mention this type of information).
4 Guiding principles for processing personal data
ELICIO shall respect, among others, the following guiding principles when processing personal data within the scope of its management and performance of its commitments:
Lawful processing of data: ELICIO processes personal data in a lawful manner within the scope of its activities.
Specified purposes and limited uses: ELICIO collects and processes personal data for the lawful purposes defined hereinafter.
Minimisation of data processing: ELICIO limits processing of personal data to what is strictly necessary within the scope of its activities.
Accuracy of personal data: ELICIO takes all reasonable steps to ensure that the personal data is accurate and that it is immediately corrected and/or deleted if it proves to be inaccurate.
Limitation of processing and storage: ELICIO will not process or store personal data any longer than is necessary for the performance of its activities.
Security measures: ELICIO takes the necessary and appropriate technical and/or organisational measures to ensure the security of personal data.
5 When is your personal data collected?
The data that we use can be collected directly from you or obtained from the following sources with the aim of verifying or enhancing our databases:
Publications/databases made accessible by the official authorities (example: the Belgian official gazette).
Our corporate customers or service providers.
Web sites/pages on the social networks containing information that you have made public (example: your web site or social network pages).
Databases made public by third parties.
In particular, certain data can also be collected by ELICIO:
When you become a customer or supplier.
When you register to use our on-line services (each time you log in or use the service).
When you fill in forms and contracts that we submit to you.
When you use our services and products after you have signed a contract.
When you subscribe to our newsletters or take part in our competitions.
When you contact us via the various channels made available.
When your data is published or transmitted by authorised third parties or professional data providers.
When you are filmed by our CCTV cameras situated in and around our premises/buildings.
The images are solely recorded to maintain the security of goods and persons as well as to prevent abuse, fraud and other offences made against our customers and/or personnel (stickers mentioning our contact details signal the presence of such cameras).
6 On what basis and why do we use your personal data?
We process your personal data for a variety of purposes. For each processing action, only the data relevant for the desired purpose are processed.
In general, we use your personal data:
Within the scope of performing a contract or taking pre-contractual measures.
In order to comply with legal and regulatory provisions that we have to respect.
For reasons of legitimate interest for the company (see the illustrations below). When we conduct this type of processing, we ensure that we maintain a balance between such interest and respecting your privacy.
When we have obtained your consent.
The personal data is processed by ELICIO for purposes that include, but are not restricted to, the following:
To provide you with information about our products and services.
To assist you and answer your questions.
To ensure the proper performance of agreements made.
To ensure ELICIO’s financial and accounts management.
To ensure good customer, material and supplier management.
To carry out market research and to establish user profiles if you have given your consent; to provide information and/or carry out promotions on products and services, for those of the group and/or its commercial partners.
To make improvements to existing products and services (or those under development) via surveys of current or potential customers, statistics, tests, comments that you have sent to us directly or remarks that you have posted on our web sites.
To meet legal obligations, including responding to official demands made by the duly authorised public or legal authorities.
To detect and prevent abuse and fraud: we process and manage contact and security data (card readers, passwords, etc.) in order to validate, monitor and ensure the security of transactions and communications made via our channels remotely.
In order to ensure provision of services and products by calling upon sub-contractors.
To monitor our activities (measurement of sales, number of appointments, number of calls, number of visits to our web sites, etc.).
To improve the quality of service for each of our customers.
To carry out prospection for ELICIO products and services, or for other products that we promote or which are promoted by companies that belong to the ELICIO group.
To ensure the security of our premises and infrastructures, as well as the people in these places.
7 Who has access to your data and to whom are they transferred?
Only authorised users have access to your personal data in order to carry out the tasks mentioned above. An authorised user is somebody who, as part of carrying out their work for ELICIO, is authorised to process personal data within the framework of the activities performed on the basis of ELICIO’s directives.
In order to accomplish the aforementioned tasks, ELICIO discloses your personal data to:
Entities in the ELICIO group (example: to enable you to enjoy various products and services);
An external auditor;
An approved auditor;
A legal advisor;
A financial consultant;
Another professional and/or service provider/consultant;
A social bureau, banking organisations, insurers, funds;
Customer service providers (installers, repair services, etc.);
IT companies or service providers for software and electronic data storage (servers, etc.);
The legal, administrative or police authorities;
The supervisory authorities.
8 How long do we keep your data?
We store your personal data for the longest duration necessary in accordance with enforceable legal and regulatory provisions or another duration in consideration of operational constraints such as good book-keeping, efficient management of customer relations and responses to legal or regulatory demands.
Customer related data is stored for the duration of the contract and during an additional period of ten years following the end of contractual relations.
Data concerning potential clients are stored for no more than a year, depending on the life cycle of the project for which they have been collected and when the person concerned shows their interest.
Certain data is archived for longer durations in order to meet our legal obligations and for evidence purposes to safeguard your rights and the rights of our company. This archived data is only accessible for needs as evidence in legal proceedings, for inspection by authorised authorities (the tax authorities, for example), or for provision of documents to the legal, administrative or police authorities.
9 Security and confidentiality
ELICIO undertakes to adopt the required and appropriate technical, physical and organisational measures to protect personal data against unauthorised access, unlawful and unauthorised processing, loss or accidental damage and unauthorised destruction. These measures are regularly assessed and updated if necessary in order to provide maximum protection for the personal data of the data subjects concerned.
In case of a breach or computer flaw, as described below, ELICIO takes the required and appropriate measures to assess the extent and consequences, to put an end to such occurrences as quickly as possible and, where necessary, limit its impact for the data subjects concerned.
10 What are your rights and how can you exercise them?
Rights of data subjects
In compliance with enforceable regulations, you have various rights:
A. Right to access, rectification and deletion
Any data subject has the right to make an access request. If a data subject exercises this right, ELICIO is required to provide the information regarding this matter, including:
If the data is inaccurate or incomplete, the data subject can request their rectification.
In certain circumstances, the data subject may, in compliance with data protection regulations, request the deletion of personal data concerning them if, among other reasons, the personal data is no longer required for the purposes for which it was collected or processed. However, ELICIO can refuse to delete such data, for example due to the establishment, implementation or proof of a right in legal proceedings.
To ensure your data is kept fully up-to-date, we ask that you inform us of any changes (for example, change in civil status, address, etc.).
B. Right to oppose and limit processing of your data and the right to withdraw your consent
You have the right to oppose certain processing of your personal data that we wish to perform. In particular, you have the right, without justification, to oppose the use of your data for prospection purposes. You may also request that processing of your data be limited.
However, this right can only be exercised in certain conditions:
Nonetheless, you cannot oppose processing required for performance of a contract that you have entered into with us or for the performance of pre-contractual steps taken on your request, or in order to respect any legal or regulatory provision with which we are bound to comply.
If you have given your consent for processing of your personal data, you have the right to withdraw this consent at any moment.
C. The right to data portability
When necessary and insofar as it is possible, the data subject may request reception of certain personal data supplied to ELICIO within the scope of managing and conducting its activities and to transfer such data to another data controller. In cases where it is technically possible, the data subject may request that ELICIO directly transfers such data to another data controller.
Who should you contact?
If the data subject wishes to exercise his or her rights concerning his or her personal data, he or she should contact:
In compliance with regulations, you have the right to submit a claim to the relevant supervisory authority.
11 Transfer of data outside the EEA
In the case of international transfers from the EEA to a third party country that the European Commission officially recognises as having a level of personal data protection that is equivalent to the level stipulated by legislation within the EEA, your personal data shall be transferred on this basis.
For transfers to countries outside the EEA that the European Commission does not officially recognise to have sufficient data protection, we base our action either on a dispensation applicable to the situation (for example, in the case of international payments, such a transfer is necessary for performance of the contract), or on the fact that the data recipient has accepted to process the personal data in compliance with the “Standard Contractual Clauses” established by the European Commission for data controllers or processors.
To obtain a copy of these texts or to find out how to access them, you should send a written request as described in Section 10.2. above.
12 Violation of personal data
A. Notification of personal data violations
Authorised users must ensure that, in performing their duties, they avoid (voluntary or involuntary) incidents that may harm the data subjects’ privacy.
In case of personal data violations, appropriate measures are taken as quickly as possible to minimise the risks of damages for the data subjects as well as ELICIO (damage to reputation, sanctions imposed, etc.).
In any event, all the authorised users, as well as all other persons who consult, use or manage ELICIO’s information must immediately report any security breach and information security related incidents to the D.P.O. to enable immediate performance of analysis, allow implementation of necessary measures and to know whether the violation must be reported to the Data Protection Authorities and/or the data subjects.
When such notification is made by e-mail, it is important that it is sent to the D.P.O. (see Section 10.2) and that it is expressly mentioned in the subject of the e-mail that it is a highly urgent message about a possible violation of personal data.
The information must contain a complete and detailed description of the incident, including the identity of the person reporting the incident (name, first name, address, e-mail address - where applicable – and telephone number), the type of incident concerned and how many people are affected.
B. Inquiry and risk assessment
In principle, within a period of 24 hours after the incident or violation is observed by ELICIO or reported by a processor, an authorised user, a recipient, a data subject or a third party, an inquiry shall be launched by ELICIO.
The inquiry will indicate the nature of the incident, the type of data concerned and specifically whether personal data is affected (if such is the case, who are the data subjects affected and what is the amount of personal data impacted). The inquiry will determine whether a personal data violation has occurred or not.
If it is indeed a personal data violation, risk assessment will be conducted to discern what might be the possible consequences of the violation and in particular the possible impacts for the data subjects.
ELICIO will then decide, based on the character of the violation, whether it is necessary to notify the Data Protection Authority and/or the data subject.
C. Documenting violations
All violations shall be documented in a register that will set out the main cause of the incident and contributing factors, the chronology of the events, responses to the incident, recommendations and lessons learned so as to identify domains requiring improvements. The recommended changes to be made to systems and procedures shall be documented and implemented as soon as possible.
Within the scope of his or her mission to monitor respect of data protection regulations, the D.P.O. will also examine the action taken to deal with the violation as recorded in the report.
13 Data protection officer (“D.P.O.”)
ELICIO has appointed a data protection officer who can be contacted by post (ELICIO DPO’s Office – John Cordierlaan 9, 8400 Ostend, Belgium) or by e-mail (privacy@ELICIO.be).
This data protection officer is competent to:
14 How can you familiarise yourself with this policy and its modifications?
We therefore invite you to familiarise yourself with the latest version of this document on our website and shall inform you of any substantial modifications via our website or our normal methods of communication.
15 How to contact us
If you have any question concerning the use of your personal data concerned by this policy, you can contact our data protection officer (D.P.O.) by post at the following address - ELICIO DPO’s Office – John Cordierlaan 9, 8400 Ostend, Belgium – or by e-mail at privacy@ELICIO.be.