Data Protection Policy
For the performance of its activities, i.deeds nv processes various data, both commercial data and personal data. This policy concerns the processing of personal data by i.deeds nv. The personal data of different categories of identifiable persons such as employees, clients and suppliers, users of the app’s and website, subscribers and other stakeholders are processed.
i.deeds nv understands the importance of the protection of personal data and the concerns of its employees, clients and clients’ contact persons, suppliers and suppliers’ contact persons and other persons with whom it has contact regarding the processing of their personal data. i.deeds nv always carefully considers the protection of personal data during the different personal data processing operations.
Different persons within the organisation may have access to the personal data of its employees (the term employees shall include: managers and everyone who works for i.deeds nv, including independent service providers and consultants, temporary workers such as agency workers, interns, student workers, volunteers, ex-employees) and other individuals (clients and suppliers) during the performance of their role. Each of these persons within i.deeds nv is bound by this policy on the protection of personal data.
The applicable data protection legislation imposes obligations on i.deeds nv regarding the way in which it must process data. In addition, the legislation provides for rights for the persons whose data is processed, so that they have more control over their own personal data.
This policy gives an overview of the general obligations under data protection legislation which the company and its employees must comply with. Compliance with this policy is important for the following reasons:
This policy is applicable to i.deeds nv which processes personal data and contains the guidelines which each personal data processing operation must comply with. This processing occurs either fully or partly via automated processes which are part of a structured filing system or will form part of a structured filing system.
The company has appointed a responsible person, supported by a team, to ensure the implementation of and compliance with data protection legislation and this policy.
The person responsible for data protection can be contacted via e-mail (firstname.lastname@example.org) or via telephone (+32(0)56 650100). In order to exercise your rights, please refer to Article 8 of this policy.
The applicable data protection legislation uses specific language and refers to an abstract matter. Below you will find several definitions in order to enable you to better understand the terminology, and by extension, this policy.
Various legislation can apply, depending on the concrete application in which personal data are processed.
As well as the European regulations, specific national data protection legislation also applies, such as the Law of 8 December 1992 on the protection of privacy with regard to the processing of personal data and the Law of 13 June 2005 on electronic communications.
Personal data concern all information about an identified or identifiable natural person, also known as the data subject. A person is considered as identifiable when a natural person can be directly or indirectly identified, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more elements that are characteristic of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
The controller is a natural person or legal person (for example a company), a public authority, agency or other body which, alone or jointly with others, determines the purposes and means for the processing of personal data.
For example, i.deeds nv is a legal person which is the controller that processes the personal data of its employees in the context of its personnel management.
The processor is a natural person or legal person, a public authority, agency or other body that processes personal data on behalf of and only on instructions from the controller.
Processing personal data means any operation or set of operations which is performed upon personal data or a set of personal data, whether or not by automatic means (e.g. software), such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
An example of processing personal data is when the organisation collects and saves the contact details of its clients’ contact persons in the organisation’s Client Relationship Management software system or in a paper filing system.
A filing system means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
This implies both electronic structured filing systems by means of the use of software or cloud applications, and paper files and filing systems, provided that these filing systems are organised and structured in a logical way by connecting them to individuals or which are connected to individuals on the basis of criteria.
As well as the use of specific language, data protection legislation has several basic principles which every controller must comply with in order to be in accordance with this legislation. In the event of doubt regarding the application of these principles in a concrete case, you can always contact the department for this matter for further explanations, and according to the procedure described in Article 8.
Data protection legislation provides that personal data must be processed in agreement with the various basic principles and the conditions that result from them.
Data protection legislation provides that personal data must be processed fairly and lawfully with respect to the data subject.
In order to process personal data lawfully, a legal basis must exist. In principle, personal data can only be processed when:
If you have given your consent for a specific processing purpose to the organisation in order to process your data for that purpose, you can withdraw this consent at any time. The organisation will then stop any further processing of your data for which you gave consent and will inform you of the possible consequences of your withdrawal of consent. If the organisation processes your personal data for other purposes and in order to do so it refers to other legal bases, it will still be able to process your personal data.
The organisation ensures that it always refers to at least one of the above-mentioned legal bases when it processes personal data. If you have questions about the applicable legal basis that the organisation is referring to, you can always contact the in
Some categories of personal data are of a sensitive nature and data protection legislation also has a stricter regime for these special categories of personal data (also known as ‘sensitive personal data’). These are data concerning race or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership and processing of genetic data, biometric data for the unique identification of a person, or data about health, sexual behaviour or sexual orientation. Data relating to criminal offences or convictions also form a special category.
In principle it is forbidden to process these sensitive personal data, unless the organisation can refer to one of the exceptions. In a specific limited number of cases, the organisation must process sensitive personal data. In these cases, the data subject will be informed in advance. For these specific purposes, the organisation will provide the person concerned with detailed information in advance about the specific purposes and the legal basis of the processing.For more information about the processing of sensitive personal data by the organisation, you can always contact of this policy.
The organisation ensures that personal data shall be processed:
The organisation processes personal data which, in principle, it has received directly from the data subject. The organisation which processes the data subject’s personal data shall always inform data subjects about the following matters:
When the data subject already has all the information, the organisation will not inform the data subject unnecessarily about the processing of his or her personal data.
If the organisation processes personal data for other purposes which are incompatible with the initial purposes for which the data were initially collected (the new purpose does not appear to be described in the initial information note and the data subject cannot assume that his/her personal data will also be processed for this new purpose), the organisation shall take all the necessary measures to process these personal data lawfully, and shall inform the data subject about this.
The organisation can disclose the information both on a collective and individual basis and shall continue to ensure that it is drafted in plain, intelligible language.
Specific legislation may contain exceptions or set additional requirements which the organisation must comply with, with respect to the provision of information to data subjects. These mandatory legal provisions take precedence over this policy.
The company takes the required technical and organisational measures to ensure that the processing of personal data always takes place with the appropriate guarantees, so that the data are protected against accidental loss and against unlawful processing, destruction or damage. The organisation has, when choosing the proper security measures, considered the nature, context, purpose and scope of the processing, the possible risks when processing the personal data, the costs for the implementation of the measures and the state of the art.
These measures are applicable to the physical access to personal data, access to the personal data via computers, servers, networks or other IT hardware and software applications and databases. In addition to the technical and organisational measures, the organisation’s employees who have access to personal data during the performance of their duties, are bound by different obligations in order to guarantee the confidentiality and integrity of personal data, as summarised in Article 9 of this policy.
The organisation will organise training courses for the employees who will process personal data on the instructions of the organisation when carrying out their duties. The employees may only process the personal data at the organisation’s instruction or if the law requires them to do so. The organisation shall also implement access rights, so that the employees only have access to the data they need when performing their duties. The employees who have access to personal data shall sign a confidentiality agreement.
The organisation shall ensure that the third parties that receive personal data from the organisation will comply with the applicable data protection legislation and this policy.
In some cases, the organisation may be obliged to transfer your personal data to third party receivers. In any event, these personal data are only transferred on a need-to-know basis to these receivers who carry out the processing for specific purposes. The organisation shall always observe the necessary security measures when transferring the data and with respect to the receivers, in order to guarantee the confidentiality and integrity of the personal data.
The transfer to third parties can take several forms, as described below.
The organisation can ask a third party, a processor, to process personal data, on behalf of and only on instructions from the organisation. The processor may not process these personal data for its own purposes which are independent of the purposes for which the organisation uses the processor.
The organisation can opt to work with these processors which deliver services at the organisation’s request, for travel agencies, rental services, medical and other professional consultancy services, etc.
The organisation shall only use processors and provide them with personal data when processor agreements which meet the legal requirements are concluded with the processors. The GDPR provides, among other things, that the agreement must contain a clause which indicates that the processor may only process the personal data at the organisation’s instruction; that the processor must provide the organisation with assistance when it requests it; that personal data must remain confidential, etc.
Part of this processor agreement also concerns the security measures which the processor must implement before processing the personal data and must have throughout the entire duration of the processing in order to ensure the confidentiality and integrity of the data.
The organisation shall take the necessary measures if it establishes that its processors do not comply with the obligations in the agreement.
A standard processor agreement is available from the department for this matter.
It is also possible for the organisation to transfer your personal data to parties that are based in third countries, these are countries outside the European Economic Area (i.e. The European Union, Norway, Iceland and Liechtenstein).
Such a transfer is possible if the country where the receiver is based offers sufficient legal guarantees to protect your personal data and which the European Commission has assessed as being adequate. In other cases, the organisation has concluded a standard contract with the receiver so that equivalent or similar protection to that offered in Europe is offered.
For cases in which this did not or cannot happen, the organisation can always pass on the data subject’s personal data if it obtains consent from the data subject, within the limits of the relationship which the data subject has with the organisation. In order to ensure transfer and thus processing is possible in these cases too, where appropriate, the organisation shall thus ask the data subject whether he/she agrees to this occasional transfer to third countries.
If more information or a copy of the guarantees for these international transfers are desired, the procedure as described under Article 8 can always be followed.
The organisation shall not store personal data any longer than necessary for the specific purpose for which the data were collected. After the final time limit has passed, the organisation shall delete or anonymise the personal data. The organisation shall anonymise the data if it still wishes to use them for statistics. The organisation may store the personal data for a longer period for its dispute management, research or archiving purposes.
Data protection legislation provides for different rights for data subjects with respect to the processing of personal data so that the data subject can still exercise sufficient control over the processing of his or her personal data.
The organisation tries, via current policy, to already provide as much information as possible to the data subjects in order to be as transparent as possible with respect to the processing of personal data. This general policy must be read together with more specific information notes which give more explanations about the organisation’s specific processing purposes.
The organisation understands that the data subject may still have questions or desire additional clarifications with respect to the processing of his or her personal data. The organisation thus understands the importance of the rights and shall therefore comply with these rights, considering the legal limitations in the exercising of these rights. The different rights are described in detail below.
The data subject has the right to obtain confirmation from the organisation of whether or not his or her personal data are being processed. If his or her data are being processed, the data subject may request the right to consult his or her personal data.
The organisation shall inform the data subject about the following matters:
The organisation shall also supply a copy of the personal data that are being processed. For any further copies requested by the data subject, the controller may charge a reasonable fee.
When the data subject establishes that the organisation has incorrect or incomplete data about him/her, the data subject always has the right to inform the organisation of this fact so that appropriate action can be taken to rectify or supplement these data. It is the data subject’s responsibility to provide correct personal data to the organisation.
The data subject can ask to have his or her personal data erased if the processing is not in accordance with data protection legislation and within the limits of the law (Article 17 GDPR).
The data subject may ask to have the processing restricted if:
The data subject has the right to obtain his or her personal data which he or she provided to the organisation in a structured, commonly-used and machine-readable format. The data subject has the right to have those personal data transmitted to another controller (directly by the organisation). This is possible if the data subject has consented to the processing and if the processing is carried out via an automated process.
When personal data are processed for direct marketing purposes (including profiling), the data subject can always object to this processing.
The data subject can also object to processing due to a specific situation regarding the data subject. The organisation shall stop processing the personal data unless the organisation demonstrates compelling legitimate grounds for the processing which override the interests of the data subject or for the exercise or defence of legal claims.
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her such as evaluating personal aspects with respect to the performance of work, reliability, creditworthiness, etc.
This right not to be subjected to such automated decision-making does not exist when the decision is permitted by a mandatory legal provision.
Nor may the data subject invoke this right when the decision is necessary for entering into, or the performance of, a contract between the data subject and the organisation or is based on the data subject's explicit consent. In these last two cases, the data subject does have the right to obtain human intervention from someone at the organisation and he or she has the right to make his or her point of view known and to challenge the automated decision process.
If you have given your consent for a specific processing purpose to the organisation in order to process your data, you can withdraw this consent at any time by sending an e-mail.
The data subject may exercise his or her rights by sending an e-mail to the responsible for data protection (see art. 3). The organisation can ask the data subject to identify himself /herself in order to ensure that it is indeed the data subject requesting to exercise his or her rights.
If you have any questions about the application of the principles or the organisation’s (legal) obligations, you can always contact the responsible for data protection (see art.3).
In principle the organisation shall respond to the data subject’s request within one month. If not, the organisation shall inform the data subject why the request received no response or why it did not receive a response in good time. The organisation shall take the necessary measures to inform the receivers of the data subject’s personal data about exercising the right to correction, right to erasure or the limitation of processing by the data subject.
The organisation expects its employees to comply with this policy and it ensures that the persons it is responsible for comply with this policy.
It is crucially important that the employees understand the aims of this policy and familiarise themselves with it so that they can comply with the provisions contained in this policy. The employees must therefore:
Each person who has access to personal data processed by the organisation must comply with this policy. Non-compliance with this policy can lead to disciplinary measures/sanctions such as a warning, dismissal or any other sanction permitted by law, without prejudice to the right to initiate civil or criminal proceedings.
The organisation reserves the right to adjust and review this policy when it deems necessary and to remain coherent with the legal obligations and/or recommendations of the competent supervisory authority for data protection.
The organisation shall inform the person responsible for data protection when it is impossible for it to comply with this policy due to mandatory legal provisions which are imposed upon the organisation.
This policy applies as of May, 25th 2018.