Privacy Policy

Privacy policy BIRD Group vzw - 18/01/2022

 

BIRD Group vzw, with registered office at Leuvensesteenweg 643, 1930 Zaventem (hereinafter: “BIRD”), in its capacity as data controller, values privacy and is therefore committed to protect the (personal) data of all its stakeholders with the greatest possible care, and to process personal data only in a fair and lawful manner in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter: “GDPR”) as well as any applicable current or future national legislation in execution or replacement thereof. 

This privacy policy provides for an overview of the importance BIRD attaches to privacy and personal data protection, how the organisation goes about it, stakeholders involved, and roles and responsibilities assigned. This privacy policy is part of a set of data protection guidelines and procedures and does not intend to stand on its own or contradict other BIRD policies. 

The BIRD website may include links to other websites over which we have no control. BIRD is not responsible for the privacy policies or practices of other websites. If you access these websites via our website, you should review the privacy policies of those sites so you can understand how they collect, use and share your information. 

 

1. Scope

This privacy policy serves as a guiding instrument for all parties involved that process personal data for BIRD: 

This privacy policy applies to the personal data as classified below, regardless of whether it is stored electronically, on paper or on other materials: 

  • Shareholders’ and partners’ personal data; 
  • On-site visitors’ personal data;

  • Website visitors’ personal data;

  • Suppliers and customers contact persons’ personal data.

Stakeholders involve third parties with whom BIRD works or needs to provide personal data to under its legal obligation to do so. BIRD will, to the extent possible, carefully select its partners in order to guarantee confidentiality and the processing of personal data in accordance with the GDPR, applicable local data protection and privacy laws and this policy. 

2. Definitions

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. 

“Data subject” is defined as a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 

“Data Protection Authority” or “DPA” means an independent public authority which is established by a Member State to supervise, through investigative and corrective powers, the application of the data protection law. 

“Data Protection Impact Assessment” or “DPIA” is a (sometimes mandatory) assessment of the risk related to a new project that formulates how these risks can be minimized. 

“Data Protection Officer” or “DPO” as defined in the GDPR and local regulations, and is officially registered with the Supervisory Authority (also known as Data Protection Authority, hereinafter: “DPA”) 

“PA” is a processing agreement as defined in the GDPR 

“Personal data” is defined as any information relating to an identified or identifiable natural person. An identifiable natural person is the one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 

“Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or, or access to, personal data transmitted, stored or otherwise processed. 

“Privacy responsible” is the person that is responsible for the compliance with data protection laws and regulations, and that fulfills the same role as a DPO but is not officially registered with the DPA. 

“Processing” is defined as any operation or a set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 

“Processor” is defined as a natural or legal person (other than an employee of the controller) who processes personal data on behalf of the controller. BIRD has for all relations with processor a valid processing agreement. 

“RPA” Records of Processing Activities as defined in the GDPR 

“Special categories of data” is defined as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation (art. 9). Data relating to criminal convictions or offences is also sensitive (art. 10). 

3. Commitment to personal data protection 

BIRD wants to continue being an organization that cares about the privacy of people and their data and creates a culture and environment that is resilient to any accidental and deliberate personal data infringement occurring. 

With all privacy and data protection efforts in place and envisioned, the achievement of the following objectives is paramount to BIRD: 

  • Protection of confidential and privacy-sensitive information 
  • Respect and protect the fundamental rights and freedoms of all data subjects 
  • Ensure transparency, confidentiality and integrity of the processed personal data 
  • Compliance with existing laws and regulations 

BIRD processes personal data from customers and suppliers on a daily basis. Any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or, or access to, personal data transmitted, stored or otherwise processed, can lead to, among other things: 

  • A breach of the trust of customers of BIRD 
  • Damage for customers and/or suppliers with claims for damages as a result 
  • Reputational damage to BIRD 
  • Violation of legislation 
        
4. Roles and responsibilities 

In order to guarantee confidentiality and careful handling of personal data, all individuals working for BIRD must ensure that personal data that is being processed happens in line with this policy and the data protection principles. Therefore employees, contractors and other stakeholders involved have the responsibility to: 

  • Identify personal data processing activities and the risks that accompany the processing of personal data 
  • Only process the data necessary to achieve a predefined purpose 
  • Execute the proposed measures by BIRD and follow up on the changes in the policies and procedures 
  • Informing the privacy responsible and DPO on major changes in the entity 
  • Inform the privacy responsible and DPO if any doubts and/or questions arise 
  • Know BIRD’s vision on privacy and recognize what this means for his/her responsibilities 

BIRD is responsible for this privacy policy. The implementation of this policy falls under the responsibility of Marjan Steppe, marjan.steppe@birdgroup.be.  

For questions relating to privacy and data protection, BIRD has appointed a Data Protection Officer which you can reach at louis.longeval@cranium.eu

5. Processing of personal data 

Personal data can be defined as any information that allows a natural person to be identified, directly or indirectly. You can provide us with your personal data in the context of the following activities, for the corresponding purposes and based on the stated grounds:

  • Contact form or correspondence: By completing the contact form on the website, you consent to BIRD processing your name, email address and your question or message. If you contact us directly (by e-mail, telephone or letter), we will process your contact details and the content of this correspondence. We only use this information to sufficiently handle your question or message. 

  • List of members: You can sign up as a member on the website. In this context, personal identification data is processed. We rely on consent for the processing of this personal data and will delete your data as soon as you leave the company. 

  • Events: When you register for one of our events, we ask you to provide certain information to participate in that particular event. For example, we will usually ask for identification data, contact details and whether you have food allergies. We collect this information based on your consent in order to complete your registration and guarantee the best event experience for everyone. After the event is over, all personal data will be deleted.

    We can keep you up to date on future events if you have given us consent for this purpose.
        
  • Other relations: We collect contact details of our current or future suppliers and partners. We process this information to enter into our agreements and to manage our relationships or collaborations. This processing is therefore based on the conclusion and execution of our contracts and business relations. 

BIRD considers your personal data as confidential and commits to process it only in a way that is compatible with the purposes for which the data were initially collected. 


6. Data subject rights 

Every individual has the possibility to exercise the freedoms and rights as described in the GDPR. BIRD has the obligation to respond in a timely manner to data subject requests and to make sure that the legal deadlines are met. 

When dealing with a data subject request for exercising his/her rights, please consult the DPO at louis.longeval@cranium.eu. 

The data subject rights explained: 

  1. Right to information
    Data subject always has the opportunity to request his/her personal data (including processing purposes, categories of personal data, estimated retention period) and to be informed about what happens with the data collected from data subject. 
       
  2. Right to access
    Data subject has the right to access their personal data and to request a copy of the personal data. 
       
  3. Right to rectification
    You have the right to have incorrect personal data corrected, or incomplete personal data completed. 
        
  4. Right to erasure
    You can request the erasure of the personal data that is being kept about you. The request to erase your personal data cannot always be granted, for example due to contractual or legal obligations. 
       
  5. Right to restriction of processing
    You have the right to obtain restriction of processing in certain situations, for example if you contest the accuracy of the personal data, for a period enabling BIRD to verify the accuracy. 

  6. Right to object
    You have the right to object to the processing of your personal data, for example if the processing takes place on the ground of the legitimate interest or on the ground of the public interest of BIRD processing your data. When your personal data is used for direct marketing purposes, you have an absolute right to object to this processing activity. 
        
  7. Right to data portability
    Data subject has the right to receive their personal data, processed by BIRD in a structured, commonly used and machine-readable format and/or to transmit those data to another controller. 
         
  8. Right not to be subjected to automated individual decision-making including profiling Data subject has the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects on the data subject or similarly significantly affects the data subject.    
        
  9. Right to lodge a complaint
    In case of issues, we encourage you to contact BIRD in order to reach an amicable solution. However, if you believe an amicable solutions is not possible or desirable, you can use your right to lodge a complaint with the Belgian Data Protection Authority: Gegevensbeschermingsautoriteit, Drukpersstraat 35, 1000 Brussels, Tel +32 (0)2 274 48 00, e-mail: contact@apd-gba.be. 
       

As BIRD is acting as a data controller for the purposes of this website, you, as a data subject, can send a request to exercise your rights to us. We will make sure to handle your request in accordance with the GDPR. 

When submitting a request to exercise your rights, BIRD may ask for additional information to identify yourself. 

If processing your request requires unreasonable measures (e.g. it is technically or organisationally almost impossible or extremely costly) then BIRD can charge you reasonable compensation in light of the administrative costs involved in fulfilling the request. BIRD can also refuse to process requests that are excessive, particularly due to their repetitive nature. 

You can contact us with any questions or requests by sending an e-mail to louis.longeval@cranium.eu.

7. Recipients of international transfers 

BIRD will refrain from disclosing or selling personal data of data subjects to third parties as well as publicly disclosing data subjects’ personal data, unless in the following specific cases: 

  • Purchasers, or potential purchasers, of all or part of BIRD’s business (and their professional advisors); 
  • Personal data can be shared with third party service providers to which BIRD outsourced certain processing activities. These third parties are bound by contractual obligations to keep your personal data confidential and appropriately secure, such as ((i) hosting companies (hosting our online platforms), (ii) technology / marketing tool companies (helping us manage our customers and deliver messages), (iii) analytics companies (helping us improve the experience) and (iv) event companies (helping us manage events); and 
  • Government authorities, regulatory agencies and law enforcement officials, if required for the purposes specified above, if mandated by law, or if required for the legal protection of our legitimate interests in compliance with applicable data protection laws. 

Regarding international transfers of personal data and processing outside the European Economic Area (EEA), your data are only transferred to parties in third countries, such as software providers and cloud or mailing services, when permitted under the applicable data protection legislation. We guarantee appropriate safeguards which ensure that your rights are also respected by the data recipient outside the EEA in accordance with an adequate level of data protection. 

8. Retention of your Personal Data 

BIRD acknowledges the importance of the protection of personal data. We do not retain your personal data longer than strictly necessary for the realisation of the purposes for which we received the data, or for the execution of a contract or for fulfilling a legal obligation. The retention periods differ with regards to the type of processing activity and the purpose for which the personal data were collected. 

The personal data that we collect on the basis of your consent will be kept by us for as long as your consent remains valid. 

We keep customer and supplier information about your purchases for as long as reasonably necessary to execute our agreements, to comply with our legal obligations (such as accounting and tax obligations) and to resolve disputes or enforce agreements. Therefore, this personal information is retained for the duration of our contractual relationship. 

In all cases, personal data may be retained for a longer period if there is a legal or regulatory reason to do so, or for a shorter period if the data subject objects to the processing of his/her personal data and if there is no longer a legitimate reason to retain them. 

We guarantee to only provide limited access to archived data and to remove or render anonymous your personal data if the retention period has passed. 

9. Security and confidentiality of your Personal Data 

BIRD has taken technical and organizational security measures to prevent the destruction, loss, falsification, alteration, unauthorized access or disclosure of your personal data to third parties and any other unauthorised processing of these data. 

We have made every effort to ensure the confidentiality, integrity and availability of the information systems and services that process personal data. The measures include physical and operational security measures, access control, awareness raising and confidentiality clauses. All our employees and third parties engaged by us are obliged to respect the privacy and security of your data. 

Examples of measures: 

  • Firewalls and encryption 
  • Application of principle of access to data on a ‘need-to-know’-basis 
  • Password policy 
  • Avoidance of creating unnecessary data sets 
  • No informal sharing of Personal Data 
  • Locking screens of computers when unattended
        
10. Contact Details 

If you have any questions with regard to the content of this policy, the processing of personal data or the exercise of data subject rights in relation to this data processed by BIRD, you can contact louis.longeval@cranium.eu. 

11. Changes to this policy 

Changes to this privacy policy can be made from time to time. This will be in accordance with the GDPR or other privacy related regulations and laws. When we change the content of this policy we will change the date and version number of the ‘last update’ of this privacy policy. Significant changes will be reported on our homepage. Nevertheless, we encourage you to read our Privacy Statement periodically. 

Last update: 18/01/2022