I. DATA PROTECTION POLICY
For the performance of its activities, TPF Group (hereinafter called TPF) processes various data, both commercial data and personal data. This policy concerns the processing of personal data by TPF. The personal data of different categories of identifiable persons such as employees, clients and suppliers, users of the website and other stakeholders are processed.
TPF understands the importance of the protection of personal data and the concerns of its employees, clients and clients’ contact persons, suppliers and suppliers’ contact persons and other persons with whom it has contact regarding the processing of their personal data. TPF always carefully considers the protection of personal data during the different personal data processing operations.
Different persons within the company may have access to the personal data of its employees (the term employees shall include: managers and everyone who works for TPF, including independent service providers and consultants, temporary workers such as agency workers, interns, student workers and ex-employees) and other individuals (clients and suppliers) during the performance of their role. Each of these persons within TPF is bound by this policy on the protection of personal data.
The applicable data protection legislation imposes obligations on TPF regarding the way in which it must process data. In addition, the legislation provides for rights for the persons whose data is processed, so that they have more control over their own personal data.
This policy gives an overview of the general obligations under data protection legislation which the company and its employees must comply with. Compliance with this policy is important for the following reasons:
- Compliance with data protection legislation is a legal obligation and failure to comply with these duties can lead to liability, sanctions and fines;
- Compliance with data protection legislation leads to more satisfactory and efficient processing of personal data;
- Compliance with data protection legislation is the basis for a relationship of trust between TPF and its business relations and employees.
This policy is applicable to TPF, which processes personal data, and contains the guidelines which each personal data processing operation must comply with. This processing occurs either fully or partly via automated processes which are part or will form part of a structured filing system.
This policy is written in such a way that it refers to a uniform minimum standard for the protection of personal data which is applicable to the whole group of TPF companies. This policy will be applied within the group of companies, except if other compulsory data protection legislation containing stricter obligations and conditions is applicable.
3. Contact person for the protection of personal data
The company has appointed a person, supported by a team, to ensure the implementation of and compliance with data protection legislation and this policy.
The person in charge of data protection can be contacted via e-mail firstname.lastname@example.org or by telephone +32 2 370 19 70. In order to exercise your rights, please refer to Article 8 of this policy.
The applicable data protection legislation refers to an abstract matter using its own idiom. Below you will find several definitions that should enable you to better understand the terminology, and by extension, this policy.
a. Data protection legislation
Various regulations may apply, depending on the concrete application in which personal data are processed.
Beside European regulations, specific national data protection legislation also applies, such as the Law of 8 December 1992 on the protection of privacy with regard to the processing of personal data and the Law of 13 June 2005 on electronic communications.
b. Personal data
Personal data concern all information about an identified or identifiable natural person, also known as the data subject. A person is considered as identifiable when a natural person can be directly or indirectly identified, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more elements that are characteristic of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
The controller is a natural or a legal person (for example a company), a public authority, agency or other body which, alone or jointly with others, determines the purposes and means for processing personal data.
TPF for example, a legal person, is the controller processing the personal data of its employees in the context of its personnel management.
The processor is a natural or a legal person, a public authority, an agency or another body processing personal data on behalf of and only on instructions from the controller.
e. Personal data processing
Processing of personal data means any operation or set of operations which is performed upon personal data or a set of personal data, whether or not by automatic means (e.g. software), such as collecting, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting and using data, disclosing by transmission or dissemination or otherwise making available, by alignment or combination, blocking, erasure or destruction.
An example of processing personal data is when the company collects and saves the contact details of its clients’ contact persons in the company’s Client Relationship Management software system or in a paper filing system.
f. Filing system
A filing system means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis.
This refers to both electronic structured filing systems using software or cloud applications, and paper files and filing systems, provided that these filing systems are organized and structured in a logical way by connecting them to individuals or which are connected to individuals on the basis of criteria.
5. Principles applicable when collecting and processing personal data
As well as the use of specific language, data protection legislation has several basic principles which every controller must comply with in order to be in accordance with this legislation. In the event of doubt regarding the application of these principles in a concrete case, you can always contact TPF for further explanations, and according to the procedure described in Article 8.
Data protection legislation provides that personal data must be processed in agreement with the various basic principles and the conditions resulting therefrom.
Data protection legislation provides that personal data must be processed fairly and lawfully with respect to the data subject.
In order to process personal data lawfully, a legal basis must exist. In principle, personal data can only be processed when:
The data subject has given his or her consent. The company shall inform the person concerned at the latest before the data is collected about the purpose for which consent is required, which personal data will be collected for the processing, the right to revoke consent, the possible consequences for the data subject in the context of automated individual decision-making and profiling, and transfer to third countries.
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation which is imposed upon the company;
- Processing is necessary in order to protect the vital interests of the data subject or another natural person;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the company acting as the controller;
- Processing is necessary in view of the legitimate interests pursued by the company as a controller or the interests of a third party, except where the fundamental rights and freedoms of the data subject regarding the protection of his or her personal data override these interests.
If you have given your consent for a specific processing purpose to the company in order to process your data for that purpose, you can withdraw this consent at any time. The company will then stop processing the data for which you gave consent, and will inform you of the possible consequences of the withdrawal of your consent. If the company processes your personal data for other purposes and in order to do so refers to other legal bases, it will still be allowed to process your personal data.
The company ensures that it always refers to at least one of the above-mentioned legal bases when it processes personal data. If you have questions about the applicable legal basis the company is referring to, you can always contact the company in accordance with the procedure provided in Article 8.
Some categories of personal data are of a sensitive nature and data protection legislation therefore has a stricter regime for these special categories of personal data (also known as ‘sensitive personal data’). These are data concerning race or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership and processing of genetic data, biometric data for the unique identification of a person, or data about health, sexual behavior or sexual orientation. Data relating to criminal offences or convictions also form a special category.
In principle it is forbidden to process these sensitive personal data, unless the company can refer to one of the exceptions. In a limited number of specific cases, the company must process sensitive personal data. In these cases, the data subject will be informed in advance. For these specific purposes, the company will provide the person concerned with detailed information in advance about the specific purposes and the legal basis of the processing. For more information about the processing of sensitive personal data by the company, you can always contact the company according to the procedure described in Article 8 of this policy.
The company ensures that personal data shall be processed:
- For specific, explicit and legitimate purposes and may not be processed further on in a way incompatible with the purposes for which the data were initially collected. The company shall always clearly communicate the purposes before starting the processing.
- This processing shall be limited to what is necessary for the purposes for which the data were collected. If possible, the company will anonymize the data or use pseudonyms in order to limit the impact for the data subject as much as possible. This means that the name or identifier will be replaced to make it difficult or even impossible to identify an individual.
- Limited in time and only as necessary for the specific purpose.
- Accurately, and the data shall be updated where necessary. The company shall take all reasonable measures to erase or update the personal data, taking into account the purposes for which they are being processed.
The company processes personal data which, in principle, it has received directly from the data subject. The company processing the data subject’s personal data shall always inform the latter about the following matters:
- Identity and contact details of the controller;
- Processing purposes and legal basis;
- If the personal data processing is supported by a legitimate interest, an explanation of this interest;
- The (categories of) receivers of the personal data;
- Transfer of personal data to third countries (outside the EU) or international organizations (+ on what basis);
- Time limit for the storage of personal data or the criteria used to determine the time limit;
- Data subject’s rights (including the right to revoke consent);
- The right to lodge a complaint with the supervisory authority;
- Explanation when the transmission of personal data is a contractual or legal obligation;
- The logic behind automated decision-making processes and the possible legal consequences for the data subject;
When the data subject already has all the information, the company will not inform the data subject unnecessarily about the processing of his or her personal data.
If the company processes personal data for other purposes which are incompatible with the purposes for which the data were initially collected (the new purpose does not appear to be described in the initial information note and the data subject cannot assume that his/her personal data will also be processed for this new purpose), the company shall take all the necessary measures to process these personal data lawfully, and shall inform the data subject about this.
The company can disclose the information both on a collective and individual basis and shall continue to ensure that it is drafted in plain, intelligible language.
Specific legislation may contain exceptions or set additional requirements which the company must comply with, with respect to the provision of information to data subjects. These mandatory legal provisions take precedence over this policy.
d. Confidentiality and integrity
The company takes the required technical and organizational measures to ensure that the processing of personal data always takes place with the appropriate guarantees, so that the data are protected against accidental loss and against unlawful processing, destruction or damage. The company has, when choosing the proper security measures, considered the nature, context, purpose and scope of the processing, the possible risks when processing the personal data, the cost of implementation of the measures and the state of the art.
These measures are applicable to the physical access to personal data, access via computers, servers, networks or other IT hardware and software applications and databases. In addition to the technical and organizational measures, the company’s employees who have access to personal data during the performance of their duties, are bound by a number of obligations set out to guarantee the confidentiality and integrity of personal data, as summarized in Article 9 of this policy.
The employees may only process the personal data at the company’s instruction or if the law requires them to do so. The company shall also implement access rights, so that its employees only have access to the data they need when performing their duties.
A general summary of the technical and organizational security measures which TPF has introduced, can be found in the Security Policy.
6. Transfer of personal data
In some cases, the company may be obliged to transfer your personal data to third party receivers, both within the TPF group of companies and outside it. In any event, these personal data are only transferred on a need-to-know basis to these receivers who carry out the processing for specific purposes. The company shall always observe the necessary security measures when transferring the data, namely with respect to the receivers, in order to guarantee the confidentiality and integrity of the personal data.
The transfer to third parties can take several forms, as described below.
a. Transfer within TPF
The transfer of personal data between TPF’s companies is considered as a transfer to a third party. Consequently, this transfer may only occur when the company has complied with the different principles and obligations of the data protection legislation. This means, among other things, that the data subject must be informed about the transfer and the reason for the transfer and that the transferring company must be relying on a legal basis for this transfer (consent from the data subject, performance of an agreement, legitimate interest, etc.). The company must also comply with the other principles as summarized in Article 5 of this policy for this additional processing.
When your personal data are passed on to companies within the group which are located outside the European Economic Area (i.e. The European Union, Norway, Iceland and Liechtenstein), TPF provides binding corporate rules which are approved by the competent supervisory authorities (Art. 47 GDPR) or the appropriate guarantees as described under point c.
b. Transfer to processors
The company can ask a third party, a processor, to process personal data, on behalf of and only on instructions from the company. The processor is not allowed to process these personal data for its own purposes, different from the purposes for which the company uses the processor.
The company can opt to work with processors delivering services at the company’s request, for travel agencies, rental services, medical and other professional consultancy services.
The company shall only use processors and provide them with personal data after processing agreements meeting the legal requirements are concluded with these processors. The GDPR provides, among other things, that the agreement must contain a clause which indicates that the processor may only process the personal data at the company’s instruction; that the processor must provide the company with assistance if asked for; that personal data must remain confidential, etc.
Part of this processor agreement also concerns the security measures which the processor must implement before processing the personal data and maintain throughout the entire duration of the processing in order to ensure the confidentiality and integrity of the data.
The company shall take the necessary measures if it appears that its processors do not comply with the obligations in the agreement.
A standard processor agreement is available at TPF’s offices.
c. Transfer to third countries – outside the European Economic Area
It is also possible for the company to transfer your personal data to parties that are based in third countries, these are countries outside the European Economic Area (i.e. The European Union, Norway, Iceland and Liechtenstein).
Such a transfer is possible if the country where the receiver is based offers sufficient legal guarantees to protect your personal data and which the European Commission has assessed as being adequate. In other cases, the company has concluded a standard contract with the receiver, guaranteeing a protection that is equivalent or similar to the one offered in Europe.
For cases in which this did not or cannot happen, the company can always pass on the data subject’s personal data if it obtains consent from the data subject, within the limits of the relationship which the data subject has with the company. In order to ensure transfer and thus processing is possible in these cases too, the company may ask the data subject whether he/she agrees to this occasional transfer to third countries.
If more information or a copy of the guarantees for these international transfers is desired, the procedure as described under Article 8 is to be followed.
7. Time limit for the storage of personal data
The company shall not store personal data any longer than necessary for the specific purpose for which the data were collected. After the final time limit has passed, the company shall delete or anonymize the personal data. The company shall anonymize the data if it still wishes to use them for statistics. The company may store the personal data for a longer period for its dispute management, research or archiving purposes.
8. Rights of the data subjects
Data protection legislation provides for different rights for data subjects with respect to the processing of personal data so that the data subject can still exercise sufficient control over the processing of his or her personal data.
The company tries, by this policy, to already provide as much information as possible to the data subjects in order to be as transparent as possible with respect to the processing of personal data. Nevertheless, this general policy must be read together with more specific information notes which give more explanations about the company’s specific processing purposes.
The company understands that the data subject may still have questions or desire additional clarifications with respect to the processing of his or her personal data. The company thus understands the importance of the rights it is willing to comply with, considering the legal limitations in the exercising of these rights. The different rights are described in detail below.
a. Right of access
The data subject has the right to obtain confirmation from the company that his or her personal data are being processed. If so, the data subject may request the right to consult his or her personal data.
- The company shall inform the data subject about the following matters:
- the processing purposes;
- the categories of personal data concerned;
- the receivers or categories of receivers to which the personal data are supplied;
- transfer to receivers in third countries or international organizations;
- if possible, the period during which it is expected that the personal data will be stored, or if this is not possible, the criteria used to determine this period;
- that the data subject has the right to ask the company to correct or erase personal data, or to limit the processing of his or her personal data, as well as the right to object to this processing;
- that the data subject has the right to lodge a complaint with a supervisory authority;
- if the personal data are not collected from the data subject, all available information about the source of the data;
- the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
The company shall also supply a copy of the personal data that are being processed on request.
b. Right to rectification
When the data subject establishes that the company has incorrect or incomplete data about him/her, the data subject always has the right to inform the company about this, so that appropriate action can be taken to rectify or supplement these data. It is the data subject’s responsibility to provide correct personal data to the company.
c. Right to be forgotten
The data subject can ask to have his or her personal data erased if the processing is not in accordance with data protection legislation and within the limits of the law (Article 17 GDPR).
d. Right to restriction of processing
The data subject may ask to have the processing restricted when:
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to check their accuracy;
- the processing is unlawful and the data subject opposes the erasure of the data;
- the company no longer needs the data, but the data subject requests not to remove them, given that he or she needs them for the exercise or defense of legal claims;
- he or she has objected to processing, pending the verification whether legitimate interests override those of the data subject.
e. Right to data portability
The data subject has the right to obtain his or her personal data which he or she provided to the company in a structured, commonly used and machine-readable format. The data subject has the right to have those personal data transmitted to another controller (directly by the company).
f. Right to object
When personal data are processed for direct marketing purposes, the data subject can always object to this processing.
The data subject can also object to a specific situation being processed. The company shall thereupon stop processing the personal data, unless the company demonstrates it has compelling legitimate interests for the processing which override the interests of the data subject or serve to exercise or underpin legal claims.
g. The right to withdraw consent
If you have given your consent to the company to process your data for a specific purpose, you can withdraw this consent at any time by sending an e-mail
h. Procedure for exercising rights and other provisions
The data subject may exercise his or her rights by sending an e-mail to TPF’s e-mail address email@example.com or by calling number +32 2 370 19 40. The company may ask the data subject to identify himself /herself in order to ensure that it is indeed the data subject requesting to exercise his or her rights.
If you have any questions about the application of the principles or the company’s (legal) obligations, you can always contact TPF by email or by phone.
In principle the company shall respond to the data subject’s request within one month.
9. Employees’ responsibilities
The company expects its employees to comply with this policy and to ensure that the persons they are responsible for equally comply with this policy.
It is crucially important that the employees understand the aims of this policy and familiarize themselves with it so that they can comply with all its provisions. The employees must therefore:
- Ask advice from their manager or their data controller if they have doubts about the application of this policy or compliance with data protection legislation when performing their duties;
- Only process personal data in the frame of their duties / on instructions from the company;
- Follow training courses about the confidential processing of personal data and the general principles and obligations which result from data protection legislation;
- Provide assistance to the data controller;
- Not save any copies of personal data on their desktop or personal portable storage if the company has centralized and secure storage, given that saving your own files or copies can lead to incorrect personal data and higher risks of breaches.
- Immediately inform the data controller if he or she establishes a potential or actual breach of personal data or personal data legislation.
All entities that make part of TPF shall guarantee that this policy is complied with. Each person who has access to personal data processed by the company must comply with this policy. Non-compliance with this policy can lead to disciplinary measures/sanctions such as a warning, dismissal or any other sanction permitted by law, without prejudice to the right to initiate civil or criminal proceedings.
11. Audit and review
The company reserves the right to adjust and review this policy when deemed necessary and to remain coherent with the legal obligations and/or recommendations of the competent supervisory authority for data protection.
12. Entry into force
This policy applies as of 01.08.2018
13. Technical and organisational security measures
- Security consultant
- Security and risks plan
- Security policy
- Raising awareness among staff through information
- Information classification
- Emergency plan in the event of physical or technical incidents
- Sporadic check of the processing systems and adequacy of the services
- Back-up system
- Measures for fire, break-in, water damage or physical/technical incidents
- Authentication system
- Password policy
- User ID policy
- Logging system, access detection and analysis (building)
- Patching (research and maintenance of the systems)
- Network security
TPF understands that privacy is very important to its clients and partners, as is the protection of their personal data. This policy describes how we are using the personal data we collect and how these data are being processed.
This website is operated by TPF. We very much want to create and maintain an environment in which our clients and partners can be sure that their data are not misused.
We comply with applicable personal data protection legislation, e.g. the General Data Protection Regulation (GDPR) EU 2016/679 as well as all applicable national legislation. This legislation provides that personal data be protected and therefore grants a number of rights.
This policy not only intends to explain which personal data we are collecting about you and how we shall process them when you have used our website, but also to ensure you that your data will be processed correctly.
2. What personal data do we collect ?
You don’t have to provide personal data to us in order to use most of our website.
For the purposes mentioned below, TPF may collect and process the following categories of personal data:
- Name, title, address ;
- Contact details (e-mail, telephone number) ;
You may also decide to provide additional/optional data when you fill out forms on our web site or when we contact you (by phone or e-mail, or at fairs and events).
In addition, we may collect and process data obtained from the websites you use. Next are a few examples:
- Data collected from other websites, e.g. when you request a connection to social media like Snapchat, Google or Facebook.
TPF may collect data readily available to the public to check the personal data we have collected and to manage and grow our business.
3. Why do we collect these data ?
TPF collect the above-mentioned data to identify your needs and to improve your experience on our websites. We may collect your personal data for the following purposes:
- To answer queries about our products and services (online or by e-mail);
- To comply with legal, regulatory and other compliance based obligations and requirements ;
- To analyze and check the use of accounts to avoid and investigate fraudulent and terrorist activities, scams, safety incidents or offences and to inform the relevant authorities about them;
- To periodically send e-mails/newsletters about our services and projects and other information we think you may be interested in;
- To contact you from time to time for market research, by e-mail or by phone;
- To process your personal data for specific purposes as mentioned on specific forms published on our websites, in written communications or by e-mail.
4. How do we use and share your personal data ?
TPF may share personal data:
- With other entities of TPF and/or affiliates ; or
- With third party companies with which you allowed us to share your personal data.
We may also share your personal data with suppliers assisting us with our activities, to serve our legitimate interests. This may be the case when hosting our internet servers, analyzing our data, assisting us with marketing operations and aftersales services.
These companies will only be granted access to your personal data in so far as they need them to perform their duties and they have no right to use the data for other purposes.
Your personal data will neither be sold nor hired out to third parties.
We may disclose your personal data to apply our policies, to comply with legal obligations, for safety reasons, in the public interest or for law enforcement in any country in which we have entities or affiliated companies. We may e.g. respond to an official request by a law enforcement agency, a regulatory body or a government authority. We may also disclose personal data in the frame of actual or potential disputes or to safeguard our property, our safety, our staff and other rights and interests.
If the company TPF is sold or merges with another company, your personal data will be disclosed to the potential purchaser’s financial advisor and they will be transferred to the new owners of the company. If this were to be the case, we would take all necessary measures to guarantee your personal data’s integrity and confidentiality. The use of your personal data would remain subject to the application of this policy.
5. Data transfer outside the European Economic Area
We may transfer your personal data to third parties located in third countries (outside the European Economic Area (EEA). Data can be lawfully transferred to countries outside the EEA if the beneficiary of the data is located in a country that guarantees adequate protection levels, confirmed by an adequacy finding from the European Commission.
A number of these countries may not have equivalent personal data protection laws. For these cases, we have examined ways to apply protection measures which are equivalent to the EU’s, e.g. by signing standard contractual clauses. In these particular cases, we shall ask your consent before transferring your personal data outside the EEA. To learn more about data transfers, we refer to the procedure described in the article about the “Rights of the data subjects”.
Cookies may contain identifiers. They allow us to know how our web sites are being used. This information may be analyzed on our behalf by a third party.
a. On our website, we use the following categories of cookies :
They are essential to navigate around our website and use its features. Without them, we would not be able to offer services as basic as e.g. remembering your logging data.
They record your preferences, e.g. the country from which you logged into our site, your language and your search parameters. They can be used to customize your experience by taking into account your preferences, to customize your visits and to provide relevant content to you. Data collected by these cookies may be anonymized and they cannot collect information about your activity on other websites.
Social media cookies
We also use third party services such as Google Analytics to collect information about individuals visiting our websites. This information is aggregated to calculate the number of visits and their average duration, the pages visited etc. We use the information to know how our website is being used, but also to improve its contents and its usefulness.
b. How to disable and remove cookies
Certain cookies are removed when you close your web browser (session cookies). Others stay on your device until their validity expires or until you remove them from your cache (persistent cookies or tracking cookies).
If you want to remove cookies that are already sitting on your computer, you may consult the help section of your internet browser. For more details on cookies, you may visit www.allaboutcookies.org or www.youronlinechoices.eu.
7. Rights of the data subject
You have the right to consult your personal data and obtain a copy of the data in our possession. If your personal data have changed, you have the right to ask us to correct, complete or remove any outdated information we have on you. Moreover, you have the right to restrict the processing of your personal data and to object to these data being processed.
You’re also entitled to receive personal data you provided to a controller in a structured, commonly used and machine-readable format. As the data subject, you have the right to have those personal data transmitted to another controller.
If you requested for commercial e-mails, information letters etc. from our company, you can opt out of this in case you change your mind.
We may ask you to prove your identity, to make sure you indeed are the data subject and therefore have a legitimate right to the personal data you request. Note that there may be situations in which we have a legal right to refuse you to consult your personal data or to reply negatively to any request from your part, if applicable data protection legislation allows us to do so.
To learn more about how your personal data are processed or about how to exercise your rights, you may contact us:
- via e-mail at firstname.lastname@example.org;
- By phone on +32 2 370 19 70.
You have the right to lodge a complaint with the competent data protection authorities.
TPF are committed to keeping your personal data as safe as possible. We have taken reasonable technical and organizational measures to protect your personal data against destruction, loss, accidental or illicit alteration, unauthorized disclosure of personal data you transmitted, or which are stored or processed in any other way, or unauthorized access to these data. You should bear in mind, however, that the Internet is an open system and we cannot guarantee that third parties will never be able to steer around our data protection measures or use your personal data for purposes that are inappropriate.
This web site may contain links to third party websites. TPF is responsible neither for the content of these sites nor for the privacy standards and practices used by third parties. We highly recommend you to read and understand the privacy policies of these third parties and their websites before accepting their cookies and to visit their website to check if your personal data are sufficiently protected.