2: What is the scope of this policy?
What does “processing personal data” mean and who is responsible for it? We only collect and use personal data that is required to enable us to carry out our activities and that allows us to provide quality products and services to you. College of Art & Design, having its registered office at Vilvoordsesteenweg 92, 1120 Brussels, is responsible for processing of the personal data that it must process.
Therefore, any questions you, or a supervisory body (e.g. the “Data Protection Authority”), has regarding the use of your personal data by our company can be directed to us.
We ensure that these subcontractors only receive data that is strictly necessary for them to carry out their part of the contact. We may also act as a subcontractor for other entities that may or may not be part of the College of Art & Design. In this case, these entities are responsible for processing the personal data. We will then follow their instructions.
3: What types of data are included in this policy?
In the context of your relationship and interactions with College of Art & Design, we can collect various personal data from you, such as:
- Identification and contact details (e.g. your title, name, address, date and place of birth, national identification number, bank account number, phone number, email address, IP address, occupation);
- Family situation (examples: martial status, number of children);
- Banking, financial and transaction details (examples: bank details, account numbers, data relating to transfers including references, and, in general, all data that is collected during your bank transfers);
- Data relating to your behaviour and habits when using our channels (examples: our stores, our websites, our tablet and smartphone applications) or relating to your consumption behaviour (number of products ordered, time between orders etc.);
- Data relating to your preferences and interests, that you directly or indirectly share with us, for example, by taking part in our competitions or events etc.;
- Data derived from your interactions on our pages on social networking sites.
We never process data relating to your racial or ethnic background, political opinions, religion, personal beliefs or trade union membership, genetics, sex life or sexual orientation, unless we are legally obliged to do so, or if we acquire this data as a result of your use of our products and services (for example, if you provide this type of information yourself).
4: Guidelines for the processing of personal data
College of Art & Design shall take the following principles into account when processing personal data in the context of meeting and executing its commitments:
- Legal data processing: College of Art & Design processes personal data in a legal manner in the context of its activities;
- Purpose limitation:College of Art & Design collects and processes personal data for the legal purposes that are described below;
- Minimising the data processing: College of Art & Design limits the processing of personal data to that which is necessary in the context of its activities;
- Accuracy of the personal data: College of Art & Design takes all reasonable measures to ensure that the personal data is accurate and that it is immediately corrected and/or deleted if it is no longer accurate;
- Limitation of the processing and retention period: College of Art & Design shall process and store the personal data for no longer than is necessary for the execution of its activities;
- Security measures: College of Art & Design takes the necessary and adequate technical and/or organisational measures for the protection of personal data.
5: When will your personal data be collected?
The data we use may be collected directly from you or from the following sources, the purpose of which is to verify or enrich our databases;
- Publications/databases made accessible by official bodies;
- Our business clients or our service providers;
- Websites/social networking pages that contain information that you have made public (for example, your website or social network);
- Databases that are made public by third parties.
Some of your data may also be collected by College of Art & Design
- If you are a customer or supplier;
- If you register to use our online services (every time you log in or use our services);
- If you complete the forms and contracts we present to you;
- If you register for our newsletters, take part in our competitions, you register on our website;
- If you contact us via the various channels available to you;
- If data is published or forwarded by authorised third parties or professional data providers;
6: On what basis and why do we use your personal data?
We process your personal data for numerous purposes. Every time we process data, we only process the data that is relevant to the intended purpose.
In general, we use your personal data:
- in the context of the execution of a contract or to implement precontractual measures;
- to comply with the legal and regulatory requirements that we are subject to;
- for reasons within the scope of the legitimate interests of the company (see the illustrations below). When we carry out this type of processing, we ensure a balance between these legitimate interests and the safeguarding of your privacy;
- if we have received your consent.
Personal data is processed by College of Art & Design for purposes including the following (non-exhaustive list):
- To provide you with information about our products and services;
- To help you and answer your questions;
- To facilitate a successful execution of the contract entered into;
- To guarantee the financial and accounting management of College of Art & Design;
- To comply with legal requirements, such as responding to an official request from a competent public or judicial body;
- To detect and prevent misuse and fraud: we process and manage contact and security data (card reader, password etc.) to validate, monitor and guarantee the security of the transactions and communication carried out via our channels;
- To monitor our activities;
- To improve the navigation, user-friendliness and functionality of College of Art & Designs website and the pages on the website that are restricted to holders of a user account;
College of Art & Design will not take any decisions that are solely based on automated processing — whether or not a profile has been created — and that may result in judicial consequences or significant damages for you, except:
- if it is essential to conclude or execute the contract;
- if it is legally permitted (for example, to uncover tax fraud);
- if we have received your explicit consent to do so.
In these situations, you will be informed in advance about the automated decision, your right to human intervention and how you can appeal this decision.
7: Who has access to your data and who is it passed on to?
Only authorised users have access to your personal data to achieve the aforementioned purposes. Authorised users are persons who, in the context of the execution of their tasks at College of Art & Design, are authorised to process personal data according to College of Art & Design’s guidelines.
We pass data on to third parties only if:
- It is necessary for a successful execution ofCollege of Art & Design services. This data is transferred to third parties with the sole purpose of carrying out the task that has been outsourced to them by College of Art & Design
We ensure that these third parties handle your data in a secure, respectful and responsible manner, just as we do, and we provide the appropriate contractual guarantees.
- there is a legal requirement, specifically, to prevent money laundering.
- it is in the legitimate interests of College of Art & Design or the third party involved.
We only pass on your personal data if your interests or fundamental rights and freedoms do not prevail. You will always be informed of this in full transparency (except in the case of legal exceptions). Your personal data may, for example, be passed on to partners, debt collection agencies and legal service providers, but also to partners with whom we are collaborating in the context of a specific action.
- you provide us with your consent for this.
If College of Art & Design provides personal data to third parties in other situations, you will always be expressly informed of this, and provided with information about the third party, the purpose of the communication and the processing. If legally required, we will always ask for your explicit consent.
8: For how long do we store your data?
We store your personal data for as long as is necessary to satisfy the applicable laws and regulations, or for the length of time required to satisfy operational obligations, such as to carry out correct accounting, the efficient management of the customer relationship and responding to a legal claim or a request from the regulator.
The customer data will be stored for the duration of the contract and, in principle, for a maximum of ten years following the end of the contractual relationship. Data relating to potential customers is stored for a maximum of three years, depending on the life cycle of the project for which this personal data is collected, and if the person has shown interest.
Certain data is stored for a longer time to allow us to comply with our legal obligations and to serve as evidence, in particular, to protect your rights and the rights of our company. This archived data can only be accessed to be used as evidence in legal proceedings, when audited by a competent authority (such as the tax authorities), and to allow these documents to be presented to judicial, administrative or police authorities.
9: Security and confidentiality
College of Art & Design commits to taking all the necessary and adequate technical, physical and organisational measures to protect personal data against unauthorised access, illegal and unauthorised processing, accidental loss or damage, and unauthorised deletion. These measures are as follows: password security, software to encrypt the hard drive, firewall, antivirus, intrusion and anomaly detection and access checks for our employees. If data is leaked with damaging consequences for your personal data, College of Art & Design will take the necessary/appropriate measures to establish the scope and consequences of the leak. College of Art & Design shall stop the leak as quickly as possible and, if necessary, limit the consequences for the data subjects affected, insofar as possible, as stated below in section 12. As our customer, you will be personally contacted and informed in the event of situations described by law.
The software for the management and storage of the data is continually updated. These measures are regularly evaluated and amended, if necessary, to ensure the maximum protection of the personal data of the data subjects. Your personal data is stored on computer servers at our head office and on servers that are hosted by our IT service providers.
10: What are your rights and how do you exercise them?
10.1 Rights of data subjects
In accordance with the applicable regulations, you have the following rights:
- Right of access to personal data (A);
- Right to rectification (A);
- Right to erasure (A);
- Right to object to the processing (B);
- Right to withdraw consent (B);
- Right to limit the processing (B);
- Right to data portability (C);
- Right to access, rectification and erasure of data
Every data subject has the right to access their personal data. If a data subject exercises this right, College of Art & Designis obliged to provide them with this information, including:
- a description and a copy of the personal data;
- information about the purposes for which College of Art & Design processes this data.
If the data is incorrect or incomplete, the data subject can request a rectification of the data. In certain circumstances, the data subject, in accordance with the rules regarding data protection, can submit a request for their personal data to be erased. This is possible if:
- the personal data is no longer necessary for the purposes for which it was collected or processed;
- you have withdrawn your consent for the processing and there are no other legal grounds for processing by College of Art & Design
- you have exercised your right to object (see below);
- your personal data has been unlawfully processed;
- your personal data must be erased to comply with a legal obligation;
- your personal data was collected when you were still a minor.
Bear in mind that we are not always able to erase personal data as requested, for example, if processing is necessary to institute, exercise or substantiate legal proceedings or because we are legally required to process the data. In our response to your request, we will provide further information regarding this.
To keep your data fully up-to-date, we ask you to inform us of any changes to your data (e.g. change of martial status or change of address).
B.: Right to object and limit the processing of your data and the right to withdraw consent
You have the right to object to certain types of personal data processing. Specifically, you have the right to object, without justification, to the use of your personal data for prospecting purposes. You can also ask us to limit the processing of your data. You can determine the privacy settings for your personal data by contacting us, or if applicable, via your personal user account on our website.
If you no longer wish to receive any form of commercial communication, you have the right to object to the full or partial use of your personal data by College of Art & Design for direct marketing purposes at any time and without providing a reason. You can do this by:
- clicking on the link “unsubscribe” at the bottom of the commercial email you have received and/or by changing your “preferences”;
- by sending an email to email@example.com.
This right can only be exercised under specific conditions:
- Your request must be signed and dated;
- If the objection is to the processing of personal data for purposes other than direct marketing, you must present serious and legitimate reasons that relate to your specific situation to submit an objection to the processing. In the case of a legitimate objection, we will cease the processing to which you have objected. You do not have the right to object to processing that is necessary to execute a contract concluded with you or for precontractual measures that we have implemented upon your request; in addition, you may not object to our compliance with the legal or regulatory requirements that we are subject to.
If you have given your consent for the processing of your personal data, you have the right to withdraw this consent at any time.
- Right of data portability
If necessary and insofar as applicable, data subjects can ask to receive certain personal data that they have provided to College of Art & Design, in the context of the execution of their activities, and to pass on this data to another Data Controller, for example, to allow them to switch service providers more easily. If it is technically possible, the data subject can ask College of Art & Design to forward the data directly to another Data Controller.
This is only possible for data that you have provided directly to College of Art & Design, after you have given your consent, or in the context of a service that you have entrusted to College of Art & Design. In all other cases, you cannot make use of this right (for example, when the processing of the data is carried out based on a legal obligation).
10.2 Who can I contact?
- How can I exercise my rights to privacy?
You can send an email to firstname.lastname@example.org
To exercise your right of access and to prevent your personal data from being unlawfully published, we must verify your identity. If the request is dubious or ambiguous, we will first ask you to provide additional information (preferably a copy of the front of your identity card).
- Will this cost me money?
You can exercise your rights for free, unless your request is clearly unfounded or excessive, i.e, if you repeatedly send requests. In this case, we have the right and the freedom to — in accordance with privacy laws — (i) charge you a reasonable fee (taking into account the administrative costs for the provision of the requested information or communication and the costs of taking the requested action), or (ii) refuse to fulfil your request.
- In what format will the response be provided?
If you submit your request electronically, we will send you the data, if possible, electronically, unless you explicitly ask for it to be sent in another format. Either way, we will provide you with a brief, transparent, comprehensible and simple response.
- When will I receive a response?
We will respond to your request as quickly as possible, and always within a month after receiving your request. Depending on the complexity and quantity of the requests, this term can be extended by two months. If the term is extended, we will inform you within a month of receiving the request.
- What can I do if College of Art & Design does not fulfil my request?
In our response, we will always inform you about the option to submit a complaint to the supervisory body and to bring proceedings before a court.
11: Transfer of data outside the EER
In the case of international transfers from the EER to a third party, which the European Commission recognises as ensuring a level of protection that is equal to that of the EER regulations (adequacy decision), your personal data will be transferred on the basis of this.
For transfers to countries outside the EER, which the European Commission has not recognised as providing adequate protection, we base our actions on a derogation that applies to the situation (for example, in the case of international payments, transfer is necessary to execute the contract) or on the fact that the recipient of the data has agreed to process the data in accordance with the “standard contractual clauses” that were drafted by the European Commission for data processors and subcontractors.
To receive a copy of these documents or to find out where you can consult them, you can submit a written request, as stated in section 10.2.
If and to the extent that the personal data is processed outside the European Union, we will ensure that this data is always guaranteed a suitable level of protection, through contractual or other measures, comparable with the protection that the data would be afforded in the European Union, based on EU regulations.
12: Violation of personal data
12.1: Reporting an infringement of personal data
Authorised users must, when carrying out their tasks, avoid incidents (accidental or otherwise) that could violate the privacy of the data subjects.
In the event of a violation of personal data, adequate measures will be taken as quickly as possible to limit the risk of damage to the data subject and College of Art & Design to a minimum (reputational damage, sanctions etc.).
In all cases, every authorised user and all other persons who consult, use or manage College of Art & Design data must immediately report any security breach and every incident related to data security, so that an analysis can be carried out immediately, the necessary measures can be taken and we can assess whether the breach must be report to the data protection authority and/or the data subjects.
If the report is made by email, it is important that this email is sent to the email address stated in section 10.2 and the subject of the email must clearly state that the message is urgent and concerns a possible breach of personal data.
The information must contain a complete and detailed description of the incident, including the identity of the person making the report (full name, address, email address (if applicable) and phone number), the type of incident and how many people are affected.
12.2: Investigation and analysis of the risks
In principle, College of Art & Design will initiate an investigation within 24 hours following the moment when College of Art & Designdiscovers the incident or breach, or after it receives a report from a subcontractor, authorised user, recipient, data subject or third party.
In the investigation, the nature of the incident will be stated, along with the type of data it concerns and whether specific personal data has been affected (if so, it will state which data subjects are affected and how much personal data is involved). The investigation will determine whether there has been a breach of personal data.
If there is a data breach, a risk analysis will be carried out to establish what the potential consequences of the breach could be/are, and in particular what the (potential) consequences may be for the data subjects.
College of Art & Design will decide whether it has an obligation to inform the data protection authority and/or the affected persons, based on the nature of the breach.
12.3: Registering the breach
All breaches are recorded in a log. In the log, the main cause of the incident and the secondary causes, the chronology of events, the measures, the recommendations and the lessons learnt are described in detail to identify the points of improvement. Recommended changes to systems and procedures will be documented and implemented as soon as possible.
13: How can I find out more about this policy and any changes made to it?
Please consult the latest version of this document on our websites. We will inform you of any substantial changes via our websites or our usual communication methods.
14: How can you contact us?
If you have questions about the use of your personal data, as described in this policy, you can contact us by email at email@example.com.
15: Supervisory authority
For complaints relating to the processing of your personal data, you can contact the Belgian Data Protection Authority, rue de la Presse 35, 1000 Brussels /
+32 (0)2 274 48 00 / firstname.lastname@example.org / www.autoriteprotectiondonnees.be