TrustBuilder Privacy Statement for Business Relations
TrustBuilder is committed to protecting and respecting your privacy.
- Last date of revision: March 1, 2023
- WHO DOES THIS PRIVACY STATEMENT APPLY TO?
- This Privacy Statement applies to TrustBuilder nv, with registered offices at Poortakkerstraat 93, 9051 Gent, company number 0466.701.444.
- TrustBuilder nv (“We”) processes various personal data in the context of its activities. We act as data controller for the processing of your personal data in your capacity of (contact person of) a customer, supplier or any other business contact. During the course of our business, we can also act as a data processor when we process data on behalf of a customer.
- We are committed to protecting the personal data entrusted to us in a correct and transparent manner, in accordance with the applicable law and in particular with respect to the General Data Protection Regulation 2016/679 of 27 April 2016 (“GDPR”).
- WHAT IS COVERED BY THIS PRIVACY STATEMENT?
- With this Privacy Statement we would like to inform you about why and how we process your personal data as data controller when we perform our business activities, who we give that information to, what your rights are and who you can contact for more information or queries.
- FOR WHAT PURPOSES DO WE PROCESS PERSONAL DATA?
We process your personal data for legitimate business reasons. These purposes include, but are not limited to:
- customer and supplier management;
- business contacts management;
- orders and supply management;
- invoicing and accounting;
- the provision of information on our company, products, services and special offers;
- the good organisation of our services;
- sales;
- marketing purposes;
- dealing with enquiries, requests and complaints;
- dispute management;
- public relations;
- statistics and market research;
- safety and well-being;
- respecting our legal obligations.
- ON WHAT LEGAL GROUNDS DO WE PROCESS YOUR PERSONAL DATA?
- We process your personal data on the following legal grounds:
- for the purpose of concluding and performing contracts concluded with you, including (but not limited to) accounting, invoicing and deliveries;
- for complying with our legal obligations;
- for the purpose of the legitimate interests of our company and/or a third party, including (but not limited to) our business activities, customer and supplier management etc. and after conducting a balancing test with your interests. If you would like more information about this, you can always contact us.
- If we have the legal obligation to obtain your free, informed, specific and unambiguous consent to process your personal data for certain purposes, we will only process your data for such purposes to the extent that we have obtained such consent from you.
For example, We will always ask for your explicit consent for sending direct marketing, unless We have obtained your e-mail address in the context of the sale of related products or services and you have not objected to such use of your data. You may unsubscribe at any time by clicking unsubscribe at the bottom of the direct marketing message.
- WHAT ARE YOUR RIGHTS?
- You have several rights concerning the personal data we process about you. In particular, you have the right to:
- gain access to your personal data and request a copy thereof;
- ask that We update or correct your personal data when you believe they are incorrect or incomplete;
- ask that We delete your personal data, or restrict the way in which We use such personal data when you believe that We have no (longer a) lawful ground to process it;
- withdraw consent to the processing of your personal data (to the extent such processing is based on your consent);
- receive your personal data in a structured, commonly used and machine-readable format and to transfer such data to another party (to the extent the processing is based on consent or on the execution of a contract);
- object to the processing of your personal data for which We use legitimate interest as a legal ground, in which case We will cease the processing unless We have compelling legitimate grounds for the processing.
- You also have the right to object at any time to the processing of personal data for direct marketing by contacting us (see below) or by clicking the unsubscribe link in the direct marketing messages We sent. In that case, We will no longer process your personal data for direct marketing purposes.
- In order to exercise any of your rights, you can send us a request, indicating the right you wish to exercise,
- by sending an e-mail to [email protected];
- by sending a written query to: TrustBuilder, Kris Van Opstaele, Poortakkerstraat 93, 9051 Ghent.
You may also use these contact details if you wish to make a complaint to us relating to the processing of your personal data.
- If you are unhappy with the way We handle your personal data, you have the right to lodge a complaint with a supervisory authority in the Member State of your habitual residence, place of work or place of the alleged infringement.
- HOW DO WE OBTAIN PERSONAL DATA?
- We may obtain your personal data in the framework of the execution of our business activities.
- We may obtain such personal data because you give them to us (e.g. by contacting us etc.), because others give them to us (e.g. third party service providers that we use in the framework of our activities) or because they are publicly available.
We may also obtain your personal data through the way you interact with us.
- When We obtain personal data from external parties, we make reasonable efforts to enter into contractual clauses with these parties obliging them to respect the data protection legislation. This can be done by obliging this party to provide you with all necessary information or – if necessary – to obtain your consent for processing the personal data as described in this Privacy Statement.
- WHICH PERSONAL DATA DO WE COLLECT?
The personal data that We collect may include:
- standard identification and contact data (e.g. name, address (private/work), telephone number (private/work), e-mail address (private/work));
- personal characteristics (e.g. age, gender, date of birth, place of birth, nationality, language …);
- financial data (e.g. bank account number, VAT-numbers of one-man businesses …);
- employment data (e.g. organisation you work for, job title …);
- the information you provide us in forms and to all possible services and communication channels that We offer;
- data about how you use our products and services;
- camera images;
- information about delivered products and/or services;
- data about how you interact with us (e.g. enquiries, requests and complaints) and other similar information.
- TO WHOM CAN WE DISCLOSE YOUR PERSONAL DATA?
- We may disclose your personal data to affiliated companies or third parties that reasonably require access to these data for one or more of the purposes referred to above. The following external parties may for instance be involved:
- external service providers We rely on for various business services;
- law enforcement authorities and public authorities in accordance with the relevant legislation;
- external professional advisors (e.g. attorneys or consultants of the company).
With your explicit consent, We may transfer personal data to third parties (e.g. marketeers) for direct marketing purposes, including targeted advertising.
- We do not transfer your personal data to countries outside the European Economic Area.
- ARE YOUR PERSONAL DATA PROTECTED?
- We employ strict technical and organizational (security) measures to protect your personal data from access by unauthorised persons and against unlawful processing, abuse, damage, accidental loss and destruction both online and offline.
- TECHNICAL MEASURES
- Access control and authentication:
- An access control system applicable to all users accessing the IT system is implemented. The system allows creating, approving, reviewing and deleting user accounts.
- The use of common user accounts is avoided. In cases where this is necessary, it is ensured that all users of the common account have the same roles and responsibilities.
- When granting access or assigning user roles, the “need-to-know principle” shall be observed in order to limit the number of users having access to personal data only to those who require it for achieving TrustBuilder’s processing purposes.
- Where authentication mechanisms are based on passwords, TrustBuilder requires the password to be at least eight characters long and conform to very strong password control parameters including length, character complexity, and non-repeatability.
- The authentication credentials (such as user ID and password) shall never be transmitted unprotected over the network.
- Logging and monitoring:
- Log files are activated for each system/application used for the processing of personal data. They include all types of access to data (view, modification, deletion).
- Security of data at rest:
- Server/Database security:
- Database and applications servers are configured to run using a separate account, with minimum OS privileges to function correctly.
- Database and applications servers only process the personal data that actually need to be processed in order to achieve the processing purposes.
- Workstation security:
- Users are not able to deactivate or bypass security settings.
- Anti-virus applications and detection signatures are configured on a regular basis.
- Users don’t have privileges to install or deactivate unauthorized software applications.
- The system has session time-outs when the user has not been active for a certain time period.
- Critical security updates released by the operating system developer are installed regularly.
- Network/Communication security:
- Whenever access is performed through the Internet, communication is encrypted through cryptographic protocols.
- Traffic to and from the IT system is monitored and controlled through Firewalls and Intrusion Detection Systems.
- Back-ups:
- Backup and data restore procedures are defined, documented and clearly linked to roles and responsibilities.
- Backups are given an appropriate level of physical and environmental protection consistent with the standards applied on the originating data.
- Execution of backups is monitored to ensure completeness.
- Mobile/Portable devices:
- Mobile and portable device management procedures are defined and documented establishing clear rules for their proper use.
- Mobile devices that are allowed to access the information system are pre-registered and pre-authorized.
- Application lifecycle security:
- During the development lifecycle, best practice, state of the art and well acknowledged secure development practices or standards are followed.
- Data deletion/disposal:
- Software-based overwriting will be performed on media prior to their disposal. In cases where this is not possible (CDs, DVDs, etc.) physical destruction will be performed.
- Shredding of paper and portable media used to store personal data is carried out.
- Physical security:
- The physical perimeter of the IT system infrastructure is not accessible by non-authorized personnel. Appropriate technical measures and organizational measures are in place to protect security areas and their access points against entry by unauthorized persons.
- ORGANIZATIONAL MEASURES
- Security management:
- Security policy and procedures:
- TrustBuilder must document a security policy with regard to the processing of personal data.
- Roles and responsibilities:
- Roles and responsibilities related to the processing of personal data are clearly defined and allocated in accordance with the security policy.
- During internal re-organizations or terminations and change of employment, revocation of rights and responsibilities with respective hand-over procedures is clearly defined.
- Access Control Policy: specific access control rights are allocated to each role involved in the processing of personal data, following the need-to-know principle.
- Resource/asset management: TrustBuilder has a register of the IT resources used for the processing of personal data (hardware, software, and network). A specific person is assigned the task of maintaining and updating the register (e.g. IT officer).
- Change management: TrustBuilder makes sure that all changes to the IT system are registered and monitored by a specific person (e.g. IT or security officer). Regular monitoring of this process takes place.
- Incident response and business continuity:
- Incidents handling / Personal data breaches:
- An incident response plan with detailed procedures is defined to ensure effective and orderly response to incidents pertaining to personal data.
- TrustBuilder will report without undue delay to the relevant controller any security incident that has resulted in a loss, misuse or unauthorized acquisition of any personal data.
- Business continuity: TrustBuilder establishes the main procedures and controls to be followed in order to ensure the required level of continuity and availability of the IT system processing personal data (in the event of an incident/personal data breach).
- Human resources:
- Confidentiality of personnel: TrustBuilder ensures that all employees understand their responsibilities and obligations related to the processing of personal data. Roles and responsibilities are clearly communicated during the pre-employment and/or induction process.
- Training: TrustBuilder ensures that all employees are adequately informed about the security controls of the IT system that relate to their everyday work. Employees involved in the processing of personal data are also properly informed about relevant data protection requirements and legal obligations through regular awareness campaigns.
- HOW LONG WILL YOUR PERSONAL DATA BE STORED?
- As a general rule, personal data in the framework of the use of our services are stored for a period of 3 years as from the end of the contractual relationship (including warranty periods and after-sales services).
- Personal data processed in the context of direct marketing, for example for our newsletters, will in principle be stored for a period of 3 years from the last contact with our company. However, We can store your personal data longer for these purposes if in the meantime you have become our customer, namely for a period of 10 years from the delivery of products or services, or from the last contact with our company if that would take place later.
- Camera images are kept for 30 days unless a violation can be detected. In the latter case, we will keep the images for as long as necessary in the context of a possible claim or procedure.
- Depending on the specific situation, we may however retain your personal data for a longer period. This will in particular be the case if any of the following periods is longer: (i) as long as is necessary for the activity or service concerned; (ii) any retention period that is required by law; or (iii) the end of the period in which litigation or investigations might arise.
- ARE YOUR PERSONAL DATA USED FOR AUTOMATED DECISION-MAKING?
- Automated decisions are defined as decisions about individuals that are solely based on the automated processing of data and that produce legal effects that significantly affect the individuals involved.
- As a rule, your personal data will not be used for automated decision-making. We do not base any decisions about you solely on automated processing of your personal data.
- HOW TO CONTACT US?
- If you have any further queries about this Privacy Statement and the Sites in general, you can contact us:
- by e-mailing us at [email protected];
- by calling us at +32 (0)9 265 02 70;
- by addressing your written query to TrustBuilder, Kris Van Opstaele, Poortakkerstraat 93, 9051 Ghent.
- CHANGES TO THIS PRIVACY STATEMENT
- We may modify or amend this Privacy Statement from time to time. To let you know when we make changes to this Privacy Statement, we will amend the revision date at the top of this page. The new modified or amended Privacy Statement will apply from that revision date. Please check back periodically to see changes and additions.