INTERNAL PRIVACY POLICY OF BRUSSELS LAW SCHOOL CONSULTANCY
Last update: 6/05/23
1. Parties and Purpose of the Privacy Policy
1.1. The data controller is Brussels Law School Consultancy VZW, whose registered office is located in Brussels (hereinafter referred to as “the data controller”).
1.2. The Data Controller has drawn up this Privacy Policy because it is committed on establishing a culture which protects the rights of its board and consultants that share their data (hereinafter “Members”). Furthermore, the purpose of this Privacy Policy is to inform Brussels Law School Consultancy’s Members in a transparent manner of the way their personal data is collected and processed by the Data Controller. Members must read the Privacy Policy and explicitly sign the Privacy Policy in order to make it enforceable.
1.3. In this respect, the Data Controller and/or the service providers acting in its name and on its behalf shall determine all the technical, legal and organizational means and purposes of the processing of the Members’ personal data. To this end, the Controller undertakes to take all necessary measures to ensure that the processing of personal data complies with the Law of 30 July 2018 on the protection of individuals with regard to the processing of personal data (hereinafter, the “Law”) and the European Regulation of 26 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter, the “GDPR”).
1.4. The data controller is free to choose any natural or legal person who processes the personal data of members at its request and on its behalf (hereinafter “the processor”).
2. Processing of personal data
2.1. Membership of Brussels Law School Consultancy entails the communication of personal data. The personal data that may be processed are referred to in point 4. The processing of such data by the Data Controller, and/or by service providers acting on behalf of and for the Data Controller, shall be in accordance with the Law and the GDPR.
2.2. Personal data will be processed by the Data Controller, in accordance with the purposes mentioned in point 3, through:
keeping a register of members;
the sending of letters, electronic messages or any other means of communication used by the NPO;
the use of external working tools (Google Drive, etc.);
sending out a survey or questionnaire; and
reimbursement of expenses incurred by members on behalf of Brussels Law School Consultancy.
3. Purposes of processing personal data
3.1. The purposes of the processing of personal data are communicated to the Member and are as follows:
to ensure the smooth running of the NPO;
communicating with members during the period of their membership in the NPO (for example inviting them to our events, carry out teambuilding and bonding activities among members or share job opportunities from our partners);
to keep statistics on the functioning of the NPO. This will help the NPO to improve its organization and management in the future;
promote the NPO to the outside world, through a website, social networks (Facebook, Linkedin, Instagram) or any other means of communication that seems necessary;
manage and expand the Brussels Law School Consultancy network.
4. Personal data that may be processed
4.1. When joining the NPO, the data controller collects and processes the following personal data in accordance with the procedures, principles and purposes described in this Privacy Policy:
information given by Members to the Data Controller to enable the proper management of the NPO, i.e. surname, first name, address, e-mail address, telephone number, IBAN number and bank details, etc.; and more generally, any information voluntarily given by the Member;
photographs or representations of members used for promotional purposes, through the official internal and external means of communication of the NPO (Google Drive, Facebook, Instagram, Linkedin, etc.);
members’ information that they provide by filling in forms or surveys, or that they provide by communicating with other Members;
with respect to each of the members’ visits to the Site, the information automatically collected through cookies is:
IP addresses, browser types and models, time zones, operating systems, etc.;
all the information concerning the pages that the Member has consulted on the Website, in particular the URL, the navigation time, etc.;
Members’ information they provide using various communication tools within Brussels Law School Consultancy.
5. Legality of treatment
5.1. The processing by the Data Controller of Members’ personal data is based on consent within the framework of the NDA linking the Member to Brussels Law School Consultancy.
5.2. By accessing the tools of the NPO and by signing the NDA, the Member becomes a full and effective Member of Brussels Law School Consultancy. He/she declares that he/she has taken note of this Privacy Policy and signs it in order to make it enforceable.
5.3. The Data Controller processes and collects, in accordance with the methods and principles included in this Privacy Policy, the personal data that the Member communicates in the context of the activity of the NPO and/or on the occasion of the services offered by the Data Controller, for the purposes indicated in point 3.
6. Duration of retention of Members’ personal data
6.1. In accordance with Article 5, §1, e) of the GDPR, the Controller shall keep personal data only for as long as is reasonably necessary for the purposes for which they are processed.
6.2. A Member’s personal data is kept for the duration of his/her membership of Brussels Law School Consultancy.
6.3. After leaving the NPO, only the data strictly necessary for the proper functioning of the NPO are kept, such as name, first name, email address and telephone number, this can be used for example to invite former members to alumni events.
7. Recipients of data and disclosure to third parties
7.1. Personal data may be transmitted to employees or collaborators of the Data Controller who are located in Belgium or in the European Union and who collaborate with the Data Controller in the context of marketing products or providing services. They act under the direct authority of the Controller and are responsible for collecting, processing or subcontracting such data. Personal data may also be made known to employees or collaborators of data controllers if the latter so decide.
7.2. In all cases, the recipients of the data and those to whom the data have been disclosed shall respect the content of this Privacy Policy. The Data Controller ensures that they will process such data only for the purposes set out in point 3, in a discreet and secure manner.
7.3. Members, by signing this Privacy Policy, ensure that they will process the data of other Members and clients of the NPO, in compliance with the GDPR and Brussels Law School Consultancy’s Privacy Policy.
7.4. If the data is disclosed to third parties for direct marketing or prospecting purposes, the Member shall be informed in advance so that he/she may express his/her consent to the use of this personal data.
8. Members’ rights
8.1. At any time, the Member may exercise his/her rights by contacting the Data manager via e-mail to info@blsc.be, in which the Data manager will respond within one month. If several or complex requests are made, the Data manager may need extra time to respond to the request. As an exception to the general rule the Data manager will respond within two months.
8.2. Right of access
8.2.1 In accordance with Article 15 of the GDPR, the Controller guarantees the Member’s right of access to his/her personal data. The Member has the right to obtain access to their personal data that is being processed as well as the following information:
the purposes of the processing;
the categories of personal data concerned;
the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients who are established in third countries or international organizations;
where possible, the period of time for which the personal data are to be kept or, where this is not possible, the criteria used to determine this period; and
the existence of automated decision-making, including profiling, as referred to in Article 22(1) and (4) of the GDPR, and, at least in such cases, relevant information about the underlying logic, as well as the significance and intended consequences of such processing for the data subject.
8.2.2. Where the Member submits such a request electronically (e.g. via the e-mail address), the information shall be provided in a commonly used electronic form, unless the Member requests otherwise.
8.2.3. The copy of his/her data will be communicated to the Member at the latest within one month after receipt of the request.
8.3. Right of rectification
8.3.1. The Member may request the rectification of his/her data from the Data Controller.
8.3.2. In accordance with Article 19 of the GDPR, the Controller shall notify each recipient to whom personal data have been disclosed of any rectification of the personal data, unless such disclosure proves impossible or would require disproportionate effort. The controller shall provide the data subject with information about such recipients upon request.
8.4. Right to erasure
8.4.1. The Member has the right to obtain the deletion of his/her personal data as soon as possible in the cases listed in Article 17 of the GDPR.
These assumptions apply when:
the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
the Member withdraws the consent on which the processing is based, in accordance with Article 6(1)(a) or Article 9(2)(a) of the GDPR, and there is no other legal basis for the processing;
the Member objects to the processing under Article 21(1) of the GDPR and there are no compelling legitimate grounds for the processing, or the Member objects to the processing under Article 21(2) of the GDPR;
the personal data have been processed unlawfully;
personal data must be erased to comply with a legal obligation laid down by European law or by the law of the Member State to which the controller is subject; and
the personal data were collected in the context of the provision of information society services as referred to in Article 8(1) of the GDPR.
8.4.2. Where the controller has made personal data public and is required to erase them pursuant to the preceding paragraph, the controller shall, considering the available technology and the costs of implementation, take reasonable steps, including technical steps, to inform other controllers processing such personal data that the data subject has requested the erasure by those controllers of any links to, or copies or reproductions of, such personal data.
8.4.3. Paragraphs 8.4.1. and 8.4.2. shall not apply to the extent that such processing is necessary:
the exercise of the right to freedom of expression and information;
to comply with a legal obligation which requires processing under Union law or the law of the Member State to which the controller is subject, or to perform a task carried out in the public interest or in the exercise of official authority vested in the controller;
the establishment, exercise or defense of legal claims.
8.5. Right to restrict processing
8.5.1. The Member has the right to obtain the deletion of his/her personal data in the cases listed in Article 18 of the GDPR.
These assumptions apply when:
the accuracy of the personal data is contested by the Member, for a period of time allowing the Controller to verify the accuracy of the personal data;
the processing is unlawful and the Member objects to their deletion and demands instead that their use be restricted;
the controller no longer needs the personal data for the purposes of the processing operation but the data are still necessary for the data subject to establish, exercise or defend legal claims;
the Member has objected to the processing under Article 21(1) of the GDPR during the verification as to whether the legitimate grounds pursued by the Controller prevail over those of the data subject.
8.5.2. In accordance with Article 19 of the GDPR, the Controller shall notify each recipient to whom personal data have been disclosed of any restriction on the processing carried out, unless such disclosure proves impossible or would require disproportionate effort. The controller shall provide the data subject with information on such recipients if the latter so requests.
8.6. Right to data portability
8.6.1. In accordance with Article 20 of the GDPR, Members have the right to receive from the Controller personal data concerning them in a structured, commonly used and machine-readable format. Members shall have the right to transmit such data to another controller without the Controller preventing this in the cases provided for by the GDPR.
8.6.2. When the Member exercises his or her right to data portability pursuant to the previous paragraph, he or she has the right to have personal data transmitted directly from one controller to another, where technically possible.
8.6.3. The exercise of the right referred to in paragraph 1 of this article is without prejudice to the right to erasure referred to in point 8.4. This right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
8.6.4. The right referred to in point 8.6.1. does not affect the rights and freedoms of third parties.
8.7. Right to complain
8.7.1. The Member has the right to lodge a complaint concerning the processing of his/her personal data by the Controller with the Belgian Data Protection Authority. Further information can be found on the website https://www.dataprotectionauthority.be/citizen which can be accessed in English, French, Dutch or German.
8.7.2. Complaints can be submitted to the following addresses:
Belgian Data Protection Authority
Rue de la Presse 35 / Drukpersstraat 35 1000 Bruxelles / Brussel / Brussels
Tel: + 32 2 274 48 00
Fax: + 32 2 274 48 35
E-mail: contact@apd-gba.be
8.7.3. The Member may also lodge a complaint with the court of first instance (‘rechtbank van eerste aanleg’ / ‘tribunal de première instance’) in his place of residence.
9. Data ownership
9.1. The content of e-mails received and sent via the address received from the Association as well as the files that Members process in this context are the property of the NPO.
10. Limitation of responsibility
10.1. Membership of the NPO may result in the member’s registration to other websites held by third parties not linked to the Data Controller. The content of these sites and their compliance with the Law and the RGPD are not the responsibility of the Data Controller.
10.2. The data controller shall not be liable for the loss, corruption or theft of personal data caused by the presence of viruses or as a result of computer attacks in compliance with point 11.
11. Security
11.1. The Data Controller implements organizational and technical measures to guarantee an appropriate level of security for the processing and collection of data. These security measures depend on the costs of implementation in relation to the nature, context and purposes of the processing of personal data.
11.2. Members undertake to implement organizational and technical measures (such as password protection) to protect the personal data of other Members and customers of the NPO.
12. Amendment to the Privacy Policy
12.1. The Data Controller reserves the right to modify this Privacy Policy to comply with legal obligations. The Privacy Policy is permanently available on Brussels Law School Consultancy’s Google Drive (intranet access). Any such modification will be sent by email to the Members for enforceability purposes.
13. Governing law and place of jurisdiction
13.1. The present Charter is exclusively governed by the Belgian law. The Parties shall endeavor, in good faith, to settle amicably any dispute arising out of or relating to this Charter. If the parties fail to reach an amicable resolution of the dispute within 60 days of notification by either party, the courts of the judicial district of Brussels shall have jurisdiction to hear the dispute.