Privacy Policy

Last updated on : 05/03/22

  1. Parties and Purpose of the Privacy Policy

1.1. The Data Controller Brussels Law School Consultancy, whose office is located in Brussels, Belgium (hereinafter “the Controller”).

1.2. The Controller establishes this Privacy Policy because it is committed on establishing a culture which protects the data protection rights of its clients that share their data. Furthermore, the purpose of this Privacy Policy is to inform clients of how their personal data are collected and processed by the Controller. Clients must necessarily acknowledge that they have read the Privacy Policy by explicitly agreeing to the provisions of the Policy.

1.3 The term “Client” refers to any natural or legal person, who contacts the Controller to solve a legal issue by filling in the contact form on the Website in which the inquiry formulated by the Client goes directly to the e-mail address of the Head of Legal. Subsequently a team of consultants will be assembled in order to provide qualitative legal advice to the client. These consultants are also bound to a confidential agreement whereas they ensure that they assess every legal matter to a great extent of confidentiality.

1.4. In this respect, the Controller and/or its service providers acting in its name and on its behalf determine all the technical, legal and organizational means and purposes of the processing of Clients’ personal data. To this end, the Controller undertakes to carry out all necessary measures to ensure that personal data are processed in accordance with the Belgian Act of 30 July 2018 on the protection of individuals with regard to the processing of personal data (hereinafter “the Act”) and with the European Regulation of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter “GDPR”).

1.5. The Controller is free to choose any natural or legal person who processes the Clients’ personal data upon his/her request and on his/her behalf (hereinafter “the Subcontractor”). When appropriate, the Controller undertakes to select a Subcontractor offering sufficient safeguards as to the technical and organizational security measures for the processing of personal data, in accordance with the Act and the GDPR. 

2. Data processing

2.1. The use of the contact form to seek legal advice through the Website by the client may result in the communication of his/her personal data. In any case, this communication will result from the Clients’ consent to communicate his/her personal data. Personal data likely to be processed are referred to in point 4. The processing of such data by the Controller, acting in his/her capacity as Controller, and/or his/her Subcontractors acting in his/her name and on his/her behalf shall comply with the Act and the GDPR.  

2.2. Personal data shall be processed by the Controller, in accordance with the purposes set out in point 3, via:

  1. the contact form on the Website;
  2. the sending of surveys or questionnaires by the customer service;
  3. email exchange;
  4. the sending of the invoice and the processing of the payment.

3. Purposes of the processing

3.1. Pursuant to Article 13 GDPR, the purposes of the processing are conveyed to the Client and consist in the following:

  1. ensuring the execution of the services offered and indicated on the Website;
  2. ensuring the control of the execution of the services offered;
  3. answering the Clients’ questions;
  4. drawing up statistics in order to improve the Website, the services offered and the Controller’s internal organization and operating methods;
  5. ensuring accurate accounting compliant with the legal requirements; and
  6. ensuring a follow-up with clients in the event of a new request for legal advice.


4. Personal data likely to be processed

4.1. The Client consents, in accordance with point 5, when using the contact form on the website or when communicating with the Controller, that the Controller may collect and process – in accordance with the methods, principles and purposes described in this Privacy Policy – the following personal data:

  1. Personal information that the Client communicates to the Controller for contractual purposes and to enable the proper performance of mutual obligations, namely the name, first name, address, etc. ; and more generally any information voluntarily given by the Clients;
  2. Personal information that the Client communicates by filling in forms or by contacting the Controller by phone, e-mail or any other means, namely the Clients’ name, address, email address and telephone number;

  3. Regarding each visit of the Website by Clients, the following information is automatically collected with the use cookies:
    1. the IP address, the browser type and model, the time zone, the operating system and; 
    2. all information concerning the pages that the Client has consulted on the Website, in particular the URL, the browsing time, etc.
  4. Sensitive data:
    1. Sensitive data are likely to be used in the framework of the contract between the Client and Brussels Law School Consultancy. Sensitive data are any data defined as sensitive by the GDPR (for instance: political opinions, health related data, etc).
    2. Sensitive data are only processed within the framework of the contract between the Client and Brussels Law School Consultancy, by the Controller, the Consultants working on the Clients’ case, the person in charge of Customer Service, the directors of the association as well as the Data Manager.
    3. When sensitive data must be processed following the communication of this data by the Client as part of his request, the Controller will specifically request the Clients’ renewed consent and specify the purposes for which this sensitive data must be collected. The data will be deleted as soon as the invoice has been paid by the client.
    4. In the event of a refusal regarding the processing of sensitive data, the Controller shall delete all sensitive data that have been sent to him and shall not process them under any circumstances. 

5. Consent

5.1. By accessing and using the contact form on the Website, the Client declares to have acknowledged and given his/her consent in a free, specific, informed and unequivocal way to the processing of his/her personal data. The consent relates to the content of this Privacy Policy.

5.2. Consent is given by the positive act through which the Client ticks the box proposing the Privacy Policy as a clickable hyperlink. Any contract between the Controller and a Client relating to the services offered on the Website is subject to the Clients’ acceptance of the Privacy Policy.

5.3. The Client agrees that the Controller may collect and process – in accordance with the terms and principles described in this Privacy Policy – personal data that he/she has communicated through the contact form on the Website and/or through the services proposed by the Controller, for the purposes set out in point 3. 

5.4. The Client retains the right to withdraw his/her consent at any time. Withdrawal of consent shall not affect the legality of the processed data based on prior given consent. The exercise of the right of withdrawal shall be carried out in accordance with point 8.3.

6. Duration of the conservation of Clients’ personal data

6.1. In accordance with Article 5(1) e) GDPR, the Controller may store personal data for no longer than is necessary for the purposes for which the personal data are processed.

6.2. A Clients’ personal data shall be kept no more than 10 years following the termination of the contractual relationship between said Client and the Controller.

7. Recipients of data and disclosure to third parties

7.1. Personal data may be transmitted to the Controller’s consultants or collaborators, located in Belgium or in the European Union, who collaborate with the Controller in the framework of the provision of the legal aid services. They act under the direct authority of the Controller and are responsible, for collecting, processing or subcontracting personal data. Personal data may also be disclosed to consultants or collaborators of managers if the latter so decide.

7.2. In any case, recipients of the data and those to whom the data has been disclosed shall comply with the content of this Privacy Policy. The Controller ensures that they process the data only for the purposes provided for in point 3, in a discreet and secure manner.

7.3. Clients’ personal data shall not be disclosed to third parties for direct marketing or prospecting purposes.

8. Clients’ rights

8.1. At any time, the Client may exercise his/her rights by contacting the Data manager via e-mail to, in which the Data manager will respond within one month. If several or complex requests are made, the Data manager may need extra time to respond to the request. As an exception to the general rule the Data manager will respond within two months.

  • 1. Right of access

8.1.1. Pursuant to Article 15 GDPR, the Controller guarantees the Client the right of access to his/her personal data. The Client has the right to obtain access to said personal data as well as to the following information:

  1. the purposes of the processing;
  2. the categories of personal data concerned;
  3. the recipients or categories of recipient to whom personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
  4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; and
  5. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

8.1.2. The Controller may require payment of a reasonable fee based on administrative costs for any additional copy requested by the Client.

8.1.3. When the Client introduces such a request by electronic means (for instance by email), the information is provided in commonly used electronic form, unless the Client requests otherwise.

8.1.4. The copy of his/her data shall be transmitted to the Client at the latest within the month following the reception of the request.

8.1.5. Where personal data are transferred to a third country or to an international organization, the Client shall have the right to be informed of the appropriate safeguards pursuant to Article 46 GDPR relating to the transfer.

8.1.6.   The right to obtain a copy shall not adversely affect the rights and freedoms of others.

  • 2. Right to rectification

8.2.1. The Controller guarantees the Clients’ right to rectification of personal data.

8.2.2. In accordance with Articles 16 and 17 GDPR, incorrect, inaccurate or irrelevant data may be corrected or erased at any moment. The Client may make such a request to the Controller.

8.2.3. In accordance with Article 19 GDPR, the Controller must notify each recipient to whom personal data have been disclosed of any rectification regarding the personal data, unless such disclosure proves impossible or requires a disproportionate effort. The Controller shall inform the Client about those recipients if he/she requests it.

  • 3. Right to erasure (‘right to be forgotten’)

8.3.1. In accordance with Article 17 GDPR, the Client has the right to obtain from the Controller the erasure of personal data concerning him/her without undue delay where one of the following grounds applies:

  1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  2. the Client withdraws consent on which the processing is based according to Article 6(1) point a) or Article 9(2) point a) and where there is no other legal ground for the processing;
  3. the Client objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the Client objects to the processing pursuant to Article 21(2);
  4. the personal data have been unlawfully processed;
  5. the personal data have to be erased for compliance with a legal obligation in the Union or a Member State law to which the Controller is subject;
  6. the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).


8.3.2. Where the Controller has made personal data public and is obliged pursuant to the previous paragraph to erase it, the Controller, taking due account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform Controllers which are processing the personal data that the data subject has requested the erasure by such Controllers of any links to, or copy or replication of, those personal data.

8.3.3. Paragraphs 8.3.1. and 8.3.2 shall not apply to the extent that processing is necessary:

  1. for exercising the right of freedom of expression and information;
  2. for compliance with a legal obligation which requires processing by the Union or a Member State law to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
  3. for the establishment, exercise or defense of legal claims.

8.4. Right to restriction of processing

8.4.1. Pursuant to Article 18 GDPR, the Client shall have the right to obtain from the Controller restriction of processing where one of the following applies:

  1. the accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of the personal data;
  2. the processing is unlawful and the data subject opposes the erasure of personal data and requests the restriction of their use instead;
  3. the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims;
  4. the data subject has objected to processing pursuant to Article 21, paragraph 1, pending the verification whether the legitimate grounds of the Controller override those of the data subject.

8.4.2. Where processing has been restricted under paragraph 8.4.1., such personal data shall, except for storage, only be processed with the Clients’ consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

8.4.3. A Client who has obtained restriction of processing pursuant to paragraph 8.4.1. shall be informed by the Controller before the restriction of processing is lifted.

8.5. Right to data portability

8.5.1. Pursuant to Article 20 GDPR, the Client shall have the right to receive the personal data concerning him/her, which he/she has provided to a Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Controller without hindrance from the Controller to which the personal data have been provided in the cases provided for by the GDPR. The Client also has the right to receive data concerning him/her and supplied by him/her in a structured, commonly used and computer-readable format, as well as the right to transfer them to another person in charge of processing, if the data are processed using automated procedures.

8.5.2. In exercising his/her right to data portability pursuant to paragraph 8.5.1., the Client shall have the right to have the personal data transmitted directly from one Controller to another, where technically feasible.

8.5.3. The exercise of the right referred to in point 8.5.1. of this Article shall be without prejudice to the right to erasure provided for in point 8.3. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.

8.5.4. The right referred to in point 8.5.1. shall not adversely affect the rights and freedoms of others.

8.6. Right of complaint

8.6.1. The Member has the right to lodge a complaint concerning the processing of his/her personal data by the Controller with the Belgian Data Protection Authority. Further information can be found on the website which can be accessed in English, French, Dutch or German.






8.6.2. Complaints may be lodged at:


Belgian Data Protection Authority

Rue de la Presse 35 / Drukpersstraat 35 1000 Bruxelles / Brussel / Brussels

Tel: + 32 2 274 48 00

Fax: + 32 2 274 48 35



8.6.3. The Client may also file a complaint with the court of first instance (‘rechtbank van eerste aanleg’ / ‘tribunal de première instance’) of his/her domicile.

9. Limitation of the Controller’s liability

9.1. The Website may contain links towards other web pages held by third parties unrelated to the Controller. The content of these web pages and their observance of the GDPR do not fall under the responsibility of the Controller.

9.2. The processing of a child’s personal data shall be lawful where the child is at least 16 years old. The holder of parental authority must give his/her express consent for the minor under 16 years of age to disclose personal information and/or data on the Website. The Controller strongly advises persons exercising parental authority over minors to promote a responsible and secure use of the Internet. The Controller cannot be held liable for having collected and processed personal data of minors under 16 years of age whose consent is not effectively covered by that of their legal parents or for incorrect data – in particular concerning age – entered by minors. Under no circumstances will personal data be processed by the Controller if the Client specifies that he/she is under 16 years of age.

9.3. The Controller shall not be held liable for the loss, corruption or theft of personal data caused, namely, by the presence of a virus or following cyber attacks, in compliance with point 10.

  1. Security

10.1. The Controller shall implement organizational and technical measures to ensure an appropriate level of security for the processing and collection of personal data. These security measures depend on the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.



  1. Amendment of the Privacy Policy

11.1. The Controller reserves the right to amend this Privacy Policy so as to comply with any new legal requirements. The Client is therefore invited to regularly consult the Privacy Policy to be informed of any changes and adaptations. Any such amendment will be posted on the Website for the purposes of third-party effectiveness.

  1. Governing law and place of jurisdiction

12.1. This Privacy Policy is governed by and construed in accordance with Belgian law. The Parties shall, in good faith, use their reasonable endeavors to settle amicably any dispute arising out or in connection with these terms of use. If no solution can be reached by mutual consent, the courts of the Brussels judicial district are competent to hear the dispute. This allocation of jurisdiction is without prejudice to Point 8.6.3. of the Privacy Policy.