The aim of this Privacy Policy is to inform you about how your data is collected and processed by BE-CERT.
BE-CERT collects and processes personal data for its own staff and for the account of its clients and must therefore comply with the privacy regulations in force at national level (Act of 30 July 2018 on the Protection of Privacy regarding the Processing of Personal Data) and at European level (Directive EU 2016/679 of 27 April 2016, referred to as the General Data Protection Regulation or GDPR).
The GDPR, which reinforces the Act of 30 July 2018, provides a new set of rules allowing to manage, process and secure personal data of European citizens more efficiently.
The GDPR provides a more detailed framework of obligations that the data processor needs to fulfil. It also specifies a person’s rights regarding the collection and use of such data.
BE-CERT undertakes towards its own staff, its clients, its subcontractors and its partners to take all reasonable precautions required to protect your personal data against loss, theft and disclosure, as well against them being used in an unauthorised manner, and this in accordance with the national and European regulations.

1. For the purposes of achieving its corporate purpose, BE-CERT (possibly) collects and process the following personal data :  

• Identity data (surname, first name, professional email address, for rental companies only: certificate of successful training course, date of birth);
• Professional data (company name, postal address(es), company number/VAT number, telephone/mobile phone/fax number, function and, for rental companies only: professional vehicle license plate number);
• Other personal data: gender (Mr/Mrs/Ms) and language (FR/NL/EN);
• Data regarding behaviour and habits when visiting the website www.be-cert.be and/or https://extranet.be-cert.be/.

2. BE-CERT may need to collect non-personal data. These data are classified as non-personal data because they do not identify you (directly or indirectly).Such data can therefore be used for any purpose, for example to improve BE-CERT’s website and its services and/or the services of its partners.

3. In the even that both non-personal and personal data are combined, so that it be possible to identify the concerned persons, then both types of data are processed as personal data until it is no longer possible to link the data to a particular person.

1. The data that is collected with your express and informed consent is processed in order to achieve the social object, i.e. the certification and control of concrete, its components and construction products (certification, inspection, attestation, marking, regulations, control and metrology).

2. BE-CERT may also be required to perform processing that has not yet been included in this Privacy Policy. In that case, BE-CERT will contact the concerned person before re-using his or her personal data. For example, BE-CERT may notify the person of the changes and, where appropriate, give them the option of refusing such re-use.

Is your personal data provided to third parties? 

1. Your data is mainly processed by BE-CERT internally. Where appropriate, BE-CERT may call on subcontractors to perform tasks entrusted to it by its clients. These subcontractors will only receive the data necessary to perform the task entrusted to them by BE-CERT and will only be able to use such data to successfully complete the relevant task.

2. BE-CERT is responsible for ensuring that the subcontractors comply with BE-CERT’s obligations within the framework of the GDPR and will conclude an agreement with each of them, guaranteeing at least the same rights and obligations.

3. You may at any time and on simple request consult the list of subcontractors involved in processing the personal data that you have made available to BE-CERT.

4. BE-CERT has provided every client with a list of subcontractors. BE CERT notifies its clients of any planned change (addition to, or substitution of, other subcontractors). You then have the opportunity of opposing such modifications.

5. BE-CERT may also be required to disclose your data. This is the case, for example, when such data transfer is required by law, a court decision or instructions by a government body.

6. No data is transferred to third countries who are not members of the European Union, nor to international organisations.

1. BE-CERT has drawn up documented procedures to guarantee that your data is secure. These documents are validated by the management.

2. Roles and responsibilities within the organisation are clearly defined. This ensures that these guidelines are correctly implemented.

3. The computers and application servers rooms where the software and data are kept, are physically secured and include a cooling system, as well as an emergency power outage system. In addition, these rooms are protected by an alarm system, and access to them is managed centrally and electronically.

4. A multiple back-up policy, both on the local server and the external disks, enable BE-CERT to ensure the continuity of its business operations without data loss.

5. BE-CERT has a logical security plan consisting of:

• an internal firewall, including anti-spam monitoring, virus scanner and live security; 
• access rights based on roles and responsibilities for both internal users and affiliates.

6. A database to manage any complaints is available.

7. Techniques for identity and access control are based on passwords.

8. Provisions relating to confidentiality and/or personal data protection are included in specific BE-CERT agreements with its clients and subcontractors, in its labour regulations, contracts and its other documents to raise awareness among its clients and collaborators.

9. Data transfer and continuity of services are guaranteed in the event of transition to another service provider.

10. Regarding BE-CERT’s Extranet, the following specific measures are taken:

• The Extranet Web API is sufficiently secured so that no unauthorised persons can get access to client data;
• Access following login to the Extranet is granted via the delivery of a (JWT) Token. This token contains the user’s identity information and cannot be modified without it being detected. In the event of an unauthorized modification of the token, no further requests are granted. These tokens are only valid for a limited time period. After expiration of the validity period, the tokens are automatically renewed if the user still has an active account;
• The security provided in the Extranet conceals data that is not explicitly requested to be visible for a defined role within the application;
• The Extranet is accessible only via the secured HTTPS protocol, which encrypts communication between the browser and the server;
• The underlying Extranet technology provides the necessary security to prevent attacks such as cross-site scripting and (SQL) injection;
• Documents uploaded via the Extranet are only visible to authorised BE-CERT employees and the users to whom BE-CERT grants the rights to consult those documents.

11. The data processor may, at any time and on simple request, consult the list of subcontractors involved in processing the personal data that he has made available to BE-CERT.

1. A personal data protection coordinator is appointed. He is responsible for the implementation and monitoring the GDPR procedures within BE-CERT.

2. A register containing all personal data processing activities is set up and regularly updated.

3. Thanks to the security systems mentioned in the previous paragraphs, BE-CERT is able to quickly detect any data leak and deal with it in accordance with the GDPR provisions.

4. BE-CERT endeavours as far as possible to organise the personal data processing internally. BE-CERT requires that each of its subcontractors, likely to process personal data, draw up specific agreements to ensure that it complies with the rules defined in the GDPR.

5. BE-CERT informs, raises awareness, and trains its collaborators so that they can apply the rules defined in the GDPR.

6. If despite all the security measures taken, an infringement is established for which a risk of data loss or theft is proven, BE-CERT will notify by e-mail all persons potentially concerned by the infringement, in accordance with an internal procedure and in compliance with the GDPR requirements.

What are your rights and how can you exercise them? 

1. The right to withdraw your consent. When data processing is solely based on your consent, you are free to withdraw it at any time upon simple request addressed to BE CERT. This withdrawal does not prejudice the lawfulness of any processing performed before the withdrawal of your consent. In the event of data processing in progress (certified company or in the process of certification), this withdrawal can only be carried out if BE-CERT is provided with an alternative contact and/or an alternative email address.

2. The right to access and copy. You can always obtain a copy (including an electronic version) of your personal data free of charge and, as the occasion arises, correct, supplement or erase inaccurate, incomplete or irrelevant data. In principle, you can always access your data, consult them and, if necessary, correct them or erase them by sending an email to info@be-cert.be or, where appropriate, by logging into your online account on the website https://extranet.be-cert.be/.

3. The right to data portability. You can also, at any time, request to receive your personal data in a structured and frequently used machine-readable format with a view to transmitting them to another processor.

4. How can you exercise your rights? If you want to exercise one of the above-mentioned rights, you must address your written request, dated and signed, (including in electronic format) to info@be-cert.be. You will receive an answer as quickly as possible, within two months at the latest. After this time, you may consider that your request has been rejected. If your request has been refused, the President of the Court of first instance has the jurisdiction to make a pronouncement on the request regarding the right to obtain, correct, erase or restrict own personal data.

Do you have a question or wish to file a complaint?  

1. If you wish to react to one of the practices outlined in this Privacy Policy, you can contact BE-CERT at the addresses specified in the following point “How to contact BE-CERT”.

2. 2. You can file a complaint with the Data Protection Authority at the following address:

Data Protection Authority

Rue de la Presse, 35 1000 Bruxelles 

Tél. + 32 2 274 48 00 

Fax. + 32 2 274 48 35 

contact@apd-gba.be 

3. You can also file a complaint with the Court of first instance in the judicial district of your domicile.

4. For further information on complaints and other possible means of recourse to cassation, BE CERT advises you to consult the Data Protection Authority at: https://www.dataprotectionauthority.be/procedures .

How to contact BE-CERT ? 

You can contact BE-CERT for any question/request/complaint:

• by email : info@be-cert.be 
• by telephone : +32 2 234 67 60 
• or by post : BE-CERT asbl - Avenue Jules Bordet, 11 - 1140 Bruxelles.  

Applicable law and jurisdiction 

This Privacy Policy is governed by Belgian law. Any dispute regarding the interpretation or implementation of this Privacy Policy will be subject to Belgian law and will fall under the exclusive jurisdiction of the courts of the judicial district of Brussels (Dutch or French-language division).

What happens if this Privacy Policy is amended? 

BE-CERT reserves the right to amend the provisions of this Privacy Policy at any time. These substantial amendments are published and an announcement on its taking effect will be put on the website at www.be-cert.be.

This version of the Privacy Policy dates from February 16th, 2021.