Privacy
Policy
1. Introduction
Introduction
This privacy policy covers all data that is collected and processed by CHALLENGE HANDLING (LACHS), based in Belgium rue de l’Aéroport Building, 76 in 4460 GRACE-HOLLOGNE, which is registered under the following business registration number 0459.890.856.
2. Definition
Definition
Applicant: The natural person who sends his or her application to the Data Controller in the context of a spontaneous application or following a job offer.
Breach: A breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
Controller: the natural or legal person who determines the purposes and means of the Processing;
Customer: The natural or legal person who places an order with the Controller or for whom the Controller offers a service or good ;
Internet user: The natural person who visits the web page https://www.challenge-handling.be.
Notification: the notification of the Authority by the Data Controller, in accordance with Article 33 of the GDPR, in case of a Personal Data Breach;
Personal data (or Data): Any information relating to an identified or identifiable natural person (hereinafter referred to as “Data Subject”). An “identifiable natural person” is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity;
Privacy Policy: This policy which concerns the protection of personal data.
Prospect: a person who could potentially become a new customer, i.e. a person whom the Controller seeks to reach in order to generate sales;
Processor: the natural or legal person who processes Personal Data on behalf of the Controller;
Processing: Any operation or set of operations carried out or not by means of automated processes and applied to Data or sets of Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, communication by transmission, dissemination or otherwise making available, alignment or combination, limitation, erasure or destruction
Sensitive Data: Personal Data related to sensitive aspects such as racial identity or ethnic origin, political opinions, religion or any other beliefs, health or any medical condition, criminal history, union membership or sexual orientation. Sensitive Data may be processed with the consent of the data subject. If the data subject provides Sensitive Data, he or she consents to the Processing of such Data by the Data Controller;
Supervisory Authority: A supervisory authority designated by the Member State under Article 51 of the GDPR. In Belgium this is the Data Protection Authority;
Supplier: Natural or legal person who usually provides certain products and services to the Data Controller;
Third party involved: Any person involved in the management of a claim related to a work accident, civil liability or other insurance policy (doctor, witness, third party, etc.).
3. Which Data is collected and for what purpose does the Data Controller retain the Data?
3.1 Principle
Data collection of ▼
In accordance with the GDPR, Data is collected for specified purposes.
The collection of the Data must also be based on one of the legal basis provided for in Article 6 of the GDPR.
If the Controller decides to use the Data for a purpose other than the one listed in the Privacy Policy, it will provide prior information to the Data Subject about this other purpose.
The purpose of this Policy is to present to the Data Subject the purposes and legal basis that apply to his/her Personal Data.
3.2. The Data Subject is a Customer
A Customer
Customer Data is collected during an order, the opening of a file and during the management of these.
The Data collected are :
- Personal identification data: last name, first name, telephone number, email, company name, …
Legal basis | Purpose |
---|---|
Legal obligation | Accounting: storage and management of invoices, balance sheets and accounting statements Access control: ordering an airport badge |
Consent | Customer relationship management: satisfaction survey
|
Performance of contract | Accounting: management of customer signage
|
Legitimate interests pursued by the controller or by a third party | Improvement of service quality: complaint management Customer management: year-end gift file |
- Current employment data: position
Legal basis | Purpose |
---|---|
Legal obligation | Accounting: storage and management of invoices |
- Financial identification data: bank details
Legal basis | Purpose |
---|---|
Legal obligation | Accounting: management of invoices, balance sheets and accounting declarations |
- Identification data issued by public services: VAT number
Legal basis | Purpose |
---|---|
Legal obligation | Accounting: storage and management of invoices |
Performance of contract | Accounting: management of customer signage |
- Image data: video surveillance
Legal basis | Purpose |
---|---|
Legal obligation | Security: video surveillance |
3.3. The Data Subject is an Internet User:
An Internet User
The Data of the Internet Users are collected at the time of their passage on the Internet site by the Data Controller.
The Data collected are :
- Data related to identifiers issued by IATA: AWB number (Air Way Bill)
Legal basis | Purpose |
---|---|
Performance of contract | Customer management: collection of the AWB number on the website |
- Personal identification data: company name, country of residence, email, phone, AWG, inquiry, subject, remark
Legal basis | Purpose |
---|---|
Legitimate interests pursued by the controller or by a third party | Marketing: management of requests via the contact form https://www.challenge-handling.be |
3.4. The Data Subject is a Supplier
A Supplier
The Suppliers’ Data are collected within the framework of their contractual relationship with the Data Controller and throughout this relationship.
The Data collected are :
- Personal identification data: last name, first name, telephone number, email, company name, signature…
- Données d’identification financières: coordonnées bancaires
Legal basis | Purpose |
---|---|
Legal obligation | Accounting: storage and management of invoices, balance sheets and accounting statements Supplier management: management of customs documents Access control:ordering an airport badge, vérification de l’identité du chauffeur |
Performance of contract | Accounting: management of customer signage Supplier management: purchasing management |
Legitimate interests pursued by the controller or by a third party | Resource planning: maintenance management
|
- Financial identification data: bank details
Legal basis | Purpose |
---|---|
Legal obligation | Accounting: management of invoices, balance sheets and accounting declarations |
- Identification data issued by public services: VAT number, license plate number
Legal basis | Purpose |
---|---|
Legal obligation | Accounting:storage and management of invoices |
Performance of contract | Accounting: management of supplier signage |
- Current employment data: position
Legal basis | Purpose |
---|---|
Performance of contract | Supplier management: purchasing management |
- Image data: video surveillance, visual checks of the drivers
Legal basis | Purpose |
---|---|
Legal obligation | Access control: verification of the driver’s identity Security: video surveillance |
3.5. The Data Subject is a Visitor
A Visitor
The Visitors’ Data are collected in the context of their visits to the Data Controller’s site.
The Data collected are :
- Personal identification data: last name, first name, signature, license plate number…
Legal basis | Purpose |
---|---|
Legal obligation | Access control: control of entries/exits on the site |
- Image data: video surveillance
Legal basis | Purpose |
---|---|
Legal obligation | Security: video surveillance |
3.6. The Data Subject is an Applicant
An Applicant
Applicant Data is collected as part of the application process.
The Data collected are:
- Personal identification data, personal details, current job, career, images, hobbies and interests, affiliations, academic curriculum, qualifications and work experience, publications, recruitment, security, national registry, identification data issued by public services: CV and cover letter, source of recruitment, interview dates, date of recruitment, IT authorizations, national registry number, copy of identity card
Legal basis | Purpose |
---|---|
Performance of contract | Recruitment: reception and follow-up of applications (direct or via agencies) |
Legal obligation | Personnel administration: airport access badge application + mandatory training |
- Judicial data: criminal history for the last 5 years
Legal basis | Purpose |
---|---|
Legal obligation | Personnel Administration: Retention of a copy of the SPF criminal history report |
3.7. The Data Subject is a Prospect
A Prospect
The Data collected from Prospects are :
- Personal identification data: last name, first name, address
Legal basis | Purpose |
---|---|
Legitimate interests pursued by the controller or by a third party | Gestion master data :gestion de la signalétique des prospects |
3.8. The Data Subject is a Driver or a Guard
A Driver or a Guard
The Data of the Drivers and Guards are collected within the framework of the controls carried out for the export of goods.
The Data collected are:
- Personal identification data, personal characteristics, identification data issued by public services, national register, image: copy of identity card or passport, name, surname of driver and guard, license plate number of vehicle and trailers, image
Legal basis | Purpose |
---|---|
Legal obligation | Security: control for import/export of goods, video surveillance
Access control: verification of the driver’s identity
|
3.9. The Data Subject is a Physician or a Third Party involved
A Physician
Physician and Third Party Data is collected in the course of managing a claim related to an insurance policy.
The Data collected are:
- Personal identification data, identification data issued by the public services: INAMI number, name, first name, address, signature, testimony, details and chronology of the claim
Legal basis | Purpose |
---|---|
Legal obligation | Personnel administration: analysis and conservation of documents related to the management of work-related accidents
|
4. How long is the Data kept?
Data storage period
The Data Controller keeps the Data for the time necessary to achieve the purpose of the processing and to comply with its legal obligations.
The retention periods are determined on the basis of several criteria such as the legal obligations to which the profession is subject, the type of processing, the purpose of the processing, the place where the Data is stored, the type of Data subject or the type of Data collected.
The retention period for a particular Data processing operation may be communicated to the Data Subject upon request.
The Data Controller shall in any case keep the Data in accordance with the legal retention periods.
5. Who collects the Data?
Responsible for data collection
The Data may be collected by the Data Controller or through the intermediary of the site host or the Data Controller’s processors. The Data is then passed on to the Data Controller.
The list of Data Processors can be communicated on request.
Some intermediaries may be established in a third country outside the European Economic Area which guarantees an adequate level of protection of Personal Data, as determined by the European Commission.
Where intermediaries are established in countries that do not provide an equivalent level of privacy protection, the Controller declares that it takes specific measures in accordance with the Data Protection legislation in force in the EEA to protect Personal Data.
6. How is the Data collected?
Method
The Data is collected during exchanges with the Data Controller in person, by telephone, post, e-mail or fax, via the web or by its Processors.
Data may also be collected via cookies (see specific information on this subject).
7. Why do we collect your Data?
Reasons
Data is collected primarily to provide the best possible services to Customers.
The Data may also be collected for the purpose of proper performance of the contract, or used for the management of Suppliers, Customers and contracts related to the services of/for the latter.
It may also be used to:
- Respond to requests for information and follow-up.
- Inform about possible changes in the services offered and/or applicable regulations.
The Data is also collected in order to comply with legal obligations, in particular with regard to accounting, to comply with a court order, to respond to a request from the public authorities, to protect the interests of the Data Controller, as well as those of its partners, to protect its services, to ensure compliance with the general terms and conditions, the confidentiality policy and any applicable text, to formulate a possible recourse or to limit any prejudice that the Data Controller may suffer.
Finally, the Data may be collected in the legitimate interest of the Data Controller or of a third party, and in particular for prospecting purposes.
8. With whom will the Data be shared?
Data sharing
The Data may be communicated to third parties in direct relation with the Data Controller, when necessary and in particular to the entities listed below:
- Service providers chosen by the Data Controller, who are in charge of hosting websites, providing infrastructure, IT services, e-mail services, auditing services and any other similar services in order to enable them to provide said services;
- The service providers chosen by the Data Controller, who are in charge of the supply of materials, transport and delivery or any other similar service in order to enable them to provide said services;
- To a potential buyer, in the event of a transfer (total or partial) of the activities of the Controller (merger, sale, transfer of assets, judicial reorganization, etc.);
- In the event of litigation, the Data may be transmitted to a third party in charge of managing litigation (law firm, collection company, etc.), which will also ensure compliance with the applicable legislation regarding this information;
- Accountant, public authority, etc., in order to comply with the legal obligations of the Data Controller (communication of the Data to its accountant, to respond to a request from the public authorities, to comply with a court order, etc.).
The list of service providers can be communicated on request.
9. How do we secure them?
Security
Appropriate technical and organizational measures have been put in place to ensure a level of security appropriate to the risks, including but not limited to, as appropriate:
- Means to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services;
- Means to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident;
- An internal regulation concerning the processing of Personal Data;
- Limited retention periods;
- Access to the information system is limited to authorized personnel who are responsible for the protection of personal data;
The details of these security measures can be communicated upon request.
10. What rights do you have?
Your rights
Depending on the type of Processing carried out on the Personal Data, the Data Subject may exercise several of the following rights:
A. Right to information
Any Person concerned by the Personal Data has a right to information about the Data collected. It is in particular through this Privacy Policy that the Data Controller wishes to provide this information.
A Data Subject who wishes to obtain more information about the Personal Data collected may be denied this request in the following cases:
- The Data Subject already has this information ;
- If the request requires disproportionate or impossible efforts;
- If the provision of such information would seriously undermine the purpose of the processing.
B. Right of access
Any Data Subject has a right of access to his/her Personal Data.
To do so, the Data Subject must make a request to the relevant department of the Data Controller so that the latter can provide details of the precise Data held about him or her, subject to the rights and freedoms of others which cannot be affected.
A reply must be given within one month of the request made by the Person concerned. However, this deadline may be extended by an additional month depending on the complexity and number of requests. In the latter case, the Person concerned will be informed within one month of his/her request for access.
The Data Controller is entitled to demand the payment of “reasonable costs” in relation to the administrative costs incurred in producing these documents in the event that the request is excessively recurrent, unfounded or manifestly intended to abuse this right of access.
C. Right of rectification
Any Data Subject has the right to obtain from the Data Controller, as soon as possible, the rectification of Personal Data concerning him or her that are inaccurate.
The Data Subject may also request that incomplete data be completed, in particular by providing an additional declaration.
The Data Controller will notify the Data Subject of the completion of this procedure.
D. Right to erasure
The Data Subject shall be entitled to the right to erasure of his/her Data as soon as one of the following reasons arises:
- The Data is no longer necessary for the purposes for which it was collected or processed by the Data Controller;
- The Data Subject wishes to withdraw his or her consent and there is no other legal basis for such processing;
- The Data Subject objects to the processing necessary for the purposes of the legitimate interests pursued by the Controller or by a third party;
- The Data Subject has the right to object and makes use of this right;
- The Data has been processed unlawfully;
- The Data must be erased in order to comply with a legal obligation provided for by Union law or by the law of the Member State to which the Controller is subject;
In connection with such a request, the Controller shall take reasonable steps to erase such Data within one month of the request.
The Data Controller shall notify the Data Subject of the completion of such steps.
In the event that the Data Controller does not wish to comply with this request, reasons will be given for the refusal.
The right to erasure does not apply insofar as the processing of such data is necessary :
- to exercise the right to freedom of expression and information ;
- to comply with a legal obligation which requires the processing and which is provided for by Union law or by the law of the Member State to which the data controller is subject, or to carry out a task carried out in the public interest or in the exercise of official authority vested in the data controller;
- for the establishment, exercise or defence of legal claims;
- for archival or statistical purposes as provided for in Article 89 of the GDPR.
E. Right to restriction of processing
The Data Subject has the right to obtain from the Controller the restriction of processing where one of the following applies:
- the accuracy of the Personal Data is contested by the Data Subject, for a period of time allowing the Controller to verify the accuracy of the Personal Data;
- the processing is unlawful and the Data Subject objects to the erasure of the Personal Data and demands instead the restriction of its use;
- the Controller no longer needs the Personal Data for the purposes of the processing, but the Data are still necessary for the Data Subject for the establishment, exercise or defense of legal claims;
- the Data Subject has objected to the processing by virtue of his or her right to object, while the verification of whether the legitimate grounds pursued by the Controller prevail over those of the Data Subject is under way.
This request for restriction implies that the Personal Data may, with the exception of storage, only be processed with the consent of the Data Subject, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or on important grounds of public interest of the Union or of a Member State.
The Data Controller will notify the Data Subject of this.
F. Right to data portability
Where the processing of the Personal Data of the Data Subject is based on the consent given by the Data Subject or on a contract, and where such processing is carried out by means of automated processes, and provided that the data has not been anonymized, the Data Subject may request to receive such data in a structured, commonly used and machine-readable format.
The Data Subject may pass on the data to another controller, without the Controller being able to prevent this.
G. Right to object
The Data Subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her Personal Data based on the public interest or the legitimate interest of the Controller, including profiling based on such interests.
The Data Subject may also object to the processing of Data based on his/her consent or on a contract, provided that the data has been collected for prospecting purposes or for archival and statistical purposes.
The Data Controller will no longer process such data, unless he can demonstrate compelling legitimate grounds for the processing that override the interests and rights and freedoms of the Data Subject, or for the establishment, exercise or defence of legal claims.
11. How can you assert your rights?
A request for information can be made internally, via the email address: info@challenge-handling.be
In the event that the follow-up given to your request is not satisfactory, you can always exercise one of the rights provided for above, or file a complaint with the Data Protection Authority.
You can contact it in the following ways:
- By telephone: (+32) (0)2 274 48 00 ;
- E-mail: contact@apd-gba.be ;
- Online contact form: https://www.autoriteprotectiondonnees.be/introduire-une-requete-une-plainte ;
- By mail: Data Protection Authority, Rue de la Presse 35, 1000 Brussels, Belgium;
- Fax: (+32) (0)2 274 48 35.
Last update: January 2021.