1. Introduction

Introduction

This privacy policy covers all data that is collected and processed by CHALLENGE HANDLING (LACHS), based in Belgium rue de l’Aéroport Building, 76 in 4460 GRACE-HOLLOGNE, which is registered under the following business registration number 0459.890.856.

2. Definition

Definition

Applicant: The natural person who sends his or her application to the Data Controller in the context of a spontaneous application or following a job offer.

Breach: A breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

Controller: the natural or legal person who determines the purposes and means of the Processing;

Customer: The natural or legal person who places an order with the Controller or for whom the Controller offers a service or good ;

Internet user: The natural person who visits the web page https://www.challenge-handling.be.

Notification: the notification of the Authority by the Data Controller, in accordance with Article 33 of the GDPR, in case of a Personal Data Breach;

Personal data (or Data): Any information relating to an identified or identifiable natural person (hereinafter referred to as “Data Subject”). An “identifiable natural person” is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity;

Privacy Policy: This policy which concerns the protection of personal data.

Prospect: a person who could potentially become a new customer, i.e. a person whom the Controller seeks to reach in order to generate sales;

Processor: the natural or legal person who processes Personal Data on behalf of the Controller;

Processing: Any operation or set of operations carried out or not by means of automated processes and applied to Data or sets of Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, communication by transmission, dissemination or otherwise making available, alignment or combination, limitation, erasure or destruction

Sensitive Data: Personal Data related to sensitive aspects such as racial identity or ethnic origin, political opinions, religion or any other beliefs, health or any medical condition, criminal history, union membership or sexual orientation. Sensitive Data may be processed with the consent of the data subject. If the data subject provides Sensitive Data, he or she consents to the Processing of such Data by the Data Controller;

Supervisory Authority: A supervisory authority designated by the Member State under Article 51 of the GDPR. In Belgium this is the Data Protection Authority;

Supplier: Natural or legal person who usually provides certain products and services to the Data Controller;

Third party involved: Any person involved in the management of a claim related to a work accident, civil liability or other insurance policy (doctor, witness, third party, etc.).

3. Which Data is collected and for what purpose does the Data Controller retain the Data?

3.1 Principle

Data collection of ▼

In accordance with the GDPR, Data is collected for specified purposes.

The collection of the Data must also be based on one of the legal basis provided for in Article 6 of the GDPR.

If the Controller decides to use the Data for a purpose other than the one listed in the Privacy Policy, it will provide prior information to the Data Subject about this other purpose.

The purpose of this Policy is to present to the Data Subject the purposes and legal basis that apply to his/her Personal Data.

3.2. The Data Subject is a Customer

A Customer

Customer Data is collected during an order, the opening of a file and during the management of these.

The Data collected are :

Personal identification data: last name, first name, telephone number, email, company name, …

Legal basis	Purpose
Legal obligation	Accounting: storage and management of invoices, balance sheets and accounting statements Access control: ordering an airport badge
Consent	Customer relationship management: satisfaction survey
Performance of contract	Accounting: management of customer signage
Legitimate interests pursued by the controller or by a third party	Improvement of service quality: complaint management Customer management: year-end gift file

Current employment data: position

Legal basis	Purpose
Legal obligation	Accounting: storage and management of invoices

Financial identification data: bank details

Legal basis	Purpose
Legal obligation	Accounting: management of invoices, balance sheets and accounting declarations

Identification data issued by public services: VAT number

Legal basis	Purpose
Legal obligation	Accounting: storage and management of invoices
Performance of contract	Accounting: management of customer signage

Image data: video surveillance

Legal basis	Purpose
Legal obligation	Security: video surveillance

3.3. The Data Subject is an Internet User:

An Internet User

The Data of the Internet Users are collected at the time of their passage on the Internet site by the Data Controller.

The Data collected are :

Data related to identifiers issued by IATA: AWB number (Air Way Bill)

Legal basis	Purpose
Performance of contract	Customer management: collection of the AWB number on the website

Personal identification data: company name, country of residence, email, phone, AWG, inquiry, subject, remark

Legal basis	Purpose
Legitimate interests pursued by the controller or by a third party	Marketing: management of requests via the contact form https://www.challenge-handling.be

3.4. The Data Subject is a Supplier

A Supplier

The Suppliers’ Data are collected within the framework of their contractual relationship with the Data Controller and throughout this relationship.

The Data collected are :

Personal identification data: last name, first name, telephone number, email, company name, signature…

Données d’identification financières: coordonnées bancaires

Legal basis	Purpose
Legal obligation	Accounting: storage and management of invoices, balance sheets and accounting statements Supplier management: management of customs documents Access control:ordering an airport badge, vérification de l’identité du chauffeur
Performance of contract	Accounting: management of customer signage Supplier management: purchasing management
Legitimate interests pursued by the controller or by a third party	Resource planning: maintenance management

Financial identification data: bank details

Legal basis	Purpose
Legal obligation	Accounting: management of invoices, balance sheets and accounting declarations

Identification data issued by public services: VAT number, license plate number

Legal basis	Purpose
Legal obligation	Accounting:storage and management of invoices
Performance of contract	Accounting: management of supplier signage

Current employment data: position

Legal basis	Purpose
Performance of contract	Supplier management: purchasing management

Image data: video surveillance, visual checks of the drivers

Legal basis	Purpose
Legal obligation	Access control: verification of the driver’s identity Security: video surveillance

3.5. The Data Subject is a Visitor

A Visitor

The Visitors’ Data are collected in the context of their visits to the Data Controller’s site.

The Data collected are :

Personal identification data: last name, first name, signature, license plate number…

Legal basis	Purpose
Legal obligation	Access control: control of entries/exits on the site

Image data: video surveillance

Legal basis	Purpose
Legal obligation	Security: video surveillance

3.6. The Data Subject is an Applicant

An Applicant

Applicant Data is collected as part of the application process.

The Data collected are:

Personal identification data, personal details, current job, career, images, hobbies and interests, affiliations, academic curriculum, qualifications and work experience, publications, recruitment, security, national registry, identification data issued by public services: CV and cover letter, source of recruitment, interview dates, date of recruitment, IT authorizations, national registry number, copy of identity card

Legal basis	Purpose
Performance of contract	Recruitment: reception and follow-up of applications (direct or via agencies)
Legal obligation	Personnel administration: airport access badge application + mandatory training

Judicial data: criminal history for the last 5 years

Legal basis	Purpose
Legal obligation	Personnel Administration: Retention of a copy of the SPF criminal history report

3.7. The Data Subject is a Prospect

A Prospect

The Data collected from Prospects are :

Personal identification data: last name, first name, address

Legal basis	Purpose
Legitimate interests pursued by the controller or by a third party	Gestion master data :gestion de la signalétique des prospects

3.8. The Data Subject is a Driver or a Guard

A Driver or a Guard

The Data of the Drivers and Guards are collected within the framework of the controls carried out for the export of goods.

The Data collected are:

Personal identification data, personal characteristics, identification data issued by public services, national register, image: copy of identity card or passport, name, surname of driver and guard, license plate number of vehicle and trailers, image

Legal basis	Purpose
Legal obligation	Security: control for import/export of goods, video surveillance Access control: verification of the driver’s identity

3.9. The Data Subject is a Physician or a Third Party involved

A Physician

Physician and Third Party Data is collected in the course of managing a claim related to an insurance policy.

The Data collected are:

Personal identification data, identification data issued by the public services: INAMI number, name, first name, address, signature, testimony, details and chronology of the claim

Legal basis	Purpose
Legal obligation	Personnel administration: analysis and conservation of documents related to the management of work-related accidents

4. How long is the Data kept?

Data storage period

The Data Controller keeps the Data for the time necessary to achieve the purpose of the processing and to comply with its legal obligations.

The retention periods are determined on the basis of several criteria such as the legal obligations to which the profession is subject, the type of processing, the purpose of the processing, the place where the Data is stored, the type of Data subject or the type of Data collected.

The retention period for a particular Data processing operation may be communicated to the Data Subject upon request.

The Data Controller shall in any case keep the Data in accordance with the legal retention periods.

5. Who collects the Data?

Responsible for data collection

The Data may be collected by the Data Controller or through the intermediary of the site host or the Data Controller’s processors. The Data is then passed on to the Data Controller.

The list of Data Processors can be communicated on request.

Some intermediaries may be established in a third country outside the European Economic Area which guarantees an adequate level of protection of Personal Data, as determined by the European Commission.

Where intermediaries are established in countries that do not provide an equivalent level of privacy protection, the Controller declares that it takes specific measures in accordance with the Data Protection legislation in force in the EEA to protect Personal Data.

6. How is the Data collected?

Method

The Data is collected during exchanges with the Data Controller in person, by telephone, post, e-mail or fax, via the web or by its Processors.

Data may also be collected via cookies (see specific information on this subject).

7. Why do we collect your Data?

Reasons

Data is collected primarily to provide the best possible services to Customers.

The Data may also be collected for the purpose of proper performance of the contract, or used for the management of Suppliers, Customers and contracts related to the services of/for the latter.

It may also be used to:

Respond to requests for information and follow-up.
Inform about possible changes in the services offered and/or applicable regulations.

The Data is also collected in order to comply with legal obligations, in particular with regard to accounting, to comply with a court order, to respond to a request from the public authorities, to protect the interests of the Data Controller, as well as those of its partners, to protect its services, to ensure compliance with the general terms and conditions, the confidentiality policy and any applicable text, to formulate a possible recourse or to limit any prejudice that the Data Controller may suffer.

Finally, the Data may be collected in the legitimate interest of the Data Controller or of a third party, and in particular for prospecting purposes.

8. With whom will the Data be shared?

Data sharing

The Data may be communicated to third parties in direct relation with the Data Controller, when necessary and in particular to the entities listed below:

Service providers chosen by the Data Controller, who are in charge of hosting websites, providing infrastructure, IT services, e-mail services, auditing services and any other similar services in order to enable them to provide said services;
The service providers chosen by the Data Controller, who are in charge of the supply of materials, transport and delivery or any other similar service in order to enable them to provide said services;
To a potential buyer, in the event of a transfer (total or partial) of the activities of the Controller (merger, sale, transfer of assets, judicial reorganization, etc.);
In the event of litigation, the Data may be transmitted to a third party in charge of managing litigation (law firm, collection company, etc.), which will also ensure compliance with the applicable legislation regarding this information;
Accountant, public authority, etc., in order to comply with the legal obligations of the Data Controller (communication of the Data to its accountant, to respond to a request from the public authorities, to comply with a court order, etc.).

The list of service providers can be communicated on request.

9. How do we secure them?

Security

Appropriate technical and organizational measures have been put in place to ensure a level of security appropriate to the risks, including but not limited to, as appropriate:

Means to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services;
Means to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident;
An internal regulation concerning the processing of Personal Data;
Limited retention periods;
Access to the information system is limited to authorized personnel who are responsible for the protection of personal data;

The details of these security measures can be communicated upon request.

10. What rights do you have?

Your rights

Depending on the type of Processing carried out on the Personal Data, the Data Subject may exercise several of the following rights:

A. Right to information

Any Person concerned by the Personal Data has a right to information about the Data collected. It is in particular through this Privacy Policy that the Data Controller wishes to provide this information.

A Data Subject who wishes to obtain more information about the Personal Data collected may be denied this request in the following cases:

The Data Subject already has this information ;
If the request requires disproportionate or impossible efforts;
If the provision of such information would seriously undermine the purpose of the processing.

B. Right of access

Any Data Subject has a right of access to his/her Personal Data.

To do so, the Data Subject must make a request to the relevant department of the Data Controller so that the latter can provide details of the precise Data held about him or her, subject to the rights and freedoms of others which cannot be affected.

A reply must be given within one month of the request made by the Person concerned. However, this deadline may be extended by an additional month depending on the complexity and number of requests. In the latter case, the Person concerned will be informed within one month of his/her request for access.

The Data Controller is entitled to demand the payment of “reasonable costs” in relation to the administrative costs incurred in producing these documents in the event that the request is excessively recurrent, unfounded or manifestly intended to abuse this right of access.

C. Right of rectification

Any Data Subject has the right to obtain from the Data Controller, as soon as possible, the rectification of Personal Data concerning him or her that are inaccurate.

The Data Subject may also request that incomplete data be completed, in particular by providing an additional declaration.

The Data Controller will notify the Data Subject of the completion of this procedure.

D. Right to erasure

The Data Subject shall be entitled to the right to erasure of his/her Data as soon as one of the following reasons arises:

The Data is no longer necessary for the purposes for which it was collected or processed by the Data Controller;
The Data Subject wishes to withdraw his or her consent and there is no other legal basis for such processing;
The Data Subject objects to the processing necessary for the purposes of the legitimate interests pursued by the Controller or by a third party;
The Data Subject has the right to object and makes use of this right;
The Data has been processed unlawfully;
The Data must be erased in order to comply with a legal obligation provided for by Union law or by the law of the Member State to which the Controller is subject;

In connection with such a request, the Controller shall take reasonable steps to erase such Data within one month of the request.

The Data Controller shall notify the Data Subject of the completion of such steps.

In the event that the Data Controller does not wish to comply with this request, reasons will be given for the refusal.

The right to erasure does not apply insofar as the processing of such data is necessary :

to exercise the right to freedom of expression and information ;
to comply with a legal obligation which requires the processing and which is provided for by Union law or by the law of the Member State to which the data controller is subject, or to carry out a task carried out in the public interest or in the exercise of official authority vested in the data controller;
for the establishment, exercise or defence of legal claims;
for archival or statistical purposes as provided for in Article 89 of the GDPR.

E. Right to restriction of processing

The Data Subject has the right to obtain from the Controller the restriction of processing where one of the following applies:

the accuracy of the Personal Data is contested by the Data Subject, for a period of time allowing the Controller to verify the accuracy of the Personal Data;
the processing is unlawful and the Data Subject objects to the erasure of the Personal Data and demands instead the restriction of its use;
the Controller no longer needs the Personal Data for the purposes of the processing, but the Data are still necessary for the Data Subject for the establishment, exercise or defense of legal claims;
the Data Subject has objected to the processing by virtue of his or her right to object, while the verification of whether the legitimate grounds pursued by the Controller prevail over those of the Data Subject is under way.

This request for restriction implies that the Personal Data may, with the exception of storage, only be processed with the consent of the Data Subject, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or on important grounds of public interest of the Union or of a Member State.

The Data Controller will notify the Data Subject of this.

F. Right to data portability

Where the processing of the Personal Data of the Data Subject is based on the consent given by the Data Subject or on a contract, and where such processing is carried out by means of automated processes, and provided that the data has not been anonymized, the Data Subject may request to receive such data in a structured, commonly used and machine-readable format.

The Data Subject may pass on the data to another controller, without the Controller being able to prevent this.

G. Right to object

The Data Subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her Personal Data based on the public interest or the legitimate interest of the Controller, including profiling based on such interests.

The Data Subject may also object to the processing of Data based on his/her consent or on a contract, provided that the data has been collected for prospecting purposes or for archival and statistical purposes.

The Data Controller will no longer process such data, unless he can demonstrate compelling legitimate grounds for the processing that override the interests and rights and freedoms of the Data Subject, or for the establishment, exercise or defence of legal claims.

11. How can you assert your rights?

A request for information can be made internally, via the email address: info@challenge-handling.be

In the event that the follow-up given to your request is not satisfactory, you can always exercise one of the rights provided for above, or file a complaint with the Data Protection Authority.

You can contact it in the following ways:

By telephone: (+32) (0)2 274 48 00 ;
E-mail: contact@apd-gba.be ;
Online contact form: https://www.autoriteprotectiondonnees.be/introduire-une-requete-une-plainte ;
By mail: Data Protection Authority, Rue de la Presse 35, 1000 Brussels, Belgium;
Fax: (+32) (0)2 274 48 35.

Last update: January 2021.