Legal provisions in accordance with the General Data Protection Regulation
- All personal data provided to Steve Verleure, a one-man business (trading under the commercial name “Spa Différent”), with registered office at Dikkebusseweg 91, 8900 Ieper, and registered with the Crossroads Bank for Enterprises under the number 0704.481.997, will be collected and processed within the scope of its mission, for professional purposes only, and will be processed in a legitimate, proper and transparent manner.
- The Controller is Steve Verleure, a one-man business (trading under the commercial name “Spa Différent”), with registered office at Dikkebusseweg 91, 8900 Ypres and registered with the Crossroads Bank for Enterprises under the number 0704.481.997, tel. 057 / 36 60 20, e-mail: email@example.com.
- The personal data provided to us are necessary for the performance of the agreement in which STEVE VERLEURE is involved and/or the fulfillment of the legal obligations that STEVE VERLEURE and/or its customer and/or its supplier and/or its personnel must comply with and/or the representation of the legitimate interests of STEVE VERLEURE.
- The categories of personal data that may be processed are surname, first name (or first names, if applicable), address data (such as street name, house number, P.O. box number, postal code, municipality/village/city, country,…), contact data (e.g. e-mail address, telephone number, cell phone number, fax number,…), gender, national registration number, identity card number, place of birth, date of birth, professional category and KBO and/or VAT number.
- The personal data are made available to STEVE VERLEURE by the person communicating their personal data (customer/supplier/staff member/…) and/or by documents made available to STEVE VERLEURE and/or by publicly available sources such as the CBE, websites, …
If STEVE VERLEURE uses personal data, this will only be done to parties who necessarily need to know these personal data in order to properly exercise the agreement in which STEVE VERLEURE is involved and/or if the law so provides.
- STEVE VERLEURE does not retain your personal data longer than necessary to fulfill the purposes for which they are collected. Personal data will be kept at least for the legally defined criteria for keeping accounts. Retention of personal data is done with security appropriate and customary for a company of our size in our industry.
- Upon presentation of proof of Your identity, You, as a natural person, have the right to:
- request from the controller access to and/or rectification and/or erasure of personal data and/or restriction of processing concerning You, as well as the right to object to processing and the right to data portability (see below);
- file a complaint with a supervisory authority, being the Data Protection Authority (= the former Privacy Commission).
In accordance with Article 12 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, you will find below the text of Articles 15 to 22 as well as Article 34 of the aforementioned Regulation:
Article 15 (Data subject’s right of access): “1. The data subject shall have the right to obtain from the controller a confirmation as to whether or not personal data relating to him are being processed and, if so, to obtain access to those personal data and to the following information:
- (a) the processing purposes;
- (b) the categories of personal data concerned
- (c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations
- (d) if possible, the period for which the personal data are expected to be stored, or if that is not possible, the criteria for determining that period;
- (e) that the data subject has the right to request the controller to rectify or erase personal data, or to restrict the processing of personal data concerning him, as well as the right to object to such processing;
- (f) that the data subject has the right to complain to a supervisory authority;
- (g) where personal data are not collected from the data subject, any available information on the source of those data;
- (h) the existence of automated decision-making, including profiling referred to in Article 22(1) and (4), and, at least in those cases, useful information on the underlying logic, as well as the significance and expected consequences of such processing for the data subject.
- When personal data are transferred to a third country or an international organization, the data subject has the right to be informed of the appropriate safeguards in accordance with Article 46 on the transfer.
- The controller shall provide the data subject with a copy of the personal data being processed. If the data subject requests additional copies, the controller may charge a reasonable fee based on administrative costs. If the data subject submits the request electronically, and does not request any other arrangement, the information shall be provided in a commonly used electronic format.
- The right to obtain a copy referred to in paragraph 3 shall not affect the rights and freedoms of others.”
Article 16 (Right to rectification): “The data subject shall have the right to obtain from the controller without delay the rectification of personal data relating to him that are inaccurate. Subject to the purposes of the processing, the data subject shall have the right to obtain completeness of incomplete personal data, including by providing a supplementary declaration.”
Article 17 (Right to data erasure (“right to oblivion”)): “1. The data subject shall have the right to obtain from the controller erasure of personal data concerning him without unreasonable delay, and the controller shall be obliged to erase personal data without unreasonable delay when one of the following applies: (a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed; 4.5.2016 EN Official Journal of the European Union L 119/43 (b) the data subject withdraws the consent to which the processing pursuant to Article 6(1), point (a), or Article 9, paragraph 2, item (a), rests, and there is no other legal basis for the processing; (c) the data subject objects to the processing pursuant to Article 21(1), and there are no overriding compelling legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2); (d) the personal data have been processed unlawfully; (e) the personal data must be deleted in order to comply with a legal obligation laid down in Union or Member State law that rests on the controller; (f) the personal data were collected in connection with an offer of information society services referred to in Article 8(1).
- Where the controller has disclosed the personal data and is required to erase the personal data pursuant to paragraph 1, it shall, taking into account available technology and implementation costs, take reasonable measures, including technical measures, to notify controllers processing the personal data that the data subject has requested the controller to erase any link to, or copy or reproduction of, that personal data.
- Paragraphs 1 and 2 do not apply to the extent that processing is necessary: (a) for exercising the right to freedom of expression and information; (b) for compliance with a legal processing obligation imposed on the controller by Union or Member State law, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (c) for reasons of public health interest in accordance with Article 9(2) points (h) and (i), and Article 9(3); (d) for archiving in the public interest, scientific or historical research or statistical purposes in accordance with Article 89(1), insofar as the right referred to in paragraph 1 is likely to make impossible or seriously jeopardize the achievement of the purposes of such processing; (e) for the institution, exercise or substantiation of an action.”
Article 18 (Right to restrict processing): “1. The data subject has the right to obtain from the controller the restriction of processing if any of the following applies: (a) the accuracy of the personal data is disputed by the data subject, for a period that allows the controller to verify the accuracy of the personal data; (b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests instead that its use be restricted; (c) the controller no longer needs the personal data for the processing purposes, but the data subject needs them for the establishment, exercise or support of a legal claim; (d) the data subject has objected to the processing in accordance with Article 21(1), pending the answer to the question whether the legitimate grounds of the controller outweigh those of the data subject.
- Where processing is restricted pursuant to paragraph 1, personal data, with the exception of their storage, shall only be processed with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for important grounds of public interest for the Union or for a Member State. 3. A data subject who has obtained a restriction on processing pursuant to paragraph 1 shall be informed by the controller before the restriction on processing is lifted.”
Article 19 (Duty to notify rectification or erasure of personal data or restriction of processing): “The controller shall notify any recipient to whom personal data have been disclosed of any rectification or erasure of personal data or restriction of processing pursuant to Article 16, Article 17(1) and Article 18, unless this proves impossible or involves a disproportionate effort. The controller shall provide the data subject with information about these recipients if requested by the data subject.”
Article 20 (Right to data portability): “1. The data subject shall have the right to obtain the personal data concerning him that he has provided to a controller in a structured, common and machine-readable form, and he shall have the right to transfer such data to another controller, without hindrance from the controller to whom the personal data had been provided, if: (a) the processing is based on consent under Article 6(1)(a), or Article 9, paragraph 2, item (a), or on an agreement under Article 6(1)(b); and (b) the processing is carried out through automated processes.
- When exercising his right to data portability under paragraph 1, the data subject shall have the right to have the personal data transferred, if technically possible, directly from one controller to another.
- The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. 4. The right referred to in paragraph 1 is without prejudice to the rights and freedoms of others.”
Article 21 (Right to object): “1. The data subject shall have the right to object at any time, on grounds relating to his particular situation, to the processing of personal data concerning him on the basis of point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall cease processing the personal data unless it adduces compelling legitimate grounds for processing which override the interests, rights and freedoms of the data subject or which are connected with the establishment, exercise or defence of legal claims.
- Where personal data are processed for the purpose of direct marketing, the data subject shall have the right to object at any time to the processing of personal data concerning him/her for such marketing, including profiling related to direct marketing.
- If the data subject objects to processing for direct marketing purposes, the personal data will no longer be processed for these purposes.
- The right referred to in paragraphs 1 and 2 shall be expressly brought to the attention of the data subject and displayed clearly and separately from any other information no later than the time of the initial contact with the data subject.
- In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his right to object by means of automated procedures using technical specifications.
- Where personal data are processed for scientific or historical research or statistical purposes pursuant to Article 89(1), the data subject shall have the right to object to the processing of personal data concerning him on grounds relating to his particular situation, unless the processing is necessary for the performance of a task carried out in the public interest.”
Article 22 (Automated individual decision-making, including profiling): “1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or significantly affects him or her in any other way.
- Paragraph 1 does not apply if the decision: (a) is necessary for the establishment or performance of a contract between the data subject and a controller; (b) is permitted by a provision of Union or Member State law applicable to the controller which also provides for appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or (c) relies on the explicit consent of the data subject.
- In the cases referred to in points (a) and (c) of paragraph 2, the controller shall implement appropriate measures to protect the rights and freedoms and legitimate interests of the data subject, including at least the right to human intervention by the controller, the right to express his or her point of view and the right to challenge the decision.
- The decisions referred to in paragraph 2 shall not be based on the special categories of personal data referred to in Article 9(1), unless Article 9(2)(a) or (g) applies and appropriate measures have been taken to protect the data subject’s legitimate interests.”
Article 34 (Notification of a personal data breach to the data subject): “1. Where the personal data breach is likely to present a high risk to the rights and freedoms of natural persons, the controller shall notify the data subject of the personal data breach without undue delay.
- The communication to the data subject referred to in paragraph 1 of this Article shall contain a description, in clear and simple language, of the nature of the personal data breach and at least the information and measures referred to in Article 33(3)(b), (c) and (d).
- The notification to the individual referred to in paragraph 1 is not required when one of the following conditions is met: (a) the controller has implemented appropriate technical and organizational protection measures and these measures have been applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to unauthorized persons, such as encryption; (b) the controller has taken subsequent measures to ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is unlikely to recur; (c) communication would require disproportionate effort. In that case, a public notice or similar measure that informs data subjects as effectively will take its place.
- If the controller has not yet notified the personal data breach to the data subject, the supervisory authority may, after considering the likelihood that the personal data breach poses a high risk, require the controller to do so or decide that one of the conditions referred to in paragraph 3 has been met.”