Mensura External Agency for Prevention and Protection at Work, vzw, with its registered office at Gaucheretstraat 88/90 1030 Brussels, and company number 0410.664.742, registered in the register of legal persons in Brussels, duly represented in this matter by Gretel Schrijvers in their capacity of general director,
hereinafter referred to as “the controller”; (regarding the advice of COPREV, date 26/01/2018)
Declares as follows:
- Point 2. Definitions
- Point 3. Processing personal data
- Point 4. Processing personal data in the context of trainings
- Point 5. Processing sensitive personal data?
- Point 6. Explicit agreement from the Data Subject(s)
- Point 7. Processing personal data for marketing purposes
- Point 8. Anonymous group reporting
- Point 9. The record of processing activities
- Point 10. Appropriate technical and organisational measures
- Point 11. Third parties
- Point 12. Processors
- Point 13. Processing of data outside a Member State of the EU
- Point 14. Minimal processing of personal data
- Point 15. The rights of data subjects:
- Point 16. Portability of Personal Data if the controller changes an external agency
- Point 17. Removal of the Personal Data at the end of the Main Contract
- Point 18. Requests for Personal Data from public government services
- Point 19. Measures in the event of a personal data breach
- Point 20. Miscellaneous provisions
- Point 21. If you need more information or support.
- Appendix 1. The categories of processed personal data and retention period
- Appendix II. Technical and organisational security measures
Point 2. Definitions
“Data subject”: the identified or identifiable natural person
“Data concerning health”: personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status
“Sensitive personal data”: personal data that reveals race or ethnic origin, political opinions, religious or philosophical beliefs or membership of a trade union and processing of genetic information or biometric data with a view to the unique identification of a person or data related to health or someone’s sexual behaviour or sexual orientation.
“Personal data breach”: a breach of security that accidentally or unlawfully leads to the destruction, loss, change or unauthorised disclosure or unauthorised access to data that has been sent, stored or processed in any other way.
“Personal data”: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“ Pseudonymisation”: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
“Consent of the Data Subject”: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of their personal data.
“Processor”:a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
“Processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Controller”: : a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Point 3. Processing personal data
The controller guarantees that your personal data will be:
- 1. Processed in a lawful, fair and transparent manner
- 2. Collected for specified, explicit and legitimate purposes
- 3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- 4. Correct and updated when necessary
- 5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
- 6. Appropriate technical and organisational measures will be taken to guarantee appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage
Personal data is lawfully processed by the controller as processing is based upon legal grounds. Article 6, 1 C of the GDPR states that Personal Data is lawfully processed if “processing is necessary for compliance with a legal obligation to which the controller (here: the client) is subject”. In this case, our clients have a legal obligation to take the necessary measures within the framework of occupational health and safety. These legal obligations are stipulated in the Code on Well-being at Work.
The aforementioned personal data includes name, address, telephone number, gender and age. An overview is available in appendix 1 to this Policy.
Point 4. Processing personal data in the context of trainings
Mensura can process the next personal data for the purposes of legitimate interests (both physically and on the website):
- When the registration wasn’t done by the participant, we define “Concerned person’ in this point as follows: “Both the person who did the registration, and the participant of the training”
- The next personal data will be processed:
- Of the Concerned person:
- First and second name
- Phone / cell phone number
- Date of birth
- E-mail address
- Other remarks (for example allergies concerning food when lunch is included in the training)
- Data of the company: name and address of the company, address to where the invoices can be send, VAT number, client number, type of company (A, B, C, D, E or M)
- Method of payment
- Of the Concerned person:
- We process the personal data for the next purposes:
- Fulfilling our administrative duties as for example charging the services we’ve done for the client or fulfilling our legal duties in the context of our accountancy
- Creating files for the transferability or the demonstrability of personal data, for purposes of accreditation or certification
- Performing and informing organisational and administrative elements regarding the trainings (for example certification, obtaining subsidies, legal conditions, ….)
- Informing the Concerned person about changes in the context of the followed training due to new legislation, guidelines, insights, evolutions, …
- Informing the Concerned person about the offer of Webinars/info sessions and trainings of Mensura
- Informing the Concerned person about the fact that the legal period to follow a refresher training, has been expired
- Updating the material of the training and updating the trainings
- Delivering and manage the certificates of Mensura, when applicable
The above mentioned personal data will be stored for a period of ten years, following the end of the year where the training has been given.
Point 5. Processing sensitive personal data?
The controller will lawfully process sensitive personal data (more explicitly: “data concerning health”) in conformity with article 9, b) and h) of the GDPR;
- b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller (here: the client) or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
The controller’s services are primarily determined by law, namely the Code on Well-being at Work. Our clients are legally obligated – within Belgian social law – to join an External Agency for Prevention and Protection at Work.
- h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
Sensitive data that is processed by the controller is related to data concerning health; i.e. weight, BMI, working capacity as stated on the HAF (Health Assessment Form) or the RAF (Reintegration Assessment Form), medical data, psychological data, injuries after a serious accident at work, the data subject’s lifestyle, etc.. An overview is available in appendix 1 to this Policy.
Point 6. Explicit agreement from the Data Subject(s)
In the context of the provision of service where the controller (Mensura) must request the Personal Data directly from the Data Subject(s), the controller (Mensura) will inform the Data Subject(s) prior to the processing concerning the following elements, in conformity with article 13 point 1 of the GDPR:
- the identity and contact details of the controller
- the contact details of the Data Protection Officer;
- the purpose and legal grounds for the processing;
- the recipients or the categories of the recipients of the personal data;
- the manner in which the rights of the Data Subject(s) are exercised;
- the fact that the Data Subject can revoke his or her explicit permission and the manner in which this is done;
- the fact that the Data Subject has the right to submit a complaint to the supervisory authority;
- the retention period for Personal Data;
- if applicable, the existence of automated decisions.
Point 7. Processing personal data for marketing purposes
With regard to processing Personal Data for Marketing Purposes, the controller (in case: Mensura) can rely upon a legal basis (recital 47 of the GDPR). An opt-out for the Data Subjects will be always possible.
Promotions and information regarding the offer of products and services of Mensura, will be seen as direct marketing. The personal data of the client (contact details of the client) will be processed for direct marketing purposes, so that Mensura can inform its clients about the offer of products and services.
Point 8. Anonymous group reporting
The controller guarantees that group reporting will be anonymous given that personal data is only shared as from a dataset of 10.
For example, the results of the medical examinations are part of the risk analysis. These results are reported in the form of the anonymous group results.
Point 9. The record of processing activities
The controller has drawn up a record of processing activities in which the following elements of each of their services are described in detail:
- 1° Which categories of personal data are being processed?
- 2° Who can receive this personal data (internal/externally)?
- 3° For how long will the personal data be kept?
- 4° For how long will the personal data be protected?
- 5° Will the personal data be processed outside Belgium?
- 6° Who has access to the personal data (internally/externally)?
- 7° The purposes of processing.
If you have questions within this framework that have not been made clear in this Policy, please contact the persons listed in point 20.
Point 10. Appropriate technical and organisational measures
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure the safe processing of personal data. Appendix II to this Policy contains a summary of these measures.
The controller guarantees that they will take the necessary measures in conformity with article 32 of the GDPR, which, among other things, pertain to the following:
- A - the pseudonymisation and encryption of personal data;
- B - the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- C - the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- D - a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
The controller guarantees that the only employees who will have access to personal data are those who are actually involved in implementing the services. Furthermore, these employees will be contractually bound by a duty of confidentiality.
Point 11. Third parties
Third parties who may gain access to personal data will also be restricted to persons involved in implementing the services. An overview of third parties can be given, on demand of the client.
Point 12. Processors
If the controller engages a processor to perform specific processing activities on the behalf of the controller, this processor will be subject to the same obligations with regard to data protection as those arising from this agreement, including the obligation to take appropriate technical and organisational measures for processing personal data. To this end, the processors have signed a processing agreement in accordance with article 28 point 3 GDPR. An overview of processors can be given, on demand of the client.
The controller guarantees that processors may only process personal data under written instructions of the controller. If the processors engage a sub-processor to perform processing activities, the processor will, in principle, remain liable towards the sub-processor.
Point 13. Processing of data outside a Member State of the EU
The controller guarantees that the personal data will not be processed outside a Member State of the EU. The Personal Data will only be processed in Belgium.
Point 14. Minimal processing of personal data
The controller’s services are primarily determined by law, namely the Code on Well-being at Work. The controller will only process the minimum amount of personal data necessary within the framework of implementing the requested services. An overview is available in appendix 1 to this Policy.
The controller guarantees that personal data will not be stored for longer than is necessary for the implementation of the requested services. The controller is obliged to observe statutory retention periods. An overview is available in appendix 1 to this Policy.
Point 15. The rights of data subjects:
Within the framework of the GDPR, data subjects have the following rights with regard to their personal data:
- 1° Right of access
- 2° Right to rectify incorrect personal data
- 3° Right to erasure (Right to be forgotten”)
In most cases, the right to erasure of data will not be executed by the controller, as processing is carried out on the basis of a legal obligation to process data.
- 4° Right to restriction of processing
- 5° Right to data portability
- 6° Right to object
In most cases, the right to object will not be executed by the controller, as processing is carried out on the basis of a legal obligation to process data.
The controller guarantees to answer requests within one month of receiving them. This will be done in conformity with the obligations of the controller stipulated in article 12 point 3 of the GDPR. Depending on the complexity and number of requests, this period may be extended by two months if necessary. The controller will inform the data subject of this extension within one month of receiving their request.
The controller’s internal procedures are set out in points 15.2 and 15.3 so that the data subjects can correctly exercise their rights against the controller. The client must inform data subjects of the controller’s internal procedures in a concise, transparent, comprehensible and easily accessible form and in clear and simple language. If data subjects wish to exercise a right that does not fall under point 15.2. or 15.3. the request can be sent to firstname.lastname@example.org or by post to the DPO (Kempische Steenweg 309 bus 0.01 – 3500 Hasselt.
15.2. Rights of data subjects within the framework of medical supervision
With regard to the exercise of one of the rights related to their medical files, data subjects must respect the following internal procedure of the controller:
- requests must be submitted by means of a registered letter addressed to Marie-Noelle Schmickler, directeur afdeling medisch toezicht, Italiëlei 2 at 2000 Antwerp.
- they must enclose a copy of their identity card.
Access to medical files will not be granted to employees directly but to their attending physician. This is in conformity with the recommendation issued by the Medical Association on 07/09/1996.
15.3. Rights of data subjects within the framework of psychosocial files
With regard to the exercise of one of the rights related to their psychosocial files, Data Subjects must respect the following internal procedure of the controller:
- requests must be submitted by means of a registered letter addressed to the relevant prevention advisor on psychosocial aspects;
- they must also enclose a copy of their identity card.
15.4. Right to submit a complaint to the Belgian supervisory authority (= “the Data Protection Authority”)
In accordance with article 77 of the GDPR, data subjects have the right to submit a complaint directly to the Data Protection Authority if they think that the controller is failing to protect and/or process their personal data in conformity with the GDPR.
Point 16. Portability of Personal Data if the controller changes an external agency
16.1. Transfer of Personal Data in the Medical Supervision Department
The transfer of health files is set out in the provisions of Book 1, Title 3, of the Code on Well-being at Work.
Health files consist of four separate sections:
- a) social-administrative information concerning the identification of the employee and their employer.
- b) occupational history and objective medical personal information that can be established on the basis of compulsory actions undertaken during preventative medical researches. This personal information is related to the employee’s work station or activity.
- c) specific information of a personal nature established by the occupational physician during preventative medical examinations and that are restricted to the last-mentioned doctor.
- d) exposure of all employees employed at a work station or in an activity that exposes them to biological, physical or chemical agents.
Health files do not contain information on cooperation with public health programmes that are not related to work.
The transfer of medical information takes place under the responsibility of the doctor who is in charge of the department tasked with medical supervision (director of medical supervision).
To transfer medical files, the director of medical supervision of the new external service must write to the Mensura’s director of medical supervision to request data transfer. The requested files will not be effectively transferred until this request has been received.
16.2. Transfer of Personal Data in the Psycho Department
The transfer of this personal data is set out in the provisions of article 34 van Book I, Title 3, Prevention of Psychosocial Risks at Work, of the Code on Well-being at Work.
If the client changes the external agency for prevention and protection at work, the transfer of individual files will be arranged as follows:
1° If a request for formal psychosocial intervention is being dealt with at the time of the change:
- a) the prevention advisor on psychosocial intervention will inform the applicant and the other persons directly involved as soon as possible of the fact that the external agency for which he performs tasks will no longer be authorised to deal with the request;
- b) the client will give the prevention advisor for psychosocial aspects to whom the request was submitted with the coordinates of the new external agency upon request;
- c) the prevention adviser for psychosocial aspects to whom the request was submitted will submit the individual file to the prevention adviser for psychosocial aspect of the new external agency;
- d) the prevention advisor on psychosocial aspects will inform the applicant and the other persons directly involved of the fact that they will be taking over the handling of the request;
2° If the handling of the request for formal psychosocial intervention is concluded at the time of the change of external agency for prevention and protection at work, the prevention adviser for psychosocial aspects of the new external agency may obtain a copy of the individual file from the prevention adviser for psychosocial aspect to whom the request was submitted if this is necessary for the performance of their duties.
The transfer of individual files is subject to conditions to safeguard professional secrecy.
Point 17. Removal of the Personal Data at the end of the Main Contract
The controller guarantees that the processed Personal Data will be deleted or transferred at the request of the client within the month following the end of the Main Contract, unless there is a legal provision allowing the controller to retain the Personal Data for a longer period of time.
At the request of the client, the controller will provide the necessary proof of this.
The processors and third parties are also informed by the controller about the removal of the Personal Data received, if the Main Contract has been terminated. Processors and third parties shall delete this Personal Data unless they too can provide proof of legal provisions allowing for the retention of Personal Data for longer periods of time.
Point 18. Requests for Personal Data from public government services
The controller will inform the client within three business days in cases where:
- (a) concerning the processing of Personal Data, a public body requests information from the controller, or the controller receives a summons or a research or inspection request, unless the controller is not legally authorised to provide this;
- (b) the intention is to provide Personal Data to a public body;
- (c) the controller receives a request to publish the client’s Personal Data or to provide information relating to the processing of the client’s Personal Data from a third party, an employee, a customer, or the client’s contractor.
The controller gives the client 72 hours, as from the time of the report, to object to such a transfer of Personal Data.
Point 19. Measures in the event of a personal data breach
The controller is obliged to report breaches of personal data security to the authorised Belgian supervisory authority within 72 hours. This applies unless it is unlikely that the personal data breach will result in a risk to the rights and freedoms of the data subject(s).
The controller will notify the client as soon as they have become aware of a personal data breach, without unreasonable delay. It is agreed that the controller and the client will contact each other within 48 hours of the controller learning of the breach and agree together whether it must be reported to the authorised Belgian supervisory authority.
If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data subject(s) will be informed it in accordance with article 34 of the GDPR.
Both the controller and the client will work together with the authorised Belgian supervisory authority to provide the necessary information and to limit the consequences of the breach.
Point 20. Miscellaneous provisions
Point 21. If you need more information or support.
The controller guarantees that they will provide the client with the necessary additional support and information so that the controller can show that they have complied with their obligations under the GPDR. This information obligation does not apply to information that is confidential or cannot be shared with the client for legal reasons.
Furthermore, the controller will grant the necessary cooperation if an audit is conducted on their premises on the orders of the client or by an auditor authorised by the client. The client will bear the costs of the appointed auditor and audit. The audit will always be limited to the controller’s systems that are used for the processing.
The Data Protection Officer and the Security Officer of the controller can be contacted at the following email address: email@example.com.
Appendix 1. The categories of processed personal data and retention period
Categories of Personal Data that the controller can process
- Personal identification data (e.g. first name, surname, address, telephone number, email address, type of driving licence if applicable)
- Personal characteristics (e.g. age, sex, date of birth, place of birth, marital status, nationality)
- Health data (such as physical and mental health)
- Occupation and relationship (such as employer, title and description of the position, date of recruitment)
- National Registration Number
- Racial or ethnic data
- Pictures (photo)
- Other category of data (e.g. seaman’s book number if applicable)
Medical file = statutory retention period (= 40 years)
Psychosocial files = statutory retention period (= 20 years)
Appendix II. Technical and organisational security measures
- Internal IT policy approved by the management board (contains password policy, acceptable use of company resources, Clean Desk and Clear Screen policy, Software policy, Internet policy, email policy, social media policy, policy on data confidentiality.....)
- Data will only be stored in Belgium
- Our systems are redundant on 2 data centres with TIER III + classification. (DRP and BCP)
- The hosting provider has ISO27001 certification.
- Firewalls on several network layers.
- Network Access Control, separation of networks, etc…
- Data in transit will only be permitted if encrypted.
- Remote access of users is only via VPN with Multi Factor authentication.
- Verified backup and restore procedures.
- Data in rest (backups) will be encrypted
- “Role based access” to applications.
- User Awareness training sessions will be organised.
- Antivirus/Antispam on several layers. (Firewall, Endpoints, Servers, mail systems…)
- SIEM for security devices.
- Logging and reporting.
- Regular security testing.
- Mobile Device management
- Capacity Management
- Regular updates of all systems and reporting on this.
- Regular security meetings met our hosting provider.
- Physical access security.
- Asset Management.
- Network and system monitoring.
- DDOS and IPS measures.
- Data Loss Prevention implementation in the near future.
- Change Management
- Separate Test, Validation and Production environments.
- Regular assessments of suppliers.
What are cookies?
You can find more information about how cookies work on the external website All about cookies.
Digital cookies also have sell-by dates
Exactly how long cookies are valid for depends on how they were programmed when they were created.
What cookies does Mensura use and why?
These cookies help us to ensure that you enjoy maximum user-friendliness. We use them to remember your language preference so that you do not need to re-enter it each time you visit our site. These cookies also ensure that you will not have to fill in a form again when you reload a page [and that you can view our YouTube videos.]Analytical cookies
Mensura strives for continuous improvement of not only our service but also the user-friendliness of our website. Analytical cookies provide us with insight into your surfing behaviour. This enables us to acquire more knowledge and continuously make our site more customer-friendly.Marketing cookies
These cookies allow us to see what you are interested in and which products you are viewing. We can then send personal inspiration and offers via search engines and social media. Without these cookies, we cannot send you offers and you will miss out on personal recommendations on our websites, newsletters, emails, etc.
Where does the name cookie come from?
The name 'cookie' was invented by the web developer Lou Montulli and comes from 'magic cookie', a term used in UNIX programming to describe a particular procedure. The term refers back to the Chinese fortune cookie, a cookie containing a file.
If you want to make optimal use of our website, it is necessary to accept these cookies. You can do this by accepting the cookie notification during your first visit. You can subsequently change your preferences at any time.
Changing or disabling cookies
Respect for privacy
You can also manage the cookies that our partners use via these websites:
Your Online Choices
Your Ad choices
Questions and updates
We will need to amend these statements from time to time, for example because our website or the rules governing cookies change. We may change the contents of the statements and the cookies listed at any time and without prior warning. You can consult this web page for the latest version.
This website is administered by Mensura. For any questions, comments or complaints, you can go through the channels below.
Mensura External Department for Prevention and Protection
Gaucheretstraat 88/90 - 1030 Brussels
T +32 2 549 71 00
Integrity policy & reporting
Secure whistleblowing platform
For Mensura, integrity is one of the cornerstones of its operations. This is why Mensura has set up an internal whistle-blowing platform that offers both employees and external parties the opportunity to report violations of internal policies and procedures, as well as applicable laws and regulations, in a confidential and effective manner, protecting the reporter from retaliation.
If you notice regulatory violations or fraud, you can report it through Mensura's secure whistleblowing platform available at https://mensura.whistlelink.com/.
Through this channel, you can even submit the report anonymously, if you wish. The reports are handled by an external party, BDO, which is also our internal auditor, and are followed up from Mensura by Kris Puelings. More information on how your report will be handled can be found in the whistleblower policy (in Dutch). If you have any questions or comments, you can always contact us via firstname.lastname@example.org.