Privacy policy Mensura EAPPW
Mensura External Agency for Prevention and Protection at Work, vzw, with its registered office at Gaucheretstraat 88/90, 1030 Brussels, and company number 0410.664.742, registered in the register of legal persons in Brussels, duly represented in this matter by Gretel Schrijvers in their capacity as general director,
hereinafter referred to as “the controller”; (regarding the advice of COPREV, date 26/01/2018)
Declares as follows:
The controller acknowledges the importance of the safe processing of our clients’ personal data. The controller wishes to provide insight into the processing of your personal data by means of this Privacy Policy.
This Privacy Policy was drawn up in accordance with the European General Data Protection Regulation (GDPR), dated 27 April 2016. This regulation was transposed into the Framework Act of 30 July 2018 on the protection of individuals with regard to the processing of personal data.
Furthermore, as a lex specialis, the new European ePrivacy Regulation will govern the processing of personal data within the framework of direct marketing and cookies. (*At the time of writing this Privacy Policy, this was still a draft text.)
If the content of the above legal texts changes, the controller will amend this Privacy Policy to conform with these changes. Our clients will be informed of fundamental changes in a timely manner. Other changes will not be communicated to our clients. Our Privacy Policy can be freely consulted on our public website.
Point 1. Scope of the privacy policy
This privacy policy and its appendices serve as an appendix to the Main Contract between the controller and our clients. This privacy policy is applicable for the full duration of the Main Contract.
If there are deviating provisions in the Main Contract on the processing of personal data, this privacy policy will have precedence.
Deviations from this privacy policy are only valid if both parties have granted their permission for this in writing.
Point 2. Definitions
In accordance with the text of the GDPR, the following terms will have the following meaning for the application of this Privacy Policy:
“Data subject”: the identified or identifiable natural person
“Data concerning health”: personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status
“Sensitive personal data”: personal data that reveals race or ethnic origin, political opinions, religious or philosophical beliefs or membership of a trade union and processing of genetic information or biometric data with a view to the unique identification of a person or data related to health or someone’s sexual behaviour or sexual orientation.
“Personal data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
“Personal data”: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Pseudonymisation”: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
“Consent of the Data Subject”: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of their personal data.
“Processor”: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
“Processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Controller”: a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Point 3. Processing personal data
The controller guarantees that your personal data will be:
Processed in a lawful, fair and transparent manner
Collected for specified, explicit and legitimate purposes
Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
Correct and updated when necessary
Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
Appropriate technical and organisational measures will be taken to guarantee appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage
Personal data is lawfully processed by the controller as the processing is based on legal grounds. Article 6(1)(c) of the GDPR states that personal data is lawfully processed if “processing is necessary for compliance with a legal obligation to which the controller (here: the client) is subject”. In this case, our clients have a legal obligation to take the necessary measures within the framework of occupational health and safety. These legal obligations are stipulated in the Code on Well-being at Work.
The aforementioned personal data includes name, address, telephone number, gender and age. An overview is available in appendix 1 to this Policy.
Point 4. Processing personal data in the context of trainings
Mensura may process the following personal data on the basis of its legitimate interests (both in physical form and via the website):
When the registration was not made by the participant, “Concerned person” in this point means both the person who made the registration and the participant of the training.
The following personal data will be processed:
Of the Concerned person:
First name and surname
Phone / cell phone number
Date of birth
Function
E-mail address
Language
Signature
Evaluation of the trainer
Other remarks (for example allergies concerning food when lunch is included in the training)
Data of the company: name and address of the company, invoicing address, VAT number, client number, type of company (A, B, C, D, E or M)
Method of payment
We process the personal data for the following purposes:
Fulfilling our administrative obligations, for example invoicing the services provided to the client, or fulfilling our legal obligations in the context of our accounting
Creating files for the transferability or demonstrability of personal data, for purposes of accreditation or certification
Carrying out and communicating the organisational and administrative aspects of the trainings (for example certification, obtaining subsidies, legal conditions, keeping track of attendance, evaluation of the trainer, ...)
Informing the Concerned person about changes relating to the training followed, due to new legislation, guidelines, insights, developments, ...
Informing the Concerned person about Mensura’s offer of webinars, information sessions and trainings
Informing the Concerned person that the statutory period within which a refresher training must be followed has expired
Updating the training material and the trainings
Issuing and managing Mensura certificates, where applicable
The above-mentioned personal data will be stored for ten years from the end of the year in which the training was given.
Point 5. Processing sensitive personal data
The controller will lawfully process sensitive personal data (more specifically: “data concerning health”) in conformity with article 9(2)(b) and (h) of the GDPR:
b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller (here: the client) or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
The controller’s services are primarily determined by law, namely the Code on Well-being at Work. Our clients are legally obligated – within Belgian social law – to join an External Agency for Prevention and Protection at Work.
h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
Sensitive data that is processed by the controller is related to data concerning health; i.e. weight, BMI, working capacity as stated on the HAF (Health Assessment Form) or the RAF (Reintegration Assessment Form), medical data, psychological data, injuries after a serious accident at work, the data subject’s lifestyle, etc.
An overview is available in appendix 1 to this Policy.
Point 6. Explicit agreement from the Data Subject(s)
In the context of the provision of service where the controller (Mensura) must request the Personal Data directly from the Data Subject(s), the controller (Mensura) will inform the Data Subject(s) prior to the processing concerning the following elements, in conformity with article 13 point 1 of the GDPR:
the identity and contact details of the controller
the contact details of the Data Protection Officer;
the purpose and legal grounds for the processing;
the recipients or the categories of the recipients of the personal data;
the manner in which the rights of the Data Subject(s) are exercised;
the fact that the Data Subject can revoke his or her explicit permission and the manner in which this is done;
the fact that the Data Subject has the right to submit a complaint to the supervisory authority;
the retention period for Personal Data;
if applicable, the existence of automated decisions.
Where the controller provides services in the context of points 3 and 4, the client must share the aforementioned information with the Data Subject(s). The client can use this Privacy Policy to inform the Data Subject(s).
Point 7. Processing personal data for marketing purposes
With regard to processing Personal Data for marketing purposes, the controller (here: Mensura) can rely on legitimate interest as a legal basis (recital 47 of the GDPR). An opt-out for the Data Subjects will always be possible.
Promotions and information regarding Mensura’s offer of products and services are considered direct marketing. The personal data of the client (the client’s contact details) will be processed for direct marketing purposes, so that Mensura can inform its clients about its offer of products and services.
The controller does not process personal data of the client’s employees for marketing purposes, except with the explicit consent of the employee concerned (for example, where that employee has followed a training as a participant). In the context of point 4 of this Privacy Policy, personal data of the client’s employees is processed for marketing purposes. We draw attention to the rights of the client’s employees (point 15 of this Privacy Policy) and in particular to the right to object under article 21 GDPR, which may be exercised at any time.
Point 8. Anonymous group reporting
The controller guarantees that group reporting will be anonymous, since group results are only reported for groups of at least 10 data subjects.
For example, the results of the medical examinations are part of the risk analysis. These results are reported in the form of the anonymous group results.
Point 9. The record of processing activities
The controller has drawn up a record of processing activities in which the following elements of each of their services are described in detail:
Which categories of personal data are being processed?
Who can receive this personal data (internal/externally)?
For how long will the personal data be kept?
For how long will the personal data be protected?
Will the personal data be processed outside Belgium?
Who has access to the personal data (internally/externally)?
The purposes of processing.
If you have questions within this framework that have not been made clear in this Policy, please contact the persons listed in point 21.
Point 10. Appropriate technical and organisational measures
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure the safe processing of personal data. Appendix II to this Policy contains a summary of these measures.
The controller guarantees that they will take the necessary measures in conformity with article 32 of the GDPR, which, among other things, pertain to the following:
A - the pseudonymisation and encryption of personal data;
B - the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
C - the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
D - a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
The controller guarantees that the only employees who will have access to personal data are those who are actually involved in implementing the services. Furthermore, these employees will be contractually bound by a duty of confidentiality.
Point 11. Third parties
Third parties who may gain access to personal data will also be restricted to persons involved in implementing the services. An overview of third parties can be provided at the client’s request.
Point 12. Processors
If the controller engages a processor to perform specific processing activities on behalf of the controller, this processor will be subject to the same obligations with regard to data protection as those arising from this agreement, including the obligation to take appropriate technical and organisational measures for processing personal data. To this end, the processors have signed a processing agreement in accordance with article 28(3) GDPR. An overview of processors can be provided at the client’s request.
The controller guarantees that processors may only process personal data on written instructions of the controller. If a processor engages a sub-processor to perform processing activities, the processor will, in principle, remain fully liable towards the controller for the performance of the sub-processor’s obligations (article 28(4) GDPR).
Point 13. Processing of data outside a Member State of the EU
The controller guarantees that the personal data will not be processed outside a Member State of the EU. The Personal Data will only be processed in Belgium.
Point 14. Minimal processing of personal data
The controller’s services are primarily determined by law, namely the Code on Well-being at Work. The controller will only process the minimum amount of personal data necessary within the framework of implementing the requested services. An overview is available in appendix 1 to this Policy.
The controller guarantees that personal data will not be stored for longer than is necessary for the implementation of the requested services. The controller is obliged to observe statutory retention periods. An overview is available in appendix 1 to this Policy.
Point 15. The rights of data subjects
15.1. General
Within the framework of the GDPR, data subjects have the following rights with regard to their personal data:
1° Right of access
2° Right to rectify incorrect personal data
3° Right to erasure (“Right to be forgotten”)
In most cases, the right to erasure of data will not be executed by the controller, as processing is carried out on the basis of a legal obligation to process data.
4° Right to restriction of processing
5° Right to data portability
6° Right to object
In most cases, the right to object will not be executed by the controller, as processing is carried out on the basis of a legal obligation to process data.
The controller guarantees to answer requests within one month of receiving them. This will be done in conformity with the obligations of the controller stipulated in article 12 point 3 of the GDPR. Depending on the complexity and number of requests, this period may be extended by two months if necessary. The controller will inform the data subject of this extension within one month of receiving their request.
The controller’s internal procedures are set out in points 15.2 and 15.3 so that the data subjects can correctly exercise their rights against the controller. The client must inform data subjects of the controller’s internal procedures in a concise, transparent, comprehensible and easily accessible form and in clear and simple language. If data subjects wish to exercise a right that does not fall under point 15.2. or 15.3. the request can be sent to privacy@mensura.be.
15.2. Rights of data subjects within the framework of medical supervision
With regard to the exercise of one of the rights related to their medical files, data subjects must respect the following internal procedure of the controller:
requests must be submitted by means of a registered letter addressed to Dr. An De Roeck, director of the medical supervision department, Italiëlei 2, 2000 Antwerp;
they must enclose a copy of their identity card.
Access to medical files will not be granted to employees directly but to their attending physician. This is in conformity with the recommendation issued by the Medical Association on 07/09/1996.
15.3. Rights of data subjects within the framework of psychosocial files
With regard to the exercise of one of the rights related to their psychosocial files, Data Subjects must respect the following internal procedure of the controller:
requests must be submitted by means of a registered letter addressed to the relevant prevention advisor on psychosocial aspects;
they must also enclose a copy of their identity card.
15.4. Right to submit a complaint to the Belgian supervisory authority (= “the Data Protection Authority”)
In accordance with article 77 of the GDPR, data subjects have the right to submit a complaint directly to the Data Protection Authority if they think that the controller is failing to protect and/or process their personal data in conformity with the GDPR.
Point 16. Portability of Personal Data if the controller changes an external agency
16.1. Transfer of Personal Data in the Medical Supervision Department
The transfer of health files is set out in the provisions of Book 1, Title 3, of the Code on Well-being at Work.
Health files consist of four separate sections:
social-administrative information concerning the identification of the employee and their employer.
occupational history and objective medical personal information established on the basis of compulsory actions undertaken during preventive medical examinations. This personal information is related to the employee’s work station or activity.
specific information of a personal nature established by the occupational physician during preventative medical examinations and that are restricted to the last-mentioned doctor.
exposure of all employees employed at a work station or in an activity that exposes them to biological, physical or chemical agents.
Health files do not contain information on cooperation with public health programmes that are not related to work.
The transfer of medical information takes place under the responsibility of the doctor who is in charge of the department tasked with medical supervision (director of medical supervision).
To transfer medical files, the director of medical supervision of the new external service must write to Mensura’s director of medical supervision to request the data transfer. The requested files will not be transferred until this request has been received.
16.2. Transfer of Personal Data in the Psycho Department
The transfer of this personal data is set out in the provisions of article 34 of Book I, Title 3, Prevention of Psychosocial Risks at Work, of the Code on Well-being at Work.
If the client changes the external agency for prevention and protection at work, the transfer of individual files will be arranged as follows:
1° If a request for formal psychosocial intervention is being dealt with at the time of the change:
a) the prevention advisor on psychosocial intervention will inform the applicant and the other persons directly involved as soon as possible of the fact that the external agency for which he performs tasks will no longer be authorised to deal with the request;
b) the client will, upon request, provide the prevention advisor on psychosocial aspects to whom the request was submitted with the contact details of the new external agency;
c) the prevention advisor on psychosocial aspects to whom the request was submitted will hand over the individual file to the prevention advisor on psychosocial aspects of the new external agency;
d) the prevention advisor on psychosocial aspects of the new external agency will inform the applicant and the other persons directly involved of the fact that they will be taking over the handling of the request;
2° If the handling of the request for formal psychosocial intervention has been concluded at the time of the change of external agency for prevention and protection at work, the prevention advisor on psychosocial aspects of the new external agency may obtain a copy of the individual file from the prevention advisor on psychosocial aspects to whom the request was submitted, if this is necessary for the performance of their duties.
The transfer of individual files is subject to conditions to safeguard professional secrecy.
Point 17. Removal of the Personal Data at the end of the Main Contract
The controller guarantees that the processed Personal Data will be deleted or transferred at the request of the client within the month following the end of the Main Contract, unless there is a legal provision allowing the controller to retain the Personal Data for a longer period of time.
At the request of the client, the controller will provide the necessary proof of this.
The processors and third parties are also informed by the controller about the removal of the Personal Data received, if the Main Contract has been terminated. Processors and third parties shall delete this Personal Data unless they too can provide proof of legal provisions allowing for the retention of Personal Data for longer periods of time.
Point 18. Requests for Personal Data from public government services
The controller will inform the client within three business days in cases where:
a) concerning the processing of Personal Data, a public body requests information from the controller, or the controller receives a summons or an investigation or inspection request, unless the controller is legally prohibited from providing this information;
b) the intention is to provide Personal Data to a public body;
c) the controller receives a request to publish the client’s Personal Data or to provide information relating to the processing of the client’s Personal Data from a third party, an employee, a customer, or the client’s contractor.
The controller gives the client 72 hours from the time of notification to object to such a transfer of Personal Data.
Point 19. Measures in the event of a personal data breach
The controller is obliged to report personal data breaches to the competent Belgian supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of the data subject(s).
The controller will notify the client without undue delay once it has become aware of a personal data breach. It is agreed that the controller and the client will contact each other within 48 hours of the controller learning of the breach and agree together whether it must be reported to the competent Belgian supervisory authority.
If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data subject(s) will be informed of it in accordance with article 34 of the GDPR.
Both the controller and the client will work together with the competent Belgian supervisory authority to provide the necessary information and to limit the consequences of the breach.
Point 20. Miscellaneous provisions
If one or more of the provisions in this Privacy Policy should become null and void, the remaining provisions are still in full force.
This Privacy Policy is subject to Belgian law. The parties can only present their disputes concerning this Privacy Policy before the courts of Brussels.
Point 21. If you need more information or support
The controller guarantees that they will provide the client with the necessary additional support and information so that the controller can show that they have complied with their obligations under the GDPR. This information obligation does not apply to information that is confidential or cannot be shared with the client for legal reasons.
Furthermore, the controller will grant the necessary cooperation if an audit is conducted on their premises on the orders of the client or by an auditor authorised by the client. The client will bear the costs of the appointed auditor and audit. The audit will always be limited to the controller’s systems that are used for the processing.
The Data Protection Officer and the Security Officer of the controller can be contacted at the following email address: privacy@mensura.be.
Appendix 1. The categories of processed personal data and retention period
Categories of Personal Data that the controller can process
Personal identification data (e.g. first name, surname, address, telephone number, email address, type of driving licence if applicable)
Personal characteristics (e.g. age, sex, date of birth, place of birth, marital status, nationality)
Health data (such as physical and mental health)
Occupation and relationship (such as employer, title and description of the position, date of recruitment)
National Registration Number
Racial or ethnic data
Pictures (photo)
Other category of data (e.g. seaman’s book number if applicable)
Retention period
Medical file = statutory retention period (= 40 years)
Psychosocial files = statutory retention period (= 20 years)
Appendix II. Technical and organisational security measures
Internal IT policy approved by the management board (contains password policy, acceptable use of company resources, Clean Desk and Clear Screen policy, software policy, Internet policy, email policy, social media policy, policy on data confidentiality, ...)
Data will only be stored in Belgium
Our systems are redundant across two Tier III+ data centres (DRP and BCP).
The hosting provider has ISO27001 certification.
Firewalls on several network layers.
Network Access Control, separation of networks, etc…
Data in transit is only permitted in encrypted form.
Remote user access is only possible via VPN with multi-factor authentication.
Verified backup and restore procedures.
Data at rest (backups) is encrypted.
“Role based access” to applications.
User Awareness training sessions will be organised.
Antivirus/Antispam on several layers. (Firewall, Endpoints, Servers, mail systems…)
SIEM for security devices.
Logging and reporting.
Regular security testing.
Mobile Device management
Capacity Management
Regular updates of all systems and reporting on this.
Regular security meetings with our hosting provider.
Physical access security.
Asset Management.
Network and system monitoring.
DDoS and IPS measures.
Data Loss Prevention implementation in the near future.
Change Management
Separate Test, Validation and Production environments.
Regular assessments of suppliers.
Privacy policy Certimed
Certimed vzw, which has its registered office at 3500 Hasselt, Kempische Steenweg 309 bus 3.01, with company number 0409.671.085, validly represented at law by Bart Teuwen in his capacity as Managing Director;
referred to hereafter as ‘the Controller’;
Declares as follows:
Certimed vzw recognises the importance of safe processing of personal data. Certimed vzw wishes to provide insight into the processing of your personal data by means of this Privacy Policy.
This Privacy Policy was drawn up in accordance with the European General Data Protection Regulation (GDPR), dated 27 April 2016. This regulation was transposed into the Framework Act of 30 July 2018 on the protection of individuals with regard to the processing of personal data.
Certimed adopts the qualification of the Controller within the scope of the GDPR. This is because the rights of the data subjects must be directly exercised at Certimed vzw. The data subjects cannot submit their rights relating to the GDPR to our clients because our clients may not gain access to the full medical file of the data subject(s).
Furthermore, the replacement of the ePrivacy Directive by a (new) ePrivacy Regulation, as a lex specialis, was taken into account for the processing of Personal Data in the context of direct marketing and cookies. (The Commission’s January 2017 proposal is still under negotiation.)
If the content of the above legal texts is amended, Certimed vzw will amend this Privacy Policy to conform with these amendments. Our clients will be notified of essential amendments. Other amendments will not be communicated to the client. Our Policy can be publicly consulted on our website.
Point 1. Scope of the Privacy Policy
This Privacy Policy and its appendices serve as an appendix to the Principal Contract between the Controller and the client. This Privacy Policy applies for the full duration of the Principal Contract.
If there are derogating provisions in the Principal Contract on the processing of personal data, this Privacy Policy will prevail.
Derogations from this Privacy Policy are only valid if both parties have granted their permission for this in writing.
Point 2. Definitions
In accordance with the text of the GDPR, the following terms will have the following meaning for the application of this Privacy Policy:
‘Data subject’: the identified or identifiable natural person
‘Third parties’: a natural or legal person, public authority, agency or body other than the data subject, the Controller, processor and persons who, under the direct authority of the Controller or processor, are authorised to process personal data;
‘Data concerning health’: personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
‘Sensitive personal data’: personal data that reveals race or ethnic origin, political opinions, religious or ideological convictions or membership of a trade union, and processing of genetic data or biometric data with a view to the unique identification of a person, or data related to health, or data related to someone’s sexual behaviour or sexual orientation;
‘Personal data breach’: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
‘Personal data’: any information relating to an identified or identifiable natural person (‘the data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘Pseudonymisation’: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person;
‘Sub-processor’: a processor who, under the direct authority of the processor, is authorised to process personal data;
‘Consent of the data subject’: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
‘Processor’: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller;
‘Processing’: any operation or set of operations performed on personal data or on a set of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘Controller’: a natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.
Point 3. Processing personal data
The Controller guarantees that your personal data will be:
a) processed lawfully, fairly and transparently
b) collected for specified, explicit and legitimate purposes
c) adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
d) correct, and updated when necessary
e) kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed
f) protected by appropriate technical and organisational measures that guarantee appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage
The processing is based on Article 6, 1, (b) and (f) of the GDPR:
- Article 6, 1 (b) of the GDPR for the purposes of carrying out medical examinations and drawing up reports relating to absenteeism: “The processing is necessary for the performance of a contract to which the data subject is party”.
- Article 6, 1 (f) of the GDPR: “Processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data, in particular where the data subject is a child.”
The client's legitimate interest referred to in Article 6, 1 (f) of the GDPR includes the interest of combating absenteeism in the organisation.
The personal data referred to above include matters such as surname, first name(s), address, postcode, city, email address, date of birth, gender, civil status, information on professional position (= employer’s identity, workplace, any job title, date of appointment or date of leaving), etc. An overview can be found in Appendix I to this Policy.
Point 4. Processing personal data in the context of trainings
Certimed can process the following personal data on the basis of its legitimate interests (both offline and on the website):
When the registration was not made by the participant, ‘Concerned person’ in this point means both the person who made the registration and the participant in the training.
The following personal data will be processed:
Of the Concerned person:
First name and surname
Phone / cell phone number
Date of birth
Job function
E-mail address
Language
Signature
Evaluation of the trainer
Other remarks (for example food allergies when lunch is included in the training)
Data of the company: name and address of the company, invoicing address, VAT number, client number, type of company (A, B, C, D, E or M)
Method of payment
We process the personal data for the following purposes:
- Fulfilling our administrative duties, for example invoicing the services we have provided to the client, or fulfilling our legal duties in the context of our accounting
- Keeping records to support the transferability or demonstrability of personal data, for purposes of accreditation or certification
- Handling and communicating the organisational and administrative aspects of the trainings (for example certification, obtaining subsidies, legal conditions, keeping track of attendance, evaluation of the trainer, etc.)
- Informing the Concerned person about changes relating to the training followed as a result of new legislation, guidelines, insights, developments, etc.
- Informing the Concerned person about the offer of webinars/info sessions and trainings of Certimed
- Informing the Concerned person that the legal period within which a refresher training must be followed has expired
- Updating the training material and the trainings
- Issuing and managing Certimed’s certificates, where applicable
The above-mentioned personal data will be stored for a period of ten years from the end of the year in which the training was given.
Point 5. Processing sensitive personal data
The processor will lawfully process sensitive personal data (more explicitly: “Data concerning health”) in conformity with Article 9, (b) and (h) of the GDPR:
- b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the Controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject.
The client has the right to engage the Controller as a medical inspection service under Article 31 of the Law on Employment Contracts.
- h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services on the basis of Union or Member State law, or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.
The client can request the Controller to obtain analyses and reports relating to absenteeism in his or her organisation. Such service provision falls within the scope of the preventive part of medicine.
The Sensitive Data processed by the Controller relates to Data regarding health, namely physical and mental data, duration of incapacity to work, nature of the incapacity to work, data on the attending doctor, allowed/forbidden to leave home, employee’s hospitalisation, first medical certificate/extension certificate, etc. An overview can be found in Appendix I to this Policy.
Point 6. The processing of personal data and sensitive personal data for scientific research purposes or statistical purposes
The Controller will process personal data and sensitive personal data for scientific research purposes or statistical purposes within the meaning of Article 89 of the GDPR.
The retention period of the personal data and sensitive personal data for these purposes will not be longer than the retention period for the other purposes mentioned in points 3 and 4. Appendix 1 of this Privacy Policy indicates the retention period.
Point 7. Explicit agreement from the data subject(s)
In the context of the provision of service where the Controller must request the personal data directly from the data subject(s), the Controller will inform the data subject(s) in advance concerning the following elements, in conformity with Article 13 point 1 of the GDPR:
- the identity and contact details of Certimed;
- the contact details of the data protection officer;
- the purpose and legal grounds for the processing;
- the recipients or the categories of recipients of the personal data;
- the manner in which the rights of the data subject(s) are exercised;
- the fact that the data subject can still revoke his or her explicit permission and the manner in which this is done;
- the fact that the data subject has the right to lodge a complaint with the supervisory authority;
- the retention period for personal data;
- if applicable, the existence of automated decision-making.
Where the Controller provides services in the context of points 3 and 4, the client must share the aforementioned information with the data subject(s).
Point 8. Processing personal data for marketing purposes
With regard to processing Personal Data for Marketing Purposes, the Controller can rely upon a legal basis (recital 47 of the GDPR). An opt-out for the Data Subjects will always be possible. No personal data of the customer’s employees are processed by the Controller for Marketing purposes. Only the customer’s own personal details (contact details) are processed for this purpose, so that the Controller can keep the customer informed of changes to the services.
Point 9. Anonymous group reporting
The Controller guarantees that group reporting will be anonymous, given that data is only reported for groups with a minimum size of 20.
Point 10. Records of processing activities
The Controller has drawn up a record of processing activities in which the following elements of each of the Controller’s services are described in detail:
What categories of personal data are being processed?
Who can receive this personal data (internal/externally)?
For how long will the personal data be kept?
For how long will the personal data be protected?
Will the personal data be processed outside Belgium?
Who has access to the personal data (internally/externally)?
What are the purposes of the processing?
If you have questions in this regard that are not answered in this Policy, please contact the persons listed in point 21.
Point 11. Appropriate technical and organisational measures
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Controller shall implement appropriate technical and organisational measures to ensure the secure processing of personal data. Appendix II to this Policy contains a list of these measures.
The Controller guarantees that he, she or it will take the necessary measures in conformity with Article 32 of the GDPR, which, among other things, pertain to the following:
a) the pseudonymisation and encryption of personal data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
The Controller guarantees that the only employees who will have access to personal data are those who are actually involved in performing the services. Furthermore, these employees will be contractually bound by a duty of confidentiality.
Point 12. Third parties
Third parties who may gain access to personal data will also be restricted to persons involved in performing the services. The client can ask Certimed for a list of the applicable third parties.
Point 13. Processors
If the Controller engages a processor to perform specific processing activities on behalf of the client, said processor will be subject to the same obligations with regard to data protection as those arising from this agreement, including in particular the obligation to take appropriate technical and organisational measures when processing personal data. To this end, the processors have signed a processing agreement in accordance with Article 28 point 3 of the GDPR. The client can ask Certimed for a list of the applicable processors.
The Controller guarantees that the designated processors will process the personal data solely on the basis of written instructions from the Controller. If the appointed processor designates a sub-processor, the processor will, in principle, remain liable with regard to said sub-processor.
Point 14. Data Processing Outside a Member State of the European Union
The Controller is aware that the Personal Data is also processed outside a member state of the EU. However, the personal data is not stored outside the EU. The necessary standard contractual clauses (in accordance with the Schrems II judgment) were concluded with the relevant processor of Personal Data outside the EU.
Point 15. Minimal personal data processing
The Controller’s service provision is primarily laid down by law (Article 31 of the Law on Employment Contracts). The Controller will only process the minimum amount of personal data necessary within the framework of performing the requested services. An overview is available in Appendix 1 to this Policy.
The Controller guarantees that the personal data will not be stored for longer than is necessary to perform the requested services. The Controller is obliged to observe statutory retention periods. An overview is available in Appendix 1 to this Policy.
Point 16. The rights of data subjects
16.1. General
Data subjects have the following rights with regard to their personal data within the framework of the GDPR:
Right of access
Right to rectify incorrect personal data
Right to erasure (“Right to forget”)
In most cases, the right to erasure will not be exercised by the Controller, given that the processing is carried out on the basis of the processor’s legal obligation to process data.
Right to restriction of processing
Right to data portability
Right to object
In most cases, the right to object will not be exercised by the Controller, given that the processing is carried out on the basis of the processor’s legal obligation to process data.
The rights listed above will be exercised with regard to medical files that the client cannot and may not legally process. Therefore, the aforementioned rights/requests must be submitted directly to the Controller. The Controller guarantees to answer requests within one month of receiving them. This will be done in conformity with the obligations stipulated in article 12 point 3 of the GDPR. Depending on the complexity and number of requests, this period may be extended by two months if necessary. The Controller will inform the data subject of this extension within one month of receiving the request.
The Controller’s internal procedures are set out in point 16.2 so that the client’s data subjects can correctly exercise their rights against the Controller. The client must inform data subjects of the Controller’s internal procedure in a concise, transparent, comprehensible and easily accessible form, and in clear and simple language. If the data subject wants to exercise a right that does not fall under point 16.2, the request can be sent to privacy@certimed.be.
16.2. Rights (= right of access and right of copy) relating to the individual medical file
With regard to the exercise of the right of access or the right of copy related to their medical files, the data subjects must respect the following internal procedure of the Controller:
send the request, dated and signed, by registered post to Certimed vzw, for the attention of the head doctor, Kempische Steenweg 309 bus 3.01 - 3500 Hasselt,
enclosing a copy of his/her identity card.
16.3. Lodging a complaint with the Belgian Supervisory Privacy Authority (= “the Data Protection Authority”)
In accordance with Article 77 of the GDPR, data subjects have the right to submit a complaint directly to the Belgian Data Protection Authority if they think their personal data is not secured and/or processed in conformity with the GDPR.
Point 17. Portability of personal data if the client changes medical inspection service
The Controller and client will mutually deliberate and agree on how the personal data will be transferred.
Point 18. Removal of the personal data at the end of the Principal Contract
The Controller guarantees that the personal data will be deleted or transferred at the client’s request within one month following the end of the Principal Contract, unless there is a legal provision allowing the Controller to retain the personal data for a longer period of time (see Appendix I).
At the client’s request, the Controller will provide the necessary proof of this.
The Controller will also inform the processors and third parties about the deletion of the personal data received if the Principal Contract has been terminated, unless they, too, can provide proof of legal provisions allowing for the retention of personal data for longer periods of time.
Point 19. Requests for personal data from public government services
The Controller informs the client within three business days if he, she or it:
a) receives a request for information, a summons or a research or inspection request from a government body concerning the processing of personal data, unless the Controller is not legally authorised to provide this;
b) intends to provide personal data to a government body;
c) receives a request from a third party or an employee, client or client’s principal to publish the client’s personal data or information relating to the processing of the client’s personal data.
The Controller gives the client 72 hours, as from the time of the report, to object to such a transfer of personal data.
Point 20. Measures taken in the event of a personal data breach
The Controller is obliged to report personal data breaches to the authorised Belgian supervisory authority within 72 hours. This applies unless it is unlikely that the personal data breach will result in a risk to the rights and freedoms of the data subject(s).
The Controller will notify the client without undue delay as soon as he, she or it has become aware of a personal data breach. It is agreed that the Controller and client will contact each other within 48 hours after learning of the breach of the Controller’s system and agree in mutual deliberation whether it must be reported to the competent Belgian supervisory authority.
If the personal data breach is likely to entail a high risk to the rights and freedoms of natural persons, the data subject(s) will be informed of this without delay in accordance with Article 34 of the GDPR.
Both the Controller and the client will work together with the competent Belgian supervisory authority to provide the necessary information and to limit the consequences of the breach.
Point 21. Miscellaneous provisions
If one or more of the provisions in this Privacy Policy is null and void, the remaining provisions will remain in full force.
This Privacy Policy is subject to Belgian law. The parties can only present their disputes concerning this Privacy Policy before the courts of Brussels.
Point 22. If you need more information or support
The Controller guarantees that he, she or it will provide the client with the necessary additional support and information so that the Controller can show that he, she or it has complied with his, her or its obligations under the GDPR. This information obligation does not apply to confidential information or information that cannot be shared with the client for legal reasons.
Furthermore, the Controller will grant the necessary cooperation if an audit is conducted on his, her or its premises on the orders of the client or by an auditor authorised by the client. The client will bear the costs of the appointed auditor and the audit performed. The audit will always be limited to the Controller’s systems that are used for the processing.
The Data Protection Officer and the Security Officer of the Controller can be contacted at the following email address: privacy@certimed.be.
Appendix 1. The categories of processed personal data and retention period
The categories of personal data that the Controller can process
Surname, first name(s), address, postcode, domicile, email address, date of birth, national register number, personnel number, pedigree number (if there is no national register number), fixed telephone number, private cell phone number, private email address, work telephone number, work cell phone number, work email address (personal data of client personnel), gender, details on health (physical and mental details), place of residence (whether or not abroad), language, information on professional position (= employer’s identity, workplace, any job title, percentage of employment, date of appointment, date on which job was vacated, status, job level, salary scale, network, management, population code, appointment code, scale, competence, group, rank, sub-division, provincial department, Medex code, manner of illness management, organisational chart reference, manager, NSSO category), block for inspection, duration of occupational disability, nature of occupational disability, details of attending doctor, allowed/forbidden to leave home, employee’s hospitalisation, first/extension medical certificate and date of disposal.
Retention period
The personal data is retained in accordance with Article 15 of the Law on Employment Contracts: ‘until five years after the incident that can generate the claim’. This retention period is respected for the purposes in points 3 and 5 of this Policy.
The same retention period is respected for the processing of personal data and sensitive personal data for scientific research purposes or statistical purposes.
Appendix II. Technical and organisational security measures
Internal IT policy approved by the management board (contains password policy, acceptable use of company resources, Clean Desk and Clear Screen policy, software policy, Internet policy, email policy, social media policy, policy on data confidentiality, etc.)
Data will only be stored in Belgium
Our systems are redundant across 2 data centres with TIER III+ classification (DRP and BCP).
The hosting provider has ISO27001 certification.
Firewalls on several network layers.
Network Access Control, separation of networks, etc.
Data in transit will only be permitted if encrypted.
Remote access by users is only possible via VPN with multi-factor authentication.
Verified backup and restore procedures.
Data at rest (backups) will be encrypted.
Role-based access to applications.
User Awareness training sessions will be organised.
Antivirus/antispam on several layers (firewall, endpoints, servers, mail systems, etc.).
SIEM for security devices.
Logging and reporting.
Regular security testing.
Mobile Device management
Capacity Management
Regular updates of all systems and reporting on this.
Regular security meetings with our hosting provider.
Physical access security.
Asset Management.
Network and system monitoring.
DDoS and IPS measures.
Data Loss Prevention to be implemented in the near future.
Change Management
Separate Test, Validation and Production environments.
Regular assessments of suppliers.