General policy on data processing and protection
Who processes your data?
Your personal data is processed by MELEXIS. This is the controller responsible for the processing activities with regard to your data as they are described and explained in this document. Starting point is that MELEXIS only processes personal data insofar that this is necessary for the purposes and activities it deploys. Furthermore, MELEXIS takes utmost account of the dispositions of the General Data Protection Regulation (GDPR), as the case may be complemented by local [for instance federal and Flemish] regulation on the protection when processing personal data.
For any information and general questions about the way we process your personal data, you can always contact firstname.lastname@example.org. This is also the service/person you can contact with remarks and suggestions, as well as for exercising the rights that the Regulation provides to you (see further).
When do we collect and process your personal data?
We collect and process data about you in various cases:
- when you use our website in such a way that we can identify you (e.g. through the use of forms or certain cookies);
- when you interact with us as a representative of a customer (legal person) or as a customer (natural person);
- when you interact with us as a representative of a supplier (legal person) or as a supplier (natural person);
- when we interact with you as a representative of a (professional) prospect (legal person) or as a prospect (natural person);
- when we ask your professional support and/or assistance or want to use your services (with regard to public relations and/or networking);
- when we interact with you as a shareholder
What personal data do we process about you?
The data we process that allow us to identify you or to make a link with you as a natural person are personal data. Not all data we process about you are necessarily personal data.
The personal data that we process are the following data:
- identification data (such as first and family name, gender, address, phone number, email address …)
- financial data (bank details) - in order to get paid
- function data (such as function and position, in particular in the legal person you represent)
- personal data derived from non-essential cookies
- other data, in function of the processing activity and purpose
The type of data we process depends on the generic purpose of the processing. For instance, for customer management we process your identification and function data, i.e. the data that will allow us to contact you in your capacity of representative of a professional client (who is a legal person). For some purposes we collect additional information.
How do we collect and process your personal data?
The personal data we process are normally collected directly from you, through cookies, questionnaires and other forms we ask you to fill in. In other cases, we also process data from other sources than yourself, such as from colleagues at the legal person you represent. Whenever we process data obtained indirectly, we will inform you of the source where we obtained your data.
For which purposes do we process your personal data?
We process your personal data for the following (generic) purposes: customer relations management, direct marketing, supplier management, accounting and communication/public relations, investor relations, prospects, R&D, safety and health Environment as well as recruitment and selection.
What is the legal basis for processing your personal data?
The processing of your personal data is necessary for the execution of the contractual relation that exists between us. Without those data it is not possible to register your orders and to deliver the ordered products or to register the order of your company and to deliver the products at the right service or department of your company. The contractual relation is also the basis for the processing of data in the recruitment and selection process, albeit that the processing then is necessary to take some (pre-contractual) steps at your request, following your application to our company.
In some cases, the processing will be based upon our legitimate interests, such as our freedom to enterprise, social responsibility, protect and safeguard our sites. This is the case for research & development and communication/public relations and safety and health environment. We take care that there is a balance between our interests and your rights or freedoms, for instance by giving you the possibility to object to the processing.
In some other cases, we also process personal data based on your consent. For example, when personal data is obtained and processed in the context of direct marketing (see below) or when you allow us to store your data after the recruitment process to contact you for new offers.
MELEXIS processes personal data for direct marketing purposes based on your consent. You can allow marketing automation cookies that help us build a profile on your interests and you can request commercial messages when completing forms on our website. You always have the right to object to processing for direct marketing and to profiling to the extent that it is related to such direct marketing. We may process data legitimately obtained from third parties that give us a better understanding on who you are and what your interests are.
How long do we keep your personal data?
In general, we only keep your data for so long as is necessary to realize the purpose for which we process them. In practice, this means that we certainly process your data as long as you have a relationship with us, e.g. as a customer, a supplier, as a contact person or a legal person of one of our clients.
When our relationship with you ends, the data will be kept as long as is necessary and in particular imposed by the legislation. Normally the data is not kept any longer than the period during which legal action is possible regarding the execution of previous contracts.
When you apply for a job, your data will be kept during the recruitment and selection process.
- If you are hired, the data will be transferred to our processing activities with regard to personnel administration and management.
- If you are not selected, the following scenarios are applicable
- Selection process based solely on resume and interviews: In principle your resume will be deleted unless you gave your consent that we could store your data longer, for instance for establishing a reserve list. In this case we will keep your data for two years
- Selection process based on resume, interviews and profiling by third party: Your profiling data will be kept for five years by the external provider used for such profiling. In principle your resume will be deleted unless you gave your consent that we could store your data longer, for instance for establishing a reserve list
When visiting a facility with camera surveillance, your data will be stored for one month.
In keeping the data, we make a distinction between the period when your file and data is active and the period when the file and data become passive. A file and data is active as long as you are in a relationship to us. Afterwards the file and data become passive, which means that only a selected number of collaborators of the competent service or department have access to your data.
MELEXIS does not make decisions based solely on automated processing of personal data which results in legal or similarly significant effects as described in article 22 GDPR. MELEXIS does make use of solely automated decision-making that do not result in such effects and does make decisions with legal or similarly significant effects with human intervention.
Do we transfer or communicate your personal data to others?
Your personal data is mainly processed internally, by our services/departments and collaborators.
For some specific services we do use third parties who act as processors. Whenever we are using a processor, your personal data is transferred to this processor, albeit just to enable that processor to render the service for which we ask his or her assistance and always under our control. To that effect, we conclude a data processing agreement with each and every of our processors. For instance, your personal data are transferred to our customer relationship management (CRM) partners. If you apply for a position your personal data will also be provided to our personnel management partners.
In some cases, we are obliged to transfer or communicate data on you. This is the case when there is a legal obligation, such as the obligation to communicate data to government authorities who are legally entitled to ask them. In that case we always verify whether the conditions to ask us the data, are met.
Are your personal data transferred to third countries, outside of the European Economic Area (EEA)?
It is possible that your data is transferred to third countries, i.e. countries outside the territory of the European Economic Area (European Union + Iceland, Norway and Liechtenstein). This is the case
- when your data is processed by an external processor located in a third country, or
- when your data is shared with a company of the MELEXIS group, having it place of business outside of the EEA
In that case, we always verify whether the recipient is located in a country that provides an adequate level of protection or, if that is not the case, that a standard contractual clause is signed with the recipient, or specific agreements with those external processors are in place. If none of the aforementioned situations apply, the transfer will be based on one of the derogations for specific situations as described in the GDPR.
If you want to know what we do to protect your data in the above mentioned cases, you can always contact email@example.com.
What rights do you have?
You always have the right to have access to the personal data we process about you. If you find those data to be incorrect or incomplete, you can always ask us to rectify or complement the data. To do so, you have to file a request, preferably by filling in the request form you can find at the website of MELEXIS, together with a proof of your identity or by contacting firstname.lastname@example.org.
If you find that your data is no longer relevant and should not be processed anymore, you can also request their erasure following the same procedure. It is important to observe that 1) as long as you’re a customer, supplier, applicant or prospect, your data is processed since this is necessary and indispensable for the execution of the contract and/or the legitimate interest at stake, and 2) local legislations may be applicable, so that during this period they cannot be erased. When we process your personal data based on our legitimate interests you may object to our processing of your personal data on grounds relating to your particular situation. When you object we will no longer process your personal data unless we have compelling, overriding legitimate grounds for the processing. You also have the right to object to all processing related to direct marketing. If you do not agree with the way we process your personal data, for instance, during the selection process, you can take various actions. You can contact email@example.com or you can file a complaint with the competent supervisory authority. In Belgium this is the Data Protection Authority (Drukpersstraat 35 at 1000 Brussels).
How are your personal data secured?
Internal data protection regulations ensure that uniform and high data protection standards apply to all systems. Security measures are in place to protect your data against accidental and deliberate manipulation, loss, destruction and against access by unauthorized persons.
We reserve the right to modify or adapt this policy. You will always be informed of those modifications or adaptations through the usual channels of communication we use in our company.
Latest revision on 18 November 2019.