Policy for the processing of personal data pertaining to the client's registrered users in connection with the Digital Certificates Service

1. General Data Protection Regulation (GDPR)

For the Agreement between the client and Belnet to be performed, a number of essential processing operations must be carried out on personal data. In compliance with the General Data Protection Regulation, processing of personal data must be transparent and secure. Alongside the general policy for the processing of personal data of the client's official contacts published on the Belnet Website, this processing policy encompasses the information pertaining to the client's registered users of the Digital Certificates Service.

Controller: Belnet

As the provider of the service, Belnet will fulfil the role of controller of the personal data pertaining to the client's registered users as designated below. Belnet is a State service with separate management, established within the Federal Science Policy. Its registered offices are located at Boulevard Simon Bolivar 30, 1000 Brussels, Belgium, tel. +32 (0)2 790 33 33, fax +32 (0)2 790 33 34.

Data Protection Officer

The Data Protection Officer at Belnet will be the point of contact for all matters relating to the processing of personal data in general and for this policy for the processing of personal data pertaining to the client's registered users in particular. The Data Protection Officer can be contacted via dpo@belnet.be.

Purposes of Processing and the Legal Basis for Processing

(i) Purposes of Processing

The specific service purchased by the client
The Belnet Service Desk and NOC
Security services (access to infrastructure, such as datacentres)
Incident handling
Access to the Belnet portal
Distribution of surveys commissioned by Belnet
Mailings from Belnet that relate to the service being provided
Invitations to events organized by Belnet

(ii) Legal Basis for Processing

The collection and processing of the personal data of registered users on behalf of the client are necessary for the performance of the Agreement.

Categories of Personal Data of Registered Users on Behalf of the Client

Name
Business e-mail address
Business postal address
Work telephone number
Function

Recipients of Personal Data

Belnet will restrict access to personal data by employees, subprocessors or others to the necessary minimum. In accordance with that policy, Belnet will grant access solely to those employees for whom accessing the personal data is a necessity.

To provide the agreed service, Belnet has recourse to third-party service providers. Third-party contractual partners may be granted access to personal data whenever this is necessary for performance of the Agreement but only within the scope of the purposes of processing referred to above.

Retention Limit

Belnet undertakes not to retain the personal data collected and processed for any period exceeding that which has been legally and contractually stipulated and agreed on.

Rights of the Data Subject and the Exercise There of

(i) Rights of the Data Subject

The data subject is entitled to submit a request to Belnet to view, modify or delete personal data or to restrict the processing of data pertaining to him or her. The data subject is also entitled to object to processing and enjoys the right of data portability.

(ii) Exercising Data Subjects’ Rights

Data subjects can exercise the rights referred to above by sending an e-mail to dpo@belnet.be.

In accordance with the procedures laid down under the Regulation, Belnet will comply with such a request within one month. Depending on the complexity and number of requests submitted, this period may be extended a further two months, if necessary.

Withdrawal of Consent

Whenever a data subject has given consent him- or herself for the processing of his or her personal data for one or more purposes, he or she is entitled to withdraw consent at any time. The withdrawal of consent will not affect the lawfulness of processing based on the consent given before its withdrawal.

Source by Which the Personal Data Were Disclosed

If a data subject did not give consent him- or herself for the processing of his or her personal data, the personal data will be deemed to have originated from the client.

Submission of a Complaint by the Data Subject

To submit a complaint, the data subject can contact the Data Protection Authority at the following address:

Data Protection Authority
Rue de la presse, 35
1000 Bruxelles
E-mail: contact@apd-gba.be

No Automated Individual Decision-making

No automated decision-making will occur while the relevant personal data are being processed by Belnet.

Technical and Organizational Measures

Belnet will take appropriate technical and organizational measures when collecting and processing personal data to ensure a level of security appropriate to the risk, in accordance with the principles of the General Data Protection Regulation.

In assessing the appropriate level of security for personal data, which are transmitted, stored or otherwise processed, potential risks posed will be taken into account, such as accidental or unlawful destruction, loss, alteration or unauthorized access.

2. Amendments to the Processing policy

Belnet reserves the right to amend this policy for the processing of personal data pertaining to the Digital Certificates Service clients registered users if necessary and to ensure that such amendments comply with the General Data Protection Regulation.