PRIVACY POLICY
As an auditing firm, we are responsible for the processing of many data, part of which consists of personal data.
The personal data that we process may concern you as a client of the firm, but also as a business relationship of our clients (if you are a supplier or a client of our client, for example).
We are obliged to inform you, as the data subject whose personal data we process, of the following.
1. Person responsible for processing personal data
The person responsible for the processing of personal data is Vincent DUMONT
The head office is located at BST Réviseurs d’Entreprises-Bedrijfsrevisoren Rue Gachard 88 / 16, 1050 Brussels.
The person in charge is registered with the Institut des Réviseurs d’Entreprises, under the approval number A1905.
For any question relating to the protection of personal data, please contact Vincent DUMONT, by post to the above address or by e-mail gdpr@bst.net.
2. Purposes of the processing of personal data
The firm processes personal data for the following purposes:
- A. Application of the Act of 18 September 2017 on the prevention of money laundering and terrorist financing and on the limitation of the use of cash (hereinafter the law of 18 September 2017).
- Pursuant to article 26 of the law of 18 September 2017, our firm is required to collect the following personal data concerning our clients and their agents: surname, first name, date of birth, place of birth and, as far as possible, address.
- Pursuant to article 26 of the law of 18 September 2017, our firm is required to collect the following personal data concerning the beneficial owners of clients: surname, first name and, as far as possible, date of birth, place of birth and address.
The processing of these personal data is a legal obligation. Without these data, we cannot conclude a business relationship (article 33 of the law of 18 September 2017).
- B. The obligations incumbent upon the firm with respect to the Belgian authorities, foreign authorities or international institutions, pursuant to a legal or regulatory obligation, pursuant to a judicial decision or in the context of the defence of a legitimate interest, in particular, but not exclusively, if current and future tax laws (VAT listings, tax slips, etc.) and social legislation oblige us to process personal data in the context of the assignment for which we have been entrusted.
The processing of these personal data is a legal obligation. Without this data, we cannot conclude a business relationship.
- C. Contractual execution of accounting, tax and audit services. The processing of personal data concerns data of customers themselves, of their staff members, of their administrators, among others, and of other persons, such as customers and suppliers, involved in their activities.
In the absence of communication and processing of this data, we are not in a position to carry out our mission as company auditor, chartered accountant, tax consultant, accountant.
3. What personal data and from whom?
For the purposes mentioned in point 2, our office is authorised to process the following personal data: first name, surname, e-mail address, biometric data (copy of electronic identity card or passport), address, company number, national number…
In the context of personal income tax declarations via Tax-on-Web, the following data are also processed: children, membership of a trade union or political organisation, medical data.
The firm processes personal data that the data subject or his/her relatives have provided themselves.
The firm also processes personal data that have not been provided by the data subject, such as personal data transmitted by the client concerning its employees, directors, clients, suppliers or shareholders.
Personal data may also come from public sources such as the Crossroads Bank for Enterprises, the Belgian Official Journal and its annexes and the National Bank of Belgium (Central Balance Sheet Office).
Data shall be processed only if such processing is necessary for the purposes mentioned in point 2.
Personal data shall not be transmitted to third countries or international organisations.
4. Recipient of the data
In accordance with the foregoing, and except where it is necessary to communicate personal data to organisations or entities whose intervention as third party service providers on behalf and under the control of the responsible party is required for the aforementioned purposes, the firm will not transmit personal data collected in this context, nor will it sell, rent or exchange them with any organisation or entity, unless you have been informed in advance and have explicitly given your consent.
The firm uses third party service providers:
- the firm uses various electronic accounting software and their possible internet portal; and
- the firm calls on external collaborators in order to carry out certain tasks or specific missions (company auditor, chartered accountant, tax consultant, accountant, trainees, …).
The firm can take all necessary measures to ensure proper management of the website and its computer system.
The firm may transmit personal data at the request of any legally competent authority or on its own initiative if it deems in good faith that the transmission of such information is necessary in order to comply with the law or regulations or to defend and/or protect the rights or property of the firm, its clients, its website.
5. Security measures
In order to prevent, as far as possible, any unauthorised access to personal data collected in this context, the firm has developed security and organisational procedures. These procedures concern both the collection and storage of such data.
These procedures also apply to all subcontractors used by the firm.
6. Storage limitation
6.1. Personal data that we must keep in accordance with the law of 18 September 2017 (cf. point 2A)
This includes identification data and copies of evidence concerning our customers, internal and external agents and the beneficial owners of our customers.
In accordance with articles 60 and 62 of the law of 18 September 2017, these personal data are kept for a maximum of ten years after the end of the professional relationship with the client or from the date of an occasional transaction.
6.2. Other personal data.
Personal data of persons not referred to above shall only be kept for the periods provided for by the implementing legislation, such as accounting legislation, tax legislation and social legislation.
Once the aforementioned periods have expired, personal data are deleted, unless other legislation in force provides for a longer retention period.
7. Access rights, rectification, right to be forgottent, data portability, opposition, non-profiling and security breach notification
7.1. Personal data that we must keep in accordance with the law of 18 September 2017
This includes the personal data of our customers, agents and beneficial owners.
In this matter, we must draw your attention to article 65 of the law of 18 September 2017:
“Art. 65. The person concerned by the processing of personal data in application of this law does not benefit from the right of access and rectification of his data, nor from the right to forget, to the portability of said data, or to object, nor from the right not to be profiled or to be notified of security breaches.
The data subject’s right of access to personal data concerning him or her is exercised indirectly, pursuant to Article 13 of the above-mentioned Act of 8 December 1992, before the Commission for the Protection of Privacy established by Article 23 of the said Act.
The Commission for the Protection of Privacy shall communicate only to the applicant that the necessary verifications have been made and of the result with regard to the lawfulness of the processing in question.
Such data may be communicated to the applicant where the Commission for the Protection of Privacy, in agreement with CTIF and after consulting the controller, finds that their communication is neither likely to reveal the existence of a suspicious transaction report as referred to in Articles 47 and 54, the follow-up given to it or the exercise by CTIF of its right to request additional information pursuant to Article 81, nor to call into question the purpose of the fight against the CB/FT, and, on the other hand, that the data concerned relate to the applicant and are held by the reporting entities, CTIF or the supervisory authorities for the purposes of the application of this Law. ”
For the application of your rights relating to your personal data, you must therefore contact the Data Protection Authority (see point 8).
7.2. All other personal data
For the application of your rights relating to all other personal data, you can always contact the person responsible for the processing of personal data (see point 1).
8. Complaints
You can submit a complaint regarding the processing of personal data by our firm with the Data Protection Authority:
Rue de la Presse 35, 1000 Brussels
Tel: +32 (0)2 274 48 00
Fax: +32 (0)2 274 48 35
E-mail: contact@apd-gba.be