Privacy Statement « Whistleblowers »

The security and confidentiality of your personal data is very important to us. This privacy statement informs you about the processing of your personal data under our whistleblowing policy and was last updated on December 17, 2023.

When does this privacy statement apply?

1. We collect and use your personal data when you report a violation as defined in Article 2 of the Act of 28 November 2022 on the protection of whistleblowers of breaches of Union or national law established within a legal entity in the private sector (hereinafter referred to as the “Whistleblower Act”). The full version of the Act can be found here: https://etaamb.openjustice.be/nl/wet-van-28-november-2022_n2022042980.html (only available in Dutch and French).
2. This privacy statement applies to reporters who have received information about breaches in a work-related context, including:

• • Bel V employees, both full-time and part-time;
  • Temporary workers such as interns or job students from Bel V;
  • Self-employed individuals such as consultants from Bel V;
  • Shareholders and members of the administrative, management or supervisory body of Bel V;
  • Suppliers or subcontractors, and anyone working for them.

This statement also applies to reporters whose working relationship has ended (former employees) or to reporters whose working relationship has yet to begin (job applicants).

A reporter may also name a third party in his^[1] report; this privacy statement also applies to those named third parties. In addition, this privacy statement also applies to the so-called facilitators, i.e. persons who assist a reporter in the reporting process.

3. This privacy statement may be amended as indicated in article 8.

Who is “we”?

1. “We” in this privacy statement refers to Bel V:

	Name :	Bel V
	Address:	Rue Walcourt 148, 1070 Anderlecht
	Company number :	0892.419.202
	Email :	info@belv.be

 

2. We are responsible for the collection and use of your personal data as explained in this privacy statement. If you have any questions about this, please contact us by email (privacy@belv.be). Bel V has appointed a Data Protection Officer (hereinafter referred to as “DPO”) to whom you can always address any questions concerning your privacy and the processing of your personal data. The DPO can always be reached at the following email address: privacy@belv.be.

What personal data do WE process and why?

1. We will only process your personal data for the purposes set out in the Whistleblower Act and to the extent permitted by law. We will explain below when we collect and use your personal data. If we do not receive your personal data directly from you, we will also inform you of this below.
2. When you report a breach to us as defined in section 2 of the Whistleblowing Act, we collect and use the following personal data:

What personal data?	Why?	Legal basis?
The information you include in your report.	To investigate and assess your report.	Our legal obligation as set out in Articles 11-12 of the Whistleblower Act.
Your identity, position, contact details and, if applicable, your company number. The technical details of the report itself (e.g. the date and time of submission of the report).	To send you an acknowledgement of receipt, to communicate with you and, if necessary, to request more information and provide you with feedback.	Our legal obligation as set out in Articles 11-12 of the Whistleblower Act.
Your report and the information in your report.	Maintain a register of all reports received. The identity of the reporter will not be included in the register.	Our legal obligation under Article 22 of the Whistleblower Act.
The aforementioned personal data.	To defend ourselves in legal proceedings.	Our legitimate interest to exercise our rights of defence in case of legal proceedings.
The aforementioned personal data.	To comply with our legal obligations or any reasonable request from competent police authorities, judicial authorities, government agencies or bodies, including competent data protection authorities.	Our legal obligation.

 

Who do we share your personal data with?

1. In principle, we share your personal data only with our report manager and with our suppliers who help us process your personal data. Any person who has access to your personal data is always bound by strict legal or contractual obligations to ensure the security and confidentiality of your personal data. This means that only the following parties will receive your personal data:
   • Our external report manager is Timelex BV, with registered office at Joseph Stevensstraat 7, 1000 Brussels, Belgium, with company number 0890.217.005, info@timelex.eu. Timelex acts as a processor and processes your personal data on the basis of our instructions.
   • For the purpose of investigating your report, the external report manager may share the information in your report with other Bel V staff (e.g. company lawyer, members of the executive committee, etc.). The report manager will only share this information if it is necessary for the handling of your report and will keep your identity confidential if possible; and
   • Government bodies or judicial authorities to the extent that we are obliged to disclose your personal data to them (e.g. tax authorities, police or law enforcement agencies).
2. You can always consult your report yourself via the Bel V Whistleblowing reporting channel. You can always modify your report via this reporting channel at a later date or add additional information or documents.
3. We will not transfer your personal data outside the European Economic Area (the European Economic Area includes the countries of the European Union, Liechtenstein, Norway and Iceland). We will transfer your personal data outside the EEA only if you or your employer, as a customer or supplier, have establishments outside the EEA with which we need to communicate. If a transfer takes place, we will take appropriate safeguards to protect your personal data during the transfer (for example, by using the latest European Commission Standard Contractual Clauses).

How long do we keep your personal data?

1. Your personal data will only be processed for as long as necessary to fulfil the purposes described above. In this section, we provide you with the information you need to assess how long we will keep your personal data.
2. As a general rule, we will anonymise your personal data when it is no longer needed for the purposes described above or when the retention period explained in this section 5 has expired. However, we may not anonymise your personal data if there is a legal or regulatory obligation or a court or administrative order that prevents us from anonymising the data.
3. Your name, position and contact details and those of any person to whom the protective measures described in the Whistleblower Act extend, as well as those of the person or third party named in the report, including, where applicable, their company number, will be retained until the violation in the report is time-barred.
4. We keep your report for the duration of your contractual relationship with us, as set out in Article 6, §1-2 of the Whistleblower Act, in order to keep a record of the reports received.

What do we do to protect your personal data?

1. The security and confidentiality of all data we process is very important to us. Therefore, we have taken steps to ensure that all personal data we process is kept secure. Our reporting channel is designed, set up and managed in a secure manner that ensures the confidentiality of your identity and that of third parties named in the report, and prevents unauthorised personnel from accessing them. Our reporting channel is protected by passwords, encryption, firewalls and strict access control measures.
2. We have also taken other measures, including technical and organisational measures to protect our infrastructure, systems, applications and processes, such as the implementation of internal policies and guidelines, the limitation of processing to the personal data necessary to achieve the purposes, transparency regarding the purposes and processing of personal data, and the limitation of access to personal data to those who need access based on their role.

What are your rights regarding your personal data?

1. When we collect and use your personal data, you have a number of rights that you can exercise as described below. When you want to exercise a right, we will ask you for a copy of the front of your identity card. We do this to prevent a data breach, for example because an unauthorised person is impersonating you and exercising a right on your behalf.
2. You have the right to information and access to your personal data, which means you can ask us to provide you with information about the personal data we process about you. You can also ask for a copy of your personal data. Please note that you must specify the processing activities for which you want access to your personal data (e.g. the data we have included in our register of reports).
3. You have the right to ask us to correct your personal data if you can prove that the personal data we process about you is incorrect, incomplete or out of date.
4. You may ask us to delete your personal data if it is no longer necessary for the purposes for which it was collected or if its collection was unlawful. If any of these circumstances apply, we will delete your personal data immediately, unless the law or administrative or judicial orders (e.g. from a court or a data protection authority) prohibit us from deleting your personal data or if we need your personal data for the establishment, exercise or substantiation of a legal claim in the context of legal proceedings.
5. You can ask us to restrict the processing of your personal data:
   • while your request to correct your personal data is being assessed;
   • where such processing was unlawful, but you prefer restriction rather than deletion of your personal data; and
   • we no longer need your personal data, but you need it for the establishment, exercise or defence of legal claims.
6. If you wish to exercise any of these rights, please email our DPO. You can contact our DPO at the following email address: privacy@belv.be. Please note that the above rights may be subject to certain legal conditions or restrictions. Your request must clearly state and specify which right you want to exercise. Your request must also be dated and signed. If we have doubts about your identity, we may ask you to prove your identity, for example by providing a copy of the front of your identity card. Rest assured that we will not interpret an email from you indicating that you wish to exercise a right as consent to the processing of your personal data beyond what is necessary to process your request. We will send you an acknowledgement of receipt upon receiving the request. If the request proves to be justified, we will inform you as soon as possible and at the latest within 30 days of receiving the request.
7. If you repeatedly make the same request and it is clear that you are doing so to cause us inconvenience, we may refuse these successive requests or charge you our administrative fees. We may also refuse your right to access your personal data, or only partially comply with your request, if doing so would cause disproportionate harm to the rights and freedoms of others, including our own.
8. If you have any complaints about the way in which we process your personal data, you can always contact us at the email address mentioned in article 7.6. If you are still not satisfied with our response, you can file a complaint with the competent data protection authority. For Belgium, this is the Belgian Data Protection Authority (https://www.gegevensbeschermingsautoriteit.be/burger).

Changes to this privacy statement

We may change this privacy statement at our discretion and at any time.

Do you have any questions?

If you have any further questions regarding the processing of your personal data, please do not hesitate to contact our DPO. You can reach our DPO at the following address: privacy@belv.be.

URL: Bel V Whistleblowing reporting channel

---

[1] Throughout this statement, the use of the male genre is meant to be gender-neutral.