1. Our details
EBAA is an international not-for-profit organisation incorporated under the laws of Belgium (registration no. 0425.678.758). Our principal place of business is at Square de Meeûs 37, 1000 Brussels. You may contact us by any of the following means:
- by letter, using the postal address indicated above;
- telephone: +32 2 318 28 00
- e-mail: email@example.com.
The data protection declaration of EBAA is based on the terms used by the European legislator for the adoption of the GDPR.
Our data protection declaration should be legible and understandable for the general public, as well as our customers and business partners. To ensure this, we would like to first explain the terminology used. In this data protection declaration, we use, inter alia, the following terms:
- Personal data means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Data subject is any identified or identifiable natural person, whose personal data is processed by the controller responsible for the processing.
- Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Restriction of processing is the marking of stored personal data with the aim of limiting their processing in the future.
- Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
- Controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by EU or member state law.
- Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- Recipient is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
- Third party is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
- Consent of the data subject is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
3. What personal data we collect
We may also collect data from other legitimate sources such as third-party data aggregators, promotional partners, public sources and third party social networks.
Data you may actively provide include the following:
- your first and last name;
- professional contact details (business e-mail and address, phone and fax number);
- demographic data (age, gender, preferred language);
- company-related information (company name, your position);
- payment data and credentials (login, password and similar security information used for authentication and account access).
Passively collected information as regards the use of our website may include:
- your IP address
- geographical location
- browser type and version
- operating system
- referral source
- page views and website navigation paths
- information about the timing, frequency and pattern of your use.
To the extent possible, the EBAA will limit the collection and processing of your personal data to what is necessary for its intended use.
4. How we use your personal data
EBAA uses personal data for the purpose of operating and ensuring the proper administration of our business and our website, providing services and sending communications.
For personal data you provide directly, whether online, through e-mail, telephone, letter or otherwise relating to inquiries about EBAA or its services, subscriptions or registrations, requests for support or services, we use the information to process your requests, provide the requested information, carry out transactions with you, perform the requested services, providing customer support activities and keep sufficient records of the same. We use data to perform essential business operations. This includes maintaining and improving the performance of our services, developing new services, aggregate analysis and business intelligence that allow us to make informed business decisions.
We also use data we collect to communicate with you and personalize our communications. For example, we may use the information to send you relevant notifications and/or newsletters and information regarding services that may be of interest to you, provided you have given us an opt-in or you have previously ordered services from us and the communication is related to similar services.
Personal data that is collected passively online through cookies or other technical means may be used to operate our website, enable us to provide you with access to all relevant parts of our website, deliver the content of our website correctly, monitor and analyze your use of our website, improve our website, ensure the long-term viability of our information technology systems and website technology, ensure its security or maintain back-ups.
In addition to the specific purposes for which we may process your personal data set out in this Section, we may also process your personal data to provide law enforcement authorities with the information necessary for criminal prosecution in case of a cyber-attack or where such processing is otherwise necessary for compliance with a legal obligation to which we are subject, in order to protect your vital interest as data subject or those of another natural person or for the purpose of any other legitimate interest pursued by EBAA or a third party that is not overridden by your fundamental rights and freedoms as data subject.
5. How long do we store your personal data
EBAA shall not store personal data that we process for any purpose for longer than is necessary for that purpose. After expiration of that period, the personal data are routinely deleted, unless retention is necessary (i) to ensure compliance with a legal obligation to which EBAA is subject, (ii) to protect your vital interests or the vital interests of another natural person, or (iii) for the purpose of any other legitimate interest pursued by EBAA or a third party that is not overridden by your fundamental rights and freedoms as data subject.
6. With whom do we share your personal data
Parties or entities we may share your personal data with include EBAA’s affiliated companies, service providers engaged by us to perform certain services such as management of our customer database, processing of orders, online payment, providing professional advice, managing risks, insurance and legal disputes, or to public authorities if required by law or court order.
In addition to the specific purposes of disclosure set out in this section, we may also share your personal data whenever necessary for compliance with a legal obligation to which EBAA is subject, to comply with a court order, to protect your vital interest as data subject or those of another natural person or for the purpose of any other legitimate interest pursued by EBAA or a third party that is not overridden by your fundamental rights and freedoms as data subject.
7. Transfer outside the EEA
You acknowledge that personal data that you submit or for which you have given your consent for publication through our website or services may be available, via the internet, around the world. EBAA cannot prevent the use (or misuse) of such personal data by others.
We will only transfer your personal data to persons or entities in countries outside the EEA if you have not opted out of having your information transferred to such third countries and the Commission has issued an adequacy decision in respect of the third country. In the absence of an adequacy decision, EBAA will ensure that appropriate safeguards are in place. You will be informed whenever EBAA intends to transfer your personal data to a third country or international organization, the existence of an adequacy decision or the appropriate safeguards and how to obtain a copy of them or where they have been made available prior to such transfer taking place.
The GDPR applies to countries of the European Economic Area (EEA), which includes all EU countries and in addition, non-EU countries Iceland, Liechtenstein and Norway. While personal data can be transferred freely between EEA member states, special precautions need to be taken when personal data is transferred to countries outside the EEA to avoid undermining of the high standards of protection established by the GDPR.
Data adequacy is a status granted by the European Commission to non-EEA countries whose legal regime is deemed to ensure an adequate level of data protection essentially equivalent to that ensured within the EU. The Commission has so far recognized Andorra, Argentina, Canada (commercial organisations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection (click here for more information). For the United States, a special EU-US Privacy Shield arrangement is currently in place. The purpose of this framework is to protect the fundamental rights of anyone in the EU whose personal data is transferred to the United States as well as bringing legal clarity for businesses relying on transatlantic data transfers.
In the absence of a data adequacy decision, transfers of personal data outside the EEA are allowed only under certain circumstances, if appropriate safeguard are used, such as binding corporate rules or standard contractual clauses adopted by the Commission or by a supervisory authority and approved by the Commission. Other safeguards include:
- Legally binding and enforceable instruments between public authorities or bodies.
- An approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards the rights of data subjects’ rights; or
- An approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards the rights of data subjects.
8. Automated decision-making and profiling
As a responsible company, EBAA does not make decisions which produce legal effects concerning you, or similarly significantly affects you solely by automated means and without human involvement, including profiling.
9. Data security and integrity
EBAA takes reasonable and appropriate measures to maintain the confidentiality and integrity, prevent the unauthorized use or disclosure, of your personal data and to protect your personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction.
EBAA maintains a system of appropriate administrative, physical and technical safeguards to secure such information. Where your personal data can be accessed by or is transferred to processors, EBAA has made contractual arrangements in order to ensure the confidentiality and security of your personal data and, more generally, their processing in accordance with the applicable legal provisions.
EBAA processes your personal data only in ways compatible with the purpose for which it was collected and in accordance with this policy. We take reasonable steps to make sure that the information is accurate, complete, current and otherwise reliable with regard to its intended use. However, EBAA expects that you will provide EBAA with updated personal data as necessary as described in section 1.
10. Links to Unaffiliated Third Party Websites
EBAA’s website may contain links to unaffiliated third party websites. EBAA has no control over, nor is it responsible or liable for, the policies and practices followed by such third parties. If you link to or otherwise visit any other websites managed by third parties, EBAA strongly encourages you to review the privacy and other policies of such third parties.
You have the right to access, rectify or have your personal data erased or restricted of processing or to object to processing of your personal data. You also have the right to data portability. Where the processing is based on consent, you have the right to withdraw your consent at any time.
To exercise your rights, please send us an e-mail at firstname.lastname@example.org or a letter to EBAA, Square de Meeûs, 37, 1050 Brussels, Belgium.
To protect your privacy and security, we will take reasonable steps to verify your identity before granting access or making corrections. EBAA reserves the right to ask you to establish your identity by means of your passport or other valid identity document.
Right to access: You have the right to obtain confirmation from EBAA as to whether or not personal data concerning you are being processed and, where that is the case, access to your personal data and the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data, or restriction of processing of personal data concerning the data subject, or to object to such processing;
- the existence of the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence or not of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject;
- whether personal data are transferred to a third country or to an international organization and, where this is the case, information as regards the appropriate safeguards relating to the transfer.
Right to rectification: you have the right to obtain from EBAA without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to rectify: If you inform EBAA that personal data held by EBAA is inaccurate or incomplete, requesting that it be rectified, the personal data in question will be rectified, and you will be informed of that rectification, within one month of receipt of your notice (this can be extended by up to two months in the case of complex requests, and in such cases you will be informed of the need for the extension). In the event that any affected personal data has been disclosed to third parties, those parties will be informed of any rectification of that personal data.
Right to erasure: you have the right to obtain from EBAA the erasure of your personal data without undue delay, and EBAA shall erase such personal data without undue delay where one of the following grounds applies and where there is no other legal ground for the processing:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- you withdraw your consent on which the processing is based.
- you object to the processing of your personal data (see hereafter);
- your personal data have been unlawfully processed.
- your personal data must be erased for compliance with a legal obligation under EU law or the laws of a member state to which EBAA is subject.
Where EBAA has made certain personal data public and is obliged to erase such data on any of the above grounds, EBAA shall take all reasonable steps, taking into account the available technology and the cost of implementation, to inform other controllers processing the personal data that you have requested its erasure, as far as processing is not required on any other grounds
Right to restrict processing: You may obtain restriction of processing of your personal data in any of the following cases:
- you contest the accuracy of your personal data: processing shall be restricted for a period enabling EBAA to verify the accuracy of the personal data.
- The processing is unlawful but you oppose the erasure of your personal data and request the restriction of their use instead.
- EBAA no longer needs the personal data for the purposes of our processing, but you require the personal data for the establishment, exercise or defense of legal claims.
- You have objected to the processing (see hereafter), pending verification whether the legitimate grounds of the EBAA override your rights as data subject.
Right to object processing: you have the right to object to the processing of your data for reasons relating to your particular situation and where the legal ground for processing is that the processing is necessary for the performance of a task carried out in the public interest or in the exercise of any official authority vested in us, or for the purposes of the legitimate interests pursued by us or by a third party. In case you raise an objection, EBAA shall no longer process the personal data, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms as the data subject, or for the establishment, exercise or defense of legal claims.
If EBAA processes personal data for direct marketing purposes, you furthermore have the right to object at any time to processing of your personal data for this purpose. EBAA will then no longer process your data for for direct marketing purposes.
Finally, you have the right, on grounds relating to your particular situation, to object to processing of your personal data by EBAA for scientific, historical research or statistical purposes, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Data portability: you have the right to receive your personal data that has been provided to EBAA in a structured, commonly used and machine-readable format. You may transmit or have those data transmitted to another controller without hindrance from EBAA, as long as the processing is based on consent or on a contract, and is carried out by automated means, as long as the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in EBAA.
You have the right to lodge a complaint if you consider that EBAA’s processing of your personal data constitutes a violation of applicable data protection laws. The complaint may be lodged with the supervisory authority of the member state of your residence, place of employment or the place of the alleged infringement.
We recommend that you check back frequently to see if changes have been made.