Privacy policy

Summary

This privacy policy contains the approach, responsibilities and related procedures regarding data protection.

Purpose

DeltaBlue values privacy and is therefore committed to protect the (personal) data of all its stakeholders. To demonstrate compliance to the latest regulations, such as GDPR, we have implemented ISO 27001 and set up an information security management system (ISMS).

This privacy policy is part of a set of information security guidelines and procedures and does not intend to stand on its own or contradict other DeltaBlue policies.

Scope

This privacy policy is part of a set of information security guidelines and procedures and does not intend to stand on its own or contradict other DeltaBlue policies.

Definitions

GDPR	EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016, or the European General Data Protection Regulation ("GDPR"), defines the rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
Controller	is defined as a natural or legal person who (either alone, jointly or together with other persons) determines the purpose(s) “for which” and the manner “in which” any personal data is or will be processed
Processor	is defined as a natural or legal person (other than an employee of the controller) who processes personal data on behalf of the controller.
Processing	is defined as any operation or a set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Personal Data	is defined as any information relating to an identified or identifiable natural person. An identifiable natural person is the one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Data Subject	is defined as a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Data Breach	means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or, or access to, personal data transmitted, stored or otherwise processed
DPA	Data Processing Agreement ("DPA") is a contract between the controller and the processor. It regulates the particularities of data processing – such as its scope and purpose – as well as the appropriate technical and organisational measures and the relationship between the controller and the processor.
Supervisory Authority	is an independent public authority which is established by a Member State to monitor and enforce the national and/or local application of GDPR.

General Principles

DeltaBlue wants to continue being an organisation that cares about the privacy of people and their data and creates a culture and environment that is resilient to any accidental and deliberate personal data infringement occurring.

With all privacy and data protection efforts in place and envisioned, the achievement of the following objectives is paramount to DeltaBlue:

Protection of confidential and privacy-sensitive information;
Respect and protect the fundamental rights and freedoms of all data subjects;
Ensure transparency, confidentiality and integrity of the processed personal data;
Compliance with existing laws and regulations.

DeltaBlue processes personal data from customers, employees and suppliers, both as Controller and as Processor, on a daily basis. Any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or, or access to, personal data transmitted, stored or otherwise processed, can lead to, among other things:

A breach of the trust of customers and employees of DeltaBlue;
Damage for customers and/or suppliers with claims for damages as a result;
Reputational damage to DeltaBlue;
Violation of legislation.

Data Protection Principles

Every company is obliged to process personal data in accordance with the data processing principles as described in the GDPR. DeltaBlue has put the appropriate organisational and technical measures in place to assure compliance with these principles and ensures continues evaluation of these measures.

Therefore, it is also important for every employee dealing with personal data to be aware of the data processing principles. In addition DeltaBlue employees and stakeholders involved should only process personal data after analysis and application of the following six principles.

DeltaBlue should assure that:

personal data is collected and further processed in a lawful, fair and transparent manner.
personal data is only processed for specific, explicit and legitimate purposes. If afterwards the personal data is processed for a new purpose, incompatible with the initial one, the data subject concerned is duly informed and has to provide his/her consent or is allowed to object to such processing.
we only gather personal data which is adequate, relevant and limited to what is necessary to achieve the purposes for which it is processed. When possible, personal data should be pseudonymised or anonymised.
personal data is kept accurate and up to date throughout its lifecycle (from the collection to the destruction / deletion).
personal data is no longer kept than necessary to meet the legitimate business purposes for which the personal data was collected and in compliance with DeltaBlue’s Information retention policy, unless EU or national laws state otherwise.
we protect personal data in a way that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.
we take responsibility for what it does with personal data and how it complies with the other principles.

The right of access, correction and erasure

Every individual (“data subject”) has the possibility to exercise the freedoms and rights as described in the GDPR. DeltaBlue has the obligation to respond in a timely manner to data subject requests and to make sure that the legal deadlines are met.

The data subject rights explained:

Right to information: Data subject always has the opportunity to request his/her personal data (including processing purposes, categories of personal data, estimated retention period) and to be informed about what happens with the data collected from data subject.
Right to access: Data subject has the right to access his/personal personal data.
Right to rectification, erasure, restriction and objection: Data subject is entitled to have incorrect personal data corrected or completed. Under certain circumstances, the data subject has the right to have his/her personal data removed from any files. Moreover, the data subject has the right to object to or ask for the restriction of the processing of your personal data. However, that in certain cases the processing of the personal data is necessary to comply with legal obligations or to be able to execute contractual obligations. In that case, compliance with those obligations will prevail over the data subject’s right to object or restriction or erasure. Therefore, DeltaBlue will evaluate case by case whether or not the request can be complied with.
Right to data portability: Data subject has the right to receive his/her personal data, processed by DeltaBlue in a structured, commonly used and machine-readable format and/or to transmit those data to another controller.
Right not to be subjected to automated individual decision-making including profiling: Data subject has the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects on the data subject or similarly significantly affects the data subject.
Right to lodge a complaint: If, at any time, the data subject is of the opinion that DeltaBlue infringes his/her privacy, the data subject has the right to lodge a complaint with: The Belgian supervisory authority: Gegevensbeschermingsautoriteit, Drukpersstraat 35, 1000 Brussel, Tel +32 (0)2 274 48 00.

Requests to exercise the right of access, correction and erasure can be submitted through the Security officer.

Data breach

There is a personal data breach whenever there is breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data or if the data is made unavailable and this unavailability has a significant negative effect on individuals. Examples of a data breach are: accidental disclosure of e-mail addresses, loss of laptop, theft of a database, password leakage, etc…

Data retention

In line with the data protection principles of storage limitation and accuracy, it is required to set out clear data retention periods for the personal data being processed by DeltaBlue. Processes have been adjusted to make sure data is never stored longer than necessary to perform our services.

Technical and organisation security measures

DeltaBlue guarantees implementation of the appropriate technical and organisational measures to ensure a level of security appropriate to the risk and taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

If you want to find out which measures and security controls have been implemented, we have prepared an Assurance statement which is available upon request.

Third parties and Data Processing Agreements

As a controller DeltaBlue has the obligation to ensure that it only uses processors providing appropriate guarantees to implement appropriate technical and organisational measures in such manner that processing will meet the requirements of the GDPR and ensure protection of the rights of the data subjects. Following this, a due diligence shall be conducted before a contract with a new processor is signed. A contract (DPA) with the processor shall include the clauses on personal data processing, in which the appropriate instructions on how to process personal data is given to the processor, as well as, appropriate technical and organisational measures are agreed upon.

Roles and responsibilities

In order to guarantee confidentiality and careful handling of personal data, all individuals working for DeltaBlue must ensure that personal data that is being processed happens in line with this policy and the data protection principles. Therefore employees, contractors and other stakeholders involved have the responsibility to:

Identify personal data processing activities and the risks that accompany the processing of personal data;
Only process the data necessary to achieve a predefined purpose;
Execute the proposed measures by DeltaBlue and follow up on the changes in the policies and procedures;
Informing the privacy responsible on major changes in the entity;
Inform the privacy responsible if any doubts and/or questions arise;
Know DeltaBlue’s vision on privacy and recognise what this means for his/her responsibilities.

The Management of DeltaBlue is jointly responsible for this privacy policy.

Management will approve the policy after significant changes;
The implementation of this policy falls under the responsibility of the Security officer;
We may update this policy at any time and make the updated version available to all employees.