GDPR policy

Groupe Fidentia[1]  – General Privacy Policy

May 2018

0          Scope of Policy

As from 25 May 2018, Fidentia will be subject to and will comply with the revised data protection rules applicable in the European Union under the General Data Protection Regulation (the “GDPR”)[2].

In accordance with the GDPR this data privacy policy (the « Policy« ) is addressed to

• our prospective, current and former members of personnel;
• the employees, workers, directors, officers, legal or professional representatives, beneficial owners of Fidentia Group’s shareholders, prospective clients and clients or their affiliates and agents, professional contacts and suppliers; and
• our website’s visitors and any other individuals in contact with Fidentia from which personal data might be collected by Fidentia.

The policy does not apply to any information processed about legal entities.

You are receiving this Privacy Policy because Fidentia Real Estate Investments SA or an entity of the Fidentia group (“FIDENTIA”) is processing information about you which constitutes “personal data” and Fidentia considers the protection of your personal data and privacy a very important matter.

Fidentia or  another  entity  of  the  Fidentia  group  (as  identified  in  Footnote 1  below)  is responsible  for the processing of your personal data as it decides why and how it is processed, thereby acting as the “controller”. In this Privacy Policy, “we” or “us” refers to Fidentia or the relevant entity of the Fidentia group.

As controller, we comply with applicable data protection laws and in particular with the GDPR to ensure the relevant standard of protection and privacy is applied to the personal data that we collect.

In line with our commitment to protect your personal data, we want to inform you and explain in all transparency the processing of your personal data and notably:

• what type of personal data is collected,
• why and how Fidentia collects, uses and stores your personal data; and
• what your rights and our obligations are in relation to such processing.

1         Who is responsible for the processing of your personal data?

Unless  otherwise  specified  in  this  Section  1,  FIDENTIA  is  responsible,  as  controller,  for  the processing of your personal data.

In the following case, the controller in relation to your personal data will be another entity of the Fidentia group, namely:

• for representatives (natural persons) of FIDENTIA’s shareholders, prospective clients and clients or their affiliates and agents, professional contacts and suppliers: the FIDENTIA entity with which you or your employer have a commercial and/or contractual relationship or are/is being contacted for the purpose of developing such a relationship.
• The relevant controller will be identified separately in each communication containing a link to this statement or to which this statement is attached in relation to each relevant processing.

2         What type of personal data do we collect?

As controller we  collect  basic  identification  information  about  all  individuals  with  whom  we  interact, including  the  categories  of  data  subjects  described  in  the  introduction  of  this  General Privacy  Policy  such  as  your  name,  title,  position, company  name,  email  and/or  postal address  and  fixed  and/or  mobile  phone  number.  We also  process  the  content  of  any electronic communications with you. 

This information may either be directly provided by you, communicated to us by the legal entity for whom you work (e.g. if you are the contact person designated by your employer to manage the FIDENTIA relationship), supplied to us by one of our service providers (e.g. financial institutions  or  recruiters)  or  obtained  from  publicly  available  sources  (e.g. social media profiles).

2.1     Prospective, current and former members of personnel

  For our prospective, current and former employees, we may in addition also collect the following information: 

• additional identification information (e.g. date and place of birth, nationality, ID card or passport numbers and copy of ID card  or passport, contact person in case of emergency);
• your family information (e.g. marital status, number of children, date of birth and household composition, as well as working status of the spouse and as the case may be, copy of their ID card/passports);
• your education and experience (e.g. employment and education history, other details included in the CVs, professional qualifications and experience);
• other information relating to your recruitment (e.g. information you provided during your interview, handwriting sample and psycho-social tests for personality assessment, notes and comments made during the recruitment process);
• your function (e.g. position information such as position title and reference number, supervisor and subordinates, employment dates such as dates of hiring/promotion/position change, work schedule, performance evaluations, language skills);
• your remuneration  data (such as salary level and amount, years of experience, bonus, stocks, options, expenses information, mobile phone invoices, cars and fuel cards, insurance and other benefits, pension entitlements and bank account details);
• your financial information (such as your bank account number, credit card number, and number of payments);
• your social security information (such as tax/social security status, insurance details, disabilities, attendance information including illness or leaves of absence);
• your electronic identification data (e.g. login, passwords, IP address, badge number, logs  relating to the usage of IT tools, FIDENTIA group professional email address, sound or image recording such as CCTV);
• information required to set up insider lists imposed under Belgian law (required by the FSMA and/or counterparts);
• your picture; and
• more generally, information about the activities you are carrying out in your professional capacity at FIDENTIA.

2.2      (Representatives of) shareholders

For (the representatives of) the shareholders of FIDENTIA, we may in addition also collect the following information:

• additional identification information (e.g. copy of ID card and passport);
• information relating to your shares (e.g. number and type of rights);
• power of attorney or mandate related information when you act as board member or legal representative of shareholders
• tax-domicile and other tax-related documents and information such as tax residency, TIN, beneficial ownership, percentage of holding in a corporate entity notably in the context of compliance with the Foreign Account Tax Compliance Act (“FATCA”), Automatic Exchange of Information (“AEOI”), or local tax or corporate laws (e.g. Law of 18/09/2017 providing for the creation of a centralized register in which Belgian companies must register and update information about their ultimate beneficial owners, i.e the UBO register)
• your financial information (bank account number for payment of dividends);
• your family information (parents, spouse, children, brothers/sisters or other heirs); and
• notes about our meetings (if any).

2.3      (Representatives of) Prospective clients, clients (or their affiliates and agents) and Professional contacts

For (the representatives of) our clients, clients (or their affiliates and agents) and professional contacts, we may, in addition also collect the following information:

• your attendance to events;
• your ID/passport when required to participate in events;
• your financial information (bank card/accountthe information).

2.4     (Representatives of) suppliers 

For  (the  representatives  of)  our  suppliers,  we  may  in  addition  also  collect  the  following information:

your electronic identification data where required for the purpose of the delivery of products or services to our company (e.g. access right, image recording or sound such as badge pictures, CCTV or voice recordings);

and for natural persons acting as suppliers or service providers, financial information (e.g. bank account details, bills and invoices) and information relating to the contract (e.g. type of agreement, parties and duration).

2.5      (Website) visitors

For visitors we may in addition also collect the following information:

• information in relation to your visit (such as the day, time); and
• your electronic identification data (such as sound or image recorded by CCTV).
• For website visitors, we may in addition also collect the following information:
• electronic identification data (http header fields, IP address, browser identification information, information on hardware and software location data if available); and
• information regarding your browser and device (e.g. internet service provider’s domain, browser’s  type and version, operating system and platform, screen resolution, device manufacturer and model).

To the extent authorized or required by law, we may also process sensitive data, such as health data. FIDENTIA will only do so as strictly required for the relevant purposes listed in Section 4 below or to comply with a legal obligation and, where required, subject to having obtained your prior consent. In such case, the data will be accessed and processed solely under the responsibility of a representative of FIDENTIA who is subject to an obligation of confidentiality.

Whenever personal data is collected (e.g. in forms), we will indicate whether the provision of such data is  mandatory (e.g. with an asterisk) and the consequences of a refusal to provide the requested data.

We may also collect your national registry number or social security number but will only process such data if and when legally required.

3         When do we collect personal data?

Personal data will be collected by FIDENTIA:

• whenever individuals apply to become an employee of a FIDENTIA entity;
• whenever  employees interact  with  FIDENTIA,  its  personnel,  its  IT  equipment  and  other systems;
• whenever FIDENTIA interacts with former employees;
• whenever FIDENTIA interacts with (the representatives of) our professional contacts, shareholders and suppliers;
• whenever individuals visit our website; and
• when receiving requests from analysts and journalists.

4         On which legal basis and for which purposes do we process personal data?

4.1       Legal basis for the processing

We are not allowed to process personal data if we do not have a valid legal ground. Therefore, we will only process personal data if:

• we have obtained your prior consent;
• the processing is necessary to perform our contractual obligations towards you or to take pre-contractual steps at your request;
• the processing is necessary to comply with our legal or regulatory obligations, including banking and financial regulations, anti-money laundering/counter financing legislation, company law, tax law or to reply to any official request from a public or judicial authority;
• the processing is necessary to protect your vital interests or those of another natural person; or
• the processing is necessary for the legitimate interests of FIDENTIA in order to provide and develop its services, to improve its risk management and/or defend its legal and does not unduly affect your interests or fundamental rights and freedoms.

Please note that, when processing your personal data on this last basis, we always seek to maintain a balance between the above-listed purposes/legal bases including our legitimate interest and your privacy. For more specific examples, processing activities include:

• Client on-boarding processes, including verifying the legal capacity of (representatives of) our professional contacts/clients/shareholders to enter into contractual relations with FIDENTIA;
• Providing the services in accordance with our contractual arrangements;
• Assisting our clients and answering their request;
• Managing our relationship with clients and prospective clients, including communications in relation to our services;
• Compliance with legal and regulatory duties imposed upon FIDENTIA within the framework of the services provided to the clients;
• Compliance with any regulatory and compliance obligations (including Know Your Customer (KYC) and Anti-Money Laundering (AML) provisions);
• Prevention of fraud or criminal activity as well as to protect the security of FIDENTIA’s IT systems, architecture and networks; and
• Meeting our corporate and social responsibility objectives.

4.2       Purposes of the processing

We  always  process  your  personal  data  for  a  specific  purpose  and  only  process  the personal data which is relevant to achieve that purpose. In particular, we process personal data for one of the following purposes.

4.2.1     Prospective, current and former members of personnel

In relation to prospective, current and former members of the personnel, we process personal data for:

• recruitment activities;
• personnel administration (including organization of work, tasks, benefits, expenses and absence management, performing employment and background checks, creating and maintaining employee directories, travel arrangements);
• payroll management (such as administering remuneration and other contractual benefits, salaries and pay reviews and other awards such as stock options, stock grants and bonuses, pensions and saving plans, benefits to families, business expenses, salary benchmarking);
• performance reviews (such as appraisals, promotions, career and succession planning, staffing and talent management);
• monitoring employees’ activities in the workplace, including compliance with policies as well as health and safety rules in place;
• managing any disciplinary action and handle internal complaints relating to violence, moral harassment and undesirable (sexual) conduct;
• replying to an official request from a public or judicial authority with the necessary authorization;
• ensuring compliance and reporting (such as complying with our policies and legal requirements, income tax and insurance deductions, managing alleged cases of misconduct fraud; conducting audits, defending litigation);
• ensuring business continuity;
• managing mergers and acquisitions involving our company;
• any other purposes imposed by law and authorities.

4.2.2     (Representatives of) shareholders

In relation to (representatives of) our shareholders, we process personal data to:

• prepare for shareholders meetings and pay dividends to shareholders, where applicable;
• manage schedules and agendas; and
• assist in organizing events.

4.2.3     Professional contacts

In relation to our professional contacts, we process personal data to:

• manage our public relations;
• organize events (including sending out invitations, thank you notes);

4.2.4     (Representatives of) suppliers

In relation to (representatives of) our suppliers, we process personal data to:

• implement tasks in preparation of or under existing contracts;
• monitor activities at our premises, including compliance with applicable policies as well as health and safety rules in place;
• manage our IT resources, including infrastructure management and business continuity; and
• billing and invoicing.

4.2.5     (Website) visitors and any third parties following our company such as journalists and analysts

In  relation  to  FIDENTIA’s  (website)  visitors  and  any third  parties  following  our  company such as analysts and journalists, we process personal data to:

• manage suppliers and service providers, analysts and journalists relationships;
• improve our website (e.g. diagnose server problems, optimize traffic, integrate and optimize web pages where appropriate);
• measure the usage of our website (e.g. by drawing up statistics about the traffic or by gathering  information regarding the users’ behaviour and the pages they visit);
• monitor and prevent fraud, infringement and other potential misuse of our website; and
• manage our premises.

4.2.6     General

In addition to the above specific purposes, we process all collected personal data for the following general purposes:

• storing contact details (e.g. business cards);
• manage and administer the relationship between FIDENTIA and the data subjects;
• manage our IT resources, including infrastructure management & business continuity;
• preserve FIDENTIA’s economic interests and ensure compliance and reporting (such as complying with our policies and local legal requirements, tax and deductions, managing alleged cases of misconduct or fraud, conducting audits and defending litigation);
• comply with any legal obligations imposed on FIDENTIA in relation to its activities;
• reply to an official request from a public or judicial authority with the necessary authorization;
• accounting, archiving and record-keeping; and
• manage mergers and acquisitions involving any company of the FIDENTIA group.

5         How do we protect personal data?

We have implemented appropriate technical and organizational measures to provide a level of security and confidentiality to your personal data.  These measures take into account:

1. the state of the art of the technology;
2. the costs of its implementation;
3. the nature of the data;
4. and the risk of the processing.

The purpose thereof is to protect it against accidental or unlawful destruction or alteration, accidental loss, unauthorized disclosure or access and against other unlawful forms of processing.

Moreover, when handling your personal data, we:

• only collect and process personal data which is adequate, relevant and not excessive, as required to meet the above purposes; and
• ensure that your personal data remains up to date and accurate.  

For the latter, we may request you to confirm the personal data we hold about you. You are also invited to spontaneously inform us whenever there is a change in your personal circumstances so we can ensure your personal data is kept up-to-date.

6         Who has access to personal data and with whom are they shared?

6.1       Transfers within FIDENTIA

We may transfer personal data to our members of personnel or other entities of FIDENTIA. Such other FIDENTIA entities will either act as another independent controller or will process your personal data on our behalf and upon our request (thereby acting as processor). In all cases, the personal data will be processed only for the purposes set out in Section 4.2.

6.2       Transfers to third parties

We may transfer or give access to personal data to third parties outside FIDENTIA to complete the purposes listed in Section 4.2 above, to the extent they need it to carry out the instructions we have given to them. Such third parties may include:

• third parties who process personal data, such as our payroll provider, our (IT) systems providers, payment services providers, banks, insurances companies and pensions funds, social security bodies, event organisers psycho-social tests providers, recruiters/head hunters, travel agencies, banks, funds, notaries, other regulated professions and consultants;
• any third party to whom we assign or novate any of our rights or obligations under a relevant agreement;
• our advisors and external lawyers in the context of the sale or transfer of any part of our business or its assets; and
• any national and/or international regulatory, enforcement or exchange body or court where we are  required to do so by applicable law or regulation or at their request.

The above third parties shall be contractually obliged to protect the confidentiality and security of your personal data, in compliance with applicable law.

6.3       Transfers of personal data outside the European Economic Area (« EEA« )

In case of international transfers of personal data to a non-EEA country, we ensure that the transferred personal data is protected with adequate levels of data protection and appropriate measures in accordance with the GDPR and the European Commission’s decisions and guidelines. You may request additional information in this respect and obtain a copy of the relevant safeguard by exercising your rights as set out below.

We may also have to disclose personal data upon request to the official bodies and administrative or judicial authorities of a country located outside the EEA, in particular in the context of money laundering and terrorist financing. We do so in strict compliance with applicable law.

7         How long do we store your data?

We will only retain personal data for as long as necessary to fulfil the purpose for which it was collected or to comply with legal, regulatory or internal policy requirements.

We only keep data related to candidates for recruitment purposes for a maximum period of two years. For current employees, the retention period is the time of your employment, unless overriding legal or regulatory schedules require a longer or shorter retention period.

For contracts, the retention period is the term of your (or your company’s) contract with us, plus the period of time until the legal claims under this contract become  time-barred, unless overriding legal or regulatory schedules require a longer or shorter retention period.

Personal data collected and processed in the context of a dispute are deleted (i) as soon as an amicable settlement has been reached, (ii) once a decision in last resort has been rendered or (iii) when the claim becomes time barred.

When the above retention periods expire, your personal data is removed from our systems. However, if individuals wish to have their personal data removed from our databases, they can make a request as described in Section 8, which we will review as set out below.

8         What are your rights and how can you exercise them?

8.1       Your rights

You have a right of access to your personal data as processed by FIDENTIA under this policy. If you believe that any information we hold about you is incorrect or incomplete, you may also request the correction thereof. FIDENTIA will promptly correct any such information.

You also have the right to:

• request the erasure of your personal data;
• request the restriction of the processing of your personal data;
• withdraw your consent where FIDENTIA obtained your consent to process personal data (without this withdrawal affecting the lawfulness of processing prior to the withdrawal);
• object to the processing of your personal data for direct marketing purposes or for other purposes in certain cases where FIDENTIA processes your personal data on another legal basis than your consent,

FIDENTIA will review such requests, withdrawal or objection and fulfill them as required under the applicable data protection rules. 

In addition, you also have the right to data portability and transfer the personal data to another controller where technically feasible and  here it does not affect the provision of our activities and services.

8.2       Exercising your rights

If you have a question or want to exercise the above rights, you may send an email to the FIDENTIA’s data protection officer: Mrs. Laetitia Etienne (l.etienne@fidentia.be) or a letter to Fidentia Real Estate Investments SA at 120 Chaussée de la Hulpe, 1000 Bruxelles (attn.: Laetitia Etienne) with a scan of your identity card for identification purpose, it being understood that we shall only use such data to verify your identity and shall not retain the scan after completion of the verification.

In any case, you also have the right to file a complaint with the competent data protection authorities, in addition to your rights above.

9         Status of and Amendments to this policy

This policy is current as of May 2018 in compliance with GDPR. It aims to inform you, as data subjects, about FIDENTIA’s organization regarding personal data processing and your rights according to GDPR.

It is not a binding document

This policy may be subject to amendments. Although we may request our clients/professional contact/shareholders to inform you about that update, we may not be able to personally notify you. We kindly ask you to review the FIDENTIA’s website from time to time for possible changes.

---

[1] For  the  purposes  of  this  policy,  « Groupe  Fidentia »  or  « Fidentia  group »  means  Fidentia Real Estate Investments  SA  and  its affiliates  with  holding  activities  under  its  exclusive  (direct  or  indirect)  control  (including,  in  particular,  Fidentia BeLux Investments SCA).

[2]    Regulation 2016/679 of the EU Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or “GDPR”).