Privacy policy

1 Objective

This document constitutes the Data Privacy Policy implemented by CRM asbl and AC & CS SC, which constitute CRM Group, as part of their activities.

The protection of your privacy and your personal data is of paramount importance for CRM Group.

Data Privacy Policy is drafted in order to ensure compliance with the European Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter General Data Protection Regulation, or GDPR).

This "Data Privacy Policy" is intended to inform you on how CRM Group collects, uses and stores your personal data.

As CRM Group entities jointly process personal data,  CRM Group has chosen to share the commitments made in the context of this Data Privacy Policy. This obviously does not mean that any personal data processed by one of the two entities is also and necessarily subject to processing by the other entity.

2 What is the scope of this Policy?

What does the "processing of your data" cover and who is responsible for it?

We collect and use only the personal data that are necessary in the course of our activities and that enable us to offer quality services.

CRM asbl and AC & CS SC, having respectively their registered office at 1000 Brussels, rue Ravenstein, 4 and 4000 Liege, Allée de l'Innovation 1, are each responsible for the processing of the personal data they are brought to process.

We are therefore your partner as well as that of the supervisory authorities (for example, "the Data Protection Authority") for any question relating to the use of your data by our entities.

For some services, we use specialized third parties who, in some cases, act as subcontractors. They must then follow our guidelines and comply with our Data Privacy Policy. In other cases, these third parties are also joint controllers for the processing and must respect their legal obligations in this respect.

We make sure that these subcontractors only receive the data strictly necessary to fulfill their part of
the contract.

We are also likely to act as subcontractors for other legal entities. In this case, it is these entities that are responsible for the processing of personal data. We follow their instructions.

3 What data are covered by our Policy?

The data covered by this Policy are the personal data of natural persons, i.e. data that directly or indirectly identify a person.

In the context of your relations and interactions with CRM Group, we may collect various personal data such as:

  • identification and contact data (examples: your title, name, address, date and place of birth, national
  • register number, bank account number, telephone number, email address, IP address, profession);
  • family situation (examples: marital status, number of children);
  • banking, financial and transaction data (examples: bank details, account numbers, transfer data including communication, and, in general, any data recorded during your bank transfers);
  • data relating to your behaviour and habits concerning the use of our channels (examples: our website, our applications for tablet and smartphone);
  • data relating to your preferences and interests, which you communicate to us directly or indirectly, for example via participation in our events or surveys,;
  • data from your interactions on our dedicated pages on social networks (examples: Facebook and LinkedIn).

We never process data about your racial or ethnic background, your political opinions, your religion, your philosophical beliefs or trade union membership, your genetic data, your sex life or sexual orientation unless the law requires it or that this results from the performance you use of our products and services.

4 Guidelines for processing personal data

Among other things, we respect the following principles when processing personal data as part of the management and execution of our commitments:

  • Lawful processing of data: we process personal data lawfully in the course of our activities;
  • Defined aims and purpose limitation: we collect and process personal data for the lawful purposes specified below;
  • Minimization of data processing: we limit the processing of personal data to what is necessary in the course of our activities;
  • Accuracy of personal data: we take all reasonable measures to ensure that personal data are accurate and that they are rectified and/or deleted without delay if they appear to be no longer accurate;
  • Limitation of processing and retention: we will not process or store personal data for any longer than is necessary for the performance of our activities;
  • Security measures: we take the technical and/or organizational measures necessary and adequate for the security of personal data.


5 When are your personal data collected?

The data we use to verify or enrich our databases can be collected either directly from you or from the following sources:

  • publications/databases made accessible by official authorities (example: the Moniteur Belge);
  • our client companies or service providers;
  • websites/pages of social networks containing information that you have made public (example: your website or social network);
  • databases made public by third parties.

Some of your data may also be collected by CRM Group:

  • when you become a customer, member or supplier;
  • when you register at the entrance of one of our sites;
  • when you register to use our online services (at each identification or use) ;
  • when you fill out the forms and contracts we submit to you;
  • when you use our services and products following the signing of a contract;
  • when you subscribe to our newsletters;
  • when you contact us through the different channels available to you;
  • when your data is published or transmitted by authorized third parties or professional data providers;
  • when you are filmed by our surveillance cameras located in and around our premises/buildings.

The images are recorded solely for the purpose of protecting the security of property and people and to prevent abuse, fraud and other offenses against our customers and/or our staff (the presence of recording devices is indicated by stickers with our contact details).

6 On what grounds and why do we use your personal data?

We process your personal data for various purposes. For each treatment, only the data relevant to the purpose pursued are processed.

In general, we use your personal data:

  • in the context of the performance of a contract or the taking of precontractual measures;
  • in order to comply with the legal and regulatory provisions to which we are subject;
  • for reasons that are in the legitimate interest of the company (see illustrations below). When we do this type of treatment, we take care to preserve the balance between this legitimate interest and the respect of your privacy;
  • when we have obtained your consent.

Personal data are processed by CRM Group for purposes that include, but are not limited to:

  • providing you with information about our products and services;
  • assisting you and responding to your requests;
  • enabling the proper execution of the agreements concluded;
  • ensuring the financial and accounting management of CRM Group entities;
  • obtaining subsidies and instruments to protect intellectual property for or with its members;
  • ensuring good management of customers, equipment and suppliers;
  • establishing user profiles and if you have signed your consent; carry out information and/or promotion operations on products and services, those of companies in CRM Group and / or its commercial partners;
  • improving existing (or under development) services through surveys of current or potential members, statistics, tests, comments that you send us directly or that you post on our websites;
  • responding to legal obligations, including responses to formal requests from duly authorized public or judicial authorities;
  • detecting and preventing abuse and fraud: we process and manage contact and security data (card reader, password ...) to validate, monitor and ensure the security of transactions and communications via our remote channels;
  • ensuring the provision of services by using subcontractors;
  • monitoring our research and development activities;
  • improving the quality of the individual service to our members;
  • prospecting for CRM Group services;
  • ensuring the security of our premises and infrastructure, as well as people in these places.

7 Who has access to your personal data and to whom are they transferred?

Only authorized users have access to your personal data in order to fulfill the aforementioned purposes. Authorized user means persons who, in the course of performing their duties within  CRM Group, are authorized, as part of the activities carried out, to process personal data on the basis of CRM Group guidelines.

In order to fulfill the aforementioned purposes, the entities CRM asbl and AC & CS SC disclose
your personal data to each other and to:

  • sponsoring authorities;
  • bodies granting intellectual property rights, such as patents;
  • an external auditor;
  • a licensed commissioner;
  • a legal advisor;
  • a financial consultant;
  • another professional and/or service provider/advisor;
  • a social secretariat, banking organization, insurer/Fund;
  • IT companies or service providers for software programmes and electronic data storage (servers, etc.);
  • judicial, administrative or police authorities.

8 How long do we retain your personal data?

We keep your personal data for the longest period of time necessary to comply with the applicable legal and regulatory provisions or another period given the operational constraints such as good bookkeeping, effective management of the relationship with members, the management of our intellectual property rights and responses to claims in court or by the regulator.

The data relating to the members are kept during the life of the contract and for a maximum period of ten years after the end of the contractual relationship.

Data on potential members may be kept for up to one year, depending on the life cycle of the project for which they were collected and when the person indicated an interest.

Some data are archived for longer periods of time in order to meet our legal and evidentiary obligations, in particular to safeguard your rights and the rights of our entities and, in particular, the intellectual property rights to which they may be entitled, but also in order to respond to requests from the subsidizing authorities. This archived data is only accessible for purposes of proof in court, control by an Authorized Authority (for example by the tax authority), for reasons of document production before the judicial, administrative or police authorities.

9 Security and confidentiality

CRM Group undertakes to adopt the technical, physical and organizational measures necessary and adequate to protect personal data against unauthorized access, unlawful and unauthorized processing, accidental loss or damage, and unauthorized destruction. These measures are regularly assessed and, if necessary, updated in order to guarantee the maximum protection of the personal data of the persons concerned.

In the event of a breach or computer leak, as described below, we will take the necessary/appropriate measures to ascertain the extent and consequences, terminate it as soon as possible and, if necessary, limit its impact on persons concerned.

10 What are your rights and how can you exercise them?

10.1 Rights of the data subjects

In accordance with the applicable regulations, you have different rights:

  • the right to request access to personal data (A)
  • the right to rectification (A)
  • the right to erase data (A)
  • the right to oppose the treatment (B)
  • the right to withdraw consent (B)
  • the right to request a limitation of treatment (B)
  • the right to data portability (C)

A. Right of access, rectification and erasure

Any data subject concerned has the right to request access. If a data subject exercises this right,  CRM Group is obliged to provide information on this matter, including:

  • to give a description and a copy of the personal data;
  • inform the data subject of the reasons why CRM Group processes this data.

If data is inaccurate or incomplete, the data subject may ask that it be rectified.

In certain circumstances, the data subject may, in accordance with the data protection regulations, request the deletion of personal data concerning him/her, inter alia if the personal data are no longer necessary for the purposes for which such had been collected or processed. CRM Group can however refuse to erase this data, for example for the introduction, the execution or the proof of a right in court.

In order to keep your data perfectly up to date, please inform us of any changes (example: change of marital status, domicile).

B. Right to oppose and limit the processing of your data and right to withdraw your consent

You have the right to object to certain treatments of your personal data that we would like to make.
In particular, you have the right to object, without justification, to the use of your data for prospecting purposes. You can also request the limitation of the processing of your data.

However, this right can only be exercised under certain conditions

  1. your application must be dated and signed;
  2. for cases other than the opposition for the purpose of prospecting, you must have serious and legitimate reasons in your particular situation to oppose the processing. In the event of a justified opposition, the processing in question can no longer relate to this data.

On the other hand, you can not oppose the treatment necessary for the execution of a contract concluded with you, for the execution of the pre-contractual measures taken at your request or for the respect of any legal or regulatory provision to which we are subject.

If you have given your consent to the processing of your personal data, you have the right to withdraw that consent at any time.

C. Right to data portability

Where necessary and to the extent applicable, the data subject may request to receive certain personal data which he/she has provided to  CRM Group in the context of the management and execution of his/her/its activities, and to transfer these data to another controller. Where technically possible, the data subject may request CRM Group to transfer the data directly to another controller.

10.2 Who can you contact?

If the data subject wishes to exercise his/her rights in relation to his/her personal data, he/she may report it to the DPO of the group: dpo@crmgroup.be

In accordance with the regulations, you are entitled to lodge a complaint with the relevant Control Authority.

11 Transfer outside of the EEA

In the event of international transfers from the EEA to a third country for which the European Commission has made a decision of adequacy recognizing that such country has a level of protection of personal data equivalent to that provided for by EEA legislation, your personal data will be transferred on this basis.

For transfers to countries outside the EEA for which the European Commission has not made a decision on adequacy, we rely on either a derogation applicable to the situation (e.g. in case of international payments, the transfer is necessary for the execution of the contract), or on the fact that the recipient of the data has agreed to process the personal data in accordance with the "Standard Contractual Clauses" established by the European Commission for data or subcontractors.

To obtain a copy of these texts or to know how to access them, you can send a written request in the manner indicated in Section 10.2.

12 Breach of personal data

12.1 Statement of violations relating to personal data

Authorized users must ensure, in the exercise of their function, to avoid incidents (deliberate or otherwise) that may affect the privacy of those concerned.

In case of a personal data breach, adequate measures are taken as soon as possible to minimize the risk of harm to the data subjects and CRM Group (damage to reputation, penalties imposed, ...).

In all cases, all authorized users, as well as all others who consult, use or manage CRM Group information, must immediately report any security breaches and incidents related to information security to the DPO so that an analysis can be immediately made, the necessary measures taken and a decision taken as to whether the violation should be reported to the Data Protection Authority and/or to the persons concerned.

When the report is made by email, it is important that it be sent to the DPO (see Section 10.2) and that it is expressly indicated in the subject of the email that it is a high urgency message. about a possible violation in relation to personal data.

The information must contain a complete and detailed description of the incident, including the identity of the person making the report (surname, first name, address, email (if any) and telephone number), of what type of incident it is, and how many people are concerned.

12.2 Investigation and risk analysis

In principle, within 24 hours after the incident or violation has been identified by CRM Group or reported by a subcontractor, an authorized user, a recipient, a data subject or a third party, an investigation will be initiated at CRM Group’s initiative

The investigation will determine the nature of the incident, the type of data targeted and whether specifically personal data are affected (and if so, who are the data subjects and how much personal data are affected) . The investigation will seek to determine whether this is a violation of personal data or not.

If this is a violation, a risk analysis will be carried out to find out what are (may be) the possible consequences of the breach, and in particular the (possible) impact on the data subjects.

CRM Group will then decide, on the basis of the nature of the breach, whether or not there is an obligation to notify the Data Protection Authority and/or the person concerned.

12.3 Documentation of the breaches

All violations will be documented in a register. The registry will detail the main cause of the incident and the contributing factors, the chronology of events, responses, recommendations and lessons learned to identify areas that need improvement. Recommended changes to systems and procedures will be documented and implemented as quickly as possible.

As part of its data protection compliance oversight mission, the DPO of the group will also review the follow-up given to the treatment of the violation recorded in the report.

13 How to become acquainted with this Policy and its modifications?

In a world of constant technological change, we will regularly update this Data Privacy Policy.

We invite you to read the latest version of this document on our sites and we will inform you of any substantial changes through our sites or by our usual methods of communication.

14 How to contact us?

If you have any questions regarding the use of your personal data covered by this Policy, you can contact our contact person by e-mail at dpo@crmgroup.be.

With respect to our staff members, they may also consult the "Data Privacy Policy for Employees" on the intranet.