Privacy and protection of personal data
As an auditing firm, we are responsible for processing a great deal of data. Some of this data involves personal data and, in this context, we inform you of the following.
The personal data we process may relate to you in your position as a client of the firm but also to you as a business relation of our clients (such as the case where you are a supplier or customer of our client). In any case, we should draw your attention to the following as a data subject whose personal data are processed by us.
- Controller of personal data processing.
The party responsible for processing personal data is BVBA Guy Parmentier.
The registered office of the controller is located at 2900 Schoten, Valkenlaan no. 31 with company number 0480.463.170.
The responsible party is registered with the Institute of Company Auditors under approval number A01479.
For all questions relating to the protection of personal data, please contact BV mentioning BVBA Guy Parmentier by letter at the above address or by e-mail firstname.lastname@example.org.
If applicable: details of DPO (data protection officer) or individual data protection officer.
- Purposes of processing personal data.
The firm processes personal data for the following purposes:
- Application of the Law of September 18th 2017 on the prevention of money laundering and the financing of terrorism and on the restriction of the use of cash.
1° In application of the article 26 of the law of September 18th 2017, our firm must collect the following personal data with respect to our clients and their agents :the surname, first name, date and place of birth and, to the possible extent, address
2 ° In application of the article 26 of the law of September 18th 2017, our firm must collect the following personal data regarding the clients’ beneficial owners: the surname, first name and, to the possible extent, the date and place of birth and address
The processing of these personal data is a legal obligation. Without these data, we cannot enter into A. business relationship (art.33 Law of September 18th 2017 on the prevention of money laundering and the financing of terrorism and on the restriction of the use of cash.).
- The obligations resting on the firm towards the Belgian government, foreign governments or international institutions in execution of a legal or regulatory obligation, in execution of a judicial decision, or in the context of the defence of a legitimate interest by, inter alia, but not exclusively, current and future tax (e.g. VAT listings, tax sheets) and social laws, require us to process personal data within the framework of the assignment with which we have been entrusted.
The processing of these personal data is a legal obligation and without them we cannot enter into a business relationship.
- Execution of an agreement concerning accounting and tax services. The processing of personal data concerns the data of the clients themselves, their staff members, their directors and the like, as well as other persons involved in the activity as customers or suppliers, among others.
Without the provision and processing of this data, we cannot properly carry out our duties as auditors.
- What personal data and from whom?
In the context of the purposes mentioned under 2, our firm may process the following personal data: first name, name, e-mail address, biometric data (copy of e-id or passport), address, company number, national number …
List but always clearly limit to what is necessary for the intended purpose.
Within the framework of personal tax returns via Tax-on-web, the following data are also processed: children, union membership, political organisations, medical data,
The firm processes personal data provided by the persons concerned or their relatives.
The firm also processes personal data not provided by the data subject, such as personal data provided by the client concerning its employees, directors, customers, suppliers or shareholders.
The personal data may also originate from public sources such as the Crossroads Bank for Enterprises, the Belgian Official Gazette and its annexes, the National Bank of Belgium (Central Balance Sheet Office) and the like.
The data will only be processed to the extent necessary for the purposes mentioned under item 2.
The personal data will not be passed on to third countries or international organisations.
If yes then a clause should be added – see Art 45 GDPR
If applicable: include automated decision-making/ profiling and why
- Recipient of data
In accordance with the foregoing and except to the extent that the communication of personal data to organisations or entities whose intervention as third service providers on behalf and under the control of the controller is required to achieve the aforementioned purposes, the firm will not communicate, sell, rent or exchange the personal data collected in this context with any other organisation or entity, unless you have been informed in advance and explicitly agreed to it.
The firm uses third-party service providers:
The firm uses an e-bookkeeping software and an associated portal
The firm makes use of external staff to perform certain tasks or specific assignments (auditor, notary, etc.).
The firm may take all measures necessary to ensure proper management of the website and its IT system.
The firm may transmit personal data at the request of any legally competent authority, or even on its own initiative if it believes in good faith that the transmission of such information is necessary to comply with laws and regulations, or to defend and/or protect the rights or property of the firm, its clients, its website and/or you.
- Security measures.
In order to prevent, as far as possible, unauthorised access to personal data collected in this context, the firm has established security and organisational procedures, which cover both the collection of these data and their storage.
These procedures also apply to all processors engaged by the firm.
- Retention period
6.1. Personal data we are required to retain under the Act of September 18th 2017 (see 2.A.)
This concerns the identification data and the copy of supporting documents regarding our clients, internal and external agents as well as the beneficial owners of our clients.
In accordance with Article 60 of the Law of September 18th 2017, these personal data will be kept for no later than 10 years after the end of the business relationship with the client or from the date of an occasional transaction.
6.2.Other personal data
The personal data of the persons other than those mentioned above shall be kept only for the periods provided for in the applicable legislation such as accounting legislation, tax legislation, social legislation.
6.3 After the expiry of the aforementioned periods, the personal data will be deleted, unless other applicable legislation provides for a longer retention period.
- Rights of access, rectification, oblivion, data portability, objection, non-profiling and regarding security breach notification
7.1. Concerning the personal data we are required to keep in application of the Law of September 18th 2017.
This concerns the personal data of our clients, their agents and ultimate beneficiaries.
In this regard, we should draw your attention to the Article 65 of the Law of September 18th 2017 :
“Art. 65. The person to whom the processing of personal data under this law applies does not have the right to access and rectify his data, nor the right to be forgotten, to data portability or to raise objections, nor the right not to be profiled, nor the notification of security breaches.
The right of access of the person concerned to personal data concerning him is carried out indirectly, pursuant to the article 13 of the aforementioned Act of 8 December 1992, with the Commission for the Protection of Privacy as established by article 23 of the same Act.
The Privacy Protection Commission shall only inform the applicant that the necessary verifications have been carried out and of their outcome as regards the lawfulness of the processing in question.
This information may be communicated to the applicant when the Commission for the Protection of Privacy, in consultation with CTIF-CFI and after obtaining the opinion of the controller, determines, on the one hand, that its communication is not susceptible to disclosure of the existence of a notification of a suspicion referred to in Articles 47 and 54, of the consequences given to it or of the exercise by CTIF-CFI of its right to request additional information under Article 81, nor is it susceptible of jeopardising the objective of combating WG/FT, and on the other hand establishes that the information in question relates to the applicant and is held by subject entities, CTIF-CFI or the supervisory authorities for the purposes of this Law. ”
For the application of your rights regarding your personal data, you should therefore turn to the Data Protection Authority (see point 8.)
7.2. All other personal data
For the application of your rights regarding all other personal data, you can always contact : Mr. Guy Parmentier
With regard to the processing of personal data by our office, You may file a complaint with the Data Protection Authority :
Commission for the Protection of Privacy
Press Street 35, 1000 Brussels
Tel +32 (0)2 274 48 00
Fax : +32 (0)2 274 48 35
E-mail : email@example.com
URL : https://www.privacycommission.be