Privacy Policy External 

1. 1. Purpose

This document describes NORTH HILL BV’ policies on user data collection and usage in accordance with the GDPR requirements.

 

2. Scope

Applicable for ISMS Annex A18. 

 

3. Responsibility

The GDPR North Hill Team is responsible for this procedure and responsible for executing this procedure when needed.

 

4. Process

4.1.General 

4.2. Introduction 

This privacy policy indicates what to expect from NORTH HILL BV regarding personal data when you contact us or use any of our services. In what follows we will tell you why we process your data, for what purpose we process it, why you need to provide it to us and how it is stored. We will also mention whether there are other recipients of your personal data, whether we intend to transfer it to another country, and whether we make automated decisions or use profiling. 

In collecting and using this data, the organization is subject to a variety of laws that control how such 

activities can be carried out and what safeguards must be in place to protect them. 

The purpose of this policy is to set out the relevant legislation and describe the steps NORTH HILL BV takes to ensure compliance with this legislation. 

This control applies to all systems, people and processes that constitute the organization’s information systems, including board members, employees, suppliers and other third parties who have access to NORTH HILL BV’ systems. 

4.3. Identity  

NORTH HILL BV, with registered office at Posthofbrug 6 – 8 Bus 5/147 in 2600 Antwerpen-Berchem / Belgium, registered in the Register of Legal Persons, with VAT-number BE0762.647.058, hereby legally represented by Alban Nuytten, Managing Director NORTH HILL BV. 

 4.4. GDPR (General Data Protection Regulation) 

 The General Data Protection Regulation (GDPR) is one of the most important pieces of legislation that affects the way NORTH HILL BV carries out processing activities. 

GDPR was transposed in Belgium by the ‘Data Protection Act’ of 30 July 2018. 

Significant fines can be imposed if there is a breach under GDPR, which is designed to protect the 

personal data of citizens of the European Union. This policy of NORTH HILL BV ensures that our compliance with GDPR and other relevant legislation is clear and demonstrable at all times. 

 4.4.1. Personal Data 

 Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an 

identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; 

 4.4.2. Processing 

 Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; 

 4.4.3. Controller 

 The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; 

 4.4.4. Principles 

Personal Data shall be: 

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’); 

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’); 

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’); 

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’); 

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’); 

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’). The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’). 

 4.5. Data Transparency 

4.5.1. What type of personal data is collected? 

 Various types of personal data are processed relating to what you provide to us yourself through our website and / or other communication channels. 

 When you visit our website, we collect and process: 

– Technical information related to the device you are using, such as your IP address, browser type, geographical location and operating system. 

– Information related to your browsing habits, such as the time you spend on a page, which links you click, which pages you visit and how often you visit a particular page. 

When you fill out our contact form or contact us, we collect and process: 

– The personal identification data you provide us, such as your name, email address, phone number, organization. 

– The content of the message and its technical details (with whom of us you are communicating, the date, time, etc.); 

– Any other personal data you provide to us. 

When you sign up for our newsletter, we collect and process: 

– Personal identification data such as name and email address 

When you negotiate, conclude and perform a contract with us, we collect and process: 

– Your personal identification information, such as your name, email address, employer and position; 

– Your signature; 

– Any other personal data you provide to us during the term of the contract. 

When we deliver certain services to you, we collect and process: 

– Your contact and billing information 

When you apply for a job on our job website, we collect and process: 

– The personal identification data you provide us, such as your name, email address, phone number, organization. 

– CV with all relevant information such as education, work experience, interests, etc…. 

– Any other personal data you provide to us through the cover letter or CV. 

 4.5.2. What is the purpose of personal data processing?  

We process your personal data for several reasons, including enabling you to visit our websites and to communicate with us. In this paragraph we provide you with an overview of all the reasons why we process your personal data. 

 We process your personal data for the following reasons: 

1. a) To provide you with the requested information and services in a tailor-made and efficient manner;
2. b) To carry out statistical analyses and to be able to improve our website and services;
3. c) To be able to process and perform the contract to which you or your company or employer is aparty, including the administration thereof; 

1. d) To be able to defend ourselves and our interests in legal proceedings;
2. e) For security reasons and to be able to detect, prevent and report abuse;
3. f) To notify any third party in the context of a possible merger with, acquisition of/by or spin-off by that third party, even if that third party is located outside the EU; 

1. g) To comply with our legal obligations and any valid request from police, judicial or governmental authorities. 

 4.5.3. Lawful processing of your personal data 

 The law requires us to clarify which legal ground we rely on to process your personal data (e.g. your consent). In this article, we indicate for each purpose, as mentioned above, which legal ground we use. Data protection legislation requires us to tell you precisely which legal ground we are relying on to make the processing of your personal data lawful. We must do this for each of the purposes listed in the previous section. For the purpose under (a), we rely on your consent. For sending newsletters, advertising, promotions and offers, we will always ask you for your expressive prior consent, which you can withdraw at any time. You can unsubscribe in the e-mails we send you. 

For the purpose under (g) we need to process your personal data to comply with our legal obligations. For the purposes under (b) to (f), we process your personal data because it is necessary for the 

protection of our legitimate interests, which in this case relate to: 

– monitoring the quality level of our websites and services; 

– Being able to conduct our administration and services in a normal and professional manner; 

– Obtaining insight into the way in which the website is used; 

– our commercial interests to improve and expand our customer relationships, activities and services; 

– our interest in the context of safety and security; 

 4.5.4. Who can access your personal data? 

 We do not sell or disclose to third parties the personal data we have collected, except as described in this Privacy Policy or as disclosed to you at the time of collection. We may share personal information with affiliated entities or with third party data processors on our behalf. When these service providers act as data processors on our behalf, we do not permit them to use or disclose this information in a way that is inconsistent with the cases described in this Privacy Policy. We require these data processors to ensure the privacy and security of the personal data they process on our behalf. 

 We may also disclose your personal data: 

– When certain legislation or legal proceedings require us to do so; 

– When government agencies require us to do so; 

– when we believe that disclosure is necessary and appropriate to prevent physical integrity or any financial loss, or in connection with an investigation of suspected or actual fraudulent and illegal activities. We reserve the right to transfer personal data in the event that we sell part or all of our business or assets. If such a sale occurs, we will take all reasonable steps to encourage the transferee to process the personal data provided to us properly and in a manner consistent with our Privacy Policy. 

 4.5.5. personal data availability timeframe? 

We will retain your personal data only to the extent and for as long as necessary to achieve the purposes set out in the previous sections. Your personal data will only be processed for as long as necessary to achieve the purposes listed above or until you withdraw your consent for processing. We will de-identify your personal data when it is no longer needed for these purposes unless: 

– A legal or regulatory obligation or a court or administrative order prevents us from de-identifying the data. 

 4.5.6. Security and Confidentiality 

 NORTH HILL BV guarantees that the processing of your personal data is performed in an adequate, correct and secure manner. Appropriate technical and organizational measures have been taken to prevent any loss, falsification or unlawful alteration of, as well as unlawful access to, the personal data. 

4.6. Data Management 

4.6.1. Rights of the Data Subject 

The data subject also has rights under GDPR. These consist of: 

– the right to information 

– the right of access 

– the right to rectification 

– the right to erasure 

– the right to restrict processing 

– the right to data portability 

– the right to object 

– rights related to automated decision-making and profiling. 

 Each of these rights is supported by appropriate procedures within the client’s company that allow for the necessary action to be taken within the timeframes set out in the GDPR. 

These timelines are outlined below.