GDPR
Introduction
As a firm of chartered accountants, we are responsible for processing numerous data, some of which are personal data.
The firm collects and processes identity data and contact details that it receives from the client regarding the client themselves, their family members, their staff, their collaborators, their agents, their business relations (suppliers or clients of the client), and any other useful contact persons. This personal data is processed by the firm in accordance with Belgian data protection legislation and the provisions of Regulation 2016/679 of 27 April 2016 concerning the protection of natural persons with regard to the processing of personal data and the free movement of such data, applicable from 25 May 2018 (hereinafter referred to as the "General Data Protection Regulation").
The client is responsible for the accuracy and up-to-date nature of the personal data they provide to the firm and undertakes to strictly comply with the provisions of the General Data Protection Regulation regarding the individuals whose personal data they have transmitted, as well as concerning all possible personal data they may receive from their clients, staff, collaborators, and agents.
The client acknowledges having read the information below and authorises the firm to process the personal data that he provides in the context of the services that will be provided by the firm, in accordance with the provisions set out in this privacy statement.
1. Data controller
The data controller is RED & BLACK ACCOUNTANCY
The registered office of the responsible party is located at 4570 Marchin, Armand Bellery Street No. 5 and its company number is BE1004.705.808
The responsible person is registered with the ITAA, under the approval number 13.325.675
For any questions regarding the protection of personal data, please contact RED & BLACK ACCOUNTANCY, by post at the address above or by email (d.kabili@redblack.be).
1. Purposes of processing personal data
2.1 For each processing operation, only the data relevant to the pursuit of the intended purpose is processed. The processing consists of any operation (manual or automated) on a personal data.
These data will only be transmitted to subcontractors, recipients and/or third parties as necessary for the purposes mentioned above for the said processing.
2.2 In general, the firm processes personal data for the following purposes:
A. Implementation of the law of 18 September 2017 on the prevention of money laundering and the financing of terrorism and on the limitation of the use of cash (hereinafter, the law of 18 September 2017).
1° In accordance with Article 26 of the law of 18 September 2017, our firm is required to collect the following personal data concerning our clients and their representatives: surname, first name, date of birth, place of birth and, where possible, address.
2° In accordance with Article 26 of the law of 18 September 2017, our firm is required to collect the following personal data concerning the beneficial owners of clients: surname, first name and, where possible, date of birth, place of birth and address.
The processing of this personal data is a legal obligation. Without this data, we cannot enter into a business relationship (Article 33 of the law of 18 September 2017).
B. The obligations incumbent upon the firm in relation to Belgian authorities, foreign authorities, or international institutions, in accordance with a legal or regulatory obligation, in accordance with a judicial decision, or in the context of defending a legitimate interest, notably, but not exclusively, if current and future tax laws (VAT listings, tax forms...) and social laws compel us to process personal data in the context of the mission we have been assigned..
The processing of this personal data is a legal obligation. Without this data, the firm cannot establish a business relationship.
C. Execution of the engagement letter relating to accounting and tax services. The processing of personal data concerns the data of the clients themselves, their staff members, their directors, among others, as well as other individuals, such as clients and suppliers, involved in their activities..
In the absence of communication and processing of this data, we are unable to successfully carry out our duties as accountants.
D. Direct marketing activities, such as sending promotional or commercial information in the form of "newsletters". The client can unsubscribe at any time from the newsletters and other communications from the firm. The client can unsubscribe by sending an email to the following address: d.kabili@redblack.be
2.3 Specifically, the firm collects, records, and uses client data for the following purposes :
- establish and manage the contractual relationship with the client;
- analyse, adapt and improve the content of the firm's website;
- carry out the mission ;
- allow the client to receive communications and information ;
- respond to information requests;
- for any communication activity by the firm to clients who have given their consent ;
- to inform clients of any changes to the firm's website and its features and to the general terms and conditions ;
- for any other reason to which the customer has expressly consented.
2.4 The legal basis for the processing of personal data by the firm is :
(i) the client's consent;
or
If the legal basis for the processing is the client's consent, the client has the right to withdraw it at any time without affecting the lawfulness of the processing carried out before the client's withdrawal of consent.
(ii) the execution of any request from the client or the necessity to fulfil a contract concluded with the client.
The firm needs to collect certain data from the client in order to respond to their requests. If the client chooses not to share this data with the firm, it may make the execution of the contract impossible.
(iii) a legal obligation imposed on the professional who needs to collect and store certain client data to comply with various legal requirements, including those related to taxes, accounting, and anti-money laundering legislation.
(iv) the legitimate interest of the firm in processing the client's personal data, provided that it is in accordance with the client's interests, freedoms, and fundamental rights.
The firm has a legitimate interest in interacting with clients, particularly for:
- respond to their requests or improve the mission,
- prevent abuse and fraud, monitor the regularity of operations, exercise, defend and preserve the rights of the firm, for example in litigation,
- provide evidence of a possible violation of the firm's rights,
- manage and improve customer relationships,
- continuously improve the services of the firm.
The firm ensures in all cases to maintain a proportionate balance between its legitimate interest and the respect for clients' privacy.
1. What personal data and from whom?
3.1 The firm processes personal data that the data subject or their relatives have provided themselves.
- The identification data, such as the first name and surname, marital status, date of birth, address, employer, job title, telephone number and email address, national number and company number ;
- Biometric data (copy of the electronic identity card or passport) ;
- The banking information necessary for the firm to carry out its mission, such as bank account numbers, IBAN, and BIC/SWIFT ;
- Billing information ;
- The communications between the client and the firm ;
- As part of the personal income tax declarations via Tax-on-web, the following data is also processed: children, membership in a trade union or a political organisation, medical data.
-
Any other personal data required in order to carry out the mission.
3.2 The firm processes personal data that has not been provided by the data subject :
- the personal data transmitted by the client concerning its employees, directors, customers, suppliers.
3.3 The firm processes personal data that has not been provided by the client :
- Personal data may come from public sources such as the Crossroads Bank for Enterprises, the Belgian Official Gazette and its annexes, and the National Bank of Belgium (Central Balance Sheet Office) ;
-
As part of the mission, the firm may also collect certain data through other companies, particularly from the following sources :
- other companies that have requested our services in connection with a matter that concerns you (for example, as a third party, contractor, partner, tax declaration for related family members, etc.) ;
- the jurisdictions;
- the bailiffs or the notaries;
- the tax or social administration;
- the clients/suppliers…
1. Data recipient
4.1 Communication to third parties other than service providers
The firm may transmit personal data at the request of any legally competent authority or on its own initiative, if it believes in good faith that the transmission of this information is necessary in order to comply with the law or regulations, or to defend and/or protect the rights or property of the firm, its clients, its website, and/or yourself.
4.2 Communication to third-party service providers
The firm engages third-party service providers:
- the firm uses electronic accounting software and its portal;
- the firm calls upon external collaborators for the execution of certain tasks or specific missions (company auditor, notary...).
The firm may communicate its clients' personal information to third parties to the extent that this information is necessary for the performance of a contract with its clients. In this case, these third parties will not disclose this information to other third parties, except in one of the following two situations :
- the communication of this information by these third parties to their suppliers or subcontractors is necessary for the performance of the contract;
- when these third parties are required by the applicable regulations to provide certain information or documents to the competent authorities in the field of anti-money laundering, as well as, in general, to any competent public authority.
The communication of this information to the aforementioned persons must, in all circumstances, be limited to what is strictly necessary or required by the applicable regulations..
4.3 Transfer to a country outside the European Economic Area (if applicable)
The firm only transfers data to a country outside the European Economic Area when that country provides an adequate level of protection as defined by applicable legislation and, in particular, by the General Data Protection Regulation, or within the limits permitted by applicable legislation, for example by ensuring data protection through appropriate contractual provisions.
1. Security measures
The firm has taken appropriate organisational and technical measures regarding both the collection and storage of data in order to ensure a level of security suitable to the risk and to prevent, as far as possible:
- unauthorised access to or modification of this data ;
- the inappropriate use or disclosure of this data ;
- the illegal destruction or accidental loss of this data.
These procedures also apply to all subcontractors that the firm engages.
In this regard, the employees, partners, or collaborators of the firm who have access to this data are subject to a strict confidentiality obligation.
The firm cannot be held responsible in the event of theft or misuse of this data by a third party despite the security measures adopted.
1. Retention period
6.1 Personal data that must be retained by the firm in accordance with the law of September 18, 2017 (see point 2.2A)
This concerns identification data and copies of evidence regarding clients, internal and external agents, as well as the actual beneficiaries of the clients.
In accordance with Articles 60 and 62 of the law of 18 September 2017, this personal data is retained for a maximum of ten years after the end of the professional relationship or an occasional transaction with the client.
6.2 Other personal data
The personal data not mentioned above is only retained for the durations specified by applicable legislation, such as accounting legislation, tax legislation, and social legislation, except for personal data that the firm is required to keep for a longer period based on specific legislation or in the event of an ongoing dispute for which the personal data is necessary.
6.3 Once the retention periods have expired, the personal data is deleted, unless another applicable legislation provides for a longer retention period.
1. Rights of access, rectification, right to be forgotten, data portability, objection, non-profiling, and notification of security breaches
7.1 In accordance with the regulations on the processing of personal data, the client has the following rights, subject to the specific case mentioned in Article 7.2 :
- Right to be informed about the purposes of the processing and the identity of the data controller;
- Right of access: the client has the right to request at any time whether their data has been collected, for how long, and for what purpose;
- Right to object: the client may at any time object to the use of their data by the firm;
- Right to rectification: the client has the right to request that their incorrect or incomplete data be corrected or completed at any time upon simple request;
- Right to restriction of processing: the client can request a restriction on the processing of their data. This means that the data in question must be 'marked' in the firm's computer system and cannot be used for a certain period of time;
- Right to erasure of data (right to be forgotten): subject to exceptions provided by law, the client has the right to demand that their data be erased, except for those that the firm is legally required to retain;
- Right to data portability: the client may request that their data be transmitted to them in a 'structured, commonly used, and machine-readable format' and may also request the firm to transmit this data to another data controller;
- Right to lodge a complaint: the client may lodge a complaint with the Data Protection Authority.
To exercise your rights, you can always send a written request, accompanied by a copy of your identity card or passport, to the data controller (or the DPO) by email: d.kabili@redblack.be or by regular mail.
7.2 Personal data that the firm must retain in accordance with the law of September 18, 2017
This concerns the personal data of clients, agents, and the actual beneficiaries of the clients.
In this matter, we must draw your attention to Article 65 of the law of September 18, 2017:
« Art. 65. The person concerned by the processing of personal data under this law does not have the right of access and rectification of their data, nor the right to be forgotten, to data portability, to object, nor the right not to be profiled or to be notified of security breaches.
The right of access of the person concerned to their personal data is exercised indirectly, in accordance with Article 13 of the law of December 8, 1992 mentioned above, through the Commission for the Protection of Privacy established by Article 23 of the said law.
The Commission for the Protection of Privacy only informs the applicant that the necessary verifications have been carried out and the result regarding the lawfulness of the processing in question.
This data may be communicated to the applicant when the Commission for the Protection of Privacy finds, in agreement with the CTIF and after consulting the data controller, that their communication is neither likely to reveal the existence of a suspicious transaction report referred to in Articles 47 and 54, the follow-up given to it or the exercise by the CTIF of its right to request additional information pursuant to Article 81, nor to jeopardize the purpose of combating money laundering and terrorist financing (AML/CFT), and also that the data in question relates to the applicant and is held by the obliged entities, the CTIF, or the supervisory authorities for the purposes of applying this law.
"To exercise your rights related to your personal data, you should therefore contact the Data Protection Authority (see point 8).
1. Complaints
You can lodge a complaint regarding the processing of personal data by our firm with the Data Protection Authority:
Data Protection Authority
Rue de la Presse 35, 1000 Brussels
Fax : +32 (0)2 274 48 35
URL : https://www.privacycommission.be/
1. Updates and modifications to the privacy statement
By informing clients via the firm's website or by email, the firm can modify and adapt the privacy statement, in particular to comply with any new legislation and/or regulation applicable in the field of personal data protection, the recommendations of the Belgian Data Protection Authority, the guidelines, recommendations, and best practices of the European Data Protection Board, and the decisions of courts and tribunals on this matter.