Privacy Statement Discai NV
THIS PRIVACY STATEMENT APPLIES AS OF MARCH 07, 2022
Table of contents
Part 1: We must work together to safeguard your privacy
Your privacy is very important to us. Our aim is to process your personal data in a manner that is lawful, appropriate and transparent. In this Privacy Statement, we explain which of your personal details we collect from you as a natural person and then process. Throughout this document, this means details of you as a client, a possible future client or other affected party. Regardless of what capacity you act in, your rights do not change and Discai NV (hereinafter ‘Discai’) will treat your data with equal care.
1.1 Make sure you read all of this information and look at what action is open to you
We recommend that you read this information carefully, so that you know the purposes for which Discai uses your data. This Privacy Statement also contains more information about your privacy rights and how you can exercise them.
Discai may amend this Privacy Statement. The most recent version can always be found at www.discai.com.
Discai will inform you of all substantive changes to the terms of the Privacy Statement via its website. You will also find more information about Belgian privacy legislation on the website of the Belgian Data Protection Authority (previously called the Privacy Commission) at www.gegevensbeschermingsautoriteit.be.
1.2 Discai treats your personal details with care
Discai is a fintech company which is active in Belgium and selected other countries. Discai has its head office at Havenlaan 2, 1080 Brussels, Belgium. Discai is part of KBC Group (hereinafter ‘KBC’), which is an ‘integrated bank-insurance and asset management group’ (a group of companies that, through close cooperation, create and distribute banking, investment and insurance products and provide financial services). You can find more information about KBC’s different companies and activities at www.kbc.com.
Discai is responsible for processing personal data.
Contact Discai if you have any questions about the processing of your data.
If you have any questions about privacy or would like to adjust your privacy settings or exercise your rights, you can contact Discai via a dedicated mailbox: firstname.lastname@example.org.
Part 2: Your right to privacy
You have a lot of rights when it comes to the processing of your data. When Discai asks for your permission to process your data, you can revoke that permission whenever you wish.
There are no data processing operations and processes that are fully automated, without any human intervention.
2.1. You can inspect your data
If you would like to inspect the data that Discai processes about you, let us know.
If you exercise your right of inspection, Discai will give you as complete a list as possible of your data. It can happen that some personal data from back-up files, logs and stored records is not included in that list. Such data is not within scope of the data processed on an ongoing basis and it is not therefore immediately available. For that reason, it will also not be communicated to you. However, it is removed from those files in accordance with standard maintenance procedures.
2.2. You can have your data corrected
It can happen that certain information held on you by Discai is not (or is no longer) correct. You can ask for the data to be corrected or completed at any time.
2.3. You can have your data deleted
You can ask Discai to erase your personal data. If Discai no longer has an overriding ground for processing your personal data, it will erase it. Statutory duties can preclude erasure.
2.4. You can object to your data being used for certain purposes
If you disagree with how Discai invokes its legitimate interests to process certain data, you can object. We will heed objections unless there are overriding grounds not to do so.
2.5. You can ask for your data to be transferred to a third party.
You are entitled to ask for personal data that you yourself have provided to Discai to be transferred back to you or to a third party. The data protection laws place a number of restrictions on the exercise of this right, which means it is not applicable to all data.
2.6. You may exercise your rights.
Be as specific as possible any time you wish to exercise your rights. Discai can only properly answer queries for which sufficient detail is provided. Discai will need to verify your identity in as much detail as possible in case someone else tries to exercise your rights.
You may therefore be asked to provide ID when making such a request.
Do you have a question or a comment? If so, you can contact Discai via a mailbox: email@example.com.
If this route does not resolve the matter satisfactorily, you can contact the Discai Data Protection Officer: in writing, by sending a letter to Discai NV, Data Protection Officer, Havenlaan 2, 1080 Brussels, or by e-mail to firstname.lastname@example.org.
If you would like more information or if you do not agree with the standpoint adopted by Discai, make sure to visit the website of the Belgian Data Protection Authority (previously called the Privacy Commission) at www.gegevensbeschermingsautoriteit.be. You can also lodge complaints there.
Part 3: Discai has many reasons for processing your personal data
3.1. Discai’s compliance with laws and legal requirements
The main legal grounds for Discai having to process your data are summed up here.
- Discai must be able to respond correctly when you exercise your rights under privacy legislation. Discai is also required to answer questions from the Data Protection Authority, e.g. in the event of complaints.
- Discai has reporting duties towards company auditors.
- Discai has to answer questions posed by the tax authorities or exchange information spontaneously as required by tax legislation.
- Discai is also required to answer questions from the judicial authorities (police, public prosecutors, investigating magistrates and the courts).
3.2. Discai has to be able to assess whether an agreement or service may be contracted and has to be able to perform its contracts duly and properly
Discai processes the personal data of representatives of legal persons in order to authenticate and communicate with the legal persons and to exercise the company powers for Discai services and products.
3.3. Discai has to be able to function as a business
This is known as its ‘legitimate interests’.
In addition to the purposes set out above, Discai has a number of legitimate interests that form the basis for processing personal data. In that regard, Discai ensures that the impact on your privacy is kept to a minimum and that, in all events, Discai’s legitimate interests remain proportionate to the impact that upholding them has on your privacy. If you nonetheless object to this data being processed, you can exercise your right to object.
There are various situations in which personal data could be processed in Discai on the basis of legitimate interest:
- When applications are developed, tests need to be carried out using personal data, including the final acceptance test before an application can be put into production.
- Personal data may be used as evidence (stored records).
- It may be used to ascertain, exercise and safeguard the rights of Discai (e.g. in disputes).
- For direct marketing based on legitimate interests, further details are given in 3.6.
3.4. Discai uses your personal data for direct marketing
Discai wants to promote and offer its products and services via informing you of and/or inviting you at the webinars or events we organize or more generally for direct marketing purposes. We may do so not only in response to explicit requests but also where Discai feels you might be interested in or could benefit from a given product or service .
This information can reach you in all sorts of ways: via the internet and apps, by e-mail, by post, by phone and through events. Discai will make every effort to communicate the information clearly.
If you do not wish to receive any offers at all, you should exercise your right to object to direct marketing through the mailbox: email@example.com.
3.5. Discai will not sell your personal data
Discai does not sell or hire your personal data to third parties for their own use, unless you opt for this yourself and give your consent.
Anonymised insights into the market derived from your personal data may nevertheless be offered, so long as those receiving the insights are unable to ascertain the identity of the person whose data was processed. You can also object to your personal data being used to generate insights.
Part 4: Discai may process different types of data depending on the intended purpose
Discai processes your personal data for a variety of purposes. The different types of data that can be used are set out below.
4.1. Information to identify you, contact you and offer you the right product or service
Which data Discai uses for these purposes is set out below.
- To identify you: your name, date of birth, nationality, address, identity card, client number and national registration number.
- To contact you: your telephone number, e-mail address and language.
4.2 Information in the public domain and information obtained through third parties
Discai can sometimes process data that is available in the public domain.
Data that can be used is the data you have placed in the public domain yourself, such as information on your website, your blog or via your publicly accessible social media profile, or information about you that Discai has obtained from third parties.
It can also comprise data that is in the public domain, e.g: because it is common knowledge in your area or because it has appeared in the press. Information from sources such as the companies register and Graydon also fall into this category.
This data can be relevant and may be used for the purposes given by Discai in this privacy statement.
4.3. Information you give to Discai staff may also be processed
Whenever you contact a member of Discai staff, this is generally recorded in order to build a contact list, to have a report of the contact or as a reminder of tasks that our staff member has yet to carry out.
Even if you are not a client, Discai may store such information disclosed by you. This information can be used later if you do become a client. By adopting this approach, Discai seeks to avoid you having to repeatedly provide the same information. It also allows us to improve the continuity of our service to you.
4.4. Written Discai correspondence is carefully monitored
Correspondence with members of staff in their capacity as Discai employee (office address, job-linked or personal Discai e-mail address, etc.) is deemed to be business-related and may thus be examined in the context of their duties, the production of evidence, workplace checks, security and service optimisation and/or continuity.
4.5. More than just your own personal details may be involved
If you have a company, you agree that Discai can also keep a record and process the details of any associated persons.
Please note that legal entities may only provide us with personal details of natural persons associated with them if those persons are sufficiently informed of this and, where necessary, have given their consent.
Furthermore, the company is responsible for complying with the data protection legislation when it submits lists of users for online applications. The legal entity accordingly indemnifies Discai in respect of all liability in this regard (vis-à-vis those concerned).
Part 5: Security and confidentiality
5.1. Not everyone gets to see your data at Discai
Only those with appropriate authorization can access personal data, and then only if it is relevant to the performance of their duties.
In principle, within Discai, your personal data will only be processed and consulted by certain departments:
- with which you currently have a contractual relationship or are in contact, or where this has been the case in the past or you would like it to be so in the future;
- the involvement of which is required for the provision or aftercare of services.
The individuals who are authorized to consult your data are moreover bound by a strict professional duty of confidentiality and must abide by all technical instructions to ensure the confidentiality of your personal data and the security of the systems in which the data is held.
5.2. Your data is processed at a limited number of locations
Discai uses the services of processors to process personal data. These are companies that process data on the instructions of Discai.
Discai may engage the services of other processors, such as:
- lawyers and consultants;
- ICT service providers and specialist fintech companies.
5.3. Discai takes specific measures to protect your data
Discai ensures that strict rules are followed and that the processors concerned:
- only have the data they need in order to perform their tasks;
- have provided Discai with an undertaking that they will process this data securely and confidentially and only use it to carry out the instructions given to them.
Discai will not be liable if these processors lawfully disclose personal data to local authorities or if incidents occur at those processors despite the measures they have taken.
Discai takes internal technical and organizational measures to prevent personal data finding its way into the hands of, or being processed by, unauthorized parties or being accidentally altered or deleted.
Strict security measures are in place to protect premises, servers, the network, data transfers and the data itself, and extra checks are also carried out in this regard.
You and us together need to be aware that information shared by e-mail can sometimes be intercepted and, where possible, we must aim to use a different means of communication or to limit the amount of information sent.
5.4 Discai does not keep your data forever
Discai uses your personal data where Discai has a clear aim in mind. Once that aim no longer exists, we delete the data.
The starting point for storing your personal data is the statutory retention period. The period can be longer where needed for the exercise of our rights. If no retention period is stipulated by law, it can be shorter.
5.5. Discai thinks before it answers queries from external parties
As Discai has to comply with its confidentiality obligations and with the privacy legislation, it may only answer queries from third parties if (i) they arise pursuant to a legal requirement or a legitimate interest; (ii) doing so is a prerequisite for performing the contract; or (iii) the data subject has given their permission.
In the last case, Discai actually advises third parties to request the information direct from the relevant person.
Discai declines liability if, under applicable (foreign) legal obligations, the lawful recipients of personal data are required to pass personal data about clients on to the local authorities or process it without an adequate level of security.