BioLizard values privacy and is therefore committed to protect the (personal) data of all its stakeholders with the greatest possible car, and to process personal data only in a fair and lawful manner.
- Employees’ personal data (applicants (present and past), current employees (full-time, part-time and temporary), former employees, external employees, interns and contractors;
- Shareholders’ and partners’ personal data;
- On-site visitors’ personal data;
- Website visitors’ personal data;
- Suppliers and customers contact persons’ personal data.
|Controller||is defined as a natural or legal person who (either alone, jointly or together with other persons) determines the purpose(s) “for which” and the manner “in which” any personal data is or will be processed.|
|Data subject||is defined as a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.|
|DPA||Data Protection Authority.|
|DPIA||Data Protection Impact Assessment as defined in the GDPR.|
|DPO||Data Protection Officer as defined in the GDPR and local regulations, and is officially registered with the Supervisory Authority (also known as Data Protection Authority : “DPA”).|
|PA||Processing agreements as defined in the GDPR.|
|Personal data||is defined as any information relating to an identified or identifiable natural person. An identifiable natural person is the one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.|
|Personal data breach||means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or, or access to, personal data transmitted, stored or otherwise processed.|
|Privacy responsible||is defined as nominated person who is responsible for data protection and privacy compliance and fulfills the tasks of a Data Protection Officer as defined in the GDPR and local regulations, but is not officially registered with the DPA.|
|Processing||is defined as any operation or a set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.|
|Processor||is defined as a natural or legal person (other than an employee of the controller) who processes personal data on behalf of the controller. BioLizard has for all relations with processor a valid processing agreement.|
|RoPA||Records of Processing Activities as defined in the GDPR.|
|Special categories of data||is defined as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation (art. 9). Data relating to criminal convictions or offences is also sensitive (art. 10).|
4. General principles
BioLizard wants to continue being an organisation that cares about the privacy of people and their data and creates a culture and environment that is resilient to any accidental and deliberate personal data infringement occurring.
With all privacy and data protection efforts in place and envisioned, the achievement of the following objectives is paramount to BioLizard:
- Protection of confidential and privacy-sensitive information
- Respect and protect the fundamental rights and freedoms of all data subjects
- Ensure transparency, confidentiality and integrity of the processed personal data
- Compliance with existing laws and regulations
BioLizard processes personal data from customers, employees and suppliers on a daily basis. Any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or, or access to, personal data transmitted, stored or otherwise processed, can lead to, among other things:
- A breach of the trust of customers and employees of BioLizard
- Damage for customers and/or suppliers with claims for damages as a result
- Reputational damage to BioLizard
- Violation of legislation
5. Roles and responsibilities
In order to guarantee confidentiality and careful handling of personal data, all individuals working for BioLizard must ensure that personal data that is being processed happens in line with this policy and the data protection principles. Therefore employees, contractors and other stakeholders involved have the responsibility to:
- Identify personal data processing activities and the risks that accompany the processing of personal data
- Only process the data necessary to achieve a predefined purpose
- Execute the proposed measures by BioLizard and follow up on the changes in the policies and procedures
- Informing the privacy responsible on major changes in the entity
- Inform the privacy responsible if any doubts and/or questions arise
- Know BioLizard’s vision on privacy and recognize what this means for his/her responsibilities
- For questions relating to privacy and data protection, BioLizard appointed a Data Protection Officer (DPO). This policy and the implementation thereof fall under the responsibility of the DPO.
All BioLizard policies related to the protection of personal data are evaluated on a continues basis and are adjusted when necessary under the coordination of the DPO. New developments in the organisation, technology or applicable regulations may lead to changes to this policy and/or other documents.
6. Data protection approach
6.1. Personal data protection framework
In this section the relevant privacy data protection laws and regulations, the personal data protection principles and BioLizard procedures and policies are being explained. The personal data protection framework serves as the knowledge base for the DPO and can also provide for an in-depth guidance for all stakeholders involved.
6.1.1.Laws and regulations
EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016, or the European General Data Protection Regulation (GDPR), defines the rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. In addition, the GDPR foremost protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
6.1.2.Data processing principles
Every company is obliged to process personal data in accordance with the data processing principles as described in the GDPR. BioLizard has put the appropriate organisational and technical measures in place to assure compliance with these principles and ensures continues evaluation of these measures.
Therefore, it is also important for every employee dealing with personal data to be aware of the data processing principles. In addition, BioLizard employees and stakeholders involved should only process personal data after analysis and application of the following six principles.
184.108.40.206. Lawfulness, fairness and transparency
BioLizard should assure that personal data is collected and further processed in a lawful, fair and transparent manner.
Irrespectively of the personal data collected, whether it is direct or indirect, personal data processing by BioLizard needs to be based on one of the legal grounds listed under the GDPR, namely:
- Consent of the data subject should be informed explicit, specific and unambiguous e.g. to use pictures of data subjects on BioLizard website;
- Legitimate interest pursued by BioLizard could be used as legal basis, unless such interest is overridden by the interests for fundamental rights and freedoms of the data subject;
- Performance of the contract to which the data subject is a party or in order to take steps (at the request of the data subject) prior to entering into a contract e.g. employment contract;
- Legal obligation to which BioLizard is a subject;
- Vital interest of the data subject e.g. in case of accident at work, BioLizard as employer may provide the name of the employee to the hospital;
- Public interest e.g. performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the personal data is disclosed.
Personal data processing shall not have an adverse impact on the data subjects concerned, unless the EU or national law states otherwise. BioLizard intends to only handle data subject’s data in ways he/she would reasonably expect, or BioLizard can explain why any unexpected processing is justified.
The data subjects, whose personal data is collected directly or indirectly, must be informed in a timely manner about the processing, unless the EU or national law states otherwise. Transparent processing is about being clear and honest with people about BioLizard intentions and the purposes of processing.
BioLizard should assure that personal data is only processed for specific, explicit and legitimate purposes. If afterwards the personal data is processed for a new purpose, incompatible with the initial one, the data subject concerned is duly informed and has to provide his/her consent or is allowed to object to such processing.
BioLizard should only gather personal data which is adequate, relevant and limited to what is necessary to achieve the purposes for which it is processed. When possible, personal data should be pseudonymised or anonymised.
BioLizard should assure that personal data is kept accurate and up to date throughout its lifecycle (from the collection to the destruction / deletion).
BioLizard should assure that personal data is no longer kept than necessary to meet the legitimate business purposes for which the personal data was collected and in compliance with BioLizard data retention procedure, unless EU or national laws state otherwise.
220.127.116.11. Integrity and confidentiality
BioLizard protects personal data in a way that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.
The accountability principle requires BioLizard to take responsibility for what it does with personal data and how it complies with the other principles.
6.1.3. Data protection policies
Please find in this section an overview of the BioLizard policies in place. This list is not exhaustive and is subject to change.
An overview of the importance BioLizard attaches to privacy and personal data protection and serves as a guide for all BioLizard stakeholders.
18.104.22.168. Internal privacy statement
The internal privacy statement for employees explains which data is being processed from internal and external employees and contractors, the purpose and the legal grounds to do so.
22.214.171.124. External privacy statement
The external privacy statement provides information about the personal data that BioLizard collects through its website and contact form, and the purposes for and legal bases on which BioLizard processes that personal data.
The cookie statement provides information about what cookies are, which cookies BioLizard applies and how BioLizard uses them on its website.
126.96.36.199. Data retention policy
In line with the data protection principles of storage limitation and accuracy, it is required to set out clear data retention periods for the personal data being processed by BioLizard. We do not retain personal data no longer than strictly necessary for the realisation of the purposes for which we received the data, or for the execution of a contract or for fulfilling a legal obligation. The retention periods differ with regards to the type of processing activity and the purpose for which the personal data were collected.
6.1.4. Data protection procedures
Please find in this section an overview of the BioLizard procedures in place. This list is not exhaustive and is subject to change.
Every individual has the possibility to exercise the freedoms and rights as described in the GDPR. BioLizard has the obligation to respond in a timely manner to data subject requests and to make sure that the legal deadlines are met.
When dealing with a data subject request for exercising his/her rights, please consult the procedure data subject requests and contact email@example.com.
At all times, the Data Subject has the possibility to exercise his or her rights as described in the GDPR. The data subject can exercise the following rights:
Right to information
Data subject always has the opportunity to request his/her personal data (including processing purposes, categories of personal data, estimated retention period) and to be informed about what happens with the data collected from data subject.
Right to access
Data subject has the right to access his/personal data and to request a copy of the personal data that collects BioLizard about him/her.
Right to rectification, erasure, restriction and objection
Data subject is entitled to have incorrect personal data corrected or completed. Under certain circumstances, the data subject has the right to have his/her personal data removed from any files. Moreover, the data subject has the right to object to or ask for the restriction of the processing of your personal data. However, that in certain cases the processing of the personal data is necessary to comply with legal obligations or to be able to execute contractual obligations. In that case, compliance with those obligations will prevail over the data subject’s right to object or restriction or erasure. Therefore, BioLizard will evaluate case by case whether or not the request can be complied with.
Right to data portability
Data subject has the right to receive his/her personal data, processed by BioLizard in a structured, commonly used and machine-readable format and/or to transmit those data to another controller.
Right not to be subjected to automated individual decision-making including profiling
Data subject has the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects on the data subject or similarly significantly affects the data subject.
Right to lodge a complaint
If, at any time, the data subject is of the opinion that BioLizard infringes his/her privacy, the data subject has the right to lodge a complaint with:
The Belgian Data Protection Authority: Gegevensbeschermingsautoriteit – Autorité de Protection des Données
Drukpersstraat 35, 1000 Brussels
Tel +32 (0)2 274 48 00
Any possible personal data breach, even if the impact is minimal, must immediately being reported to Data Protection Officer.
There is a personal data breach whenever there is breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data or if the data is made unavailable and this unavailability has a significant negative effect on individuals. Examples of a data breach are: accidental disclosure of e-mail addresses, loss of laptop, theft of a database, password leakage, etc.
Please read the procedure on the handling of a data breach. When there exists any doubt on a possible data breach, please contact firstname.lastname@example.org
188.8.131.52. Maintaining the registry of processing activities
BioLizard is required to maintain a records of processing activities under its responsibility according to the GDPR. That record contains an overview of all processing activities, purpose of processing, categories of Data Subjects, categories of personal data, recipients, transfers to countries outside the EEA, retention periods and a description of the organisational and technical security measures.
The Data Protection Officer, together with all stakeholders involved, are responsible to keep the records of processing activities accurate.
Please read the procedure (guidelines) on maintaining the records of processing activities (ROPA).
184.108.40.206. Data protection impact assessment (DPIA)
Where a type of processing in particular makes use of new technologies and/or is likely to result in a high risk to the rights and freedoms of natural persons, BioLizard should, prior to the processing, carry out an assessment of the impact on the person(s) involved. This is also called a data protection impact assessment (DPIA).
When any doubt exist that the current processing of personal data might constitute a high risk to the rights and freedoms of natural persons, please contact email@example.com.
Please read the procedure on data protection impact assessment and use the template for executing a Pre DPIA.
220.127.116.11. Legitimate interest balancing test
When a new processing activity is based on the legitimate interest of BioLizard, the organization will need to do an assessment in order to make sure that that interest does not override the rights and freedoms of the data subject(s) involved.
6.2. Concrete measures
Therefore, it is in general very important for BioLizard employees and partners to:
- Always minimize the processing of personal data in terms of: nature, quantity, access and retention;
- Evaluate new/changed procedures or systems in which personal data is processed in order to take appropriate technical and organisational measures in advance including Privacy by Design and Privacy be default;
- Have technical and organisational security controls with different access privileges based on a “need to know” (and not “nice to know”).
6.2.1. Security measures
18.104.22.168. Technical and organisational security measures
BioLizard guarantees implementation of the appropriate technical and organisational measures to ensure a level of security appropriate to the risk and taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
BioLizard acknowledges its responsibility to ensure an appropriate level of security with regard to the information you provide. Therefore, BioLizard has implemented various measures in order to protect the personal data against loss, alteration, accidental or unlawful destruction, unauthorized disclosure of, or access to the personal data. On organisational level measures are taken such as the limitation of access to and monitoring of the buildings and systems. While on technical level firewalls and encryption is in place, personal passwords are used and verified and verification requirements regarding access to personal data on a ‘need-to-know’-basis are provided.
22.214.171.124. Data use and disclosure
When personal data is accessed, disclosed or transferred, the risk of loss, corruption or theft arises.
Some measures, please note that these measures are not exhausitve:
- Avoidance of creating any unnecessary additional data sets;
- Personal data should not be shared informally;
- Personal data should not be disclosed to unauthorized people, either within the company or externally;
- When working with personal data, employees should ensure the screens of their computers are always locked when left unattended;
- Personal data sent by email or being transferred electronically to external parties must be encrypted or protected by other appropriate technical and organisational security measures;
- Every opportunity should be taken to ensure personal data is reviewed and, if needed, updated (e.g. by confirming a business’ contact details when they call or meet);
- BioLizard employee must not take any personal information away from BioLizard premises except when prior consent is obtained. Any employee taking records off site must ensure that appropriate technical and organisational measures are taken to protect it.
When personal data is stored on paper, it should be kept in a secure place where unauthorized people cannot see or access it.
- Do not print when not needed;
- When not required, the paper or files should be kept in a locked drawer or filing cabinet;
- Employees should make sure paper and printouts are not left where unauthorized people could see them, like on a printer;
- Data printouts should be shredded and disposed of securely when no longer required.
When personal data is stored electronically, it must be protected from unauthorized access, accidental deletion and malicious hacking attempts. In addition, personal data should only be stored on designated and secure drivers and servers and should only be uploaded to approved cloud computing services.
6.2.2.Third parties and data processing agreements (DPA)
As a controller BioLizard has the obligation to ensure that it only uses processors providing appropriate guarantees to implement appropriate technical and organisational measures in such manner that processing will meet the requirements of the GDPR and ensure protection of the rights of the data subjects. Following this, a due diligence shall be conducted before a contract with a new processor is signed. A contract with the processor shall include the clauses on personal data processing, in which the appropriate instructions on how to process personal data is given to the processor, as well as, appropriate technical and organisational measures are agreed upon.
Personal data transfer to the processors or the third parties who are based or are processing personal data outside the EEA needs to be:
- Justified (lawfulness of the transfer);
- Compliant with personal data processing principles;
- Secure (appropriate personal data protection level shall be ensured).
In order to ensure appropriate personal data protection level, BioLizard shall:
- Check whether the country to which personal data is transferred is covered by an adequacy decisions approved by the EU Commission. If the country is covered, the transfer of personal data is allowed;
- If the transfer is directed to a third party in the USA and if the third party is certified under the Privacy Shield (i.e. adequacy decision between the USA and the EU);
- If the country is not covered by an adequacy decision, Standard Contractual Clauses shall be signed between BioLizard and the third party who is processing personal data outside the EEA.
Processing of personal data starts with building awareness. Being in the loop on what personal data is, which personal data is being processed and for which purposes are key. Depending on the type of personal data (esp. special categories of data) might need some extra attention. Next to this, it is important to follow the BioLizard privacy and data protection policies in order to be compliant with the personal data protection principles as well as being able to respond to data subject requests in an appropriate way.
It is the task of the DPO to ensure regular communication towards all BioLizard stakeholders, as well as inform them in case of any changes to the personal data protection framework conditions (laws and regulations, principles, policies and procedures). Awareness sessions and e-learnings are methods to actively educate all stakeholders on data protection and its effects.
7. Changes to this policy
If you have any questions with regard to the content of this policy, the processing of personal data or the exercise of data subject rights in relation to this data processed by BioLizard, you can contact firstname.lastname@example.org.