1. Who is Valpeo?
VALPEO CVBA (incorporated under the laws of Belgium with registered offices at B-9830 Sint-Martens-Latem, Karel Lodewijk Maenhoutstraat 77a, with enterprise number 0669 916 444 and hereinafter referred to as “Valpeo”) is the developer and owner of an array of services for online collaboration and management including certain software to give organizations a fully integrated insight into, among others, the level at which value is created, the extent to which strategy, culture and organizational structure support that value creation process, the current capability and performance of current and new employees to add value, the cultural fit of employees with the organization, the future potential of people to add value, the way value is rewarded in a fair, competitive, equitable way and the dynamics of the board to support that value creation process. More information about Valpeo can be found on www.valpeo.com.
Such services are offered among others through a Valpeo proprietary cloud-based hosted secured web browser portal and interface which provides with scientifically based analyses and reports.
2. Processing of Personal Data
For the provision of its services Valpeo requires certain personal data, which will have necessarily to be provided directly by Data Subject (as defined below) or indirectly by Customer (as defined below).
Valpeo attaches great importance to the protection of the personal data it Processes. In the context legally responsible dealing, Valpeo undertakes to comply with the GDPR (as defined below).
By this policy Valpeo intends to inform about its Processing activities of Personal Data (as defined below) and the rights of Data Subjects. This policy describes, among other things, the measures taken by Valpeo to protect privacy in the context of Valpeo’s services, including its Website (as defined below). It applies to all services rendered by Valpeo and supersedes all discussions, agreements and understandings of any nature with Valpeo with regard to Valpeo’s services. By accepting this document, you unconditionally accept this document as binding upon you regardless any stipulations to the contrary in any document issued by you or any third party. In case of conflict between this document and any terms and conditions issued by you or any third party, the former shall prevail, notwithstanding any stipulation to the contrary in the latter.
Customers and Data Subjects (as defined below) are therefore requested to read this policy carefully, with the understanding that it may be modified from time to time in the light of the feedback or changes to services, conditions or legal or regulatory provisions.
“Agreement” means the agreement concluded between the Parties in relation to the Service under the terms and conditions set out in the General Terms and Conditions and supplemented by other terms and conditions that may be agreed between the Parties;
“Customer” means a legal of physical person wishing to use the Service or entering in contact with Valpeo for the provision of Services;
“Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data, being, as the case may be Valpeo;
“Data Subject” means a natural person whose Personal Data is Processed by Valpeo;
“GDPR” means EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
“General Terms and Conditions” means Valpeo’s General Terms and Conditions that can be found under www.valpeo.com/generalterms;
“Personal Data” means any information relating to an identified or identifiable Data Subject in terms of the GDPR;
“Personal Data Breach” shall have the same meaning as defined in the GDPR;
“Processing” any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, adoption, or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Processing Agreement” means Valpeo’s Processing Agreement that can be found under www.valpeo.com/processingagreement;
“Processor” means a natural or legal person, public authority, agency or another body, that Processes Personal Data on behalf of the Controller, being, if Customer is Controller, Valpeo.
“Representative” means with respect to Valpeo its directors, officers, employees, agents, advisors, counsellors, auditors, accountants or lawyers;
“Service” means the service provided by Valpeo under the Agreement as defined in the Agreement;
4 Consent for Processing
By using Valpeo’s Service under the Agreement and/or by visiting the Website and/or by transferring Personal Data to Valpeo via the Website or in any other way, and to the extent that the Processing is not based on any other ground for Processing as set out in article 6 GDPR:
− Data Subject, in case it provides Personal Data, gives Valpeo the permission to Process his Personal Data in accordance with the purposes described below;
− Customer, in case it provides Personal Data of Data Subject, accepts the Processing Agreement and warrants that it has the necessary consent and/or other legal basis to give Valpeo the permission to Process Personal Data in accordance with the purposes described below.
5 Collection of Personal Data
Valpeo collects Personal Data through the transfer thereof by Data Subject or third parties (such as Customers, including credit reference agencies) who are legally entitled to do so, in particular within the framework of the Agreement, via the Website, via publicly accessible sources and via sources to which access is legally restricted.
In addition, when visiting the Website, registering with Valpeo (including as a partner, client or candidate) or signing up to receive Valpeo’s e-newsletters or information about Valpeo’s products or services, Valpeo may collect, store and use certain Personal Data about Data Subject.
Like most website providers, Valpeo also analyses server log files to collect statistical information about how the Website is used only at an aggregate level and includes browser types, operating systems, IP addresses, referring/exit pages, platform types and date/time stamps.
The Service is related to and the Website contains business-related content and are specifically aimed at and designed for use by adults. Valpeo does not knowingly solicit or collect personal information from children.
6 Nature of Personal data
7 The purpose of Processing
Valpeo Processes Personal Data within the framework of the Agreement with a view of its performance for Data Subject and/or Customer (including maintenance and support of registered account that Data Subject or Customer holds with Valpeo and facilitating access and provision with resources, tools and other materials available to Data Subject and/or Customer), i.a. for the purpose of recruitment, selection and development by potential employers, managing recruitment and human resource processes and any related purpose where Data Subject has consented to the Processing or where other grounds for lawful Processing exist.
Valpeo also Processes Personal Data to respond to inquiries that Website users submit via the Website, for technical administration of the Website, for research and analysis to maintain and improve the Service, to develop new services among others on the basis of Data Subjects views on Valpeo’s products and services and for customer satisfaction purposes.
All Personal Data will be Processed exclusively for the purpose for which it was collected and to the extent that is necessary to achieve that finality. This restriction applies both to the quantity of Personal Data and to the scope of Processing, the retention period and the accessibility.
If Personal Data should be Processed for a different purpose than those for which they were initially collected, Valpeo ensures that the Processing does not take place in a manner that is incompatible with the purpose for which Personal Data has been provided. In case the desired finality is incompatible with the initial finality for which Personal Data has been provided, Valpeo will seek the consent of the relevant Data Subject for the Processing of his Personal Data in the light of this new purpose, provided that the consent is given freely.
Valpeo shall not to make decisions based solely on automated Processing, including profiling, which would produce legal effects concerning Data Subject or similarly significantly affects him.
8 The lawfulness of Processing
Valpeo Processes Personal Data when this is necessary (a) for the performance of the Agreement or for the execution of the pre-contractual measures requested by Customer or Data Subject, or (b) to comply with its legal obligations or (c) for advertising and marketing purposes aimed at conducting a policy for provision of information to Customers and/or Data subjects and conducting a policy of customer binding, or (d) for representing the legitimate interest of Valpeo.
If the Processing cannot be justified by one of the aforementioned legal grounds, Valpeo may seek the consent of Data Subject, provided that this consent is freely given.
With regard to the Processing of sensitive Personal Data, Valpeo Processes these Personal Data when (a) explicit consent from Data Subject has been obtained to Process one or more special categories of Personal Data for one or more well-defined purposes or (b) when necessary for the performance of the Agreement, in particular within the framework of the assertion, exercise or substantiation of a legal claim, or (c) to comply with the legal obligations of Valpeo or (d) if the Processing relates to Personal Data that have manifestly been made public by Data Subject.
9 The recipients and (sub-)Processors
Valpeo may transfer Personal Data (or may be required to transfer Personal Data) to public authorities and may transfer Personal Data to (sub-)Processors so that they can Process these data on behalf of Valpeo on the condition that (sub-)Processors guarantee an adequate level of protection regarding Personal Data and are contractually obliged to comply with the GDPR. Personal data will not be transferred to countries that do not offer protection that is at least equivalent to the protection within the EEA.
Personal Data can be communicated for internal use to Valpeo’s Representatives, though always insofar as and to the extent that this is necessary for the performance of their duties, such as the execution of the Agreement, administrative follow-up and follow-up of customer relations.
Valpeo may also transfer Personal data (or may be obliged to transfer Personal data) in connection with its use of external (sub-)Processors (such as suppliers of IT services, including services relating to software for Processing and follow-up of dossiers or accounting, the accountant, the cooperating partners and other persons involved in the follow-up of the Agreement), provided that they offer sufficient guarantees with respect to the implementation of appropriate technical and organizational measures to ensure that the Processing complies with the requirements of the GDPR and the protection of Personal Data rights and when the transfer is necessary within the applicable legal or regulatory framework taking into account the purposes of the Processing.
To the extent required by the GDPR, Valpeo has entered into a contract with the (sub-)Processors in which the purpose of the Processing is determined, the Processor undertakes, among other things, to respect the confidentiality of Personal data, to limit the Processing to what is in line with Valpeo’s instructions or with what is legally permitted and to cooperate with the exercise of the rights by Customer and Data Subject granted to them by the GDPR.
10 The storage of personal data
Valpeo can store Personal Data on servers that are outside of Belgium or in a cloud-environment. In such a case, Valpeo ensures that Personal Data are stored in an EU Member State and/or in a country that is recognized to offer an equivalent level of data protection and/or that compliance with the provisions of the GDPR is contractually guaranteed.
11 Record of Processing activities
To the extent required by law, Valpeo shall keep a register of the Processing Activities carried out by it or under its responsibility. In that case, the register will contain the information required by GDPR, such as the name and contact details of the (joint) data protection officer, the Processing purposes, the description of the categories of Data Subjects, of Personal Data and of recipients, the retention period, etc.
12 The rights of Customers and data subjects
Data Subject may exercise the rights set out below by submitting a written notification to the following e-mail address: firstname.lastname@example.org
Valpeo draws attention to the fact that if Data Subject objects to the Processing of his Personal Data in question or exercises the rights set out below, this may result in Valpeo being unable to further execute the Agreement and/or that Customer or Data Subject will no longer be able to make use of the Services.
12.1 Right to withdraw consent
If the Processing is based on consent only, Data Subject shall at all times have the right to withdraw this consent, without this withdrawal affecting the legality of the Processing that took place before the withdrawal of the consent.
12.2 Right of access
Data Subject may at any time inspect its Personal Data and any information relating to the Processing of his Personal Data.
12.3 Right to rectification
Data Subject will be entitled to have any Personal Data concerning himself that is incorrect or incomplete, corrected, insofar as this is legally possible.
12.4 Right to erasure
Unless Processing is necessary for the assertion, exercise or substantiation of a legal claim or for compliance with a statutory obligation resting upon Valpeo, Data Subject will be entitled to have his Personal Data erased if (a) Personal Data are no longer necessary for the purposes for which they were Processed, or (b) the consent, insofar as the Processing is solely based on it, is withdrawn or (c) Data Subject objects to the Processing and there are no compelling justified grounds for Valpeo or (d) Personal Data have been unlawfully Processed, or (e) Personal Data must be erased in order to comply with a statutory obligation.
If the request for erasure forms part of objection to Processing for reasons relating to the specific situation of Customer and/or Data Subject concerned, Valpeo will erase the data, subject to compelling justified grounds for Processing that outweigh the interests and rights of Customer and/or Data Subject concerned or that relate to the assertion, exercise or substantiation of a legal claim.
12.5 Right to restriction of Processing
Data Subject has the right to obtain from Valpeo the restriction on Processing if (a) the accuracy of Personal Data is disputed by him, or (b) the Processing is unlawful and he objects to the erasure of Personal Data or (c) he needs Personal Data for the assertion, exercise or substantiation of a legal claim while Valpeo no longer needs it for Processing purposes, or (d) he has objected to Processing on the basis of the justifiable grounds stated in article 21 GDPR.
12.6 Right to data portability
Data Subject is entitled to obtain Personal Data concerning him in a structured, customary and legible form and to transfer that Personal Data to another Processor if (a) the Processing is based on consent or (b) the Processing is necessary for the execution of the assignment following the Agreement.
12.7 Right to object
Customer and/or Data Subject is entitled to submit a complaint to the Data Protection Authority (Drukpersstraat 35, 1000 Brussels (www.privacycommission.be)) in case he believes that the Processing is unlawful.
13 The obligation of Valpeo
Valpeo has taken appropriate measures to protect Personal Data in order to ensure that Personal Data is used in accordance with the aforementioned purposes and that their correctness and updating are assured.
14 The security of personal data
Valpeo ensures that Personal Data of Data Subjects are protected and secured to the maximum extent possible in order to ensure their confidentiality and to prevent them from being distorted, damaged, destroyed or disclosed to an unauthorized third party. The specific measures taken by Valpeo in this perspective are described in the information security policy, a copy of which can be obtained by Data Subject.
In the event of an infringement and the associated violation of the availability, integrity or confidentiality of Personal Data, Valpeo shall ensure that the infringement in connection with Personal Data is reported to the Data Protection Authority within 72 hours of it becoming aware of it, unless it is unlikely that the infringement poses any risk to the rights and freedoms of Data Subjects concerned. Valpeo will also report Personal Data Breach to Customers and/or Data subjects concerned if it is likely that the breach will entail an increased risk for the rights and freedoms of Customers or Data Subjects.
Whilst Valpeo takes appropriate technical and organizational measures to safeguard Personal Data, it is highlighted that no transmission over the Internet can ever be guaranteed secure. Consequently, Data Subject notes that Valpeo cannot guarantee the security of any personal data in the process of its transmission and that that the effective security depends, in part, on Data Subject (or Customer) ensuring that any IDs and passwords that have been issued to them are kept confidential and secure.
15 Retention period of personal data
15.1 Personal Data will not be retained longer than necessary for the purpose for which it is Processed.
15.2 Where Personal Data is Processed for the purpose of executing the Agreement, upon termination or expiry of the Agreement Data Subject (and/or Customer) may request Valpeo not later than 30 (thirty) days after the date of the termination or expiry of the Agreement to return Personal Data to Data Subject (or, as the case may be, Customer).
Unless the applicable law prevents Valpeo from doing so, Valpeo shall comply with such request provided that Customer has, at that time, paid all amounts due to Valpeo, including amounts resulting from termination or expiry (whether or not due at the date of termination or expiry). In the event of return of Personal Data to Customer Valpeo shall no longer retain Personal Data unless Data Subject (or Customer) so legally requests and subject to conditions then agreed.
Failing the said instruction to return Personal Data, Valpeo shall have no obligation to maintain, forward or return any Personal Data, unless Valpeo has retained Personal Data as provided by this article.
Unless Data Subject (or Customer) requests Valpeo to return Personal Data or has requested Valpeo to delete or to anonymize Personal Data, Valpeo may, taking into account the requirement to keep Personal Data for follow-up tasks, retain Personal Data during 10 (ten) years after the completion of the performance of the Agreement, being understood that Data Subject (or Customer) may request Valpeo to continue the retention thereof for the term indicated by them and subject to conditions then agreed.
Valpeo may in any event further use any data if Valpeo does so in aggregate and non-Customer identifiable and non-person identifiable formats thus ensuring that Personal Data no longer qualifies as Personal Data under the Privacy Legislation.
17 Disputes and applicable law