Privacy Statement

EFQM AssessBase

BACKGROUND

This is the Registered User Privacy Statement of Private Foundation EFQM, whose place of business is at Avenue des Olympiades, 2, B-1140 Brussels, Belgium and registered with the Crossroads Bank for Enterprises under number 0871.740.087 (“EFQM”). In the context of the operation of the AssessBase, EFQM collects, holds, discloses and/or otherwise processes personal data of Registered Users as “data controller” within the meaning of the EU General Data Protection Regulation 2016/679 (“GDPR”).

EFQM strives to protect personal data in accordance with the GDPR and its national implementing and supplementing legislation. This Privacy Statement explains how EFQM collects personal data, how and for which purposes it may use personal data and to whom personal data of Registered Users is disclosed. Furthermore, this Privacy Statement includes important information regarding Registered Users’ legal rights with respect to the processing of their personal data. Therefore, EFQM strongly encourages all Registered Users to read this Privacy Statement carefully.

From time to time, EFQM may need to change this Privacy Statement. In such a case, EFQM will send Registered Users a copy of this new version.

COLLECTION OF PERSONAL INFORMATION

EFQM collects personally identifiable information, such as the e-mail address, name, work address or telephone number of Registered Users, and the user group they are assigned to. This information is obtained from the Customer and sometimes also directly from the Registered User (e.g. when he/she updates his/her online profile). It is used to create and allocate online accounts for Registered Users at the request of Customers, and to populate the Registered Users’ personal profile. EFQM also collects demographic information, such as ZIP code, age, gender, preferences, interests and favorites, for analytical purposes.

EFQM also automatically collects information about the computer hardware and software used to access the AssessBase. This information is collected through cookies and plug-ins and can include the IP address, browser type, domain names, access times and referring website addresses. EFQM uses this information to operate the service, to maintain the quality of the service, and to produce general statistics regarding use of the AssessBase.

Finally, the name and contact details of EFQM’s main contact persons within the Customer’s organization are also collected and processed.

USE OF PERSONAL INFORMATION

EFQM collects and uses personal information:

  • to operate the AssessBase and deliver the services the Customer has requested;
  • to inform the Customer of other products or services available from EFQM and its affiliates;
  • to contact the Customer via surveys to conduct research about their opinion of current services or of potential new services that may be offered; and
  • to improve its online platforms and the online experience of the Registered Users.

EFQM may also, from time to time, contact the Customer on behalf of external business partners about a particular offering that may be of interest to them. In those cases, the unique personally identifiable information (e-mail, name, address, telephone number) is not transferred to the third party.

For the processing of personal information of Registered Users for electronic direct marketing purposes (e.g. sending an electronic newsletter), EFQM relies on opt-in consent. Only persons who have actively subscribed to receive electronic newsletters will be registered for the electronic mailings. Any such consent can be withdrawn at any time, by clicking the unsubscribe button or by contacting EFQM at assessbase@efqm.org. An opt-in option is also provided in the user profile for Registered Users who wish to be included in the user directory and/or to be contacted by other Registered Users.

In all other cases, the processing of personal information is based on the legitimate interests of EFQM (see above – i.e. the interest in improving the content and quality of the online platforms, improving the user experience, operating the AssessBase portal, etc.).

DISCLOSURE TO THIRD PARTIES

EFQM will disclose the Customer’s personal information without notice only if required to do so by law or in the good-faith belief that such action is necessary to: (a) conform to the edicts of the law or comply with legal process served on EFQM or the site; (b) protect and defend the rights or property of EFQM; or (c) act under exigent circumstances to protect the personal safety of users of EFQM, or the public.

In addition, EFQM may share data with trusted partners to help perform statistical analysis, send email or postal mail, provide Customer support, or arrange for deliveries. All such third parties are prohibited from using this personal information except to provide these services to EFQM, and they are required to maintain the confidentiality of the information. Where required, data processing agreements will be entered into with such third parties.

EFQM does not sell, rent or lease its Customer lists or any personal data relating to Registered Users to third parties.

If the AssessBase platform is transferred by EFQM to an affiliate, a joint venture partner or another third party, or is co-managed with such a party, EFQM may also share personal information of Registered Users with that party in order to ensure the continuity of the services offering and of the Registered Users’ subscription to the AssessBase.

RETENTION PERIOD

Personal information will not be stored for longer than is necessary for the purposes for which EFQM processes it (as listed above). Afterwards, such information may still be present in back-ups or archives, but it will no longer be actively processed.

More specifically, the personal information of active Registered Users will be retained for administration purposes for as long as the user profile remains active. If a user account is closed, the personal information of the former Registered User will no longer be actively processed by EFQM.

Any personal information used for marketing purposes (e.g. for the newsletter) will be retained for as long as EFQM is sending such newsletters. As soon as EFQM notes that contact details are no longer accurate or active, or whenever anyone exercises their unsubscribe right, EFQM will no longer keep the personal data for these purposes.

More information on the retention periods applied by EFQM is available on request.

SECURITY OF PERSONAL INFORMATION

EFQM protects the Customer’s and Registered Users’ personal information from unauthorized access, use or disclosure. Personally identifiable information is held on computer servers in a controlled, secure environment with access restricted to authorized personnel. When personal information (such as a credit card number) is transmitted to other websites, it is protected in transit through the use of encryption, such as the Secure Sockets Layer (SSL) protocol or its successor, Transport Layer Security (TLS).

More information on the data security measures applied by EFQM is available on request.

LEGAL RIGHTS OF DATA SUBJECTS

Registered Users and other Data Subjects have (under certain conditions, as explained in more detail on the website of the Belgian Data Protection Authority, www.dataprotectionauthority.be) the right to:

  • obtain information about and access to their personal data;
  • have their personal data rectified;
  • request erasure of their personal data (‘right to be forgotten’);
  • obtain restriction of processing of their personal data;
  • object to the processing of their personal data;
  • receive their personal data in a structured, commonly used and machine-readable format and to have it transmitted to another organisation.

On their online user profile, Registered Users can also decide which information to add/remove and whether or not their personal information can be shown to other Registered Users.

Finally, if reaching out directly to EFQM does not result in the desired effect, they also have the right to lodge a complaint with the Belgian Data Protection Authority relating to the processing of personal data by EFQM.

EFQM aims to respond as quickly as possible to any such requests or questions. Before acting on a request, EFQM may ask for proof of identity in order to verify that the request genuinely comes from the data subject concerned. In principle these rights can be exercised free of charge. Only where requests are manifestly unfounded or excessive may EFQM charge a reasonable fee.

CONTACT

In case of any questions, comments or complaints in relation to this Privacy Statement or the processing of your personal data by EFQM, data subjects are free to contact EFQM by writing to the following address or to the following email address: [EFQM, Avenue des Olympiades 2, B-1140 Brussels, Belgium – assessbase@efqm.org].

Data Processing for AssessBase Customers

1. DEFINITIONS

In this Data Processing Agreement, the following terms shall have the meanings set out below:

  • “Personal Data” means any personally identifiable information disclosed by the Controller to the Processor and processed by the Processor on behalf of and under the instructions of the Controller pursuant to or in connection with the License Agreement;
  • “EU Data Protection Laws” means the GDPR and any applicable national laws implementing or supplementing the GDPR;
  • “GDPR” means EU General Data Protection Regulation 2016/679; and
  • the terms “Third Country”, “Member State”, “Data Subject”, “(Personal) Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

The definitions used in the License Agreement shall also apply to this Data Processing Agreement, which is deemed to be an inextricable part of the License Agreement insofar as the AssessBase is concerned.

2. PROCESSING OF PERSONAL DATA

The Parties acknowledge that in the performance of the License Agreement, the Processor may process Personal Data on behalf of the Controller. When Processing such Personal Data, the Processor shall:

  • comply with the applicable EU Data Protection Laws; and
  • not process Personal Data other than in accordance with the Controller’s documented instructions, including with regard to transfers of Personal Data to a Third Country or an international organisation, unless required to do so by EU or Member State law to which the Processor is subject. In such a case the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

The Processor shall also ensure that all persons authorised to process Personal Data perform such Processing activities in accordance with the instructions given by the Controller and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other EU or Member State data protection provisions.

Schedule 1 to this Data Processing Agreement sets out certain additional information regarding the Processor’s Processing of the Personal Data as required by article 28(3) of the GDPR.

3. SECURITY

The Processor shall refrain from transmitting Personal Data provided by the Controller to third parties that are not sub-processors, unless the Controller has given its prior written consent to this end.

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

The Processor shall provide a high-level overview and description of the (technical, logical and organizational) security measures put in place in Schedule 2 to this Data Processing Agreement, which are deemed to be appropriate. The Processor will review and update this list from time to time, in order to maintain a continuously appropriate level of data security.

4. SUB-PROCESSING

The Processor is authorized to engage sub-processors (such as cloud hosting providers or data analytics service providers) to perform certain tasks. The most recent list of sub-processors shall be communicated to the Controller on request. No sub-processor shall process or host any Personal Data outside the European Economic Area. The Amazon Web Services (AWS) servers used by the Processor are likewise all located within the European Economic Area.

The Processor shall ensure that each sub-processor performs the obligations under this Data Processing Agreement, as they apply to the Processing of Personal Data carried out by that sub-processor, as if it were party to this Data Processing Agreement in place of the Processor. Where a sub-processor fails to fulfil its contractual or legal obligations, the Processor shall remain liable to the Controller for the performance of that sub-processor’s obligations.

5. PERSONAL DATA BREACH

The Processor shall notify the Controller in writing without undue delay upon becoming aware of a Personal Data Breach affecting Personal Data, providing the Controller with sufficient information to allow it to meet any obligations to report or inform Data Subjects or the authorities of the Personal Data Breach under EU Data Protection Laws.

Such notification shall describe (to the extent this information is known to the Processor, and within the limits of applicable confidentiality obligations) the nature of the Personal Data Breach, an estimate of the categories and numbers of Data Subjects concerned, the likely consequences of the Personal Data Breach, and the measures taken or proposed to be taken to address the Personal Data Breach.

The Processor shall co-operate with the Controller and take reasonable measures to assist the Controller in the investigation, mitigation and remediation of a Personal Data Breach.

6. FURTHER ASSISTANCE

Taking into account the nature of the Processing, the Processor shall assist the Controller by implementing appropriate technical and organizational measures, insofar as this is possible and reasonable, for the fulfilment of the Controller’s obligations to respond to requests to exercise Data Subject rights under EU Data Protection Laws.

The Processor shall also provide reasonable assistance to the Controller with any data protection impact assessments and prior consultations with the data protection authorities, in each case solely in relation to the Processing of the Personal Data by the Processor and taking into account the nature of the Processing and the information and means available to the Processor.

7. DELETION OR RETURN OF PERSONAL DATA

Subject to what is set out below, the Processor shall, at the written request of the Controller, delete and procure the deletion of all copies of the Personal Data. The Controller may, in its reasonable discretion and by written notice to the Processor, require the Processor to (a) return a copy of all the Personal Data to the Controller by secure file transfer in such format as is reasonably notified by the Controller to the Processor; and/or (b) delete and procure the deletion of all other copies of the Personal Data. The Processor shall comply with all reasonable written requests without undue delay.

The Processor may still retain Personal Data to the extent and for such period as required by EU or Member State law, provided always that the Processor ensures the confidentiality of all such Personal Data.

8. AUDIT RIGHTS

The Processor shall make available to the Controller, on its written request, all information necessary to demonstrate its compliance with EU Data Protection Laws, and shall allow for and contribute to reasonable audits, including inspections, by the Controller or an auditor mandated by the Controller in relation to the Processing of the Controller’s Personal Data by the Processor. Such audits shall be conducted during normal business hours, no more than twice per year, at the Controller’s expense, and the Processor shall be notified of them in writing at least one (1) week in advance.

9. TERM AND TERMINATION

This Agreement is entered into at the same time and will terminate together with the License Agreement for the AssessBase.

10. LIABILITIES

The liability provisions as included in the GDPR shall be applied to this Data Processing Agreement.

11. MISCELLANEOUS

If any provision of this Data Processing Agreement is declared void or unenforceable by any court or tribunal of competent jurisdiction, the other provisions hereof shall remain in effect, unless those provisions must be deemed to be indissolubly connected with the void or unenforceable provision. In the event that the other provisions remain valid, both Parties shall endeavor to replace the void or unenforceable provision with a valid provision which reflects the Parties’ original intent.

The Processor may assign this Data Processing Agreement to one of its affiliates without prior written permission of the Controller.

This Data Processing Agreement shall be exclusively governed by and construed in accordance with the laws of Belgium, excluding its conflict-of-laws rules. For all disputes arising in connection with this Agreement, the Parties hereto submit to the exclusive jurisdiction of the courts of Brussels, Belgium.

DPA – SCHEDULE 1 – DETAILS OF THE DATA PROCESSING ACTIVITY

This Schedule 1 includes certain details of the Processing of the Personal Data as required by Article 28(3) GDPR.

Subject matter, nature, purpose and duration of the Processing

The following basic processing activities will be performed by the Processor as part of its “AssessBase” services offering (“SaaS” solution):

  • Hosting of any Personal Data included in the information, materials and supporting documents uploaded to the AssessBase by Contributors or Assessors; and
  • Processing such information in order to include it in an assessment feedback report.

The duration of the Processing of the Personal Data is set out in the License Agreement, as supplemented by the Data Processing Agreement. As long as the License Agreement is in effect and the Controller uses the AssessBase, the data processing activity will continue (provided that personal data is in fact entered into the AssessBase, which is expected to be rare).

Types of Personal Data and categories of Data Subjects

Types of Personal Data – Any information relating to individual persons that is deemed relevant by a Contributor or an Assessor for the Assessor to make its evaluation.
Data Subjects – Employees, agents, managers, etc. working for the Customer, whose information is relevant for the Assessor to make its evaluation.
All in all, the Personal Data included in the AssessBase is expected to be limited, as the purpose of the AssessBase is not to host or otherwise perform processing operations on Personal Data.

Rights and obligations of the Processor and the Controller

The obligations and rights of the Processor and the Controller are set out in the License Agreement, as supplemented by the Data Processing Agreement.

***