Privacy Statement

General privacy policy

1. Purpose

This General Privacy Policy (hereinafter: the “Policy”) applies to Merkator NV (“Merkator NV”), a Belgian company with its registered office at Vliegwezenlaan 48, 1731 Asse, Belgium, registered under company number 0839.944.576.

This Policy aims to establish appropriate safeguards for the processing of personal data (as defined below) by Merkator NV.

This Policy sets out all relevant information and instructions for anyone who, in the course of their duties at Merkator NV, processes personal data as described in this Policy.

This Policy has been drafted to ensure compliance with European Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation, or GDPR).

This Policy does not intend to provide stronger protection than what is required under applicable legislation.

2. To whom does this Policy apply?

This Policy has been drawn up for any person who, in the performance of their role at Merkator NV, processes personal data as described in this Policy.

Examples of data subjects include:

  • Current employees

  • Prospective employees (applicants)

  • Former employees

  • Family members of employees

  • Contractors/consultants/freelancers

  • Temporary agency workers

  • Directors and shareholders

  • Contact persons at customers

  • Contact persons at suppliers

  • Prospects

  • Etc.

This Policy applies to every department in which personal data are processed.

3. Scope

This Policy applies to the processing of personal data in the context of the activities of Merkator NV.

4. Definitions

The GDPR contains a list of definitions, the most important of which are set out below:

  • “Controller”: a natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data. Within the scope of this Policy, the aforementioned Merkator NV entities act as Controllers, either individually or jointly.

  • “Employee”: for practical reasons, the term “employee” is used broadly in this Policy and includes any current or former employee.

  • “European Economic Area (EEA)”: currently includes Belgium, Bulgaria, Cyprus, Denmark, Germany, Estonia, Finland, France, Greece, Hungary, Ireland, Iceland, Italy, Croatia, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Austria, Poland, Portugal, Romania, Slovenia, Slovakia, Spain, the Czech Republic, the United Kingdom, and Sweden.

  • “Personal data”: any information relating to an identified or identifiable natural person (“data subject”).

  • “Data subject”: an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.

  • “Sensitive personal data”: personal data revealing:

    • racial or ethnic origin;

    • political opinions;

    • religious or philosophical beliefs;

    • trade union membership;

    • health data or data concerning sexual life;

    • data relating to criminal convictions and offences or related security measures.

  • “Processing”: any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

  • “Personal data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

5. Application of local legislation

This Policy has been drafted to ensure compliance with the GDPR. Merkator NV acknowledges that the legislation of certain countries may further specify certain aspects of data processing where permitted by the GDPR. In such cases, the more detailed national provisions will apply in conjunction with the GDPR.

Any questions regarding applicable legislation and Merkator NV’s compliance can be addressed to the GDPR Officer at privacy@merkator.com.

6. Principles relating to the processing of personal data

Merkator NV respects the privacy of the above-mentioned data subjects whose personal data are processed and is committed to protecting their personal data in accordance with the GDPR.

Merkator NV observes the following principles:

  • Personal data are processed lawfully, fairly, and transparently.

  • Personal data are collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.

  • Personal data are adequate, relevant, and limited to what is necessary for the purposes of processing.

  • Personal data are accurate and, where necessary, kept up to date.

  • Personal data are kept no longer than necessary for the purposes for which they are processed.

  • Personal data are deleted or amended following a justified request by the data subject.

  • Personal data are processed in accordance with the rights of data subjects.

  • Appropriate technical and organisational measures are taken to prevent unauthorised access, unlawful processing, and accidental loss, destruction, or damage.

7. Personal data processed by Merkator NV

Personal data is a broad concept and should be interpreted widely. Whenever a natural person is identifiable based on data processed in Merkator NV’s systems or structured files, this Policy applies.

Examples include identification data (name, address, phone number, email address, electronic identifiers), photos, audio or video recordings, financial data, personal characteristics, employment data, and more.

This Policy does not apply to anonymous information. Data relating solely to legal entities fall outside the scope unless they allow identification of a natural person.

8. Information on processing activities under Merkator NV’s responsibility

Merkator NV processes personal data on a lawful basis, primarily:

  • for the performance of a contract;

  • to comply with legal obligations;

  • for legitimate interests, unless overridden by the interests or rights of the data subject.

In specific cases, processing may also be based on consent or vital interests.

Sensitive data are processed only where permitted under the GDPR and applicable law.

Further details can be found in:

  • the general privacy statements on the websites;

  • the privacy notice for applicants;

  • the privacy notice for employees.

9. Security and confidentiality

Merkator NV implements appropriate technical, physical, and organisational measures to protect personal data.

This includes secure IT systems, access controls, backups, training, and confidentiality obligations.

10. Data protection by design and by default

Merkator NV integrates data protection principles into new and existing initiatives and performs Data Protection Impact Assessments (DPIAs) where required.

11. Rights of data subjects

Data subjects have rights including:

  • access and copy;

  • rectification;

  • erasure (“right to be forgotten”);

  • withdrawal of consent;

  • restriction of processing;

  • data portability;

  • objection;

  • protection against automated decision-making.

Requests can be addressed to privacy@merkator.com. Complaints may also be lodged with the Data Protection Authority.

12. Retention of personal data

Personal data are not retained longer than necessary for the purposes for which they are processed.

13. Transfer of data

Personal data may be shared within the Merkator NV group or with external parties, subject to appropriate safeguards and agreements.

14. Automated decision-making

Merkator NV does not, as a rule, engage in automated decision-making with legal or significant effects.

15. Personal data breaches

Merkator NV has procedures for identifying, reporting, investigating, and managing personal data breaches, including notification to the Data Protection Authority where required.

16. Specific staff instructions

All employees with access to personal data must comply strictly with this Policy. Non-compliance may result in disciplinary measures.

17. Enforcement

Merkator NV ensures compliance with this Policy. Violations may result in fines, claims, or internal sanctions, including dismissal.

18. Communication of this Policy

Merkator NV provides mandatory training on this Policy and makes it available via the employee portal.

19. Amendments

Merkator NV reserves the right to amend this Policy as required by law or regulatory guidance and will inform data subjects of any material changes.