GENERAL PRIVACY POLICY
1 Purpose
This General Privacy Policy (hereinafter: the “Policy”) applies to Merkator NV (“Merkator NV”), a Belgian company with registered office at 1731 Asse, Vliegwezenlaan 48, with company number 0839.944.576.
This Policy aims to establish appropriate safeguards for the processing of personal data (as defined below) by Merkator NV.
This Policy sets out all relevant information and instructions for anyone who, in the performance of their role at Merkator NV, processes personal data as described in this Policy.
This Policy has been drawn up to ensure compliance with European Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, or GDPR).
This Policy does not intend to provide a higher level of protection than what is required by applicable law.
2 For whom?
This Policy has been drafted for every person who, in the performance of their role at Merkator NV, processes personal data as described in this Policy.
Examples of data subjects include:
- Current staff
- Potential staff (applicants)
- Former staff
- Family members of employees
- Contractors/consultants/freelancers
- Temporary workers
- Directors and shareholders
- Contact persons at customers
- Contact persons at suppliers
- Prospects
- And so on
This Policy applies to every department where personal data are processed.
3 Scope
This Policy applies to the processing of personal data in the context of the activities of Merkator NV.
4 Definitions
The GDPR contains a list of definitions, the most important of which are set out below:
- “Controller” means a natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data. For the purposes of this Policy, the aforementioned Merkator NV entities act as Controller, either separately or jointly.
- “Employee”: For practical reasons, “employee” in this Policy is understood in a broad sense and includes any current or former employee.
- “European Economic Area (EEA)” currently includes the following countries: Belgium, Bulgaria, Cyprus, Denmark, Germany, Estonia, Finland, France, Greece, Hungary, Ireland, Iceland, Italy, Croatia, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Austria, Poland, Portugal, Romania, Slovenia, Slovakia, Spain, Czech Republic, United Kingdom, Sweden.
- “Personal data” means any information relating to an identified or identifiable natural person (“data subject”).
- “Data subject” means an identifiable person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- “Special categories of personal data” (sensitive data) means personal data revealing:
  - racial or ethnic origin;
  - political opinions;
  - religious or philosophical beliefs;
  - trade union membership;
  - data concerning health or sexual behaviour;
  - data relating to criminal convictions and offences or related security measures.
- “Processing” is defined in the GDPR as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” This reflects a broad interpretation of the term “processing”.
- “Personal data breach” is defined in the GDPR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
5 Application of local law
This Policy is drawn up to ensure compliance with the GDPR. Merkator NV recognises that the legislation of certain countries may specify particular aspects of data processing in more detail, insofar as the GDPR allows this. In such cases, the more detailed specific provisions of that country will apply together with the GDPR.
All questions regarding the applicable legislation and Merkator NV’s compliance with it can be addressed to the GDPR Officer (privacy@merkator.com).
6 Principles relating to the processing of personal data
Merkator NV respects the privacy of the above-mentioned data subjects whose personal data are processed and is committed to protecting their personal data in accordance with the GDPR. Compliance with the GDPR is in line with Merkator NV’s desire to inform its employees and any other data subject about the processing of their personal data and to recognise and respect their privacy rights.
Merkator NV observes the following principles when processing personal data:
- Personal data are processed lawfully, fairly and in a transparent manner in relation to the data subject.
- Personal data are collected for specified and legitimate purposes; they are not further processed in a manner that is incompatible with those purposes.
- Personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Personal data must be accurate and, where necessary, kept up to date. Every reasonable step is taken to ensure that personal data that are inaccurate or incomplete are rectified or erased without delay.
- Personal data are kept only for as long as is necessary for the purposes for which they are processed. These purposes are set out in this Policy.
- Personal data will be deleted or adjusted following a justified request by the data subject.
- Personal data are processed in accordance with the legal rights of the data subject as described in this Policy or as provided by law.
- Appropriate technical and organisational measures are taken to prevent unauthorised access, unlawful processing and accidental or unlawful loss, destruction or damage of personal data. In case of non-compliance as described in the previous sentence and/or in case of an accidental data leak, Merkator NV will take appropriate measures to remedy the breach/data leak and determine responsibilities in accordance with the GDPR and will, where necessary, cooperate with the competent authorities, insofar as they are involved in such a breach or data leak.
7 Personal data processed by Merkator NV
Personal data is a very broad concept and must be interpreted as such. When a natural person, regardless of the category, is identifiable on the basis of data processed in Merkator NV’s systems or structured files, this Policy applies.
Types of personal data which, alone or in combination with other data, allow a natural person to be identified include, for example: identification data (name, address, telephone number, email address, logged electronic identification data, etc.), photos or images, sound recordings, CCTV images, unique identification numbers, financial details, personal characteristics (such as age, gender, date of birth, place of birth, marital status, nationality), physical or psychological data, lifestyle and consumption habits, data about family, training, education, employment, and so on.
In essence, all information about a person qualifies as personal data. Not all such data will, however, lead to the unique identification of a person. For example, if you only have a person’s name and gender, this will not be sufficient to uniquely identify a person from the entire population of a country, but it may allow identification within Merkator NV’s staff.
To determine whether a person is identifiable, all means reasonably likely to be used must be taken into account, considering the cost and time required for identification, the technology available at the time of processing and technological developments (e.g. combining a job title and a name may take only a few minutes online – for example via LinkedIn – to find out who it is).
This Policy does not apply to anonymous information.
Given that this Policy only applies to natural persons, data relating to legal entities also fall outside its scope, unless such data allow a natural person to be identified.
8 Information on processing activities under the responsibility of Merkator NV
To process personal data, Merkator NV must have a legal basis.
Merkator NV will process personal data lawfully and mainly on the basis of one of the following (relevant) legal grounds:
- because it is necessary for the performance of a contract, or in order to take steps at the request of the data subject prior to entering into a contract;
- because it is necessary for compliance with Merkator NV’s legal obligations;
- because it is necessary for the purposes of the legitimate interests pursued by Merkator NV or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
  This last legal ground, which will often have to be used, requires a balancing test between the interests of Merkator NV on the one hand and the persons whose data are processed on the other.
In addition, there are some less common legal grounds on which Merkator NV may occasionally rely to process personal data, such as:
- A person’s free, specific, informed and unambiguous consent to the processing of his/her personal data for one or more specific purposes.
  Where there may be a real or potential disadvantage arising from refusal to give consent, that consent is not valid, as it is not considered to be freely given (e.g. in the context of an employment relationship).
- When processing is necessary in order to protect the vital interests of the data subject or of another natural person (which must be interpreted restrictively), e.g. in the event of a medical emergency.
For each specific purpose for which Merkator NV processes personal data, it will rely on only one legal basis.
Merkator NV will occasionally also need to process special categories of data in the context of the employment relationship.
These will mainly be data concerning a person’s health.
The processing of such data is logically restricted and Merkator NV will only do so if:
- the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where the law provides that the prohibition cannot be lifted by the data subject (which is often the case in the context of the employment relationship where local law provides that consent can only be given if the employee obtains a benefit);
- the processing is necessary for the purposes of carrying out the obligations and exercising specific rights of Merkator NV or of the employee/external party in the field of employment and social security and social protection law;
- the processing relates to personal data which are manifestly made public by the data subject;
- the processing is necessary for the establishment, exercise or defence of legal claims;
- the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment.
For more information on the specific categories of personal data and the purposes for which Merkator NV processes personal data, reference is made to:
- the general privacy statement on the websites;
- the privacy notice for applicants on the recruitment website;
- the privacy notice to our staff.
9 Security/confidentiality
Merkator NV undertakes to take appropriate technical, physical and organisational measures to protect personal data against unauthorised access, unlawful processing, accidental loss or damage and unauthorised destruction.
9.1 Equipment and information security
To prevent unauthorised access to personal data by third parties, all electronic personal data held by Merkator NV are stored in systems protected by secure, up-to-date network architecture equipped with firewalls and intrusion detection equipment. A backup of the data stored on the servers exists so that the consequences of accidental deletion, destruction or loss can be avoided. The servers are located in facilities with a high level of security, preventing access by unauthorised persons, and are equipped with fire detection and response systems.
9.2 Access security
The security of personal data relating to Merkator NV is of great importance. Merkator NV is committed to safeguarding the integrity of personal data and preventing unauthorised access to Merkator NV’s information. These measures are designed to prevent data fraud, to deter unknown and unauthorised access to our computer systems and information, and to provide appropriate protection for personal data held by Merkator NV.
No one, except occasional visitors with an appointment, can enter Merkator NV sites where personal data are stored without a validated access badge. All personnel files are kept confidentially in the HR department in secure and locked filing cabinets or rooms. Access to automated databases is controlled by login credentials and requires identification by means of a password before access is granted. Users have access to data only to the extent necessary to perform their role. The security features of our software and developed procedures are used to protect personal data against loss, misuse and unauthorised access, disclosure, alteration or destruction.
9.3 Training
Merkator NV is responsible for providing appropriate training on the legitimate purposes for which personal data may be processed, on the need to keep data accurate and up to date, on the lawful purposes for collecting and handling data, and finally on the need to keep data to which employees have access confidential. Authorised users will comply with this Policy and Merkator NV will take appropriate measures in accordance with applicable law if personal data are accessed, processed or used in a manner that is contrary to the requirements of this Policy.
10 Data protection by design and by default
10.1 General principle
For new initiatives as well as ongoing projects (business initiatives, new systems, tools or applications), Merkator NV is responsible for ensuring that data protection principles are built in from the development phase (“data protection by design”) and throughout the lifecycle (“data protection by default”).
10.2 Data Protection Impact Assessment (DPIA)
The GDPR introduced the concept of the data protection impact assessment (DPIA), which is a type of risk analysis of a planned processing operation. A DPIA must only be carried out when a type of processing, in particular using new technologies, taking into account its nature, scope, context and purposes, is likely to result in a high risk to the rights and freedoms of natural persons.
In general, Merkator NV can assume that, when a processing operation meets 2 of the 9 criteria listed below, a DPIA must be carried out:
- Evaluation or scoring, including profiling and prediction, in particular with regard to the assessment of a data subject at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements;
- Automated decision-making with legal or similarly significant effect;
- Processing of personal data on a large scale;
- Special categories of personal data or data of a highly personal nature;
- Systematic monitoring;
- Data relating to vulnerable data subjects, such as employees;
- Matching or combining datasets in a way that goes beyond the reasonable expectations of the data subject;
- Innovative use or application of new technological or organisational solutions, such as combining the use of fingerprints and facial recognition for enhanced access control;
- When the processing itself prevents the data subject from exercising a right or using a service or contract.
Local data protection authorities may publish lists of processing activities that are subject to the requirement to carry out a DPIA.
11 Rights of data subjects
11.1 Procedure
Merkator NV must facilitate the exercise of the rights of data subjects whose personal data it processes. Requests from data subjects will be handled by the GDPR Officer (privacy@merkator.com).
Where Merkator NV has reasonable doubts concerning the identity of the natural person making a request, it may request additional information necessary to confirm the identity of the data subject.
Merkator NV must inform the data subject without undue delay and in any event within 1 month of receipt of the request of the action taken on the request. Taking into account the complexity and number of the requests, that period may be extended by a further 2 months if necessary. Merkator NV must inform the data subject of any such extension within 1 month of receipt of the request.
Where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless the data subject requests otherwise.
Where Merkator NV does not act on the request of the data subject, it shall inform the data subject without delay and at the latest within 1 month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
Providing the information and taking the requested measures shall be free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, Merkator NV may either: (a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the requested action; or (b) refuse to act on the request.
11.2 Which rights?
Data subjects have the following rights:
a) Right of access and copy: the data subject has the right to obtain from Merkator NV confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to those personal data and to the legally required information, which can be found in the above-mentioned privacy statements and notices. Merkator NV must, upon request, also provide the data subject with a copy of the personal data undergoing processing. If the data subject requests additional copies, Merkator NV may charge a reasonable fee based on administrative costs.
This right shall not adversely affect the rights and freedoms of others. This means, for example, that the rights of other persons must also be protected: data carriers that contain not only the personal data of the person making the request but also those of other persons cannot be fully disclosed to the data subject. The rights of Merkator NV also play a role here: to the extent that Merkator NV has good reasons not to disclose certain information, for example for reasons of confidentiality or its interest in discreet management in certain areas, this may mean that a data subject will not have access to certain data.
b) Right to rectification: the data subject has the right to obtain from Merkator NV without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by providing a supplementary statement. Where such data have been disclosed to others, Merkator NV must also inform them.
c) Right to erasure (“right to be forgotten”): the data subject has the right to obtain from Merkator NV the erasure of personal data concerning him or her without undue delay and Merkator NV is obliged to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based, and there is no other legal ground for the processing;
- the data subject objects to the processing and there are no overriding compelling legitimate grounds for the processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which Merkator NV is subject.
This right does not apply, among other things, to the extent that processing is necessary:
- for exercising the right to freedom of expression and information;
- for compliance with a legal obligation which requires processing and which is laid down in Union or Member State law to which Merkator NV is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in Merkator NV;
- for the establishment, exercise or defence of legal claims.
d) Withdrawal of consent: If Merkator NV has relied on consent as the legal basis for processing, the data subject may withdraw that consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.
e) Right to restriction of processing: the data subject has the right to obtain from Merkator NV restriction of processing, for example where the accuracy of the personal data is contested.
f) Right to data portability: the data subject has the right to receive the personal data concerning him or her, which he or she has provided to Merkator NV, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from Merkator NV, where:
- the processing is based on consent or on a contract; and
- the processing is carried out by automated means.
Again, this right shall not adversely affect the rights and freedoms of others.
g) Right to object: the data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on the legitimate interests of Merkator NV, including profiling based on those provisions. Merkator NV must then no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or which relate to the establishment, exercise or defence of legal claims.
h) Automated individual decision-making, including profiling: the data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. In such cases, Merkator NV will take appropriate measures to safeguard the data subject’s rights and freedoms and legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
If a data subject has complaints regarding the processing of his or her personal data, the data subject must first raise this with:
- the HR department for applicants, (former) employees, etc.;
- for all other data subjects: the GDPR Officer (privacy@merkator.com).
The data subject may also lodge a complaint with the Data Protection Authority.
12 Retention of personal data
Merkator NV will not retain personal data for longer than is necessary for the purposes for which they are processed.
13 Transfer of data
13.1 Within the Merkator NV group
Each establishment of Merkator NV can have different roles under data protection regulations:
- It may act as a separate controller with regard to certain processing activities (e.g. payroll for its own employees);
- It may act together with other Merkator NV establishments as joint controller with regard to other processing activities (e.g. where the different establishments use a joint system or database, documents and/or other devices in relation to shared personal data);
- It may act as a processor on behalf of other Merkator NV establishments (e.g. where a central service within one establishment processes personal data on behalf of another Merkator NV establishment).
To determine their respective roles and responsibilities, the Merkator NV establishments have concluded an intra-group processing agreement.
13.2 To external parties
Personal data may be transferred by Merkator NV to external parties if the disclosure falls within one of the processing purposes on which the data processing is based and if the disclosure is considered lawful and fair to the data subject.
Merkator NV has identified all external parties that have access to the personal data processed under the responsibility of Merkator NV and has, where necessary, concluded contractual safeguards with these parties to secure the personal data as effectively as possible. Merkator NV will only use processors that provide sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of the GDPR and ensures the protection of the rights of data subjects. Whenever a new service provider is engaged that will have access to personal data under the responsibility of Merkator NV, it will be determined whether this service provider is a processor and the necessary steps will be taken accordingly.
14 Automated decision-making
Automated decision-making is defined as decisions about individuals that are taken solely on the basis of automated processing of data and that produce legal effects concerning them or similarly significantly affect them.
Merkator NV’s basic principle is that it does not engage in automated decision-making. If automated decisions are taken, data subjects will be given the opportunity to express their views on the automated decision in question and to object to it.
15 Personal data breaches
In the event of a personal data breach as described below and in the list of definitions in this Policy, it is essential that appropriate measures are taken as quickly as possible to minimise the risk of harm to the data subject and ultimately also to Merkator NV itself (reputational damage, imposed sanctions, etc.).
15.1 What is a personal data breach?
There is, for example, a security breach in the event of theft or loss of a USB stick, mobile device or laptop, or in the event of a hacker intrusion into any system containing personal data. However, not every security breach also constitutes a personal data breach. The diagram below shows when a security breach becomes a personal data breach that must be notified.
[Diagram not reproduced in this text version of the Policy.]
15.2 Notification of personal data breaches
a) Internal notification
In any case, all individuals who consult, use or manage Merkator NV information are responsible for immediately reporting any security breach and information security incidents to the Privacy Department, so that it can be analysed without delay whether the breach must be notified. The Privacy Department will, where appropriate, send a form allowing the person concerned to provide more details about the incident.
b) External notification
Everyone who, in the performance of his/her role at Merkator NV, processes personal data (of colleagues, applicants, customers, third parties, etc.) must take care to avoid (intentional or unintentional) incidents that may affect the privacy of data subjects.
Merkator NV is obliged, within 72 hours after becoming aware of a personal data breach, to notify the Data Protection Authority of any such breach that has, or may have, serious adverse consequences for the protection of personal data. In some cases, Merkator NV must also inform the data subject(s) affected by the breach.
15.3 Investigation and risk analysis
Depending on the type of incident, Merkator NV will investigate the incident. Where possible, an investigation will be initiated within 24 hours of the incident being reported.
The investigation will determine the nature of the incident, the type of data involved and whether personal data are involved (and if so, who the data subjects are and how many personal records have been affected).
The investigation will analyse the extent to which the system has been compromised or how sensitive the data involved are, and a risk analysis will be carried out to determine the possible consequences of the incident, for example whether data subjects have been harmed or access to data or IT services has been disrupted.
15.4 Management and remediation
The Privacy Department determines the appropriate course of action and the resources required to limit the impact of the incident. This may require isolating part of the network, notifying relevant employees or disabling certain equipment.
Appropriate measures will be taken to restore lost systems or data and to resume normal operations. This may include attempting to recover lost equipment, reverting to backup mechanisms to restore affected or stolen data, and changing compromised passwords.
Advice from (external) experts may be sought to resolve the incident promptly and appropriately.
15.5 Notification
The company will then decide, based on the seriousness of the breach, whether the competent Data Protection Authority must be notified by law. Where the decision is taken to notify the Data Protection Authority of a particular incident, and possibly also the affected data subject(s), the following assessment will be made:
[Assessment criteria not reproduced in this text version of the Policy.]
15.6 Evaluation
Once the incident has been handled, a thorough evaluation must take place. The report describes the origin of the incident and the factors that contributed to it, the chronological sequence of events, the reactive measures, recommendations and lessons learned to identify areas for improvement. Recommended changes to systems, policies and procedures will be documented and implemented as soon as possible thereafter.
16 Specific staff instructions
All persons working at Merkator NV who, in the performance of their role, have access to personal data are obliged under this Policy to do what is necessary to comply with this Policy. Consequently, these persons must recognise the importance of correct and lawful handling of personal data and must handle such data with the utmost care, strictly in accordance with this Policy.
Furthermore, the aforementioned persons must be aware that non-compliance with this Policy may have serious adverse consequences for the privacy of the data subjects whose personal data are processed under the responsibility of Merkator NV, as well as for Merkator NV itself (for example, high fines imposed by the Data Protection Authority, reputational damage, etc.).
The technical and organisational measures are laid down in the “Statement of Applicability” as part of Merkator NV’s ISO 27001 management system.
17 Enforcement of this Policy
Merkator NV ensures that this Policy is observed and properly implemented. All persons who have access to personal data must comply with this Policy.
Breach of the applicable data protection legislation in the EEA may result in Merkator NV being subject to fines or claims for damages imposed by the Data Protection Authority or by the competent court. If such damage directly results from a breach of this Policy by employees, this will give rise to the sanctions set out in Merkator NV’s work regulations, including, but not limited to, dismissal.
18 Notification of this Policy
Merkator NV will provide periodic training on this Policy. Attendance is mandatory.
In addition, Merkator NV will communicate this Policy to current and new employees by making it available via the employee portal.
19 Changes to the Policy
Merkator NV reserves the right to amend this Policy where necessary, for example to comply with new legal obligations, guidelines or requirements imposed by the Data Protection Authority. Merkator NV will inform data subjects of any material change to this Policy.
