This policy is provided by Traxgo bvba for information purposes only without any form of representation or warranty and Traxgo bvba is not liable for errors or omissions in relation to this policy. The only warranties for the products and services of Traxgo bvba are those set out in the warranty certificates accompanying the products and services, if applicable. Nothing in this policy may be considered as an additional warranty.
The registered office of Traxgo bvba is located in Belgium, a member of the EU. Hence, it is subject to the basic principles of European data protection and privacy legislation as laid down in REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and Directive 95/46/EC (General Data Protection Regulation). For specific cases where stricter legislation applies with respect to this policy, the strictest regulations shall prevail.
Any questions in this regard may be sent directly to the CEO (firstname.lastname@example.org), who performs the role of Data Protection and Privacy Officer (DPPO).
This policy applies to all activities involving the processing of personal data. It lays down the requirements for operational processes and more clearly defines the roles, responsibilities and structure. It is the responsibility of all employees within Traxgo to follow the rules and agreements that are laid down in this policy when they handle personal data during their daily duties.
Personal data includes the data of employees, former employees, job applicants, customers, stakeholders, suppliers, partners, users of Traxgo products and services and all other parties involved.
Traxgo is the controller for the personal data of its own employees, job applicants, former employees, customers, suppliers, partners and other stakeholders. This means that Traxgo determines what is done with these data and how they are handled.
However, Traxgo is always a processor in relation to the products and services delivered to its customers. In this case, the customer is the controller for the personal data it enters into Traxgo’s systems. Traxgo may only act as the processor of personal data instead of the customer and in accordance with the customer’s instructions if a relevant data processing agreement, as applicable between a processor and a controller, has been drawn up.
The terminology used in this policy has the same meaning as defined in REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and the associated Directive 95/46/EC (General Data Protection Regulation).
5 Principles for managing personal data privacy and protection
Traxgo bvba has committed to complying with the requirements of the data protection principles as described in REGULATION (EU) 2016/679, whereby personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’).
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’).
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’).
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required to safeguard the rights and freedoms of the data subject (‘storage limitation’). This means that the period for which the personal data are stored must be kept to a strict minimum; To ensure that the personal data are not stored longer than necessary, the responsible party must lay down deadlines for the erasure or periodic review of the data. Every reasonable step must be taken to ensure that personal data that are inaccurate are rectified or erased.
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
- processed in accordance with the rights of data subjects.
- not transferred to a country outside the European Economic Union, unless the necessary protection has been ensured.
Traxgo bvba shall not sell personal data to third parties.
The manner in which Traxgo applies the requirements of the data protection principles are described in further detail in this document. A distinction is made between Traxgo as processor and controller.
Traxgo acts as controller for customers solely on the instructions of the customer. In the absence of such instructions, the internal processes of Traxgo are adjusted accordingly.
Adequate organisational and technical measures
The legal responsibility for collecting, processing and using personal data within Traxgo bvba is entrusted to the managers of the company that collects, processes or uses the personal data for its business purposes. Within Traxgo bvba, the responsibilities are delegated based on the organisational structure, via specific positions and roles, enforced through the policy, processes and documented instructions issued by senior management to managers at different levels and employees, where additional support is provided through appropriate trainings.
The CEO ensures that people in all roles and positions within Traxgo are aware of the rules regarding the use of personal data.
Data security measures
Traxgo bvba has implemented the ISO 27001:2013 Information Security Management framework to provide the means to ensure adequate data security. In addition to approved technical controls, structured documentation, monitoring and continuous improvement, the implementation of ISO 27001 promotes a culture and awareness of data protection within Traxgo bvba.
A non-exhaustive list of ISO 27001 Controls is provided below, which are applicable to personal data as well as to the other information assets for which Traxgo bvba is responsible.
Risk assessment & treatment
Privacy and data protection legislation defines what constitutes personal data and the special categories of personal data (ISO Control A.8.2.1: Classification of Information) which is taken into account in the classification of information (as confidential, internal or public). Privacy and data protection legislation also determines what constitutes high-risk processing.
Based on the classification of information and whether or not high-risk data is being processed, the necessary assessments are performed prior to the processing and these are validated by the CEO.
Our customers, acting as controllers, provide information about the classification of their personal data and the level of risk entailed with respect to the data processing. Under privacy and data protection legislation, they are required to carry out this risk assessment, which is taken into account by the Traxgo for determining the technical and organisational measures.
It is mandatory to have a list of relevant legal, regulatory and contractual requirements (ISO Control A.18.1.1: Identification of Applicable Legislation and Contractual Requirements) and ensure the privacy and protection of personally identifiable information as required by privacy and data protection legislation (ISO Control A.18.1.4 Privacy and Protection of Personally Identifiable Information).
Traxgo bvba only processes personal data for which it can demonstrate a legitimate legal basis. Compliance with privacy and data protection legislation can be demonstrated based on an appropriate framework, implemented organisational and technical measures and possession of the ISO 27001:2013 certification.
ISO 27001 Control A.8 (Asset Management) concerns the management of assets containing personal data. An asset management system has been set up to ensure that the necessary security measures are present for data storage, access and erasure.
Privacy by design and by default
Traxgo bvba applies the principles of privacy by design and by default in the development of products and systems as part of an integral component of its information systems during the complete life-cycle of products and services. Privacy by design and by default are also applied when designing new processes and process activities, supported by information systems. The ISO 27001 Control A.14 (System Acquisition, Development and Maintenance) ensures that ‘information security’ is a specific requirement as an integral part of the functional and technical requirements for the design and development of information systems.
Data breach notification
Traxgo bvba has implemented a procedure for the handling and notification of data security breaches, ensuring a consistent and effective approach to the management of information security incidents, including communication regarding such incidents.
The CEO of Traxgo bvba is the designated contact person for all communication related to data leaks (email@example.com) as well as the contact person for supervisory authorities and stakeholders.
Suppliers and subcontractors
Acting as controller, Traxgo bvba informs its customers about the suppliers and subcontractors engaged by it for processing data under its instructions. The requirements laid down in the data processing agreements between Traxgo bvba and its customers are enforced in all agreements with our subcontractors and suppliers.
All personal data, for which Traxgo bvba acts as controller or which are stored by it under the instructions of its customers acting as controller, shall be stored in a secure manner within the EEA and not transferred outside the EEA. This rule is also applied by the suppliers and subcontractors working under the instructions of Traxgo bvba. Only after a formal written request and with the approval of the controller, territorial transfers outside of the EEA shall be handled in the manner agreed on with the controller, where the controller must ensure that the necessary transfer agreements, contractual provisions and binding requirements are in place with the party to whom the data must be transferred.
The storage of personal data for which Traxgo bvba acts as controller must comply with its internal data retention and erasure policy. The storage of personal data owned by customers and stored by Traxgo bvba are subject to the data retention policy of the customer (in this case, the controller). If no such retention policy is provided for by the controller in the data processing agreement, the internal data retention and erasure policy of Traxgo bvba shall apply.
Rights of data subjects
For the activities in which Traxgo bvba acts as controller of personal data, we have introduced and implemented an appropriate policy as well as various guidelines, standards, procedures and instructions to ensure that all rights and freedoms of data subjects are respected.
Right to information
Data subjects are entitled to information about the identity of the controller, reasons for the processing of their personal data and other relevant information necessary to ensure the fair and transparent processing of personal data. Data subjects, with respect to whom Traxgo bvba acts as controller, shall be informed via various channels, depending on the type of data subject (for example, privacy statement, privacy notifications on digital touchpoints, data protection for employees and data protection notifications).
Right of access
Data subjects have the right to obtain:
- confirmation from the controller about whether or not his or her personal data is being processed and if so, access to these personal data.
- information about the purposes of the processing.
- information about the categories of data being processed.
- information about the categories of recipients with which the data may be shared.
- information about the period for which the data will be stored (or the criteria used to determine this period).
- information about the existence of the rights to erasure, rectification, restriction of processing and objection to processing.
- information on the existence of the right to lodge a complaint with the data protection authority.
- information about the source of the data if the data have not been collected directly from the data subject.
- information on the existence and explanation of the logic involved in automated processing that has a significant effect on data subjects.
In addition, data subjects may request a copy of the processed personal data.
Right to rectify, complete or update personal data
Data subjects are entitled to request a controller to rectify any errors in their personal data.
Right to erasure (the ‘right to be forgotten’)
Data subjects are entitled to require a controller to erase their personal data if further processing of these data is not justified. Data subjects are entitled to delete personal data (the ‘right to be forgotten’) if:
- the data are no longer needed for their original purpose (and there is no new legitimate purpose).
- the legal basis for the processing is the data subject’s consent to such processing and the data subject withdraws such consent, as a result of which no other legal basis exists.
- the data subject lodges an objection and the controller has no decisive reasons for continuing with the processing.
- the data have been processed unlawfully.
- erasure of the data is necessary in order to comply with EU legislation or the national legislation of the Member State concerned.
Right to restriction of processing
Data subjects are entitled to restrict the processing of personal data (this means that the data may only be stored by the controller and used for limited purposes) if:
- the accuracy of the data is disputed (and only for as long as necessary to verify that accuracy).
- the processing is unlawful and the data subject requests a restriction of processing (as opposed to exercising the right to erasure).
- the controller no longer requires the data for the original purpose, but the data are still required by the controller to determine, exercise or defend legal rights.
- a verification of compelling reasons is pending, in the context of a request for erasure.
Right to object
Data subjects are entitled to object, for reasons related to their specific situation, to:
- the processing of personal data, where such processing is either based on public interest or the legitimate interests of the controller.
- processing with a view to direct marketing.
- processing for scientific, historical or statistical purposes, unless such processing is necessary for the performance of a task for public interest purposes.
Right to data portability
Data subjects are entitled to:
- receive a copy of their personal data in a structured, widely used, readable format that can be reused.
- transfer their personal data from one controller to another.
- store their personal data for further personal use on a private device.
- transfer their personal data directly between the controllers without any hindrance.