When we offer our business solutions ("Services") to our customers, we process personal data as a Processor on behalf of our customers, with whom TRAXGO enters into a processor agreement. We also impose the requirements that arise from this on our suppliers via a processing agreement.
We act as Data controller in respect of data that we process for our own purposes, for example in the areas of marketing, HR, legal affairs, statistics, administration and compliance (see below).
FOR WHAT PURPOSES AND ON WHAT BASIS DO WE PROCESS YOUR PERSONAL DATA?
We process personal data for the following processing purposes and on the following legal basis:
To provide the Services, we process personal data as Processor on behalf of our customers. The purpose and legal basis of such processing is determined individually by each customer and not by Traxgo.
As the Data controller, we process personal data for the following purposes:
- Maintaining an adequate level of security (security). We consider the security of our services and in general our information security to be our legal obligation under Art. 6 (1) (c) of the GDPR and our legitimate interests under Art. 6 (1) (f) of the GDPR. In doing so, we monitor the use of our systems internally to detect violations of internal policies, unauthorised operations in our systems or malicious bots, codes or behaviour. This objective includes the adoption of adequate security measures, their periodic review and revision.
- Direct marketing communication & online marketing. We consider the processing of personal data for direct marketing as our legitimate interests in accordance with Art. 6 (1) (f) of the GDPR. Where required by ePrivacy or other legal requirements, we rely on the consent of the data subject in accordance with Art. 6 (1) (a) of the GDPR. This purpose relates to TRAXGO’s direct marketing communication, for example through our own marketing campaigns, newsletters, events, blogs and our social media channels, online interaction with users, maintenance of our websites and publication of team or event photos where permitted.
- Exercising or defending legal claims. Like any business, from time to time we must file legal claims, request compensation or settlement and preserve legal evidence, obtain legal advice from outside counsel, ensure compliance with regulations, be represented by legal counsel in judicial, criminal, administrative or other proceedings or report to law enforcement authorities or otherwise. We do this based on our legitimate interests under Art. 6 (1) (f) of the GDPR or based on the performance of the contract in accordance with Art. 6 (1) (b) of the GDPR.
- Tax, invoicing and accounting. To comply with tax, invoicing and accounting regulations, we need to process a certain limited scope of personal data. We do this because we are obliged to do so under Article 6 (1) (c) of the GDPR.
- Contract performance. We conclude contracts with both individuals and other companies whereby we process personal data on staff, personnel or contacts in a B2B context, for the conclusion, performance and administration of the contract (legal basis = contractual performance Art. 6 (1) (b) of the GDPR. This purpose also includes any pre-contractual negotiation or processing of data via a contact form on our website or other channels.
- Quality & service improvement. We process your personal data to perform statistical analyses to improve our websites, products and services or to develop new products and services.
- If you apply for a job via our website or in some other way, we will process the candidates' data for the purpose of hiring and concluding a contract. Unsuccessful candidates are asked for permission to keep personal data on file to contact them for future job vacancies.
WHAT PERSONAL DATA DO WE PROCESS?
We only process personal data that is necessary, both in terms of type and for the purposes of processing explained above. For most purposes, we only process basic identification and contact data, including typical communication data and content.
- When you fill in a contact form on our websites or contact us by email, telephone, fax or any other channel, we may collect the following: name, email address, postal address, telephone number, as well as the log data of your message (date, time)
- To reach contractual agreements with customers, in addition to contact and identification data, we also process public data, i.e. data contained in public databases such as the Crossroads Bank of Enterprises, data that you yourself have made public on a website, data that are generally known or have appeared in the press.
- In the context of hiring, we process personal data of candidates such as CVs.
- We do not use automated data processing or profiling.
- We process email address and contact data for direct marketing purposes, if you have given your consent.
WHO ARE THE RECIPIENTS OF YOUR PERSONAL DATA?
TRAXGO does not share your personal data with third parties, except to third parties in the context of providing its services, and only if this is necessary for technical support or if it is obliged to do so on the basis of a statutory provision or a court ruling. These third parties may only process your personal data on our behalf and with our express written consent and in accordance with the purposes outlined above. We guarantee that all third party processors are carefully selected and committed to safeguarding the security and integrity of your personal data.
When you are looking for a job, we may work with third parties who perform tasks on our behalf, such as checking references, psychometric evaluations and skills testing.
Within TRAXGO, your data is only shared with authorised staff (internal recipients) or a verified/authorised third party. Our employees or internal contractors may have access to your personal data on a strictly necessary basis, which is usually determined and limited by the position, role and department of the employee concerned.
We use subcontractors to assist us in providing services that may process personal data for us. We ensure that the selection of our subcontractors and any processing of personal data by them complies with the GDPR. TRAXGO uses the following categories of subcontractors for the provision of services: hosting or cloud service providers, suppliers of standard software solutions (such as Microsoft, Google); providers of marketing and analysis software and operators of social media platforms (such as Google and Facebook).
We aim to have all cloud and servers in the EU. However, some of our subcontractors or the abovementioned recipients of personal data may be located outside the EU or their servers may be located outside the EU. Any transfer of personal data outside the EU is only done by us in strict compliance with the GDPR. We ensure that the external recipients in non-eligible countries have concluded the EU Standard Contractual Clauses (EU SCC) with us or ensure equivalent safeguards.
SECURITY OF YOUR PERSONAL DATA
TRAXGO guarantees a qualitative level of data and data security by taking all necessary and reasonable technical and organisational measures. We aim to evaluate these measures at regular intervals and adjust them if necessary. TRAXGO is ISO 27001 certified.
HOW LONG DO WE RETAIN YOUR PERSONAL DATA?
TRAXGO will retain your personal data for a period that is necessary for the performance of the agreement and as a function of the purposes of the processing, as described above. Because of this legal obligation, but also because of technical and financial aspects of data storage, we actively delete data where it is no longer needed. Retention periods are either provided for in the respective laws, data processing agreements, instructions from our data controllers or are set out by us in our internal policies. If the processing of your personal data is based on consent and you decide to withdraw your consent, we will not process your personal data for the specific purpose.
Your personal data will thus be retained as follows: for the duration of the services in accordance with the purposes described above (active retention period) and, as soon as there is no longer any contact, for a passive retention period of 5 years.
All retention periods in relation to the personal data we process for our customers are determined by our customers. We may retain such personal data only for the duration of our data processing agreement, after which we must return or delete all personal data relating to customer data subjects. However, we may delete personal data even earlier if the customer instructs us to do so, for example, if the customer no longer considers the storage of such data necessary for the specified purpose.
You have various rights with regard to the processing of your personal data. If we ask you for permission to process your data, you can withdraw your permission at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before the withdrawal.
If you wish to exercise any of these rights, please contact us at the following address firstname.lastname@example.org:
You have the right:
- to request information and access your personal data
- to the rectification of incorrect data (and the completion of incomplete data)
- to erasure of personal data (right to be forgotten);
- to restriction of processing based on legitimate interest
- to object, without justification and free of charge, to direct marketing
- to the portability of data
- to not to be subject to individual decision making
To process your request quickly and correctly, we ask you to be as specific as possible when sending your request. If there is any doubt about the identity of the applicant, additional information will be requested to establish it.
TRAXGO is entitled to refuse your requests if the requests are 'manifestly unfounded or excessive' (in particular due to their repetitive nature) or to charge a reasonable fee of € 60 excl. VAT per request.
QUESTIONS OR COMPLAINTS
If you have any questions or complaints about the way we process your personal data, you can always contact us at the following email address email@example.com. In addition, you always have the option of submitting a complaint to the Data Protection Authority: Drukpersstraat 35, 1000 BRUSSELS, email firstname.lastname@example.org.