PRIVACY AND DATA PROTECTION
As an accounting firm, we process a lot of data. This includes personal data and, in this regard, we would like you to know the following:
The personal data that we process may pertain to your capacity as a client of the firm or to you as a business contact of our clients (if you are a supplier or customer of our client, say). In all cases, in your capacity as data subject whose personal data is processed by us, we must notify you of the following.
1. Controller of personal data
ECOVIS ACTA Consult BV is appointed as controller of the personal data. The controller’s registered office is at Auguste Reyerslaan 80, 1030 Schaarbeek and its company identifier is 0413.789.528. The controller is registered with the ITAA under accreditation number 50.065.538.
You can contact ECOVIS ACTA Consult BV by letter at the above address or by email at email@example.com with any questions you may have regarding the protection of personal data.
2. Purposes of the processing of personal data
The firm processes the personal data for the following purposes:
A. Pursuant to the Law of 18 September 2017 to prevent money laundering and funding of terrorism and to limit the use of cash.
1° Pursuant to article 26 of the Law of 18 September 2017, our firm must collect the following personal data of our clients and their authorised agents: surname, first name, date and place of birth, and, where possible, address.
2 ° Pursuant to article 26 of the Law of 18 September 2017, our firm must collect the following personal data of the ultimate beneficiaries of our clients: surname, first name, and, where possible, date and place of birth, and address.
The processing of these personal data is a legal obligation. Without these data, we are unable to enter into a business relationship (article 33, Law of 18 September 2017 to prevent money laundering and funding of terrorism and to limit the use of cash).
B. The obligations of the firm with regard to the Belgian authorities, foreign authorities or international institutions, by virtue of a legal or regulatory obligation, by virtue of a legal decision or as part of the promotion of a legitimate interest (as part of an assignment we have been given, whereby the current and future tax and social laws oblige us to process personal data).
The processing of these personal data is a legal obligation. Without these data we are unable to enter into a business relationship.
C. Performance of an agreement on accounting and tax services. The processing of the personal data concerns the data of the clients themselves, their members of staff, their directors and the like, as well as other people that are connected with the activity as a customer, supplier or in another capacity.
We are unable to perform our duties as accountant/tax consultant if these data are not provided and processed.
3. What and whose personal data?
Our firm is permitted to process the following personal data as part of the purposes stated under point 2: first name, surname, email address, biometric data (copy of eID or passport), address, company identifier, national identification number and other personal data needed for those purposes.
The data of the client and the client’s partner with regard to the following are also processed for income tax returns via Tax-On-Web: children, degree of disability, kinship, date of birth, dependents, real estate, gifts, foreign accounts, foreign life insurance, loans to small start-ups, Belgian bank account number and confirmation of whether the person is the founder of legal structures.
The firm processes the personal data provided by the data subjects or their relations.
The firm processes the personal data that were not provided by the data subject, such as personal data provided by the client concerning its employees, directors, customers and suppliers.
The personal data may also come from public sources, such as the Crossroads Bank of Enterprises, Belgisch Staatsblad/Moniteur belge and its annexes, the National Bank of Belgium (Central Balance Sheet Office) and the like.
The data are processed only insofar as necessary for the purposes stated under point 2.
The personal data are not transferred to third countries or international organizations.
ECOVIS ACTA Consult BV uses programs and applications to provide the agreed service. Final decisions are only taken after assessment by an authorised natural person of the automated decision-making that may occur on the basis of the programs and applications used.
4. Recipient of data
In accordance with the foregoing and except where and insofar as the sharing of personal data with organisations or entities whose involvement as third party service providers for account of and under the control of the controller is required to realise the aforementioned purposes, the firm shall not share, sell, rent out or exchange the personal data collected within this scope with any other organisation or entity, unless you have been notified of and agree to this in advance.
The firm uses third party service providers;
- The firm uses various (cloud and non-cloud) applications to provide, process and report on financial data;
- The firm uses external staff and/or entities to perform certain tasks or specific assignments;
- The firm is in contact with third party service providers who process its own data or data of clients (such as social secretariats).
The firm is permitted to take the steps needed to ensure the proper management of its website and IT infrastructure.
The firm is permitted to transfer the personal data on the request of any legally authorised authority or even on its own initiative if it feels, on good faith, that transferring these data is needed to comply with laws and regulations or to defend and/or protect the rights or the property of the firm, its clients, website and/or yourself.
5. Security measures
To prevent, insofar as possible, unauthorised access to the collected personal data, the firm has drawn up security and organisational procedures for the collection and storage of these data.
These procedures also apply to all processors used by the firm.
6. Retention term
6.1. Personal data that must be retained by virtue of the Law of 18 September 2017 (see 2.A.)
This concerns the identifying data and the copy of the documentary proofs concerning our clients, the internal and external authorised agents and the ultimate beneficiaries of our clients.
In accordance with article 60 of the Law of 18 September 2017, these personal data are retained for up to ten years after the end of the business relationship with the client or from the date of an occasional action.
6.2. Other personal data
The personal data of other persons not stated above are only retained for the terms as provided for in the applicable laws, such as the accounting laws, tax laws and social laws.
6.3 Expiry of the retention term
The personal data are erased upon the expiry of the aforementioned terms, unless another applicable law provides for a longer term.
7. Right of access, right of rectification, right to be forgotten, right to data portability, right to object, right not to be profiled and right to be notified of security breaches
7.1. Concerning the personal data that we must retain by virtue of the Law of 18 September 2017.
This concerns the personal data of our clients, the authorised agents and the ultimate beneficiaries of the clients.
We refer you to article 65 of the Law of 18 September 2017 in this regard:
“Article 65. The person to whom the processing of personal data applies by virtue of this law does not have the right to access and rectify his or her data, the right to be forgotten, the right to data portability, the right to object, the right not to be profiled or the right to be notified of security breaches.
The right of the data subject to access his or her personal data is exercised indirectly, by virtue of article 13 of the aforementioned Law of 8 December 1992 at the Data Protection Authority, as established by article 23 of the same law.
The Data Protection Authority only notifies the applicant that the appropriate verifications have been performed and of the results of these with regard to the lawfulness of the processing in question.
These data may be shared with the applicant if the Data Protection Authority, in consultation with the Financial Intelligence Processing Unit and based on the advice of the controller, on the one hand, establishes that this sharing does not require the announcement of the existence of a mention of a suspicion as referred to in articles 47 and 54, of the consequences that have been set out for this or of the exercise by the Financial Intelligence Processing Unit of its right to request additional information by virtue of article 81 and does not potentially compromise the goal of fighting money laundering or funding of terrorism, and, on the other hand, establishes that the data in question relate to the applicant and are retained by entities subject to this law, the Financial Intelligence Processing Unit or the supervisory authorities in order to comply with this law.”
You must therefore contact the Data Protection Authority (see point 8.) to exercise your rights.
7.2. All other personal data
You can contact us by email (firstname.lastname@example.org) to exercise your rights concerning all other personal data.
8. Use of the website
We use your data for the following purposes:
- To contact you when you make a request
- To investigate data breaches and unlawful use of the website
- To produce statistics and analyses concerning our website For these purposes, your data are anonymised
The following data must be provided on our contact page:
- Email address
- Phone number
You may make a complaint to the Data Protection Authority concerning the processing of personal data by our firm:
Data Protection Authority