Privacy policy on the Balencio platform

Why this policy and what does it apply to?

Bright Link SA is committed to privacy and places great importance on the protection of the data it deals with as well as the inherent privacy legislation.

Our policy on the protection of personal data is based on the applicable legal provisions in this area, including the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereafter, the « GDPR ») and the Belgian law of 30 July 2018 on the protection of individuals regarding personal data processing.

This policy responds to the requirements of Articles 13 and 14 of the GDPR and aims to inform users of Bright Link SA’s Balencio platform (https://app.balencio.com) in a concise, transparent and understandable manner about practices regarding the protection, collection, use and sharing of personal information provided.

It applies only to the processing of data that can identify or make identifiable users of the platform, directly or indirectly (‘Personal Data’).

Bright Link SA undertakes to always comply with the requirements of the Privacy Regulations and to process users’ personal data only under the following conditions.

Bright Link SA, as a SaaS supplier, acts as a data controller and processor depending on the data processing activities.

Bright Link SA is a « data controller » when collecting personal data from users of the platform:

  • User management of the platform (socio-demographic file)
  • Operational management of the platform
  • All processes related to platform protection and security.

Bright Link SA is a « data processor » and its Customers are data controllers for all the processes carried out by the users themselves in the platform (surveys, results).

Bright Link SA as Data Controller

Who is responsible for processing personal data?

Bright Link SA, headquartered at Rue du Cyclotron, 6, 1348 LOUVAIN-LA-NEUVE, Belgium, registered at the Crossroads Bank for Enterprises under the number 0662.639.464, is responsible for the processing of personal data.

What type of information do we process?

The personal data and/or categories of personal data that we are likely to process are:

  • Indirect individual IDs (e-mail address, login)
  • Personal characteristics (sex, age, nationality, education level)
  • Career information (seniority, function, department, contract status)
  • Digital individual IDs (IP address, cookies)
  • Login data, statistics, and logs (date/time of connection, activities, …)
  • Results of analyses and statistics

What do we process your personal data for and on what legal basis?

The personal data is collected and processed for the following purposes:

  • When it collects personal data from the Users of the Platform
    • Management of opening and use of the User’s Account on the Platform (sociodemographic file)
  • To operate the platform
    • Operational management of the Platform
    • Monitoring and analysis of traffic of the Platform and of the Site
  • To protect the platform
    • All processing related to the protection and security of the Platform itself

This data is processed in accordance with this statement and in accordance with the provisions of the European Data Protection Regulation.

They will only be handled by Bright Link SA staff and subcontractors for the sole purposes described above and to improve service and provide industrial benchmarks. The aggregated data allow Bright Link SA to calculate industrial benchmarks. Bright Link aggregates the data in such a way that, in accordance with applicable laws and regulations, including (without limitation) the GDPR and the Belgian data protection law, the data processed becomes anonymized.

In all circumstances, Bright Link SA undertakes to collect and process your personal data collected on its platform only to the extent that this is strictly necessary for the fulfillment of any of the purposes set out in this policy. In principle, your personal data will never be used in any other setting than the one advertised.

When collecting your Personal Data, you will be informed that certain Personal Data must or may not be provided to achieve the expected result. Failing to provide the so-called mandatory information, the execution of the application may not be possible.

The following table summarizes each of the treatments performed, as well as the legal basis for treatment:

| Purposes | Legal basis | Source of data |
| --- | --- | --- |
| To manage the opening and use of the user’s account on the platform (sociodemographic file) | Executing a contract to which the data subject is a party | Your employer; The user of the platform |
| To operate the platform | Executing a contract to which the data subject is a party; Our legitimate interest in providing you with a quality navigation experience and a continuously functional platform | The user of the platform; IT subcontractors |
| To protect the platform | Our legitimate interest in ensuring the computer security of the site and your personal data; Compliance with our legal security obligations (Art 32 GDPR); Finding, exercising or defending a right in court; Executing a contract to which the data subject is a party | The user of the platform; IT subcontractors |

There is no processing for automated decision-making.

Who are the recipients of the collected data?

This processing of personal data is carried out under a strict principle of confidentiality to which these persons are contractually bound. In this respect, Bright Link SA is totally independent of the employer and guarantees the confidentiality of the information collected towards the employer and any other third party. Personal data is used to provide a confidential and pseudonymised individual report. This report is never and under no circumstances shared with the employer or any other third party.

The employer has only access to consolidated reports where the ‘rule of 10’ is applied (a minimum of 10 observations or individuals is required for Bright Link SA to be able to present consolidated results, in order to avoid the possibility of identification of the persons whose data is included in the report).

As part of the above data processing, Bright Link SA may be required to share your data with the following individuals or organizations:

Internally to Bright Link SA:

  • Executive staff
  • Staff in charge of the operations and support of the platform
  • Potentially to any internal service on the basis of the need to know

To other organizations:

  • Sub-contractors involved in the platform’s various business processes, platform security and responses to attacks
  • Any public authority legally entitled to receive data in the event of a computer attack or attempted attack, any jurisdiction, or any government and police service in the chain of investigations, lawyers, and bailiffs mandated by Bright Link SA, and any judicial personnel intervening for the prosecution of offences and their compensation

Bright Link SA works closely with third-party companies that perform IT services necessary for the website to function properly (hosting, storage, maintenance, invitations to register, etc.).

The Customer expressly acknowledges and accepts that Bright Link SA may contract out all or part of the Customer Data Processing activities. Bright Link SA undertakes to inform the Customer of any planned changes regarding the addition or replacement of a subcontractor and to give the Customer the opportunity to object to this change.

The user accepts that this information is provided, in accordance with this policy, in the clause entitled « 2.4.1 List of subcontractors », which he must consult regularly. When a subcontractor hires another subcontractor, the subcontractor undertakes to ensure that the same obligations are imposed on that subcontractor as those set out in this policy, in relation to the protection of personal data, and to ensure that that subcontractor meets the requirements of the above regulation.

Bright Link SA ensures that these subcontractors act solely on the basis of documented instructions and implement appropriate technical and organisational measures, so that the personal data processing they perform meets the requirements of the GDPR and guarantees the protection of the rights of the data subjects. Bright Link SA remains responsible to the Customer for the performance of its obligations by its own subcontractors.

No personal data is transmitted to third parties that are not part of the recipients or fall within the stated legal framework, without prejudice to their possible transmission to the bodies responsible for a monitoring or inspection mission under Belgian law, such as an investigating judge.

In any event, Bright Link SA will not disclose personal data to third parties for direct marketing purposes.

List of subcontractors

| Subcontractor | Treatment | Location of data |
| --- | --- | --- |
| Amazon Web Services (AWS) | Hosting applications, databases, data and files that allow Balencio to work, including access control (via Cognito) | Frankfurt (DE) |
| Nexylan | Monitoring and administering our infrastructure hosted by AWS | Lille, Valenciennes, Marcq-en-Baroeul (FR) |
| Microsoft | Hosting and operating our Office365 infrastructure | Europe |
| PDFMonkey | PDF generation for individual or consolidated reports | Ireland, France |
| Mailjet | Massive sending of individual emails inviting people to participate in scans | Frankfurt (DE), Saint Ghislain (BE) |

 

How long do we store your information?

In addition to its legal retention obligations, Bright Link SA uses the purpose as one of the criteria to define the period during which the data should be retained. Depending on the processing involved, your data is kept only for the time required for processing and subsequently deleted, unless an investigation is underway. The data will then be kept for the time required to complete the investigation.

Personal data collected during the use of the platform, in any capacity, is retained as long as the User uses the Platform.

Regarding the technical login data, statistics and computer traces related to the platform, personal data will be kept strictly for as long as is necessary for the purposes set out above and in accordance with legal and regulatory requirements.

Is your Personal Data transferred outside the European Union?

We do not transfer your Personal Data outside the European Union. Indeed, we call on providers who guarantee us European hosting of data.

How do we protect your data?

Bright Link SA has implemented appropriate technical and organizational security measures, which it regularly re-evaluates and updates to avoid destruction, loss, falsification, modification, unauthorized access, accidental communication to third parties, as well as to ensure its safety and ensure the correct use of the information collected for the purpose of carrying out the relevant treatment. Bright Link SA implements a variety of security measures to keep your personal information safe, including (non-exhaustive list):

  • Authentication of users;
  • Securing workstations;
  • Protecting the internal computer network;
  • Securing servers;
  • Securing websites;
  • Protecting premises;
  • Framing IT developments
  • User awareness
  • Empowerment management
  • Access tracing and incident management
  • Backups and business continuity
  • Securing exchanges with other agencies
  • Encryption
  • Separation of platform data processing functions from access control
    • Amazon Cognito allows user registration and access control. Bright Link SA does not store user credentials.
  • Multi-certified secure hosting – ISO/IEC 27001, ISO/IEC 27701, ISO/IEC 27017, ISO/IEC 27018 and ISO 9001
  • Encrypting data in transit and on the server block
  • 24/7, 365 days-a-year monitoring through an outsourcing service provider
  • Managing vulnerabilities and regular updates
  • Regular and independent external review of information security (penetration test)
  • Balencio pseudonymizes all individual user sessions. The principle of systematic pseudonymization, when and where possible, is a central axiom of Balencio’s handling of data protection issues.
  • Rule of « 10 » for disclosure of consolidated results. Individual results are protected and undisclosed.

Bright Link SA ensures that the outsourcing provider complies with its security obligations prior to the disclosure of your Personal Data.

Bright Link SA has also appointed a Data Protection Officer to monitor and validate compliance with privacy regulations. This Officer can be contacted via the email address dataprotection@balencio.com.

What are your rights?

  • Your right to information

You have the right to be informed concisely, transparently, in an intelligible and easily accessible manner about how your Personal Data is handled.

  • Your right of access

You have the right to ask us for copies of your personal information.

  • Your right to rectification

You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

  • Your right to erasure

You have the right to ask us to erase your personal information in certain circumstances.

  • Your right to restriction of processing

You have the right to ask us to restrict the processing of your information in certain circumstances.

  • Your right to object to processing

You have the right to object to the processing of your personal data in certain circumstances.

  • Your right to data portability

You have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances.

  • Your right to withdraw your consent at any time

You can withdraw your consent to the processing of your Personal Data when this treatment is based on your consent. The withdrawal of consent does not compromise the legality of the treatments performed prior to the withdrawal.

All rights regarding the processing of data on the Balencio platform (scan results, reports, etc.) can be exercised via the employer and will be subject to the employer’s agreement.

All rights to data processing for which Balencio is considered responsible for processing may be exercised at any time by email to support@balencio.com or dataprotection@balencio.com. Users exercising the right to delete and the right to object should understand that this may result in a service interruption, as data processing is necessary to manage their account and platform, to communicate with them, in accordance with the contract between the employer and Bright Link SA.

How do you enforce your rights? Who can you direct your questions/complaints to?

You can submit your rights requests:

by e-mail to support@balencio.com or dataprotection@balencio.com

OR

by regular mail at:

Bright Link SA

Rue du Cyclotron, 6

1348 LOUVAIN-LA-NEUVE

Belgium

To ensure your privacy and security, we will take the necessary steps to verify your identity before allowing you to view, and possibly correct, data.

If you believe that we are breaching any of our legal and/or contractual obligations, we invite you to contact us at the same addresses, or our DPO directly at dataprotection@balencio.com.

We will do everything we can to ensure that your request is followed up as soon as possible.

In case our response does not satisfy you, you have the right to file a complaint with the Belgian Data Protection Authority (DPA).

Data Protection Authority
Rue de la Presse 35

1000 Brussels

Tel: +32 (0)2 274 48 00

E-mail: contact@apd-gba.be

Bright Link SA as Data Processor

Digital human capital management services, such as the organization of scans, individual and aggregated reporting, and the storage of associated data are provided by Bright Link SA as a data processor, the Customer of Bright Link SA being data controller for such scans to improve the management of its human capital.

As part of these activities, Bright Link SA may have to access the personal data of individuals (the « Customer Data ») and thus process this personal data for the aforementioned purposes.

As a processor, the Customer undertakes to strictly comply with privacy regulations when processing Customer Data and guarantees Bright Link SA against any recourse by third parties to protect their personal data.

As a subcontractor, Bright Link SA is committed to meeting the following obligations and enforcing them by its staff:

  • Treat Customer Data within the strict and necessary framework of the services provided under the contract binding it to the Customer, and act only on the documented instructions of the Customer.
  • Ensure the confidentiality of Customer Data and ensure that each person it authorizes to process Customer Data is committed to confidentiality or subject to an appropriate obligation of
  • Ensure the confidentiality and integrity of Customer Data under the same conditions as previously provided for in this policy.
  • Do not keep Customer Data beyond the duration of the contract linking it to the Customer or any other duration specified by the customer.
  • Do not concede, rent, transfer or otherwise disclose to another person, all or part of Customer Data.
  • Given the nature of the treatment, as far as possible, to give assistance to the Customer to enable him to respond, on time and according to the conditions provided by the regulations applicable to the protection of personal data, to any request to exercise a right, request or complaint of a person concerned with the processing of Customer Data or a data protection authority or any other regulator.
  • To assist the Customer in the conduct of privacy impact assessments and/or in the context of formalities that the Customer would have to perform in relation to Customer Data. The Customer acknowledges and accepts that the assistance provided in this context could be the subject of a separate service proposal from Bright Link SA.
  • To make available to the Customer, subject to compliance with a confidentiality agreement, all the information necessary to demonstrate compliance with the obligations set out in this article and to enable the conduct of audits, including inspections, by the Customer or any auditor mandated by him and to contribute to these audits. Audits carried out in this context will have to comply with the terms and conditions of the contract linking Bright Link SA to the Customer. The latter acknowledges and accepts that the assistance provided in this context could be the subject of a separate service proposal from Bright Link SA.
  • Notify the Customer as soon as possible in the event of a breach of Customer Data of which he is aware, the notification being accompanied by any useful documentation to allow the Customer, if necessary, to notify the competent supervisory authority, and assist him in the implementation of any action to deal with this data breach.

Dispute resolution

This policy is governed by Belgian law. Any dispute arising from, or related to the use of, this service will be the subject of an attempt at amicable mediation. In the event of failure, the dispute will be subject to the jurisdiction of the courts of the judicial order of the judicial district of Nivelles, Belgium.

Bright Link SA reserves the right to go to another competent court if it deems it appropriate.

Update and effective date

This policy came into effect on March 15, 2021.

It can be amended at any time, including to consider possible legislative, regulatory or processing changes.

Bright Link SA therefore reserves the right, at its full discretion, to change, modify, add, or remove parts of this policy at any time.

We therefore encourage you to consult it regularly.