1. Who processes your personal data?
1.1 Abbove SA, a limited liability company under Belgian law, having its registered office at Cours Saint-Michel 30a, 1040 Etterbeek (Belgium) and registered with the Crossroads Bank for Enterprises under company number 0678.616.849 (the "Company", "we", "us", "our") processes personal data relating to the users of the wealth management Platform that it has developed (the "Platform"), representatives of its clients, representatives of its suppliers, candidates for work with the Company, visitors of the Company’s website, visitors to the Company workplaces and other persons concerned (the "persons concerned", "you", "your", “data subject”).
2. What is our commitment to data protection?
2.1 The Company undertakes to use its best efforts to ensure that its personal data processing activities comply with applicable data protection legislation, including EU Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the "GDPR") and the Law of 30 July 2018 on the protection of individuals with regard to the processing of personal data, as amended, supplemented or replaced from time to time (the "Applicable Data Protection Legislation").
3. For what purposes do we process your personal data?
3.1 If you are a data subject (i.e. any person concerned by data processing carried out through the Platform), we process the following categories of personal data, in particular for the purposes described below:
- Your personal identification data, your telephone number and your e-mail address to identify you on the Platform;
- Your family composition to feed a family structure;
- Your financial and patrimonial data to complete the patrimonial and donation inventory and to feed our financial projection tool, our reporting tool and our inheritance simulator;
- Your personal data included in the files (for example, contracts or certain official documents concerning yourself) for secure hosting in the Platform's digital safe.
3.2 If you are a user of the Platform, we process the following categories of personal data, in particular for the purposes described below:
- Your personal identification data, telephone number and e-mail address, to create your user profile on the Platform;
- Your telephone number and e-mail address to enable our support team to contact you for support activities or to contact you for marketing and/or transactional communications;
- Your electronic identification data to authenticate you on the Platform, for the activation, suspension and withdrawal of user accounts and for the detection and prevention of fraud and computer security breaches;
- Your bank details to check the payment of invoices related to your use of the Platform (only insofar as you are also a Platform subscriber).
3.3 If you are the representative of one of our customers or prospects, we process your personal identification data, your professional identification data and your contact data (telephone number, email address, etc.) to contact you for the provision of our services, to send you order forms, to organise business meetings or to develop our business relationship.
3.4 If you are a representative of one of our suppliers, we process your personal identification data, your professional identification data and your contact data (telephone number, email address, etc.) for the management of our business relationship.
3.5 If you are a candidate for a job with the Company, we process your personal identification data, professional identification data and data relating to your professional life (skills, qualifications, experience, etc.), to assess your profile in relation to our recruitment needs.
3.6 If you visit our website, we process electronically identifying data about you in the aggregate to measure frequency on our website, to improve the browsing experience and for the detection and prevention of fraud and computer security breaches.
3.7 If you visit our workplaces, we are able to request access to images of you recorded by surveillance cameras only where such access is necessary to pursue our legitimate interest in detecting offences or incivilities and to the extent permitted by applicable law.
3.8 We may also process your personal data:
- To carry out company restructuring operations;
- For the performance of internal and external audits ;
- For the management of disputes with customers, suppliers and other data subjects and when the processing is necessary for the establishment, exercise or defence of a legal claim.
3.9 The Company does not subject data subjects to decisions based exclusively on automated processing that produces legal effects concerning them or affects them in a similarly significant way.
4. In what capacity do we process your personal data?
4.1 We process your personal data in the capacity of data controller, with the exception of processing that we carry out when we provide the Platform to clients in the context of their wealth and financial management consulting activities. In this case, we process your personal data (in particular personal identification data, telephone number, e-mail address, postal address, bank details, identification data, family composition and financial and asset data of the data subjects and/or users as well as the personal data of the data subjects contained in the files saved in the Platform) in the capacity of processor on behalf of our clients and in accordance with their instructions.
4.2 However, we process in our capacity as data controllers the electronic identification data of users for the purposes of authenticating them on the Platform, for the activation, suspension and withdrawal of their accounts and for the detection and prevention of fraud and computer security breaches.
5. On what basis do we process your personal data?
5.1 The provision of your personal data may be necessary:
- To the execution of a contract to which you are a party (for example, the contract for the supply of the Platform) or to the execution of pre-contractual measures taken at your request (for example, in the event of solicitation for work with our human resources team) ;
- Compliance with a legal obligation applicable to the Company (e.g. invoicing, fraud detection, building security, taxation, etc.) ;
- For the purposes of the legitimate interests pursued by the Company (or a data recipient) provided that these interests take precedence over your fundamental rights and freedoms (for example, if the processing takes place in the context of securing our IT systems, carrying out corporate restructuring operations, etc.).
5.2 We ask for your prior, free and informed consent before processing some of your personal data (e.g. the use of photographs of you for corporate communications, the use of your email address for marketing purposes if you are not yet a user with us, etc.).
5.3 The provision of certain of your personal data (e.g. your personal identification data, your professional identification data, etc.) is a condition for the conclusion of the contract concluded with us for the supply of the Platform.
5.4 The possible consequences of not providing your personal data could include our inability to fulfill our obligations under a contract (for example, the contract for the supply of the Platform) or a breach by us of one or more obligations under applicable legislation (for example, accounting and tax legislation).
6. How do we collect your personal data?
6.1 The personal data we process is collected from the following information sources:
- Information that we receive from the Users of the platform;
- Information that we receive directly from you through our website or any other media;
- Information that we receive from a third party, provided that you gave your explicit consent to this third party to share that information with us;
- Information that is publicly available.
7 Who has access to your personal data?
7.1 The following recipients may receive or have access to some of your personal data (only if necessary for the performance of their tasks):
- The customer support team has access to the personal identification data, professional identification data and contact data of Platform users only in the context of their support operations. Members of our support team do not have access to the assets and financial data of the persons concerned;
- The business development team has access to the personal identification data, business identification data and contact data of representatives of our customers or prospects and representatives of our suppliers only for the purposes of our business management and supplier management;
- Our legal advisers and lawyers have access to certain personal data of the persons concerned in the context of corporate restructuring operations or litigation.
- Our accountants and auditors have access, within the framework of their mission, to financial data (including invoices) which may include personal data of representatives of our clients and suppliers.
7.2 Our subcontractors may process certain personal data concerning you only to the extent necessary to carry out their tasks in accordance with Applicable Data Protection Legislation.
7.3 In the case of a corporate reorganization transaction (e.g. a merger, acquisition or financing transaction), we may transfer certain personal data about representatives of our customers and suppliers to a third party involved in the transaction (e.g. a buyer or investor) in accordance with Applicable Data Protection Legislation.
8. How do we manage our subcontractors?
8.1 We take adequate measures to ensure that our contractors process your personal data in accordance with Applicable Data Protection Legislation.
8.2 Among other things, we ensure that our subcontractors undertake to process personal data only on our instructions, not to engage another subcontractor without our prior consent or without having had the opportunity to object, and to take the appropriate technical and organisational measures to guarantee the security of personal data, to ensure that persons authorised to access personal data are subject to adequate obligations of confidentiality, to return and/or destroy the personal data they process at the end of their services, to comply with audits and to provide us with assistance in following up on requests from data subjects to exercise their rights in relation to their personal data.
9. Where do we process your personal data?
9.1 We host users' personal data exclusively on servers located in the European Economic Area ("EEA").
9.2 Some of the recipients of personal data may be companies whose registered office is located in a country outside the EEA such as, for example, the United States.
9.3 The Company will not transfer Personal Data to a Third Country unless:
(i) there has been an adequacy decision made by the European Commission in respect of that Third Country in accordance with Applicable Data Protection Legislation and the transfer falls within the scope of that adequacy decision, or
(ii) the Subscriber and/or the Company has entered into an agreement with the entity located in a Third Country containing the the standard contractual clauses as approved by the European Commission pursuant to its decision 2021/914 of 4 June 2021 (“EU SCCs”) or by another competent public authority in accordance with Applicable Data Protection Legislation (to the extent necessary, the Subscriber authorises the Company to enter into such agreement in the name and on behalf of the Subscriber). The Company shall ensure that it implements all appropriate measures to ensure an essentially equivalent level of protection of Personal Data in the Third Country compared to the level of protection in the European Economic Area. The Company will terminate any transfer in respect of which an essentially equivalent level of protection of Personal Data cannot be guaranteed.
9.4 If you would like more information about the Company's safeguards for transfers of personal data outside the EEA, please contact our Data Protection Officer using the contact details set out in the Policy.
10. What are the applicable retention periods?
10.1 We ensure that your personal data is only kept for as long as is necessary for the purposes for which it is processed.
10.2 The Company uses the following criteria to determine the length of time personal data is kept according to the context and purposes of each processing operation:
- The date on which the licence to use the Platform or services provided by the Company expires;
- The date of the end of the relationship with the customer or supplier;
- Security reasons (e.g. security of buildings or our information systems);
- Any current or potential dispute or litigation with the person concerned;
- Any legal obligation to retain or delete personal data (e.g. a retention obligation imposed by an accounting or tax law).
11. What are your rights?
11.1 Subject to Applicable Data Protection Legislation, you have a right to information, a right of access to, correction of and deletion of your personal data, a right to object to or limit the processing of your personal data, a right to portability of personal data and a right to withdraw your consent.
11.2 You will find below a table describing each of your rights in more detail:
- The right to information
You have the right to obtain clear, transparent and comprehensible information on how we process your personal data and on the exercise of your rights. This information is contained in the Policy. If it is not clear enough, we invite you to contact us (via our contact details in the Policy).
- The right of access
You have the right to obtain confirmation as to whether or not personal data concerning you are being processed and, if so, access to such personal data. You have the right to obtain a copy of your personal data, unless the exercise of this right infringes the rights and freedoms of others.
- The right of rectification
You have the right to obtain the rectification of your personal data if they prove to be inaccurate. You also have the right to obtain the completion of your personal data if it proves to be incomplete.
- The right to erasure (the "right to forget")
You have the right to obtain the deletion of your personal data. However, the right to erasure (or the "right to forget") is not absolute and is subject to specific conditions. We may retain some of your personal data to the extent permitted by applicable law, and in particular where processing remains necessary to comply with a legal obligation to which the Company is subject or to establish, exercise or defend a legal claim.
- The right to object to processing
You have the right to object to certain types of processing (e.g. where the processing is based on the legitimate interests of the Company and, taking into account your particular circumstances, your interests or fundamental rights and freedoms prevail).
- The right to object to processing for canvassing purposes
You have the right to object at any time to the processing of your personal data when we process this data for canvassing purposes.
- The right to limitation of processing
You have the right to obtain the limitation of the processing in certain circumstances (e.g. when the Company no longer needs your personal data but they are still necessary for the establishment, exercise or defence of a legal claim).
- The right to the portability of personal data
You have the right, in certain circumstances, to receive the personal data concerning you that you have provided to the Company in a structured, commonly used and machine-readable format and to pass it on to another controller.
- The right to withdraw your consent
If you have given your consent to the Company's processing of your personal data, you have the right to withdraw it at any time.
11.3 Please note that you may only exercise your rights vis-à-vis the Company to the extent that we process your personal data in the capacity of data controller. We will forward to the relevant controller any request to exercise your rights in relation to your personal data if such request relates to a processing operation for which we act in a processing capacity.
11.4 Please address any request relating to your rights in relation to your personal data that we process in our capacity as data controller to our Data Protection Officer using the contact details provided in the Policy. We undertake to deal with your request as soon as materially possible and always within the time limits provided for by the Applicable Data Protection Legislation. Please note that we may retain your personal data for certain purposes where required or permitted by law. Please note that if we have any doubts about your identity, we may ask you for proof of identity to prevent unauthorised access to your personal data.
12. What level of security do we provide?
12.1 We take appropriate technical and organisational measures to ensure a level of security appropriate to the risks associated with the processing of your personal data.
12.2 We undertake to maintain at all times during your use of the Platform appropriate technical and organisational measures to guarantee the security, confidentiality and integrity of your personal data. More specifically, we take appropriate measures to prevent the occurrence of any security incident. In this regard, we undertake, in particular, to (i) maintain secure access to the Platform through a double authentication factor or any other authentication system that meets the applicable security standards; and (ii) encrypt/encrypt your personal data (in transit and/or on disk) to the extent provided in accordance with the applicable security standards.
13. Do you have any questions or complaints?
13.1 Should you have any questions or complaints about the way in which the Company processes your personal data, please address them in advance to the Data Protection Officer by email at GDPR@abbove.com or by post to Abbove SA, Cours Saint-Michel 30a, 1040 Etterbeek (Belgium).
13.2 You have the right to lodge a complaint with the competent supervisory authority. The competent authority for Belgium is:
Data Protection Authority
Rue de la Presse 35, 1000 Brussels
+32 (0)2 274 48 00
14. Anything else?
14.1 The Company reserves the right to update the Policy from time to time. We will notify you of any changes we make to the Policy.
14.2 In the event of a conflict or inconsistency between a provision of the Policy and a provision of another Company policy or document relating to the processing of personal data, the provision of the Policy shall prevail.