Personal data processing policy
(LAST UPDATE: 15 July 2022)
1. Objective of this policy
1.1 Information
This policy informs you (as the data subject) about how we process your personal data, in our capacity as controller.
This information is provided in accordance with all applicable data protection and privacy laws and regulations (hereinafter referred to as "Data Protection Laws"), and in particular pursuant to Articles 13 and 14 of the Regulation (EU) 2016/679 (or “GDPR”).
This policy is also intended to inform you of your rights regarding the processing of your personal data.
1.2 Informed consent
In some cases (specified below), the legal basis for our processing is your informed consent. In such cases, the further purpose of this policy is to provide you with the information necessary to obtain valid consent from you in a transparent manner.
Where our processing of personal data is based on your consent, you have the right to withdraw your consent at any time, but such withdrawal will not affect the lawfulness of the processing carried out prior to such withdrawal. To withdraw your consent, you are invited to use the easy unsubscribe procedures provided to you through our communications tools or by sending us an email (to the address set out below).
Where our processing of personal data is based on your consent, it is our duty to be able to demonstrate that you have consented to the processing of your personal data. In order to do this, we retain your consent data for as long as we need to demonstrate full compliance with Data Protection Laws.
If you are under 16 years of age, it is our duty to make reasonable efforts to verify, in such cases, that consent is given or authorised by the holder of parental authority, taking into account available technology. This is why, where appropriate, we may need to request more information about the parental authority.
2. Information on the data controller
Controller’s Identity:
OH Concept SRL, a Belgian company, with its registered office at Rue de l'industrie 20, 1400 Nivelles (Belgique), with official registration number 0675.819.091, and with the following email address: contact@gabylou.eu (hereinafter referred to as "OH Concept" or "we").
3. Information on the different personal data processing activities
In this section, for each Personal Data processing activity that we carry out when providing our services to Customers in the EU, we provide you with information on:
- The categories of data subjects (who are concerned by the processed data);
- The purposes of the processing for which the Personal Data are intended (why we process your data);
- The legal basis of the processing (and, where applicable, the legitimate interest pursued by us or by a third party);
- The categories of Personal Data concerned (what types of data are processed);
- The sources of your data;
- If applicable, the recipients, or categories of recipients of Personal Data (with whom we share data);
- Where appropriate, the transfer of personal data to recipients in countries outside the EU or to international organizations and the safeguards allowing such transfer;
- The retention period during which Personal Data are kept, or if it is not possible to specify, the criterion used to determine this duration.
In order to be as transparent and clear as possible, this information is presented in the table below, and is provided by processing activity:
Management of the "E-commerce" platform
- Categories of data subjects: any buyer who places an order via our E-commerce platform
- Purpose: Online sales (customer profile, order interface, collection of customer and order data, online payment)
- Legal basis: performance of contractual or pre-contractual measures (GDPR, art. 6, §1 b)
- Data categories: classic identifiers (name, first name, address, telephone); Electronic identifiers (IP address, email address, platform identifier); Administrative data; Customer code; Language; Currency; Financial details (payment information); Communication content; Commercial information
- Sources: data subjects themselves, the controller (E-Commerce platform) and the online payment solution provider (payment status)
- Recipients: Payment solution providers, Public administrations
- Transfer outside the EU: /
- Retention period: 10 years from the end of the contractual relationship.
Management and security of this website
- Categories of data subjects: any visitor to our site (including you, since you are consulting this policy on our website)
- Purpose: to ensure the proper connection to the website, and to ensure the protection of the website and the systems used to put it online.
- Legal basis: legitimate interest (GDPR, art. 6, §1 f): securing the website.
- Data categories: electronic identifier (IP address) and connection data
- Sources: internet connections
- Recipients: /
- Transfer outside the EU: /
- Retention period: as long as necessary for the security of the site
Cookies
- See the specific "cookies" policy
Contact form of the website
- Categories of data subjects: any user of the contact form
- Purpose: to allow the user to contact us easily (this form generates emails to our staff which will be processed as part of our "public relations" processing - see below)
- Legal basis: consent (GDPR, art. 6, §1 a)
- Categories of data: form data, classic identifiers (name, surname), electronic identifiers, contact data (address, telephone, email), administrative data, content of communications.
- Sources: data subjects themselves
- Recipients: (see "public relations")
- Transfer outside the EU: (see "public relations")
- Retention period: (see "public relations")
Customer management
- Categories of data subjects: clients and related persons (contact persons, representatives).
- Purpose: contract negotiation, commercial information, follow-up and execution of orders, file management, invoicing, after-sales service, communication content.
- Legal basis: performance of contractual or pre-contractual measures (GDPR, art. 6, §1 b), performance of legal and regulatory obligations (GDPR, art. 6, §1 c).
- Data categories: classic identifiers (name, first name), electronic identifiers, contact data (address, telephone, email), administrative data, sector data, customer code, function, category / group of membership, language, currency, financial particulars, representative, communication content, commercial information.
- Sources: data subjects themselves, official and publicly available databases, public commercial databases.
- Recipients: sales representatives, distributors and commercial intermediaries, administrations and public authorities, service providers and possible subcontractors.
- Transfer outside EU: /
- Retention period: 10 years from the end of the contractual relationship.
Supplier management
- Categories of data subjects: suppliers and related persons (contact persons, representatives).
- Purpose: supplier management: selection, contract negotiation, order follow-up, file management, accounting and administration, quality control, communication content.
- Legal basis: performance of contractual or pre-contractual measures (GDPR, art. 6, §1 b), performance of legal and regulatory obligations (GDPR, art. 6, §1 c).
- Data categories: classic identifiers (name, first name), electronic identifiers, contact data (address, phone, email), administrative data, sector data, supplier code, function, category / group of membership, language, currency, financial particulars, representative, communication content, commercial information
- Sources: data subjects themselves, official and publicly available databases, public commercial databases.
- Recipients: administrations and public authorities, subcontractors
- Transfer outside EU: /
- Retention period: 10 years from the end of the contractual relationship.
Prospection
- Categories of data subjects: prospects and related persons (contact persons, representatives).
- Purpose: general prospecting, development of the company's activities and its clientele.
- Legal basis: legitimate interest (GDPR, art. 6, §1 f): business customer prospecting, business development.
- Data categories: classic identifiers (name, first name), electronic identifiers, contact data (address, phone, email), sector data, function, category / group of membership, language, representative, content of communications, commercial information.
- Sources: data subjects themselves, official and publicly available databases, public commercial databases.
- Recipients: sales representatives, distributors and sales intermediaries.
- Transfer outside the EU: /
- Retention period: 3 years.
Public Relations
- Categories of data subjects: customers and prospects
- Purpose: public relations and customer information (general information, complaints, after-sales service).
- Legal basis: consent (GDPR, art. 6, §1 a), fulfilment of legal and regulatory obligations (GDPR, art. 6, §1 c)
- Categories of data: classic identifiers (name, first name), electronic identifiers, contact data (address, telephone, email), content of communications, commercial information.
- Sources: data subjects
- Recipients: /
- Transfer outside the EU: /
- Retention period: 5 years, and earlier if consent is withdrawn (for processing based on consent)
Email marketing
- Categories of data subjects: customers, prospects.
- Purpose: marketing communication by e-mail.
- Legal basis: consent (GDPR, art. 6, §1 a), legitimate interest (GDPR, art. 6, §1 f): "soft opt-in" allowing the sending of marketing information to existing customers
- Data categories: classic identifiers (name, first name), electronic identifiers, contact data (email), content of communications.
- Sources: people involved.
- Recipients: subcontractors
- Transfer outside the EU: /
- Retention period: until you unsubscribe.
Organization of events
- Categories of persons concerned: invited persons (customers / prospects / partners / suppliers).
- Purpose: promotional events.
- Legal basis: legitimate interest (GDPR, art. 6, §1 f): business prospecting, development of economic activities
- Data categories: classic identifiers (name, first name), electronic identifiers, contact data (address, phone, email), presence.
- Sources: data subjects.
- Recipients: suppliers and subcontractors
- Transfer outside the EU: /
- Retention period: 1 year from the end of the event.
Recruitment (unsolicited applications & unsuccessful applications)
- Categories of data subjects: Job applicants.
- Purpose: selection of candidates for recruitment purposes, carrying out assessments in order to select the most suitable candidates for the position.
- Legal basis: performance of contractual or pre-contractual measures (GDPR, art. 6, §1 b), consent for the establishment of a recruitment pool (GDPR, art. 6, §1 a)
- Data categories: classic identifiers (name, first name), electronic identifiers, contact data (address, phone, email), education, professional data, references, CV data
- Sources: data subjects themselves
- Recipients: /
- Transfer outside the EEA: /
- Retention period: The data of unsuccessful candidates is deleted 6 months after the end of the recruitment procedure. If the candidate expresses his or her wish to have his or her data retained in the context of a recruitment reserve, the data will be retained until the withdrawal of his or her consent or at the latest 3 years after the end of the recruitment procedure.
Where the provision and processing of Personal Data is necessary for compliance with laws or contractual obligations, your refusal to provide us with the data or your provision of false or incomplete data may result in us refusing or stopping any business relationship with you or your company.
If we process personal data for purposes other than those set out in this article, we will provide you with information about this new purpose and any other relevant information before starting the new processing.
4. Your rights as a data subject
Data protection laws grant you rights in certain cases and under certain conditions, including the rights of access, rectification, request for deletion of your personal data, as well as the right to request the limitation of processing or to oppose processing. In certain cases and under certain conditions, you also have a right to the portability of your data.
Please contact us as specified in the section “who to contact about your personal data” below to make any request to exercise your rights or if you have any questions or concerns about how we handle your Personal Data.
You can, in principle, exercise these rights free of charge. Please note, however, that the processing of external requests, which are found to be unfounded or excessive, may sometimes be subject to reasonable administrative fees.
Please note that some Personal Data may be exempted from the rights of access, rectification, objection, deletion, limitation or portability in accordance with personal data protection laws or other legislation.
5. Safety and security
OH Concept shall take appropriate technical, physical, legal and organizational measures, which comply with the Laws on the Protection of Personal Data.
Unfortunately, no data transmission over the Internet or data storage system can be guaranteed to be 100% secure. If you have reason to believe that an interaction with us is no longer secure (for example, if you believe that the security of any personal data you may have with us has been compromised), please notify us immediately. Please contact us as specified in the section “who to contact about your personal data” below.
Where OH Concept entrusts a service provider with the processing of personal data, the service provider shall be carefully selected and shall use appropriate measures to protect the confidentiality and security of personal data.
6. Complaints
If you are not satisfied with our handling of your personal data and you think that contacting us will not solve the problem, the Data Protection Laws give you the right to file a complaint with the competent supervisory authority (more information on the latter's website):
IN BELGIUM:
https://www.autoriteprotectiondonnees.be
Autorité de Protection des Données
Rue de la Presse, 35
1000 Bruxelles (Belgique)
Tel.: +32 (0)2 274 48 00
Fax: +32 (0)2 274 48 35
Email: contact(at)apd-gba.be
ELSEWHERE IN EUROPE:
A list of the other European Data Protection Authorities is available on the website of the European Data Protection Board:
https://edpb.europa.eu/about-edpb/board/members_en
7. Who to contact about your Personal Data
Questions or requests relating to our processing of personal data may be addressed by email to contact@gabylou.eu, or you can send a letter to OH Concept at its official address mentioned in section 2.
8. Changes to this Policy
We regularly review this Policy and reserve the right to make changes at any time to reflect changes in our business or new legal requirements.
We will inform you of the changes by email or through the communication channels of your Company.
Please check the "last updated" date at the top of this Policy to see when it was last revised.