The first line of defense in data security is the informed behavior of personnel, who play a significant role in ensuring the security of all data, regardless of format. Such behaviors include those listed in this section as well as any additional requirements specified in the employee handbook, specific security processes, and other applicable codes of conduct.
All employees and contractors must attend the WeGroup security training program, offered at least twice annually, to inform all users of the requirements of this Policy.
It is the responsibility of all personnel to take positive action to maintain physical security. Challenge any unrecognized person present in a restricted office location. Any challenged person who does not respond appropriately should be immediately reported to supervisory staff and the security team. All visitors to WeGroup offices must be registered as such or accompanied by a WeGroup employee.
Personnel should maintain workspaces clear of sensitive or confidential material and take care to clear workspaces of such material at the end of each workday.
Unattended devices must be locked. All devices will have an automatic screen lock function set to automatically activate upon no more than fifteen minutes of inactivity.
Systems are to be used for business purposes in serving the interests of the company, and of our clients and partners in the course of normal business operations. Personnel are responsible for exercising good judgment regarding the reasonableness of personal use of systems. Only WeGroup-managed hardware and software is permitted to be connected to or installed on corporate equipment or networks and used to access WeGroup data. WeGroup-managed hardware and software includes those either owned by WeGroup or owned by WeGroup personnel but enrolled in a WeGroup device management system. Only software that has been approved for corporate use by WeGroup may be installed on corporate equipment. All personnel must read and understand the list of prohibited activities outlined in this Policy. Modifications or configuration changes are not permitted without explicit written consent by the WeGroup security team.
Use of removable media such as USB drives is prohibited. Personnel may not configure work devices to make backups or copies of data outside corporate policies. Instead, personnel are expected to operate primarily “in the cloud” and treat local storage on computing devices as ephemeral. WeGroup data must be saved to company-approved secure cloud storage (e.g. Google Docs) to ensure that even in the event of a corporate device being lost, stolen, or damaged, such artifacts will be immediately recoverable on a replacement device.
The following activities are prohibited. Under certain conditions and with the explicit written consent of the security team, personnel may be exempted from certain of these restrictions during the course of their legitimate job responsibilities (e.g. planned penetration testing; systems administration staff may have a need to disable the network access of a host if that host is disrupting production services).
The list below is by no means exhaustive, but attempts to provide a framework for activities which fall into the category of unacceptable use.
WeGroup (hereinafter referred to as “We” or “Our” or “Us”) understands that your privacy is important to you and that you are concerned about how your personal data are used. We respect and value the privacy of everyone who visits our website (https://www.wegroup.be) or makes use of our services. When you use our services or visit our website, we shall only collect and use personal data in a manner described herein and in a manner consistent with our obligations and rights under applicable privacy laws.
Personal data are defined in the GDPR as “any information relating to an identified or identifiable natural person... who can be identified, directly or indirectly.” Personal data are, in simpler terms, any information about you that makes it possible to identify you. Personal data refers to obvious information, such as your name and contact details, but also to less obvious information, such as identification numbers, electronic location data and other online identifiers.
In order to comply with the above, the following principles apply:
Our website and services are offered and managed by WeGroup NV. We are registered in Belgium under registration number 0680.957.816, and our registered office is located at Bomastraat 12a in Ghent. You can contact us:
(a) by post to the above postal address;
(b) via the contact form on our website;
(c) by telephone, on +32 92 27 93 02; or
(d) by email, through email@example.com
In this section, we explain the following topics:
(a) The general categories of personal data we can process;
(b) in the case of personal data that we have not obtained directly from you, the source and specific categories of such data;
(c) the purposes for which we may process personal data; and
(d) the legal bases of the processing.
In addition, we may process your personal data where necessary to comply with a legal obligation to which we are subject, or to protect your vital interests or the vital interests of another natural person.
We may process your account data (“account data”). Account data may include your name and email address. The source of the account data is you or your employer. Account data may be processed to manage our website, provide our services, ensure the security of our website and services, maintain backups of our databases and communicate with you. The legal basis for this processing is the execution of the agreement, namely the correct administration of our website and the provision of our services and/or entering into an agreement.
We may process your information contained in your personal profile on our website (“profile data”). Profile data may include your name, address, phone number, email address, chosen avatar, gender, date of birth and employment information. Profile data may be processed to enable and monitor your use of our website and services. The legal basis for this processing is the execution of the agreement, namely the proper administration of our website and our company and for the execution of an agreement between you and us and/or the taking of measures, at your request, to enter into such an agreement.
We may process information relating to our customer relationships, including customer contact details (“customer contact details”). The customer’s details may include your name, your employer, your position or function, your contact details and information in the communication between us and you. The source of the customer relationship data is you or your employer. Customer relationship data may be processed to manage our customer relationships, communicate with customers, keep track of this communication and promote our relevant products and services to customers. The legal basis for this processing is our legitimate interests, namely the proper management of our customer relationships.
We may process information contained in any survey you submit to us relating to goods and/or services (“survey data”). The survey data may be processed for the purpose of offering, placing on the market and selling relevant goods and/or services to you. The legal basis for this processing is our legitimate interests.
We may process information relating to transactions, including purchases of services, that you enter into with us and/or through our website (“transaction data”). The transaction data may include your contact details, your card details and the transaction details. The transaction data may be processed for the purpose of providing the goods and services purchased and keeping proper records of those transactions. The legal basis for this processing is the performance of a contract between you and us and/or the taking of steps, upon your request, to enter into such a contract and our legitimate interests, namely the sound management of our website and our company.
We may process information that you provide to us to subscribe to our email messages and/or newsletters (“communication data”). The communication data can be processed to send you relevant notifications and/or newsletters. The legal basis for this processing is consent.
We may process information contained in or relating to any communication you send us (“correspondence data”). The correspondence data may include the content of the communication and the metadata related to the communication. Our website shall generate the metadata related to the communication obtained using the contact forms on the website. Correspondence data may be processed for the purpose of communicating with you and of tracking data. The legal basis for this processing is our legitimate interests, namely the sound management of our website and our business and communication with users.
A processor is a natural or legal person who processes personal data at the request of or on behalf of us. We may sometimes enter into a contract with this party to provide certain products and/or services. In other words, we rely on processors because this is necessary for the provision of services. In this case, we shall enter into a written agreement with the processor whereby the security of your personal data is guaranteed by the processor. The processor always acts in accordance with our instructions.
We use processors for IT-technical, administrative and analytical purposes (e.g. CRM system), hosting, and communication purposes (e.g. live chat on the website).
We shall not use your personal data for automated decision-making.
We shall store or transfer your personal data within the European Economic Area (“EEA”) as much as possible. The EEA consists of all EU Member States plus Norway, Iceland and Liechtenstein. In such cases, your personal data is fully protected by the GDPR or equivalent legal standards. When you use our services (and in particular our virtual assistant Louise), we may store or transfer personal data outside of the EEA. In such cases, we shall only transfer them:
Personal data that we process for the purposes described in Section 3.2 shall not be stored for longer than is necessary for that purpose or those purposes.
In some cases, it is not possible for us to determine in advance the periods for which your personal data shall be kept. In such cases, we shall determine the retention periods on the basis of the following criteria:
(a) The retention period of account data, profile data and transaction data is determined based on the period of use of our services and shall only be applied when using our services.
Without prejudice to the above, we may retain your personal data where necessary to comply with a legal obligation to which we are subject or to protect your vital interests or the vital interests of other natural persons.
We shall take appropriate technical and organisational measures to protect your personal data and to prevent the loss, misuse or alteration of your personal data.
We store your personal data on secure servers, PCs and mobile devices. Password(s) are stored encrypted by us.
You must ensure that your password cannot be guessed, whether by a human or a computer program. You are responsible for keeping the password you use for accessing our services confidential, and in this connection we shall not ask you for your password (except when you log into our platform).
Some rights are complex and not all details are included here. Therefore, please read the relevant provisions and guidelines of supervisory authorities for a full explanation of these rights.
Your main rights under the GDPR are:
(a) right of access;
(b) right to correction;
(c) right to erasure (to be forgotten);
(d) right to restrict processing;
(e) right to object to processing;
(f) right to data portability;
(g) right to lodge a complaint with a supervisory authority; and
(h) right to withdraw your consent.
You may exercise your rights in relation to your personal data by giving us written notice. See Section 2 for contact details.
We shall respond to your request within 14 days and in any event no more than one month after receiving your request. We usually aim to provide a full answer within that time. However, in some cases, especially if your request is more complex, more time may be required, up to a maximum of three months from the date on which we receive your request. You shall be kept fully informed of the progress.
You have the right to confirm whether or not we may process your personal data and, where we may, to have access to the personal data, along with certain additional information. This additional information includes data on the purpose of the processing, the categories of personal data concerned and the recipients of the personal data. Provided that the rights and freedoms of others are not affected, we shall provide you with a copy of your personal data. The first copy is provided free of charge, but additional copies may be provided for a reasonable fee.
You have the right to have incorrect personal data about you corrected and, taking into account the purposes of the processing, to have incomplete personal data about you filled in.
In some cases, you have the right to have your personal data erased without undue delay. These circumstances include: the personal data are no longer necessary in connection with the purposes for which they were collected or otherwise processed; you withdraw your consent for processing based on consent; you object to the processing under certain provisions of the applicable data protection law; the processing is for direct marketing purposes; and the personal data have been unlawfully processed. However, there are exclusions from the right to erase data. General exclusions include where processing is necessary: to exercise the right to freedom of expression and information; to comply with a legal obligation; or to establish, exercise or defend legal claims.
In some cases, you have the right to restrict the processing of your personal data. These circumstances are: you dispute the accuracy of the personal data; the processing is unlawful, but you object to the erasure; we no longer need the personal data for our processing, but you require personal data for the establishment, exercise or defence of legal claims; and you have objected to the processing, pending the verification of that objection. If the processing on this basis is limited, we may continue to store your personal data. However, we shall only process these in other ways: with your consent; for the establishment, exercise or defence of legal claims; for the protection of the rights of another natural or legal person; or for reasons of overriding public interest.
You have the right to object to our processing of your personal data for reasons related to your specific situation, but only to the extent that the legal basis for the processing is that the processing is necessary for the purposes of the legitimate interests pursued by us or by a third party. If you make such an objection, we shall cease processing the personal data unless we can demonstrate that there are compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms, or that the processing is intended to establish, exercise or defend legal claims.
In addition, you have the right to object to our processing of your personal data for direct marketing purposes (including profiling for direct marketing purposes). If you object to this, we shall cease processing your personal data for this purpose.
Furthermore, you have the right to object to our processing of your personal data for scientific or historical research purposes or statistical purposes for reasons related to your specific situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
To the extent that the legal basis for our processing of your personal data is based on:
(a) consent; or
(b) that the processing is necessary for the performance of a contract to which you are a party or to take measures at your request before concluding a contract, and this processing is carried out automatically, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format. However, this right does not apply where it would compromise the rights and freedoms of others.
If you believe that our processing of your personal data violates data protection legislation (GDPR), you have the right to lodge a complaint with a data protection supervisory authority. In Belgium, the supervisory authority is the Data Protection Authority (DPA).
Data Protection Authority
Rue de la Presse/Drukpersstraat 35, 1000 Brussels
+32 (0)2 274 4800
To the extent that the legal basis for our processing of your personal data is consent, you have the right to revoke this consent at any time. Revocation does not affect the lawfulness of the processing prior to the revocation.
Please let us know if the personal data that we hold about you needs to be corrected or updated.
As part of our services, we provide a virtual assistant, Louise, which allows our users to communicate with their customers digitally. For the processing of personal data within the scope of this service, WeGroup does not act as a controller for the processing of personal data, but as a processor of personal data.
To the extent that we act as a processor and not as a controller, this policy does not apply. Our legal obligations as a processor are instead laid down in the agreement between us and the controller.
The contact details of our Data Protection Officer are:
Name: Sebastiaan Van Hoecke
Email address: firstname.lastname@example.org
Postal address: Bomastraat 12a, 9000 Ghent, Belgium