2.1. Work Behaviors

The first line of defense in data security is the informed behavior of personnel, who play a significant role in ensuring the security of all data, regardless of format. Such behaviors include those listed in this section as well as any additional requirements specified in the employee handbook, specific security processes, and other applicable codes of conduct.

Training

All employees and contractors must attend the WeGroup security training program, offered at least twice annually, to inform all users of the requirements of this Policy.

Unrecognized Persons and Visitors

It is the responsibility of all personnel to take positive action to maintain physical security. Challenge any unrecognized person present in a restricted office location. Any challenged person who does not respond appropriately should be immediately reported to supervisory staff and the security team. All visitors to WeGroup offices must be registered as such or accompanied by a WeGroup employee.

Clean Desk

Personnel should maintain workspaces clear of sensitive or confidential material and take care to clear workspaces of such material at the end of each workday.

Unattended Devices

Unattended devices must be locked. All devices will have an automatic screen lock function set to automatically activate upon no more than fifteen minutes of inactivity.

Use of Corporate Assets

Systems are to be used for business purposes in serving the interests of the company, and of our clients and partners in the course of normal business operations. Personnel are responsible for exercising good judgment regarding the reasonableness of personal use of systems. Only WeGroup-managed hardware and software is permitted to be connected to or installed on corporate equipment or networks and used to access WeGroup data. WeGroup-managed hardware and software includes those either owned by WeGroup or owned by WeGroup personnel but enrolled in a WeGroup device management system. Only software that has been approved for corporate use by WeGroup may be installed on corporate equipment. All personnel must read and understand the list of prohibited activities outlined in this Policy. Modifications or configuration changes are not permitted without explicit written consent by the WeGroup security team.

Removable Storage, No Backups, Use of Cloud Storage

Use of removable media such as USB drives is prohibited. Personnel may not configure work devices to make backups or copies of data outside corporate policies. Instead, personnel are expected to operate primarily “in the cloud” and treat local storage on computing devices as ephemeral. WeGroup data must be saved to company-approved secure cloud storage (e.g. Google Docs) to ensure that even in the event of a corporate device being lost, stolen, or damaged, such artifacts will be immediately recoverable on a replacement device.

Prohibited Activities

The following activities are prohibited. Under certain conditions and with the explicit written consent of the security team, personnel may be exempted from certain of these restrictions during the course of their legitimate job responsibilities (e.g. planned penetration testing, or systems administration staff who may need to disable the network access of a host if that host is disrupting production services).

The list below is by no means exhaustive, but attempts to provide a framework for activities which fall into the category of unacceptable use.

  • Under no circumstances are personnel of WeGroup authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing WeGroup-owned resources.
  • Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by WeGroup.
  • Violating or attempting to violate the terms of use or license agreement of any software product used by WeGroup is strictly prohibited.
  • Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which WeGroup or the end user does not have an active license is strictly prohibited.
  • Exporting software, technical information, encryption software or technology may result in a violation of international or regional export control laws. The appropriate management should be consulted prior to export of any material that is in question.
  • Revealing your account password to others or allowing use of your account by others. This includes colleagues, as well as family and other household members when work is being done at home.
  • Making fraudulent offers of products, items, or services originating from any WeGroup account.
  • Making statements about warranty, express or implied, unless it is a part of normal job duties and then only to the extent the warranties are consistent with WeGroup’s authorized warranties.
  • Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).
  • Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious or unlawful purposes.
  • Except by or under the direct supervision of the security team, port scanning or security scanning, or use of other such software designed to exploit or find computer, software, or network vulnerabilities.
  • Executing any form of network monitoring which will intercept data not intended for the employee’s host, unless this activity is a part of the employee’s normal job/duty.
  • Circumventing user authentication or security of any host, network or account or attempting to break into an information resource or to bypass a security feature. This includes running password-cracking programs or sniffer programs, and attempting to circumvent file or other resource permissions.
  • Attempting to interfere with or deny service to any other user.
  • Providing information about, or lists of, WeGroup personnel to parties outside WeGroup.
  • Installation of software which installs or includes any form of malware, spyware, or adware as defined by the security team.
  • Crashing an information system. Deliberately crashing an information system is strictly prohibited. Users may not realize that they caused a system crash, but if it is shown that the crash occurred as a result of user action, a repetition of the action by that user may be viewed as a deliberate act.
  • Attempts to subvert technologies used to effect system configuration of company-managed devices (e.g. MDM) or personal devices voluntarily used for company purposes (e.g. mobile Work Profiles).

Privacy Policy

1. Introduction

1.1. General

WeGroup (hereinafter referred to as “We” or “Our” or “Us”) understands that your privacy is important to you and that you are concerned about how your personal data are used. We respect and value the privacy of everyone who visits our website (https://www.wegroup.be) or makes use of our services. When you use our services or visit our website, we shall only collect and use personal data in a manner described herein and in a manner consistent with our obligations and rights under applicable privacy laws. 

This Privacy Policy applies when we act as the controller for the processing of the personal data of our website and our services, in other words when we determine the purpose and means of the processing of those personal data. 

Transparency in the processing of personal data is a crucial part of the General Data Protection Regulation (GDPR, EU Regulation 2016/679). The basic principle of this Privacy Policy is that your personal data are processed in accordance with the relevant laws and regulations. Principles such as proper and careful processing are also taken into account.

Please read this Privacy Policy carefully and make sure you understand it. In the event that you do not agree with or consent to this Privacy Policy, you must immediately stop using our services.

1.2. What are personal data?

Personal data are defined in the GDPR as “any information relating to an identified or identifiable natural person... who can be identified, directly or indirectly.” Personal data are, in simpler terms, any information about you that makes it possible to identify you. Personal data refers to obvious information, such as your name and contact details, but also to less obvious information, such as identification numbers, electronic location data and other online identifiers.

1.3. Principles in the processing of personal data

In order to comply with the above, the following principles apply:

  • All processing of personal data is based on one of the grounds set out in Article 6 of the GDPR and the Framework Law of 30 July 2018;
  • The legitimate purposes are formulated prior to processing. The purposes for which the personal data are processed are explicitly described in simple language;
  • The processing of personal data is relevant given the purpose. This means that the amount and type of personal data is limited to the personal data considered necessary for the specified purpose;
  • The processing of personal data is in reasonable proportion to the intended purpose. As a consequence, the processing of personal data takes place in the least intrusive manner;
  • Technical and organisational measures shall be taken to ensure that the personal data to be processed are accurate and up to date;
  • Personal data are adequately protected in accordance with the applicable security standards;
  • Personal data are not further processed in a way that is incompatible with the purposes for which they were originally obtained;
  • Personal data are not processed for longer than is considered necessary for the specified purposes of the processing;
  • The rights of data subjects are respected and observed;
  • To the extent applicable and technically possible, the data subject shall be offered an opt-out option when the registration of the personal data is not strictly necessary.

2. Contact data

Our website and services are offered and managed by WeGroup NV. We are registered in Belgium under registration number 0680.957.816, and our registered office is located at Bomastraat 12a in Ghent. You can contact us:

(a) by post to the above postal address;
(b) via the contact form on our website;
(c) by telephone, on +32 92 27 93 02; or
(d) by email, through hello@wegroup.be

3. Which personal data are processed, and how are these data used?

3.1. Which personal data are processed, and for what purposes?

In this section, we explain the following topics:
(a) the general categories of personal data we can process;
(b) in the case of personal data that we have not obtained directly from you, the source and specific categories of such data;
(c) the purposes for which we may process personal data; and
(d) the legal bases of the processing.

We may process any of your personal data identified in this Privacy Policy when necessary to establish, exercise or defend legal claims, whether in judicial proceedings or in administrative or out-of-court proceedings. The legal basis for this processing is our legitimate interests, namely the protection and exercise of our legal rights, your legal rights and the legal rights of others. 

In addition, we may process your personal data where necessary to comply with a legal obligation to which we are subject, or to protect your vital interests or the vital interests of another natural person.

3.1.1. Usage data

We may process data relating to your use of our website and services (“usage data”). The usage data may include your IP address, geographical location, browser type and version, operating system, referral source, duration of your visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your use of the service. The source of the usage data is our analytical tracking system. These usage data may be processed to analyse the use of the website and services. The legal basis for this processing is consent (for the IP address) and/or our legitimate interests (for the other personal data), namely monitoring and improving our website and services. We do this by using cookies. See our cookie policy in this regard.

3.1.2. Account data

We may process your account data (“account data”). Account data may include your name and email address. The source of the account data is you or your employer. Account data may be processed to manage our website, provide our services, ensure the security of our website and services, maintain backups of our databases and communicate with you. The legal basis for this processing is the execution of the agreement, namely the correct administration of our website and the provision of our services and/or entering into an agreement.

3.1.3. Profile data

We may process your information contained in your personal profile on our website (“profile data”). Profile data may include your name, address, phone number, email address, chosen avatar, gender, date of birth and employment information. Profile data may be processed to enable and monitor your use of our website and services. The legal basis for this processing is the execution of the agreement, namely the proper administration of our website and our company and for the execution of an agreement between you and us and/or the taking of measures, at your request, to enter into such an agreement.

3.1.4. Customer contact details

We may process information relating to our customer relationships, including customer contact details (“customer contact details”). The customer’s details may include your name, your employer, your position or function, your contact details and information in the communication between us and you. The source of the customer relationship data is you or your employer. Customer relationship data may be processed to manage our customer relationships, communicate with customers, keep track of this communication and promote our relevant products and services to customers. The legal basis for this processing is our legitimate interests, namely the proper management of our customer relationships.

3.1.5. Survey data

We may process information contained in any survey you submit to us relating to goods and/or services (“survey data”). The survey data may be processed for the purpose of offering, placing on the market and selling relevant goods and/or services to you. The legal basis for this processing is our legitimate interests.

3.1.6. Transaction data

We may process information relating to transactions, including purchases of services, that you enter into with us and/or through our website (“transaction data”). The transaction data may include your contact details, your card details and the transaction details. The transaction data may be processed for the purpose of providing the goods and services purchased and keeping proper records of those transactions. The legal basis for this processing is the performance of a contract between you and us and/or the taking of steps, upon your request, to enter into such a contract and our legitimate interests, namely the sound management of our website and our company.

3.1.7. Communication data (as well as direct marketing data)

We may process information that you provide to us to subscribe to our email messages and/or newsletters (“communication data”). The communication data can be processed to send you relevant notifications and/or newsletters. The legal basis for this processing is consent.

3.1.8. Correspondence data

We may process information contained in or relating to any communication you send us (“correspondence data”). The correspondence data may include the content of the communication and the metadata related to the communication. Our website shall generate the metadata related to the communication obtained using the contact forms on the website. Correspondence data may be processed for the purpose of communicating with you and of tracking data. The legal basis for this processing is our legitimate interests, namely the sound management of our website and our business and communication with users.

3.2. Processors

A processor is a natural or legal person who processes personal data at the request of or on behalf of us. We may sometimes enter into a contract with this party to provide certain products and/or services. In other words, we rely on processors because this is necessary for the provision of services. In this case, we shall enter into a written agreement with the processor whereby the security of your personal data is guaranteed by the processor. The processor always acts in accordance with our instructions.

We use processors for IT technical, administrative and analytical purposes (e.g. CRM system), hosting, and communication purposes (e.g. live chat on the website).

4. Automated decision-making

We shall not use your personal data for automated decision-making.

5. International (non-EEA) transfer of your personal data

We shall store or transfer your personal data within the European Economic Area (“EEA”) as much as possible. The EEA consists of all EU Member States plus Norway, Iceland and Liechtenstein. In such cases, your personal data is fully protected by the GDPR or equivalent legal standards. When you use our services (and in particular our virtual assistant Louise), we may store or transfer personal data outside of the EEA. In such cases, we shall only transfer them:

  • to countries which, in the opinion of the European Commission, provide an adequate level of protection of personal data. Further information is available from the European Commission.
  • where there are specific contracts with external third parties that have been approved by the European Commission for the transfer of personal data to third countries. These contracts guarantee the same level of personal data protection as would apply under the GDPR. Further information is available from the European Commission.

6. Retention and deletion of your personal data

Personal data that we process for the purposes described in Section 3.2 shall not be stored for longer than is necessary for that purpose or those purposes. 

In some cases, it is not possible for us to determine in advance the periods for which your personal data shall be kept. In such cases, we shall determine the retention periods on the basis of the following criteria:
(a)  The retention period of account data, profile data and transaction data is determined based on the period of use of our services and shall only be applied when using our services. 

Without prejudice to the above, we may retain your personal data where necessary to comply with a legal obligation to which we are subject or to protect your vital interests or the vital interests of other natural persons.

7. Security of your personal data

We shall take appropriate technical and organisational measures to protect your personal data and to prevent the loss, misuse or alteration of your personal data. 

We store your personal data on secure servers, PCs and mobile devices. Password(s) are stored encrypted by us. 

You must ensure that your password cannot be guessed, whether by a human or a computer program. You are responsible for keeping the password you use for accessing our services confidential, and in this connection we shall not ask you for your password (except when you log into our platform).

8. Changes

We may update this policy from time to time by posting a new version on our website. This may be necessary, for example, if the law changes, or if we change things in a way that affects the protection of personal data. We recommend that you check this page occasionally to ensure that you are satisfied with any changes to this Privacy Policy. 

We shall inform you in advance of any important changes to this Privacy Policy by email or via our website.

9. Your rights

Some rights are complex and not all details are included here. Therefore, please read the relevant provisions and guidelines of supervisory authorities for a full explanation of these rights. 

Your main rights under the GDPR are:
(a) right of access;
(b) right to correction;
(c) right to erasure (to be forgotten);
(d) right to restrict processing;
(e) right to object to processing;
(f) right to data portability;
(g) right to lodge a complaint with a supervisory authority; and
(h) right to withdraw your consent.

You may exercise your rights in relation to your personal data by giving us written notice. See Section 2 for contact details.

We shall respond to your request within 14 days and in any event no more than one month after receiving your request. We usually aim to provide a full answer within that time. However, in some cases, especially if your request is more complex, more time may be required, up to a maximum of three months from the date on which we receive your request. You shall be kept fully informed of the progress.

9.1. Right of access

You have the right to confirm whether or not we may process your personal data and, where we may, to have access to the personal data, along with certain additional information. This additional information includes data on the purpose of the processing, the categories of personal data concerned and the recipients of the personal data. Provided that the rights and freedoms of others are not affected, we shall provide you with a copy of your personal data. The first copy is provided free of charge, but additional copies may be provided for a reasonable fee.

9.2. Right of correction

You have the right to have incorrect personal data about you corrected and, taking into account the purposes of the processing, to have incomplete personal data about you filled in.

9.3. Right of erasure (to be forgotten)

In some cases, you have the right to have your personal data erased without undue delay. These circumstances include: the personal data are no longer necessary in connection with the purposes for which they were collected or otherwise processed; you withdraw your consent for processing based on consent; you object to the processing under certain provisions of the applicable data protection law; the processing is for direct marketing purposes; and the personal data have been unlawfully processed. However, there are exclusions from the right to erase data. General exclusions include where processing is necessary: to exercise the right to freedom of expression and information; to comply with a legal obligation; or to establish, exercise or defend legal claims.

9.4. Right to restrict processing

In some cases, you have the right to restrict the processing of your personal data. These circumstances are: you dispute the accuracy of the personal data; the processing is unlawful, but you object to the erasure; we no longer need the personal data for our processing, but you require personal data for the establishment, exercise or defence of legal claims; and you have objected to the processing, pending the verification of that objection. If the processing on this basis is limited, we may continue to store your personal data. However, we shall only process these in other ways: with your consent; for the establishment, exercise or defence of legal claims; for the protection of the rights of another natural or legal person; or for reasons of overriding public interest.

9.5. Right to object to processing

You have the right to object to our processing of your personal data for reasons related to your specific situation, but only to the extent that the legal basis for the processing is that the processing is necessary for the purposes of the legitimate interests pursued by us or by a third party. If you make such an objection, we shall cease processing the personal data unless we can demonstrate that there are compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms, or that the processing is intended to establish, exercise or defend legal claims. 

In addition, you have the right to object to our processing of your personal data for direct marketing purposes (including profiling for direct marketing purposes). If you object to this, we shall cease processing your personal data for this purpose.

Furthermore, you have the right to object to our processing of your personal data for scientific or historical research purposes or statistical purposes for reasons related to your specific situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

9.6. Right to data portability

To the extent that the legal basis for our processing of your personal data is based on:
(a) consent; or
(b) that the processing is necessary for the performance of a contract to which you are a party or to take measures at your request before concluding a contract,
and this processing is carried out automatically, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format. However, this right does not apply where it would compromise the rights and freedoms of others.

9.7. Right to lodge a complaint with a supervisory authority

If you believe that our processing of your personal data violates data protection legislation (GDPR), you have the right to lodge a complaint with a data protection supervisory authority. In Belgium, the supervisory authority is the Data Protection Authority (DPA).

DPA contact details
Data Protection Authority
Rue de la Presse/Drukpersstraat 35, 1000 Brussels
+32 (0)2 274 4800
contact@apd-gba.be
https://www.gegevensbeschermingsautoriteit.be

9.8. Right to withdraw your consent

To the extent that the legal basis for our processing of your personal data is consent, you have the right to revoke this consent at any time. Revocation does not affect the lawfulness of the processing prior to the revocation.

10. Updating your personal data

Please let us know if the personal data that we hold about you needs to be corrected or updated.

11. WeGroup as processor

As part of our services, we provide a virtual assistant, Louise, which allows our users to communicate with their customers digitally. For the processing of personal data within the scope of this service, WeGroup does not act as a controller for the processing of personal data, but as a processor of personal data. 

To the extent that we act as a processor and not as a controller, this policy does not apply. Our legal obligations as a processor are instead laid down in the agreement between us and the controller.

12. Data Protection Officer

The contact details of our Data Protection Officer are:
Name: Sebastiaan Van Hoecke
Email address: security@wegroup.be
Postal address: Bomastraat 12a, 9000 Ghent, Belgium