Apollo at work NV, which has its registered office at: Italiëlei 2, 2000 Antwerp, with company number 0644.639.135, validly represented at law by Dirk Oosterlinck, in his capacity as Managing Director;
referred to hereafter as “the controller”;
Declares as follows:
Within the framework of GDPR, Apollo at Work assumes the qualification of a Processor with regard to its task as an absence consultant. This is because the rights of the Data Subjects must be exercised directly with Apollo at Work NV.
Furthermore, as a lex specialis, the European e-privacy guideline will govern the processing of personal data within the framework of direct marketing and cookies. (* The European e-privacy guideline was still a draft text at the time this Privacy Policy was drawn up.)
Point 2. Definitions
“Data subject”: the identified or identifiable natural person;
“Third parties”: a natural or legal person, public authority, agency or body other than the data subject, the controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
“Data concerning health”: personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
“Sensitive personal data”: personal data that reveals race or ethnic origin, political opinions, religious or ideological convictions or membership of a trade union, and processing of genetic data or biometric data with a view to the unique identification of a person, or data related to health, or data related to someone’s sexual behaviour or sexual orientation;
“Personal data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
“Personal data”: any information relating to an identified or identifiable natural person (“the data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Pseudonymisation”: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person;
“Sub-processor”: a processor who, under the direct authority of the processor, is authorised to process personal data;
“Consent of the data subject”: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
“Processor”: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
“Processing”: any operation or set of operations performed on personal data or on a set of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Controller”: a natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.
Point 3. Processing personal data
The controller guarantees that your personal data will be:
a) processed lawfully, fairly and transparently
b) collected for specified, explicit and legitimate purposes
c) adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
d) accurate and, where necessary, kept up to date
e) kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed
f) protected by appropriate technical and organisational measures that guarantee appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage
For the performance of its consulting services, including the preparation of the project plan and the 5-step plan to a better absenteeism policy within the company, the controller relies on Article 6(1)(b) and Article 6(1)(f) of the GDPR:
- Article 6(1)(b) of the GDPR for the purposes of carrying out medical examinations and drawing up reports relating to absenteeism: “The processing is necessary for the performance of a contract to which the data subject is party.”
- Article 6(1)(f) of the GDPR: “Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
The client's legitimate interest referred to in Article 6(1)(f) of the GDPR includes the interest of combating absenteeism in the organisation.
The above personal data refers to the national register number, personnel number, surname, first name, sex, date of birth, language, start date of the employment contract, home address and additional address information, residential address with validity dates and additional address information, fixed telephone number, private cell phone number, private email address, work telephone number, work cell phone number, work email address (personal data of the client’s personnel) and company-related data such as client name, branch, department, start date of the client relationship, end date of the client relationship, function level of employees, status (worker/employee), form of contract, function, % employment, Medex code and workstation.
These data are always entered by the client and/or the client’s own staff member. An overview can be found in Appendix I to this Policy.
Point 4. The processing of personal data within the framework of training courses / inspiration sessions
Apollo at Work can process the following personal data on the basis of its legitimate interest (both physically and via the website):
- If registration is not done by the participant himself or herself, the Data Subject in this point 4 is understood to be both the person who made the registration and the participant in the training.
- The following personal data are processed:
  - From the Data Subject:
    - first name and surname
    - telephone number / cell phone number
    - date of birth
    - job title
    - email address
  - Comments (e.g. food allergies)
  - Company data: company name, branch address, billing address, VAT number, affiliation number
  - Method of payment
We collect this personal data for the following purposes:
- Fulfilling our administrative obligations, such as invoicing the services provided to the client by Apollo at Work or keeping our legally required accounts.
- Creating files to ensure the transferability and demonstrability of data, e.g. for accreditation or certification.
- Carrying out, and informing about, the organisational and administrative aspects of the training courses (including certification, obtaining subsidies, legal conditions, etc.).
- Keeping the Data Subject up to date with changes to the content of the course taken as a result of new legislation, guidelines, insights, developments, etc.
- Informing the Data Subject about webinars/info sessions and training courses offered by Apollo at Work.
- Updating course material or training courses.
- Delivering and managing a certificate issued by Apollo at Work, if applicable.
The above personal data is kept internally for 10 years from the end of the year in which the training took place.
Point 5. Processing sensitive personal data
The processor will lawfully process sensitive personal data (more explicitly: “Data concerning health”) in conformity with Article 9 (a) of the GDPR:
- (a) the data subject has given explicit consent to the processing of that personal data for one or more specified purposes.
The client can request the controller to draw up an absence policy within the company. In addition, Apollo at Work will also offer other support services to its clients.
The sensitive data processed by the controller relates to data concerning health, namely physical and mental data, duration of incapacity to work, nature of the incapacity to work, data on the attending doctor, whether the employee is allowed or forbidden to leave home, the employee’s hospitalisation, first medical certificate/extension certificate, etc. An overview can be found in Appendix I to this Policy.
Point 6. The processing of personal data and sensitive personal data for scientific research purposes or statistical purposes
The controller will process personal data and sensitive personal data for scientific research purposes or statistical purposes, within the meaning of Article 89 of the GDPR.
Point 7. Explicit agreement from the data subject(s)
In the context of the provision of service where the controller must request the personal data directly from the data subject(s), the controller will inform the data subject(s) in advance concerning the following elements, in conformity with Article 13 point 1 of the GDPR:
- the identity and contact details of Apollo at Work;
- the contact details of the data protection officer;
- the purpose and legal grounds for the processing;
- the recipients or the categories of recipients of the personal data;
- the manner in which the rights of the data subject(s) are exercised;
- the fact that the data subject can withdraw his or her explicit consent at any time, and the manner in which this is done;
- the fact that the data subject has the right to lodge a complaint with the supervisory authority;
- the retention period for personal data;
- if applicable, the existence of automated decision-making.
Where the controller provides services in the context of points 3 and 4, the client must share the aforementioned information with the data subject(s).
Point 8. Joint controllers
Apollo at Work NV is the data controller in collaboration with Certimed VZW, Mensura EDPB and Mensura Support ESV and determines which personal data is collected, as well as the purposes and means of processing these personal data. Apollo at Work NV will act as your contact point for requests relating to personal data processed through Apollo at Work NV. Apollo at Work can no longer be considered a contact point if you wish to remove your data from the websites, customer files, registers, newsletters, etc. of the other processing agents; you must contact the relevant partner yourself for this purpose. In some cases, Apollo at Work NV and its partners will be qualified as joint controllers.
Point 9. Processing personal data for marketing purposes
With regard to the processing of personal data for marketing purposes, the controller can rely upon a legal basis (recital 47 of the GDPR). An opt-out possibility is provided in each case. Promotions and information regarding the products and services provided by Apollo at Work are considered direct marketing purposes. The customer’s personal data (contact details) are processed for marketing purposes so that Apollo at Work can keep the customer informed about its products and services.
Point 10. Anonymous group reporting
The controller guarantees that group reporting will be anonymous.
Point 11. Records of processing activities
The controller has drawn up a record of processing activities in which the following elements of each of the controller’s services are described in detail:
1° What categories of personal data are being processed?
2° Who can receive this personal data (internal/externally)?
3° For how long will the personal data be kept?
4° For how long will the personal data be protected?
5° Will the personal data be processed outside Belgium?
6° Who has access to the personal data (internally/externally)?
7° The purposes of the processing.
If you have questions within this framework that have not been clarified in this Policy, please contact the persons listed in point 21.
Point 12. Appropriate technical and organisational measures
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure the secure processing of personal data. Appendix II to this Policy contains a list of these measures.
The controller guarantees that he, she or it will take the necessary measures in conformity with Article 32 of the GDPR, which, among other things, pertain to the following:
a) the pseudonymisation and encryption of personal data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
d) a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing.
The controller guarantees that the only employees who will have access to personal data are those who are actually involved in performing the services. Furthermore, these employees will be contractually bound by a duty of confidentiality.
Point 13. Third parties
Third parties who may gain access to personal data will also be restricted to persons involved in performing the services. The client can ask Apollo at Work for a list of the applicable third parties.
Point 14. Processors
If the controller engages a processor to perform specific processing activities on behalf of the client, said processor will be subject to the same data protection obligations as those arising from this agreement, including in particular the obligation to take appropriate technical and organisational measures when processing personal data. To this end, the processors have signed a processing agreement in accordance with Article 28 point 3 of the GDPR. The client can ask Apollo at Work for a list of the applicable processors.
The controller guarantees that the designated processors will process personal data only on the basis of written instructions from the controller. If the appointed processor designates a sub-processor, the processor will, in principle, remain liable with regard to said sub-processor.
Point 15. Processing of data outside a Member State of the European Union
The controller guarantees that the personal data will not be processed outside a Member State of the EU. The Personal Data will only be processed in Belgium.
Point 16. Minimal personal data processing
The controller guarantees that the personal data will not be stored for longer than is necessary to perform the requested services.
Point 17. The rights of data subjects
Data subjects have the following rights with regard to their personal data within the framework of the GDPR:
1. Right to withdraw consent
2. Right of access
3. Right to rectify incorrect personal data
4. Right to erasure (“right to be forgotten”)
5. Right to restriction of processing
6. Right to data portability
7. Right to object
The controller guarantees to answer requests within one month of receiving them. This will be done in conformity with the obligations stipulated in article 12 point 3 of the GDPR. Depending on the complexity and number of requests, this period may be extended by two months if necessary. The controller will inform the data subject of this extension within one month of receiving the request.
The controller's internal procedures are set out in points 17.2 onwards so that the client’s data subjects can correctly exercise their rights against the controller. The client must inform data subjects of the controller’s internal procedure in a concise, transparent, comprehensible and easily accessible form, and in clear and simple language. If the data subject wants to exercise a right that does not fall under point 17.2, the request can be sent to firstname.lastname@example.org or by letter to the DPO (Italiëlei 2 – 2000 Antwerp).
17.2. Right to withdraw consent at any time
In accordance with Article 7 (3) of the GDPR, the data subject has the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of the processing based on the consent before its withdrawal. Before giving consent, the data subject shall be informed thereof. Withdrawing consent shall be as easy as giving it.
17.3 Right of access and right of copy
With regard to the exercise of the right of access or the right of copy related to their medical files, data subjects must follow the controller’s internal procedure:
- address the request, dated and signed, by registered post to Apollo at Work, for the attention of the DPO, Italiëlei 2, 2000 Antwerp;
- enclose a copy of his/her identity card.
17.4 Lodging a complaint with the Belgian Supervisory Privacy Authority (= “the Data Protection Authority”)
In accordance with Article 77 of the GDPR, data subjects have the right to submit a complaint directly to the Belgian Data Protection Authority if they think their personal data is not secured and/or processed in conformity with the GDPR.
Point 18. Portability of personal data if the client changes medical inspection service
The controller and client will mutually deliberate and agree on how the personal data will be transferred.
Point 19. Removal of the personal data at the end of the Principal Contract
The controller guarantees that the personal data will be deleted or transferred at the client’s request within one month following the end of the Principal Contract, unless there is a legal provision allowing the controller to retain the personal data for a longer period of time (see Appendix I).
At the client’s request, the controller will provide the necessary proof of this.
The controller will also inform the processors and third parties about the deletion of the personal data received if the Principal Contract has been terminated, unless they, too, can provide proof of legal provisions allowing for the retention of personal data for longer periods of time.
Point 20. Requests for personal data from public government services
The controller informs the client within three business days if he, she or it:
(a) receives a request for information, a summons or an investigation or inspection request from a government body concerning the processing of personal data, unless the controller is not legally authorised to provide this;
(b) intends to provide personal data to a government body;
(c) receives a request from a third party or an employee, client or client’s principal to publish the client’s personal data or information relating to the processing of the client’s personal data.
The controller gives the client 72 hours, as from the time of the report, to object to such a transfer of personal data.
Point 21. Measures taken in the event of a personal data breach
The controller is obliged to report personal data breaches to the competent Belgian supervisory authority within 72 hours. This applies unless it is unlikely that the personal data breach will result in a risk to the rights and freedoms of the data subject(s).
The controller will notify the client without undue delay as soon as he, she or it has become aware of a personal data breach. It is agreed that the controller and client will contact each other within 48 hours after learning of the breach of the controller’s system and agree in mutual deliberation whether it must be reported to the competent Belgian supervisory authority.
If the personal data breach is likely to entail a high risk to the rights and freedoms of natural persons, the data subject(s) will be informed of this without delay in accordance with Article 34 of the GDPR.
Both the controller and the client will work together with the competent Belgian supervisory authority to provide the necessary information and to limit the consequences of the breach.
Point 22. Miscellaneous provisions
Point 23. If you need more information or support
The controller guarantees that he, she or it will provide the client with the necessary additional support and information so that the controller can show that he, she or it has complied with his, her or its obligations under the GDPR. This information obligation does not apply to confidential information or information that cannot be shared with the client for legal reasons.
Furthermore, the controller will grant the necessary cooperation if an audit is conducted on his, her or its premises on the orders of the client or by an auditor authorised by the client. The client will bear the costs of the appointed auditor and the audit performed. The audit will always be limited to the controller’s systems that are used for the processing.
The Data Protection Officer and the Security Officer of the controller can be contacted at the following email address: Privacy@apollo.be.
Appendix 1. The categories of processed personal data and retention period
The categories of personal data that the controller can process
The personal data refers to the national register number, personnel number, surname, first name, sex, date of birth, language, start date of the employment contract, home address and additional address information, residential address with validity dates and additional address information, fixed telephone number, private cell phone number, private email address, work telephone number, work cell phone number, work email address (personal data of the client’s personnel) and company-related data such as client name, branch, department, start date of the client relationship, end date of the client relationship, function level of employees, status (worker/employee), form of contract, function, % employment, Medex code and workstation.
The sensitive data processed by the controller relates to data concerning health, namely physical and mental data, duration of incapacity to work, nature of the incapacity to work, data on the attending doctor, whether the employee is allowed or forbidden to leave home, the employee’s hospitalisation, first medical certificate/extension certificate, etc.
The personal data is kept for the duration of the master agreement.
With regard to the processing of personal data for scientific or statistical purposes, a retention period of 5 years is also applied.