Privacy policy

1. Introduction

This privacy policy concerns all data collected and used by Marchandise S.A. (hereinafter referred to as "Marchandise"), whose registered office is located at Rue des Tuiliers, 10, 4480 Engis, and which has the ECB number 0464.499.544.
Marchandise is primarily active in the purchase and sale of equipment, as well as the marketing of all products for industrial, construction, works and agricultural companies.

This Privacy Policy concerns the processing carried out by Marchandise S.A. in relation to the https://marchandise.be website.
There are two other Privacy Policies: the HR Privacy Policy for processing relating to personnel management and the General Privacy Policy which relates to Marchandise's commercial relations.

2. Definitions

Supervisory authority: A supervisory authority designated by the Member State pursuant to Article 51 of the GDPR. In Belgium, this is the Data Protection Authority.
[If applicable] Candidate: A natural person who applies via the Website following a job/internship offer or spontaneously for a vacant or unoccupied position within Marchandise.
Personal data (or Data): Any information relating to an identified or identifiable natural person (hereinafter referred to as the "Data Subject"). An "identifiable natural person" is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.
Sensitive data: personal data relating to sensitive aspects such as racial identity or ethnic origin, political opinions, religion or any other beliefs, health or any medical condition, criminal record, trade union membership or sexual orientation. Sensitive data may be processed with the consent of the person concerned. If the data subject provides sensitive data, he or she consents to the Processing of this data by the Data Controller.
Internet user: An individual visiting the https://marchandise.be domain name.
Notification: The notification to the Authority by the Controller, in accordance with Article 33 of the RGPD, in the event of a Personal Data Breach.
Data Subject: The natural person whose Data is being Processed by the Controller.
Privacy Policy or Policy: This policy which concerns the protection of Personal Data.
Data Controller: The natural or legal person, public authority, department or other body that determines the purposes and means of the Processing, in this case Marchandise S.A..
GDPR: The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Processing: Any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Breach: A breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.

3. What Data is collected and for what purpose does the Data Controller keep this Data?

3.1 Principle

In accordance with the RGPD, Data is collected for specific purposes.
The collection of Data must also be based on one of the legal grounds set out in Article 6 of the RGPD.
If the Data Controller decides to use the Data for a purpose other than that set out in the Policy, it will provide prior information to the Data Subject about this other purpose.
The purpose of this Policy is to present to the Data Subject the purposes and grounds that apply to his or her Personal Data.

3.2 Categories of Data collected

Personal Data are categorised in accordance with the Recommendation of the Data Protection Authority (Recommendation No. 06/2017 of 14 June 2017 on the Register of Processing Activities (Article 30 RGPD)).
The data included in each category is cited so that the Data Subject can measure the data that relates for a stated category without all the cited data actually being processed by the Data Controller.

Hobbies and interests Hobbies, sport, other interests.
Career previous jobs and employers, periods out of work, military service.

Academic curriculum history of schools, colleges and universities attended, nature of courses taken, diplomas obtained, examination results, other diplomas obtained, assessments of academic progress.

Personal details age, gender, date of birth, place of birth, marital status and nationality.

Personal identification data name, title, address (private and professional), previous addresses, telephone number (private, professional), identifiers allocated by the data controller.

Current job employer, job title and description, grade, date of recruitment, place of work, specialisation or type of company, working terms and conditions, previous jobs and previous experience with current employer.

Image recordings Films, photographs, video recordings, digital photos.

Job-related training Details of job-specific training needs and training received, qualifications obtained and skills acquired.

Professional qualifications certificates and professional training, special licences.

3.3 The Data Subject is an Internet user

The Data processing carried out is as follows:
Contact via the online form:
 Purpose: Management of requests;
 Categories of personal data: Personal identification data;
 Legal basis: Legitimate interests of the Data Controller or a third party (Answering questions when making contact).

3.4 The Data Subject is a Candidate

The Data processing carried out is as follows:
Receipt and storage of applications (unsolicited/open positions):
 Purpose: Administration of personnel and intermediaries;
 Categories of personal data: Leisure activities and interests, Career, Academic curriculum, Personal details, Personal identification data, Current employment, Image recordings, Job training, Professional qualifications;
 Legal basis: Necessary for the performance of a contract.

4. How long is the Data kept?

The Data Controller keeps the Data for the time necessary to achieve the purpose of the processing and to comply with its legal obligations.
Retention periods are determined on the basis of several criteria such as the legal obligations to which the profession is subject, the type of processing, the purpose of the processing, the place where the Data is stored, the type of Data Subject or the type of Data collected. The retention period for a particular Data processing operation may be communicated to the Data Subject on request.
In any event, the Data Controller will keep the Data in accordance with the legal retention periods.

5. Who collects the Data?

Data may be collected by the Data Controller or via the site host or the Data Controller's subcontractors. The Data is then passed on to the Data Controller.
The list of Subcontractors may be communicated on request.
Some intermediaries may be established in a third country outside the European Economic Area which guarantees an adequate level of protection of Personal Data, as determined by the European Commission.
Where intermediaries are established in countries that do not grant an equivalent level of privacy protection, the Data Controller declares that it takes specific measures, in accordance with the Data protection legislation in force in the EEA, to protect Personal Data.

6. How is Data collected?

Data is collected during exchanges with the Data Controller in person, by telephone, post, e-mail or fax, via the web or by its sub-contractors.
Data may also be collected via cookies (see specific information on this subject in the cookies policy [insert link to this policy] ).

7. Why do we collect your Data?

The Data is collected in order to offer services for the purchase and sale of equipment, as well as the marketing of all products intended for industrial, construction, works or agricultural companies.
The Data may also be collected for the purpose of properly executing the contract, or be used to manage Suppliers, subsidies and contracts linked to services provided by/for the latter.
It may also be used to:
- Respond to requests for information and ensure follow-up.
- Inform you of any changes in the services offered and/or applicable regulations.
The Data is also collected in order to comply with legal obligations, in particular with regard to accounting, to comply with a court order, to respond to a request from the public authorities, to protect the interests of the Data Controller, as well as those of its partners, to protect its services, the confidentiality policy and any applicable texts, to formulate a possible appeal or to limit any prejudice that the Data Controller may suffer.
Finally, in certain cases relating to security, the Data may be collected in the legitimate interests of the Data Controller or a third party.

8. With whom will the Data be shared?

Where necessary, Data may be communicated to third parties in direct contact with the Data Controller, and in particular to the entities listed below:
- Service providers chosen by the Data Controller, who are responsible for the supply of materials, transport and delivery or any other similar service in order to enable them to provide said services;
- To a potential buyer, in the event of a (total or partial) transfer of the Data Controller's activities (merger, sale, transfer of assets, legal reorganisation, etc.).
- In the event of a dispute, the Data may be passed on to a third party responsible for managing disputes (law firm, debt collection company, etc.), which will also ensure that it complies with the applicable legislation with regard to this information;
- Accountant, public authority, etc., in order to comply with the Data Controller's legal obligations (communication of Data to its accountant, responding to a request from the public authorities, complying with a court order, etc.).
The list of service providers is available on request.

9. How do we secure it?

Appropriate technical and organisational measures have been put in place to guarantee a level of security appropriate to the risks, including, among others, as required:
- Means to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services;
- Means to restore the availability of and access to Personal Data within an appropriate timeframe in the event of a physical or technical incident;
- An internal policy concerning the processing of personal data;
- Limited retention periods;
- Access to the information system limited to authorised personnel who are responsible for protecting personal data;
Details of these security measures are available on request.

10. What rights do you have?

Depending on the type of Processing carried out on Personal Data, the Data Subject may assert several of the following rights:

10.1 Right to information
Any Person concerned by this Personal Data has a right to information concerning the Data collected. It is in particular through this Privacy Policy that the Data Controller wishes to provide this information.
A Data Subject who wishes to obtain more information about the Personal Data collected may be refused this request in the following cases:
a) The Data Subject already has this information;
b) If the request requires disproportionate or impossible efforts;
c) If providing this information could seriously compromise the purpose of the processing.

10.2 Right of access
All Data Subjects have a right of access to their Personal Data.
To do so, the Data Subject must make a request to the relevant department of the Data Controller so that the latter can provide details of the precise Data it holds about him/her, subject to the rights and freedoms of others which cannot be affected.
A response must be provided within one month of the request being made by the Data Subject. However, this deadline may be extended by a further month depending on the complexity and number of requests. In the latter case, the Data Subject will be informed within one month of his/her request for right of access.
The Data Controller is entitled to demand payment of "reasonable costs" based on the administrative costs incurred in producing these documents in the event that the request is excessively recurrent, unfounded or manifestly intended to abuse this right of access.

10.3 Right of rectification
Any Data Subject has the right to obtain from the Data Controller, as soon as possible, the rectification of any Personal Data concerning him or her that is inaccurate.
The Data Subject may also request that incomplete data be completed, in particular by providing an additional declaration.
The Data Controller will notify the Data Subject that this has been done.

10.4 Right to erasure
The Data Subject will be entitled to the right to erasure of his/her Data if one of the following reasons arises:
- The Data is no longer necessary for the purposes for which it was collected or processed by the Data Controller;
- The Data Subject wishes to withdraw his/her consent and there is no other legal basis for such processing;
- The Data Subject objects to the processing being necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party;
- The Data Subject has a right to object, which he or she exercises;
- The Data has been processed unlawfully ;
- The Data must be erased in order to comply with a legal obligation laid down by Union law or by the law of the Member State to which the Data Controller is subject;
In the event of such a request, the Data Controller will take reasonable steps to erase the Data within one month of the request.
The Data Controller will notify the Data Subject that this has been done.
If the Data Controller does not wish to comply with this request, it will give reasons for its refusal.
The right to erasure does not apply insofar as the processing of this data is necessary :
- to exercise the right to freedom of expression and information ;
- to comply with a legal obligation which requires processing under European Union law or the law of the Member State to which the controller is subject, or to carry out a task carried out in the public interest or in the exercise of official authority vested in the controller;
- to establish, exercise or defend legal claims;
- for archival or statistical purposes as provided for in article 89 of the RGPD.
It should be noted that if the data subject requests the total erasure of his/her data, and his/her request has been granted, the data subject will no longer be able to request duplicates of his/her certificates obtained during the accompaniment.

10.5 Right to limit processing
The Data Subject has the right to obtain from the Controller the restriction of processing where any of the following applies:
- the accuracy of the Personal Data is contested by the Data Subject, for a period allowing the Controller to verify the accuracy of the Personal Data;
- the processing is unlawful and the Data Subject objects to the erasure of the Personal Data and requests instead that its use be restricted;
- the data controller no longer needs the personal data for the purposes of processing, but it is still necessary for the data subject to establish, exercise or defend legal claims;
- the Data Subject has objected to the processing by virtue of his or her right to object, during the verification as to whether the legitimate grounds pursued by the Controller prevail over those of the Data Subject.
This request for restriction implies that the Personal Data may, with the exception of storage, only be processed with the consent of the Data Subject, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or on important grounds of public interest of the Union or of a Member State.
The Data Controller will notify the Data Subject that this has been done.

10.6 Right to portability
Where the processing of the Data Subject's Personal Data is based on consent given by the Data Subject, or on a contract, and such processing is carried out by automated means, and provided that the data has not been rendered anonymous, the Data Subject may request to receive such data in a structured, commonly used and machine-readable format, where technically possible.
The Data Subject may forward this data to another data controller, without the Data Controller being able to prevent this.

10.7 Right to object
The Data Subject has the right to object at any time, on grounds relating to his or her particular situation, to processing of Personal Data concerning him or her based on the public interest or the legitimate interest of the Controller, including profiling based on these interests.
The Data Subject may also object to the processing of Data based on his/her consent or on a contract, provided that the Data has been collected for canvassing purposes or for archival and statistical purposes.
The Data Controller will no longer process such data unless it can demonstrate compelling legitimate grounds for the processing which override the interests and rights and freedoms of the Data Subject, or for the establishment, exercise or defence of legal claims.

11. How can you assert your rights?

A request for information may be submitted via the following e-mail address: [RGPD internal e-mail address].

If you are not satisfied with the response to your request, you can always exercise one of the rights set out above, or lodge a complaint with the Data Protection Authority.

You can contact the Data Protection Authority as follows

- By telephone: (+32) (0)2 274 48 00 ;
- E-mail: contact@apd-gba.be ;
- Online contact form:
https://www.autoriteprotectiondonnees.be/introduire-une-requete-une-plainte ;
- By post: Data Protection Authority, Rue de la Presse 35, 1000 Brussels, Belgium;
- Fax: (+32) (0)2 274 48 35.