The Belgian Audit Oversight College (hereinafter also referred to as the ‘College’ or ‘us’) makes sure it complies with the European data-protection legislation, the GDPR (General Data Protection Regulation), and the Belgian legislation concerning the protection of personal data.
The present Data Protection Policy provides an overview of the personal data processed by the College, the purposes of and basis for this processing, the period for which the personal data will be stored, the sharing of data with third parties, your rights as a data subject and the measures put in place by the College to protect this personal data.
When does the present data protection policy apply? (CTR)
The present Data Protection Policy applies to the tasks and services of the College and to the websites, including the College’s business portals (such as www.ctr-csr.be).
The present Data Protection Policy does not apply to the processing of personal data governed by a specific Data Protection Policy.
The College benefits from some exemptions to the obligation of providing information which in principle rests on the controller in the cases referred to in Article 54/3 of the Law of 7 December 2016 on the organization of the profession and the public supervision of auditors (hereinafter also referred to as the Law of 7 December 2016). These include, in particular, cases where the College acts (i) for the exercise of its tasks as listed in Article 32 of the Law of 7 December 2016 or of other tasks entrusted to it under any other provision of national or European legislation where these data have not been obtained from the person concerned and (ii) in the context of the procedures for imposing the administrative measures and penalties referred to in Articles 56, 58 and 59 of the Law of 7 December 2016.
Who is the controller of the personal data? (CTR)
The Belgian Audit Oversight College (the College, rue du Congrès/Congresstraat 12-14, 1000 Brussels), is the controller of your personal data. This means that the College determines the purposes and means of the processing of your personal data.
The College has designated a data protection officer (or ‘DPO’) who is your point of contact for all questions or requests in connection with the processing of your personal data. You will find the contact details of the DPO in the question 'How can you contact us?' of this Data Protection Policy.
What personal data do we process? (CTR)
The College collects your personal data in several ways:
1. The data you have supplied yourself
The College first of all processes the data you have supplied yourself:
- as part of our public-interest tasks and the exercise of public authority: these are, inter alia, personal data that you provide to us (in any way whatsoever, including through the business portals) as part of the public supervision we exercise on auditors.
- by filling in the contact form on the College website: these are data such as your title, first name, surname, email address, telephone number, whether or not you are a resident of Belgium, and the additional data in your question, comment, complaint or other message. In the contact form for professionals, these data may (if applicable) also be the name of your company and your registration number.
- as the case may be, by subscribing to a newsletter: these are data such as your email address, your first name and surname.
- by participating in a College consultation: these are data on your identification, your role and other personal data that may be sent as part of a consultation (open or limited), organized by the College, mainly on legislative projects.
- by entering into a contract with the College: these are personal data relating to you as a natural person such as your name and email address, as well as any other data you provide in the pre-contractual or contractual stage.
- by visiting the College: these are data you need to fill in on the visitor registration sheet such as your name, your company, your number plate, and the images recorded by the security cameras in our building and car park.
2. Data obtained from a third party
The College also processes personal data obtained from a third party:
- as part of our public-interest tasks and the exercise of public authority: these are, among others, your personal data that have been provided to us (in any way whatsoever, including through the business portals) by a third party (such as the natural or legal person under our supervision with which you work or have a role, other national or foreign authorities or someone who lodges a complaint or asks us a question) as part of the public supervision we exercise on auditors.
- as part of a contract between the contracting party for which you work and the College: this is your name, your email address and other data such as, in certain cases, references to your previous work, which are provided to us by the contracting party for which you work as part of the pre-contractual measures or the provision of services to the College.
3. Data obtained automatically
What are the purposes of and basis for our use of your personal data? (CTR)
The College collects, stores, uses and processes your personal data:
- for the purpose of exercising the public-interest tasks listed in Article 32 of the Law of 7 December 2016 or other tasks entrusted to it by any other provision of national or European law and the exercise of public authority entrusted to the College;
- based on our legal obligations, especially the record-keeping obligation under the Law of 24 June 1955 on archives;
- based on your consent, without prejudice to the processing conducted in accordance with the legal bases and the purposes mentioned above:
- to register you as a user of one of the business portals on the website (except where your registration is obligatory);
- to be able to get in touch with you as part of a consultation;
- to send newsletters;
- to respond to all other requests you may make, for example through the contact forms.
- based on pre-contractual measures or measures for the performance of a contract that the College has entered into with you or the party for which you work in order to provide us with all the necessary information for deciding whether to enter into a contract, or to be able to communicate with you as part of the provision of services;
- based on our legitimate interest:
- for visitor management. Based on the number of forms filled in at reception, we also compile anonymous statistics on visitor numbers;
- for the security of our building and car park;
- for assessment, security (including fraud) and improvement/optimization of our website and business portals.
For how much time will we store your personal data? (CTR)
The College only processes personal data for as long as necessary to accomplish the purpose for which we have collected it and within the limits provided for by the law if it allows a longer time.
- The personal data processed by the College for the exercise of the public-interest tasks and of public authority with which the College is tasked will be kept for as long as you are supervised by the College, or for as long as the natural or legal person under our supervision with which you work or exercise a role or have exercised a role is supervised by the College. Even if this is no longer the case, the College can still process your personal data for a longer time, for example to the extent that they may again become pertinent for the exercise of our supervision or as part of potential liability claims;
- Without prejudice to the storage timescales that apply to the processing referred to hereinabove, the personal data the College receives:
- to register you as a user of one of the business portals on the website, will be kept for as long as you have an account on the application concerned;
- to be able to get in touch with you as part of a consultation, will be kept until the project on which you have been consulted is closed (either because it has become final or because it has been definitively deleted, with the proviso that a project is not considered closed while it remains contested);
- to send you newsletters, will be kept until you unsubscribe;
- to respond to all other requests you may make, for example through the contact forms, will be kept for two years from the last response on our part;
- in the pre-contractual or contractual stage, will be kept for the duration of the contract and 10 years after the end of the contract. If no contract is entered into, your data will be deleted more rapidly;
- as part of your visit, will be kept for 30 days.
Notwithstanding the foregoing, the College is subject to the Law of 24 June 1955 on Archives and some information is consequently kept for more time as provided for under this Law for archiving purposes, albeit with the appropriate guarantees.
With whom do we share your data? (CTR)
The College processes personal data only for the specific purposes for which they have been collected. The personal data collected are in no case used for commercial purposes.
The College may share your data:
- with service providers with which the College works (e.g. IT service providers, the platform the College uses for managing newsletters, lawyers or other service providers necessary for the exercise of the College’s tasks). Access by these providers to your data shall be limited to the strictly necessary for their tasks;
- in the cases provided for by Articles 44 and 45 of the Law of 7 December 2016 (and even if the data in question are not covered by the professional secrecy referred to in said Articles):
- in cases where the communication of such information is provided for or authorized by or pursuant to the Law and laws governing the tasks conferred on the College (including the cases referred to in Article 45 of the same Law and including the tasks conferred on the FSMA as part of its role as Secretariat of the College );
- during a witness testimony in a criminal case;
- to report criminal offences to the judicial authorities (in the knowledge that in such a case the College may publish its decision to report criminal offences to the judicial authorities);
- as part of administrative or judicial appeals against acts or decisions of the College and in all other cases in which the College is a party;
- in a collective or aggregate form in such a way that you are unable to be identified.
Does the college process your data outside the European Economic Area? (CTR)
The College will not itself process your personal data outside the European Economic Area (EEA).
Service providers who work for the College may process your personal data outside the EEA (e.g. in the United States). Where this is the case, the College shall ensure that the service provider enters into a contract with the College and that the level of protection is guaranteed, for example by way of a decision of the European Commission that a third country provides an adequate level of protection (Article 45 of the GDPR), by way of a certification from the data importer under the EU-US Privacy Shield (Article 45 GDPR), by using standard data-protection clauses adopted by the European Commission between the parties that process data outside the EEA (Article 46 of the GDPR) or by way of another legal instrument containing appropriate guarantees.
The College may, as part of its public-interest tasks and of the exercise of public authority, and within the limits provided for by Articles 44 and 45 of the Law of 7 December 2016, exchange personal data with a competent authority of a third country outside the EEA. Where this is the case, the College ensures that this third country or international organization guarantees an adequate level of protection (Article 45 of the GDPR) or that it may make use of a derogation, such as the derogation for necessary transfers for reasons of public interest (Article 49 of the GDPR) or another instrument containing appropriate guarantees and satisfying the provisions of Chapter V of the GDPR on transfers of personal data to third countries or international organizations.
If you have any questions on this subject or if you would like to obtain more information, you may send a dated and signed request to the College for the attention of the data protection officer. You will find the contact details of the DPO in the following question ‘How can you contact us?’ of this Data Protection Policy.
How do we protect your personal data? (CTR)
The College puts in place technical means and security measures to protect your personal data and to prevent its accidental or illegal destruction, loss or alteration, unauthorized access or disclosure, or amendment.
By virtue of Article 44 of the Law of 7 December 2016, the College, its president, the members of its Committee and FSMA staff members contributing to the exercise of tasks entrusted to the College, are bound by professional secrecy and may not disclose to any person or authority whatsoever the confidential information they have become aware of (without prejudice to the exceptions mentioned in the following question ‘With whom do we share your data?’ of this Data Protection Policy).
Moreover, the College asks its service providers that process personal data for the College also to always take the necessary security measures.
What about links to other websites and to social media? (CTR)
Our website contains links to third-party websites (e.g. social media such as LinkedIn or Twitter), the terms & conditions of which do not come under the scope of this Data Protection Policy, or under our responsibility. We therefore recommend that you carefully read their data protection policy to understand how they respect your privacy.
What are your rights and how can you exercise them? (CTR)
You have certain rights in connection to your personal data. Some of these rights have a very specific scope or are subject to special conditions or exceptions. As a result, you will not be able to benefit from the right of information (under Articles 12 and 13 of the GDPR), access, correction, notification of certain users of the personal data of the exercise of certain rights, or of objection in the cases referred to in Article 54/3 of the Law of 7 December 2016. This is the case, in particular, when:
i. the College exercises its tasks listed in Article 32 of the Law of 7 December 2016 or of other tasks entrusted to it under any other provision of national or European legislation where such data have not been obtained from the person concerned;
ii. the College acts in the context of the procedures for imposing the administrative measures and penalties referred to in Articles 56, 58 and 59 of the Law of 7 December 2016, provided that the personal data concerned be related to the subject matter of the investigation or control.
The derogations referred to in point i. apply as long as you have not obtained, where applicable, legal access to the administrative dossier which the College holds on you and that contains the personal data in question.
Other than in these cases, you may at any time exercise your right to access the personal information about you in order to supplement it, amend it, rectify it, delete it or object to its processing for legitimate reasons in accordance with the applicable laws on data protection.
Furthermore, you may in certain cases ask for a restriction to the processing of your personal data and, in some cases, you may ask us to send your data to you, or (if possible from a technical point-of-view and within the limits of the College’s professional secrecy) to another controller.
Where the processing of your personal data is based on consent, you have the right at all times to withdraw your consent. Where you withdraw your consent, this will have no effect on the validity of the processing of your personal data prior to the withdrawal.
If you wish to exercise these rights, all you have to do is send a request with a copy of the front of your ID card, of your passport or any other proof of ID by e-mail to firstname.lastname@example.org, or in writing to the College’s Data Protection Officer. You will find the contact details of the DPO in the following question ‘How can you contact us?’ of this Data Protection Policy. We ask for a proof of ID in order to be certain that we are respecting your personal data and that we are not sending it to a third party.
We reserve the right not to respond to clearly unfounded or excessive requests. We will send you the information we have about you, or notify you that we do not have any, free-of-charge, within a month of your request. If necessary, this deadline may be extended by two months to take account of the complexity and number of requests. Your request will be kept for as long as legal remedies are possible.
At any time, if you consider that your rights have not been respected, you may also make a complaint to the Data Protection Authority, Rue de la Presse/Drukpersstraat 35, 1000 Brussels, email: email@example.com (see also www.dataprotectionauthority.be).
How can you be updated as to any amendments to this data protection policy? (CTR)
The present Data Protection Policy was last amended on 20 February 2019.
This Data Protection Policy may be amended. You may consult the latest version of our Data Protection Policy at any time on our website. Moreover, we will do our best to keep you updated as to any major amendments via other communication channels.
How can you contact us? (CTR)
As part of the role of the FSMA as Secretariat of the College, and in agreement with the FSMA, the College has appointed the data protection officer of the FSMA as data protection officer of the College.
If you have questions or comments on the subject of the present Data Protection Policy, or if you would like to exercise your rights or update information we have about you, please contact us here:
- by e-mail to firstname.lastname@example.org; or
- by post to
Belgian Audit Oversight College
FAO: Data Protection Officer
rue du Congrès/Congresstraat 12-14
1000 Brussels (Belgium)