Data protection policy of the Belgian Audit Oversight Board

The present Data Protection Policy applies to the tasks and services of the Board and to the websites, including the Board’s business portals (such as www.ctr-csr.be).

The present Data Protection Policy does not apply to the processing of personal data governed by a specific Data Protection Policy.

The present Data Protection Policy must be read in particular in relation with our Cookie Policy. For more information, please see the Cookie Policy.

The Board benefits from some exemptions to the obligation of providing information which in principle rests on the controller in the cases referred to in Article 54/3 of the Law of 7 December 2016 on the organization of the profession and the public supervision of auditors (hereinafter also referred to as the Law of 7 December 2016). These include, in particular, cases where the Board acts (i) for the exercise of its tasks as listed in Article 32 of the Law of 7 December 2016 or of other tasks entrusted to it under any other provision of national or European legislation where these data have not been obtained from the person concerned and (ii) in the context of the procedures for imposing the administrative measures and penalties referred to in Articles 56, 58 and 59 of the Law of 7 December 2016.

The Belgian Audit Oversight Board (the Board, rue du Congrès/Congresstraat 12-14, 1000 Brussels), is the controller of your personal data. This means that the Board determines the purposes and means of the processing of your personal data.

The Board has designated a data protection officer (or ‘DPO’) who is your point of contact for all questions or requests in connection with the processing of your personal data. You will find the contact details of the DPO in the question 'How can you contact us?' of this Data Protection Policy.

The Board collects your personal data in several ways:

1. The data you have supplied yourself

The Board first of all processes the data you have supplied yourself:

• as part of our public-interest tasks and the exercise of public authority: these are, inter alia, personal data that you provide to us (in any way whatsoever, including through the business portals) as part of the public supervision we exercise on auditors.
  This also includes data you have supplied as a whistleblower, such as your contact details and other data (unless you have chosen to make an anonymous report and cannot in fact be identified);
• by filling in the contact form on the Board website: these are data such as your title, first name, surname, email address, telephone number, whether or not you are a resident of Belgium, and the additional data in your question, comment, complaint or other message. In the contact form for professionals, these data may (if applicable) also be the name of your company and your registration number. 
• as the case may be, by subscribing to a newsletter: these are data such as your email address, your first name and surname.
• by participating in a Board consultation: these are data on your identification, your role and other personal data that may be sent as part of a consultation (open or limited), organized by the Board, mainly on legislative projects.
• by entering into a contract with the Board: these are personal data relating to you as a natural person such as your name and email address, as well as any other data you provide in the pre-contractual or contractual stage.
• by visiting the Board: these are data you need to fill in on the visitor registration sheet such as your name, your company, your number plate, and the images recorded by the security cameras in our building and car park.

2. Data obtained from a third party

The Board also processes personal data obtained from a third party:

• as part of our public-interest tasks and the exercise of public authority: these are, among others, your personal data that have been provided to us (in any way whatsoever, including through the business portals) by a third party (such as the natural or legal person under our supervision with which you work or have a role, other national or foreign authorities, whistleblowers, or someone who lodges a complaint or asks us a question) as part of the public supervision we exercise on auditors.
• as part of a contract between the contracting party for which you work and the Board: this is your name, your email address and other data such as, in certain cases, references to your previous work, which are provided to us by the contracting party for which you work as part of the pre-contractual measures or the provision of services to the Board.

3. Data obtained automatically

• through cookie providers: the Board does not register names or other data that reveals the identity of visitors to its website. However, important statistical data for website optimization are registered with the use of cookies. The cookies collect data on visits to the website, personal settings, and browsing behaviour. This information is collected automatically during website navigation. For more information, please see the Cookie Policy.

The Board collects, stores, uses and processes your personal data:

• for the purpose of exercising the public-interest tasks listed in Article 32 of the Law of 7 December 2016 or other tasks conferred upon the Board by any other provision of national or European law and the exercise of public authority entrusted to the Board;
• based on our legal obligations, especially the record-keeping obligation under the Law of 24 June 1955 on archives;
• based on your consent, without prejudice to the processing conducted in accordance with the legal bases and the purposes mentioned above:
  • to register you as a user of one of the business portals on the website (except where your registration is obligatory);
  • to be able to get in touch with you as part of a consultation;
  • to send newsletters;
  • to respond to all other requests you may make, for example through the contact forms.
• based on pre-contractual measures or measures for the performance of a contract that the Board has entered into with you or the party for which you work in order to provide us with all the necessary information for deciding whether to enter into a contract, or to be able to communicate with you as part of the provision of services;
• based on our legitimate interest:
  • for visitor management. Based on the number of forms filled in at reception, we also compile anonymous statistics on visitor numbers;
  • for the security of our building and car park;
  • for assessment, security (including fraud) and improvement/optimization of our website and business portals.

The Board only processes personal data for as long as necessary to accomplish the purpose for which we have collected it and within the limits provided for by the law if it allows a longer time.

More specifically:

• The personal data processed by the Board for the performance of its public-interest tasks and of the public authority with which the Board is tasked will be kept for as long as you are under the Board’s oversight, or for as long as the natural or legal person under our oversight with which you work or hold a position or have held a position is overseen by the Board. Even if this is no longer the case, the Board may still process your personal data for a longer time, for example in so far as that they may again become pertinent for the exercise of our oversight or as part of potential liability claims;
• Without prejudice to the storage periods that apply to the processing referred to above, the personal data the Board receives: 
  • to register you as a user of one of the business portals on the website will be kept for as long as you have an account on the application concerned;
  • to be able to get in touch with you as part of a consultation will be kept until the project on which you have been consulted is closed (either because it has been finalized or because it has been definitively deleted, with the proviso that a project is not considered closed while it is being contested);
  • to send you newsletters will be kept until you unsubscribe;
  • to respond to any other request you may make, for example through the contact forms, will be kept for two years from the last response on our part;
  • in the pre-contractual or contractual stage will be kept for the duration of the contract and for 10 years after the end of the contract. If no contract is entered into, your data will be deleted more rapidly;
  • as part of your visit will be kept for 30 days.

Notwithstanding the foregoing, the Board is subject to the Law of 24 June 1955 on archives, and some information is consequently kept for more time as provided for under this Law for archiving purposes, albeit with the appropriate guarantees.

The Board processes personal data only for the specific purposes for which they have been collected. The personal data collected are under no circumstances case used for commercial purposes.

The Board may share your data:

• with service providers with which the Board works (e.g. IT service providers, the platform the Board uses for managing newsletters, lawyers or other service providers necessary for the performance of the Board’s tasks). Access by these providers to your data shall be limited to the strictly necessary for their tasks;
• in the cases provided for by Articles 44 and 45 of the Law of 7 December 2016 (and even if the data in question are not covered by the professional secrecy referred to in said Articles):
  • in cases where the communication of such information is provided for or authorized by or pursuant to the Law and laws governing the Board’s tasks (including the cases referred to in Article 45 of the same Law and including the tasks conferred on the FSMA as part of its role as Secretariat of the Board);
  • during a witness testimony in a criminal case;
  • to report criminal offences to the judicial authorities (in the knowledge that in such a case the Board may publish its decision to report criminal offences to the judicial authorities);
  • as part of administrative or judicial appeals against acts or decisions of the Board and in all other cases in which the Board is a party;
  • in collective or aggregate form, in such a way that you are unable to be identified.

The Board will not pass the personal data of a whistleblower on to the statutory auditor or third parties, unless it is legally obliged to do so or provided the whistleblower has given his or her consent to do so (for more information, see whistleblowing procedure CTR-CSR (only available in French or Dutch)).

The Board will not itself process your personal data outside the European Economic Area (EEA).

Service providers who work for the Board may process your personal data outside the EEA (e.g. in the United States). Where this is the case, the Board will ensure that the service provider enters into a contract with the Board and that the level of protection is guaranteed, for example by way of a decision of the European Commission that a third country provides an adequate level of protection (Article 45 of the GDPR), by way of a certification from the data importer under the EU-US Privacy Shield (Article 45 GDPR), by using standard data-protection clauses adopted by the European Commission between the parties that process data outside the EEA (Article 46 of the GDPR) or by way of another legal instrument containing appropriate guarantees.

The Board may, as part of its public-interest tasks and of the exercise of public authority, and within the limits provided for by Articles 44 and 45 of the Law of 7 December 2016, exchange data with a financial supervisory authority of a country outside the EEA (‘third country’) for the purposes of international cooperation. 

Where this is the case, the Board ensures that:

• the third country or international organisation guarantees an adequate level of protection (adequacy decision of the European Commission – Article 45 of the GDPR); or
• appropriate safeguards are in place (Article 46 of the GDPR), in particular where the non-EEA financial supervisory authority has undertaken to provide appropriate safeguards laid down in an administrative arrangement, such as the one currently in place with the Public Company Accounting Oversight Board (“PCAOB”); or
• it may make use of a derogation, such as the one applicable in the event of a transfer of information necessary for important reasons of public interest (Article 49 of the GDPR).

If you have any questions on this subject or if you would like to obtain more information, you may send a dated and signed request to the Board for the attention of the data protection officer. The contact details of the DPO are provided in the question 'How can you contact us?' of this Data Protection Policy.

The Board puts in place technical means and security measures to protect your personal data and to prevent their accidental or illegal destruction, loss or alteration, unauthorized access or disclosure, or amendment.

Pursuant to Article 44 of the Law of 7 December 2016, the Board, the chair and members of its Committee, and the FSMA staff members who contribute to the performance of tasks entrusted to the Board are bound by professional secrecy and may not disclose to any person or authority whatsoever the confidential information they have become aware of (without prejudice to the exceptions mentioned in the question “With whom do we share your data?” of this Data Protection Policy).

Moreover, the Board also asks its service providers that process personal data on its behalf always to take the necessary security measures.

Our website contains links to third-party websites (e.g. social media such as LinkedIn or Twitter), the terms & conditions of which do not come under the scope of this Data Protection Policy, or under our responsibility. We therefore recommend that you carefully read their data protection policy to understand how they respect your privacy.

You have certain rights in connection to your personal data. Some of these rights have a very specific scope or are subject to special conditions or exceptions. As a result, you will not be able to benefit from the rights, referred to in Article 54/3 of the Law of 7 December 2016, to information (under Articles 12 and 13 of the GDPR), access, correction, notification of data users of the exercise of certain rights, or of your right to object. This is the case, in particular, when:

i.    the Board performs its tasks listed in Article 32 of the Law of 7 December 2016 or of other tasks entrusted to it under any other provision of national or European legislation where such data have not been obtained from the person concerned;
ii.    the Board acts in the context of the procedures for imposing the administrative measures and penalties referred to in Articles 56, 58 and 59 of the Law of 7 December 2016, provided that the personal data concerned are related to the subject matter of the investigation or verification. 

The derogations referred to in point (i) apply as long as you have not obtained, where applicable, legal access to the administrative dossier which the Board holds on you and that contains the personal data in question.

Other than in these cases, you may at any time exercise your right to access the personal information about you in order to supplement it, amend it, rectify it, delete it or object to its processing for legitimate reasons in accordance with the applicable laws on data protection.

Furthermore, you may in certain cases ask for a restriction to the processing of your personal data and, in some circumstances, you may ask us to send your data to you or (if possible from a technical point of view and within the limits of the Board’s professional secrecy) to another controller.

Where the processing of your personal data is based on consent, you have the right at all times to withdraw your consent. If you withdraw your consent, this will have no effect on the validity of the processing of your personal data prior to the withdrawal.

If you wish to exercise these rights, you have to send a request with a copy of the front of your ID card, your passport or any other proof of ID by email to dataprotection@fsma.be, or in writing to the Board’s Data Protection Officer. You will find the contact details of the DPO in the question 'How can you contact us?' of this Data Protection Policy. We ask for a proof of ID in order to be certain that we are respecting your personal data and that we are not sending it to a third party.

We reserve the right not to respond to clearly unfounded or excessive requests. We will send you the information we have about you, or notify you that we do not have any, free of charge, within a month of your request. If necessary, this deadline may be extended by two months to take account of the complexity and number of requests. Your request will be kept for as long as legal remedies are possible.

At any time, if you consider that your rights have not been respected, you may also make a complaint to the Data Protection Authority, Rue de la Presse/Drukpersstraat 35, 1000 Brussels, email: contact@apd-gba.be (see also www.dataprotectionauthority.be).

The present Data Protection Policy was last amended on 6 September 2021.

This Data Protection Policy may be amended. You may consult the latest version of our Data Protection Policy at any time on our website. Moreover, we will do our best to keep you updated as to any major amendments via other communication channels.

As part of the role of the FSMA as Secretariat of the Board, and in agreement with the FSMA, the Board has appointed the data protection officer of the FSMA as data protection officer of the Board.

If you have questions or comments on the subject of the present Data Protection Policy, or if you would like to exercise your rights or update the information we have about you, please contact us here:

• by e-mail to dataprotection@fsma.be; or
• by post to

Belgian Audit Oversight Board
Attn: Data Protection Officer
rue du Congrès/Congresstraat 12-14
1000 Brussels (Belgium)