You have a set of rights as regards your Data. Some of these rights have a very specific scope or are subject to special conditions or exceptions.
The GDPR provides for certain exceptions, such as the one regarding your right to be informed, referred to above in the answer to the question ‘When does the present Privacy Policy apply?’ In addition, you will not be able to benefit from the right to be informed, to access or correct your Data, to have recipients of your Data notified of your exercise of certain rights, or to object in the cases referred to in Articles 46bis and 46ter of the Law of 2 August 2002. This is the case, in particular, where:
i. the FSMA acts with a view to performing its tasks as listed in Article 45, § 1 of the Law of 2 August 2002 or other tasks entrusted to it under any other provision of national or European legislation where these data have not been obtained from the person concerned;
ii. the FSMA exercises its powers as laid down in Article 87quinquies of the Law of 2 August 2002 (‘mystery shopping’) where such Data are obtained from the person concerned under the conditions set out in the aforementioned Article;
iii. the FSMA acts within the framework of the administrative sanctions procedures concerning the matters referred to in Article 45 of the Law of 2 August 2002 and for the imposition of the administrative measures and penalties referred to in Article 59 of the Law of 7 December 2016 on the organization of the profession and on the public supervision of auditors, conducted in accordance with section 5 of Chapter III of the Law of 2 August 2002, in so far as the Data in question relate to the subject of the enquiry or supervision; or
iv. the FSMA acts in its capacity of administrative authority within the meaning of Article 22quinquies of the Law of 11 December 1998 on security classification, security clearances and security advice. In the latter case, the FSMA also enjoys a derogation from the rights in respect of automated individual decisions and profiling (under Article 22 of the GDPR).
The derogations referred to in points i. and ii. apply as long as you have not obtained, where applicable, legal access to the administrative dossier which the FSMA holds on you and that contains the Data in question.
Other than in these cases, you may at any time exercise your right to access the personal information about you in order to supplement it, amend it, rectify it, delete it or object to its processing for legitimate reasons in accordance with the applicable laws on data protection.
Furthermore, you may at times ask for a restriction of the processing of your Data and, in some cases, you may ask us to send your Data to you, or (if possible from a technical point of view and within the limits of the FSMA’s professional secrecy) to another controller.
Where the processing of your Data is based on consent, you have the right at all times to withdraw your consent. A withdrawal of consent will have no effect on the validity of the processing of your personal data prior to the withdrawal.
If you wish to exercise these rights, all you have to do is send an email to dataprotection@fsma.be, or write by post to the FSMA’s Data Protection Officer. You will find the contact details of the DPO in the answer to the question ‘How can you contact us?’ of this Policy. We may ask you to provide proof of identity (for example, a copy of the front of your identity card, of your passport or any other proof of identity) in order to be certain that we are respecting your Data and that we are not sending it to a third party.
If you contact us to exercise your rights, we will inform you within one month of receiving your request of the action we have taken. If necessary, this deadline may be extended by two months to take account of the complexity and number of requests. In that case, we will inform you within one month of receiving your request. We reserve the right not to respond to clearly unfounded or excessive requests. Your request will be kept for as long as legal remedies are possible.
At any time, if you consider that your rights have not been respected, you may also make a complaint to the Data Protection Authority, Rue de la Presse/Drukpersstraat 35, 1000 Brussels, email: contact@apd-gba.be (see also www.dataprotectionauthority.be).