FSMA Privacy Policy

The present Policy applies to the tasks and services of the FSMA and to the website www.fsma.be, the business portals and any other sites referred to under the domain name ‘.fsma.be’ (hereafter ‘the Website’).

This Policy does not apply to the processing of Data governed by a specific Privacy Policy, such as the one for Wikifin and for the FSMA’s recruitment site.

The Policy must be read in conjunction with our Cookie Policy. For more information on the use of cookies, please see the Cookie Policy.

The present Policy is intended to inform you about the collection and use of Data by the FSMA, in accordance with the latter’s obligation under the GDPR to provide information. It should be noted that the GDPR provides for certain exceptions to this obligation. These include, in particular, cases where your Data have been obtained from a third party and i) these Data must remain confidential subject to our legal obligation of professional secrecy, ii) obtaining or disclosing said Data is expressly laid down by a law to which the FSMA is subject and which provides appropriate measures to protect your legitimate interests, or iii) where informing you is likely to render impossible or seriously impair the achievement of the objectives of the processing of your Data.

Furthermore, the FSMA enjoys specific derogations from the obligation to provide information, as regards the cases referred to in Articles 46bis and 46ter of the Law of 2 August 2002 on the supervision of the financial sector and on financial services (hereafter ‘the Law of 2 August 2002’). These include, in particular, cases where the FSMA acts (i) to exercise its powers as laid down in Article 87quinquies of the said Law (‘mystery shopping’), where such Data are obtained from the data subject, (ii) within the framework of the administrative sanction procedures concerning the matters referred to in Article 45 of the said Law and with a view to imposing the administrative measures and fines referred to in Article 59 of the Law of 7 December 2016 on the organization of the profession and on the public supervision of auditors, or (iii) in its capacity of administrative authority within the meaning of Article 22quinquies of the Law of 11 December 1998 on security classification, security clearances and security advice.

The Financial Services and Markets Authority (FSMA), Rue du Congrès/Congresstraat 12-14, 1000 Brussels, registered with the Crossroad Bank of Enterprises under number 0544.279.965, is the controller of your Data. This means that the FSMA determines the purposes and means of processing your Data.

The FSMA has designated a Data Protection Officer (‘DPO’), who is your point of contact for all questions or requests in connection with the processing of your Data. You will find the contact details of the DPO in the answer to the question 'How can you contact us?' in this Policy.

The FSMA collects your Data in several ways:

1. The Data you have supplied yourself

We first process the data you have supplied yourself:

• as part of our public-interest tasks and the exercise of public authority: these are, among other things, Data that you provide to us (in any way whatsoever, including through the business portals and via the external platform used by the FSMA for the exchange of documents) as part of a request for registration, recognition or authorization, of our supervision of the conditions for conducting a regulated activity, of our supervision of compliance with the rules governing conduct of business, products and commercial practices, of a request for approval of a document, of our enforcement of the supplementary pensions legislation and of our role as Secretariat of the Belgian Audit Oversight College.

This also covers:

- the Data you have provided to us as a whistleblower (including via the application https://www.fsma.be/en/whistleblowing): these are data such as your contact details and other Data that you provide on this occasion (except if you opt to remain anonymous and are effectively not identifiable).

- the Data you provide to us after having received a request for the requisite information, notably in order to enable us to verify if an operation or activity falls within the scope of laws or regulations that we are tasked with enforcing or in order to carry out our legal mandate, to monitor developments nationally or at a European or international level within the domains in question and to shape our supervisory policies (Article 78 of the Law of 2 August 2002).

• by filling in the contact form on the website (in particular https://www.fsma.be/en/consumer-contact-form, https://www.fsma.be/en/professional-contact-form and servicedesk@fsma.be): these are Data such as your title, first name, surname, email address, telephone number, whether or not you are a resident of Belgium, and the additional Data in your question, comment, complaint or other message. In the contact form for professionals, we also ask (if applicable) for the name of your company and your FSMA or company number;
• by subscribing to a newsletter: these are Data such as your email address, your first name and surname;
• by participating in a consultation: these are Data on your identity, your role and other Data that may be sent as part of a consultation (open or limited), organized by the FSMA, mainly on legislative projects;
• by filling in an order form (for example, to obtain a copy of our annual report or a brochure, in particular via https://www.fsma.be/en/order-form): these are Data such as your title, first name, surname, email, company, street and number, postcode, location and country;
• by entering into a contract with us: these are your personal Data such as your name and email address, as well as any other Data you provide in the pre-contractual or contractual stage;
• by visiting us: these are Data you need to fill in on the visitor registration sheet such as your name, your company, your number plate, and the images recorded by the security cameras in our building and car park;
• by participating in an event, conference or training programme run by the FSMA: these are Data that you provide when registering (such as your name, contact details, occupation or position);
• by using the visitors’ Wi-Fi network: these are Data that you enter on the self-registratiojn portal (first name, mobile phone number) in order to receive your personal username and password by SMS).

2. Data obtained from a third party

We also process personal data obtained from a third party:

• as part of our public-interest tasks and the exercise of public authority: these include your Data found in public sources or that have been provided to us (in any way whatsoever, including through the business portals) by a third party (such as the natural or legal person under our supervision for which you work or where you hold a position, whistleblowers, other national or foreign authorities or someone who lodges a complaint or asks us a question) as part of a request for registration, recognition or authorization, of our supervision of the conditions for conducting a regulated activity, of our supervision of compliance with the rules governing conduct of business, products and commercial practices, of a request for approval of a document, of our enforcement of the supplementary pensions legislation and of our role as Secretariat of the Belgian Audit Oversight College, or in response to a request to provide us with the requisite information pursuant to Article 78 of the Law of 2 August 2002;
• as part of a contract with a contracting party for which you work or on behalf of which you provide or wish to provide services to the FSMA: these are Data such as your name, your email address and other data such as, in certain cases, your CF and/or references to your previous work, which are provided to us by our co-contractor as part of the pre-contractual measures or the provision of services to the FSMA.

3. Data obtained automatically

• through cookies on our website: cookies automatically collect certain types of data (such as IP addresses, language preference or browsing behaviour) on visits to the website. For more information, please see the Cookie Policy.
• through pixels or similar technologies in our newsletters: these enable us to determine whether messages have been opened and whether links have been clicked on, for the sole purpose of improving the quality of our services. For more information, please consult the privacy policy of the Mailchimp mailer platform we use to manage the mailing of our newsletters, at http://mailchimp.com/legal/privacy/;
• as part of your use of the visitors’ Wi-Fi network: if you connect to the visitors’ Wi-Fi network, some technical data (such as your unique username, date, the time and length of the connection, your IP address and the MAC address of your device) are automatically recorded;
• as part of your use of the external platform for document exchange: if you exchange documents with the FSMA via the external platform used by the FSMA for this purpose, some metadata (such as the date when a document was uploaded) are automatically stored;
• for meetings or training sessions via Microsoft Teams.

The FSMA collects, stores, uses and processes your Data:

• for the purpose of exercising the public-interest tasks listed in Article 45, § 1 of the Law of 2 August 2002, or other tasks entrusted to it under any other provision of national or European law and of the exercise of public authority entrusted to the FSMA;
• based on its legal obligations, such as the record-keeping obligation under the Law of 24 June 1955 on archives;
• based on your consent, without prejudice to the processing conducted in accordance with the legal bases and the purposes mentioned above:
  • to register as a user of one of the business portals on the website (except where your registration is obligatory);
  • to be able to get in touch with you as part of a consultation;
  • to send newsletters;
  • to respond to all other requests you may make, for example through the contact forms;
  • to register for an event, conference or training programme run by the FSMA (unless the training is mandatory):
  • to gather statistical information on the use of the website or to facilitate integration with sites and social media or certain types of media on our website using cookies;
  • to register as a user of the external platform for document exchange with the FSMA;
• based on pre-contractual measures or measures for the performance of a contract that the FSMA has entered into, in order to process all the information necessary for deciding whether to enter into a contract or in order to be able to communicate with you as part of the provision of services;
• based on its legitimate interest:
  • for visitor management. Based on the number of forms filled in at reception, we also compile anonymous statistics on visitor numbers;
  • for the security of its building and car park;
  • to secure the website (including against fraud) and ensure its optimal operation (including via essential and functional cookies);
  • to secure the visitors’ Wi-Fi network.

The FSMA processes Data solely for the specific purposes for which they were collected or for purposes compatible therewith, in accordance with the rules governing the further processing of Data provided for in European and Belgian legislation and regulations on the protection of personal data. Pursuant to Article 75, § 3 of the Law of 2 August 2002, the FSMA may also use the Data it has collected for the performance of one of its tasks carried out in the public interest, for the performance of other public-interest tasks which have been entrusted to it, where the processing of the said Data is necessary for these tasks.

The Data collected will under no circumstances be used for commercial purposes.

The FSMA stores Data only for the period necessary to accomplish the purpose for which we have collected it and within the limits provided for by the law if it allows a longer period.

The Data processed by the FSMA for the exercise of its public interest tasks and of the public authority with which the FSMA is entrusted will be kept for as long as you are supervised by the FSMA, or for as long as the natural or legal person for which you work or where you hold or held a position is supervised by the FSMA. The FSMA can store your Data for a longer time, for example in so far as the Data may again become pertinent for the exercise of its supervision or as part of potential liability claims.

Without prejudice to the above-mentioned storage periods, the FSMA applies the following storage periods for the Data it receives:

• when you register as a user of one of the business portals on the website: for as long as you have an account on the application concerned;
• to be able to get in touch with you as part of a consultation: until the project on which you have been consulted is closed (either because it has been definitively adopted or rejected, with the proviso that a project is not considered closed as long as it is being challenged);
• to send you newsletters: until you unsubscribe;
• to respond to any other request you may make, for example via the contact forms: for two years from the last response on our part;
• if you register as a user of the external platform for document exchange with the FSMA: for 3 months after the last exchange, unless you delete your user account on the platform before then;
• if you attend a meeting or training session via Microsoft Teams: the metadata collected automatically by Microsoft Teams are stored for 30 days;
• in the pre-contractual or contractual stage: for the duration of the contract and 10 years after the end of the contract. If no contract is entered into, your Data will be deleted more rapidly;
• as part of your visit: for 30 days;
• if you use the visitors’ Wi-Fi network: for 1 year.

Notwithstanding the foregoing, the FSMA is subject to the Law of 24 June 1955 on the National Archives, and some information is consequently kept for a longer period as provided for under this Law for archiving purposes, albeit with the appropriate guarantees.

The FSMA may share your data:

• with service providers with which the FSMA works (for example IT service providers, the platform the FSMA uses for managing newsletters, the platform used by the FSMA for the exchange of documents, lawyers or other service providers necessary for the exercise of the FSMA’s tasks). Access by these providers to your Data will be limited to what is strictly necessary for their tasks;
• in the cases provided for by Article 74 of the Law of 2 August 2002 (and even if the Data in question are not covered by the professional secrecy referred to in the said Article):
  • in cases where the communication of such information is provided for or authorized by or pursuant to the said Law and laws governing the tasks entrusted to the FSMA (including the cases referred to in Article 75 of the same Law). This includes (but is not limited to) situations in which the FSMA transfers data to other national authorities such as the National Bank of Belgium, the Belgian Audit Oversight College, the Federal Public Service for the Economy, SMEs and Energy or the Belgian Financial Intelligence Processing Unit (CTIF-CFI), or to foreign authorities that hold one or more comparable powers to those of the FSMA and with which the latter has entered into a cooperation agreement;
  • during testimony in a criminal case;
  • to report criminal offences to the judicial authorities (in the knowledge that in such a case the FSMA may publish its decision to report criminal offences to the judicial authorities);
  • as part of administrative or judicial appeals against acts or decisions of the FSMA and in all other cases in which the FSMA is a party;
  • in summary or aggregate form, in such a way that you are unable to be identified.
• where the FSMA transfers public information to third parties.

Where the Data have been provided by a whistleblower, the FSMA may only transmit these data to third parties under the conditions provided for by the FSMA Regulation laying down procedural rules for the receipt and treatment of reports of infringements, enacted by the Royal Decree of 24 September 2017 (for more information, see https://www.fsma.be/en/faq/whistleblowers-point-contact).

The FSMA will not itself process your Data outside the European Economic Area (EEA).

It is possible that service providers whose services the FSMA use may process your Data outside the EEA (for example in the United States). Where this is the case, the FSMA ensures that the service provider enters into a contract with the FSMA and that the level of protection is guaranteed, for example by way of a decision of the European Commission determining that a third country provides an adequate level of protection (Article 45 of the GDPR), by way of standard data protection clauses drawn up by the European Commission and entered into by the parties for the purpose of processing data outside the EEA (Article 46 of the GDPR) or by way of another legal instrument that provides appropriate guarantees.

The FSMA may, as part of its public-interest tasks and of the exercise of public authority, and within the limits provided for by Articles 74 and 75 of the Law of 2 August 2002, exchange personal data with a financial supervisory authority of a country outside the EEA (hereafter ‘third country’) for purposes of international cooperation. Where this is the case, the FSMA ensures that:

• the third country ensures an adequate level of protection (adequacy decision of the European Commission - Article 45 of the GDPR); or
• appropriate safeguards are in place (Article 46 of the GDPR), in particular, where the non-EEA financial supervisory authority has undertaken to provide the safeguards laid down in an administrative arrangement such as the Administrative arrangement for the transfer of personal data between EEA and non-EEA authorities; or
• it may make use of a derogation such as the one applicable in the event of a transfer necessary for important reasons of public interest (Article 49 of the GDPR).

The FSMA will only transfer personal data that are adequate, relevant and limited to what is necessary for the purposes for which they are transferred.

If you have any questions about this subject, please feel free to send a dated and signed request to the FSMA for the attention of the Data Protection Officer. You will find the contact details of the DPO in the answer to the question below on ‘How can you contact us?’.

The FSMA puts in place technical means and security measures to protect your Data and to prevent any accidental or illegal destruction, loss, alteration or amendment, as well as any unauthorized access or disclosure.

By virtue of Article 74 of the Law of 2 August 2002, the FSMA, members of its bodies and members of its staff are bound by professional secrecy and may not disclose to any person or authority whatsoever the confidential information they have become aware of (without prejudice to the exceptions mentioned in the answer to the question ‘With whom do we share your data?’ in this Policy).

Moreover, the FSMA asks its service providers that process Data for the FSMA also to always take the necessary security measures.

Our website contains links to third-party websites (in particular, to social media such as LinkedIn or Twitter). If you click on an external website via a link on our site, the confidentiality policy of that website applies. We therefore recommend that you carefully read the confidentiality policy of the third parties in question to understand how they respect your privacy.

You have a set of rights as regards your Data. Some of these rights have a very specific scope or are subject to special conditions or exceptions.

The GDPR provides for certain exceptions, such as the one regarding your right to be informed, referred to above in the answer to the question ‘When does the present Privacy Policy apply?’ In addition, you will not be able to benefit from the right to be informed, to access or correct your Data, to have recipients of your Data notified of your exercise of certain rights, or to object in the cases referred to in Articles 46bis and 46ter of the Law of 2 August 2002. This is the case, in particular, where:

i. the FSMA acts with a view to performing its tasks as listed in Article 45, § 1 of the Law of 2 August 2002 or other tasks entrusted to it under any other provision of national or European legislation where these data have not been obtained from the person concerned;

ii. the FSMA exercises its powers as laid down in Article 87quinquies of the Law of 2 August 2002 (‘mystery shopping’) where such Data are obtained from the person concerned under the conditions set out in the aforementioned Article;

iii. the FSMA acts within the framework of the administrative sanctions procedures concerning the matters referred to in Article 45 of the Law of 2 August 2002 and for the imposition of the administrative measures and penalties referred to in Article 59 of the Law of 7 December 2016 on the organization of the profession and on the public supervision of auditors, conducted in accordance with section 5 of Chapter III of the Law of 2 August 2002, in so far as the Data in question relate to the subject of the enquiry or supervision; or

iv. the FSMA acts in its capacity of administrative authority within the meaning of Article 22quinquies of the Law of 11 December 1998 on security classification, security clearances and security advice. In the latter case, the FSMA also enjoys a derogation from the rights in respect of automated individual decisions and profiling (under Article 22 of the GDPR).

The derogations referred to in points i. and ii. apply as long as you have not obtained, where applicable, legal access to the administrative dossier which the FSMA holds on you and that contains the Data in question.

Other than in these cases, you may at any time exercise your right to access the personal information about you in order to supplement it, amend it, rectify it, delete it or object to its processing for legitimate reasons in accordance with the applicable laws on data protection.

Furthermore, you may at times ask for a restriction of the processing of your Data and, in some cases, you may ask us to send your Data to you, or (if possible from a technical point-of-view and within the limits of the FSMA’s professional secrecy) to another controller.

Where the processing of your Data is based on consent, you have the right at all times to withdraw your consent. A withdrawal of consent will have no effect on the validity of the processing of your personal data prior to the withdrawal.

If you wish to exercise these rights, all you have to do is send an email to dataprotection@fsma.be, or by post to the FSMA’s Data Protection Officer. You will find the contact details of the DPO in the answer to the question ‘How can you contact us?’ of this Policy. We may ask you to provide proof of identity (for example, a copy of the front of your identity card, of your passport or any other proof of identity) in order to be certain that we are respecting your Data and that we are not sending it to a third party.

If you contact us to exercise your rights, we will inform you within one month of receiving your request of the action we have taken. If necessary, this deadline may be extended by two months to take account of the complexity and number of requests. In that case, we will inform you within one month of receiving your request. We reserve the right not to respond to clearly unfounded or excessive requests. Your request will be kept for as long as legal remedies are possible.

At any time, if you consider that your rights have not been respected, you may also make a complaint to the Data Protection Authority, Rue de la Presse/Drukpersstraat 35, 1000 Brussels, email: contact@apd-gba.be (see also www.dataprotectionauthority.be).

This Policy may be amended. You can consult the most recent version of our Policy at any time on our website.

The present Policy was last amended on 12 April 2021.

If you have questions or comments on the subject of the present Policy, or if you would like to exercise your rights, please send:

• an email to dataprotection@fsma.be; or
• a letter to:

Financial Services and Markets Authority (FSMA)
Attn: Data Protection Officer
rue du Congrès/Congresstraat 12-14
1000 Brussels (Belgium)