The Financial Services and Markets Authority (hereafter also referred to as the ‘FSMA’, ‘we’ or ‘us’) attaches great importance to compliance with the European data-protection legislation, the GDPR (General Data Protection Regulation) and with the Belgian legislation concerning the protection of personal data.
When does the present data protection policy apply?
The present Policy applies to the tasks and services of the FSMA and to the website www.fsma.be, the business portals and any other sites referred to under the domain name ‘.fsma.be’ (hereafter ‘the website’).
The present Policy is intended to inform you about the collection and use of Data by the FSMA, in accordance with the latter’s obligation under the GDPR to provide such information. It should be noted that the GDPR provides for certain exceptions to this obligation. These include, in particular, cases where your Data have been obtained from a third party and i) these Data must remain confidential subject to our legal obligation of professional secrecy, ii) obtaining or disclosing said Data is expressly laid down by a law to which the FSMA is subject and which provides appropriate measures to protect your legitimate interests, or iii) where informing you is likely to render impossible or seriously impair the achievement of the objectives of the processing of your Data.
Furthermore, the FSMA enjoys certain specific derogations from the obligation to provide information, as regards the cases referred to in Articles 46bis and 46ter of the Law of 2 August 2002 on the supervision of the financial sector and on financial services (hereafter ‘the Law of 2 August 2002’). These include, in particular, cases where the FSMA acts (i) to exercise its powers as laid down in Article 87quinquies of the said Law (‘mystery shopping’), where such Data are obtained from the person concerned, (ii) within the framework of the administrative sanction procedures concerning the matters referred to in Article 45 of the said Law and with a view to imposing the administrative penalties referred to in Article 59 of the Law of 7 December 2016 on the organization of the profession and on the public supervision of auditors, or (iii) in its capacity of administrative authority within the meaning of Article 22quinquies of the Law of 11 December 1998 on the system of classification and security clearances.
Who is the controller of the personal data?
The FSMA (Rue du Congrès/Congresstraat 12-14, 1000 Brussels) is the controller of your Data. This means that the FSMA determines the purposes for and means of processing your Data.
The FSMA has designated a Data Protection Officer (‘DPO’) who is your point of contact for all questions or requests in connection with the processing of your Data. You will find the contact details of the DPO in the answer to the question 'How can you contact us?' in this Policy.
What personal data do we process?
The FSMA collects your Data in several ways:
1. The Data you have supplied yourself
We first of all process the data you have supplied yourself:
- as part of our public-interest tasks and the exercise of public authority: these are, among other things, Data that you provide to us (in any way whatsoever, including through the business portals) as part of a request for registration, recognition or authorization, of our supervision of the conditions for conducting a regulated activity, of our supervision of compliance with the rules governing conduct of business, products and commercial practices, of a request for approval of a document, of our enforcement of the supplementary pensions legislation and of our role as Secretariat of the Belgian Audit Oversight College.
This also covers:
- the Data you have provided to us as a whistleblower (including via the application https://www.fsma.be/en/faq/whistleblowers-point-contact): these are data such as your contact details and other Data that you provide on this occasion (except if you opt to remain anonymous and are effectively not identifiable).
- the Data you provide to us after having received a request for the requisite information, notably in order to enable us to verify if an operation or activity falls within the scope of laws or regulations that we are tasked with enforcing or in order to carry out our legal mandate, to monitor developments nationally or at a European or international level within the domains in question and to shape our supervisory policies (Article 78 of the Law of 2 August 2002).
- by filling in the contact form on the website (in particular https://www.fsma.be/en/consumer-contact-form, https://www.fsma.be/en/professional-contact-form and email@example.com): these are Data such as your title, first name, surname, email, telephone number, whether or not you are a resident of Belgium, and the additional Data in your question, comment, complaint or other message. In the contact form for professionals, we also ask (if applicable) for the name of your company and your FSMA number.
- by subscribing to a newsletter: these are Data such as your email address, your first name and surname.
- by participating in a consultation: these are Data on your identity, your role and other Data that may be sent as part of a consultation (open or limited), organized by the FSMA, mainly on legislative projects.
- by filling in an order form (for example to obtain a copy of our annual report, or a brochure, in particular via https://www.fsma.be/en/order-form): these are Data such as your title, first name, surname, email, company, street and number, postcode, location and country.
- by entering into a contract with us: these are your personal Data such as your name and email address, as well as any other Data you provide in the pre-contractual or contractual stage.
- by visiting us: these are Data you need to fill in on the visitor registration sheet such as your name, your company, your number plate, and the images recorded by the security cameras in our building and car park.
2. Data obtained from a third party
We also process personal data obtained from a third party:
- as part of our public-interest tasks and the exercise of public authority: these are, among others, your Data that have been provided to us (in any way whatsoever, including through the business portals) by a third party (such as the natural or legal person under our supervision with which you work or hold a position, whistleblowers, other national or foreign authorities or someone who lodges a complaint or asks us a question) as part of a request for registration, recognition or authorization, of our supervision of the conditions for conducting a regulated activity, of our supervision of compliance with the rules governing conduct of business, products and commercial practices, of a request for approval of a document, of our enforcement of the supplementary pensions legislation and of our role as Secretariat of the Belgian Audit Oversight College, or in response to a request to provide us with the requisite information pursuant to Article 78 of the Law of 2 August 2002.
- as part of a contract with the contracting party for which you work: this is your name, your email address and other data such as, in certain cases, references to your previous work, which are provided to us by the contracting party for which you work as part of the pre-contractual measures or the provision of services to the FSMA.
3. Data obtained automatically
What are the purposes of and basis for our use of your personal data?
The FSMA collects, stores, uses and processes your Data:
- for the purpose of exercising the public-interest tasks listed in Article 45, § 1 of the Law of 2 August 2002, or other tasks entrusted to it under any other provision of national or European law and the exercise of public authority entrusted to the FSMA;
- based on its legal obligations, especially the record-keeping obligation under the Law of 24 June 1955 on archives;
- based on your consent, without prejudice to the processing conducted in accordance with the legal bases and the purposes mentioned above:
  - to register as a user of one of the business portals on the website (except where your registration is obligatory);
  - to be able to get in touch with you as part of a consultation;
  - to send newsletters;
  - to respond to all other requests you may make, for example through the contact forms.
- based on pre-contractual measures or measures for the performance of a contract that the FSMA has entered into with you or the party for which you work in order to provide us with all the necessary information for deciding whether to enter into a contract, or to be able to communicate with you as part of the provision of services;
- based on its legitimate interest:
  - for visitor management. Based on the number of forms filled in at reception, we also compile anonymous statistics on visitor numbers;
  - for the security of its building and car park;
  - for assessment, security (including fraud) and improvement/optimization of its website and business portals.
How long will we store your personal data?
The FSMA stores Data only for the period necessary to accomplish the purpose for which we have collected it and within the limits provided for by the law if it allows a longer period.
- The Data processed by the FSMA for the exercise of its public-interest tasks and of the public authority with which the FSMA is entrusted will be kept for as long as you are supervised by the FSMA, or for as long as the natural or legal person with which you work or hold a position is supervised by the FSMA. The FSMA can store your Data for a longer time, for example insofar as the Data may again become pertinent for the exercise of its supervision or as part of potential liability claims.
- Without prejudice to the storage timescales that apply to the processing referred to above, the Data the FSMA receives:
  - to register you as a user of one of the business portals on the website, will be kept for as long as you have an account on the application concerned;
  - to be able to get in touch with you as part of a consultation, will be kept until the project on which you have been consulted is closed (either because it has become final or because it has been definitively deleted, with the proviso that a project is not considered closed while it remains contested);
  - to send you newsletters, will be kept until you unsubscribe;
  - to respond to all other requests you may make, for example through the contact forms, will be kept for two years from the last response on our part;
  - in the pre-contractual or contractual stage, will be kept for the duration of the contract and 10 years after the end of the contract. If no contract is entered into, your Data will be deleted more rapidly;
  - as part of your visit, will be kept for 30 days.
Notwithstanding the foregoing, the FSMA is subject to the Law of 24 June 1955 on Archives, and some information is consequently kept for a longer period as provided for under this Law for archiving purposes, albeit with the appropriate guarantees.
With whom do we share your data?
The FSMA processes Data only for the specific purposes for which they have been collected or for purposes compatible with them, in accordance with the rules governing further processing of Data provided for in European and Belgian data protection legislation. The Data collected are in no case used for commercial purposes.
The FSMA may share your data:
- with service providers with which the FSMA works (for example IT service providers, the platform the FSMA uses for managing newsletters, lawyers or other service providers necessary for the exercise of the FSMA’s tasks). Access by these providers to your Data shall be limited to what is strictly necessary for their tasks;
- in the cases provided for by Article 74 of the Law of 2 August 2002 (and even if the Data in question are not covered by the professional secrecy referred to in the said Article):
- in cases where the communication of such information is provided for or authorized by or pursuant to the Law and laws governing the tasks conferred on the FSMA (including the cases referred to in Article 75 of the same Law);
- during a witness testimony in a criminal case;
- to report criminal offences to the judicial authorities (in the knowledge that in such a case the FSMA may publish its decision to report criminal offences to the judicial authorities);
- as part of administrative or judicial appeals against acts or decisions of the FSMA and in all other cases in which the FSMA is a party;
- in a collective or aggregate form in such a way that you are unable to be identified.
Where the Data have been provided by a whistleblower, the FSMA may only transmit these data to third parties under the conditions provided for by the regulation of the FSMA laying down procedural rules for the receipt and treatment of reports of infringements, enacted by the Royal Decree of 24 September 2017 (for more information see https://www.fsma.be/en/faq/whistleblowers-point-contact).
Does the FSMA process your data outside the European Economic Area?
The FSMA will not itself process your Data outside the European Economic Area (EEA).
Service providers who work for the FSMA may process your Data outside the EEA (for example in the United States). Where this is the case, the FSMA ensures that the service provider enters into a contract with the FSMA and that the level of protection is guaranteed, for example by way of a decision of the European Commission determining that a third country provides an adequate level of protection (Article 45 of the GDPR), by way of standard data-protection clauses adopted by the European Commission and entered into by the parties for the purpose of processing data outside the EEA (Article 46 of the GDPR) or by way of another legal instrument that provides appropriate guarantees.
The FSMA may, as part of its public-interest tasks and of the exercise of public authority, and within the limits provided for by Articles 74 and 75 of the Law of 2 August 2002, exchange personal data with a financial supervisory authority of a country outside the EEA (hereafter ‘third country’) for purposes of international cooperation. Where this is the case, the FSMA ensures that:
- this third country ensures an adequate level of protection (adequacy decision of the European Commission - Article 45 of the GDPR); or
- appropriate safeguards are in place (Article 46 of the GDPR), in particular, where the non-EEA financial supervisory authority has undertaken to have in place the safeguards set out in an administrative arrangement, such as the Administrative arrangement for the transfer of personal data between EEA and non-EEA authorities; or
- it may make use of a derogation, such as the one applicable in the event of a transfer necessary for important reasons of public interest (Article 49 of the GDPR).
The FSMA will only transfer personal data that are adequate, relevant and limited to what is necessary for the purposes for which they are transferred.
If you have any questions about this subject, please feel free to send a dated and signed request to the FSMA for the attention of the data protection officer. You will find the contact details of the DPO in the answer to the question below on ‘How can you contact us?’.
How do we protect your personal data?
The FSMA puts in place technical means and security measures to protect your Data and to prevent any accidental or illegal destruction, loss, alteration or amendment, as well as any unauthorized access or disclosure.
By virtue of Article 74 of the Law of 2 August 2002, the FSMA, members of its bodies and members of its staff are bound by professional secrecy and may not disclose to any person or authority whatsoever the confidential information they have become aware of (without prejudice to the exceptions mentioned in the answer to the question ‘With whom do we share your data?’ in this Policy).
Moreover, the FSMA asks its service providers that process Data for the FSMA also to always take the necessary security measures.
What about links to other websites and to social media?
What are your rights and how can you exercise them?
You have a set of rights as regards your Data. Some of these rights have a very specific scope or are subject to special conditions or exceptions.
- the FSMA acts with a view to performing its tasks listed in Article 45, § 1 of the Law of 2 August 2002 or other tasks entrusted to it under any other provision of national or European legislation where these data have not been obtained from the person concerned;
- the FSMA exercises its powers as laid down in Article 87quinquies of the Law of 2 August 2002 (‘mystery shopping’) where such Data are obtained from the person concerned under the conditions set out in the aforementioned Article;
- the FSMA acts within the framework of the administrative sanctions procedures concerning the matters referred to in Article 45 of the said Law and for the imposition of the administrative measures and penalties referred to in Article 59 of the Law of 7 December 2016 on the organization of the profession and on the public supervision of auditors, conducted in accordance with section 5 of chapter III of the Law of 2 August 2002, insofar as the Data in question relate to the subject of the enquiry or supervision; or
- the FSMA acts in its capacity of administrative authority within the meaning of Article 22quinquies of the Law of 11 December 1998 on the system of classification and security clearances. In the latter case, the FSMA also enjoys a derogation from the rights in respect of automated individual decisions and profiling (under Article 22 of the GDPR).
The derogations referred to in points i. and ii. apply as long as you have not obtained, where applicable, legal access to the administrative dossier which the FSMA holds on you and that contains the Data in question.
Other than in these cases, you may at any time exercise your right to access the personal information about you in order to supplement it, amend it, rectify it, delete it or object to its processing for legitimate reasons in accordance with the applicable laws on data protection.
Furthermore, you may at times ask for a restriction to the processing of your Data and, in some cases, you may ask us to send your Data to you, or (if possible from a technical point-of-view and within the limits of the FSMA’s professional secrecy) to another controller.
Where the processing of your Data is based on consent, you have the right at all times to withdraw your consent. A withdrawal of consent will have no effect on the validity of the processing of your personal data prior to the withdrawal.
If you wish to exercise these rights, all you have to do is send a request with a copy of the front of your ID card, of your passport or any other proof of identity by email to firstname.lastname@example.org, or in writing to the FSMA’s Data Protection Officer. You will find the contact details of the DPO in the answer to the question ‘How can you contact us?’ of this Policy. We ask that you provide proof of identity in order to be certain that we are respecting your Data and that we are not sending it to a third party.
If you contact us to exercise your rights, we will inform you within one month of receiving your request of the action taken on it. If necessary, this deadline may be extended by two months to take account of the complexity and number of requests. In this case, we will inform you within one month of receiving your request. We reserve the right not to respond to clearly unfounded or excessive requests. Your request will be kept for as long as legal remedies are possible.
At any time, if you consider that your rights have not been respected, you may also make a complaint to the Data Protection Authority, Rue de la Presse/Drukpersstraat 35, 1000 Brussels, email: email@example.com (see also www.dataprotectionauthority.be).
This Policy may be amended. You may consult the most recent version of our Policy at any time on our website. Moreover, we will do our best to keep you updated as to any major amendments via other communication channels.
The present Policy was last amended on 17 September 2020.
How can you contact us?
If you have questions or comments on the subject of the present Policy, or if you would like to exercise your rights, please send:
- an email to firstname.lastname@example.org; or
- a letter to:
Financial Services and Markets Authority (FSMA)
Attn: Data Protection Officer
rue du Congrès/Congresstraat 12-14
1000 Brussels (Belgium)