In our capacity as a firm of auditors, accountants and tax consultants, we are responsible for processing a large amount of data, some of which is personal data. The personal data we process may concern you as a client of the firm, but also as a business contact of our clients (if you are a supplier or a customer of our client, for example). We are required to give you the following information, in your capacity as a person concerned whose personal data we are processing.
1. Personal data controller
The personal data controller is SPRL BMA, represented by Hélène SPEGELAERE, Corporate auditor, Partner. The data controller’s office is at Boulevard Lambermont 430/3, 1030 BRUSSELS, company registration number BE0461.440.381. The data controller is registered with the Institute of Corporate Auditors (Institut des Reviseurs d’Entreprises) under accreditation number B315 and with the Institute of Certified Accountants (Institut des Experts-comptables) under number 224103. For any questions concerning the protection of personal data, please contact BMA SPRL by post at the above address or by email at firstname.lastname@example.org.
2. Purposes of personal data processing
The firm processes personal data for the following purposes:
A. Application of the Law of 18 September 2017 on the prevention of money laundering and terrorist financing and on the restriction of the use of cash (hereinafter Law of 18 September 2017).
1° Pursuant to Article 26 of the Law of 18 September 2017, our firm is required to collect the following personal data concerning our clients and their agents: first name, last name, date of birth, place of birth and, where possible, address.
2° Pursuant to Article 26 of the Law of 18 September 2017, our firm is required to collect the following personal data concerning the clients’ beneficial owners: first name, last name and, where possible, date of birth, place of birth and address.
Processing this personal data is a legal requirement. Without this data, we cannot enter into a business relationship (Article 33 of the Law of 18 September 2017).
B. The obligations incumbent on the firm in respect of the Belgian authorities, foreign authorities or international institutions, pursuant to a legal or regulatory obligation, a court decision or to defend a legitimate interest, specifically but not exclusively, if the current and future tax (VAT listings, tax forms, etc.) and social security laws require us to process personal data in the context of the mission we have been entrusted with. Processing this personal data is a legal requirement. Without this data, we cannot enter into a business relationship.
C. Performance of this contract in relation to accounting, tax and auditing services. Processing of personal data concerns data belonging to clients, the members of their personnel, their directors, among others, and other persons such as customers and suppliers involved in their activities. If this data is not sent and processed, we will be unable to perform our mission as a corporate auditor, certified accountant or tax consultant.
3. What is the personal data and who is it from?
In relation to the purposes referred to in point 2, our firm is authorised to process the following personal data: first name, last name, email address, biometric data (copy of electronic identity card or passport), address, company registration number, national number, etc. With regard to tax declarations for natural persons via Tax-on-Web, the following data is also processed: children, membership of a trade union or political organisation, medical data. The firm processes the personal data that the person concerned or their relatives have provided themselves. The firm also processes personal data that has not been provided by the person concerned, such as personal data transmitted by the client concerning its employees, directors, customers, suppliers or shareholders. The personal data may also come from public sources such as the Crossroads Bank for Enterprises, the Moniteur Belge (Belgian Official Journal) and its appendices and the National Bank of Belgium (Central Balance Sheet Office). The data will only be processed if required for the purposes referred to in point 2. The personal data will not be transmitted to third countries or international organisations.
4. Data recipient
In accordance with the foregoing, and except where it is necessary to send personal data to organisations or entities whose involvement as third party service providers, on behalf of and under the supervision of the data controller, is required for the aforementioned purposes, the firm will not transmit the personal data collected in this regard, nor sell, rent or exchange it with any organisation or entity, unless you have been previously informed thereof and have explicitly given your consent. The firm may take all necessary measures to guarantee the correct management of its website and IT system. The firm may transmit personal data on request from any legally competent authority or on its own initiative if it considers in good faith that transmitting this information is necessary in order to comply with the law or the regulations or to defend and/or protect the rights or assets of the firm, its clients, its website and/or yourself.
5. Security measures
In order to prevent, insofar as possible, any unauthorised access to the personal data collected in this regard, the firm has drawn up security and organisational procedures. These procedures concern both the collection and retention of this data. These procedures also apply to all sub-contractors used by the firm.
6. Retention period
6.1. Personal data that we are required to retain under the Law of 18 September 2017 (see point 2A)
This concerns identification data and copies of evidence concerning our clients, internal and external agents and the beneficial owners of our clients. In accordance with Articles 60 and 62 of the Law of 18 September 2017, this personal data will be retained for a maximum of ten years following the end of the business relationship with the client or from the date of a one-off transaction.
6.2. Other personal data
Personal data belonging to persons not referred to above will only be retained for the duration set out in the applicable legislation, such as accounting, tax and social security legislation.
6.3. Once the aforementioned periods have expired, the personal data will be erased, unless another law in force provides for a longer retention period.
7. Rights of access, rectification, the right to be forgotten, portability of data, objection, non-profiling and notification of security faults
7.1. Personal data that we are required to retain in accordance with the Law of 18 September 2017
This concerns the personal data of our clients, agents and beneficial owners of clients. In this regard, we must draw your attention to Article 65 of the Law of 18 September 2017:
“Art. 65. The person concerned by personal data processing under this law does not have the right of access and rectification of their data, nor the right to be forgotten, portability of the said data, nor objection, nor the right not to be profiled or be notified of security faults. The right of access of the person concerned by the personal data is exercised indirectly, pursuant to Article 13 of the aforementioned Law of 8 December 1992, with the Commission for the Protection of Privacy set up by Article 23 of the said law. The Commission for the Protection of Privacy will only notify the applicant that the necessary verifications have been performed and of the result regarding the legality of the processing in question. This data may be sent to the applicant when the Commission for the Protection of Privacy [CVP] notes, in agreement with the CTIF-CFI, after receiving the opinion of the data controller, on the one hand that communication of the data is not liable to reveal the existence of a declaration of suspicion as referred to in Articles 47 and 54, the action taken or the exercise of CTIF-CFI’s right to request additional information pursuant to Article 81, nor to challenge the purpose of the prevention of money laundering/terrorist financing, and on the other hand that the data concerned relates to the applicant and is held by the regulated entities, the CTIF-CFI or the supervisory authorities for the purposes of enforcing this law.”
To enforce your rights concerning your personal data, you must therefore apply to the CVP or the Data Protection Authority (see point 8).
7.2. All other personal data
To enforce your rights concerning all other personal data, you can always contact Ms Hélène SPEGELAERE, Corporate auditor, Partner in the firm BMA SPRL.
You may lodge a complaint concerning the processing of your personal data by our firm with the Data Protection Authority:
Commission pour la protection de la vie privée (Commission for the Protection of Privacy)
Rue de la Presse 35, 1000 Brussels
Tel.: +32 (0)2 274 48 00
Fax: +32 (0)2 274 48 35
E-mail: email@example.com
URL: https://www.privacycommission.be