Privacy Policy

1     Scope

2     Definitions

3     Commitment to personal data protection

4     Roles and responsibilities

5     Set-up of data protection approach

5.1        Personal data protection framework

5.1.1     Laws and regulations

5.1.2     Data processing principles

5.1.3     Policies

5.1.4     Procedures

5.2        Concrete measures

5.2.1     Technical and organisational security measures

5.2.2     Third parties and data processor agreements (PA)

5.2.3     Records of processing activities (RPA)

5.2.4     Data protection impact assessment (DPIA)

5.3        Awareness

6     Changes to this policy

7     Contact

Last updated: 01/11/2020 – BIRD Group vzw

BIRD Group vzw (also referred to below as BIRD) values privacy and is therefore committed to protecting the (personal) data of all its stakeholders. This privacy policy provides an overview of the importance BIRD attaches to privacy and personal data protection, how the organisation goes about it, the stakeholders involved, and the roles and responsibilities assigned.

This privacy policy is part of a set of data protection guidelines and procedures and does not intend to stand on its own or contradict other BIRD policies.

 

1    Scope

This privacy policy serves as a guiding instrument for all parties involved that process personal data for BIRD.

This privacy policy applies to the personal data as classified below, regardless of whether it is stored electronically, on paper or on other materials:

  • Employees’ personal data (applicants (present and past), current employees (full-time, part-time and temporary), former employees, external employees, interns and contractors);
  • Shareholders’ and partners’ personal data;
  • On-site visitors’ personal data;
  • Website visitors’ personal data;
  • Suppliers’ and customers’ contact persons’ personal data.

 

This privacy policy is applicable to all internal and external employees of BIRD and subcontractors who have an agreement with BIRD. Other stakeholders include third parties with whom BIRD works, or to whom it needs to provide personal data under a legal obligation to do so. BIRD will, to the extent possible, carefully select its partners in order to guarantee confidentiality and the processing of personal data in accordance with the GDPR, applicable local data protection and privacy laws and this policy.

2    Definitions

Controller

is defined as a natural or legal person who (either alone, jointly or together with other persons) determines the purpose(s) “for which” and the manner “in which” any personal data is or will be processed

Data subject

is defined as a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

DPA

Data Protection Authority

DPIA

Data Protection Impact Assessment as defined in the GDPR

DPO

Data Protection Officer as defined in the GDPR and local regulations, and is officially registered with the Supervisory Authority (also known as Data Protection Authority, hereinafter: “DPA”)

PA

Processing agreements as defined in the GDPR

Personal data

is defined as any information relating to an identified or identifiable natural person. An identifiable natural person is the one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

Personal data breach

means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed

Privacy responsible

Data Protection Officer as defined in the GDPR and local regulations, but is not officially registered with the DPA

Processing

is defined as any operation or a set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Processor

is defined as a natural or legal person (other than an employee of the controller) who processes personal data on behalf of the controller. BIRD has a valid processing agreement for all relations with processors

RPA

Records of Processing Activities as defined in the GDPR

Special categories of data

is defined as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation (art. 9). Data relating to criminal convictions or offences is also sensitive (art. 10)

3    Commitment to personal data protection

BIRD wants to continue being an organisation that cares about the privacy of people and their data and creates a culture and environment that is resilient to any accidental and deliberate personal data infringement occurring.

With all privacy and data protection efforts in place and envisioned, the achievement of the following objectives is paramount to BIRD:

  • Protection of confidential and privacy-sensitive information
  • Respect and protect the fundamental rights and freedoms of all data subjects
  • Ensure transparency, confidentiality and integrity of the processed personal data
  • Compliance with existing laws and regulations

BIRD processes personal data from customers, employees and suppliers on a daily basis. Any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed, can lead to, among other things:

  • A breach of the trust of customers and employees of BIRD
  • Damage for customers and/or suppliers with claims for damages as a result
  • Reputational damage to BIRD
  • Violation of legislation

4    Roles and responsibilities

In order to guarantee confidentiality and careful handling of personal data, all individuals working for BIRD must ensure that the processing of personal data happens in line with this policy and the data protection principles. Therefore, employees, contractors and other stakeholders involved have the responsibility to:

  • Identify personal data processing activities and the risks that accompany the processing of personal data
  • Only process the data necessary to achieve a predefined purpose
  • Execute the proposed measures by BIRD and follow up on the changes in the policies and procedures
  • Inform the privacy responsible of major changes in the entity
  • Inform the privacy responsible if any doubts and/or questions arise
  • Know BIRD’s vision on privacy and recognise what this means for his/her responsibilities

 

The implementation of this policy falls under the responsibility of CRA.

 

For questions relating to privacy and data protection, BIRD has appointed a Data Protection Officer, whom you can reach at enzo.marquet@cranium.eu.

5    Set-up of data protection approach

5.1  Personal data protection framework

This section explains the relevant privacy and data protection laws and regulations, the personal data protection principles and the BIRD procedures and policies.

5.1.1      Laws and regulations

EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016, or the European General Data Protection Regulation (GDPR), defines the rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. In addition, the GDPR foremost protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

 

5.1.2      Data processing principles

Every company is obliged to process personal data in accordance with the data processing principles as described in the GDPR. BIRD has put the appropriate organisational and technical measures in place to assure compliance with these principles and ensures continuous evaluation of these measures.

 

Therefore, it is also important for every employee dealing with personal data to be aware of the data processing principles. In addition, BIRD employees and stakeholders involved should only process personal data after analysis and application of the following six principles.

 

5.1.2.1      Lawfulness, fairness and transparency 

BIRD should assure that personal data is collected and further processed in a lawful, fair and transparent manner.

a)    Lawfulness

Irrespective of whether the personal data is collected directly or indirectly, personal data processing by BIRD needs to be based on one of the legal grounds listed under the GDPR, namely:

  • Consent of the data subject, which should be informed, explicit, specific and unambiguous, e.g. to use pictures of data subjects on the BIRD website;
  • Legitimate interest pursued by BIRD could be used as legal basis, unless such interest is overridden by the interests for fundamental rights and freedoms of the data subject;
  • Performance of the contract to which the data subject is a party or in order to take steps (at the request of the data subject) prior to entering into a contract e.g. employment contract;
  • Legal obligation to which BIRD is subject;
  • Vital interest of the data subject e.g. in case of accident at work, BIRD as employer may provide the name of the employee to the hospital;
  • Public interest e.g. performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the personal data is disclosed.

 

b)    Fairness

Personal data processing shall not have an adverse impact on the data subjects concerned, unless the EU or national law states otherwise. BIRD intends to only handle data subject’s data in ways he/she would reasonably expect, or BIRD can explain why any unexpected processing is justified.

 

c)     Transparency

The data subjects, whose personal data is collected directly or indirectly, must be informed in a timely manner about the processing, unless the EU or national law states otherwise. Transparent processing is about being clear and honest with people about BIRD intentions and the purposes of processing.

 

5.1.2.2      Purpose Limitation

BIRD should assure that personal data is only processed for specific, explicit and legitimate purposes. If afterwards the personal data is processed for a new purpose, incompatible with the initial one, the data subject concerned is duly informed and has to provide his/her consent or is allowed to object to such processing e.g. collected samples should only be tested for the specified test.

 

5.1.2.3      Data minimization 

BIRD should only gather personal data which is adequate, relevant and limited to what is necessary to achieve the purposes for which it is processed. When possible, personal data should be pseudonymised or anonymised e.g. remove the name of the sample and add an identifier, which is then listed on a separate document.

 

5.1.2.4      Accuracy

BIRD should assure that personal data is kept accurate and up to date throughout its lifecycle (from the collection to the destruction / deletion).

 

5.1.2.5      Storage limitation 

BIRD should assure that personal data is kept no longer than necessary to meet the legitimate business purposes for which the personal data was collected and in compliance with the BIRD data retention procedure in the Record of Processing Activities, unless EU or national laws state otherwise.

 

5.1.2.6      Integrity and confidentiality 

BIRD protects personal data in a way that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.

5.1.2.7      Accountability

The accountability principle requires BIRD to take responsibility for what it does with personal data and how it complies with the other principles.

5.1.3      Policies

Please find in this section an overview of the BIRD policies in place. This list is not exhaustive and is subject to change:

5.1.3.1      Privacy policy

An overview of the importance BIRD attaches to privacy and personal data protection and serves as a guide for all BIRD stakeholders. 

 

5.1.3.2      Internal privacy statement

The internal privacy statement explains which data is being processed from internal and external employees and contractors, the purpose and the legal grounds to do so.

 

5.1.3.3      External privacy statement

An external privacy statement (such as the consent forms when signing up for membership) provides information about the personal data that BIRD collects through its website and contact form, and the purposes for and legal bases on which BIRD processes that personal data.  

 

5.1.3.4      Cookie statement

The website of BIRD does not collect cookies.

 

5.1.4      Procedures

Please find in this section an overview of the BIRD procedures in place. This list is not exhaustive and is subject to change.

 

5.1.4.1      Data subject rights

Every individual has the possibility to exercise the freedoms and rights as described in the GDPR. BIRD has the obligation to respond in a timely manner to data subject requests and to make sure that the legal deadlines are met.

 

When dealing with a data subject request for exercising their rights, please consult the DPO at enzo.marquet@cranium.eu.

 

The data subject rights explained:

a)    Right to information

Data subject always has the opportunity to request his/her personal data (including processing purposes, categories of personal data, estimated retention period) and to be informed about what happens with the data collected from data subject.

 

b)    Right to access

Data subject has the right to access their personal data.

 

c)     Right to rectification, erasure, restriction and objection

Data subject is entitled to have incorrect personal data corrected or completed. Under certain circumstances, the data subject has the right to have their personal data removed from any files. Moreover, the data subject has the right to object to or ask for the restriction of the processing of their personal data. However, in certain cases the processing of the personal data is necessary to comply with legal obligations or to be able to execute contractual obligations. In that case, compliance with those obligations will prevail over the data subject’s right to objection, restriction or erasure. Therefore, BIRD will evaluate case by case whether or not the request can be complied with.

 

d)    Right to data portability

Data subject has the right to receive their personal data, processed by BIRD in a structured, commonly used and machine-readable format and/or to transmit those data to another controller.

 

e)    Right not to be subjected to automated individual decision-making including profiling

Data subject has the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects on the data subject or similarly significantly affects the data subject.

 

f)     Right to lodge a complaint

If, at any time, the data subject is of the opinion that BIRD infringes his/her privacy, the data subject has the right to lodge a complaint with:

 

The Belgian supervisory authority:

Gegevensbeschermingsautoriteit

Drukpersstraat 35, 1000 Brussel

+32 (0)2 274 48 00
+32 (0)2 274 48 35
contact@apd-gba.be

 

5.1.4.2      Data breach

Any possible personal data breach, even if the impact is minimal, must immediately be reported to marjan.steppe@birdgroup.be and the DPO at enzo.marquet@cranium.eu.

 

There is a personal data breach whenever there is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data, or if the data is made unavailable and this unavailability has a significant negative effect on individuals. Examples of a data breach are: accidental disclosure of e-mail addresses, loss of a laptop, theft of a database, password leakage, etc.

 

5.1.4.3      Data retention

In line with the data protection principles of storage limitation and accuracy, it is required to set out clear data retention periods for the personal data being processed by BIRD.

 

5.1.4.4      Maintaining the record of processing activities

In line with all the data protection principles, it is required to keep the record of processing activities accurate and thus ensure the quality of the record.

 

Please read the procedure on maintaining the records of processing activities.

 

5.1.4.5      Data protection impact assessment (DPIA)

Where a type of processing in particular makes use of new technologies and/or is likely to result in a high risk to the rights and freedoms of natural persons, BIRD should, prior to the processing, carry out an assessment of the impact on the person(s) involved. This is also called a data protection impact assessment (DPIA) (see also under section 5.2.4).

 

5.1.4.6      Legitimate interest balancing test

When a new processing activity is based on the legitimate interest of BIRD the organization will need to do an assessment in order to make sure that that interest does not override the rights and freedoms of the data subject(s) involved.

 

5.2  Concrete measures

The degree of applicability of this privacy policy depends on the nature of the concerned personal data and the conformity with the six principles of the GDPR.

 

Therefore, it is in general very important for BIRD employees and partners to:

  • Always minimise the processing of personal data in terms of nature, quantity, access and retention;
  • Evaluate new/changed procedures or systems in which personal data is processed in order to take appropriate technical and organisational measures in advance, including Privacy by Design and Privacy by Default;
  • Have technical and organisational security controls with different access privileges based on a “need to know” (and not “nice to know”).

 

Further, this privacy policy may be supplemented by local or more specific personal data protection procedures and other internal procedures and policies.

 

Please consult the DPO via enzo.marquet@cranium.eu if you have questions or need assistance.

 

5.2.1      Technical and organisational security measures

BIRD guarantees implementation of the appropriate technical and organisational measures to ensure a level of security appropriate to the risk and taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

 

5.2.1.1      Security measures (and IT Security)

BIRD acknowledges its responsibility to ensure an appropriate level of security with regard to the information you provide. Therefore, BIRD has implemented various measures in order to protect the personal data against loss, alteration, accidental or unlawful destruction, unauthorized disclosure of, or access to the personal data. At the organisational level, measures are taken such as the limitation of access to the premises. At the technical level, firewalls and encryption are in place, personal passwords are used and verified, and verification requirements regarding access to personal data on a ‘need-to-know’ basis are provided.

 

5.2.1.2      Data use and disclosure

When personal data is accessed, disclosed or transferred, the risk of loss, corruption or theft arises.

 

Some measures (please note that these measures are not exhaustive):

  • The only people able to access data covered by this privacy policy should be those who need it for executing their work;
  • Avoidance of creating any unnecessary additional data sets;
  • Personal data should not be shared informally;
  • Personal data should not be disclosed to unauthorized people, either within the company or externally;
  • When working with personal data, employees should ensure the screens of their computers are always locked when left unattended;
  • Personal data sent by email or being transferred electronically to external parties must be encrypted or protected by other appropriate technical and organisational security measures;
  • Every opportunity should be taken to ensure personal data is reviewed and, if needed, updated (e.g. by confirming a business’ contact details when they call or meet);
  • BIRD employees must not take any personal information away from BIRD premises except when prior consent is obtained. Any employee taking records off site must ensure that appropriate technical and organisational measures are taken to protect them.

 

5.2.1.3      Data storage

When personal data is stored on paper, it should be kept in a secure place where unauthorized people cannot see or access it.

 

Some measures:

  • Do not print when not needed;
  • When not required, the paper or files should be kept in a locked drawer or filing cabinet;
  • Employees should make sure paper and printouts are not left where unauthorized people could see them, like on a printer;
  • Data printouts should be shredded and disposed of securely when no longer required.

 

When personal data is stored electronically, it must be protected from unauthorized access, accidental deletion and malicious hacking attempts. In addition, personal data should only be stored on designated and secure drives and servers and should only be uploaded to approved cloud computing services.

 

5.2.2      Third parties and data processor agreements (PA)

As a controller, BIRD has the obligation to ensure that it only uses processors providing appropriate guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure protection of the rights of the data subjects. Following this, due diligence shall be conducted before a contract with a new processor is signed. A contract with the processor shall include clauses on personal data processing, in which appropriate instructions on how to process personal data are given to the processor and appropriate technical and organisational measures are agreed upon.

 

Personal data transfer to the processors or the third parties who are based or are processing personal data outside the EEA needs to be:

  • Justified (lawfulness of the transfer);
  • Compliant with personal data processing principles;
  • Secure (appropriate personal data protection level shall be ensured).

 

In order to ensure appropriate personal data protection level, BIRD shall:

  • Check whether the country to which personal data is transferred is covered by an adequacy decision approved by the EU Commission. If the country is covered, the transfer of personal data is allowed;
  • If the country is not covered by an adequacy decision, Standard Contractual Clauses shall be signed between BIRD and the third party who is processing personal data outside the EEA.

 

5.2.3      Records of processing activities (RPA)

BIRD is required to maintain a record of processing activities under its responsibility according to the GDPR. That record contains an overview of all processing activities, purpose of processing, categories of data subjects, categories of personal data, recipients, transfers to countries outside the EEA, retention periods and a description of the organisational and technical security measures.

 

5.2.4      Data protection impact assessment (DPIA)

In the case that a processing activity, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, BIRD should prior to the processing, carry out an assessment of the impact on the protection of personal data.

 

When any doubt exists as to whether the current processing of personal data might constitute a high risk to the rights and freedoms of natural persons, please contact enzo.marquet@cranium.eu.

 

5.3  Awareness

Processing of personal data starts with building awareness. Being in the loop on what personal data is, which personal data is being processed and for which purposes is key. Depending on its type, personal data (esp. special categories of data) might need some extra attention. Next to this, it is important to follow the BIRD privacy and data protection policies in order to be compliant with the personal data protection principles as well as being able to respond to data subject requests in an appropriate way.

 

It is the task of the CRA to ensure regular communication towards all BIRD stakeholders, as well as inform them in case of any changes to the personal data protection framework conditions (laws and regulations, principles, policies and procedures).  Awareness sessions and e-learnings are methods to actively educate all stakeholders on data protection and its effects.

 

6    Changes to this policy

Changes to this privacy policy can be made from time to time. This will be in accordance with the GDPR or other privacy related regulations and laws. When we change the content of this policy we will change the date and version number of the ‘last update’ of this privacy policy. You will be informed about these changes in an appropriate manner.

 

7    Contact

If you have any questions with regard to the content of this policy, the processing of personal data or the exercise of data subject rights in relation to this data processed by BIRD, you can contact enzo.marquet@cranium.eu.

 
