This "data protection policy" describes how APRAGAZ Ltd manages the processing of personal data:
- what personal data are processed, for what purposes, and to whom they are transferred;
- what the rights of the persons concerned are.
It includes the company's data protection policy.
- Introduction
In the course of its activities, APRAGAZ Ltd processes various data, both commercial and personal. This policy concerns the processing of personal data by APRAGAZ Ltd. Personal data of various categories of identifiable persons are processed, for example employees, customers and suppliers, website users, subscribers and other stakeholders.
APRAGAZ Ltd understands the importance of personal data protection and the concerns of its employees, customers and suppliers (and their contact persons) and other persons with whom it has contact regarding the processing of their personal data. When processing personal data, APRAGAZ Ltd always takes careful account of their protection.
Various persons within the organisation may have access to the personal data of its employees (the term employee should be understood as: managers and all those who work for APRAGAZ Ltd, including independent service providers and consultants, temporary workers such as temporary employees, trainees, students, volunteers, former employees) and other persons (customers and suppliers) in the performance of their duties. Each of these persons within APRAGAZ Ltd is bound by this personal data protection policy.
The applicable data protection regulation imposes obligations on APRAGAZ Ltd concerning the way it must process data. In addition, the regulation provides for rights for individuals whose data is processed, so that they have more control over their personal data.
This policy provides an overview of the general obligations that the company and its employees have to comply with under the data protection regulations. Compliance with this policy is important for the following reasons:
- Compliance with data protection regulations is a legal obligation. Failure to comply with these duties may result in liability, sanctions and fines.
- Compliance with data protection regulations leads to more correct and efficient processing of personal data.
- Compliance with data protection regulations forms the basis for a relationship of trust between APRAGAZ Ltd and its business relations, consumers and employees.
- Scope of application
This policy applies to APRAGAZ Ltd which processes personal data and includes the guidelines with which any data processing must comply, whether by a fully or partially automated process, and which are or will be part of a structured file.
- Contact point for personal data protection
The company has appointed two data protection officers, assisted by a team, to ensure the implementation of and compliance with data protection legislation and this policy.
The two data protection officers can be contacted by e-mail
For the exercise of your rights, please see Article 8 of this policy.
- Definitions
Data protection legislation is an abstract subject with its own language. Below are some definitions that will help you to better understand the terminology and, by extension, this policy.
a. Data protection legislation
Various laws may apply, depending on the specific case of application of the processing of personal data.
The purpose of this Data Protection Policy is to support the 10 Data Security Standards, the General Data Protection Regulation (2016), the Data Protection Act (2018), the common law duty of confidentiality and all other relevant national legislation.
b. Personal data
Personal data are any information relating to an identified or identifiable natural person, also referred to as the "data subject". A person is deemed to be identifiable when a natural person can be identified, directly or indirectly, in particular by means of an identifier (a name, an identification number, location data, an online identifier) or by one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity.
c. Data controller
The controller is a natural or legal person (e.g. a company), a public authority, a service or any other body which, alone or jointly with others, determines the purpose and means of the processing of personal data.
For example, APRAGAZ Ltd is a legal entity, responsible for processing the personal data of its employees in the context of personnel management.
d. Processor (subcontractor)
The processor is a natural or legal person, a public authority, a service or other body which processes personal data on behalf of the controller and on the latter's instructions.
e. Processing of personal data
Processing of personal data is any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automatic means (e.g. software), such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
An example of processing of personal data is the collection and storage in the organisation's customer relationship management (CRM) software, or in a paper customer file, of contact details of its customers.
f. File
A file is any structured set of personal data that can be accessed according to specific criteria, whether this set is centralised, decentralised or distributed functionally or geographically.
This includes both electronic files structured by means of software or cloud applications and paper files and folders, provided that they are logically organised and structured by a connection to persons or are linked to persons by means of criteria.
- Principles applicable to the collection and processing of personal data
In addition to having its own language, data protection legislation prescribes a number of basic principles that any data controller must respect in order to comply with this legislation. If in doubt about the application of these principles in a specific case, do not hesitate to contact the person in charge of this matter for clarification, in accordance with the procedure described in Article 8.
The data protection legislation prescribes that personal data must be processed in compliance with the various basic principles and the conditions derived from them.
a. Lawfulness
Data protection law requires that personal data must be processed lawfully and fairly with regard to the data subject.
The lawfulness of processing implies the existence of a legal basis.
In principle, personal data can only be processed if:
- The data subject gives his/her consent. The organisation should at least inform the data subject in advance of the purpose for which the data are requested, which data will be collected for processing, the right to withdraw consent, the possible consequences for the data subject in the context of automated individual decision-making and profiling, as well as the transfer of the data to third countries.
- The processing is necessary for the performance of a contract to which the data subject is party or for the performance of pre-contractual measures taken at the request of the data subject.
- The processing is necessary to comply with a legal obligation imposed on the organisation.
- The processing is necessary to protect the vital interests of the data subject or of another natural person.
- The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the organisation acting as controller.
- The processing is necessary for the purposes of the legitimate interests pursued by the organisation acting as controller or by a third party, unless the fundamental rights and freedoms of the data subject which require the protection of personal data prevail.
You may at any time revoke the consent you have given to the organisation to process your data for a particular purpose. The organisation will then stop processing your data, for which you have given your consent, and will inform you of the possible consequences of withdrawing your consent. If the organisation processes your personal data for other purposes and there are other legal grounds for doing so, it may continue to process your data.
When processing personal data, the organisation ensures that it always uses at least one of the above legal grounds. If you have any questions about the legal grounds invoked by the organisation, please do not hesitate to contact it following the procedure mentioned in Article 8.
Certain categories of personal data are sensitive, so data protection legislation has provided for a stricter regime for these categories of data (also referred to as "sensitive data"). This includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, as well as genetic data, biometric data which uniquely identify a natural person, data concerning health or data concerning the sex life or sexual orientation of a person. Data relating to criminal offences or convictions are also a special category.
In principle, the processing of such sensitive data is prohibited, unless the organisation can invoke one of the exceptions. In a limited number of cases, the organisation has to process sensitive data, in which case the data subject will be informed in advance. In the case of processing for these specific purposes, the organisation will have to inform the data subject in advance in detail of the specific purposes and the basis for the processing. For more information about the organisation's processing of sensitive data, please contact the organisation in accordance with the procedure set out in Article 8 of this policy.
b. Fairness
The organisation guarantees that personal data will be processed:
- For specified, explicit and legitimate purposes and will not be further processed in a way incompatible with those original purposes for which the data were collected. The organisation shall at all times clearly communicate the purposes before processing begins.
- To the extent necessary for the purposes for which the data were collected. Where possible, the organisation will anonymise or pseudonymise data to minimise the impact on the data subject. This means that the name or identifier will be replaced in such a way as to make it difficult or impossible to identify an individual.
- For a limited period of time and as far as necessary for the purpose concerned.
- Correctly and, if necessary, the data will be updated. The organisation will adopt all necessary measures to erase or correct personal data, taking into account the purposes of the processing.
c. Transparency
In principle, the organisation processes personal data directly provided by the data subject. The organisation processing the personal data of the data subject shall systematically provide him/her with the following information:
- the identity and contact details of the controller;
- the purpose of the processing and its legal basis;
- if the controller claims a legitimate interest in processing the personal data, an explanation of that interest;
- the (categories of) recipients of personal data;
- transfer of personal data to third countries (outside the EU) or international organisations (and on what basis);
- the length of time the data will be kept or the criteria according to which the retention period is defined;
- the rights of the data subject (including the right to withdraw consent);
- the right to lodge a complaint with the supervisory authority;
- a justification if the disclosure of personal data is a contractual or legal obligation;
- the logic behind the automated decision-making processes and their possible legal consequences for the data subject;
- If the organisation receives personal data from a third party, it should clearly inform the data subject of the categories of data received and the identity of the third party.
If the data subject already has all the information, the organisation will not inform him/her unnecessarily about the processing of his/her personal data.
If the organisation processes personal data for other purposes, which are incompatible with the purposes for which they were originally collected (the new purpose is not described in the original information notice and the data subject cannot guess that his or her personal data will also be processed for this new purpose), the organisation will take all necessary measures to process the data lawfully and will inform the data subject accordingly.
The organisation may provide the information on both a collective and individual basis and will always ensure that it is written in understandable and simple language.
Some legislation may contain exceptions or impose additional requirements with regard to the provision of information to data subjects with which the organisation must comply. These binding legal provisions take precedence over this policy.
d. Confidentiality and integrity
The company adopts the technical and organisational measures required to ensure that the processing of personal data is always carried out with appropriate safeguards to protect the data against unauthorised access or unlawful processing and against loss, destruction or accidental damage. In selecting appropriate security measures, the organisation has taken into account the nature, context, purpose and scope of the processing, the possible risks involved in processing personal data, the costs of implementing the measures and the state of the art.
These measures apply to physical access to personal data, access to personal data by computers, servers, networks or other hardware, software applications and databases. In addition to the technical and organisational measures, the company's employees who, in the course of their duties, have access to personal data, are required to comply with various obligations aimed at guaranteeing the confidentiality and integrity of the personal data referred to in Article 9 of this policy.
The organisation will provide training for its employees who, in the course of their duties, will be required to process personal data on the instructions of the organisation. Employees are only allowed to process personal data if instructed to do so by the organisation or if they are required to do so by law. The organisation will also put in place access rights to ensure that employees only have access to the data they need to perform their duties. Workers who have access to personal data will sign a confidentiality agreement.
The organisation will ensure that third parties who receive personal data from the organisation comply with data protection legislation and this policy.
The Security Policy contains a general enumeration of the technical and organisational security measures implemented by the organisation.
- Transfer of personal data
In some cases, the organisation may be required to transfer your personal data to third party recipients, both within and outside the organisation. In all cases, personal data is only transferred to these recipients, who process it for specific purposes, on a "need to know" basis. During the transfer, the organisation systematically adopts the necessary security measures, in particular with regard to the recipients, in order to guarantee the confidentiality and integrity of the personal data.
The transfer to third parties can take various forms, as described in more detail below.
a. Transfer within the organisation
The transfer of personal data within the organisation is considered as a transfer to a third party. It can therefore only take place if the organisation has complied with the various principles and obligations imposed by data protection legislation. This means, among other things, that the data subject must be informed of the transfer and the reason for it, and that the sending organisation must have a legal basis (consent of the data subject, performance of a contract, justified interest, etc.) for the transfer. In such further processing, the organisation must also respect the other principles listed in Article 5 of this Policy.
b. Transfer to collaborators
The organisation may ask a third party, a processor, to process personal data exclusively on behalf of the organisation and on the instructions of the organisation. The processor may not process the data for its own purposes independent of the purposes for which the organisation engages the processor.
The organisation may decide to collaborate with such subcontractors, who provide services at the request of the organisation, such as travel agencies, rental services, providers of medical and other professional advice, etc. The organisation will only use subcontractors who have been appointed by the organisation.
The organisation will only use subcontractors and provide them with personal data on the basis of a subcontracting agreement that complies with legal requirements. The GDPR prescribes, among other things, that the contract must contain a clause stating that the processor may only process personal data on the instructions of the organisation; that the processor must assist the organisation at its request; that the data must remain confidential; etc.
Part of the outsourcing contract also covers the security measures that the processor must implement before processing the personal data and maintain throughout the processing to ensure the confidentiality and integrity of the data.
The organisation will take the necessary measures if it becomes aware that its workers are not complying with their obligations under the contract.
A standard outsourcing contract is available from the competent person for this matter.
c. Transfer to third countries - outside the European Economic Area
It is also possible that the organisation may transfer your personal data to parties in third countries, i.e. countries outside the European Economic Area (i.e. the European Union, Norway, Iceland and Liechtenstein).
Such a transfer is possible if the country where the recipient is established offers sufficient legal safeguards for the protection of your personal data and is deemed appropriate by the European Commission. In other cases, the organisation has concluded a standard contract with the recipient so that a protection comparable and equivalent to that in Europe is offered.
Where this has not happened or is not possible, the organisation may still transfer the data subject's personal data, subject to the data subject's consent, within the limits of the relationship between the data subject and the organisation. In order to allow the transfer, and therefore the processing, also in these cases, the organisation will, where appropriate, ask the data subject whether he or she consents to this occasional transfer to third countries.
If you wish to obtain further information or a copy of the safeguards in place for such international transfers of your personal data, you can always follow the procedure set out in Article 8.
- Duration of retention of personal data
The organisation will not keep your personal data longer than is necessary for the specific purpose for which it is collected. At the end of the ultimate retention period, the organisation will delete or anonymise the personal data. The organisation will anonymise the data if it still wishes to use them for statistical purposes. The organisation may keep personal data for a longer period of time for litigation, research or archiving purposes.
- Rights of data subjects
Data protection legislation provides data subjects with various rights in relation to the processing of personal data, so that data subjects can continue to exercise sufficient control over the processing of their personal data.
With this policy, the organisation is already trying to provide as much information as possible to data subjects in order to be as transparent as possible about the processing of personal data. However, this general policy should be read in conjunction with more detailed information notes containing further information on the specific processing purposes of the organisation.
The organisation understands that the data subject may have further questions or seek clarification about the processing of his/her personal data. The organisation therefore also understands the importance of the rights it undertakes to respect, taking into account the legal limitations imposed when exercising those rights. The various rights are described in more detail later in this policy.
a. Right of access
The data subject has the right to obtain confirmation from the organisation that his/her personal data are being processed. If this is the case, the data subject may request access to his/her data.
The organisation shall inform the data subject of the following:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipients of the personal data;
- the transfer to recipients in third countries or international organisations;
- if possible, the envisaged period of storage of personal data or, if this is not possible, the criteria used to determine this period;
- the right of the data subject to request from the organisation the correction or erasure of personal data, or a restriction of the processing of his or her personal data, or the right to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where personal data are not obtained from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, and relevant information about the logic behind such decision-making, as well as the significance and foreseeable consequences of such processing for the data subject.
The organisation shall also provide a copy of the personal data processed. If the data subject requests additional copies, the organisation may charge a reasonable fee.
b. Right of rectification
If the data subject becomes aware that the organisation holds inaccurate or incomplete data about him or her, he or she has the right to notify the organisation at any time so that the organisation can take steps to correct or complete the data. It is the responsibility of the data subject to provide the organisation with correct personal data.
c. Right to be forgotten
The data subject may request the erasure of his/her personal data if the processing is not in compliance with data protection legislation and within the limits of the Act (Art. 17 GDPR).
d. Right to restrict processing
The data subject may request the restriction of processing if:
- the accuracy of the personal data is in question and for the period necessary to verify their accuracy;
- the processing is unlawful and the data subject does not wish the data to be erased;
- the organisation no longer needs the data, but the data subject requests that they not be deleted because he or she needs them for the exercise or justification of a legal claim;
- a complaint is lodged against the processing pending an explanation of the legitimate interests which override the interests of the data subject.
e. Right to portability
Data subjects have the right to receive the personal data concerning them that they have provided to the organisation in a structured, commonly used and machine-readable format. The data subject has the right to transmit this personal data (directly by the organisation) to another controller. This is possible if the processing is based on the consent of the data subject and on processing by an automated process.
f. Right to object
When personal data are processed for direct marketing purposes (including profiling), the data subject may always object to the processing.
The data subject may also object to processing on grounds relating to his or her specific situation. The organisation will then cease processing unless it can demonstrate compelling legitimate grounds for the processing which override the interests of the data subject, or which relate to the exercise or justification of legal claims.
g. Automated individual decision making
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or significantly affects him or her in a similar way, e.g. evaluation of personal aspects relating to the performance of work, reliability, creditworthiness.
This right not to be subjected to such automated decision-making does not exist when the decision is authorised by a mandatory legal provision.
However, the data subject cannot invoke this right if the decision is necessary for the creation or performance of the contract between the data subject and the organisation or if it is based on the explicit consent of the data subject. In the latter two cases, the data subject has the right to human intervention by a member of the organisation and the right to make his or her views known and to challenge the automated decision.
h. Right to withdraw consent
If you have given your consent to the organisation for a specific processing purpose, you can withdraw this consent at any time by sending an e-mail.
i. Procedure for exercising rights and other provisions
The data subject may exercise his or her rights by sending an e-mail to the data protection officers at
The organisation may ask the data subject to identify himself or herself in order to ensure that the effective exercise of rights is requested by the data subject.
If you have any questions regarding the application of the principles or the (legal) obligations on the organisation, please do not hesitate to contact the data protection officers at
In principle, the organisation will respond to the data subject's request within one month. Failing that, the organisation shall inform the data subject of the reasons for its inaction or delay in following up the request. The organisation shall make every effort to inform the recipients of the data subject's personal data that the data subject is exercising his/her right to correction, erasure or restriction of processing.
- Responsibilities of the data subject
The organisation expects its workers to comply with this policy and to ensure that it is complied with by those for whom they are responsible.
It is essential that workers understand and become familiar with the objectives of this policy so that they can comply with its provisions. Workers must therefore:
- Process personal data of colleagues, customers, etc. regularly and appropriately, in accordance with the applicable legislation, the employer's instructions and the company's privacy policy, while guaranteeing its integrity and confidentiality;
- If in doubt about the application of this policy or compliance with data protection regulations in the performance of their duties, seek advice from their superior, or the Data Protection Officer;
- Process personal data only if it is necessary for the performance of their duties / on the instructions of the organisation;
- Undergo training on the confidential handling of personal data and the general principles and obligations under data protection legislation;
- Assist the Data Protection Officer;
- Not keep copies of personal data on the office computer or on personal media if the organisation has a central and secure storage place, as saving personal files or copies can cause errors in personal data and increased risks of breaches;
- Inform the Data Protection Officer immediately if they become aware of a potential or actual breach of personal data or data protection legislation.
- Compliance
Apragaz Ltd ensures compliance with this policy. Any person having access to personal data processed by the organisation must comply with this policy. Failure to comply with this policy may result in disciplinary measures/sanctions, such as a warning, dismissal or any other sanction authorised by law, without prejudice to the right to institute civil or criminal proceedings.
- Audit and review
Apragaz Ltd reserves the right to adapt and revise this policy when it deems it necessary and to continue to comply with legal requirements and/or the recommendations of the competent supervisory authority with regard to data protection.
If Apragaz Ltd is unable to comply with this policy due to mandatory legal requirements imposed on it, it shall inform the persons responsible for data protection.
- Entry into force
This policy comes into force on 01/01/2023.
- Technical and organisational security measures
The technical and organisational security measures implemented by Apragaz Ltd can be described here in general terms.
Below is a limited overview of various security measures, by way of example.
Organisational measures
- IT security consultant
- Risk management
- Security, confidentiality and impartiality policy
- Staff awareness through information and training
- Notification procedure for physical/technical incidents
- Disciplinary follow-up in case of non-compliance with any of the measures
- Disaster/emergency and continuity plan in case of, among others, physical/technical incidents
- Plan to ensure that the effectiveness of organisational/technical measures is regularly tested and evaluated (Belac accreditations)
- Monthly monitoring of processing systems and adequacy of services
Technical measures
- Back-up system
- Measures in case of fire, burglary, water damage or physical/technical incidents
- Access control (physical and logical)
- Authentication system
- Password policy
- Identification system, detection and analysis of entries
- Patching
- Anti-virus
- Firewall
- Network security
- System monitoring, review and maintenance
- Encryption of personal data