1 Parties and Purpose of the Privacy Policy

1.1 The Data Controller is ICHEC Junior Consult, ASBL, whose registered office is located at 365 Rue au Bois, 1150 Woluwe-St-Pierre (hereinafter referred to as “the Data Controller”).

1.2 The Data Controller establishes this Privacy Policy in order to inform, in full transparency, the Users of the website hosted at the address www.ichecjuniorconsult.be (hereinafter referred to as the “Website”), of the manner in which their personal data is collected and processed by the Data Controller. Users must read the Privacy Policy by ticking the box provided for this purpose on the Website, in accordance with point 6.

1.3 The term “User” refers to any user, meaning any natural or legal person, registered or not on the Website, who consults the Website, or a form related to the activities of ICHEC Junior Consult, or its content, who inserts personal data on the Website, or a form related to the activities of ICHEC Junior Consult, who downloads files from it, uses it, registers via any form available on the Website, becomes a member, subscribes or enters into a contract with the Data Controller.

1.4 In this respect, the Data Controller and/or its service providers acting in its name and on its behalf determine all the technical, legal and organizational means and purposes of the processing of the Users’ personal data. The Data Controller undertakes to take all necessary measures to ensure that the processing of personal data complies with the Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data (hereinafter the “Law”) and the European Regulation of 26 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the “GDPR”).

1.5 The Data Controller is free to choose any natural or legal person who processes the Users’ personal data at its request and on its behalf (hereinafter the “Processor”). Where applicable, the Data Controller undertakes to select a Processor providing sufficient guarantees regarding the technical and organizational security measures of the processing of personal data, in accordance with the Law and the GDPR.

2 Processing of personal data

2.1 The use of the Website by Users may result in the communication of personal data. The personal data that may be processed is listed in point 5. The processing of such data by the Data Controller and/or by service providers acting in the name and on behalf of the latter shall comply with the Law and the GDPR.

2.2 Personal data will be processed by the Data Controller, in accordance with the purposes stated in point 3, through:

2.2.1 An automated procedure;

2.2.2 The newsletter subscription form;

2.2.3 The use of Cookies;

2.2.4 The sending of surveys or questionnaires;

2.2.5 The sharing of free content;

3 Purpose of the processing of personal data

3.1 In accordance with Article 13 of the GDPR, the purposes of the processing of personal data are communicated to the User and are as follows:

3.1.1 Ensuring the execution of the services offered and agreed upon on the Website such as the organization of workshops or events related to the activities of ICHEC Junior Consult;

3.1.2 Ensuring the monitoring of the execution of the services offered;

3.1.3 Carrying out marketing activities and promotional information after the User’s prior consent and until the withdrawal of such consent, such as sending promotions relating to the products and services of the Data Controller;

3.1.4 Responding to the User’s questions;

3.1.5 Producing statistics in order to improve the Website, the services offered and the internal organization of the Data Controller;

3.1.6 Improving the quality of the Website and the products and/or services offered by the Data Controller;

3.1.7 Enabling a better identification of the User’s interests;

3.1.8 Complying with obligations defined with the partners of the organized events;

3.1.9 Promoting the organized events through photos and publications on social media;

4 Cookies

4.1 The Website uses Cookies to distinguish Users of the Website. This allows Users to be provided with a better browsing experience and enables the improvement of the Website and its content. The purposes and methods of Cookies are contained in the document “Cookie Policy”, available at the following URL: www.ichecjuniorconsult.be

5 Personal data that may be processed

5.1 The User consents, in accordance with point 6, during the visit and use of the Website, that the Data Controller collects and processes, according to the methods and principles described in this Policy, the following personal data:

5.1.1 Information provided by Users to ICHEC Junior Consult for contractual purposes and to ensure the proper execution of reciprocal obligations, namely the surname, first name, address, email address, IBAN number and banking data, year of study, and more generally any information voluntarily provided by the User;

5.1.2 Information provided by Users by filling in forms or by contacting ICHEC Junior Consult by telephone, email address or other means, such as the name, address, email address and telephone number of the Users;

5.1.3 With regard to each of the User’s visits to the Website, the information automatically collected is:

5.1.3.1 The IP address, browser type and model, time zone, operating system, language;

5.1.3.2 All information relating to the pages consulted by the User on the Website, including the URL, browsing time, etc.

5.1.4 The Users’ curriculum vitae if a selection is required for the organization of an event, for the recruitment of members of ICHEC Junior Consult, within the framework of the Job & Internship Fair or within the framework of the organization of the Brussels Management Challenge;

5.1.5 The image of Users during their participation in events.

6 Consent

6.1 By accessing and using the Website, the User declares that he or she has read and freely, specifically, knowingly and unambiguously agreed to the processing of personal data concerning him or her. This agreement concerns the content of this Policy.

6.2 Consent is given through the positive act by which the User ticks the box referring to this Policy via a hyperlink. This consent is an essential condition for carrying out certain operations on the Website and/or for allowing the User to enter into a contractual relationship with the Data Controller. Any contract binding the Data Controller and a User regarding the services and goods offered on the Website is subject to the User’s acceptance of this Policy.

6.3 The User consents that the Data Controller processes and collects, in accordance with the methods and principles included in this Policy, the personal data that he or she communicates on the Website and/or in the context of the services offered by the Data Controller, for the purposes indicated in point 3.

6.4 The User has the right to withdraw his or her consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent previously given. The exercise of this right is carried out in accordance with point 9 of this Policy.

7 Retention period of Users’ personal data

7.1 In accordance with Article 13, paragraph 2 of the General Data Protection Regulation, the Data Controller retains personal data only for the period reasonably necessary to achieve the purposes for which it is processed.

7.2 The personal data of a User is retained as long as necessary to achieve the purposes determined in point 3. In this context, the following retention periods are applied:

7.2.1 Data relating to participation in events (e.g. Job & Internship Fair, workshops, training sessions, Business Management Challenge)

The data necessary for the organization of the event (surname, first name, email address, telephone number, registration information) is retained for the duration of the mandate of the organizing team responsible for the relevant event, in particular in order to allow:
- the establishment of internal statistics;
- the sending of information to participating companies for recruitment purposes;
- the processing of potential complaints or questions relating to the event;
- the possible organization of post-event evaluation or follow-up meetings.

At the end of this period, all data is deleted, with the exception of data strictly necessary for statistical archiving purposes (aggregated or anonymized data).

7.2.2 Banking data (IBAN or reimbursement information)

When the collection of banking data is necessary in order to reimburse expenses or deposits related to an event, this data is retained for a maximum period of three (3) months after the end of the event in order to allow the administrative and financial processing of reimbursements.

At the end of this period, this data is securely deleted.

7.2.3 Sensitive data (for example dietary restrictions)

Data likely to reveal sensitive information, including dietary restrictions communicated within the framework of the organization of an event, is retained only for the duration strictly necessary for the preparation and the running of the event.

This data is deleted no later than one (1) month after the end of the event.

7.2.4 Photographs and videos taken during events

Photographs and videos taken during events may be retained for an indefinite period when they are used for institutional communication purposes, archival purposes or the promotion of future editions of events organized by the Data Controller.

8 Recipients of the data and disclosure to third parties

8.1 Personal data may be transmitted to the agents, collaborators or partners of the Data Controller who, located in Belgium or in the European Union, collaborate with the Data Controller within the framework of the marketing of products or the provision of services. They act under the direct authority of the Data Controller and are notably responsible for collecting, processing or subcontracting this data. Personal data may also be brought to the attention of employees or collaborators of the responsible persons if they so decide.

8.2 Personal data may also be transmitted to the co-organizers of events organized by the Data Controller, who are partners of the latter, in order to achieve the purposes referred to in point 3. These partners will process their data in accordance with their own Privacy Policy drafted in compliance with the GDPR.

8.3 In all cases, the recipients of the data and those to whom this data has been disclosed respect the content of this Policy. The Data Controller ensures that they will process this data solely for the purposes provided for in point 3, in a discreet and secure manner.

8.4 In the event that data is disclosed to third parties for direct marketing or prospecting purposes, the User will be informed beforehand so that he or she can give consent to the use of his or her personal data.

9 Rights of Users

At any time, the User may exercise his or her rights by sending an email to the address [email protected]
or a letter by post addressed to: ICHEC Junior Consult, 365A Rue au Bois, 1150 Brussels), attaching a copy of his or her identity card.

9.1 Right of access.

9.1.1 In accordance with Article 15 of the GDPR, the Data Controller guarantees the User the right of access to his or her personal data. The User has the right to obtain access to such personal data as well as the following information:

9.1.1.1 the purposes of the processing;

9.1.1.2 the categories of personal data concerned;

9.1.1.3 the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients established in third countries or international organizations;

9.1.1.4 where possible, the envisaged retention period of the personal data or, where this is not possible, the criteria used to determine this period;

9.1.1.5 the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in such cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the User.

9.1.2 The Data Controller may require the payment of reasonable fees based on administrative costs for any additional copy requested by the User.

9.1.3 When the User submits this request electronically (for example through the email address), the information is provided in a commonly used electronic form, unless the User requests otherwise.

9.1.4 The copy of his or her data will be communicated to the User no later than one month after the receipt of the request.

9.2 Right to rectification

9.2.1 The Data Controller guarantees the User the right to rectification and deletion of personal data.

9.2.2 In accordance with Articles 16 and 17 of the GDPR, incorrect, inaccurate or irrelevant data may be corrected or deleted at any time. The User first makes the necessary modifications himself or herself from his or her user account, unless these cannot be carried out independently, in which case the request may be made to the Data Controller.

9.2.3 In accordance with Article 19 of the GDPR, the Data Controller notifies each recipient to whom personal data has been disclosed of any rectification of personal data, unless such communication proves impossible or involves disproportionate effort. The Data Controller provides the User with information about these recipients if the latter so requests.

9.3 Right to erasure

9.3.1 The User has the right to obtain the erasure of his or her personal data as soon as possible in the situations listed in Article 17 of the GDPR.

These situations apply when:

● the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;

● the User withdraws consent on which the processing is based, in accordance with Article 6(1)(a) or Article 9(2)(a) of the GDPR, and where there is no other legal ground for the processing;

● the User objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the User objects to the processing pursuant to Article 21(2) of the GDPR;

● the personal data has been unlawfully processed;

● the personal data must be erased for compliance with a legal obligation under Union law or the law of the Member State to which the Data Controller is subject; or

● the personal data has been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.

9.3.2 When the Data Controller has made the personal data public and is obliged to erase it pursuant to the previous paragraph, the Data Controller, taking into account available technology and the cost of implementation, takes reasonable steps, including technical measures, to inform other data controllers processing the personal data that the User has requested the erasure by such controllers of any links to, or copy or replication of, that personal data.

9.3.2.1 Paragraphs 9.3.1 and 9.3.2 do not apply to the extent that such processing is necessary:

● for exercising the right of freedom of expression and information;

● for compliance with a legal obligation requiring processing under Union law or the law of the Member State to which the Data Controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller; or

● for the establishment, exercise or defense of legal claims.

9.4 Right to restriction of processing

9.4.1 The User has the right to obtain the restriction of the processing of his or her personal data in the situations listed in Article 18 of the GDPR.

These situations apply when:

● The accuracy of the personal data is contested by the User, for a period enabling the Data Controller to verify the accuracy of the personal data;

● The processing is unlawful and the User opposes the erasure of the data and requests the restriction of their use instead;

● The Data Controller no longer needs the personal data for the purposes of the processing, but it is still required by the User for the establishment, exercise or defense of legal claims; or

● The User has objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of the Data Controller override those of the User.

9.4.2 In accordance with Article 19 of the GDPR, the Data Controller notifies each recipient to whom the personal data has been disclosed of any restriction of processing carried out, unless such communication proves impossible or involves disproportionate effort. The Data Controller provides the User with information about those recipients if the latter requests it.

9.5 Right to data portability

9.5.1 In accordance with Article 20 of the GDPR, Users have the right to receive from the Data Controller the personal data concerning them in a structured, commonly used and machine-readable format. Users have the right to transmit this data to another data controller in the cases provided for by the GDPR without hindrance from the Data Controller.

9.5.2 When the User exercises his or her right to data portability pursuant to the previous paragraph, he or she has the right to have the personal data transmitted directly from one data controller to another, where technically feasible.

9.5.3 The exercise of the right referred to in paragraph 1 of this article is without prejudice to the right to erasure referred to in point 9.3. This right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller.

9.5.4 The right referred to in point 9.5 shall not adversely affect the rights and freedoms of others.

9.6 Right to object and automated individual decision-making

9.6.1 The User has the right at any time to object to the processing of his or her personal data due to his or her particular situation, including automated processing carried out by the Data Controller. In accordance with Article 21 of the GDPR, the Data Controller will no longer process the personal data unless there are compelling legitimate grounds for the processing which override the interests and rights and freedoms of the User, or for the establishment, exercise or defense of legal claims.

9.6.2 Where personal data is processed for direct marketing purposes, the User has the right to object at any time to the processing of personal data concerning him or her for such marketing purposes, including profiling insofar as it is related to such direct marketing.

9.6.3 Where the User objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

9.7 Right to lodge a complaint

9.7.1 The User has the right to lodge a complaint concerning the processing of his or her personal data by the Data Controller with the Data Protection Authority competent for the Belgian territory. More information can be found on the website: https://www.autoriteprotectiondonnees.be/

9.7.2 Complaints can be submitted at the following addresses:

Data Protection Authority

35 Rue de la Presse

1000 Brussels.

Tel. +32 2 274 48 00

Fax. +32 2 274 48 35

E-mail: [email protected]

9.7.3 The User may also lodge a complaint before the court of first instance of his or her place of residence.

10 Limitation of liability of the Data Controller

10.1 The Website may contain links to other websites owned by third parties not connected to the Data Controller. The content of these websites and their compliance with the Law and the GDPR are not the responsibility of the Data Controller.

10.2 The holder of parental authority must give express consent for a minor under the age of 13 to disclose information and/or personal data on the Website. The Data Controller strongly advises persons exercising parental authority over minors to promote responsible and safe use of the Internet. The Data Controller cannot be held responsible for the collection and processing of personal information and data of minors under the age of 13 whose consent is not effectively covered by that of their legal parents or for incorrect data — in particular concerning age — entered by minors. Under no circumstances will personal data be processed by the Data Controller if the User specifies that he or she is under 13 years of age.

10.3 The Data Controller is not responsible for the loss, corruption or theft of personal data caused in particular by the presence of viruses or following cyberattacks, subject to point 11.

11 Security

11.1 The Data Controller implements organizational and technical measures in order to guarantee an appropriate level of security for the processing and collection of data. These security measures depend on the costs of implementation with regard to the nature, context and purposes of the processing of personal data.

11.2 The Data Controller uses standard encryption technologies within the IT sector during the transfer or collection of data on the Website.

12 Modification of the Privacy Policy

The Data Controller reserves the right to modify this Privacy Policy in order to comply with legal obligations in this regard. The User is therefore invited to regularly consult the Privacy Policy in order to take note of any modifications and adaptations. The new version of the Privacy Policy will be posted on the Website for enforceability purposes.

13 Applicable law and competent jurisdiction

This Policy is governed exclusively by Belgian law. Any dispute shall be brought before the courts of the judicial district of Brussels.