Privacy Policy Thesora
Introduction
Thesora is responsible for processing a lot of data. Some of this data relates to personal data and in this context we inform you of the following.
The personal data that we process may relate to you in your capacity as a customer of the office, but also to you as a business relationship of our customers (such as if you are a supplier or customer of our customer). In any case, we must point out the following to you as a data subject whose personal data is processed by us.
1. Responsible for the processing of personal data
The person responsible for processing the personal data is Mr Stef Govaert.
The registered office of the person responsible is located at Ninoofsesteenweg 354 box 201, 1700 Dilbeek with the company number: 0872.362.075.
The person responsible is registered with the ITAA under approval number 50760706.
For all questions regarding the protection of personal data, you can always contact Thesora by letter to the above address or e-mail govaert@thesora.be.
(Stef Govaert: data protection officer)
2. Purposes of processing personal data
The office processes personal data for the following purposes:
A. Application of the Act of 18 September 2017 on the prevention of money laundering and the financing of terrorism and on limiting the use of cash (hereinafter: Act of 18 September 2017)
1° In application of article 26 of the law of 18 September 2017, our office must collect the following personal data with regard to our clients and their agents: the surname, the first name, the date and place of birth and, to the extent the possible, the address.
2 ° In accordance with Article 26 of the law of September 18, 2017, our office must collect the following personal data regarding the ultimate beneficiaries of the clients: the surname, the first name and, to the extent possible, the date and place of birth and address.
The processing of these personal data is a legal obligation. Without this information, we cannot enter into a business relationship (Article 33 of the Act of 18 September 2017 on the prevention of money laundering and the financing of terrorism and on limiting the use of cash).
B. The obligations incumbent on the office towards the Belgian government, foreign governments or international institutions in execution of a legal or regulatory obligation, in execution of a judicial decision, or in the context of the representation of a legitimate interest by including, but not limited to, current and future tax (e.g. VAT listings, tax sheets) and social laws require us to process personal data in the context of the assignment with which we have been charged.
The processing of this personal data is a legal obligation and without this data we cannot enter into a business relationship.
C. Execution of an agreement regarding accounting and tax services. The processing of personal data concerns the data of the clients themselves, their employees, their directors and the like, as well as of other persons who are involved in the activity as customers or suppliers.
Without the provision and processing of this data, we cannot carry out our assignment as [bookkeeper, accountant, company auditor…. ] does not perform properly.
3. Which personal data and from whom?
In the context of the purposes mentioned under 2, our office can process the following personal data: first name, surname, e-mail address, (copy of e-ID or passport), address, company number, national number, etc.
In the context of personal tax returns via Tax-on-web, the following data is also processed: the family status/composition.
The office processes the personal data that the data subjects themselves or their relatives have provided.
The office also processes personal data that was not provided by the data subject himself, such as personal data provided by the client regarding his employees, directors, customers, suppliers or shareholders.
The personal data may also come from public sources such as the Crossroads Bank for Enterprises, the Belgian Official Gazette and its appendices, the National Bank of Belgium (Central Balance Sheet Office) and the like.
The data will only be processed to the extent necessary for the purposes stated under point 2.
Except in cases for which the law provides otherwise, personal data will not be passed on to third countries or international organizations, third parties. Any deviation from this rule requires the prior written consent of the data subject in question.
4. Recipient of data
In accordance with the foregoing, and except to the extent that the communication of personal data to organizations or entities whose intervention as third-party service providers on behalf of and under the control of the controller is required to achieve the aforementioned purposes, the office will process the personal data collected in this context not share, sell, rent or exchange with any other organization or entity unless you have been notified in advance and expressly agree to this.
The office uses third service providers:
- The office uses e-accounting software and an associated portal;
- The office calls on external employees to carry out certain tasks or specific assignments (auditor, notary, etc.);
- …
The office can take all measures necessary to ensure proper management of the website and its IT system.
The office may pass on personal data at the request of any legally competent authority, or even on its own initiative if it believes in good faith that passing on such information is necessary to comply with legislation and regulations, or to protect the rights or to defend and/or protect the goods of the office, its customers, its website and/or yours.
5. Safety measures
In order to prevent, as far as possible, unauthorized access to the personal data collected in this context, the office has drawn up security and organizational procedures, which relate to both the collection of these data and their storage.
These procedures also apply to all processors used by the office.
6. Retention period
6.1. Personal data that we must keep pursuant to the Act of 18 September 2017 (see 2.A.)
This concerns the identification data and copies of supporting documents regarding our clients, the internal and external agents as well as the ultimate beneficiaries of our clients.
The personal data will be kept, in accordance with Article 60 of the Act of 18 September 2017, for a maximum of ten years after the end of the business relationship with the client or from the date of an occasional transaction.
6.2. Other personal data
The personal data of persons other than those mentioned above will only be kept for the periods provided for in applicable legislation such as accounting legislation, tax legislation and social legislation.
6.3. After the aforementioned periods have expired, the personal data will be deleted, unless other applicable legislation provides for a longer retention period.
7. Rights of access, rectification, oblivion, data portability, objection, non-profiling and notification of security defects
7.1. Regarding the personal data that we must keep in accordance with the Act of 18 September 2017.
This concerns the personal data of our clients, the agents and the ultimate beneficiaries of the clients.
In this regard, we must draw your attention to Article 65 of the law of 18 September 2017:
“Art. 65. The person who is subject to the processing of personal data under this law does not enjoy the right to access and rectify his data, nor the right to be forgotten, to data portability or to raise objections, nor of the right not to be profiled, nor of notification of security deficiencies.
The right of access of the data subject to personal data concerning him is exercised indirectly, pursuant to Article 13 of the aforementioned law of 8 December 1992, with the Commission for the Protection of Privacy as established by Article 23 of the same law .
The Commission for the Protection of Privacy will only inform the applicant that the necessary verifications have been carried out and of the outcome thereof as regards the lawfulness of the processing in question.
These data may be communicated to the applicant if the Commission for the Protection of Privacy, in consultation with the CTIF-CFI and after advice from the controller, determines that their communication is not amenable to disclosing the existence of a notification of a suspicion referred to in Articles 47 and 54, of the consequences given thereto or of the exercise by the CTIF of its right to request additional information under Article 81, nor amenable to the objective of the fight against WG/FT and, on the other hand, establishes that the data in question relates to the applicant and is kept by obliged entities, the CTIF-CFI or the supervisory authorities for the purposes of this law.”
To exercise your rights regarding your personal data, you must therefore contact the Data Protection Authority (see point 8).
7.2. All personal data
To exercise your rights regarding all other personal data, you can always contact: [data controller or DPO].
8. Complaints
Notwithstanding our well-considered follow-up of the 13 steps as outlined in the GDPR (General Data Processing Regulation), we also inform you under this article number where you can go for a complaint. You can file a complaint with the Data Protection Authority regarding the processing of personal data by our office:
Commission for the Protection of Privacy
Drukpersstraat 35, 1000 Brussels
Tel 32 (0)2 274 48 00
Fax 32 (0)2 274 48 35
E-mail: commission@privacycommission.be
URL: https://www.privacycommission.be