- our prospective, current and former members of personnel and employees acting directly or indirectly (e.g. through management companies);
- our prospective investors, shareholders and their potential shareholders and Ultimate Beneficial Owners (“UBOs”); suppliers, advisors and counterparties who are natural persons (such as self-employed persons), or the representatives or contact persons of our prospective investors, shareholders; representatives of the entities in which we have invested or contemplate investing, candidates to a position as representatives of the entities in which we have invested or contemplate investing, the shareholders and UBOs of these entities, and our co-investors; suppliers, advisors and counterparties who are legal entities; and
- our website’s and offices' visitors and any third parties following our company, such as analysts and individuals having signed up for our newsletters.
Groupe Bruxelles Lambert SA (“GBL”) is processing information about you which constitutes “personal data” and GBL considers the protection of your personal data and privacy a very important matter.
GBL is subject to and will comply with the data protection rules applicable in the European Union under the General Data Protection Regulation (the “GDPR”)1.
In line with our commitment to protect your personal data, we want to inform you and explain in all transparency:
- why and how GBL collects, uses and stores your personal data; and
- what your rights and our obligations are in relation to such processing.
1. What type of personal data do we collect?
For all data subjects with whom we interact, we collect basic identification information such as your name, title, position, company name, email and/or postal address and fixed and/or mobile phone number.
This information may either be directly provided by you, communicated to us by the legal entity for whom you work (e.g. if you are the contact person designated by your employer to manage the GBL account), supplied to us by one of our service providers (e.g. financial institutions or recruiters) or obtained from publicly available sources (e.g. social media profiles).
You will find below further details on the specific information we are processing depending on the category you belong to as data subject.
1.1. Prospective, current and former members of personnel and employees acting directly or indirectly (e.g. through management companies)
For our prospective current and former employees and employees acting directly or indirectly (e.g. through management companies), we may in addition also collect the following information:
- additional identification information (e.g. date and place of birth, nationality, ID card or passport numbers and copy of ID card, contact person in case of emergency);
- your family information (e.g. marital status, number of children, date of birth and household composition, as well as working status of the spouse);
- your education and experience (e.g. employment and education history, other details included in the CVs, professional qualifications and experience);
- other information relating to your recruitment (e.g. information you provided during your interview, handwriting sample for personality assessment based on your handwriting, notes and comments made during the recruitment process);
- your function (e.g. position information such as position title and reference number, supervisor and subordinates, employment dates such as dates of hiring/promotion/position change, work schedule, performance evaluations, language skills);
- your remuneration data (such as salary level and amount, years of experience, bonus, stocks, options, expenses information, insurance and other benefits, pension entitlements and bank account details);
- your social security information (such as tax/social security status, insurance details, disabilities, attendance information including illness or leaves of absence);
- your electronic identification data (e.g. login, passwords, IP address, badge number, logs relating to the usage of IT tools, GBL professional email address and unique code identifying each employee’s account for expenses, sound or image recording such as CCTV or voice recordings);
- information required to set up insider lists imposed under Belgian law (using the model issued by the FSMA);
- your picture; and
- more generally, information about the activities you are carrying out in your professional capacity at GBL.
1.2. (Representatives of) prospective investors and shareholders and their potential shareholders and UBOs
For (the representatives of) our prospective investors and shareholders and their potential shareholders and UBOs, we may in addition also collect the following information:
- additional identification information (e.g. copy of ID card);
- information relating to your shares (e.g. number and type of rights);
- your financial information (bank account number for payment of dividends);
- your family information (parents, spouse, children, brothers/sisters or other heirs); and
- notes about our meetings (if any).
1.3. ((Representatives of) or (candidates to a position as representative of)) the entities in which we have invested or contemplate investing, the shareholders and UBO of these entities, and our co-investors.
For ((the representatives of) or (candidates to a position as representative of)) entities in which we have invested or contemplate investing, the shareholders and UBO of these entities, and our co-investors, we may in addition also collect the following information:
- identification information (e.g. name, surname, telephone number, postal address, email address, financial data);
- information on their position within the entity concerned;
- information relating to their resume;
- Information on their compensation;
- content of communications (if any);
- professional opinions and judgements ;
- visual images and photographs required for business purposes ;
- information relating to their financial status and dealings;
- references provided by third parties; and
- results of other due diligence carried out.
1.4. (Representatives of) suppliers, advisors and counterparties
For (the representatives of) our suppliers, advisors and counterparties we may in addition also collect the following information:
- your electronic identification data where required for the purpose of the delivery of products or services to our company (e.g. login, access right, passwords, badge number, IP address, logs, access and connexion times, image recording or sound such as badge pictures, CCTV or voice recordings and, to the extend appropriate, your professional opinions and judgements); and
- for natural persons acting as suppliers, advisors and counterparties or service providers, financial information (e.g. bank account details, bills and invoices) and information relating to the contract (e.g. type of agreement, parties and duration) and, to the extend appropriate, your professional opinions and judgements.
1.5. Website’s and offices’ visitors and any third parties following our company such as analysts and individuals having signed up for our newsletters
For website’s and offices’ visitors and any third parties following our company such as analysts and individuals having signed up for our newsletters, we may in addition also collect the following information:
- identification information (e.g. name, surname, telephone number, postal address, email address, financial data, cars brand and plate number);
- information necessary for the use of our Wi-Fi (e.g. telephone number, hostname, website consulted, I.P. address…)
- electronic identification data (http header fields, IP address, browser identification information, information on hardware and software location data if available);
- information regarding your browser and device (e.g. internet service provider’s domain, browser’s type and version, operating system and platform, screen resolution, device manufacturer and model);
- information provided by you during registration to receive one or more newsletters (e.g. address, type of profile and interest in one or several newsletters); and
- for analysts following our company, their estimates and any related opinions, forecasts, or projections.
To the extent authorised or required by law, we may also process sensitive data, such as trade union membership or health data. GBL will only do so as strictly required for the relevant purposes listed in section 4 below or to comply with a legal obligation and, where required, subject to having obtained your prior consent. In such case, the data will be accessed and processed solely under the responsibility of a representative of GBL who is subject to an obligation of confidentiality.
Whenever personal data is collected (e.g. in forms), we will indicate whether the provision of such data is mandatory (e.g. with an asterisk) and the consequences of a refusal to provide the requested data.
We may also collect your national registry number or social security number but will only process such data if and when legally required.
1.6. Website’s visitors and any third parties following our company such as analysts and individuals having signed up for our newsletters
For website’s visitors and any third parties following our company such as analysts and individuals having signed up for our newsletters, we process personal data through cookies.
When do we collect personal data?
Personal data will be collected by GBL:
- whenever individuals apply to become an employee of a GBL entity;
- whenever employees interact with GBL, its personnel, its IT equipment and other systems;
- whenever GBL interacts with former employees;
- whenever GBL interacts with (the representatives of) our actual/prospective investors, shareholders, and their potential shareholders and UBO, suppliers, advisors, counterparties and our co-investors;
- whenever GBL has invested or contemplates investing in a new entity;
- whenever a visitor comes to GBL's offices;
- whenever individuals visit our website or sign up for our newsletters
- when fulfilling our regulatory and legal obligations; and
- upon request from analysts.
2. On which legal basis and for which purposes do we process personal data?
2.1. Legal basis for the processing
We are not allowed to process personal data if we do not have a valid legal ground. Therefore, we will only process personal data if:
- we have obtained your prior consent; or
- the processing is necessary to perform our contractual obligations towards you or to take pre-contractual steps at your request; or
- the processing is necessary to comply with our legal or regulatory obligations; or
- the processing is necessary to protect your vital interests or those of another natural person; or
- the processing is necessary for the legitimate interests of GBL and does not unduly affect your interests or fundamental rights and freedoms.
Please note that, when processing your personal data on this last basis, we always seek to maintain a balance between our legitimate interest and your privacy. In order to strike such balance, we do not process sensitive data. This data will remain strictly confidential. Examples of such ”legitimate interests” are:
- to benefit from cost-effective services (e.g. we may opt to use certain platforms offered by suppliers);
- to facilitate communications with (representatives of) our (prospective) investors/shareholders (e.g. we may communicate professional contact details of one of our employees to an investor, indicating that this person is the contact person within the GBL organisation);
- to prevent fraud or criminal activity as well as to protect the security of our IT systems, architecture and networks;
- to meet our corporate and social responsibility objectives; and
- to assess potential future investments.
2.2. Purposes of the processing
We always process your personal data for a specific purpose and only process the personal data which is relevant to achieve that purpose. In particular, we process personal data for one of the following purposes.
2.2.1. Prospective, current and former members of personnel and employees acting directly or indirectly (e.g. through management companies)
In relation to prospective, current and former members of the personnel and employees acting directly or indirectly (e.g. through management companies), we process personal data for:
- recruitment activities;
- personnel administration (including organisation of work, tasks, benefits, expenses and absence management, performing employment and background checks, creating and maintaining employee directories, travel arrangements);
- payroll management (such as administering remuneration and other contractual benefits, salaries and pay reviews and other awards such as stock options, stock grants and bonuses, pensions and saving plans, benefits to families, business expenses);
- performance reviews (such as appraisals, promotions, career and succession planning, staffing and talent management);
- monitoring employees’ activities in the workplace, including compliance with policies as well as health and safety rules in place;
- managing any disciplinary action and handle internal complaints relating to violence, moral harassment and undesirable (sexual) conduct;
- replying to an official request from a public or judicial authority with the necessary authorisation; and
- ensuring compliance and reporting (such as complying with our policies and legal requirements, income tax and insurance deductions, managing alleged cases of misconduct fraud; conducting audits, defending litigation);
- ensuring business continuity;
- managing mergers and acquisitions involving our company; and
- any other purposes imposed by law and authorities.
2.2.2. (Representatives of) actual/prospective investors and shareholders, and their potential shareholders and UBO
In relation to (the representatives of) our actual/prospective investors and shareholders and their potential shareholders and UBO, we process personal data to:
- analyse the shareholding of our company;
- undertake marketing/procurement activities relating to our portfolios, including roadshows, presentation to potential investors, and other activities (such as sending best wishes cards);
- to fulfil our regulatory and legal obligations; and
- prepare the shareholders’ meeting and pay dividends to our shareholders, when applicable.
2.2.3. ((Representatives of) or (candidates to a position as representatives of)) entities in which we have invested or contemplate investing, the shareholders and UBO of these entities, and our co-investors
In relation to ((the representatives of) or (candidates to a position as representatives of)) entities in which we have invested or contemplate investing, the shareholders and UBO of these entities, and our co-investors, we process personal data for:
- verifying the identity of individuals ;
- maintaining records of investments ;
- administering transactions which are entered into;
- statistical analysis and market research;
- complying with our regulatory and legal obligations, including assessing and managing risk;
- identifying and preventing fraud and other unlawful activity;
- safeguarding our legal rights and interests;
- seeking and receiving advice from our professional advisors, including accountants, lawyers and other consultants;
- organising and holding meetings and events;
- verifying credibility and stability of these entities and of their representatives; and
- our due diligence and background checks.
2.2.4. (Representatives of) suppliers, advisors and counterparties
In relation to (representatives of) supplier, advisors and counterparties, we process data to:
- implement tasks in preparation of or under existing contracts;
- monitor activities at our facilities, including compliance with applicable policies as well as health and safety rules in place;
- manage our IT resources, including infrastructure management and business continuity; and
- billing and invoicing.
2.2.5. Website’s and offices' visitors and any third parties following our company such as analysts and individuals having signed up for our newsletters
In relation to GBL’s website’s visitors and any third parties following our company such as analysts and individuals having signed up for our newsletters, we process personal data to:
- to allow access to GBL's offices and offices equipment and connectivity;
- to fulfil our regulatory and legal obligations;
- periodically send newsletter about our portfolio, and information which you or your company may find interesting, using the email address which you have provided (if you choose to do so);
- analyse the performance of email campaigns and improve the email delivery services to better communicate with our subscribers;
- monitor and prevent fraud, infringement and other potential misuse of our website; and
- communicate the analysts’ opinions for third-parties (primarily investors) on GBL’s website
In addition to the above specific purposes, we process all collected personal data for the following general purposes:
- storing contact details (e.g. business cards);
- manage and administer the relationship between GBL and the data subjects;
- manage our IT resources, including infrastructure management & business continuity;
- preserve the company’s economic interests and ensure compliance and reporting (such as complying with our policies and local legal requirements, tax and deductions, managing alleged cases of misconduct or fraud, conducting audits and defending litigation);
- comply with any legal obligations imposed on GBL in relation to its activities;
- reply to an official request from a public or judicial authority with the necessary authorisation;
- archiving and record-keeping; and
- manage mergers and acquisitions involving our company.
3. How do we protect personal data?
We have implemented appropriate technical and organisational measures to provide a level of security and confidentiality to your personal data. These measures take into account:
(i) the state of the art of the technology;
(ii) the costs of its implementation;
(iii) the nature of the data;
(iv) and the risk of the processing.
The purpose thereof is to protect it against accidental or unlawful destruction or alteration, accidental loss, unauthorized disclosure or access and against other unlawful forms of processing.
Moreover, when handling your personal data, we:
- only collect and process personal data which is adequate, relevant and not excessive, as required to meet the above purposes; and
- ensure that your personal data remains up to date and accurate.
For the latter, we may request you to confirm the personal data we hold about you. You are also invited to spontaneously inform us whenever there is a change in your personal circumstances so we can ensure your personal data is kept up-to-date.
4. Who has access to personal data and with whom are they shared?
4.1. Transfers to third parties
We may transfer or give access to personal data to third parties outside GBL to complete the purposes listed in section 2.2 above, to the extent they need it to carry out the instructions we have given to them. Such third parties may include:
- third parties who process personal data, such as our payroll provider, our (IT) systems providers, website designers and hosting provider, payment services providers, banks, insurances companies and pensions funds, social security bodies and social secretary, event organisers (e.g. for shareholders’ meetings), email delivery service providers, database and cloud providers and consultants;
- any third party to whom we assign or novate any of our rights or obligations under a relevant agreement;
- our advisors and external lawyers in the context of the sale or transfer of any part of our business or its assets; and
- any national and/or international regulatory, enforcement or exchange body or court where we are required to do so by applicable law or regulation or at their request.
The above third parties are contractually obliged to protect the confidentiality and security of your personal data, in compliance with applicable law.
4.2. Transfers outside the European Economic Area
The personal data transferred by GBL may also be processed in a country outside the European Economic Area (“EEA”), which covers the EU Member States, Iceland, Liechtenstein and Norway. Non-EEA countries may not offer the same level of personal data protection as EEA countries.
If your personal data is transferred outside the EEA, we will therefore put in place suitable safeguards to ensure such transfer is carried out in compliance with the applicable data protection rules. You may request additional information in this respect and obtain a copy of the relevant safeguard by exercising your rights as set out below.
5. How long do we store your data?
We will only retain personal data for as long as necessary to fulfil the purpose for which it was collected or to comply with legal, regulatory or internal policy requirements or, among others:
- for contracts, the term of such contracts plus the period for claims to be barred;
- for recruitment purposes, for a period of two years;
- for employees, the time of employment, the limitation period or to fulfil our contractual or legal obligations (pension, ...); or
- for disputes, as soon as a settlement is reach, a decision is rendered in last resort, or the related claim is time barred.
The above applies unless any overriding legal or regulatory schedules require longer or shorter time period. When the above retention periods expire, your personal data is removed from our systems.
However, if individuals wish to have their personal data removed from our databases, they can make a request as described in section 6, which we will review as set out below.
6. What are your rights and how can you exercise them?
6.1. Your rights
You have a right of access to your personal data as processed by GBL under this policy. If you believe that any information we hold about you is incorrect or incomplete, you may also request the correction thereof. GBL will promptly correct any such information.
You also have the right to:
- request the erasure of your personal data;
- request the restriction of the processing of your personal data;
- withdraw your consent where GBL obtained your consent to process personal data (without this withdrawal affecting the lawfulness of processing prior to the withdrawal);
- object to the processing of your personal data for direct marketing purposes; or
- object to the processing of your personal data for other purposes in certain cases where GBL processes your personal data on another legal basis than your consent,
GBL will review such requests, withdrawal or objection and honour them as required under the applicable data protection rules.
In addition, you also have the right to data portability. This is the right to obtain the personal data you have provided to GBL in a structured, commonly used and machine-readable format and to request the transmission of such personal data to a third party, without hindrance from GBL and subject to your own confidentiality obligations.
6.2. Exercising your rights
If you have a question or want to exercise the above rights, you may send an email to Priscilla Maters at firstname.lastname@example.org or a letter at Groupe Bruxelles Lambert, to the attention of Priscilla Maters, Avenue Marnix 24, 1000 Brussels, Belgium, with a scan of your identity card for identification purpose, it being understood that we shall only use such data to verify your identity and shall not retain the scan after completion of the verification. When sending us such a scan, please make sure to redact your picture and national registry number or equivalent on the scan.
If you are not satisfied with how we process your personal data, please address your request to Priscilla Maters at email@example.com or by mail at Groupe Bruxelles Lambert, to the attention of Priscilla Maters, Avenue Marnix 24, 1000 Brussels, Belgium who will investigate your concern.
In any case, you also have the right to file a complaint with the competent data protection authorities, in addition to your rights above.
7. Updates to this policy
This policy may be subject to amendments. Any future changes or additions to the processing of personal data as described in this policy affecting you will be communicated to you through an appropriate channel, depending on how we normally communicate with you.
1 Regulation 2016/679 of the EU Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or “GDPR”).