For the contact details of the privacy manager at your supplier, contact your supplier directly.For the processing of your personal data for the purposes described in article 3.2 below, solely Twikey will be responsible.Twikey and your supplier have concluded an agreement that regulates their joint responsibility for the processing of personal data for the purposes described in Article 3.1. In essence this agreement states that:
- Twikey provides the User with the necessary information regarding the processing of personal data, when this user chooses Twikey's electronic mandate solution;
- You, as a User, can always address your questions regarding the exercise of your rights in regard to the processing of your personal data to one of the parties. Twikey and your supplier will ensure that your questions are forwarded to the party who can respond to it appropriately.
3 Why are these personal data processed?
In brief: Your personal data are initially processed to offer you the electronic mandate solution. These data are then also processed to allow (Twikey and the supplier) to communicate and report between themselves. The reasons for the processing are therefore determined jointly by Twikey and your supplier.
However, we also process your personal data for other purposes which in that case are exclusively determined by Twikey. Among others, these purposes include the creation and keeping of statistics, the improvement of our services, etc.
- Twikey and your supplier jointly process your personal data for the following purposes:
- to be able to offer you the electronic mandate solution (as described in the Terms & Conditions of Twikey) in the context of your direct debit agreement;
- to deliver it to the bank;
- for billing, communication and reporting purposes in connection to the operation of the electronic mandate solution;
- to assess the solvency;
- to jointly take the appropriate technical and organizational measures to protect your personal data.
- Twikey also processes your personal data, without the intervention of your supplier, for the following purposes:
- to be able to communicate with you and/or to inform you about the status of our services;
- to be able to perform statistical and other analyses on the use of our electronic mandate solution;
- to improve our products and services;
- to detect abuse and fraud;
- to be able to inform third parties in the context of a possible merger, acquisition, division or similar operation, even if these third parties are located outside the EU;
- to be able to take the appropriate technical and organizational security measures internally in order to protect your personal data;
- to comply with legitimate requests or orders by competent governmental and judicial authorities, including the Data Protection Authority.
4 How do we legitimate the processing of your personal data?
In brief: The applicable legislation concerning the protection of your personal data obliges us to clarify which legal grounds we invoke to legitimize our processing of your personal data. Twikey and your supplier primarily rely on the necessity of processing your personal data in order to be able to execute the agreement that Twikey and your supplier concluded with you. After all, without the processing of your personal data, you cannot use the electronic mandate solution.
- For the purposes described in Article 3.1.a., b., c. and d. Twikey and your supplier each invoke the necessity of the processing for the execution of the agreement with the User.
- For the purpose described in Article 3.1.d. Twikey and your supplier invoke the obligation they have to take appropriate measures in accordance with the provisions of Article 32 of the General Data Protection Regulation.
- For the purposes described in Article 3.2.a. to e. Twikey invokes the legitimate interest of Twikey, which consists of:
- to be able to inform you correctly about the status of our services, eg when an incident occurs;
- the commercial importance of improving products and services;
- the security interest to protect the electronic mandate solution as well as the underlying processes, data and systems from threats;
- the importance of being able to execute company law transactions.
- For the purposes described in Article 3.2.f. and g, Twikey invokes the legal obligations imposed on Twikey, as can be derived, among others, from Article 32 of the General Data Protection Regulation.
5 Who will receive the personal data and to which countries will they be transmitted?
In brief: Your personal data will be shared with a limited number of parties, such as the service providers and partners of Twikey and your supplier, some of which are based abroad. In this section we explain to whom we send your personal data and how we ensure that the security of your personal data is guaranteed when they are sent abroad.
- Your personal data will be received by the following categories of recipients:
- your business relations (such as your bank);
- partners and service providers of Twikey and your supplier;
- our shareholders and potential acquirers;
- companies within the same group (for your supplier);
- governmental and judicial authorities.
- Twikey will send your personal data to the United States of America as far as necessary in the context of our services. The security of your personal data is guaranteed because our service providers have certified themselves under the EU-US Privacy Shield (for more information, see https://www.privacyshield.gov). Your financial identification data and financial transactions, if applicable, are stored entirely within the EU.
6 How long do we keep your personal data?
In brief: Twikey and your supplier will only keep your personal data for as long as necessary to achieve the purposes mentioned in Article 3 above.
- Your personal data will only be processed for as long as necessary to achieve the purposes mentioned in Article 3 above. Twikey and your supplier will de-identify your personal data when they are no longer required for these purposes unless:
- a legitimate interest of Twikey, your supplier or a third party to keep your personal data in identified form outweighs your de-identification interest;
- a legal or regulatory obligation or a court or administrative order prevents such de-identification.
7 What rights can you exercise with regard to the processing of your personal data?
In brief: You have the right to access your personal data, to have them corrected or deleted and to limit or oppose their processing. You are also entitled to data portability. In this article we explain how and under what conditions you can exercise these rights.
- You have the right to request that the personal data that relate to you and which are incorrect are corrected free of charge. You can correct some personal details via your profile with your supplier or Twikey. If a correction is requested, this request must be accompanied by a proof that the data for which the correction is requested are incorrect.
- You have the right to request that your personal data be deleted if they are no longer necessary in the light of the purposes described above. You should, however, take into account that a request for deletion by Twikey and your supplier will be weighed against:
- a legitimate interest of Twikey, your supplier or a third party to keep your personal data, whereby this interest outweighs your right to deletion;
- a legal or regulatory obligation or a court or administrative order which prevents such deletion.
Instead of deleting the data, you can also request that the processing of your personal data be limited when you (a) dispute the accuracy of those data, (b) the processing is unlawful or (c) the data is no longer required for the purposes described above, while you need them to defend yourself in court proceedings.
- You have the right to object to the processing of personal data for the purposes mentioned in Article 3.2.a. to e., but you must clarify the special circumstances on which your request is based.
- Any request that you address to Twikey or your supplier can be sent by e-mail to the e-mail address of Twikey mentioned under Article 2 or directly to your supplier.
An e-mail with a request to exercise a right will not be interpreted as a consent to process your personal data beyond what is necessary for the treatment of your request. Such a request must clearly state the right you wish to exercise and the reasons for it, if this is required in view of what has been stated above. It must also be dated and signed and accompanied by a digitally scanned copy of your valid identity card that proves your identity or be made via the login to Twikey or via a possibly available platform of your supplier.
Without prejudice to the distribution of responsibilities as described in Article 2, we will immediately inform you of the receipt of this request. If the request is valid, we will inform you as soon as reasonably possible and no later than thirty (30) days after its receipt.
If you have a complaint regarding the processing of your personal data by Twikey or your supplier, you can always contact us via the e-mail address mentioned in Article 2 or directly via your supplier. If you are not satisfied with the answer, you can submit a complaint to the competent data protection authority, namely the Belgian Data Protection Authority.