This Privacy Policy and its appendices serve as an appendix to the Main Contract between the controller and our clients. This Privacy Policy is applicable for the full duration of the Main Contract.

If there are deviating provisions in the Main Contract on the processing of Personal Data, this Privacy Policy will have precedence.

Deviations from this Privacy Policy are only valid if both parties have granted their permission for this in writing.

In accordance with the text of the GDPR, the following terms will have the following meaning for the application of this Privacy Policy:

“Data subject”: the identified or identifiable natural person

“Data concerning health”: personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status

 “Sensitive personal data”: personal data that reveals race or ethnic origin, political opinions, religious or philosophical beliefs or membership of a trade union and processing of genetic information or biometric data with a view to the unique identification of a person or data related to health or someone’s sexual behaviour or sexual orientation.

 “Personal data breach”: a breach of security that accidentally or unlawfully leads to the destruction, loss, change or unauthorised disclosure or unauthorised access to data that has been sent, stored or processed in any other way.

“Personal data”: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“ Pseudonymisation”: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

“Consent of the Data Subject”: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of their personal data.

“Processor”:a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

“Processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

 “Controller”: : a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

The controller guarantees that your personal data will be:

• 1. Processed in a lawful, fair and transparent manner
• 2. Collected for specified, explicit and legitimate purposes
• 3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
• 4. Correct and updated when necessary
• 5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
• 6. Appropriate technical and organisational measures will be taken to guarantee appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage

Personal data is lawfully processed by the controller as processing is based upon legal grounds. Article 6, 1 C of the GDPR states that Personal Data is lawfully processed if “processing is necessary for compliance with a legal obligation to which the controller (here: the client) is subject”.  In this case, our clients have a legal obligation to take the necessary measures within the framework of occupational health and safety. These legal obligations are stipulated in the Code on Well-being at Work.

The aforementioned personal data includes name, address, telephone number, gender and age. An overview is available in appendix 1 to this Policy.

Mensura can process the next personal data for the purposes of legitimate interests (both physically and on the website):

• When the registration wasn’t done by the participant, we define “Concerned person’ in this point as follows: “Both the person who did the registration, and the participant of the training”
• The next personal data will be processed:
  • Of the Concerned person:
    • First and second name
    • Phone / cell phone number
    • Date of birth
    • Function
    • E-mail address
    • Language
    • Signature
    • Evaluation of the trainer
  • Other remarks (for example allergies concerning food when lunch is included in the training)
  • Data of the company: name and address of the company, address to where the invoices can be send, VAT number, client number, type of company (A, B, C, D, E or M)
  • Method of payment
• We process the personal data for the next purposes:
  • Fulfilling our administrative duties as for example charging the services we’ve done for the client or fulfilling our legal duties in the context of our accountancy
  • Creating files for the transferability or the demonstrability of personal data, for purposes of accreditation or certification
  • Performing and informing organisational and administrative elements regarding the trainings (for example certification, obtaining subsidies, legal conditions, keeping track of attendance, evaluation of the trainer, ...)
  • Informing the Concerned person about changes in the context of the followed training due to new legislation, guidelines, insights, evolutions, …
  • Informing the Concerned person about the offer of Webinars/info sessions and trainings of Mensura
  • Informing the Concerned person about the fact that the legal period to follow a refresher training, has been expired
  • Updating the material of the training and updating the trainings
  • Delivering and manage the certificates of Mensura, when applicable

The above mentioned personal data will be stored for a period of ten years, following the end of the year where the training has been given.

The controller will lawfully process sensitive personal data (more explicitly: “data concerning health”) in conformity with article 9, b) and h) of the GDPR;

• b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller (here: the client) or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

The controller’s services are primarily determined by law, namely the Code on Well-being at Work. Our clients are legally obligated – within Belgian social law – to join an External Agency for Prevention and Protection at Work.

• h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

Sensitive data that is processed by the controller is related to data concerning health; i.e. weight, BMI, working capacity as stated on the HAF (Health Assessment Form) or the RAF (Reintegration Assessment Form), medical data, psychological data, injuries after a serious accident at work, the data subject’s lifestyle, etc.. An overview is available in appendix 1 to this Policy.

In the context of the provision of service where the controller (Mensura) must request the Personal Data directly from the Data Subject(s), the controller (Mensura) will inform the Data Subject(s) prior to the processing concerning the following elements, in conformity with article 13 point 1 of the GDPR:

• the identity and contact details of the controller
• the contact details of the Data Protection Officer;
• the purpose and legal grounds for the processing;
• the recipients or the categories of the recipients of the personal data;
• the manner in which the rights of the Data Subject(s) are exercised;
• the fact that the Data Subject can revoke his or her explicit permission and the manner in which this is done;
• the fact that the Data Subject has the right to submit a complaint to the supervisory authority;
• the retention period for Personal Data;
• if applicable, the existence of automated decisions.

Where the controller provides services in the context of points 3 and 4, the client must share the aforementioned information with the Data Subject(s). The client can use this Privacy Policy to inform the Data Subject(s).

With regard to processing Personal Data for Marketing Purposes, the controller (in case: Mensura) can rely upon a legal basis (recital 47 of the GDPR). An opt-out for the Data Subjects will be always possible.

Promotions and information regarding the offer of products and services of Mensura, will be seen as direct marketing. The personal data of the client (contact details of the client) will be processed for direct marketing purposes, so that Mensura can inform its clients about the offer of products and services.

No personal data of the customer’s employees are processed by controller for Marketing purposes. This except, the explicit consent of the concerned employee (for example; when the concerned employee has followed a course, as a participant). Personal data will be processed, for Marketing Purposes, of the customer’s employees (in the sense of article 4 of this Privacy Policy). We emphasize the rights of the customer’s employees (article 15 of this Privacy Policy) and more specific article 21 GDPR; the right to object which can be exercised at any time.

The controller guarantees that group reporting will be anonymous given that personal data is only shared as from a dataset of 10.

For example, the results of the medical examinations are part of the risk analysis. These results are reported in the form of the anonymous group results.

The controller has drawn up a record of processing activities in which the following elements of each of their services are described in detail:

• 1° Which categories of personal data are being processed?
• 2° Who can receive this personal data (internal/externally)?
• 3° For how long will the personal data be kept?
• 4° For how long will the personal data be protected?
• 5° Will the personal data be processed outside Belgium?
• 6° Who has access to the personal data (internally/externally)?
• 7° The purposes of processing. 

If you have questions within this framework that have not been made clear in this Policy, please contact the persons listed in point 20.

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure the safe processing of personal data. Appendix II to this Policy contains a summary of these measures.

The controller guarantees that they will take the necessary measures in conformity with article 32 of the GDPR, which, among other things, pertain to the following:

• A - the pseudonymisation and encryption of personal data;
• B - the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
• C - the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
• D - a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

The controller guarantees that the only employees who will have access to personal data are those who are actually involved in implementing the services. Furthermore, these employees will be contractually bound by a duty of confidentiality.

Third parties who may gain access to personal data will also be restricted to persons involved in implementing the services. An overview of third parties can be given, on demand of the client.

If the controller engages a processor to perform specific processing activities on the behalf of the controller, this processor will be subject to the same obligations with regard to data protection as those arising from this agreement, including the obligation to take appropriate technical and organisational measures for processing personal data. To this end, the processors have signed a processing agreement in accordance with article 28 point 3 GDPR. An overview of processors can be given, on demand of the client.

The controller guarantees that processors may only process personal data under written instructions of the controller. If the processors engage a sub-processor to perform processing activities, the processor will, in principle, remain liable towards the sub-processor.

The controller guarantees that the personal data will not be processed outside a Member State of the EU. The Personal Data will only be processed in Belgium.

The controller’s services are primarily determined by law, namely the Code on Well-being at Work. The controller will only process the minimum amount of personal data necessary within the framework of implementing the requested services.  An overview is available in appendix 1 to this Policy.

The controller guarantees that personal data will not be stored for longer than is necessary for the implementation of the requested services. The controller is obliged to observe statutory retention periods. An overview is available in appendix 1 to this Policy.

15.1. General

Within the framework of the GDPR, data subjects have the following rights with regard to their personal data:

• 1° Right of access
• 2° Right to rectify incorrect personal data
• 3° Right to erasure (Right to be forgotten”)

In most cases, the right to erasure of data will not be executed by the controller, as processing is carried out on the basis of a legal obligation to process data. 

• 4° Right to  restriction of processing
• 5° Right to data portability
• 6° Right to object

In most cases, the right to object will not be executed by the controller, as processing is carried out on the basis of a legal obligation to process data. 

The controller guarantees to answer requests within one month of receiving them. This will be done in conformity with the obligations of the controller stipulated in article 12 point 3 of the GDPR. Depending on the complexity and number of requests, this period may be extended by two months if necessary. The controller will inform the data subject of this extension within one month of receiving their request.

The controller’s internal procedures are set out in points 15.2 and 15.3 so that the data subjects can correctly exercise their rights against the controller.  The client must inform data subjects of the controller’s internal procedures in a concise, transparent, comprehensible and easily accessible form and in clear and simple language. If data subjects wish to exercise a right that does not fall under point 15.2. or 15.3. the request can be sent to privacy@mensura.be.

15.2. Rights of data subjects within the framework of medical supervision

With regard to the exercise of one of the rights related to their medical files, data subjects must respect the following internal procedure of the controller:

• requests must be submitted by means of a registered letter addressed to dr. An De Roeck, directeur afdeling medisch toezicht, Italiëlei 2 at 2000 Antwerp.
• they must enclose a copy of their identity card.

Access to medical files will not be granted to employees directly but to their attending physician. This is in conformity with the recommendation issued by the Medical Association on 07/09/1996.

15.3. Rights of data subjects within the framework of psychosocial files

With regard to the exercise of one of the rights related to their psychosocial files, Data Subjects must respect the following internal procedure of the controller:

• requests must be submitted by means of a registered letter addressed to the relevant prevention advisor on psychosocial aspects;
• they must also enclose a copy of their identity card.

15.4. Right to submit a complaint to the Belgian supervisory authority (= “the Data Protection Authority”)

In accordance with article 77 of the GDPR, data subjects have the right to submit a complaint directly to the Data Protection Authority if they think that the controller is failing to protect and/or process their personal data in conformity with the GDPR.

16.1. Transfer of Personal Data in the Medical Supervision Department

The transfer of health files is set out in the provisions of Book 1, Title 3, of the Code on Well-being at Work.

Health files consist of four separate sections:

• a) social-administrative information concerning the identification of the employee and their employer.
• b) occupational history and objective medical personal information that can be established on the basis of compulsory actions undertaken during preventative medical researches. This personal information is related to the employee’s work station or activity.
• c) specific information of a personal nature established by the occupational physician during preventative medical examinations and that are restricted to the last-mentioned doctor.
• d) exposure of all employees employed at a work station or in an activity that exposes them to biological, physical or chemical agents.

Health files do not contain information on cooperation with public health programmes that are not related to work.

The transfer of medical information takes place under the responsibility of the doctor who is in charge of the department tasked with medical supervision (director of medical supervision).

To transfer medical files, the director of medical supervision of the new external service must write to the Mensura’s director of medical supervision to request data transfer. The requested files will not be effectively transferred until this request has been received.

16.2. Transfer of Personal Data in the Psycho Department

The transfer of this personal data is set out in the provisions of article 34 van Book I, Title 3, Prevention of Psychosocial Risks at Work, of the Code on Well-being at Work.

If the client changes the external agency for prevention and protection at work, the transfer of individual files will be arranged as follows: 

1° If a request for formal psychosocial intervention is being dealt with at the time of the change:

• a) the prevention advisor on psychosocial intervention will inform the applicant and the other persons directly involved as soon as possible of the fact that the external agency for which he performs tasks will no longer be authorised to deal with the request;
• b) the client will give the prevention advisor for psychosocial aspects to whom the request was submitted with the coordinates of the new external agency upon request;
• c) the prevention adviser for psychosocial aspects to whom the request was submitted will submit the individual file to the prevention adviser for psychosocial aspect of the new external agency;
• d) the prevention advisor on psychosocial aspects will inform the applicant and the other persons directly involved of the fact that they will be taking over the handling of the request;

2° If the handling of the request for formal psychosocial intervention is concluded at the time of the change of external agency for prevention and protection at work, the prevention adviser for psychosocial aspects of the new external agency may obtain a copy of the individual file from the prevention adviser for psychosocial aspect to whom the request was submitted if this is necessary for the performance of their duties.

The transfer of individual files is subject to conditions to safeguard professional secrecy.

The controller guarantees that the processed Personal Data will be deleted or transferred at the request of the client within the month following the end of the Main Contract, unless there is a legal provision allowing the controller to retain the Personal Data for a longer period of time.

At the request of the client, the controller will provide the necessary proof of this.

The processors and third parties are also informed by the controller about the removal of the Personal Data received, if the Main Contract has been terminated. Processors and third parties shall delete this Personal Data unless they too can provide proof of legal provisions allowing for the retention of Personal Data for longer periods of time.

The controller will inform the client within three business days in cases where:

• (a) concerning the processing of Personal Data, a public body requests information from the controller, or the controller receives a summons or a research or inspection request, unless the controller is not legally authorised to provide this;
• (b) the intention is to provide Personal Data to a public body;
• (c) the controller receives a request to publish the client’s Personal Data or to provide information relating to the processing of the client’s Personal Data from a third party, an employee, a customer, or the client’s contractor.

The controller gives the client 72 hours, as from the time of the report, to object to such a transfer of Personal Data.

The controller is obliged to report breaches of personal data security to the authorised Belgian supervisory authority within 72 hours. This applies unless it is unlikely that the personal data breach will result in a risk to the rights and freedoms of the data subject(s).

The controller will notify the client as soon as they have become aware of a personal data breach, without unreasonable delay. It is agreed that the controller and the client will contact each other within 48 hours of the controller learning of the breach and agree together whether it must be reported to the authorised Belgian supervisory authority.

If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data subject(s) will be informed it in accordance with article 34 of the GDPR.

Both the controller and the client will work together with the authorised Belgian supervisory authority to provide the necessary information and to limit the consequences of the breach.

If one or more of the provisions in this Privacy Policy should become null and void, the remaining provisions are still in full force.

This Privacy Policy is subject to Belgian law. The parties can only present their disputes concerning this Privacy Policy before the courts of Brussels.

The controller guarantees that they will provide the client with the necessary additional support and information so that the controller can show that they have complied with their obligations under the GPDR. This information obligation does not apply to information that is confidential or cannot be shared with the client for legal reasons.

Furthermore, the controller will grant the necessary cooperation if an audit is conducted on their premises on the orders of the client or by an auditor authorised by the client.  The client will bear the costs of the appointed auditor and audit. The audit will always be limited to the controller’s systems that are used for the processing.

The Data Protection Officer and the Security Officer of the controller can be contacted at the following email address: privacy@mensura.be.

Categories of Personal Data that the controller can process

• Personal identification data (e.g. first name, surname, address, telephone number, email address, type of driving licence if applicable)
• Personal characteristics (e.g. age, sex, date of birth, place of birth, marital status, nationality)
• Health data (such as physical and mental health)
• Occupation and relationship (such as employer, title and description of the position, date of recruitment)
• National Registration Number
• Racial or ethnic data
• Pictures (photo)
• Other category of data (e.g. seaman’s book number if applicable)

Retention period

Medical file = statutory retention period (= 40 years)

Psychosocial files = statutory retention period (= 20 years)

• Internal IT policy approved by the management board (contains password policy, acceptable use of company resources, Clean Desk and Clear Screen policy, Software policy, Internet policy, email policy, social media policy, policy on data confidentiality.....)
• Data will only be stored in Belgium
• Our systems are redundant on 2 data centres with TIER III + classification. (DRP and BCP)
• The hosting provider has ISO27001 certification.
• Firewalls on several network layers.
• Network Access Control, separation of networks, etc…
• Data in transit will only be permitted if encrypted.
• Remote access of users is only via VPN with Multi Factor authentication.
• Verified backup and restore procedures.
• Data in rest (backups) will be encrypted
• “Role based access” to applications.
• User Awareness training sessions will be organised.
• Antivirus/Antispam on several layers. (Firewall, Endpoints, Servers, mail systems…)
• SIEM for security devices.
• Logging and reporting.
• Regular security testing.
• Mobile Device management
• Capacity Management
• Regular updates of all systems and reporting on this.
• Regular security meetings met our hosting provider.
• Physical access security.
• Asset Management.
• Network and system monitoring.
• DDOS and IPS measures.
• Data Loss Prevention implementation in the near future.
• Change Management
• Separate Test, Validation and Production environments.
• Regular assessments of suppliers.