1. Who are we?

1.1. XSTONE as data controller

By means of this declaration (hereinafter referred to as the “Declaration”), we wish to inform you of the purposes and methods of collection and processing of your personal data by XSTONE (hereinafter referred to as “we” or “XSTONE”).

We are responsible for processing the personal data that we collect and use. As data controller, we take the necessary measures so that you:

be informed about the processing of your personal data and your rights;
maintain control over the personal data we process;
can exercise your rights with regard to personal data. You will find more information about your rights in point 9 of this Declaration.

2. What data do we collect about you?

2.1. Personal data

We understand by “personal data” all information relating to a living natural person. The type of personal data we collect depends on the services requested. If you have a commercial relationship with us, this includes, among other things, data about you and/or your representatives, your staff, your collaborators and/or independent directors (hereinafter commonly referred to as “you” or “ your your “). If you communicate to us personal data of your representatives, your staff, your collaborators and/or independent administrators, you have the obligation to inform them of the existence and content of this Declaration, as well as of our duties, their rights and how they can exercise these rights. In addition, we collect data from people who show an interest in our services or our business operations, these include, among others, people who are interested in the services offered on the websites (newsletters, contact forms). contact, feedback, etc.).

We collect in particular administrative data and contact details. This data allows us to identify you or contact you, or to do business with you if you are a supplier or business partner. This may include contact details, such as your name, address, telephone number or email address. We do not intentionally collect or process so-called sensitive data, namely:

personal data which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership;
genetic or biometric data (example: facial images and fingerprints);
health data;
data relating to sexual behavior or sexual orientation.
If such sensitive data is provided to us, we will not use it and will delete it.

2.2. Minors

We do not intend to process the personal data of minors.

3. For what purposes do we need your data?

3.1. Service offering and commercial relationship

What does this purpose consist of?
We may use your personal data to carry out our professional tasks or provide our services.

What personal data do we process in this context?
We collect and process the following data: your name, email address, telephone number and address.

3.2. Information and communication

What does this purpose consist of?

We may use your personal data to inform you about our activities, services or newsletters which we think may be of interest to you. We will contact you if you explicitly request it or if we think you might be interested in a service or that it might benefit your business/organization. If you are not yet in a commercial relationship, you will only receive our marketing communications if you have given us your explicit authorization to contact you. If you already have a business relationship with us or have already provided your contact details, you may receive advertisements from us without your explicit permission. This is for example the case for all people who have subscribed to the newsletter and/or the contact details provided during commercial exchanges. In this context, we base ourselves on our legitimate interest in order to carry out our commercial relationship.

What personal data do we process in this context?

In certain cases, we collect and process the following data: your name, your profession, your email address and your telephone number.

3.3. Operation of the company

What does this purpose consist of?

This purpose constitutes what we call a “legitimate interest”. Indeed, data processing is based on a certain number of legitimate interests. However, we always ensure that the balance between our legitimate interests and their possible impact on your privacy is not disturbed.

If you still wish to object to this processing, you can exercise your right to object, as mentioned in point 9.3 of this Declaration.

Thus, we process personal data in the following situations (non-exhaustive list)

They can be used as proof (archives);
They can be used for the establishment, exercise, defense or protection of our rights or those of the people who represent us, for example in the event of litigation;
They can be used for the administration, (risk) management and control of our organization (example: compliance/prevention against money laundering and fraud and study of these issues, risk management, functions at risk and inspection, complaints management, internal and external audit);
They may be used to simplify the execution, use and termination of services by the customer, among other things to prevent you from having to re-provide information that you have already completed previously;
Personal data as well as your mode of consultation of some of our websites may also be collected for the creation of customer categories/commercial relationships; this in order to know you better as a customer/business relationship, but also to have a more precise idea of your preferences and thus deliver the most relevant message according to your profile and the time of consultation. We call this behavioral targeting.

3.4. Legal obligation

What does this purpose consist of?

XSTONE is obliged to process personal data in certain cases, e.g. legal obligations concerning legislation on the protection of personal data.

3.5. Cookies

We use “cookies” (and similar technologies) on our websites and applications. Thanks to these small computer files which save information on your computer’s browser, we may retain certain data about you (e.g. choice of language). We record them to best adapt our sites and applications to your wishes and keep your preferences for a future visit. We can therefore very quickly increase your comfort of use and offer you relevant offers.

4. Do we ask for your consent before processing data?

4.1. General context

We only have permission to use and process your personal data if one of the following conditions is met:

The use of your personal data is necessary for the execution of a contract that you have concluded with us or in order to carry out, at your request, the steps necessary to conclude this contract. The processing purposes described in point 3.1 of this Statement are based on this principle.
We have your free and explicit consent to use your personal data for a certain purpose.
Indeed, if you do not yet have a relationship with us, we will ask for your authorization to contact you for direct marketing purposes, as indicated in point 3.2 of this Declaration.
The use of your personal data is generated in accordance with our legitimate interests and in accordance with your interests and rights.< /span> of this Declaration.point 3.2 of this Declaration. The same applies to the processing operations necessary for sending direct marketing e-mails to existing contact persons, as described in point 3.3
We base the processing operations necessary for the proper functioning of our business on our legitimate interest, as mentioned in
We are legally required to process certain data and communicate it to the competent authorities, such as the privacy authority (e.g. as part of an audit).

5. Who else do we share your data with?

Employees of the company who must have access to personal data to carry out their professional tasks can access it. These people act under our supervision and responsibility.
We also use external suppliers, who take care of certain processing so that we can offer you our products and services, at namely IT, legal, financial, accounting and other services. Since these third parties have access to personal data in the context of the performance of the requested services, we have taken technical, organizational and contractual measures to ensure that your data is only processed and used for the purposes mentioned in point 3 of this Declaration.
Where we are legally required to do so, we may provide your personal data to supervisory authorities, tax authorities and research services.

6. Where do we store and process your personal data?

Personal data will not be transferred outside the EU. If the employer plans to store and/or process them outside the EU, they will explicitly indicate this and ensure that the same level of protection is guaranteed. If we use subcontractors, the data will be routed to the countries where the data centers of these subcontractors are located. With these subcontractors we conclude an agreement based on a model approved by the European Commission and by which these subcontractors guarantee the same level of protection as that guaranteed by XSTONE for data stored within the EU.

7. How long do we keep your personal data?

We will not keep your data for a longer period than the time necessary to achieve the objectives mentioned in point 3 of this Statement. Any exceptions or clarifications to this principle are explicitly indicated under the various purposes mentioned in point 3 of this Declaration. Since the need to retain data depends on the type of data and the purpose of processing, retention periods may vary considerably.

Below you will find the criteria we use to define retention periods:

How long do we need the data to be able to provide the requested service?
Have we defined and announced a certain retention period?
Have we obtained permission to extend the retention period?
Are we subject to a legal, contractual or comparable obligation?
As soon as we no longer need your data and are no longer legally obliged to retain it, we will permanently delete it or, if this proves impossible, anonymize it in our systems. Your personal data will, however, be kept and used for the period necessary to fulfill our legal obligations, resolve disputes or conclude contracts.

8. How do we secure your personal data?

Your personal data is considered to be strictly personal. We take appropriate technical and organizational measures to protect the personal data provided and collected from any destruction, loss, accidental alteration and any damage, accidental or illegal access or other unjustified processing of data.

9. What are your rights?

9.1. Right of access, opposition, rectification, forgetting and data portability

9.1.1. Permission to access

You have access to the personal data that we process and have the right to review it. If you wish, we will provide you with a copy of this data free of charge.

To exercise your rights, we refer to point 9.3 of this Declaration.

9.1.2. Right of rectification

You have the right to request the deletion or rectification of erroneous, fragmentary, inadequate or obsolete data. To exercise your rights, we refer to point 9.3 of this Declaration.

9.1.3. Right to withdraw your consent

Where processing is based on your consent, as described in point 4.1, you have the right to withdraw it at any time. To exercise your rights, we refer to point 9.3 of this Declaration.

9.1.4. Right to object to certain processing

When your personal data is processed on legitimate grounds, you have the right to object to the processing of your data on grounds relating to your specific situation. To exercise your rights, we refer to point 9.3 of this Declaration.

9.1.5. Right to be forgotten

You have the right to obtain the erasure of your personal data. If you wish to terminate the employment relationship with XSTONE, you can therefore ask us to stop using your personal data. We may, however, retain the data required for evidentiary purposes. In addition to this right to be forgotten, you also have the right to ask us at any time to put an end to the processing of the data processed on the basis of your consent or our legitimate interest. However, in the event of legitimate interest we may continue to process your personal data, unless you decide to terminate the existing commercial relationship. To exercise your rights, we refer to point 9.3 of this Declaration.

9.1.6. Right to data portability

With regard to personal data processed on the basis of your consent or due to their necessity for the delivery of the requested products or services, you can ask us to transfer the data directly to a third party or to yourself of a personal nature that you have communicated to us. The law on the protection of privacy, however, places some limits on this right, which is therefore not applicable to all data.
To exercise your rights, we refer to point 9.3 of this Declaration.

9.2. Right to object to direct marketing

You have the right to object to the processing of your data for direct marketing purposes if you no longer wish to receive this type of communications from us. Your request will be processed as soon as possible and we will no longer process your data for direct marketing purposes. To exercise your rights, we refer to point 9.3 of this Declaration. Even if you have exercised your right to object, you can, if you wish, authorize direct marketing activities again via the same channels.

We draw your attention to the fact that exercising your right to object does not prevent us from contacting you for any other purpose, including the execution of the contract, in accordance with this Declaration.

9.3. How to exercise your rights?

To exercise the aforementioned rights, you can send us a written request by e-mail or by post to the attention of the privacy team at the following email address: info[@]xstone.group.

We ask you to clearly indicate which right you wish to invoke and which processing(s) you wish to object to or which consent you wish to withdraw.

9.4. Points of attention relating to the exercise of rights

We inform you that opposition to certain processing or withdrawal of your consent for various processing of your personal data may have the consequence that you will no longer be informed of the activities or services offered or that you will no longer be able to use them. .

10. How do I ask questions or file a complaint?

If you have any questions or wish to lodge a complaint regarding the processing of your data, you can contact us via the channels described under point 9.3.

If you are not satisfied with our response, if you have any comments regarding the exercise of your rights or if you consider that our processing of your personal data does not comply with the legislation, you have the right to lodge a complaint with the local Data Protection Authority.

11. Modification of this Statement

We reserve the right to modify or supplement this Statement if necessary.

In case of significant changes, the modification date will be updated and we will notify you. We encourage you to review this Statement periodically to understand how we process and protect your personal data.