Last date of revision: 04 November 2022
1. WHO DOES THIS GDPR PRIVACY STATEMENT APPLY TO?
ATENOR (hereafter “ATENOR” or “we”) is a real estate development company listed on NYSE Euronext Brussels. ATENOR is composed of various companies (hereafter the “ATENOR Companies”) that process personal data.
All ATENOR Companies are separate, independent legal entities. Depending on the processing activity and the context in which your personal data is processed, they may be classified as separate data controllers or joint data controllers with one or more other ATENOR Companies. No ATENOR Company may be held liable for any act or omission by another ATENOR Company.
As a company, we make every effort to protect the personal data entrusted to us and to process it in a correct and transparent manner in strict compliance with applicable data protection laws, notably the General Data Protection Regulation No. 2016/679 of 27 April 2016 (“GDPR”).
2. WHAT IS COVERED BY THIS GDPR PRIVACY STATEMENT?
Through this GDPR Privacy Statement, it is our intention to inform you about why and how as a data controller, we process your personal data during the course of our business activities or when you use our website or forms and applications on that website, about the persons to whom we give such information, about your rights and about the people you may contact should you require any further information or have any queries.
For further information on the use of cookies, please refer to our Cookies Policy.
When we refer to “Website”, we mean web pages with a URL commencing https://www.atenor.eu.
That Website may generate links to other websites provided by other affiliated entities or third parties. While we strive to only generate links to websites that share our high standards of personal data protection, we are not responsible for the content or personal data practices of those other websites.
When you click a link on this Website, we strongly advise that you review the GDPR Privacy Statement of the website before disclosing any personal information.
This GDPR Privacy Statement only relates to data processed by us and also covers our presence on social media and platforms for communication with suppliers, customers, prospects and any other parties that may be interested in our business activities. We process your data on our social networks when you interact with us, for example when you respond to our posts or when you send us direct messages.
When you visit our Facebook, YouTube, LinkedIn or Instagram page, via the shortcut on our Website or otherwise, cookies are processed by Facebook, YouTube, LinkedIn and Instagram. On this basis, we can obtain more information – totally anonymously – about the traffic visiting our Facebook, YouTube, LinkedIn and Instagram pages.
For further information about why and how personal data is processed in this context, please refer to the Privacy Policy and Cookies Policy on the Facebook, YouTube, LinkedIn and Instagram websites.
3. WHY DO WE USE YOUR DATA?
3.1. I AM A WEBSITE OR SOCIAL MEDIA VISITOR
We only process your personal data for legitimate business reasons. These reasons include, but are not limited to:
- Offering and effectively organising our services (online);
- Managing requests, queries and complaints;
- Collecting statistics on use of the Website (“measuring Website traffic”);
- Improving the performance and design of the Website;
- Ensuring Website functionality;
- Ensuring the security of our IT systems.
3.2. I AM A CONTACT PERSON RECEIVING ELECTRONIC COMMUNICATION (for newsletters, etc.)
We maintain a database of contact persons (e.g. journalists, shareholders and other business contacts) for forwarding electronic communication. Such communication takes place for three main reasons:
- Regulatory communication: issued in order to comply with our legal obligations, such as our obligation to provide information in our capacity as a listed company;
- General brand communications: sent out for reasons of general brand image and public relations (including invitations to events);
- Sales and direct marketing communications: issued for sales and direct marketing purposes such as messages relating to the services and products we offer (e.g. real estate projects).
We also process personal data from our database in order to:
- Manage requests, queries and complaints relating to such communication;
- Collate communication statistics.
3.3. I AM (A CONTACT PERSON OF) A SUPPLIER, CUSTOMER, PROSPECT OR ANY OTHER INDIVIDUAL WHOSE PERSONAL DATA IS PROCESSED (SUCH AS A JOURNALIST, SHAREHOLDER, BUSINESS CONTACT OR VISITOR, ETC.)
We only process your personal data for legitimate business reasons. These reasons include, but are not limited to:
- Complying with our legal obligations;
- Shareholder administration;
- Supplier and customer administration;
- Order and delivery administration;
- Invoicing and accounting;
- Providing information about ATENOR, our Companies, services and activities;
- Effective organisation of our services (such as day-to-day commercial communication);
- Sales and marketing;
- Public relations and media contact;
- Managing requests, queries and complaints;
- Dispute management;
- Market statistics and surveys;
- Managing visitors and other business contacts;
- Access control;
- Security.
4. LEGAL BASIS FOR THE PROCESSING OF YOUR DATA
4.1. I AM A WEBSITE OR SOCIAL MEDIA VISITOR
When you contact us via a general contact address or via the online contact form on the Website, your personal data will, in principle, be processed in order to protect our legitimate interests (i.e. to manage any request, query or complaint in the best possible manner).
We also process data in our legitimate interest of ensuring the effective functionality of the Website and to maintain the security of our IT systems.
In this context, we will analyse whether our interests outweigh your interests, rights and fundamental freedoms on a case-by-case basis.
For further information on the use of cookies, please refer to our Cookies Policy.
4.2. I AM A CONTACT PERSON RECEIVING ELECTRONIC COMMUNICATION
The legal basis for sending electronic communication depends on the purpose of the communication in question:
- Regulatory communication: your personal data will be processed in order to comply with a legal obligation.
- General brand communications: your personal data will be processed in order to enhance our brand image, which is in our legitimate interest. In this context, we will analyse whether our interests outweigh your interests, rights and fundamental freedoms on a case-by-case basis.
- Sales and direct marketing communications: your personal data will be processed with your explicit consent, unless we have obtained your contact data during a product sale or similar service. In the latter case, our legal basis is our legitimate interests – more specifically the interest of promoting our products and services to existing customers.
4.3. I AM (A CONTACT PERSON OF) A SUPPLIER, CUSTOMER, PROSPECT OR ANY OTHER INDIVIDUAL WHOSE PERSONAL DATA IS PROCESSED (SUCH AS A JOURNALIST, SHAREHOLDER, BUSINESS CONTACT OR VISITOR, ETC.)
We process your personal data for the purposes stated above in the section “Why do we use your data?”:
- If necessary for the effective performance of contracts to which you are party or in order to take steps, at your request, prior to entering into a contract, including, but not limited to, accounting, marketing, delivery and invoicing;
- Where necessary in order to comply with our legal obligations (such as our obligations in our capacity as a listed company);
- In the context of the legitimate interests of ATENOR, our Companies and/or a third party, including, but not limited to, ensuring the effectiveness of our business activities and managing suppliers and customers, etc. In this context, we will analyse whether our interests outweigh your interests, rights and fundamental freedoms on a case-by-case basis.
If we have a legal obligation to obtain your free, informed, specific and unambiguous consent to process your personal data for certain purposes (e.g. specific direct marketing or marketing research activities), we will only process your data for such purposes insofar that we have obtained your consent.
For further information about direct marketing and sales communications, please refer to the section above on electronic communication.
5. YOUR RIGHTS
You have multiple rights to the information we process about you. We would like to inform you that you have the right to:
- Receive confirmation that we are processing your personal data and to request a copy of that data;
- Ask us to update or correct your personal data should you believe that the stored data is incorrect or inaccurate;
- Ask us to delete the personal data we hold about you, or to restrict the manner in which we use such personal data should you consider that there is (no longer) any lawful basis for us to process it;
- Withdraw your consent to the processing of your personal data (to the extent that such processing is based on consent);
- Receive a copy of the personal data you have provided to us, in a structured, commonly used and machine-readable format and to transmit such personal data to another party (to the extent that the processing is based on consent or the performance of a contract);
- Object to the processing of your personal data for which legitimate interests is our legal basis; in such a case, we will cease processing unless we have compelling legitimate grounds.
You also have the right to object to the processing of your personal data for direct marketing purposes at any time. If you do not wish to continue to receive any form of direct marketing from us, you can contact us (see below) or click “Unsubscribe” in any direct marketing communication. In such a case, your personal data will no longer be processed for this purpose.
In order to exercise any of your rights, you simply need to send us a request stating the right you wish to exercise:
- Via e-mail to info@atenor.eu; or
- In writing to: SA ATENOR, 92 Avenue Reine Astrid, 1310 La Hulpe.
You can also use these contact details if you wish to issue a complaint about the processing of your personal data.
If you are not satisfied with the manner in which we have processed your personal data or have any query or request relating to the personal data you have provided, you have the right to lodge a complaint with the data protection authority (“DPA”) in your country of residence. Should you wish to be directed to the appropriate DPA, please do not hesitate to contact us.
6. HOW DO WE OBTAIN YOUR PERSONAL DATA?
6.1. I AM A WEBSITE OR SOCIAL MEDIA VISITOR
We may obtain your personal data when you use the Website or its applications, or when you contact us via a general contact address or via the online contact form on the Website. We may also obtain your data when you respond on our social networks.
For further information on how we collect data for cookies, please refer to our Cookies Policy.
6.2. I AM A CONTACT PERSON RECEIVING ELECTRONIC COMMUNICATION (for newsletters, etc.)
The personal data we hold in our database has been provided to us by you or via the internet and social networks.
6.3. I AM A (CONTACT PERSON OF A) SUPPLIER, CUSTOMER, PROSPECT OR ANY OTHER INDIVIDUAL WHOSE PERSONAL DATA IS PROCESSED (SUCH AS A JOURNALIST, SHAREHOLDER, BUSINESS CONTACT OR VISITOR, ETC.)
We may obtain your personal data in the course of our day-to-day business activities.
We may obtain such personal data because you have provided it to us (e.g. by contacting us, by filling in online forms, etc.), or because others have provided it to us (e.g. your employer or any third-party service providers we use in the course of our business activities), or because it is publicly available.
Where we obtain personal data from third parties, we make every reasonable effort to establish contractual clauses with such third parties obliging them to comply with data protection laws. This may be achieved by obliging the third party to provide you with all necessary information or, if necessary, to obtain your consent to process the personal data described in this GDPR Privacy Statement.
7. DATA COLLECTED
7.1. I AM A WEBSITE OR SOCIAL MEDIA VISITOR
The main personal data we collect through the Website is information provided to us when you contact us via a general contact address or via the online contact form on the Website.
7.2. I AM A CONTACT PERSON RECEIVING ELECTRONIC COMMUNICATION (for newsletters, etc.)
The personal data we hold in our database may consist of:
- Your surname and first name;
- Your e-mail address;
- Your work phone number;
- The company you work for;
- Your position;
- The category of recipients to which you belong (e.g. journalist, shareholder, supplier or customer)
7.3. I AM A (CONTACT PERSON OF A) SUPPLIER, CUSTOMER, PROSPECT OR ANY OTHER INDIVIDUAL WHOSE PERSONAL DATA IS PROCESSED (SUCH AS A JOURNALIST, SHAREHOLDER, BUSINESS CONTACT OR VISITOR, ETC.)
The personal data we collect may include, but is not limited to:
- Identification data (e.g. name, address (private/business), phone number (private/business), e-mail address (private/business) and country of residence);
- Personal characteristics (e.g. marital status, language, etc.);
- Employment data (e.g. the organisation you work for, your position and your current responsibilities);
- Data on the products and services you order;
- Recordings by surveillance cameras and intercom systems;
- Information about how you interact with us (e.g. when you contact us) and other similar information;
- Shareholder information, etc.
8. ACCESS AND DISCLOSURE
8.1. I AM A WEBSITE OR SOCIAL MEDIA VISITOR
Our personnel will have access to your personal data on a strictly “need-to-know” basis for the purposes described above in the section entitled “Why do we use your data?”.
We may disclose your personal data to recipients outside the European Economic Area (EEA) provided that their laws and regulations guarantee an adequate level of data protection (“adequate guarantees”), notably to the US where the protection levels are regulated using mechanisms including “standard contractual clauses”, “binding corporate rules”, or to the United Kingdom where protection levels are regulated via “adequacy decisions”.
For further information about the transmission of your data outside the EEA and/or the protection mechanisms implemented (including how you can receive a copy thereof), please use the contact details provided below in Section 12.
8.2. I AM A CONTACT PERSON RECEIVING ELECTRONIC COMMUNICATION (for newsletters, etc.)
Our personnel will have access to your personal data on a strictly “need-to-know” basis for the purposes described above in the section entitled “Why do we use your data?”.
Your personal data may also be disclosed to any service provider assisting us to send you our electronic communications or providing us with IT database support.
We may disclose your personal data to recipients outside the European Economic Area (EEA) provided their laws and regulations guarantee an adequate level of data protection (“adequate guarantees”), notably to the US where the protection levels are regulated using mechanisms including “standard contractual clauses”, “binding corporate rules”, or to the United Kingdom where protection levels are regulated via “adequacy decisions”.
For further information about the transmission of your data outside the EEA and/or the protection mechanisms implemented (including how you can receive a copy thereof), please use the contact details provided below in Section 12.
8.3. I AM A (CONTACT PERSON OF A) SUPPLIER, CUSTOMER, PROSPECT OR ANY OTHER INDIVIDUAL WHOSE PERSONAL DATA IS PROCESSED (SUCH AS A JOURNALIST, SHAREHOLDER, BUSINESS CONTACT OR VISITOR, ETC.)
Our personnel will have access to your personal data on a strictly “need-to-know” basis for the purposes described above in the section entitled “Why do we use your data?”.
We may disclose your personal data to ATENOR Companies, to our third-party service providers that require reasonable access to your personal data for one or more of the purposes described in the section above entitled “Why do we use your data?”. For example, this may concern the following external parties:
- External service providers used for various business services;
- Law enforcement authorities, in accordance with relevant legislation;
- Public authorities, such as the Belgian Financial Services and Markets Authority (FSMA);
- External professional advisors (e.g. the company’s lawyers or consultants).
We may disclose your personal data to recipients outside the European Economic Area (EEA) provided their laws and regulations guarantee an adequate level of data protection (“adequate guarantees”), notably to the US where the protection levels are regulated using mechanisms including “standard contractual clauses”, “binding corporate rules”, or to the United Kingdom where protection levels are regulated via “adequacy decisions”.
For further information about the transmission of your data outside the EEA and/or the protection mechanisms implemented (including how you can receive a copy thereof), please use the contact details provided below in Section 12.
As a general rule, we will take all steps reasonably necessary to ensure that your personal data is processed securely and in accordance with this Privacy Statement.
We reserve the right to disclose your personal data as provided for by law, or where we believe that disclosure is necessary in order to protect our rights and/or to comply with any legal process, court order, request issued by a regulator or any other legal proceedings to which we are party.
9. SECURITY OF YOUR DATA
We implement strict technical and organisational measures (security) to protect your personal data from being accessed by unauthorised persons and from unlawful processing, accidental loss, destruction and damage, both online and offline.
These measures include:
- Training appropriate personnel to ensure they are aware of our privacy obligations when we process personal data;
- Administrative and technical controls in order to restrict access to personal data on a need-to-know basis (passwords);
- Technological security measures, including firewalls, encryption and anti-virus software;
- Blocking passwords in the event of devices being lost or stolen;
- Physical security measures, such as staff security badges for accessing our premises and physical security in our showrooms.
Although we use appropriate security measures on receipt of your personal data, the transmission of data – especially on the internet and via e-mail – is never completely secure. We strive to protect personal data, but we cannot guarantee the total security of data transmitted to or by us.
We restrict access to your personal data to those persons we reasonably believe need to know such information in order to effectively perform their work.
10. DATA RETENTION
10.1. I AM A WEBSITE OR SOCIAL MEDIA VISITOR
Your personal data will not be retained for longer than is necessary for the purposes described above in the section entitled “Why do we use your data?”.
As a general rule, personal data obtained via the contact form on the Website is stored for a period of 5 years.
Depending on the specific situation and applicable national law, however, we may retain your personal data for a longer period. This will be the case in particular if any of the following periods is of a longer duration:
- For as long as it is necessary for our day-to-day business activities;
- For any retention period specified by law;
- For the period of time required to settle or finalise any dispute or investigation.
For further information about the expiry periods of cookies used on the Website, please refer to our Cookies Policy.
10.2. I AM A CONTACT PERSON RECEIVING ELECTRONIC COMMUNICATION (for newsletters, etc.)
Your personal data will not be retained for longer than is necessary for the purposes described above in the section entitled “Why do we use your data?”:
- Regulatory communication: your personal data will be stored for as long as you are a shareholder or any other person we are legally obliged to inform;
- General brand communications: your personal data will be processed for as long as we have any legitimate interest in sending you communications to enhance our brand image (based on your relationship with ATENOR as a customer, shareholder, etc.);
- Sales and direct marketing communications: your personal data will be stored for a period of 5 years from the time that the data subject was last contacted. If you have become a customer during this period, however, we may retain your personal data for a longer period, i.e. 10 years from delivery of the products or services or from the time you last contacted ATENOR (if such contact occurred at a later date).
However, we may retain your personal data for alternate longer periods:
- For as long as it is necessary for our day-to-day business activities;
- For any retention period specified by law;
- For the period of time required to settle or finalise any dispute or investigation.
10.3. I AM A (CONTACT PERSON OF A) SUPPLIER, CUSTOMER, PROSPECT OR ANY OTHER INDIVIDUAL WHOSE PERSONAL DATA IS PROCESSED (E.G. JOURNALIST, SHAREHOLDER, BUSINESS CONTACT, VISITOR, ETC.)
Your personal data will not be retained for longer than is necessary for the purposes described above in the section entitled “Why do we use your data?”.
As a general rule, personal data obtained through use of our services is stored for a period of 10 years from the end of the contractual relationship.
However, personal data processed for direct marketing purposes will be stored for a period of 5 years from the date of the last contract with the data subject. However, we may retain your personal data for this purpose for a longer period if you have become a customer in the meantime, i.e. for a period of 10 years from delivery of the products or services or from the time you last contacted ATENOR (if such contact occurred at a later date).
Surveillance camera/intercom images are retained for a period of 30 days, unless an offence has been established. We then retain the images for as long as necessary for the complaint or potential proceedings.
However, we may retain your personal data for alternate longer periods:
- For as long as it is necessary for our day-to-day business activities;
- For any retention period specified by law;
- For the period of time required to settle or finalise any dispute or investigation.
11. AUTOMATED DECISION-MAKING PROCESSES
Automated decisions are defined as decisions relating to individuals, made solely on the basis of automated data processing with associated legal consequences and which affect data subjects in a significant manner.
As a general rule, your personal data will not be used for automated decision-making. We do not base any decisions about you solely on the basis of the automated processing of your personal data.
12. HOW CAN YOU CONTACT US?
We trust that this GDPR Privacy Statement will help you to understand and provide you with reassurance about how we process your personal data. Should you have any questions about this GDPR Privacy Statement or the Website in general, please do not hesitate to contact us:
- Via e-mail to info@atenor.eu; or
- In writing to ATENOR SA, 92 Avenue Reine Astrid, 1310 La Hulpe.
13. AMENDMENT OF THIS GDPR PRIVACY STATEMENT
We may amend or modify this GDPR Privacy Statement at any time. In order to notify you of when we last made any changes to this GDPR Privacy Statement, we will also change the revision date at the top of this page. The new modified or amended GDPR Privacy Statement will apply from the relevant revision date.
Please check this page regularly for any changes or additions.