Privacy Policy

Privacy notice Futureproofed

We understand that your trust in us is Futureproofed bvba's most important asset (herein after referred to as "Futureproofed”, “Futureproofed part of Sweco", "we" or "us"). As such, your privacy is essential for us.

This privacy declaration (herein after referred to as "Privacy Declaration") is applicable, inter alia, to (i) our websites futureproofed.com and carboncap.be (herein after referred to as the "Website"), (ii) the online climate plan platform FutureproofedCities from Futureproofed (herein after referred to as the "Platform”) and (iii) all (commercial) relations between Futureproofed and its customers, prospects and business partners.

Futureproofed wishes to emphasize that it always attempts to act in accordance with (i) the Belgian Privacy Law of 8 December 1992 on privacy protection in relation to the processing of personal data(i.e.as long as still in force), (ii) the EU Regulation of 2016 concerning the protection of individuals with regards to the processing of personal data, regarding the free movement of such data and repealing Directive 95/46/EC and/or (iii) all (future) Belgian laws regarding the implementation of this Regulation. This Privacy Declaration includes information about the personal data collected by Futureproofed, as well as the manner in which Futureproofed uses and processes this personal data.

Visiting the Website, creating a demo account for the purpose of using the FutureproofedCities demo, creating an account in order to use the Futureproofed services, subscribing to the newsletters and/or a seminar, webinar or event implies your express approval (through disclosure) of your personal information or opt-in) of the Privacy Declaration and consequently how we collect, use and process your personal data.

Please read this Privacy Declaration in conjunction with Futureproofed's cookie policy.

1. Types of personal data

Futureproofed can collect and process the following personal data:
- Name
- First name
- City name
- Work address
- Invoicing address
- Email address
- Telephone number (landline/mobile phone)
- User name
- Password
- Information concerning your use of the Website, the Platforms: including, but not limited to heatmaps, surf recordings, IP address, browser type, the web pages you visited when you obtained access to the Website.
- The log-in details of your mobile device
- Communication preference
- All personal data freely provided to Futureproofed(e.g.in light of correspondence with Futureproofed).

Futureproofed also automatically collects anonymous information regarding your use of the Website and Futureproofed services via the Platform. As such, Futureproofed shall, for example, automatically log which sections of the Website and/or Platform you visit, which web browser you use and which website you visited when you obtained access to the Website, also what is your IP address. We cannot identify you through these data, but it allows Futureproofed to draw up statistics regarding the use of the Website and/or the Platform.

2. Methods of personal data collection

These personal data are collected in the context of:
- Requesting a quote
- Creating a (demo-)account
- Collaboration with Futureproofed
- Visiting the Website
- Your use of Futureproofed services, whether or not via the Website and/or the Platform, and whether or not using a mobile device
- Subscribing to the newsletter and/or the blog (via the Website or not)
- Subscribing for a webinar, seminar and/or event
- The verification of your identity (e.g.when you contact customer support or update your password)
- Incoming and outgoing correspondence with Futureproofed
- Communicating ideas to Futureproofed with regards to improving the services and/or the Platform
- Drawing up a quote
- The exchange of business cards
- A connection made between the platform and social network platforms
- As professionals, you may have registered your business information and business contact details on public databases. We may retrieve those information related to your business account.

The personal data collected by Futureproofed are therefore expressly and voluntarily provided by you.

3. Who processes your personal data?

3.1. Processing responsible

Futureproofed is responsible for processing your data and determines alone or in cooperation with others which personal data is collected, as well as the purpose and means for the processing of these personal data.

3.2. Processor

Futureproofed is free to invoke data processors. A processor is a natural or legal person who processes personal data on request from or on behalf of the processing responsible. The processor is obliged to ensure the security and confidentiality of the data. The processor always acts according to the instructions of the processing responsible.

Futureproofed invokes among others the following categories of 'Processors':
- Processors engaged for administrative purposes;
- Processors engaged for marketing purposes;
- Processors engaged for ICT services and hosting;
- Processors engaged for customer support purposes.

4. Legal grounds for processing data

In accordance with the Privacy Law and the Regulation, we process personal data based on the following legal grounds:
- Based on the consent obtained by the statement of agreement with this Privacy Declaration;
- On the basis of the execution of the agreement as agreed with the user, or the exercise of pre-contractual steps taken on his application, or;
- On the basis of compliance with legal or regulatory provisions, regarding the management of the contractual relationship, in particular the invoicing
- Based on our legitimate interest in sending information and newsletters to our customers;
- Based on your explicit permission for sending promotional offers (direct marketing).

5. Use of personal data

Futureproofed can use your personal data for the following purposes:
- Creating a(demo)account and confirmation thereof
- Performance of the agreement with Futureproofed(incl.follow-up thereof)
- Providing Futureproofed services, whether or not via the Website, the Platform and/or the App, and whether or not using a mobile device
- Providing support/assistance(e.g.in case of problems)
- Send targeted marketing and advertising, updates and promotional offers based on your communication preferences
- Issuing invoices and collecting payment
- Sending newsletters and/or blog
- Sending a confirmation upon subscription for a webinar, seminar, event
- Optimising the quality, management and content of the Website and/or the Platform
- Creating statistics
- Drawing up a quote
- Conducting customer satisfaction studies, surveys and other market research
- Security of Futureproofed offices

Processing takes place on the following legal grounds, as the case may be:
- You have given consent to the processing of your personal data for one or more specific purposes
- Processing is necessary for the performance of the agreement with Futureproofed or in order to take steps at your request prior to entering into an agreement
- Processing is necessary for compliance with a legal obligation to which Futureproofed is subject
- Processing is necessary in order to protect your vital interests or of another natural person
- Processing is necessary for the performance of a task carried out in the public interest
- Processing is necessary for the purposes of the legitimate interests pursued by Futureproofed or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data (in particular when you are a child).

6. Disclosure of personal data to third parties

Futureproofed shall not disclose your personal data to third parties, unless it is necessary in the context of providing Futureproofed services and optimising them (including but not limited to maintenance works, payment processing, the delivery of services to Futureproofed (e.g.subcontracting) and database management). In this respect, your personal data may be disclosed to payment providers, software providers, cloud partner, datacenter, external IT-consultants and service providers.

If it is necessary that Futureproofed discloses your personal data to third parties in this context, the third party is required to use your personal data in accordance with the provisions of this Privacy Declaration.

Notwithstanding the foregoing, it is however possible that Futureproofed discloses your personal data:
- To the competent authorities(i)if Futureproofed is obliged to do so under the law or under legal or future legal proceedings and(ii)to safeguard and defend our rights;
- If Futureproofed, or the majority of its assets, are taken over by a third party, in which case your personal data – which Futureproofed has collected – shall be one of the transferred assets;
- For the purpose of identifying similar profiles to your own, except if you have expressly opted out in this respect.

In all other cases, Futureproofed will not sell, hire out or pass on your personal data to third parties, except when it(i)has obtained your permission to this end and(ii)has completed a data processing agreement with the third party in question, which contains the necessary guarantees regarding confidentiality and privacy compliance of your personal data.

7. Storage of personal data

Unless a longer storage period is required or justified (i) by the law or (ii) through compliance with another legal obligation, Futureproofed shall only store your personal data for the period necessary to achieve and fulfil the purpose in question, as specified in the Privacy Declaration under'5.Use of personal data'.

8. Your privacy rights

If you wish to invoke your privacy rights, as defined below, please contact support@futureproofed.com or complete the form for exercising your privacy rights and deliver it to Futureproofed by email or post. In light of the processing of your personal data, you enjoy the following privacy rights:
- Right of access to personal data which Futureproofed possibly has concerning you;
- Right to rectification, completion or update of your personal data;
- Right to delete your personal data ('right to be forgotten') (Futureproofed wishes to point out that in this context certain services will no longer be accessible and/or can no longer be provided if you delete resp. request deletion of certain required personal data);
- Right to limit the processing of your personal data;Right to transferability of your personal data;
- Right to object to/oppose the processing of your personal data;
- Right to withdraw your consent.

In principle, you can exercise these rights free of charge via the above-mentioned form. In addition, you can always, via your personal account, update, modify and/or verify your personal data which you were required to submit when creating your (demo-)account.

If you no longer wish to receive newsletters or information about our services, you can unsubscribe at any time by clicking the"unsubscribe"button underneath each of Futureproofed's emails.

9. Security of personal data

Futureproofed undertakes to take reasonable, physical, technological and organisational precautions in order to avoid (i) unauthorised access to your personal information, and (ii) loss, abuse or alteration of your personal data.

Futureproofed shall store all personal data which it has collected in the cloud (with data centre(s) within the EU).

Notwithstanding Futureproofed's security policy, the checks it carries out and the actions it proposes in this context, an infallible level of security cannot be guaranteed. Since no method of transmission or forwarding over the internet, or any method of electronic storage is 100% secure, Futureproofed is, in this context, not in a position to guarantee absolute security.

Finally, the security of your(demo)account will also partly depend on the confidentiality of your password in obtaining access to the Platform. Futureproofed will never ask for your password, meaning that you will never be required to communicate it personally. If you have nonetheless communicated your password to a third party – for example because this third party has indicated that it wishes to offer additional services - this third party shall have access to your (demo) account and your personal data via your password. In such cases, you are liable for the transactions which occur as a result of the use made of your(demo)account. Futureproofed therefore strongly advises you, if you observe that someone has accessed your (demo) account, to immediately change your password and contact us.

10. Cross-border processing of personal data

Any transfer of personal data outside the European Economic Area(EEA)to a recipient whose domicile or registered office is in a country which does not fall under the adequacy decision enacted by the European Commission, shall be governed by the provisions of a data transfer agreement, which shall contain(i)the standard contractual clauses, as referred to in the'EuropeanCommission decision of 5 February 2010(Decision2010/87/EC)', or(ii)any other mechanism pursuant to privacy legislation, or any other regulations pertaining to the processing of personal data.

11. Update Privacy Declaration

Futureproofed is entitled to update this Privacy Declaration by posting a new version on the Website. As such, it is strongly recommended to regularly consult the Website and the page explaining the Privacy Declaration, to make sure that you are aware of any changes.

12. Other websites

The Website may potentially contain hyperlinks to other websites. When you click on one of these links, you may be redirected to another website or internet source that could collect information about you through cookies or other technologies.

Futureproofed does not bear any responsibility, liability or control authority over these other websites or internet resources, nor about their collection, use and disclosure of your personal data.

You must check the privacy declarations of these other websites and internet sources in order to be able to judge whether they act in accordance with the Privacy Legislation.

13. Possibility to submit a complain

In case you are not satisfied with the way Futureproofed handled your questions and/or remarks or have any complaints about the way Futureproofed collects, uses and and/or processes your personal data, note that you have the right to lodge a complaint with the Privacy Commission (forBelgium: Data Protection Authority via https://www.dataprotectionauthority.be).

14. Contact Futureproofed

If you have questions about this Privacy Declaration, or the manner in which Futureproofed collects, uses or processes your personal data, please contact us:
- Via e-mail: info@futureproofed.com
- Via post:
Sweco Belgium bv/srl
Arenbergstraat 13, bus 1
1000 Brussel
Belgium

Privacy notice Sweco

1. Introduction

Sweco (“Sweco Belgium“, “we“, “us” or “our“) is processing your personal data when you interact with us in various contexts. The controller for the processing described in this privacy notice is the Sweco group entity that has provided you with this privacy notice.

We respect your privacy and protect the personal data we process about you. All processing of personal data is carried out in accordance with the requirements set out in the general data protection regulation (“GDPR“) and other applicable personal data protection legislation.

We may at our own discretion update this privacy notice at any given time (see at the end the date this notice was last updated). If material changes are made, we will provid[e notice on this website prior to the change becoming effective.

Throughout this privacy notice the term “processing” is used to cover all activities involving your personal data, including e.g. collecting, handling, storing, sharing, accessing, using, transferring and disposing of your personal data. The term “personal data” refers to any information relating to an identified or identifiable natural person.

You may read this notice as a (i) website visitor, (ii) supplier representative or employee, (iii) client representative or employee, (iv) job candidate, (v) prospective client contact or (vi) government, public authority or international organisation officials or employees. To make this notice more relevant to you, the notice is divided into sections with specific information related to the various roles that you may have when we are processing your personal data.

2. Website visitors

2.1 How do we collect your personal data?

We collect the data directly from you or data that is generated by you, including your devices, when visiting our website.

2.2 Purposes of the processing of your personal data

2.2.1 Maintain, protect and develop the website

When you are browsing the website, we will process your IP address and browser user agent string to help spam detection. In addition, your personal data may be processed to administrate and improve this website, for our internal records and for statistical analysis. We improve website experience by using Microsoft Clarity to see how you use our site. For more info about the way cookies and tracking are used on our websites, please read our cookie statement or go to manage consent for consent options

Categories of personal data Legal basis
·       IP address

·       Browser user agent string (UA)

 

Legitimate interest. The processing is necessary to satisfy our legitimate interest to ensure that our website is continuously maintained and updated, and protected against malicious attacks.

 

Consent. Personal data that is collected for purposes other than for our legitimate interest, will be collected with your consent only.  

 

 

2.2.2 Communicate with you and respond to your questions or feedback

Where we offer you a possibility to communicate with us by asking questions or providing feedback regarding our services and our business, we will process your personal data when you submit a question, comment, feedback or any other message. The purpose of the processing is to be able to communicate with you.

Categories of personal data Legal basis
·       Name

·       E-mail address

·       Address (if needed for communication)

·       Phone number (if provided by you)

·       Any information included in your message.

 

Legitimate interest. The processing is necessary in order to fulfil our legitimate interest to communicate with our website visitors, e.g. to develop our business.

 

2.2.3 Establish, exercise and defend legal claims

For the purposes of establishing, exercising and defending legal claims (for example in connection with a dispute or legal process) we may process your personal data.

Categories of personal data Legal basis
·       All information mentioned above.

 

Legitimate interest. The processing is necessary in order to fulfil our legitimate interest to establish, exercise or defend the legal claim, for example in connection with a dispute or legal process.

 

2.2.4 Newsletters

If you sign up for our newsletters, we will process your email address in order to send newsletters to you.

Categories of personal data Legal basis
·       Contact information

 

Legitimate interest. The processing is necessary to satisfy our legitimate interest to provide you with requested newsletters and market our business. As this processing is limited to what is necessary in order to fulfil your request and that you at any time may unsubscribe, we have concluded that our legitimate interest in processing your personal data overweighs your interest in not having your personal data processed for such purposes.

 

2.3 With whom do we share your personal data?

2.3.1 General

Where necessary in order to achieve the purposes set out in this Section 2, we share your personal data with other entities, authorities or actors. Please note however that we, regardless of the recipients’ capacity, only will share your personal data with entrusted actors and only to the extent necessary.

2.3.2 Data processors acting on behalf of us

In order to fulfil the purposes of the processing of your personal data and to be able run our business, we transfer personal data to external parties such as third-party service providers that we have engaged, as well as other partners. These external parties will act as our data processors and may only process your personal data in accordance with our instructions and not for their own purposes. We are the data controller for the processing of personal data that these external parties carry out on our behalf. The purposes of the processing activities carried out by us are outlined in Section 2.2.

2.3.3 Recipients that act as data controllers

The categories of recipients mentioned in the below table will process personal data in the capacity as data controllers, i.e. these recipients will determine the purposes and means of the processing without our involvement.

Recipients Purpose Legal basis
·       Courts and arbitration tribunals

·       Public authorities

·       External advisers

·       Counterparties

 

In order to exercise, establish or defend legal claims, see Section 2.2.3. To fulfil our legitimate interest to manage and defend legal claims, e.g. in relation to a dispute.

 

2.4 For how long to we process your personal data?

Your personal data will be processed for as long as necessary for the purposes described herein. For example, when processing your personal data for the purpose of maintaining the website, we will anonymize your data as soon as practicably possible and then use anonymized data for further website development. With respect to our communication with you, we will process your personal data for as long as it is relevant depending on the reason for our communication and with respect to our provision of newsletters, we will process your personal data until you opt-out from receiving the newsletters.

3. Suppliers (including agents, subcontractors, vendors, service providers, consultants and other counterparties), representative or employee

3.1 How do we collect your personal data?

We collect the personal data that you, or the relevant supplier that you represent, have provided us within the scope of our business relationship with the supplier.

3.2 Purposes of the processing of your personal data

3.2.1 Administration of supplier relationship

Your personal data will be processed because we have a legitimate interest of administering the relationship with our suppliers and to be able to manage the overall cooperation and day-to-day activities relating to e.g. orders of products and services.

Categories of personal data Legal basis
·       Contact information

·       Identity data

Legitimate interest. The processing of your personal data is necessary in order to satisfy our legitimate interest in being able to administer our supplier relationships, and facilitate e.g. day-to-day communications.

 

3.2.2 Communicate with you

Within the scope of our commercial relationship, we will process your personal data when communicate through various channels. The purpose of the processing is to be able to communicate with you within the scope of the supplier relationship.

Categories of personal data Legal basis
·       Contact information

·       Identity data

·       Any information included in our communication with you

 

Legitimate interest. The processing is necessary in order to fulfil our legitimate interest to communicate with our suppliers within the scope of our commercial relationship.

 

3.2.3 KYC and other background checks

When a supplier enters into a business relationship with Sweco, we may process personal data regarding persons in management position of the supplier in order to carry out KYC or other background checks. Such controls are part of our standard procedures when procuring suppliers.

Categories of personal data Legal basis
·       Identity data

·       Contact information

·       Copy of ID

·       Financial information, e.g. information retrieved from background checks

 

Legitimate interest. The processing is necessary in order to fulfil our legitimate interest to uphold our Code of Conduct.

 

3.2.4 Sanctions screening

Sweco may, before entering into a business relationship, carry out sanctions screening to ensure that Sweco is not entering into a business relationship with anyone that is subject to EU or UN sanctions.

Categories of personal data Legal basis
·       Identity data

·       Contact information

·       Potential data retrieved from sanctions screening, which may include criminal data.

 

Legal obligation. The processing of personal data is necessary in order to comply with our legal obligations.

 

Processing of criminal data is in such case carried out by virtue of our legal obligation to process such data.

 

Legitimate interest. The processing is necessary in order to satisfy our legitimate interest to uphold our Code of Conduct.

 

3.2.5 Establish, exercise and defend legal claims

For the purposes of establishing, exercising and defending legal claims (for example in connection with a dispute or legal process) we may process your personal data.

Categories of personal data Legal basis
·       All information mentioned above.

 

Legitimate interest. The processing is necessary in order to fulfil our legitimate interest to establish, exercise or defend the legal claim, for example in connection with a dispute or legal process.

 

3.2.6 Sharing information with public authorities and international organisations and conducting internal investigations in case of suspected law violations

We may process your data for purposes of bidding for or participating in projects that involve public authorities and/or international organizations, and cooperating with such public authorities and international organisation to prevent and counter criminal activity, breaches of contract, and other violations. In pursuit of this objective, it may be necessary to transfer certain necessary data to public authorities or international organisations for the purpose of their lawful investigations and proceedings. Such transfers will be exceptional, and the scope of the transferred data will be limited to what is necessary for conducting the relevant investigation or proceedings. We may also process your data for purposes of conducting internal investigations in the case of suspected violations of applicable laws.

Categories of personal data Legal basis
·       All information mentioned above.

 

Legitimate interest. The processing is necessary in order to fulfil our legitimate interest in bidding for or participating in projects, as well as fulfilling our legal obligations (including contractual obligations) and our broader legitimate interest to cooperate with public authorities or international organisations and to provide them with necessary data for their lawful investigations and proceedings.

The processing is also necessary to fulfil our legitimate interest in conducting internal investigations in the case of suspected violations to make sure that we comply with applicable laws.

 

 

3.3 With whom do we share your personal data?

3.3.1 General

Where necessary in order to achieve the purposes set out in this Section 3, we share your personal data with other entities, authorities,  actors or international organisations. Please note however that we, regardless of the recipients’ capacity, only will share your personal data with entrusted actors and only to the extent necessary.

3.3.2 Data processors acting on behalf of us

In order to fulfil the purposes of the processing of your personal data and to be able run our business, we transfer personal data to external parties such as third-party service providers that we have engaged, as well as other partners. These external parties will act as our data processors and may only process your personal data in accordance with our instructions and not for their own purposes. We are the data controller for the processing of personal data that these external parties carry out on our behalf. The purposes of the processing activities carried out by us are outlined in Section 3.2.

3.3.3 Recipients that act as data controllers

The categories of recipients mentioned in the table below will process personal data in the capacity as data controllers, i.e. these recipients will determine the purposes and means of the processing without our involvement.

Recipients Purpose Legal basis
·       Courts and arbitration tribunals

·       Public authorities

·       External advisers

·       Counterparties

·       International organisations

 

In order to exercise, establish or defend legal claims (see Section 3.2.2.), ensure compliance with the law and our contractual obligations. To fulfil our legitimate interest to manage and defend legal claims, e.g. in relation to a dispute.

To fulfil our legitimate interest in being able to fulfil our contractual obligations under the contracts we have entered into and our broader legitimate interest to cooperate with public authorities or international organisations and to provide them with necessary data for their lawful investigations and proceedings.

 

·       Clients Administrating the client relationship, see Section 4.2.1. To fulfil our legitimate interest in administrating the client relationship, e.g. being able to communicate with the client and provide our services.
·       International organisations To enable an international organisation to conduct its investigation or proceeding and fulfil its statutory and international law duties. To fulfil the legitimate interest pursued by a third party (international organisation) in being able to conduct an investigation or proceeding and achieve its objectives, as well as fulfil its statutory and international law duties.

3.4 For how long to we process your personal data?

Your personal data will be processed for as long as necessary for the purposes described herein, which generally is for as long as you are the representative of our supplier or for as long as we have an ongoing business relationship with the company you represent. When carrying out KYC and background checks we will delete any personal data as soon as possible after we have assessed the result. With respect to sanctions screenings or other legal obligations, we will process personal data for as long as there is a legal obligation to do so.

4. Client representative or employee

4.1 How do we collect your personal data?

We collect the personal data that you, or the client that you represent, have provided us within the scope of our business relationship with the client.

4.2 Purposes of the processing of your personal data

4.2.1 Administration of client relationship

Your personal data will be processed because we have a legitimate interest of administering the relationship with our clients  and to be able to manage the overall cooperation and day-to-day activities necessary to provide our products and services.

Categories of personal data Legal basis
·       Contact information

·       Identity data

 

 

Legitimate interest. The processing of your personal data is necessary in order to satisfy our legitimate interest in being able to administer our client relationships, and facilitate e.g. day-to-day communications.

 

4.2.2 Provide support services

We will process contact details relating to contact persons representing our clients  that contact us for support. Your personal data will be processed because we have a legitimate interest of providing support for our clients  and enabling usage of our services.

Categories of personal data Legal basis
·       Contact information

·       Identity data

 

Legitimate interest. The processing of your personal data is necessary in order to satisfy our legitimate interest in being able to provide our supporting services to our clients .

 

4.2.3 Sanctions screening

Sweco may, before entering into a business relationship, carry out sanctions screening to ensure that Sweco is not entering into a business relationship with anyone that is subject to EU or UN sanctions.

Categories of personal data Legal basis
·       Identity data

·       Contact information

·       Potential data retrieved from sanctions screening, which may include criminal data.

 

Legal obligation. The processing of personal data is necessary in order to comply with our legal obligations.

 

Processing of criminal data is in such case carried out by virtue of our legal obligation to process such data.

 

Legitimate interest. The processing of your personal data is necessary in order to satisfy our legitimate interest of upholding our Code of Conduct.

 

4.2.4 Establish, exercise and defend legal claims

For the purposes of establishing, exercising and defending legal claims (for example in connection with a dispute or legal process) we may process your personal data.

Categories of personal data Legal basis
·       All information mentioned above.

 

Legitimate interest. The processing is necessary in order to fulfil our legitimate interest to establish, exercise or defend the legal claim, for example in connection with a dispute or legal process.
4.2.5 Sharing information with public authorities and international organisations and conducting internal investigations in case of suspected law violations

We may process your data for purposes of bidding for or participating in projects that involve public authorities and/or international organizations, and cooperating with such public authorities and international organisation to prevent and counter criminal activity, breaches of contract, and other violations. In pursuit of this objective, it may be necessary to transfer certain necessary data to public authorities or international organisations for the purpose of their lawful investigations and proceedings. Such transfers will be exceptional, and the scope of the transferred data will be limited to what is necessary for conducting the relevant investigation or proceedings. We may also process your data for purposes of conducting internal investigations in the case of suspected violations of applicable laws.

Categories of personal data Legal basis
·       All information mentioned above and any information included in our communication with you.

 

Legitimate interest. The processing is necessary in order to fulfil our legitimate interest in bidding for or participating in projects, as well as fulfilling our legal obligations (including contractual obligations) and our broader legitimate interest to cooperate with public authorities or international organisations and to provide them with necessary data for their lawful investigations and proceedings.

The processing is also necessary to fulfil our legitimate interest in conducting internal investigations in the case of suspected violations to make sure that we comply with applicable laws.

 

 

4.3 With whom do we share your personal data?

4.3.1 Disclosure and transfer of personal data

Where necessary in order to achieve the purposes set out in this Section 4, we share your personal data with other entities, authorities, actors or international organisations. Please note however that we, regardless of the recipients’ capacity, only will share your personal data with entrusted actors and only to the extent necessary.

4.3.2 Data processors acting on behalf of us

In order to fulfil the purposes of the processing of your personal data and to be able run our business, we transfer personal data to external parties such as third-party service providers that we have engaged, as well as other partners. These external parties will act as our data processors and may only process your personal data in accordance with our instructions and not for their own purposes. We are the data controller for the processing of personal data that these external parties carry out on our behalf. The purposes of the processing activities carried out by us are outlined in Section 4.2.

4.3.3 Recipients that act as data controllers

The categories of recipients mentioned in the table below will process personal data in the capacity as data controllers, i.e. these recipients will determine the purposes and means of the processing without our involvement.

Recipients Purpose Legal basis
·       Courts and arbitration tribunals

·       Public authorities

·       External advisers

·       Counterparties

·       International organisations

 

In order to exercise, establish or defend legal claims (see Section 4.2.3.), ensure compliance with the law and our contractual obligations. To fulfil our legitimate interest to manage and defend legal claims, e.g. in relation to a dispute.

To fulfil our legitimate interest in being able to fulfil our contractual obligations under the contracts we have entered into and our broader legitimate interest to cooperate with public authorities or international organisations and to provide them with necessary data for their lawful investigations and proceedings.

 

·       International organisations To enable an international organisation to conduct its investigation or proceeding and fulfil its statutory or international law duties. To fulfil the legitimate interest pursued by a third party (international organisation) in being able to conduct an investigation or proceeding and achieve its objectives, as well as fulfil its statutory or international law duties.

4.4 For how long to we process your personal data?

Your personal data will be processed for as long as necessary for the purposes described herein, which generally is for as long as you are the representative of our client or for as long as we have an ongoing business relationship with the company you represent. With respect to sanctions screenings or other legal obligations, we will process personal data for as long as there is a legal obligation to do so.

5. Talent acquisition

5.1 How do we collect your data?

We collect your personal data from:

  • Yourself, which you submit to us when you apply for one of our positions, e.g. your CV and cover letter.
  • Publicly available sources, e.g. when carrying out background checks.
  • External recruiters, that have been involved in the recruitment process and that have provided us with information about you.

5.2 Purposes of the processing of your personal data

5.2.1 Managing the recruitment process

Your personal data will be processed by us within the scope of the general management of the recruitment process. Processing activities included in this process are e.g. collection of your personal data, review of CVs and cover letters, conducting interviews, evaluating you as a candidate and communicating with you within the scope of the recruitment process.

Categories of personal data Legal basis
·       Contact information

·       CV

·       Cover letter

·       Internal notes related to evaluating you as a candidate

 

Legitimate interest. The processing of your personal data is necessary in order to satisfy our legitimate interest in carrying out the recruitment process to ensure that we employ the most suitable candidates.
5.2.2 Job candidate evaluation process

Within the scope of the recruitment, we carry out an evaluation process of potential employees. This may include background checks including and, where permitted under national legislation, criminal background check. The evaluation process may also include scanning of social media activity and other footprints on the internet.

Categories of personal data Legal basis
·       Identity data

·       Contact data

·       Skills data

·       Activity on social media and the Internet

 

Legitimate interest. The processing of your personal data is necessary in order to satisfy our legitimate interest in carrying out background checks to ensure that we employ appropriate candidates.

 

We will not process any criminal data. Any criminal background checks will be subject to a manual process.

5.2.3 Concluding the employment agreement

We will process your personal data in conjunction with the conclusion of the employment agreement with you e.g., when collecting references. Your personal data will also be processed in the employment agreement that we conclude and upon the initiation of the onboarding process. New employees will receive a more detailed internal privacy notice during onboarding.

Categories of personal data Legal basis
·       Contact information

·       Social security number

·       Organisational information, such as employer company, employment status, operational department, geographical placement, cost centre, organisation, place of employment

·       Salary

·       Benefits data

·       References

 

Agreement. The processing of your personal data is necessary in order for us to take measures prior to entering into an agreement (the employment agreement) with you.
5.2.4 Candidate database

If you do not get the job that you have applied for, we may still have an interest in keeping your personal data to contact you in the event of future vacancies that suits your profile. We will only keep your personal data for this purpose if you consent to the processing.

Categories of personal data Legal basis
·       Contact information

·       CV

·       Cover letter

 

Consent. We will only keep your personal data in a candidate database if you provide us with your consent. We will, annually, ask you to renew your consent if you want to remain registered in the candidate database.
5.2.5 Establish, exercise and defend legal claims

For the purposes of establishing, exercising and defending legal claims (for example in connection with a dispute or legal process) we may process your personal data.

Categories of personal data Legal basis
·       All information mentioned above.

 

Legitimate interest. The processing is necessary in order to fulfil our legitimate interest to establish, exercise or defend the legal claim, for example in connection with a dispute or legal process.
5.2.6 Fulfil legal obligations

Besides legal obligations within the field of employment, we will process your personal data for the purposes of fulfilling legal obligations related to work permit checks, including storage of related documentation.

Categories of personal data Legal basis
·       Identity data

·       Social security number

·       Work permit documentation

Legal obligation. The processing is necessary to fulfil our legal obligations.

 

5.3 With whom do we share your personal data?

5.3.1 General

Where necessary in order to achieve the purposes set out in this Section 5, we share your personal data with other entities, authorities or actors. The categories of recipients mentioned in Section 5.3.2 will process personal data on behalf of us in the capacity as data processors (i.e. such actors will only process your personal data in accordance with our instructions). The categories of recipients mentioned in Section 5.3.3 will process personal data in the capacity as data controllers, i.e. these recipients will determine the purposes and means of the processing without our involvement. Please note however that we, regardless of the recipients’ capacity, only will share your personal data with entrusted actors and only to the extent necessary.

5.3.2 Data processors acting on behalf of us

In order to fulfil the purposes of the processing of your personal data and to be able run our business, we transfer personal data to external parties such as third-party service providers that we have engaged, as well as other partners. These external parties will act as our data processors and may only process your personal data in accordance with our instructions and not for their own purposes. We are the data controller for the processing of personal data that these external parties carry out on our behalf. The purposes of the processing activities carried out by us are outlined in this Section 5.

5.3.3 Recipients that act as data controllers
Recipients Purpose Legal basis
·       Courts and arbitration tribunals

·       Public authorities

·       External advisers

·       Counterparties

 

In order to exercise, establish or defend legal claims, see Section 5.2.5. To fulfil our legitimate interest to manage and defend legal claims, e.g. in relation to a dispute.
·       External recruiters Managing and facilitating the recruitment process, see Section 5.2.1. To fulfil our legitimate interest in ensuring that the recruitment process is carried out as efficiently as possible and that we can employ the best candidates.
·       External background check companies Conducting the vetting process, see Section 5.2.2. To fulfil our legitimate interest in carrying out a vetting process before employing an individual to ensure that we employ appropriate candidates.
·       Reference persons Taking references before deciding to conclude the employment agreement, see Section 5.2.3. Necessary as a measure to conclude the employment agreement with you.

 

5.4 For how long will we process your personal data?

Your personal data will be processed for as long as necessary for the purposes described herein, which generally is for as long as you are in the recruitment process. However, if you do not get the job you applied for, we will store your personal data for as long as you may submit a legal claim related to the rejection of your application. If you agree to it, we may store your data in our candidate database for future recruitment processes. In such case, your data will be stored for up to one year after the recruitment process has ended.

5.5 More detailed information

For more detailed information about the way your personal data is handled in your specific recruitment or talent acquisition process, please go to the information available via your local talent acquisition or recruitment channel.

6. Prospective client contact

6.1 How do we collect your data?

We collect the data processed that has been provided by you, or any other representative with the prospect customer, within our process for evaluating, and communicating with, prospect clients .

6.2 Purposes of the processing of your personal data

6.2.1 Management and administration of prospect clients

We will process your personal data for the purpose of managing and administrating the overall process of approaching and evaluating prospect clients .

Categories of personal data Legal basis
·       Contact information

·       Identity data

 

 

Legitimate interest. The processing of your personal data is necessary in order to satisfy our legitimate interest in being able to administer and manage prospect clients .
6.2.2 Marketing communication

We will process your personal data for the purpose of marketing our services to your organization. You will be able to, at any time, opt-out from our marketing communication, in which case we will cease with our communication.

Categories of personal data Legal basis
·       Contact information

 

 

Legitimate interest. The processing of your personal data is necessary in order to satisfy our legitimate interest in being able to administer and manage prospect clients .
6.2.3 Establish, exercise and defend legal claims

For the purposes of establishing, exercising and defending legal claims (for example in connection with a dispute or legal process) we may process your personal data.

Categories of personal data Legal basis
·       All information mentioned above.

 

Legitimate interest. The processing is necessary in order to fulfil our legitimate interest to establish, exercise or defend the legal claim, for example in connection with a dispute or legal process.
6.2.4 Sharing information with public authorities and international organisations and conducting internal investigations in case of suspected law violations

We may process your data for purposes of bidding for or participating in projects that involve public authorities and/or international organizations, and cooperating with such public authorities and international organisation to prevent and counter criminal activity, breaches of contract, and other violations. In pursuit of this objective, it may be necessary to transfer certain necessary data to public authorities or international organisations for the purpose of their lawful investigations and proceedings. Such transfers will be exceptional, and the scope of the transferred data will be limited to what is necessary for conducting the relevant investigation or proceedings. We may also process your data for purposes of conducting internal investigations in the case of suspected violations of applicable laws.

Categories of personal data Legal basis
·       All information mentioned above and any information included in our communication with you.

 

Legitimate interest. The processing is necessary in order to fulfil our legitimate interest in bidding for or participating in projects, as well as fulfilling our legal obligations (including contractual obligations) and our broader legitimate interest to cooperate with public authorities or international organisations and to provide them with necessary data for their lawful investigations and proceedings.

The processing is also necessary to fulfil our legitimate interest in conducting internal investigations in the case of suspected violations to make sure that we comply with applicable laws.

 

 

6.3 With whom do we share your personal data?

6.3.1 General

Where necessary in order to achieve the purposes set out in this Section 6, we share your personal data with other entities, authorities, actors or international organisations. The categories of recipients mentioned in Section 6.3.2 will process personal data on behalf of us in the capacity as data processors (i.e. such actors will only process your personal data in accordance with our instructions). The categories of recipients mentioned in Section 6.3.3 will process personal data in the capacity as data controllers, i.e. these recipients will determine the purposes and means of the processing without our involvement. Please note however that we, regardless of the recipients’ capacity, only will share your personal data with entrusted actors and only to the extent necessary.

6.3.2 Data processors acting on behalf of us

In order to fulfil the purposes of the processing of your personal data and to be able run our business, we transfer personal data to external parties such as third-party service providers that we have engaged, as well as other partners. These external parties will act as our data processors and may only process your personal data in accordance with our instructions and not for their own purposes. We are the data controller for the processing of personal data that these external parties carry out on our behalf. The purposes of the processing activities carried out by us are outlined in this Section 6.

6.3.3 Recipients that act as data controllers
Recipients Purpose Legal basis
·       Courts and arbitration tribunals

·       Public authorities

·       International organisations

·       External advisers

·       Counterparties

 

In order to exercise, establish or defend legal claims (see Section 6.2.1.), ensure compliance with the law and our contractual obligations. To fulfil our legitimate interest to manage and defend legal claims, e.g. in relation to a dispute.

To fulfil our legitimate interest in being able to fulfil our contractual obligations under the contracts we have entered into and our broader legitimate interest to cooperate with public authorities or international organisations and to provide them with necessary data for their lawful investigations and proceedings.

 

·       International organisations To enable an international organisation to conduct its investigation or proceeding and fulfil its statutory and international law duties. To fulfil the legitimate interest pursued by a third party (international organisation) in being able to conduct an investigation or proceeding and achieve its objectives, as well as fulfil its statutory and international law duties.

 

6.4 For how long to we process your personal data?

Your personal data will be processed for as long as necessary for the purposes described herein, which generally is for as long as we are in contact with you regarding a potential business relationship or if you decide to opt-out from the communication. In general, we will not store your data for longer than one year from our last communication, if we did not enter into a business relationship with the company you represent.

7. Government, public authority or international organisation officials or employees

7.1 How do we collect your personal data?

We collect the personal data that you, or the relevant government, public authority or international organisation that you represent, have provided us within the scope of our professional, commercial or public law relationship.

7.2 Purposes of the processing of your personal data

7.2.1 Administration of professional, commercial or public law relationship

Your personal data will be processed because we have a legitimate interest of administering professional, commercial or public law relationship with an entity you represent and being able to manage the overall cooperation and day-to-day activities relating to e.g. our projects that the public authority or organisation that you represent finance, co-finance or is otherwise involved in.

Categories of personal data Legal basis
·       Contact information

·       Identity data

Legitimate interest. The processing of your personal data is necessary in order to satisfy our legitimate interest in being able to administer our professional, commercial or public law relationships with an entity that you represent, and facilitate e.g. day-to-day communications.
7.2.2 Communicate with you

Within the scope of professional, commercial or public law relationship with an entity that you represent, we will process your personal data when communicate through various channels. The purpose of the processing is to be able to communicate with you within the scope of our relationship.

Categories of personal data Legal basis
·       Contact information

·       Identity data

·       Any information included in our communication with you

 

Legitimate interest. The processing is necessary in order to fulfil our legitimate interest to communicate with our suppliers within the scope of our commercial relationship.
7.2.3 Establish, exercise and defend legal claims

For the purposes of establishing, exercising and defending legal claims (for example in connection with a dispute or legal process) we may process your personal data.

Categories of personal data Legal basis
·       All information mentioned above.

 

Legitimate interest. The processing is necessary in order to fulfil our legitimate interest to establish, exercise or defend the legal claim, for example in connection with a dispute or legal process.
7.2.4 Sharing information with public authorities and international organisations and conducting internal investigations in case of suspected law violations

We may process your data for purposes of bidding for or participating in projects that involve public authorities and/or international organizations, and cooperating with such public authorities and international organisation to prevent and counter criminal activity, breaches of contract, and other violations. In pursuit of this objective, it may be necessary to transfer certain necessary data to public authorities or international organisations for the purpose of their lawful investigations and proceedings. Such transfers will be exceptional, and the scope of the transferred data will be limited to what is necessary for conducting the relevant investigation or proceedings. We may also process your data for purposes of conducting internal investigations in the case of suspected violations of applicable laws.

Categories of personal data Legal basis
·       All information mentioned above.

 

Legitimate interest. The processing is necessary in order to fulfil our legitimate interest in bidding for or participating in projects, as well as fulfilling our legal obligations (including contractual obligations) and our broader legitimate interest to cooperate with public authorities or international organisations and to provide them with necessary data for their lawful investigations and proceedings.

The processing is also necessary to fulfil our legitimate interest in conducting internal investigations in the case of suspected violations to make sure that we comply with applicable laws.

 

 

7.3 With whom do we share your personal data?

7.3.1 General

Where necessary in order to achieve the purposes set out in this Section 7, we share your personal data with other entities, authorities, actors or international organisations. Please note however that we, regardless of the recipients’ capacity, only will share your personal data with entrusted actors and only to the extent necessary.

7.3.2 Data processors acting on behalf of us

In order to fulfil the purposes of the processing of your personal data and to be able run our business, we transfer personal data to external parties such as third-party service providers that we have engaged, as well as other partners. These external parties will act as our data processors and may only process your personal data in accordance with our instructions and not for their own purposes. We are the data controller for the processing of personal data that these external parties carry out on our behalf. The purposes of the processing activities carried out by us are outlined in Section 7.2.

7.3.3 Recipients that act as data controllers

The categories of recipients mentioned in the table below will process personal data in the capacity as data controllers, i.e. these recipients will determine the purposes and means of the processing without our involvement.

Recipients Purpose Legal basis
·       Courts and arbitration tribunals

·       Public authorities

·       External advisers

·       Counterparties

·       International organisations

 

In order to exercise, establish or defend legal claims (see Section 3.2.2.), ensure compliance with the law and our contractual obligations. To fulfil our legitimate interest to manage and defend legal claims, e.g. in relation to a dispute.

To fulfil our legitimate interest in being able to fulfil our contractual obligations under the contracts we have entered into and our broader legitimate interest to cooperate with public authorities or international organisations and to provide them with necessary data for their lawful investigations and proceedings.

 

·       International organisations To enable an international organisation to conduct its investigation or proceeding and fulfil its statutory and international law duties. To fulfil the legitimate interest pursued by a third party (international organisation) in being able to conduct an investigation or proceeding and achieve its objectives, as well as fulfil its statutory and international law duties.

7.4 For how long to we process your personal data?

Your personal data will be processed for as long as necessary for the purposes described herein, which generally is for as long as you are the representative or employee of the respective government, public authority or international organisation or for as long as we have an ongoing professional, commercial or public law relationship with the entity you represent.

8. Appropriate safeguards for transfers of personal data outside of the EU/EEA

We may transfer or disclose personal data to recipients located outside the EU/EEA (third country), mainly in situations where we are using third-party data processors that will process data in a third country.

When we transfer or disclose your personal data to a recipient in a country outside of the EU/EEA, we will always ensure that appropriate safeguards have been taken (such as the EU Commission’s standard contract clauses, including other supplementary safeguards as necessary in each case) to protect the personal data. Further, we are regularly carrying out risk assessments to assess what supplementary measures that needs to be taken to protect the personal data subject to the transfer or disclosure.

We may also transfer your personal data to international organisations, in particular in connection with their investigations or proceedings relating to Sweco projects that these organisations finance or co-finance, or otherwise as needed to fulfil our contractual obligations on those projects or in the course of bidding for projects. In the absence of a decision by the European Commission finding an adequate level of protection in such an international organisation and the impossibility of applying appropriate safeguards, we will transfer your data based on an important public interest derogation under Article 49(1)(d) GDPR. Such transfer will be exceptional and will only occur if it is necessary for important reasons of public interest.

If you would like further details about the processing of your personal data and whether your personal data is transferred to a third country or an international organisation, please contact us on the contact details as set out below under Section 9.

9. Your rights

Under applicable data protection laws, you have certain rights in relation to the processing of your personal data. We process your personal data to the extent necessary in order to fulfil your rights. Please submit requests for exercising your rights by contacting us on the contact details set out in Section 9 below.

You have, under certain circumstances, the right to exercise the following rights:

Access

You may request confirmation whether or not personal data is processed and, if that is the case, access your personal data and additional information such as the purposes of the processing. You are also entitled to receive a copy of the personal data undergoing processing. If the request is made by electronic means the information will be provided in a commonly used electronic format if you do not request otherwise.

Object to certain processing

You have the right to object to the processing of your personal data based on a legitimate interest for reasons which concerns your particular situation. In such a situation, we will stop using your personal data where the processing is based on a legitimate interest, unless we can show that the interest overrides your privacy interest or that the use of your personal data is necessary in order to manage or defend legal claims.

Rectification

You have at any time the right to have inaccurate personal data rectified, as well as, taking into account the purposes of processing, the right to have incomplete personal data completed which relates to you.

Erasure

You may have your personal data erased under certain circumstances, such as when your personal data is no longer needed for the purposes for which it was collected. However, we cannot delete your personal data if we e.g. are obligated under law to keep the data.

Restriction of processing

You may ask us to restrict the processing of your personal data to only comprise storage of your personal data under certain circumstances, such as when the processing is unlawful, but you do not want your personal data erased. If the processing of your personal data has been restricted we may only, besides storing the data, process your personal data with your consent, or in order to establish, exercise or defend legal claims or to defend rights of others.

Withdrawal of consent

You have the right to at any time withdraw your consent to processing of personal data to the extent the processing is based on your consent.

Data Portability

You may ask to receive a machine-readable copy of the personal data processed on the basis of your consent or on the basis that the processing is necessary in order to perform an agreement with you, and which personal data have been provided to us by you (data portability) and ask for the information to be transferred to another data controller (where possible).

Complaints to the supervisory authority

You always have the right to lodge complaints pertaining to the processing of your personal data to the Gegevensbeschermingsautoriteit.

10. Contact information

If you have any questions or concerns regarding the processing of your personal data, please contact  privacyofficer@swecobelgium.be.