1. Introduction 

This Privacy Policy concerns all data collected and used by the Alliance Française de Bruxelles-Europe (hereinafter “Alliance Française”), whose registered office is located at Avenue des Arts 46, 1000 Brussels, company number BCE 0408.099.685.

The objective of the Alliance Française is to promote French thought and culture. To achieve this aim, it holds meetings, conferences, concerts, exhibitions, performances, celebrations and trips, and supports the establishment of clubs, libraries, language courses and French literature courses.

This Privacy Policy concerns the processing carried out by the Alliance Française for processing related to its website.

2. Definitions

Supervisory Authority: An authority designated by the Member State pursuant to Article 51 of the GDPR. In Belgium, this is the Data Protection Authority (Autorité de protection des données).

Personal data (or Data): Any information relating to an identified or identifiable natural person (“Data Subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.

Sensitive data: Personal data relating to sensitive aspects such as racial or ethnic origin, political opinions, religion or any other beliefs, health or medical conditions, criminal records, trade union membership, or sexual orientation. Sensitive data may notably be processed with the consent of the data subject. If the data subject communicates sensitive data, they consent to the processing of such data by the Data Controller.

Supplier: A natural or legal person who habitually provides certain products and services to the Data Controller.

Prospective Learner: A natural person who has registered to follow a course at the Alliance Française, without this course having yet started.

Internet User: A natural person visiting the domain www.alliancefr.be.

Notification: The information provided to the Supervisory Authority by the Data Controller, in accordance with Article 33 of the GDPR, in the event of a Personal Data Breach.

Data Subject: A natural person whose Data is processed by the Data Controller.

Privacy Policy or Policy: This document concerning the protection of personal data.

Applicant: A natural person applying for a job or internship following a job posting or spontaneously, for a vacant or non-vacant position within the Alliance Française.

Data Controller: The natural or legal person, public authority, agency or other body which determines the purposes and means of the processing; in this case, the Alliance Française.

GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

Processing: Any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, restriction, erasure, or destruction.

Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.

3. What Data is collected and why does the Data Controller retain this Data?

3.1 Principle

In accordance with the GDPR, Data is collected for specific purposes.

Data collection must also rely on one of the legal bases provided in Article 6 of the GDPR.

If the Data Controller decides to use the Data for a purpose other than the one indicated in the Policy, the Data Subject will be informed beforehand.

This Policy aims to present to the Data Subject the purposes and the applicable legal grounds for the processing of their personal data.

3.2 Categories of Data collected

Personal data is categorised according to the Recommendation of the Data Protection Authority (Recommendation No. 06/2017 of 14 June 2017 regarding the Record of Processing Activities – Article 30 GDPR).

The types of data listed in each category are mentioned to help the Data Subject understand the data that may be associated with a category, without implying that all listed data is actually processed by the Data Controller.

Leisure activities and interests	Hobbies, sport, other interests.
Career	previous jobs and employers, unemployed periods, military service.
Academic curriculum	History of schools, establishments, universities attended, nature of the courses taken, diplomas targeted, exam results, other diplomas obtained, assessments of academic progression.
Personal details	Age, sex, date of birth, place of birth, marital status and nationality.
Identification data issued by utilities other than national registry number	Identity card, passport, driver’s license, pension, license number number.
Personal Identification Data	Name, title, address (private and professional), previous addresses, telephone number (private, professional), identifiers assigned by the controller.
Current job	Employer, title and description of the position, grade, date of recruitment, place of work, specialization or type of company, working conditions and conditions, previous functions and previous experience with the current employer.
Image recordings	Movies, photographs, video recordings, digital photos.
Function training	Details of training needs specific to the function and the training received, qualifications obtained and skills acquired.
Professional Qualifications	Patents and vocational training, special licenses.

3.3 If the Data Subject is an Internet User

Processing operations include:

Contact form submission:

• Purpose: Handling requests
• Categories: Personal identification data
• Legal basis: Legitimate interest of the Data Controller or a third party

Management of social media competitions:

• Purpose: Direct marketing
• Categories: Personal details; Identification data; Public-service-issued identification data
• Legal basis: Consent

Newsletter management:

• Purpose: Direct marketing
• Categories: Personal identification data; Current employment
• Legal basis: Consent

Marketing studies:

• Purpose: Direct marketing
• Categories: Personal identification data
• Legal basis: Legitimate interest

3.4 If the Data Subject is a Prospective Learner

The data processing activities carried out are as follows:

Organisation of activities at La Fabrique

• Purpose of processing: Communication and marketing.
• Categories of personal data: Personal details, Personal identification data.
• Legal basis: Legitimate interests of the data controller or a third party.

Organisation of cultural events

• Purpose of processing: Communication and marketing.
• Categories of personal data: Academic background, Personal details, Personal identification data.
• Legal basis: Legitimate interests of the data controller or a third party.

Creation of an account on the Alliance Française Bruxelles-Europe website

• Purpose of processing: Management of course registrations.
• Categories of personal data: Personal details, Personal identification data, Current employment.
• Legal basis: Necessary for the performance of a contract.

Invitations and exceptional outreach

• Purpose of processing: Direct marketing.
• Categories of personal data: Personal identification data, Current employment.
• Legal basis: Legitimate interests of the data controller or a third party.

Organisation of events

Legal basis: Legitimate interests of the data controller or a third party.

Purpose of processing: Communication and marketing.

Categories of personal data: Personal details, Personal identification data, Attendance and conduct.

3.5 If the Data Subject is an Applicant

The data processing carried out is as follows:

Reception and storage of applications (spontaneous/vacant positions):

Purpose: Personnel and intermediary administration
Categories of personal data: Leisure activities and interests, Career, Academic background, Personal details, Personal identification data, Current employment, Image recordings, Job-related training, Professional qualifications

Legal basis: Necessary for the performance of a contract

4. How long is Data retained?

The Data Controller retains the Data for the time necessary to fulfil the purpose of the processing and meet legal obligations.

Retention periods depend on various criteria: legal obligations, type of processing, purpose, storage location, type of Data Subject, and type of Data collected.

Retention periods for specific processing operations can be provided upon request.

In all cases, Data is stored in accordance with legal retention periods.

5. Who collects the Data?

Data may be collected by the Data Controller, by the website host, or by processors. The Data is then transmitted to the Data Controller.

A list of processors can be provided upon request.

Some processors may be located in a third country outside the EEA that ensures an adequate level of protection as determined by the European Commission.

Where processors are located in countries that do not provide equivalent protection, the Data Controller takes specific measures in accordance with EEA data protection legislation.

6. How is the Data collected?

Data is collected during interactions with the Data Controller in person, by telephone, by mail, email, via the website, or by its processors.

7. Why do we collect your Data?

Data is collected to promote the dissemination of French thought and culture through meetings, conferences, concerts, exhibitions, performances, celebrations, trips, clubs, libraries, language and literature courses.

Data may also be collected to ensure proper performance of contracts, or for the management of suppliers, subsidies, and service-related contracts.

Data is also collected to comply with legal obligations, including accounting, court decisions, public authority requests, and to protect the interests of the Data Controller and its partners.

Data may also be collected for legitimate interest, particularly for security purposes.

8. With whom is the Data shared?

Data may be shared with third parties directly affiliated with the Data Controller when necessary, including:

• In case of disputes: lawyers, collection agencies, etc.
• Accountant, public authorities, etc., to comply with legal obligations.

A list of providers is available upon request.

9. How do we secure the Data?

Appropriate technical and organizational measures have been implemented to ensure a level of security proportionate to the risks, including, as needed:

• Measures to ensure the confidentiality, integrity, availability, and continuous resilience of processing systems and services;
• Measures to restore the availability of personal data and access to them within appropriate timeframes in the event of a physical or technical incident;
• An internal policy regarding the processing of personal data;
• Limited data retention periods;
• Access to the information system restricted to authorized personnel responsible for the protection of personal data;
• Details of these security measures can be provided upon request.

10. What are your rights?

Depending on the type of processing carried out on personal data, the data subject may exercise several of the following rights:

10.1 Right to information
Every data subject has the right to be informed about the personal data collected. This Privacy Policy is provided by the data controller to fulfill this information obligation.

A data subject who wishes to obtain more information about the personal data collected may be denied this request in the following cases:

• The data subject already has this information;
• The request requires disproportionate or impossible effort;
• Providing this information could seriously compromise the purpose of the processing.

10.2 Right of access
Every data subject has the right to access their personal data.

To do so, the data subject must submit a request to the relevant department of the data controller, so that the controller can provide details of the specific data held, subject to the rights and freedoms of others which cannot be affected.

A response must be provided within one month of the request. This period may be extended by an additional month depending on the complexity and number of requests. In such cases, the data subject will be informed within one month of their request.

The data controller may charge “reasonable fees” based on administrative costs for providing these documents if the request is excessively frequent, unfounded, or manifestly intended to abuse the right of access.

10.3 Right to rectification
Every data subject has the right to obtain from the data controller, without undue delay, the rectification of inaccurate personal data concerning them.

The data subject may also request that incomplete data be completed, for example by providing a supplementary statement.

The data controller will notify the data subject once this has been done.

10.4 Right to erasure
The data subject may request the erasure of their personal data when one of the following applies:

• The data are no longer necessary for the purposes for which they were collected or processed by the data controller;
• The data subject withdraws consent and there is no other legal basis for processing;
• The data subject objects to processing necessary for the legitimate interests pursued by the controller or a third party;
• The data subject exercises their right to object;
• The data have been unlawfully processed;
• The data must be erased to comply with a legal obligation under EU law or the law of a Member State to which the data controller is subject.

Upon such a request, the data controller will take reasonable steps to erase the data within one month and will notify the data subject of the action taken.

If the data controller refuses the request, the refusal will be justified.

The right to erasure does not apply when processing is necessary:

• For the exercise of the right to freedom of expression and information;
• To comply with a legal obligation or to perform a task carried out in the public interest or in the exercise of official authority;
• For the establishment, exercise, or defense of legal claims;
• For archiving or statistical purposes as provided in Article 89 of the GDPR.

10.5 Right to restriction of processing
The data subject has the right to obtain restriction of processing when one of the following applies:

• The accuracy of personal data is contested by the data subject, for a period allowing the controller to verify the accuracy;
• Processing is unlawful and the data subject opposes erasure and requests restriction instead;
• The controller no longer needs the personal data for processing, but the data are still required by the data subject for the establishment, exercise, or defense of legal claims;
• The data subject has objected to processing based on legitimate interests during the verification of whether the controller’s legitimate interests override those of the data subject.

During restriction, personal data may only be processed with the data subject’s consent, for the establishment, exercise, or defense of legal claims, to protect the rights of another individual or legal entity, or for important reasons of public interest of the Union or a Member State.

The data controller will notify the data subject once the restriction has been applied.

10.6 Right to data portability
When the processing of a data subject’s personal data is based on their consent or a contract, and processing is carried out using automated means, and provided the data have not been anonymized, the data subject may request to receive the data in a structured, commonly used, machine-readable format, where technically feasible.

The data subject may transmit these data to another data controller without hindrance from the original controller.

10.7 Right to object
The data subject has the right to object at any time, for reasons related to their particular situation, to the processing of their personal data based on public interest or legitimate interests, including profiling based on such interests.

The data subject may also object to processing based on consent or a contract when the data were collected for marketing, archival, or statistical purposes.

The data controller will no longer process the data unless it demonstrates compelling legitimate grounds that override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims.

11. How can you exercise your rights?

Requests may be submitted by email to: rgpd@alliancefr.be

If you are not satisfied with the follow-up, you may exercise your rights or lodge a complaint with the Data Protection Authority:

Telephone: (+32) (0)2 274 48 00
Email: contact@apd-gba.be
Online form: official Data Protection Authority website
Address: Autorité de Protection des Données, Rue de la Presse 35, 1000 Brussels, Belgium
Fax: (+32) (0)2 274 48 35