Data protection policy

1. Introduction

The Izimi platform (hereafter referred to as the “Platform”) is managed by the non-profit organisation Royal Federation of Belgian Notaries (hereafter referred to as “Fednot”), whose registered office is at 30-34, Rue de la Montagne in 1000 Brussels, registered with the Crossroads Bank for Enterprises (BCE) under the number 0409.357.321.

Within the framework of management of this Platform and the administration of the services proposed on it, we are required to process your personal data in our capacity as “Data Controller” within the meaning of the EU General Data Protection Regulation ([EU] Regulation 2016/679, hereafter referred to as “GDPR”) and, as such, we acknowledge the importance of respecting your privacy.

This Data Protection Policy (hereafter referred to as the “Policy”) is designed to inform you about the type of data we collect, how we process them, for which purposes and how you may exercise your rights in connection with your personal data.

For any question directly connected with this Policy, please contact our Data Protection Officer, the non-profit organisation Privanot asbl:

• via email: dpofednot@privanot.be
• by post: 30, rue de la Montagne, 1000 Brussels.

This Policy was updated on 3 November 2022.

2. Terminology

“Personal data”: any information relating to an identified or identifiable natural person (hereafter referred to as the “data subject”); a data subject is considered to be an “identifiable natural person” who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or one or more factors specific to the natural person’s physical, physiological, genetic, mental, economic, cultural or social identity.

“Processing”: any operation or any set of operations which is performed on personal data or on sets of data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Data Controller”: the natural or legal person, public authority, agency or other body who or which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the data controller appointed or the specific criteria for its appointment may be provided for by Union or Member State law.

“Subcontractor”: the natural or legal person, public authority, agency or other body who or which processes personal data on behalf of the Data Controller.

“Consent” of the data subject: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

“DPO” – “Data Protection Officer”: the DPO is the guarantor of personal data protection and privacy. The DPO enables the Data Controller to have the necessary support available in order to ensure that your personal data are processed properly, securely and transparently. The DPO’s role is to advise, monitor, encourage and stimulate the Data Controller. The DPO shall intervene at the appropriate time for any issues relating to personal data processing.

3. Information relating to the processing of personal data carried out

3.1.  What personal data do we collect?

We may collect the following personal data:

• data relating to your identity and your contact data: title, surname, given names, identification number in the National Register (according to authorisations 065/2020 and 098/2020 issued by the FPS Interior), Rbis identification number (according to authorisation 21/086 by the Information Security Committee-Social Security and Health Chamber), account identifier, date of birth, date of death, postcode, email address or any other data contained in your “profile”,
• access logs to your digital vault, to the National Register and to the Rbis identification number,
• the details of other users whom you have appointed as “contacts” or “reference notary”,
• the data contained in the documents present in your digital vault.

These personal data may be connected when:

• you register,
• you connect to the Platform (via your electronic identity card or ITSME®),
• you consult the National Register (according to authorisations issued by the FPS Interior),
• you update your profile data,
• you add users to the list of your “contacts” or your “reference notary”,
• you upload documents to your digital vault.

The personal data relating to notaries come from Notabase, the authentic source of Belgian Notaries containing in particular the details of notaries in Belgium and Fednot’s database (RBRnot).

3.2.  For what purposes do we process your personal data and how long do we store your data?

By collecting your personal data, by storing them and – if necessary – by transmitting them at your request to other users of the Platform or to third party partners, we may perform “personal data processing” within the meaning of GDPR.

Such processing only occurs when the end purposes are the following:

• management of the Platform and its accesses,
• provision of services as described in our Conditions of Use,
• improvement of the Platform and of the services offered there,
• sending of newsletters concerning the Platform and the services offered there.

With the exception of the times mentioned hereafter, we store your personal data as long as you are a user and you have a digital vault within the Platform. Beyond this period, we no longer store any non-anonymised data concerning you apart from any data contained in a document you have exchanged with another user and which the latter might have subsequently saved in his or her vault.

The access logs to your digital vault, to the National Register and to the Rbis are kept for 10 years for evidence purposes.

The data necessary for sending you the newsletters (email address) are saved as long as you do not indicate your wishes to unsubscribe from the newsletter.

3.3.  On what legal bases do we process your personal data?

In accordance with GDPR, the processing of your personal data is based on:

• With regard to your email address and your personal data from the National register or the Rbis collected at the time of your identification via an eID card reader or Itsme®:
  • the performance of our task carried out in the public interest (Art. 6. 1. e) GDPR),
  • our legitimate interest in processing your personal data with a view to ensuring platform security and personal access to your digital vault as long as this proportionate interest respects your fundamental rights and freedoms (Art. 6. 1. f) GDPR),
  • the existence of a contractual relationship between Fednot and you, which justifies the processing of your personal data to enable us to perform the services you require (Art. 6. 1. b) GDPR).

• With regard to your other profile personal data, the details of your “contacts” and “reference notary” together with the data contained in the documents present in your digital vault:
  • your consent (Art. 6. 1. a) GDPR),
  • the existence of a contractual relationship between Fednot and you, which justifies the processing of your personal data to enable us to perform the services you require (Art. 6. 1. b) GDPR),
  • our legitimate interest in processing your personal data as long as this proportionate interest respects your fundamental rights and freedoms (Art. 6. 1. f) GDPR),
  • if appropriate, compliance with a legal obligation to which we might be subject (Art. 6. 1. c) GDPR).

• With regard to your email address for the sending of newsletters:
  • your consent (Art. 6. 1. a) GDPR),
  • our legitimate interest in processing your data for the purpose of keeping you informed of the new features or adaptations of the Platform as long as this proportionate interest respects your fundamental rights and freedoms (Art. 6. 1. f GDPR).

3.4.  Are your personal data communicated to third parties?

Your personal data are likely to be transmitted to:

• other users of the Platform (“contacts” and “reference notary”) you have previously nominated to exchange documents with them,
• third party partners with whom you indicated your wish to connect through the intermediary of the Platform with a view to exchanging documents.

We may also be required to transmit your personal data to the authorities, administrations or jurisdictions if legal provisions compel us to do so.

We will not transmit your personal data to third parties for commercial purposes under any circumstances.

4. What are your rights and how to exercise them?

According to the type of processing and the applicable lawful basis, you have several possibilities to maintain control over your personal data:

• right to access your data,
• right to rectify your data,
• right to object to the processing of your personal data,
• right to restrict the processing of your data,
• right to have your data erased,
• right to withdraw your consent,
• right to request the portability of your personal data.

The exercise of the rights set out above is free of charge. We may, however, charge a reasonable fee if your request is patently unfounded, repetitive or excessive. We may also refuse to respond to your request for these same reasons.

In the context of a request to exercise a previously mentioned right, we will answer you within one month. This time limit may exceptionally be extended, in accordance with legal provisions. In this case, we will notify you in advance while stating the reasons for our decision.

If you have a question or a complaint concerning the way in which we process your personal data, you may contact our Data Protection officer, Privanot asbl:

• via email: dpofednot@privanot.be
• by post: 30, rue de la Montagne, 1000 Brussels.

In addition to the rights listed above, you also have the right to lodge a complaint with the Data Protection Authority (APD-GBA) – 35, rue de la Presse, 1000 Brussels – phone number 02/274 48 00.

5. How do we protect your personal data?

The measures we take

We are aware of the importance of the security of your personal data. We take all necessary measures to ensure the security and confidentiality of your personal data and to ensure an optimum level of security. This way we take particular care in preventing data from being damaged, unintentionally erased or accessed by unauthorised third parties.

To this end, we use access controls, firewalls and secure servers, and we encrypt personal data, particularly the data contained in the documents in your digital vault.

The measures we ask you to take

We do our utmost to provide the best possible protection of your personal data. Nevertheless, effective protection is possible only if you take certain measures yourself.

We therefore ask you in particular to:

• provide us with complete and accurate information,
• ensure the confidentiality of your identifiers that allow you to access the Platform. These are strictly personal and may not be communicated to a third party under any circumstances.