PRIVACY POLICY

Bright Link S.A. takes care of your privacy and always acts in accordance with the provisions of Belgian and European law applicable to privacy, including in particular the law of 30 July 2018 on the protection of individuals with regard to the processing of personal data and the General Data Protection Regulation (GDPR). This privacy policy applies to all our customers, visitors to our websites and users of our digital platform. By using our website, using the products and services offered by Bright Link S.A. via our platform or participating in our actions, you expressly accept the way in which Bright Link S.A. collects and processes personal data.

LETTER FROM THE CEO

The General Data Protection Regulation (GDPR) is a European Union regulation which, as from 25 May 2018, applies to all organisations that collect and process the personal data of Union citizens. As a responsible and forward-looking company, Bright Link recognizes at the highest level the importance and necessity of complying with the GDPR and ensuring that effective measures are in place to protect the personal data of our customers, employees and other stakeholders. The commitment to personal data security extends to the highest levels of the organization and will be demonstrated by relevant internal policies and the provision of appropriate resources to establish and develop effective data protection and information security controls. In order to comply with our legal obligations, we have put in place a comprehensive program to validate our use of personal data and to confirm the legal basis for our processing. This updated privacy policy is available in electronic form and has been communicated within the organization and to all relevant stakeholders and interested third parties. We will also ensure that a systematic review of this program is carried out on a regular basis to ensure that its objectives are achieved on an ongoing basis, and that relevant issues are quickly identified and addressed.

Where appropriate, a data protection impact assessment approach in accordance with the requirements and recommendations of the DSMP and best practices will be used. Risk management is carried out at several levels within the organisation: risk assessment for the personal data we collect and process, regular assessments of information security risks in specific operational areas, and risk assessment in the context of significant changes, including data protection impact assessments (DPIAs).

We encourage all employees and other stakeholders in our company to ensure that they play their part in complying with the principles of the GDPR at all times, and in meeting our information security objectives.

SYNTHESIS

Bright Link S.A. complies with all the principles of the GDPR through organizational and technical measures.

IN ITS ACTIVITIES WITH ITS CUSTOMERS

For the PBT product, Bright Link acts as a « subcontractor » (processor) while Bright Link’s direct customer functions as « controller ». Due to the small size of Bright Link, the roles of Data Protection Officer (DPO) and Information Security Manager are centralized under the direct responsibility of the company’s CEO.

Bright Link uses several subcontractors, mainly for technical reasons; all of them are GDPR aligned.

Bright Link data processing consists of any automated or manual operations applied to personal or organizational data that globally preserve human capital by creating value-added information through data processing.

The nature of the personal data processed is mainly: personal characteristics, lifestyle and health information. However, the impacts of the GDPR on Bright Link activities are quite limited because Bright Link anonymizes all individual sessions. The principle of « systematic pseudonymization when, and where, it is possible » is a central axiom of how Bright Link deals with privacy, data confidentiality and GDPR issues.

Bright Link has implemented various technical measures to optimize GDPR compliance and data privacy, both through the use of its Cloud platform and in the way data is managed and processed. In addition, Bright Link has also implemented organizational measures to ensure the highest possible level of data security.

The main focus of the data privacy policy: pseudonymization and anonymization.

Main technical and organisational measures:

  • Activation of consent prior to the start of the investigation
  • Protection of the survey by personal password
  • Encrypted and password-secured PDF reports
  • Ethical rule of « 10 » for the publication of segmented consolidated results; individual results are protected and not disclosed
  • Third parties must comply with the GDPR
  • Digital platform security (SSH)
  • HTTPS encryption
  • Risk management of personal data
  • Security incident management process
  • Data protection impact assessments

ON THIS WEBSITE

Confidential information is collected only for administrative and account configuration purposes for PBT customers. The information collected and stored is:

  • Email
  • Password
  • Language preference

ROLES AND RESPONSIBILITIES

One of the key attributes of an effective approach to data protection is a clear assignment of roles, each with defined responsibilities. Each of these roles is assigned to specific individuals or groups in Bright Link. It is essential that all Bright Link members understand the role they must play in protecting the personal data we hold and process about individuals.

By ensuring that roles and responsibilities are clearly defined, we are in a good position to prevent many data protection incidents affecting personal data and to react effectively and appropriately, if necessary.

In the data protection framework relevant to our compliance with the GDPR, the following key roles have been defined:

  • Data controller
  • Subcontractor
  • Data Protection Officer (DPO) / Information Security Officer

The specific responsibilities for each of these roles are defined in the following sections of this document.

PERSON RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA

« Personal data » means any information relating to an identified or identifiable natural person (hereinafter referred to as « data ») as stipulated in the General Data Protection Regulation.

« Processing » means any operation or set of operations concerning data or a set of data, whether or not carried out by means of automated processes, such as collection, recording, organisation, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, matching or interconnection, limitation, erasure or destruction of data.

Bright Link S.A., chemin du Cyclotron, 6, 1348 Louvain-la-Neuve, with company number 0662.639.464 is the controller of your data (hereinafter referred to as « Bright Link S.A. »).

Bright Link S.A. has a contact point within the company in charge of data protection. You can contact them with any questions via: info@brightlink-solutions.com

However, in order to exercise your rights, we ask you to first use the possibilities provided for in Article 5.

SUBCONTRACTOR

The GDPR defines a « processor » as « a natural or legal person, a public authority, an agency or other body processing personal data on behalf of the controller ». As a result, the responsibilities described below may be assigned to an individual or may be considered applicable to the organization as a whole. Bright Link acts as a subcontractor for Bright Link’s customers in the case of PBT.

The data processor (Bright Link) has the following responsibilities:

  • Ensure that any processing of personal data is governed by a contract or other legal act specifying the purpose and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects and the obligations and rights of the controller;
  • Process personal data only on written instructions from the controller, including with regard to the transfer of personal data to a third country or international organisation;
  • Ensure that persons authorised to process personal data have undertaken to respect confidentiality or are subject to an appropriate legal obligation of confidentiality;
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing of personal data;
  • Obtain prior written authorization, specific or general, from the controller before hiring another processor;
  • Assist the controller in fulfilling his obligation to respond to requests for the exercise of the data subject’s rights;
  • Delete or return all personal data to the controller after the end of the provision of the services related to the processing operation;
  • Make available to the controller all the information necessary to demonstrate compliance with the obligations set out in the GDPR and to allow and contribute to audits, including inspections, carried out by the controller or another auditor mandated by the controller;
  • Maintain a record of all categories of processing activities carried out on behalf of a controller;
  • Cooperate, upon request, with the supervisory authority in the performance of its tasks;
  • Ensure that any person acting under the authority of the controller having access to personal data shall not process them unless instructed by the controller;
  • Notify the controller without delay after becoming aware of a breach of personal data;
  • Appoint a data protection officer when required by the GDPR, publish his or her contact details and communicate them to the supervisory authority;
  • Support the Data Protection Officer in the performance of their tasks by providing the necessary resources for the performance of these tasks and access to personal data and processing operations, and by maintaining their knowledge.

DATA PROCESSING OBJECTIVE

Bright Link data processing includes all automated or manual operations applied to personal or organizational data that globally preserve human capital by creating value-added information as a result of data processing.

This includes:

  • Data collection and extraction
  • Data storage and management
  • Data organization and structuring
  • Data analysis
  • Transformation of data into individual diagnostic risk reports
  • Consolidation, data fusion and transformation into institutional diagnostic risk reports
  • Communication and sharing of data with persons authorised by the controller
  • Deleting data

More specifically, the objectives of Bright Link data processing are as follows:

  • Create and disseminate an individual risk diagnosis for the prevention of chronic fatigue and absenteeism;
  • Identify at-risk individuals early and connect them confidentially with appropriate individual support channels;
  • Create and implement a balanced global mapping of risks, « well-being and stress », to enable the creation and implementation of improved prevention policies;
  • Analyze risks on a consolidated basis in several breakdowns to identify the organization’s priority sub-structures and thus allow prevention initiatives adapted and adjusted according to risks.

SECURITY AND CONFIDENTIALITY

Bright Link S.A. has taken all appropriate technical and organisational measures to protect the information and data collected against destruction, loss, unintentional modification, damage, accidental or unauthorised access or any other unauthorised processing of data. To ensure this security, Bright Link S.A. uses, among other things, encryption of communication between the server and your computer, firewalls, antivirus scans, access controls, logs and backups. The number of employees with access to your data is limited and such access is only granted to the extent necessary for the performance of their duties. While Bright Link S.A. works with subcontractors to provide the various services and products it offers, it has entered into the necessary agreements with these subcontractors to ensure the protection of your data. In addition, we have integrated the necessary policies and procedures within our organisation and have appointed a data protection officer.

NATURE OF PERSONAL DATA

Your data may be collected in various ways when you are an employee of a Bright Link S.A. customer company or organization. However, Bright Link completely anonymizes the information collected and the sessions created. In the GDPR, personal data refers to any information relating to an identified or identifiable natural person (« data subject »); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Bright Link processing corresponds to the following types of data, as categorised by the GDPR:

  • Direct individual identifiers (name, national security, identity card, passport, biometric data, video, image, voice): NO
  • Indirect individual identifiers (telephone numbers, e-mails, address): YES
  • Personal characteristics (gender, age, nationality, level of education) and career information (seniority, position, department, contract status): YES
  • Lifestyle information (eating habits, social life, finances, logistics, family items, hobbies, travel): YES
  • Digital individual identifiers (IP address, cookies, connected devices): YES
  • Tracking and GPS / IoT: NO
  • Social networks and Internet behaviors: NO
  • Surveys: YES
  • DNA and medical identifiers: NO
  • Data relating to religions, sexual and philosophical orientation, ethnic groups or political opinions: NO
  • Data relating to membership of a trade union or work organisation: NO
  • Individual physical or mental health data: YES
  • Data on judicial administration (detention): NO
  • Financial, investment or insurance data (salaries, assets, debts), pensions, payments, transactions: NO
  • Work services (time sheet, days of absence, specific contract clauses, social and in-kind benefits, results evaluation): NO

NATURE AND RIGHTS OF PROTECTED PERSONS

The following persons are « data subjects »: individuals (employees, workers, managers, agents) under current employment contracts with an organization, company or public administration. The data subject has rights under the GDPR that are fully reconciled with the Bright Link approach; these rights are managed via Bright Link’s support email, as indicated in the mandatory consent form presented at the start of any data collection process:

  • Right to information
  • Right of access
  • Right of rectification
  • Right to delete (right to be forgotten)
  • Right to restrict processing
  • Right of notification in the event of rectification or deletion
  • Right to data portability
  • Right of objection
  • Right to object to automated decision-making

PLACE OF PROCESSING AND INTERNATIONAL TRANSFER

The Bright Link digital platform is maintained and managed in Belgium. However, the server and database are managed by Amazon Web Services (AWS), used as a subcontractor for its remote server services. These are located in Europe (Frankfurt, Germany). Both set-ups are therefore within the EU. See also the presentation of our subcontractors acting for Bright Link and their specific privacy policies (« Roles and Responsibilities »). Bright Link processes personal data only in the European Union and may not grant access to or transfer personal data (or any other information processed by a processor on behalf of the controller) to a recipient located in a country outside the European Union without the controller’s consent.

The controller may, at his sole discretion, give written consent subject to other conditions, for example the conclusion of a contract on the basis of standard EU contractual clauses. This obligation applies subject to any legal provisions to the contrary in the law of the Union or the Member States.

USE OF DATA FOR RESEARCH AND STATISTICAL PURPOSES

Bright Link is a university spin-off and its scientific DNA remains an important value. Consequently, anonymised data sessions may be further processed for scientific research or statistical purposes (information relating to well-being or stress at work), which implies that the data are aggregated and/or that the personal identification of any natural person or respondent cannot be obtained, stored, managed, used, processed or transmitted.

PRINCIPLE OF CONFIDENTIALITY

Bright Link, as a subcontractor, or any person acting under the authority of Bright Link and having access to personal data, may only process such data if it is required to respect the utmost confidentiality regarding any personal data of which it has knowledge, unless the disclosure of such personal data is required for the proper performance of their duties by the law of the Union or of a Member State to which the subcontractor is subject. In this case, the processor will inform the controller of this legal obligation before disclosing the personal data, unless the law concerned prohibits such information for an important reason of public interest.

COOKIES AND OTHER TECHNOLOGIES

You can visit our website without providing your personal data. Our website uses « cookies », which are small pieces of information that are stored by the browser on your computer, allowing us to record certain information about users of our website (e.g. language, length of your visit to the page, …).

Cookies will be used on these websites to be able to offer you a better service by, for example, informing us of your language or identifying you the next time you visit the website. They help to better tailor the websites to your needs, preferences and convenience. Cookies can also be used to make the content or advertising of a website more personalized. Cookies themselves cannot collect information stored on your computer or files. For more information about how we use information collected by cookies, please refer to our Privacy Policy posted on the Site.

STORAGE TIME

Bright Link S.A. keeps your data exclusively for as long as we are obliged to keep it under a legal obligation or as long as we can serve you in accordance with our Privacy Policy and the purposes for which it was collected. In this context, Bright Link S.A. will conduct an annual evaluation. Of course, you still have the right to invoke your rights as explained above.

RISKS ASSOCIATED WITH THE USE OF THE INTERNET AND ONLINE APPLICATIONS

The use of our websites, services and products online implies knowledge and acceptance of the characteristics and limitations of the Internet, in particular with regard to technical performance, response times for consulting, requesting or sending information, or the risks of interruption, and more generally, the risks inherent in all Internet connections and transmissions, the lack of protection of certain data against possible abuse and the risks of contamination by possible viruses circulating on the network.

AMENDMENTS TO THE REGULATIONS

Bright Link S.A. reserves the right to modify the « Privacy Policy » statement. This declaration was last amended and revised on 20.04.2020.

Company details and controller:

Company name: Bright Link S.A.

6, chemin du Cyclotron

1348 Louvain-la-Neuve

Belgium

VAT BE 0662.639.464
