
Privacy Policy

1. Objective

Our Company Data Privacy Policy refers to our commitment to treat information of employees, customers, stakeholders and other interested parties with the utmost care and confidentiality.  

With this policy, we ensure that we gather, store and handle data fairly, transparently and with respect to individual rights in compliance with the following laws:  

  • The REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the “GDPR”). Its purpose is to protect the rights and freedoms of natural persons and to ensure that data is not processed without their knowledge and, wherever possible, that it is processed with their consent. 
  • (Belgium) The Privacy Act of 8 December 1992 on the protection of privacy in relation to the processing of personal data.
  • (Belgium) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)  
  • (Belgium) Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws  

2. Scope

This policy refers to all parties (employees, job candidates, customers, suppliers etc.) who provide any amount of information to Inteliphage. 

3. Abbreviations and definitions

3.1 Abbreviations

Abbreviation: Full description

  • DPO: Data Protection Officer
  • Excom: Executive Committee
  • GDPR: General Data Protection Regulation


3.2 Definitions

Term: Definition

  • Personal data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
  • Supervisory authority: independent public authority which is established by a Member State responsible for monitoring the application of the GDPR. The Belgian supervisory authority is the Data Protection Authority (www.dataprotectionauthority.be).
  • Data processing activity: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Data controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
  • Data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  • Recipient: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall follow the applicable data protection rules according to the purposes of the processing.

4. Responsibilities

4.1  Collaborators 

Employees of our company and its subsidiaries must follow this policy. Contractors, consultants, partners and any other external entity are also covered. Generally, our policy refers to anyone we collaborate with, or who acts on our behalf, and who may need occasional access to data.

4.2  DPO

Our DPO, represented by our Head of Quality (dpo@inteliphage.com), ensures that the organization processes the personal data of its staff, customers, providers or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules.

5. Policy

5.1   Introduction 

The Excom of Inteliphage is committed to compliance with all relevant EU and Member State laws in respect of personal data, and the protection of the rights and freedoms of individuals whose information is collected and processed by Inteliphage in accordance with the GDPR.  

GDPR and this policy apply to all Inteliphage’s personal data processing activities (any personal data that Inteliphage processes from any sources). This policy applies to all staff of Inteliphage as well as partners, suppliers and any third parties working with Inteliphage, who have or may have access to personal data. No third party may access personal data held by Inteliphage without having first entered into a data confidentiality agreement.  

5.2  Principle 1: Lawfulness, fairness and transparency

Lawful means that a lawful basis is identified before the data processing.  

Fairness means that certain information is made available to the data subject as practicable. This applies whether the personal data was obtained directly from the data subjects or from other sources.  

Transparency means that information must be communicated to the data subject in an intelligible form using clear and plain language (for example, through this Privacy Policy).  

 

The specific information that must be provided to the data subject must, as a minimum, include:

  • The identity and contact details of Inteliphage  
  • The contact details of the DPO  
  • The purposes of the processing for which the personal data is intended as well as the legal basis for the processing  
  • The period for which the personal data will be stored  
  • The existence of the rights to request access, rectification, erasure or to object to the processing, and the conditions (or lack of) relating to exercising these rights  
  • The categories of personal data concerned  
  • The recipients or categories of recipients of the personal data, where applicable  
  • Where applicable, the transfer of personal data to a recipient in a third country and the level of protection afforded to the data  
  • Any further information necessary to guarantee fair processing  

5.3  Principle 2: Purpose limitation 

Data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (except for archiving purposes in public interest, scientific or historical research purposes or statistical purposes that are not considered to be incompatible with the initial purposes). 

5.4  Principle 3: Data minimisation 

The management is responsible for ensuring that Inteliphage does not collect information that is not strictly necessary for the purpose for which it is obtained. All data collection forms must be included in a fair processing statement. 

5.5  Principle 4: Accuracy

Data stored by Inteliphage must be reviewed and updated as necessary. No data should be kept unless it is reasonable to assume that it is accurate.

Staff are required to notify of any changes in circumstance to enable personal records to be updated accordingly.  

On at least an annual basis, the DPO will review the retention dates of all the personal data processed by Inteliphage and will identify any data that is no longer required in the context of the registered purpose.  

The DPO will respond to requests for rectification from data subjects within one month. This can be extended to a further two months for complex requests. If Inteliphage decides not to comply with the request, the DPO must respond to the data subjects to explain the reasons and inform them of their rights to complain to the supervisory authority. 

5.6  Principle 5: Storage limitation

Where personal data is retained beyond the processing date, it will be minimized or encrypted or pseudonymized in order to protect the identity of the data subject in the event of data breach. Personal data will be retained for the retention period defined and, once its retention date is passed, it must be securely destroyed.  

Management and the DPO must specifically approve any data retention that exceeds the retention periods defined and must ensure that the justification is clearly identified in line with the requirements of the data protection legislation. 

5.7  Principle 6: Integrity and confidentiality 

The management will carry out a risk assessment considering all the circumstances of Inteliphage’s controlling and processing operations. The assessment considers the extent of possible damage or loss that might be caused to individuals (e.g. staff or customers) if a security breach occurs, the effect of any security breach on Inteliphage itself, and any likely reputational damage including the possible loss of customer trust.

5.8  Principle 7: Accountability 

Inteliphage will demonstrate compliance with the data protection principles by implementing data protection policies, adhering to codes of conduct (if any), implementing technical and organizational measures, as well as adopting techniques such as data protection by design, DPIAs, breach notification procedures and incident response plans. 

5.9  Data subject’s rights 

Data subjects have the following rights regarding data processing, and the data that is recorded about them:  

  • To request access to information such as the nature of data held and to whom it has been disclosed  
  • To prevent processing likely to cause damage or distress  
  • To be informed about the mechanisms of automated decision-taking process that will significantly affect them  
  • To not have significant decisions that will affect them taken solely by automated process
  • To sue for compensation if they suffer damage by any contravention of the GDPR  
  • To take action to rectify, block, erase (including the right to be forgotten) or destroy inaccurate data
  • To request the supervisory authority to assess whether any provision of the GDPR has been contravened  
  • To have personal data provided to them in a structured, commonly used and machine-readable format and the right to have that data transmitted to another controller  
  • To object to any automated profiling that is occurring without consent  

Inteliphage ensures that data subjects may exercise these rights. Data subjects may make data access requests and have the right to complain to Inteliphage related to the processing of their personal data.

5.10  Consent 

For sensitive data (e.g. clinical/health data), explicit written consent of data subjects must be obtained prior to the processing activity, unless an alternative legitimate basis for processing exists.  

Inteliphage understands that a valid consent means:  

  • Freely given (implies real choice and control of data subjects)  
  • Specific (data subjects are free to choose which data processing operations they accept when a service involves multiple processing operations for more than one purpose)
  • Informed (principle of lawfulness, fairness and transparency)  
  • An unambiguous indication of the data subject’s wishes, by a statement or by a clear affirmative action, that signifies agreement to the processing operations of personal data relating to him/her.

When consent is the legal basis, Inteliphage must be able to demonstrate that consent was obtained for the processing operation.  

A new and specific consent must be obtained when the purposes of a processing activity change after the data subject consented or if an additional purpose is envisaged. 

5.11  Security of data 

All staff are responsible for ensuring that any personal data that Inteliphage holds, and for which they are responsible, is kept securely and is not under any conditions disclosed to any third party unless that third party has been specifically authorized by Inteliphage to receive that information and has entered into a confidentiality agreement.

All personal data should be accessible only to those who need to use it, and access may only be granted in line with this requirement.  

In case of personal data breach, Inteliphage shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. Besides, any personal data breach will be recorded in the data breach register. 

5.12  Retention and disposal of data

Inteliphage will not keep personal data in a form that permits identification of data subjects for a longer period than is necessary, in relation to the purposes for which the data was originally collected. Nevertheless, Inteliphage may store data for longer periods if the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the implementation of appropriate technical and organizational measures to safeguard the rights and freedoms of the data subject. 

5.13  Data protection register

Inteliphage will maintain a record of processing activities under its responsibilities, when acting as a controller, and of processing activities carried out on behalf of a controller, when acting as a processor, in accordance with Article 30 of the GDPR.

6. References

6.1  Regulations and norms

References: Section covered

  • REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016: All
  • (Belgium) The Privacy Act of 8 December 1992: All
  • (Belgium) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002: All
  • (Belgium) Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC: All

6.2  Other related procedures and documents

N/A

6.3  Annexes

N/A