Balansys SA (“Balansys”, hereafter also “we” or “us”) is committed to protecting and respecting your privacy.
This document contains all legally mandatory information required by the applicable data protection legislation and more specifically the GDPR (General Data Protection Regulation).
What information do we process about you?
We process the following categories of personal data about you:
Identification data, such as, for example, name, e-mail address, phone number, job title…
Why do we process your personal data?
Your personal data are processed to carry out our business activities, among which the following purposes:
- to carry out our obligations arising from any contracts entered into with you/your company and to provide you with the information and services that you or your company request from us;
- to notify you/your company about changes to our services;
- to organise events;
- prospect and stakeholder management;
- to invite your company to market consultations, e.g. on applicable balancing tariffs or introduction of new products and/or services.
What is the legal basis for processing your personal data?
The aforementioned processing is carried out on the following legal bases:
- it is necessary for performing the contract we have with your company (e.g. balancing agreement);
- it is necessary in the context of our legitimate interests or a third party (such as our shareholders) (e.g. when we register your personal data in our internal administration tool, processing contact data in order to remedy and/or prevent fraudulent activities);
- it is necessary in order to meet our legal obligations (e.g. market consultations);
- to the extent applicable, when you have consented to the processing (e.g. you subscribed to a newsletter with the possibility to unsubscribe at any time).
How do we collect your personal information?
The personal data we process are partially provided by yourself, and partially by other sources (such as, for example, the customer management system of our shareholders Fluxys Belgium SA and Creos Luxembourg SA).
With whom do we share your personal information?
Internally, access to your information will exclusively be given to those collaborators who need this information to carry out their job.
In addition, we may need to share, in the context of the purposes mentioned above, specific information with third parties such as:
- our shareholders Fluxys Belgium SA and Creos Luxembourg SA (e.g. in case contact details of customers change);
- our professional advisors such as, for example, law firms;
- public authorities (including judicial and police authorities, regulatory authorities);
- our suppliers of IT related services;
- our suppliers of marketing related services;
- analytics and search engine providers that assist us in the improvement and optimisation of our website.
It is furthermore possible that personal data are transferred outside of the European Economic Area. In such case, we will provide you with the additional information as laid down in Article 14 of the GDPR and make sure that the information is protected by safeguards by making, for example, the necessary agreements with the service provider concerned.
We will also disclose your information to third parties:
- in the event that we sell or buy any business or assets, in which case we may disclose your information to the prospective seller or buyer of such business or assets;
- if we or substantially all of our assets are acquired by a third party, in which case information held by us about our customers may be one of the transferred assets;
- if we are under a duty to disclose or share your information in order to comply with any legal obligation or to protect our rights, property, or safety, our customers, or others. This includes exchanging information with public authorities (including judicial and police authorities) in the event of, for example, fraude or a cyber security incident;
- if that is appropriate to achieve any of the purposes set out above (“Why does we process your personal data?”).
How long do we keep your personal data?
In particular, we will only keep information relating to you that we collect as mentioned above or that you provide to us for as long as it is required to fulfil the purpose for which it was collected, unless:
- the processing of your information is necessary in connection with any actual or potential dispute (e.g. we need this information to establish or defend legal claims), in which case we will keep your information until the end of such dispute; and/or
- the retention is necessary for us to comply with any legal or regulatory obligation, in which case we will keep your information for as long as required by that obligation.
What are your rights regarding the processing of your personal data?
You have certain legal rights regarding the processing of your personal information:
- Access – You can ask access to the personal data we process about you.
- Rectification – If your information is inaccurate or incomplete, you have the right to request the rectification of your information.
- Deletion – Under certain circumstances, you have the right to request deletion of your information (for example when you think it has been processed illegally).
- Transfer – You have the possibility to obtain, under certain circumstances, your information in a structured and machine readable form so you can reuse it for your own purposes.
- Limitation of further use – Under certain circumstances, you can ask us to limit (further) use of your information. For example, when you dispute the correctness of some information, you can limit further processing of the data during the time we controls their correctness.
- Objection – You can object some processing, for example when the processing is based on Balansys’ or a third party’s legitimate interests (cfr. above) you can object based on reasons that are specifically linked to your situation.
- Withdraw of consent – If you have given your consent for a specific processing, you have the right to withdraw your consent. This has no impact on the legitimacy of the data processing carried out before your withdrawal.
- Press charges – If you have charges against the processing of your personal data by Balansys, we ask you to contact the Compliance Officer first. If you wish to do so, you can register a complaint at the National Commission for Data Protection (contact data available at https://cnpd.public.lu/en.html).
More information can be obtained via the Compliance Officer see contact details below) or via the website of the National Commission for Data Protection (https://cnpd.public.lu/en.html).
If you wish to exercise one of your rights, you can contact the Compliance Officer by sending an e-mail to email@example.com. This email needs to have in the subject line “data privacy request” and include a proof of your identity to help us prevent unauthorised individuals from accessing, changing or deleting your information. We will respond to your request as soon as practically possible. If it appears that we need more than one month (from receipt of your request) to deal with your request, we will let you know.
The above mentioned rights are not absolute. This means Balansys has the right to reject your request under certain circumstances (for example when consent with your request would undermine Balansys’ rights or legitimate interests) and/or will collect reasonable administrative charges (for example in case of very extensive requests).
How are the collected data being secured?
All information you provide to us, is being stored on our secure servers.
We furthermore rely on the organisation and technical measures which have been implemented by our shareholders Fluxys Belgium SA and Creos Luxembourg SA, who apply an information security policy inspired by the ISO 27002 standards. The control measures being taken in accordance with the aforementioned policy are subject to numerous reviews and audits carried out both internally (security testing, internal audits) and externally (auditor, external audits) at a frequency of more than once a year. The data are furthermore protected by various technical measures such as passwords, encryption and layered protection mechanisms.
Who is the data controller?
Who to contact for further questions?