Privacy Policy

1. WHO WE ARE?

We are NormNest, located at Aalterseweg 80, 9910 Aalter, Belgium, with company number BE1026 379 764, telephone number +32 (0)9 424 01 18, and email address info@normnest.eu

We value your privacy. Whenever we process your personal data, we do so in accordance with the provisions of the General Data Protection Regulation (GDPR) and the national laws governing the processing of personal data.

Privacy legislation requires us to make the information contained in this privacy statement accessible to you. This privacy statement explains the measures we take to protect your privacy when you use our services or products and outlines the rights you have.

In the context of our services and product offerings, we collect certain personal data about you and process it in accordance with the purposes described in this privacy statement. We invite you to read this statement carefully. Robin Millecam is our privacy coordinator and can be contacted at dpo@normnest.eu for any questions you may have or to exercise your rights. This statement may be amended in the future.

We therefore encourage you to review this privacy statement regularly.

2. PROCESSING YOUR PERSONAL DATA

Personal data means any information about an individual that can be used to identify that person. This does not include data where the identity has been removed (anonymous data). We aim to collect as little personal data as possible in order to achieve our objectives.

We comply with data protection laws which require that the personal data we process about you:

  • is collected only for valid purposes about which we have informed you;
  • is used in a lawful, fair, and transparent manner, and is adequate, relevant, and limited to what is necessary for the purposes for which it is processed;
  • is accurate and, where necessary, kept up to date;
  • is not retained longer than necessary for the purposes communicated to you; and
  • is processed securely.

We may request certain information from you to enable you to purchase or use our goods or services. If you have any questions, please do not hesitate to contact our privacy coordinator.

More specifically, we may collect some or all of the following data elements:

  • Address
  • VAT number
  • Bank account
  • Company address
  • Company position/function
  • Company name
  • Payment history
  • Payment overview / customer account
  • Date & time
  • Third-party cookies
  • Electronic identification data
  • Email address
  • Essential cookies
  • Signature
  • IP address
  • Content of correspondence
  • Customer file
  • Name of the concerned party
  • Name of the customer
  • Circumstances of the claim / case
  • Performance cookies
  • Telephone number
  • Home address

We rely on you to provide us with accurate information. Please inform us if information about you changes so that we can keep our records up to date.

The processing of personal data allows us to provide our services and products, to continuously improve the services and products available to you, and to adapt them to your needs. More specifically, we carry out the following processing activities:

  • Customer Appointments

    Description: Registration of customer appointments on paper or electronically.

    Purpose: Management of availability and calendar.

    Legal basis: Contract.

    Retention period: During the validity of the contract with the customer and, after termination of the contract, for the applicable statutory limitation period and/or limitation periods relevant for legal actions.

    Data items: Customer name, Date & time, Email address, Address, Telephone number.

    Data is processed within the EU.

  • Delivery of Goods and/or Services

    Description: Sale and/or delivery of goods or services to customers.
    Purpose: Ensuring correct delivery of goods and/or services, enabling track & trace and feedback.
    Legal basis: Contract.

    Retention period: During the validity of the contract with the customer and, after termination of the contract, for the applicable statutory limitation period and/or limitation periods relevant for legal actions.

    Data items: Home address, Customer name, Customer file, Signature, Email address, Telephone number.

    Data is processed within the EU.

  • Correspondence:

    Description: Communication with interested parties in paper or electronic form. Purpose: Ensuring proper service. Legal basis: Contract.

    Retention period: During the validity of the contract with the customer and, after termination of the contract, for the applicable statutory limitation period and/or limitation periods relevant for legal actions.

    Data items: Customer name, Company address, Content of correspondence, Email address.

    Data is processed within the EU.

  • Corporate Website

    Description: Corporate website available for public consultation. It may contain a login section for customers.
    Purpose: To inform interested parties and/or business partners.
    Legal basis: Legitimate Interest.

    a) Legitimate interest of the company
    The company has a legitimate interest in ensuring the security, continuity and optimal functioning of its website. This includes, among other things, preventing misuse, fraud and cyberattacks, as well as analysing website usage to improve services.
    b) Necessity of the processing
    The processing of the indicated personal data is necessary to achieve these purposes. Without this processing, the security and proper functioning of the website cannot be guaranteed.
    c) Balancing test with the rights and freedoms of data subjects
    The impact on the privacy of website visitors is limited because:
    • Only data necessary for the intended purpose is processed;
    • No sensitive personal data is processed;
    • The data is not retained longer than necessary;
    • Appropriate technical and organisational security measures are applied;
    • Data subjects can exercise their rights under the GDPR.
      Conclusion
      After balancing the respective interests, it has been determined that the legitimate interests of the company are not overridden by the rights and freedoms of the data subjects. The processing can therefore be based on Article 6(1)(f) GDPR..
      Retention period:
    • Electronic identification data:
      • Server logs: 45 days
      • Security logs: 6 months
    • Essential cookies:
      • Session cookies: until the end of the browser session
    • Functional cookies: 6 months
    • Marketing cookies: 13 months

      Data items:
      Electronic identification data, Essential cookies, Customer name, Third-party cookies, Performance cookies, Email address.
      Data is processed within the EU.

  • Customer Invoicing and Accounting

    Description: Calculation of the fees or remuneration due, handling invoicing and obtaining payment. Purpose: Ensuring correct payment.
    Legal basis: Contract.
    Retention period: During the validity of the contract with the customer and, after termination of the contract, for the applicable statutory limitation period and/or limitation periods relevant for legal actions.
    Data items: Home address, Bank account, Payment history, Customer name, VAT number, Payment overview / customer account, Company address, Signature, Email address.
    Data is processed within the EU.

  • Customer Prospecting
    Description:     Management of information related to prospects.
    Purpose: Communicating goods and services to potential customers.
    Legal basis: Legitimate Interest.

    Specific balancing test when relying on Legitimate Interest

    a) Legitimate interest of the company
    The company has a legitimate and commercial interest in promoting its products and services and in maintaining and expanding its customer base. Prospecting is a normal and accepted activity within economic and commercial relations.
    b) Necessity of the processing
    For prospecting purposes, the company processes limited identification and contact data. This processing is necessary to:
    • Inform potential customers about relevant products or services;
    • Identify business opportunities;
    • Build sustainable commercial relationships.
      No sensitive personal data is processed as part of this processing.

c) Balancing of interests

When balancing the interests of the company against the rights and freedoms of the data subject, the following factors are taken into account:

  • The fact that the data typically concerns professional contact details;
  • The reasonable expectation that companies receive commercial communications in a B2B context;;
  • The limited impact on the private life of the data subject;
  • Data subjects can exercise their rights under the GDPR;
  • Appropriate technical and organisational measures are taken to prevent misuse.
    Conclusion
    Based on this balancing test, it has been determined that the legitimate interests of the company are not overridden by the rights and freedoms of the data subjects. The processing may therefore be based on Article 6(1)(f) GDPR.

    Retention period: During the validity of the contract with the customer. In addition, all prospects who are not converted into customers will be deleted after two (2) years.
    Data items: Customer name, Company function/position, Email address, Telephone number.
    Data is processed within the EU.
  • Providing offers
    Description:     Providing offers to potential customers.
    Purpose: Generating revenue.
    Legal basis: Contract.
    Retention period: During the validity of the contract with the customer and, after termination of the contract, for the applicable statutory limitation period and/or limitation periods relevant for legal actions.
    Data items: Customer name, Email address, Address.
    Data is processed within the EU.
  • Guest or Visitor Wi-Fi Provision
    Description:     Provision of Wi-Fi for guests or visitors.
    Purpose: Providing Wi-Fi access.
    Legal basis: Legitimate Interest.
    Data items: IP address.

    Specific balancing test when relying on Legitimate Interest
    a) Legitimate interest of the company
    The company has a legitimate interest in providing a guest or visitor Wi-Fi network in order to offer visitors, customers and business relations accessible and efficient services. The company also has a legitimate interest in ensuring the security, integrity and proper functioning of its IT infrastructure.
    b) Necessity of the processing
    For the provision and security of the Wi-Fi network, limited electronic identification data is processed.
    This processing is necessary to:
    • Enable access to the network;
    • Detect and prevent misuse, fraud or cyberattacks;
    • Investigate incidents;
    • Guarantee the security and stability of the network.
      No sensitive personal data is processed as part of this processing.

c) Balancing of interests
When balancing the interests of the company with the rights and freedoms of the data subject, the following factors are considered:

    • The limited and technical nature of the processed data;
    • The fact that the data is necessary for network security;
    • The limited retention period;
    • The implementation of appropriate technical and organisational security measures;
    • Transparent information provided through the privacy policy;
    • The impact on the user’s private life is considered limited.
      Conclusion
      In view of the above, the legitimate interests of the company are not overridden by the rights and freedoms of the data subjects. The processing may therefore be based on Article 6(1)(f) GDPR.
      Retention period: 45 days.
      Data is processed within the EU.
  • Customer Support
    Description:     Receiving and handling customer questions and complaints.
    Purpose: Ensuring problem resolution and optimal business operations.
    Legal basis: Contract.
    Retention period: During the validity of the contract with the customer and, after termination of the contract, for the applicable statutory limitation period and/or limitation periods relevant for legal actions.
    Data items: Customer name, Circumstances of the claim/case, Content of correspondence, Email address, Telephone number.
    Data is processed within the EU.
  • Meeting and Event Planning
    Description:     Communicating with customers and suppliers in order to plan meetings, events and group bookings.
    Purpose: Planning and organising events.
    Legal basis: Contract.
    Retention period: During the validity of the contract with the customer and, after termination of the contract, for the applicable statutory limitation period and/or limitation periods relevant for legal actions.
    Data items: Name of the concerned party, Customer file, Date & time, Email address, Address, Telephone number, Company name.
    Data is processed within the EU.

For these processing activities, we act as the data controller.

If you have given consent for a specific processing activity, you always have the right to withdraw that consent.

If you do not want your data to be processed, please contact us so that we can jointly assess whether a contractual relationship between us is still possible and whether you can continue to use our goods and/or services.

We also process data related to our suppliers. When we collect, process and store data about our suppliers, we ensure that we only collect, process and store the data that is necessary and that we are permitted to process.

In our dealings with suppliers, we generally collect, process and store:

  • the name,
  • work email address,
  • work telephone number

of the person or persons communicating with us.

We also collect, process and store the VAT number of our suppliers.

3. PROCESSING PERSONAL DATA ON YOUR INSTRUCTIONS

The specific nature of our relationship makes it unlikely that you will ask us to process personal data of third parties. In the exceptional event that this does occur, we will act as the data processor and you will act as the data controller. In such case, we will follow your instructions regarding the processing, possible subcontracting, the handling of the data at the end of the agreement, and any possible transfer of data. We will also implement the necessary security measures and assist you in complying with your obligations under the GDPR.

4. SHARING PERSONAL DATA

It is possible that we may work with third parties in order to provide certain services or products, such as IT partners, insurance partners, accounting partners and legal advisers. More specifically, we reserve the right to share your personal data with the following partners:

  • Social Media – Facebook / Instagram
    Purpose: Promotion of the company and its services.
    Legal basis: Legitimate Interest.
    Specific balancing test when relying on Legitimate Interest
    a) Legitimate interest of the company
    The company has a legitimate interest in using social media platforms such as Instagram and Facebook to promote its activities, strengthen its visibility and communicate with (potential) customers. Sharing certain personal data via these
    platforms contributes to an efficient marketing strategy and maintaining an active online presence.

    b) Necessity of the processing
    This processing is necessary to:
    • enable targeted communication;
    • optimise marketing campaigns;
    • measure the effectiveness of advertisements;
    • enable interaction with the public.

c) Balancing of interests
 When balancing the interests of the company with the rights and freedoms of the data subjects, the following factors are taken into account:

    • the fact that individuals themselves actively use social media;
    • the reasonable expectation that interaction with a company through these platforms involves data processing;
    • the limited nature of the data shared;
    • the fact that users can manage their privacy settings on the platform;
    • the possibility to object to processing for direct marketing purposes.
      If tracking or marketing cookies are used, this is done on the basis of prior consent, in accordance with the ePrivacy legislation.

Conclusion

Insofar as the processing is limited to maintaining a social media profile and interacting with users, it can be based on the legitimate interest of the company pursuant to Article 6(1)(f) GDPR.

Data items: Date & time, Customer name, Electronic location data, Electronic identification data, Photos / images.

Data is processed outside the EU.

META PLATFORMS IRELAND LIMITED (formerly Facebook) receives the data.

  • Accounting
    Purpose: Ensuring proper accounting and/or correct tax and VAT declarations.
    Legal basis: Legal obligation.
    Data items: Home address, Email address, Payment overview / customer account, VAT number, Bank account, Customer name, Name of the concerned party, Employee name, Telephone number, Company address.
    Data is processed within the EU.
    Cobofisk receives the data.
  • Social Media – LinkedIn
    Purpose: Promotion of the company and its services.
    Legal basis: Legitimate Interest.
    Specific balancing test when relying on Legitimate Interest

    a) Legitimate interest of the company
    The company has a legitimate interest in using LinkedIn as a professional networking platform to make its activities visible, maintain business contacts and promote its services. Sharing personal data via LinkedIn contributes to transparent communication, professional profiling and the development of business opportunities.

    b) Necessity of the processing
    This processing is necessary to:

  • enable professional communication;
  • maintain relationships with customers and business partners;
  • share information about services or activities;
  • develop networking activities.

    c) Balancing of interests
    When balancing the interests, the following factors are taken into account:
  • the professional nature of LinkedIn as a business platform;
  • the fact that individuals publish their data themselves in a professional context;
  • the reasonable expectation that professional interaction implies data processing;
  • the limited nature of the data processed;
  • the possibility for individuals to manage their privacy settings or object to direct marketing.
    If LinkedIn tracking tools or advertising features are used (e.g. Insight Tag), this is done on the basis of prior consent, in accordance with the ePrivacy legislation.

    Conclusion
    Insofar as the processing relates to maintaining a professional network and business communication, it may be based on the legitimate interest of the company pursuant to Article 6(1)(f) GDPR.
    Data is processed outside the EU.

    LinkedIn Ireland Unlimited Company receives the data.
    Business Management – Software
    Purpose:     Proper management of the business.
    Legal basis: Legitimate Interest.
    Specific balancing test when relying on Legitimate Interest

    a) Legitimate interest of the company
    The company has a legitimate interest in using business management software to efficiently manage its administrative, financial and operational processes. Processing personal data within this software contributes to the proper management of customer files, communication with customers and involved parties, invoicing and payment management.
    The use of an integrated software system such as Odoo supports a structured and secure organisation of business activities and promotes efficient service delivery to customers.

    b) Necessity of the processing
    This processing is necessary in order to:

  • Properly manage customer files and administrative data;
  • Monitor correspondence with customers and involved parties;
  • Organise invoicing and payment follow-up;
  • Enable internal organisation and follow-up of files by employees;
  • Manage financial administration and customer accounts.
    The processing of data such as name, email address, company address, VAT number, customer file, correspondence and payment information is necessary for the proper execution of these business activities.

    c) Balancing of interests
    When balancing the interests, the following factors are taken into account:
  • The professional and business nature of the processing;
  • The fact that the data mainly relates to business relationships;
  • The reasonable expectation of customers and involved parties that their data will be processed for administrative and communication purposes;
  • The limited and purpose-specific nature of the processed data;
  • The fact that the data is processed within the European Union;
  • The implementation of technical and organisational measures to protect the data.


Conclusion
Insofar as the processing relates to the administrative management of customer relationships, correspondence and financial follow-up within business management software, it may be based on the legitimate interest of the company pursuant to Article 6(1)(f) of the General Data Protection Regulation (GDPR).
Data items: Content of correspondence, Email address, Payment overview / customer account, Customer file, VAT number, Customer name, Name of the concerned party, Employee name, Company address.
Data is processed within the EU.
Odoo receives the data.

Sales / CRM Partner
Purpose: Managing the sales process and customer support.
Legal basis: Legitimate Interest.

Specific balancing test when relying on Legitimate Interest

a) Legitimate interest of the company
The company has a legitimate interest in using a Sales and CRM system to manage the sales process, maintain customer relationships and provide customer support. Processing personal data within this system enables the company to manage contacts with customers and potential customers in a structured manner, monitor commercial opportunities and ensure efficient customer service.
The use of an integrated CRM solution such as Odoo supports efficient monitoring of sales activities and communication with customers.

b) Necessity of the processing
This processing is necessary in order to:

  • Manage contact details of customers and prospects;
  • Monitor correspondence with customers;
  • Manage sales opportunities and commercial processes;
  • Efficiently handle customer support and service requests;
  • Maintain relationships with customers and business partners.
    The processing of data such as name, email address, telephone number, company function, address and correspondence content is necessary to properly manage the sales process and customer relationships.

c) Balancing of interests
When balancing the interests, the following factors are taken into account:

  • The professional nature of the relationship between the company and the customer or prospect;
  • The reasonable expectation that contact details will be used for commercial communication and customer follow-up;
  • The fact that mainly business contact details are processed;
  • The limited and purpose-specific nature of the processed data;
  • The processing of data within the European Union;
  • The implementation of appropriate technical and organisational security measures to protect the data.

    The data is processed through Odoo and remains within the European Union, in accordance with the requirements of the General Data Protection Regulation (GDPR).

    Conclusion
    Insofar as the processing relates to the management of sales activities, customer relationships and customer support within a CRM system, it may be based on the legitimate interest of the company pursuant to Article 6(1)(f) GDPR.
    Data items: Content of correspondence, Email address, Company function, Address, Customer name, Telephone number.
    Data is processed within the EU.
    Odoo receives the data.

  • IT support
    Purpose: Ensuring the proper functioning of IT systems.
    Legal basis: Legitimate Interest.
    Specific balancing test when relying on Legitimate Interest

    a) Legitimate interest of the company
    The company has a legitimate interest in ensuring the proper functioning, security and continuity of its IT systems and digital infrastructure. Processing certain personal data is necessary to provide IT support, resolve technical problems, maintain systems and ensure the security of the IT environment.

    b) Necessity of the processing
    Deze verwerking is noodzakelijk om:

  • Analyse and resolve technical problems with IT systems;
  • Manage user accounts and access rights;
  • Manage system and data backups and restore them if necessary;
  • Ensure the security and integrity of IT systems;
  • Support users in the use of IT applications and infrastructure.

    c) Balancing of interests
    When balancing the interests, the following factors are taken into account:

  • The operational and technical nature of the processing;
  • The fact that the processing is necessary for the functioning and security of IT systems;
  • The reasonable expectation of users that their data may be processed in the context of IT support;
  • Limited access to personal data by authorised IT staff or IT service providers;
  • The purpose-specific and proportionate nature of the processing;
  • The processing of data within the European Union;
  • The implementation of appropriate technical and organisational security measures.

    The data is processed by CloudCom in the context of IT support and system management and remains within the European Union, in accordance with the requirements of the General Data Protection Regulation (GDPR).

    Conclusion
    Insofar as the processing relates to IT support, system management, backup management and ensuring the security and continuity of IT systems, it may be based on the legitimate interest of the company pursuant to Article 6(1)(f) GDPR. The interests of the data subjects are not overridden by the legitimate interests of the company.
    Data items: Backup data, Email address, Username, Customer name, Profile preferences, Electronic identification data.
    Data is processed within the EU.
    CloudCom receives the data.

If we receive your personal data from a third party who refers you to us, we assume that this data has been obtained directly from you or with your consent. If this is not the case, please inform us immediately.

These third parties will generally act as data processors. Please note that social media platforms, trading platforms and permanent sales partners are often considered joint data controllers.

If you participate in an online conversation, meeting, conference, or similar event, please be aware that all information you share may be visible and/or audible to other participants. Please take this into consideration before sharing your personal data, video, audio or other information.

If you object to the sharing of your data, we ask you to contact us so that we can jointly assess whether a contractual relationship between us remains possible and whether you can continue to use our services and/or goods.

Please note that we may be legally required to process certain data and possibly transfer it to the relevant authorities. As this constitutes a legal obligation, you cannot object to such transfer.

5. SECURITY AND CONFIDENTIALITY

We aim to store your personal data securely and confidentially and have implemented security procedures to prevent the loss, misuse or alteration of such personal data. These procedures are functionally and technically aligned with industry best standards.

6. WEBSITE AND COOKIES

When you visit our website, cookies may be stored on your computer. These help make your visit to the website easier and improve your user experience.

When visiting our website, you will receive information about the cookies we use and will be asked to give your consent where required. Each time you visit our website, the web server will also automatically process your IP address and/or your domain name.

We may publish links to websites owned and operated by third parties. If you click on such a link, you will be redirected to another website. Please ensure that you read and understand the privacy policy of that website, as it may differ from our privacy policy. If you are not comfortable with or do not agree with that privacy policy, we recommend that you leave the website immediately.

7. SOCIAL MEDIA

If you use social media features such as the “like” or “share” buttons that may appear on our website, or if you visit our social media pages, please be aware that your personal data may be processed by the social media platform.
For this processing, the European regulator considers both us and the social media platform to be joint data controllers, meaning that we jointly determine why and how your personal data is processed.
Information on how we process your personal data can be found in this privacy policy. Information about the processing carried out by the social media platform can be found in its own privacy policy. We ask you to carefully read the privacy policy of the relevant social media platform before using social media features on our website or visiting our pages on such platforms.
If we organise events such as networking events, opening events, premieres, or similar occasions, photographers or videographers may be present. The photos and videos they produce may be used in marketing materials and/or published on our social media pages.
Before taking a photo or video of you, we will always request your explicit consent. If you object to this (and therefore to the use of materials in which you appear), please inform us.

8. EXERCISING YOUR RIGHTS

In accordance with the General Data Protection Regulation (GDPR), you have the right to:

  • Request access to your personal data (the right of access of the data subject). This allows you to receive a copy of the personal data we hold about you.
  • Request correction of the personal data we hold about you. This enables you to correct any incomplete or inaccurate information we hold about you.
  • Request the deletion of your personal data. This allows you to ask us to delete all your personal data when there is no valid reason for us to continue processing it. You also have the right to request the deletion of your personal data when you have exercised your right to object to certain processing activities (see below).
  • Object to the processing of your personal data where we rely on our legitimate interest (or that of a third party) and you wish to object to processing on this basis due to your particular situation. You also have the right to object where we process your personal data for direct marketing purposes.
  • Request the restriction of the processing of your personal data. This enables you to ask us to suspend the processing of your personal data, for example if you want us to verify the accuracy of the data or the reason for processing.
  • Withdraw your consent at any time where the processing is based on consent.
  • Not to be subject to a decision based solely on automated processing.
  • Receive your personal data in a structured, commonly used and machine-readable format and transfer it to another controller (the right to data portability).

In certain cases, we may need to request additional information from you to confirm your identity and ensure that your right to access information (or the exercise of any of your other rights) is exercised correctly. We take this measure to ensure that your personal information is not disclosed to anyone other than yourself or to any person who does not have the right to receive it.
You may exercise your rights by contacting our privacy coordinator, Robin Millecam, via dpo@normnest.eu or by writing to the company at:

NormNest
T.a.v. Robin Millecam
Aalterseweg 80 9910 Aalter Belgium
Telefoonnummer: +32 (0)9 424 01 18
E-mailadres: info@normnest.eu

9. DATA PROTECTION AUTHORITY

Any complaint or comment may be addressed to the Data Protection Authority at the following address:

Data Protection Authority / Autorité de protection des données
Drukpersstraat 35
1000 Brussels
Belgium
https://gegevensbeschermingsautoriteit.be
https://autoriteprotectiondonnees.be

Telephone: +32 (0)2 274 48 00
Email: contact@apd-gba.be