Privacy policy – openthebox.com (ENG)

Last updated: January 14th 2025

‍

As a data driven company which specializes in making information more transparent, it is very important for us to find the right balance with privacy. On the other hand the safety and confidentiality of the personal data we process, are a key concern for us. Moreover, we wish to be very clear and transparent about what happens when we collect and use your personal data. Hence this privacy policy.

1. WHEN ARE YOUR PERSONAL DATA COLLECTED AND USED?

We collect and use your personal data whenever you:

• use our website or social media or communicate with us via e-mail, phone, or any other digital communication channel;
• register for our newsletter;
• leave us your business card when we have the pleasure of meeting you in person;
• contract and communicate with us as our client or supplier;
• consent to the tracking of your web behaviour;
• apply for one of our vacancies.

When we process the company data from the publically available data sources we also collect and use personal data of the active as well as inactive administrators (officers) or other stakeholders of these companies.

2. WHAT IF THIS PRIVACY POLICY DOES NOT ANSWER ALL OF YOUR QUESTIONS?

The data protection laws oblige us to provide you with quite a lot of information, so please bear with us. Should you have further questions regarding the processing of your personal data, do not hesitate to contact our DPO, (which is short for “data protection officer”). You can contact our DPO via e-mail: privacy@mediafin.be.  

3. WHO IS "WE"?

Whenever you see a reference to “we” in this privacy policy, it actually refers to Mediafin, who is considered to be the data controller with regard to the processing of your personal data:

Mediafin NV

Tour & Taxis

Havenlaan 86 C b 309

1000 Brussels

Belgium

Company number 0404.800.301

The company Mediafin, as data controller, is responsible for collecting and using (or – as the law calls it – “processing”) your personal data as explained in this privacy policy.

4. WHAT PERSONAL DATA DO WE PROCESS AND WHY?

When you use our website, social media or communicate with us via phone, e-mail or other digital communication channel, we will collect and use your personal data to:

1. allow for the communication between you and us, for which we rely on our legitimate interest to be able to respond to requests, questions or remarks or to contact you proactively for inquiries of whatever kind (e.g. when you respond to a blog, use our contact form or contact us via social media, phone or e-mail);
2. improve the website’s and social media pages’ content and the overall experience, for which we rely on our own legitimate interest to offer our visitors an interesting online space;
3. detect and prevent malware, illegal content and behaviour and other types of misuse, for which we rely on our legitimate interest to keep our online presence safe.
4. to send you our newsletter or other electronic communications. This might be about product improvements, service communications or direct marketing. You will always have the opportunity to unsubscribe from our newsletter.
5. personalize your experience on the website and the improve the services we offer. Therefore we build up a profile of you when you visit our website after you have provided your consent. We may also match this information with datasets of our affiliated companies. In doing so, we can provide you with content that is specifically tailored to you. The reason is simple: personalization boosts relevance. When content is more relevant, it’s more likely to speak to users’ unique behavior and motivations. The legal basis we apply in this case is consent. You always have the right to withdraw your consent.”

To achieve the above-mentioned purposes, we process the following personal data:

1. the basic identity information you provide us with, such as name, e-mail address, postal address, telephone number, the company you work for, your function;
2. the content of your communication and the technical details of the communication itself (with whom you correspond at our end, date and time, etc.);
3. technical information associated with the device you use, such as your IP address, your preferred language, the Referer HTTP header, browser type, geographical location and operating system;
4. information concerning your browsing behavior, such as how long you visit and what pages you visit.
5. any other personal data you choose to provide to us.

When you leave us your business card, we collect and digitally register the personal data which are written on that card for normal business relationship management purposes. We thus rely on our legitimate interest to process these personal data, which is to be able to build up our network of contacts.

When we have the pleasure of being able to enter into a contract with you, either as a client or as a supplier, we will collect and use your personal data to:

1. be able to execute and perform our end of the contract, while strictly complying with our obligations as a company, including our deontology. When you as an individual are our client or supplier, we rely on the necessity of processing your personal data for executing and performing the contract we have with you. However, if you act on behalf of a company or other legal entity, we rely on our legitimate interest to be able to contract with clients and suppliers when processing your personal data;
2. do our normal business administration (e.g. invoicing and relationship management), for which we rely on our legitimate interest to manage our business responsibly and professionally;
3. defend ourselves in legal proceedings, when it is in our legitimate interest to use your personal data in these proceedings.

The personal data we process for these purposes will always involve your basic identity information such as name, e-mail address, postal address, telephone number, the company you work for and your function. We may also process other personal data you provide us with, dependent on our contractual relationship with you.

When you apply for one of our vacancies, we will collect and use your personal data to:

1. assess your application, for which we rely on our legitimate interest to find a suitable candidate;
2. defend ourselves in legal proceedings, when it is in our legitimate interest to use your personal data in these proceedings.
3. keep you in our recruitment reserve, for which we will ask your consent;

The personal data we process when you apply with us, are:

1. your basic identity information such as name, e-mail address, postal address and telephone number;
2. any other personal data you have chosen to include in your application.
3. information you have included in your resumé and cover letter;
4. information you have made publicly available LinkedIn;

Openthebox uses an analytical tool, which is operated and deployed by Mediafin, to collect information on how the website is used by its visitors.  This tool will only be used for non-essential purposes when you provide your consent via the cookie banner. By doing this, we wish to gain statistical insights about your web behaviour (e.g., on how many times a specific page has been viewed, how long you looks at our website, where you come from before entering the site,…) to improve your experience on our website and to improve traffic and conversions. We will only collect this information after you have consented to this. You always have the right to withdraw your consent by configuring your cookie settings. One year after you have provided consent, we will ask your consent again.

We believe that the above-mentioned purposes for processing your personal data are within anyone’s reasonable expectations. However, for all of the personal data we have collected in the aforementioned circumstances, we wish to make it clear that we will also process your personal data to:

1. comply with legal obligations or to comply, insofar we are legally allowed to as a company, with any reasonable request from competent law enforcement agents or representatives, judicial authorities, governmental agencies or bodies, including competent data protection authorities;
2. inform a third party in the context of a possible merger with, acquisition from/by or demerger by that third party, even if that third party is located outside the EU, in which case we rely on our legitimate interest to engage in corporate transactions.

We would like to stress that for us, as a data driven company, professional secrecy and confidentiality is of paramount importance. This means that we will only process your personal data when such is allowed given these confidentiality obligations.

For the personal data of the administrators and other stakeholders of the companies that is collected from the open data sources: the personal data consists of the name and optionally the address of the data subject. If the data subject is a politician the personal data also optionally includes the political party of the data subject. We collect this publically available personal data in order to improve the transparency behind the organizational structures in the public interest as well as in our own legitimate interest to provide objective and complete information about companies and the persons who represent them, thus also supporting the legitimate and lawful processing of that information by our clients to find or verify potential business partners, to estimate credit risks or to check the compliance of companies or persons.

According to Article 14 of the GDPR the data subject must be informed before processing his data, except if the provision of such information proves impossible or would involve a disproportionate effort (art. 14.5 b). In accordance with sector practices, we inform the data subjects solely via our website, based on the consideration that the information we process is already publicly available (and we may reasonably assume that the data subjects is aware of this), and that informing data subjects on a direct and individual basis would involve a disproportionate effort, both financially and logistically, as in many cases required accurate contact information is not available to us.

5. WITH WHOM DO WE SHARE YOUR PERSONAL DATA?

In principle we will not share your personal data with anyone but the people working for Mediafin, as well as our suppliers who help us process your personal data. Anyone who has access to your personal data will always be bound by strict legal or contractual obligations to keep your personal data safe and confidential. This means that only the following recipients will receive your personal data:

• you;
• governmental or judicial authorities insofar we are required to send them your personal data (e.g. tax authority, police or law enforcement).
• Mediafin’s staff and suppliers;
• Different branches/affiliates of openthebox, in case this transfer is required for the provision of our products or services in line with the predetermined purpose;
• Purchasers, or potential purchasers, of all or part of Openthebox’s business (and their professional advisors);
• your employer or business partners, but only when required given the purposes mentioned above (e.g. when your employer is our supplier or client);

Your personal data are not sent outside the European Economic Area by us (the European Economic Area consists of the EU, Liechtenstein, Norway and Iceland), except where one of our suppliers or partners is established outside the European Economic Area. We will only transfer your personal data outside the EEA after having taken adequate safeguards to protect your personal when transferred (e.g. by putting in place standard contractual clauses as drafted by the European Commission).

For the personal data of the administrators and other stakeholders of the companies that is collected from the open data sources: the personal data - with the exception of the street number which is never shared with anyone but the people working for Mediafin, as well as our suppliers who help us process your personal data - is shared with the visitors of our site and our customers worldwide.

6. HOW LONG DO WE KEEP YOUR PERSONAL DATA?

Your personal data are only processed for as long as needed to achieve the purposes which are described above or, when we asked for your consent, up until such time where you withdraw your consent. In this article we provide you with the information you need to assess how long we will keep your personal data identifiable. As a general rule, we will de-identify your personal data when they are no longer necessary for the purposes outlined above or when the retention period as explained in this article has expired. However, we cannot de-identify your personal data if there is a legal or regulatory obligation or a judicial or administrative order that prevents Mediafin from de-identifying them.

All personal data we collect through our interactions with you via the website, social media, phone, e-mail and other digital communication channels we keep for as long as required to communicate with you, but also to keep an historical archive of our communications. This allows us to revert back to earlier communications if you return to us with new questions, request, remarks or other input.

All personal data we collect to send you our newsletter we will keep for as long as you remain subscribed to our mailing list or for as long as you remain our client.

All personal data we collect when you hand us your business card we will keep for as long as you do not request us to erase your personal data.

All personal data we collect in the context of a contractual relationship with you or the organization you represent, we will keep for the duration of the contractual relationship and at least until 7 years thereafter.

All personal data we collect in the context of your application with us we will keep for the duration of the application process and, if we choose to engage your services, for the whole duration of your contract with us and until 7 years after such contract has terminated, unless in the case of ongoing litigation. If you consent to including your personal data in our recruitment reserve, we will retain your personal data for 1 year after having received your personal data. If after 1 year we wish to keep you in our recruitment reserve, we will contact you to obtain your renewed consent.

For the personal data of the administrators and other stakeholders of the companies that is collected from the open data sources: the personal data is kept for 30 years.

7. WHAT DO WE DO TO KEEP YOUR PERSONAL DATA SAFE?

‍

As explained earlier, the security and confidentiality of all data we process is very important to us. Hence, we have taken steps to ensure that all personal data processed are kept safe. These steps include processing only the personal data required for achieving the purposes we have communicated to you. We have also taken technical and organizational measures to secure our infrastructure, systems, applications, premises and processes.

8. WHICH RIGHTS DO YOU HAVE WITH REGARD TO YOUR PERSONAL DATA?

‍

When we collect and use your personal data, you enjoy a number of rights which you can exercise in the manner described below. Please be aware that whenever you wish to exercise a right, we will ask you for a proof of identity. We do this to avoid that we have a data breach on our hands, e.g. because an unauthorized person pretends to be you and exercises a right in your name.

You have the right to access your personal data, which means that you can ask us to provide you information regarding the personal data we have about you. You can even ask for a copy of your personal data. However, note that you must specify for which processing activities you would like to have access to your personal data. If you make the same request repeatedly, clearly causing us nuisance, we are allowed to refuse granting you these subsequent requests or charge an administrative fee covering the expenses. We can also refuse granting you a right to access your personal data, or only grant it partially, if such access would risk disproportional detriment to the rights and freedoms of others, including Mediafin.

You have the right to ask that we correct your personal data if you can show that the personal data we process about you are incorrect, incomplete or outdated. Please specify the context in which we use your personal data (e.g. to send you newsletters or to respond to a request), so that we may assess your request swiftly and accurately.

If we asked for your consent to collect and use your personal data, e.g. to send you newsletters, you have the right to withdraw that earlier given consent.

You can ask that we delete your personal data, if these personal data are no longer needed for the purposes for which we collected them in the first place, if our collection of them was illegitimate or if you have successfully exercised your right to withdraw your consent or your right to object to the processing of your personal data. When one of these circumstances applies, we will immediately delete your personal data unless the law, regulatory obligations or administrative or judicial orders prohibit us to delete your personal data.

You can ask that we restrict the processing of your personal data:

• during the time we are assessing your request for correction of your personal data;
• we no longer need your personal data, but you require them for the establishment, exercise or defence of a legal claim.
• when such processing was unlawful but you prefer restriction to erasure;
• during the time we are assessing your objection to the processing of your personal data;

When we process your personal data on the basis of our own interests, i.e. you have not given us your consent and we do not need them for the execution or performance of an agreement nor to comply with legal obligations, you have the right to oppose our processing of your personal data. When our interest relates to direct marketing, we will grant you your request immediately. For other interests, e.g. our security interests, our legitimate interest or the public interest, we will ask you to describe your specific circumstances giving rise to request. We then need to balance your circumstances against our interests. If this balancing exercise results in your circumstances outweighing our interests, we will cease processing your personal data.

When we have collected your personal data on the basis of your consent or because they were necessary for the execution or the performance of an agreement with you, you have the right to obtain a copy from us in a structured, commonly used and machine-readable format. However, this right only applies to personal data you have provided to us.

If you would like to exercise any of these rights, we ask that you send us an e-mail. You can reach us at privacy@mediafin.be.   Rest assured that we will not interpret an e-mail from you requesting to exercise a right as your consent with any processing of your personal data beyond what is required for handling your request. A request should clearly state and specify which right you wish to exercise. Always indicate the context in which we have obtained your personal data so that we may handle your request swiftly and diligently. Your request should also be dated and signed, and accompanied by a digitally scanned copy of your valid identity card proving your identity. We will promptly inform you of having received this request. If the request proves valid, we will notify you as soon as reasonably possible and at the latest thirty (30) days after having received the request. If you have any complaint regarding the processing of your personal data by Mediafin, you may always contact us via the e-mail address mentioned in the first paragraph of this clause. If you remain unsatisfied with our response, you may file a complaint with the competent data protection authority, i.e. the Belgian data protection authority (https://www.dataprotectionauthority.be).