The employee and Paymate* agree that they intend to enter into a temporary employment contract in accordance with the provisions of the Law of July 24th 1987. This declaration of intent needs to be signed only once and applies to all orders, even if they follow each other at intervals.

Regulations FOR the protection of the personal data of the employee within the framework of their personnel file and payroll data

Paymate handles the personal data collected from all employee and candidate-employees collectively referred to as ’employee(s)’ in this privacy policy in a secure and confidential manner. Paymate undertakes to strictly comply with all legal provisions regarding the protection of personal data when collecting and processing the personal data of its employees. This policy describes what personal data Paymate processes, on what basis and why they are processed, and how they are protected. The policy also contains and describes the rights of employees in the processing of personal data and the rules for data exchange between them (who can access the personal data?).

This policy particularly concerns the protection of personal data when it is processed in the context of the personnel file and payroll data. It applies to all employees who are linked to the employer by a temporary employment contract or a (labour) contract with the subsidiary company ergoflex, as well as to individuals:

• who are no longer employed but whose employer is legally obliged to keep some data;
• who are in contact with the employer as part of an ongoing recruitment process.

All the above categories are intended in this policy when referring to the ’employee’.

1. Whom to contact in case of questions?

Agilitas Group, registered in the Crossroads Bank for Enterprises under the number (VAT BE) 0478.971.449, with registered office at 2800 Mechelen, Stationsstraat 120, is the Controller for the processing of the personal data. Paymate declares that, as the Controller of Processing, it complies with Belgian privacy legislation, as well as the provisions of the General Data Protection Regulation as of its entry into force.

2. What is personal data?

The General Data Protection Regulation defines personal data as “all information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

If this Privacy Policy refers to personal data, reference is made to this definition in the Regulation.

In principle, no special categories of personal data are processed, unless the performance of the employment contract requires it. Processing of special categories of personal data means:

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and processing of genetic data, biometric data with a view to the unique identification of an individual, or data concerning health, or data concerning a person’s sexual behaviour or orientation.

3. What data is processed?

Nature of the personal data

Paymate collects and processes various personal data of its employees that relate to their employment. These data primarily concern all data resulting from the application of legal, regulatory or conventional provisions relating to the employment of staff. They are generally related to:

• the status and subjection to labour law, social law and tax law;
• the presences and absences and the interpretation of them;
• the components of the wage, the amount, the payment and the evolution of the wage;
• all other legal, regulatory and conventional aspects of personnel administration, covering e.g. work accident insurance, occupational medicine, medical checks on incapacity for work, extralegal insurances granted by the employer, …

The data may also and more specifically, within the framework of the execution of the employment contract and the application of legal, regulatory or conventional provisions, concern different categories of personal data:

• identification data (name, address, national register number, identity card number, )
• financial data (bank account number,…)
• personal characteristics (age, sex, marital status, work permit, etc.)
• family composition (dependents, date of birth of children, …)
• curriculum vitae, cover letters, notes taken during the job interview
• salary and wage slips
• work schedules
• data relating to occupation and employment (personnel file in the strict sense)

• • job title
  • data needed to determine remuneration, including wages, variable remuneration, performance evaluation, premiums, group insurance, benefits in kind (perks) …
  • overview of presences and absences
  • agreements and targets to be met by the employee in his job
  • evaluation and assessment data
  • competences he/she should possess or acquire
  • …

• national registry number (as a tax identification number and in relation to social security institutions)
• if required: physical data (size, weight,… for e.g. working clothes,…)
• information on certain habits of life (details about travel and journeys, civilian awards, information on an accident, etc.)
• memberships (only if paid by the employer)
• housing characteristics (only if the employer provides housing)
• data on education and training, including training received, planned training, need for training, … (educational leave, promotion, …)
• some judicial data that have an impact on the employment contract (pre-trial detention, wage attachment,…)
• if necessary: political, philosophical or religious views (for the application of small leave for Holy Communion, secular celebration of youth, political leave, etc.)
• membership of a health insurance fund (in accident files,…)
• administrative-medical data (disability rates, medical certificates, HR-related examinations…)
• career planning data
• photos and videos (e.g. on the occasion of a staff outing)
• name of a contact person in case of emergency

These categories of personal data are intended to be exhaustive and do not in any way imply that the employer processes all such data.

Personal information

The employee shall provide all relevant information required by the employer.

At the time of recruitment or when new measures are applied, the employee shall provide the employer with all the necessary information for the application of the compulsory formalities, either in the field of social legislation, or for the granting, suspension or termination of entitlement to allowances and other benefits.

The employer reserves the right to request a copy of the diplomas and/or certificates obtained if these documents are important in the job that the employee performs. The employer shall treat the information collected with the required confidentiality. He may read them, but he may not keep them.

Any change in the original personal information (change of address, marital status, dependent family members, etc.) shall be spontaneously communicated in writing or by e-mail to the agency concerned without delay.

The employee is responsible for not informing the employer or for not informing the employer in time and, if necessary, will have to reimburse the allowances, benefits or contributions that have been wrongly collected.

Protected personal data

Some of the data are processed solely for the purpose of conferring a benefit to the employee.

“Sensitive data” may be processed if they are necessary for the implementation of the employment rights and obligations of the holder of the file.

(Article 9 of the General Data Protection Regulation, Article 8 of the Law of December 8th 1992, Articles 25 to 27 of the Royal Decree of February 13th 2001)

“The membership of a health insurance fund” may be processed to satisfy a legitimate interest of the data subject if the purpose of the processing is to provide a real benefit and in so far as the data subject does not object to the processing.

(Articles 25 to 27 of the Royal Decree of February 13th 2001)

Processing of personal data

The personal data held by the employer can be obtained both by the employee and through other information channels.

If the employer does not obtain the personal data from the employee, the employee shall be informed of this within a reasonable period of time.

The processing of these data is subject to the Law of December 8th 1992 on the protection of privacy and the Regulation 2016/679 of April 27th 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

The controller is the employer who processes personal data with due care.

More information on the rights of the employee in connection with this processing and on the security of processing follows.

4. Why are these personal data processed and what is the legal basis for the processing?

General

The personal data of the employee are processed:

• because of laws, regulations and instructions at regional, federal and international level concerning labour law, social security and tax law, including collective and individual labour agreements and working regulations;
• within the framework of the employment contract;
• a legitimate interest of the controller or a third party.

Within the framework of the personnel file and payroll administration, a large amount of personal data is processed that is required by laws, regulations and instructions at regional, federal and international level concerning labour law, social security, tax law, including collective and individual labour agreements and the labour code. If necessary, the purposes will be more clearly formulated and communicated to the employee.

Personal data is used mainly for payroll management, with the possible assistance of a social secretarial service, as well as for personnel administration. They are processed within the framework of the employment contract for temporary work. These are mainly data that appear on the annual individual statement. Marital status and dependent children are necessary for the calculation for tax and social purposes.

CV, cover letter and notes made during the job interview as well as evaluation forms are processed in order to complete the application process, as a legitimate interest. Personal data obtained from evaluations of the employee or monitoring of the employee will also be processed due to the existence of an employment contract. If this information is used for other purposes, the employee will be informed in time according to the legal rules. Photographs and videos are collected and processed for use in internal communication but only with prior consent.

The name of a contact person is collected in order to contact a family member or relative in case of an emergency, with the legal basis of the need to protect the vital interests of the employee. The surname and first name of the partner are necessary in case hospitalisation insurance is offered and the partner and children are insured.

Various data will also be processed due to a legal obligation incumbent on the employer or when the processing is necessary and reasonable for the interests of the Controller (employer) or a third party. The employer shall inform the employee in good time of this, if applicable.

In some cases, the processing of personal data is based on the explicit consent of the employee.

This data will not be used for purposes other than personnel management or payroll administration. If this data is used for purposes other than personnel management and payroll administration, the employee is informed of this as soon as possible in accordance with the statutory regulations.

Special cases

In some special situations, further data are processed in addition to those listed above:

Camera surveillance: ☑ applicable □ not applicable

• Legal basis:
  • □ Within the framework of the agreement
  • □ Legitimate interest
• Objectives:
  • □ Safety and health
  • ☑ Protection of company assets
  • □ Control of production process
  • □ Exercising control over labour

• Retention period: 1 month

Control e-mail and internet:

• Legal basis:
  • □ Within the framework of the agreement
  • □ Legitimate interest
  • □ Consent of the employee
• Objectives:
  • □ Preventing unlawful / defamatory acts, contrary to good morals, which harm the dignity of others
  • □ Protection of confidential commercial, economic and financial interests and conflicting interests
  • □ Safety and/or proper technical functioning of IT network systems, physical protection of the company
  • □ compliance in good faith with the applicable principles and rules regarding use of the company’s online technologies
  • □ Follow-up production process
• Retention period: 3 years

Photos of the employee:

• Legal basis:
  • □ Legitimate interest
  • □ Agreement
• Objectives:
  • □ Promotion
  • □ Communication
• Retention period: 10 years

Time registration:

• Legal basis:
  • □ Within the framework of the agreement
  • □ Legal obligation
  • □ Legitimate interest
  • □ Consent of the employee
• Objectives:
  • □ Correct remuneration
  • □ Commercial building security
  • □ Use of utilities
• Retention period: 5 years

5. Rights of the employee in the processing of personal data

Processing of personal data by clients

Paymate’s clients may process personal data of the employees. This processing of personal data is governed by the customer’s privacy policy.

Right of access and copy

The employee has the right to obtain free access to the personal data that the employer processes about him, as well as why the employer does this, where the employer has obtained the data and who receives the data. In this case, the employee can also learn how long the employer intends to keep the data, whether the data will be used for automatic decision-making and whether the employer intends to send data to a country outside the European Union. The employee may exercise this right by requesting it in writing or electronically via the contact details listed under point 1.

The employer shall provide the requested information in writing or electronically within a reasonable period of time. If the employee so requests, the information may be given orally, provided that the identity of the person concerned is proven by other means.

The employee is also entitled to a copy of the personal data being processed. If the employee submits his request electronically, and does not request any other arrangement, this information shall be delivered in an electronic manner.

In case the pay slips are made available to the employee electronically, he can consult these data at any time.

Right to rectify

The employee may ask to correct or supplement (inaccurate) personal data. The employer undertakes to respond to this request as soon as possible.

Right to erase

The employee has the right to have personal data concerning him removed. The employer shall comply with the employee’s request within a reasonable period of time, for example in the following situations:

• when the personal data are no longer necessary for the purposes for which they were collected or processed;
• when the processing was based solely on the employee’s consent and he withdraws his consent;
• if the employee objects to the processing for legitimate reasons;
• when the employer did not have a legal basis to process the data.

This request for erasure of personal data can only be refused by the employer when justified, such as in the exercise or substantiation of a legal claim or due to a legal obligation to keep and process certain data. The employee may not oppose the processing of personal data necessary for payroll administration.

Right to restrict personal data

The employee may ask the employer to restrict the processing of his personal data if he disputes the accuracy of the data, the processing is unlawful or the employer no longer needs the data for the processing purposes. In this case, personal data may only be processed in the following cases:

• with the consent of the employee;
• and for the purpose of legal proceedings or to protect the rights of others.

Right to lodge an objection

An employee has the right to object to the processing of his personal data, including profiling on the basis of those provisions. The processing shall then be stopped, unless it is necessary for compliance with social and fiscal legislation, to protect the interests of the employer or a third party, or for the establishment, exercise or substantiation of legal claims.

Right to transfer data

An employee may, for all processing of personal data based on the explicit consent or the exercise of the employment contract, ask the employer to obtain it in a structured, commonly used and machine-readable form. Moreover, the employee may subsequently transfer this data to another employer or data controller.

Right to lodge a complaint

The employee may at any time lodge a complaint about the processing of personal data with the competent authority in the Member State where he normally resides, where he has his place of work or where the alleged infringement was committed.

In Belgium, a complaint can be submitted to the Belgian Privacy Commission: Commission for the Protection of Privacy, Drukpersstraat 35, 1000 Brussels (Tel: +32 22744800; Fax: +32 22744835, e-mail: commission@privacycommission.be). As from May 25th 2018, this commission will become the Belgian Data Protection Authority.

In addition, the employee can always bring a civil action and claim compensation if, for example, he or she suffers damage as a result of the processing of his or her personal data.

Right to withdraw consent

Where the processing of personal data is based on the employee’s consent, the employee may withdraw such consent at any time, without prejudice to the lawfulness of the processing based on consent before the withdrawal.

6. Safeguards and security of personal data

Security of personal data

The employer shall make every effort to ensure compliance with the technical and organisational security measures for the processing of personal data, in particular to avoid the destruction, loss, falsification, alteration, unauthorised access or accidental disclosure to third parties of collected personal data, as well as any other unauthorised processing of such data. This security is guaranteed by high-tech tools and the quality of the staff. The staff are bound by professional secrecy.

• Technical measures

• • Use of virus scans, firewalls, ….
  • Passwords that are changed regularly
  • No unsecured hard disks
  • Access security to data
  • Encryption of data
  • No unsecured backups
  • Working on secure hard disks

• Organisational measures

• • Selected persons have access
  • Incident management procedure
  • Policy towards employee & staff
  • Training for employee & staff
  • Confidentiality clauses

If some documents are sent to the employee electronically (e.g. the pay slip) and are kept electronically, this is done via the social secretarial service, where strict security standards are applied.

When transferring personal data to countries outside the European Union, appropriate safeguards will be taken by the employer or the consent of the employee will be sought.

Controller and Data Protection Officer

The controller – employer – ensures the accuracy and relevance of the personal data being processed. He shall ensure that they comply with the applicable regulations.

The employee may always contact the controller, or the controller’s representative, to exercise his or her rights or request additional information.

Where appropriate, the Data Protection Officer will monitor compliance with personal data protection.

7. Retention period of personal data

The personal data of candidate-employees are kept for 3 years after the first registration. After the expiry of the 3-year period, the employee is contacted again and asked to give his/her consent if he/she wishes to be kept in the database for a longer period.

The personal data of employees who have actually worked at Paymate are kept active for 5 years after the conclusion of the last contract. After the expiry of the 5-year period, the employee will be contacted again with the request to give his/her consent, if he/she wishes to be kept in the database for a longer period, without prejudice to legal, regulatory or conventional provisions or limitation periods that oblige or require the preservation of the personnel file or part of the personnel file for a longer period in the organisation, e.g. for or as a result of legal action.

8. Who can consult the personal data?

Data consultations

Only authorised members of staff of the employer, including those designated by the company and the employer’s clients, are entitled to carry out internal searches in the personal data. These persons reasonably need the data by virtue of their duties or for the needs of the service. The company shall provide for a system of restricted access and an appropriate level of security.

(Categories of) persons to whom the personal data are transferred (external communications)

The communication of personal data to third parties is limited to the application of legal and regulatory provisions or if the communication is necessary for the normal performance of personnel management or payroll administration, such as government agencies, social security institutions and cooperating social security institutions.

Some personal data is passed on to third parties:

• The payroll information is passed on to our social secretarial service Acerta for payroll administration as well as to the competent government authorities on the basis of legal obligations (e.g. Belgian and/or foreign judicial services, police services and social security authorities);
• The necessary information will be passed on to the provider for the granting of meal vouchers and/or eco vouchers Edenred;
• Name, first name, address and function are passed on to the external service for prevention and protection at work (EDPW) Attentia Prevention & Protection so that it can perform its tasks properly;
• Name, first name, address and function will be passed on to Certimed to enable it to carry out its tasks properly;
• Name, first name, address, job title and work risk are communicated to the insurance company Ethias for the insurance of the risk of work accidents;
• Name, first name, address and bank account number to multibank Isabel for the purpose of paying wages, expenses, …
• Surname, first name, curriculum vitae can be distributed via the candidate database to the potential employers/users of the temporary workers;

Surname, first name and the data required for the execution of the payroll administration are passed on to Paymate’s clients in the event that work activities are commenced there.

The employee’s personnel file can also be transferred to the auditing firm for the purpose of carrying out an audit in the context of obtaining/maintaining the professional federation’s quality label.

The above-mentioned third parties process personal data on behalf of the employer in order to perform a certain task. A processing agreement is concluded with the above processors so that, among other things, the employee’s personal data is sufficiently protected and secured.

In exceptional circumstances, personal data is passed on to third parties for the performance of their duties, such as accountants, consultants and lawyers in the context of tax and/or legal support, researchers and ICT service providers. These third parties process personal data on behalf of the employer in order to perform a certain task. A processing agreement is concluded with the above processors so that, among other things, the personal data of the temporary agency worker is sufficiently protected and secured.

The personal data will not be sold, rented, distributed or otherwise made commercially available to third parties, except as described above or unless with prior consent.

The employer may be obliged to transfer personal data by court order or to comply with other mandatory laws or regulations.

9. When does this policy enter into force?

This policy shall enter into force on May 25th 2018.

Agreement and receipt

I confirm the letter of intent with Paymate containing the parties’ intention to conclude a temporary employment contract in accordance with the provisions of the Law of July 24th 1987. I confirm that this Declaration of Intent needs to be signed only once and applies to all assignments, even if they follow each other at intervals.

I declare that I have received a copy of the regulations on ‘Protection of the personal data of freelance workers in relation to their personnel files and salary details’. I have read it carefully and declare my full and express agreement with its contents.