Privacy Policy

24/05/2018.

This Privacy Policy (“Privacy Policy”) informs you about the processing of personal data that takes place when you, the "User", opt for Twikey's electronic mandate solution (for signing online direct debits) in the context of your agreement with your supplier.

Twikey and your supplier work together to offer you this electronic mandate solution. Twikey and your supplier hereby respect your right to privacy and protection of your personal data.

In this Privacy Policy we will explain how we (Twikey) deal with your personal data. We advise you to read this Privacy Policy with the required attention.

Please note that this Privacy Policy solely relates to the processing of your personal data when you use Twikey's electronic mandate solution or when you requested additional information from Twikey, such as the Newsletter.

For more information about the processing of your personal data in connection with your use of the services of your supplier in general, please refer to the applicable privacy policy of the supplier with whom you signed a service agreement. Twikey is not involved in these processing operations.

1 Which categories of personal data are processed?

In brief: When you use Twikey's electronic mandate solution, different categories of your personal data are processed. This always concerns data that relate directly or indirectly to you. For example, it concerns your personal and financial identification data and electronic data that identify your device (eg an IP address).

  1. When you use Twikey's electronic mandate solution, the following categories of personal data are processed:
    1. Personal identification data (eg your name and address);
    2. Electronic identification data (eg your IP address);
    3. Financial identification data (eg your bank account number);
    4. Financial transactions;
    5. Agreements (eg the agreement you have with the supplier);
    6. Personal characteristics (eg your gender and date of birth).
  2. If you do not use Twikey's electronic mandate solution, but your data are available at Twikey (eg by your subscription to our newsletter), the following categories of personal data will be processed:
    1. Personal identification data (eg your name and address);
    2. Electronic identification data (eg your IP address).

In this case, only the responsibility of Twikey will be involved and not that of the supplier. Article 3.2 states what the Twikey objectives could be.

2 Who is responsible for the processing of your personal data?

In brief: Below, under Article 2, we explain who is responsible for which processing of your personal data. For some processing purposes the responsibility of both Twikey and your supplier may be involved. For other purposes, only the responsibility of Twikey may be involved.

  1. For the processing of your personal data for the purposes described in Article 3.1 below, the following parties are jointly responsible:
    1. NV/SA Twikey (BE0533.800.797) – “Twikey”:
      • Address: Kortrijksesteenweg 1110, bus 202, 9051 Gent, Belgium
      • Phone number: +32 (0)9 395 45 00
      • E-mail: support@twikey.com

        You can contact Twikey's privacy manager via this e-mail address.

    2. Your supplier:
      For the contact details of the privacy manager at your supplier, contact your supplier directly.
  2. For the processing of your personal data for the purposes described in article 3.2 below, solely Twikey will be responsible.
  3. Twikey and your supplier have concluded an agreement that regulates their joint responsibility for the processing of personal data for the purposes described in Article 3.1. In essence this agreement states that:
    1. Twikey provides the User with the necessary information regarding the processing of personal data, when this user chooses Twikey's electronic mandate solution;
    2. You, as a User, can always address your questions regarding the exercise of your rights in regard to the processing of your personal data to one of the parties. Twikey and your supplier will ensure that your questions are forwarded to the party who can respond to them appropriately.

3 Why are these personal data processed?

In brief: Your personal data are initially processed to offer you the electronic mandate solution. These data are then also processed to allow Twikey and the supplier to communicate and report between themselves. The reasons for the processing are therefore determined jointly by Twikey and your supplier.

However, we also process your personal data for other purposes which in that case are exclusively determined by Twikey. Among others, these purposes include the creation and keeping of statistics, the improvement of our services, etc.

  1. Twikey and your supplier jointly process your personal data for the following purposes:
    1. to be able to offer you the electronic mandate solution (as described in the Terms & Conditions of Twikey) in the context of your direct debit agreement;
    2. to deliver it to the bank;
    3. for billing, communication and reporting purposes in connection to the operation of the electronic mandate solution;
    4. to assess the solvency;
    5. to jointly take the appropriate technical and organizational measures to protect your personal data.
  2. Twikey also processes your personal data, without the intervention of your supplier, for the following purposes:
    1. to be able to communicate with you and/or to inform you about the status of our services;
    2. to be able to perform statistical and other analyses on the use of our electronic mandate solution;
    3. to improve our products and services;
    4. to detect abuse and fraud;
    5. to be able to inform third parties in the context of a possible merger, acquisition, division or similar operation, even if these third parties are located outside the EU;
    6. to be able to take the appropriate technical and organizational security measures internally in order to protect your personal data;
    7. to comply with legitimate requests or orders by competent governmental and judicial authorities, including the Data Protection Authority.

4 How do we legitimize the processing of your personal data?

In brief: The applicable legislation concerning the protection of your personal data obliges us to clarify which legal grounds we invoke to legitimize our processing of your personal data. Twikey and your supplier primarily rely on the necessity of processing your personal data in order to be able to execute the agreement that Twikey and your supplier concluded with you. After all, without the processing of your personal data, you cannot use the electronic mandate solution.

  1. For the purposes described in Article 3.1.a., b., c. and d. Twikey and your supplier each invoke the necessity of the processing for the execution of the agreement with the User.
  2. For the purpose described in Article 3.1.d. Twikey and your supplier invoke the obligation they have to take appropriate measures in accordance with the provisions of Article 32 of the General Data Protection Regulation.
  3. For the purposes described in Article 3.2.a. to e. Twikey invokes the legitimate interest of Twikey, which consists of:
    1. to be able to inform you correctly about the status of our services, eg when an incident occurs;
    2. the commercial importance of improving products and services;
    3. the security interest to protect the electronic mandate solution as well as the underlying processes, data and systems from threats;
    4. the importance of being able to execute company law transactions.
  4. For the purposes described in Article 3.2.f. and g, Twikey invokes the legal obligations imposed on Twikey, as can be derived, among others, from Article 32 of the General Data Protection Regulation.

5 Who will receive the personal data and to which countries will they be transmitted?

In brief: Your personal data will be shared with a limited number of parties, such as the service providers and partners of Twikey and your supplier, some of which are based abroad. In this section we explain to whom we send your personal data and how we ensure that the security of your personal data is guaranteed when they are sent abroad.

  1. Your personal data will be received by the following categories of recipients:
    1. yourself;
    2. your business relations (such as your bank);
    3. partners and service providers of Twikey and your supplier;
    4. our shareholders and potential acquirers;
    5. companies within the same group (for your supplier);
    6. governmental and judicial authorities.
  2. Twikey will send your personal data to parties in the EU as far as necessary in the context of our services. Your financial identification data and financial transactions, if applicable, are also stored entirely within the EU.

6 How long do we keep your personal data?

In brief: Twikey and your supplier will only keep your personal data for as long as necessary to achieve the purposes mentioned in Article 3 above.

  1. Your personal data will only be processed for as long as necessary to achieve the purposes mentioned in Article 3 above. Twikey and your supplier will de-identify your personal data when they are no longer required for these purposes unless:
    1. a legitimate interest of Twikey, your supplier or a third party to keep your personal data in identified form outweighs your de-identification interest;
    2. a legal or regulatory obligation or a court or administrative order prevents such de-identification.

7 What rights can you exercise with regard to the processing of your personal data?

In brief: You have the right to access your personal data, to have them corrected or deleted and to limit or oppose their processing. You are also entitled to data portability. In this article we explain how and under what conditions you can exercise these rights.

  1. You have the right to request access to all personal data referred to in this Privacy Policy in so far as they relate to you. You can exercise this right in the first place via your profile in Twikey itself. Twikey and your supplier reserve the right to refuse multiple requests for access that are clearly submitted to cause nuisance or damage to Twikey, your supplier or third parties.
  2. You have the right to request that the personal data that relate to you and which are incorrect are corrected free of charge. You can correct some personal details via your profile with your supplier or Twikey. If a correction is requested, this request must be accompanied by proof that the data for which the correction is requested are incorrect.
  3. You have the right to request that your personal data be deleted if they are no longer necessary in the light of the purposes described above. You should, however, take into account that a request for deletion will be weighed by Twikey and your supplier against:
    1. a legitimate interest of Twikey, your supplier or a third party to keep your personal data, whereby this interest outweighs your right to deletion;
    2. a legal or regulatory obligation or a court or administrative order which prevents such deletion.

    Instead of deleting the data, you can also request that the processing of your personal data be limited when (a) you dispute the accuracy of those data, (b) the processing is unlawful or (c) the data are no longer required for the purposes described above, while you need them to defend yourself in court proceedings.

  4. You have the right to object to the processing of personal data for the purposes mentioned in Article 3.2.a. to e., but you must clarify the special circumstances on which your request is based.
  5. Any request that you address to Twikey or your supplier can be sent by e-mail to the e-mail address of Twikey mentioned under Article 2 or directly to your supplier.

An e-mail with a request to exercise a right will not be interpreted as a consent to process your personal data beyond what is necessary for the treatment of your request. Such a request must clearly state the right you wish to exercise and the reasons for it, if this is required in view of what has been stated above. It must also be dated and signed and accompanied by a digitally scanned copy of your valid identity card that proves your identity or be made via the login to Twikey or via a possibly available platform of your supplier.

Without prejudice to the distribution of responsibilities as described in Article 2, we will immediately inform you of the receipt of this request. If the request is valid, we will inform you as soon as reasonably possible and no later than thirty (30) days after its receipt.

If you have a complaint regarding the processing of your personal data by Twikey or your supplier, you can always contact us via the e-mail address mentioned in Article 2 or directly via your supplier. If you are not satisfied with the answer, you can submit a complaint to the competent data protection authority, namely the Belgian Data Protection Authority.