STAS-21 is committed to abide by the provisions of the GDPR.
What is the GDPR?
The General Data Protection Regulation (hereafter referred to as “the GDPR”) applies from 25 May 2018 onwards. Its ambition is to lay down “rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data”. With respect to the territorial scope, the GDPR applies only in relation to natural persons who are residents of EEA countries.
Which of your personal data is kept by STAS-21?
Personal data concerns only natural persons. However, there are two categories of personal data:
- data with which a natural person can be identified, and
- data with which a natural person is identifiable, meaning that the person can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
What is not personal data: information about individuals from which individuals cannot be identified (such as collection of anonymised statistics), as well as general information about companies and organisations.
STAS-21 keeps on file the following personal data:
- names and surnames,
- contact details (e-mail address, phone numbers),
- details about the employer of the person (name of the company, position within the company/institution, job details),
- photographs collected during STAS-21 events.
In handling this data, STAS-21 can act either as a data controller or, rarely, as a data processor (processing data for another data controller).
Why do we keep your personal data?
STAS-21 utilizes your personal data in order to fulfil its mission – being the voice of savings and retail banks. Keeping your data in our databases ensures that you will continue to receive invitations to our events, latest updates and other relevant information.
Where do we get your data from?
We collect your personal data from the following sources:
- public websites,
- data of STAS-21 members’ employees provided by these persons willingly,
- from application forms filled out for purposes of STAS-21’s events, and
- photographs made at STAS-21’s events.
Basis for handling and storing personal data
The primary and most common basis is your consent. In this respect STAS-21 takes steps to be able to demonstrate at any time that, where needed, consent for processing has been acquired.
Other bases for keeping and handling personal data are:
I. when this is necessary for the performance of a contract
This applies especially in respect of the data of STAS-21 employees.
II. compliance with a legal obligation or task carried out in the public interest (stemming from either national or EU law),
Some personal data of STAS-21 employees must also be processed due to applicable Belgian law.
III. when this is necessary to protect the vital interest of the data subject or another natural person, and
IV. processing for legitimate interests pursued. This legal basis may not be used in cases when overridden by the interests or fundamental rights and freedoms of a person.
STAS-21 stores and uses personal data of representatives of its members for legitimate purposes, i.e. to provide them services which are expected by them.
Principles of data processing
In accordance with the principle of accountability enshrined in the GDPR, STAS-21 is committed to observe the following principles when processing personal data:
- purpose limitation, i.e. processing only for the initial purpose (a second consent or another legal basis is needed for further processing)
- data minimisation, i.e. acquiring the minimum extent of data required,
- data accuracy, i.e. keeping the data up to date,
- storage limitation, i.e. retaining the data for no longer than what is necessary,
- integrity and confidentiality, i.e. adopting appropriate technical and organisational measures.
Your rights with respect to your personal data held by STAS-21
STAS-21 undertakes to respect the following rights of the data subject:
I. Right of access
This right is twofold; you have the right to find out whether or not personal data is being processed. Secondly, on request you will be granted access to your data as well as certain information (such as that on the purposes of processing, the period for which the data will be stored, the source of the data in cases when this is not collected from the data subject).
II. Right of rectification/ the right to correct inaccurate data
You have the right to ask STAS-21 to rectify inaccurate personal data as well as, taking into account the purposes of processing, the right to have incomplete data completed.
III. Right to be forgotten
In certain cases (including when objecting to the processing and/or withdrawing consent), you can request that your personal data are deleted without undue delay.
IV. Right to restriction of processing
You can obtain from STAS-21 a restriction of processing of your data. This is possible in cases where you have contested the accuracy of the data, where the processing is unlawful, where the data is in fact no longer needed by STAS-21 and finally in cases where you have objected to the processing.
V. Right to object
You are granted this right on grounds relating to your particular situation. STAS-21 undertakes to notify you of this right at the time of the first communication.
VI. Right to data portability
When the legal basis for STAS-21 storing your data is your consent or a contractual obligation, you have the right to receive personal data held by STAS-21 in a format that can be easily transferred to another legal entity for use.
Who receives your data?
STAS-21 utilizes personal data solely for its own purposes. Accordingly, personal data from STAS-21’s databases is not forwarded to entities other than STAS-21’s members. However, this does not happen often.
How long do we keep your data?
STAS-21 keeps your data for a period which is needed for the fulfilment of STAS-21’s mission. When the legal basis for this is consent, it will be refreshed on an appropriate basis.
Generally speaking STAS-21 shall:
- implement appropriate technical and organisational measures in order to comply with GDPR obligations,
- keep records of data processing activities in order to be presented on demand (this should also include the purpose of processing, the categories of recipients of the data, including those in third countries and information on these transfers),
- notify breaches of personal data to the Belgian Data Protection Authority (as the competent data protection authority – this is because all STAS-21 data processing takes place in Brussels).
However, in accordance with the GDPR STAS-21 is not obliged to designate a data protection officer as:
- STAS-21 is not a public authority or body,
- the core activities of STAS-21 do not require regular and systematic monitoring of data subjects on a large scale,
- the core activities of STAS-21 do not consist of large scale processing of special categories of personal information or data on criminal offences.
Do you have questions/concerns?
If this is the case you can always contact STAS-21 at firstname.lastname@example.org or at the following address:
Avenida Ramon d’Olzina N° 87 local 7 – 43480 – VILASECA, TARRAGONA, SPAIN
 Article 1(1) of the GDPR
 As required per Article 7(1) of the GDPR.