LETTER FROM THE CEO
Where appropriate, a data protection impact assessment approach in accordance with the requirements and recommendations of the DSMP and best practices is used. Risk management is carried out at several levels within the organisation: a risk assessment of the personal data we collect and process, regular assessments of information security risks in specific operational areas, and a risk assessment in the context of significant changes, including data protection impact assessments (DPIAs).
We encourage all employees and other stakeholders in our company to ensure that they play their part in complying with the principles of the GDPR at all times, and in meeting our information security objectives.
Bright Link S.A. complies with all the principles of the GDPR through organizational and technical measures.
IN ITS ACTIVITIES WITH ITS CUSTOMERS
For the PBT product, Bright Link acts as « processor » (subcontractor) while Bright Link’s direct customer acts as « controller ». Due to the small size of Bright Link, the roles of Data Protection Officer (DPO) and Information Security Manager are centralised under the direct responsibility of the company’s CEO.
Bright Link uses several subcontractors, mainly for technical reasons; all of them are GDPR-compliant.
Bright Link’s data processing consists of any automated or manual operation applied to personal or organisational data in order to produce value-added information that helps preserve human capital.
The personal data processed are mainly personal characteristics, lifestyle information and health information. The impact of the GDPR on Bright Link’s activities is nevertheless limited because Bright Link anonymises all individual sessions. The principle of « systematic pseudonymisation when, and where, it is possible » is the central axiom of how Bright Link handles privacy, data confidentiality and GDPR compliance. Note that pseudonymised data which can still be attributed to a person by means of additional information remains personal data under the GDPR, which is why the data subject rights and processor obligations set out below continue to apply.
Bright Link has implemented technical measures to meet GDPR and data-privacy requirements, both through its Cloud platform and in the way data is managed and processed. Bright Link has also implemented organisational measures to ensure the highest possible level of data security.
Main technical and organisational measures:
- Consent collected before the survey starts
- Access to the survey protected by a personal password
- Encrypted, password-protected PDF reports
- Ethical rule of « 10 » for the publication of segmented consolidated results: individual results are protected and never disclosed
- Third parties must comply with the GDPR
- Digital platform security (SSH)
- HTTPS encryption
- Risk management of personal data
- Security incident management process
- Data protection impact assessments
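The « rule of 10 » above is a minimum-group-size (small-cell suppression) rule. The example below is added here to illustrate it and is not Bright Link’s code; it assumes, as an interpretation, that the rule means a segment’s consolidated result is published only when at least 10 respondents fall in it. It also shows the caveat a practitioner would want: if an organisation-wide total is published next to the segments, a single suppressed segment can be recovered by subtraction, so a second (complementary) suppression is needed. The department names and stress scores are constructed sample data.

```python
from collections import defaultdict
from statistics import mean

# Assumed meaning of the "rule of 10": a segment is published only with >= 10 respondents.
MIN_GROUP_SIZE = 10


def build_sample():
    """Constructed sample of anonymised sessions (no identifiers kept per session)."""
    rows = []
    # (department, number of respondents, base score); scores cycle base, base+0.5, base+1.0
    for dept, n, base in (("Sales", 12, 3.0), ("Support", 15, 2.5),
                          ("Finance", 4, 4.0), ("R&D", 11, 2.0)):
        for i in range(n):
            rows.append({"department": dept, "stress": base + (i % 3) * 0.5})
    return rows


def consolidate(sessions, segment_key, metric, min_size=MIN_GROUP_SIZE, publish_total=True):
    """Return per-segment means, suppressing any segment smaller than min_size.

    Primary suppression hides small segments. If an overall total is published,
    complementary suppression additionally hides the smallest published segments
    until the hidden remainder itself reaches min_size, so the suppressed cell
    cannot be reconstructed as (total - sum of published segments).
    """
    groups = defaultdict(list)
    for s in sessions:
        groups[s[segment_key]].append(s[metric])

    suppressed_cell = {"n": None, "mean": None, "suppressed": True}
    report = {}
    for seg, values in groups.items():
        if len(values) < min_size:
            report[seg] = dict(suppressed_cell)          # primary suppression
        else:
            report[seg] = {"n": len(values), "mean": round(mean(values), 2),
                           "suppressed": False}

    if publish_total:
        hidden = sum(len(groups[seg]) for seg, cell in report.items() if cell["suppressed"])
        # Complementary suppression: a hidden remainder below min_size is a
        # differencing risk once the total is known, so widen it.
        while 0 < hidden < min_size:
            published = [seg for seg, cell in report.items() if not cell["suppressed"]]
            if not published:
                break
            smallest = min(published, key=lambda seg: len(groups[seg]))
            hidden += len(groups[smallest])
            report[smallest] = dict(suppressed_cell)
        all_values = [v for vals in groups.values() for v in vals]
        report["ALL"] = {"n": len(all_values), "mean": round(mean(all_values), 2),
                         "suppressed": False}
    return report


if __name__ == "__main__":
    for seg, cell in consolidate(build_sample(), "department", "stress").items():
        print(f"{seg:8s} {'suppressed' if cell['suppressed'] else cell}")
```

With the constructed data, Finance (4 respondents) is always suppressed; when the organisation-wide figure is published, R&D (11 respondents) is suppressed as well so that the hidden remainder is 15 respondents rather than a single recoverable segment.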
ON THIS WEBSITE
Confidential information is collected only for administrative and account configuration purposes for PBT customers. The information collected and stored is:
- Language preference
ROLES AND RESPONSIBILITIES
One of the key attributes of an effective approach to data protection is a clear assignment of roles, each with defined responsibilities. Each of these roles is assigned to specific individuals or groups in Bright Link. It is essential that all Bright Link members understand the role they must play in protecting the personal data we hold and process about individuals.
By ensuring that roles and responsibilities are clearly defined, we are in a good position to prevent many data protection incidents affecting personal data and to react effectively and appropriately, if necessary.
In the data protection framework relevant to our GDPR compliance, the following key roles have been defined:
- Data controller
- Data Protection Officer (DPO)
- Information Security Officer
The specific responsibilities for each of these roles are defined in the following sections of this document.
PERSON RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA
« Personal data » means any information relating to an identified or identifiable natural person (hereinafter referred to as « data ») as stipulated in the General Data Protection Regulation.
« Processing » means any operation or set of operations concerning data or a set of data, whether or not carried out by automated means, such as collection, recording, organisation, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, matching or interconnection, restriction, erasure or destruction of data.
Bright Link S.A., chemin du Cyclotron, 6, 1348 Louvain-la-Neuve, with company number 0662.639.464 is the controller of your data (hereinafter referred to as « Bright Link S.A. »).
Bright Link S.A. has a contact point within the company in charge of data protection. You can contact them with any questions via: firstname.lastname@example.org
However, in order to exercise your rights, we ask you to first use the possibilities provided for in Article 5.
The GDPR defines a « processor » as « a natural or legal person, a public authority, an agency or other body processing personal data on behalf of the controller ». As a result, the responsibilities described below may be assigned to an individual or be considered applicable to the organisation as a whole. In the case of PBT, Bright Link acts as processor for its customers.
The data processor (Bright Link) has the following responsibilities:
- Ensure that any processing of personal data is governed by a contract or other legal act specifying the purpose and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects and the obligations and rights of the controller;
- Process personal data only on written instructions from the controller, including with regard to the transfer of personal data to a third country or international organisation;
- Ensure that persons authorised to process personal data have undertaken to respect confidentiality or are subject to an appropriate legal obligation of confidentiality;
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing of personal data;
- Obtain prior written authorization, specific or general, from the controller before hiring another processor;
- Assist the controller in fulfilling its obligation to respond to requests for the exercise of the data subject’s rights;
- Delete or return all personal data to the controller after the end of the provision of the services related to the processing operation;
- Make available to the controller all the information necessary to demonstrate compliance with the obligations set out in the GDPR and to allow and contribute to audits, including inspections, carried out by the controller or another auditor mandated by the controller;
- Maintain a record of all categories of processing activities carried out on behalf of a controller;
- Cooperate, upon request, with the supervisory authority in the performance of its tasks;
- Ensure that any person acting under the authority of the processor who has access to personal data does not process them except on instructions from the controller;
- Notify the controller without delay after becoming aware of a breach of personal data;
- Appoint a data protection officer when required by the GDPR, publish his or her contact details and communicate them to the supervisory authority;
- Support the Data Protection Officer in the performance of their tasks by providing the necessary resources for the performance of these tasks and access to personal data and processing operations, and by maintaining their knowledge.
DATA PROCESSING OBJECTIVE
Bright Link’s data processing includes all automated or manual operations applied to personal or organisational data in order to produce value-added information that helps preserve human capital:
- Data collection and extraction
- Data storage and management
- Data organization and structuring
- Data analysis
- Transformation of data into individual diagnostic risk reports
- Consolidation, data fusion and transformation into institutional diagnostic risk reports
- Communication and sharing of data with persons authorised by the controller
- Deleting data
More specifically, the objectives of Bright Link’s data processing are as follows:
- Create and disseminate an individual risk diagnosis for the prevention of chronic fatigue and absenteeism;
- Identify at-risk individuals early and connect them confidentially with appropriate individual support channels;
- Create and implement a balanced global mapping of risks, « well-being and stress », to enable the creation and implementation of improved prevention policies;
- Analyze risks on a consolidated basis in several breakdowns to identify the organization’s priority sub-structures and thus allow prevention initiatives adapted and adjusted according to risks.
SECURITY AND CONFIDENTIALITY
Bright Link S.A. has taken all appropriate technical and organisational measures to protect the information and data collected against destruction, loss, unintentional modification, damage, accidental or unauthorised access or any other unauthorised processing of data. To ensure this security, Bright Link S.A. uses, among other things, encryption of the communication between the server and your computer, firewalls, antivirus scans, access controls, logs and backups. The number of employees with access to your data is limited, and such access is only granted to the extent necessary for the performance of their duties. Where Bright Link S.A. works with subcontractors to provide the various services and products it offers, it has entered into the necessary agreements with these subcontractors to ensure the protection of your data. In addition, we have integrated the necessary policies and procedures within our organisation and have appointed a data protection officer.
NATURE OF PERSONAL DATA
Your data may be collected in various ways when you are an employee of a Bright Link S.A. customer company or organisation. However, Bright Link completely anonymises the information collected and the sessions created. In the GDPR, personal data refers to any information relating to an identified or identifiable natural person (« data subject »); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Bright Link’s processing involves the following categories of data, classified as in the GDPR:
- Direct individual identifiers (name, social security number, identity card, passport, biometric data, video, image, voice): NO
- Indirect individual identifiers (telephone numbers, e-mails, address): YES
- Personal characteristics (gender, age, nationality, level of education) and career information (seniority, position, department, contract status): YES
- Lifestyle information (eating habits, social life, finances, logistics, family items, hobbies, travel) YES
- Digital individual identifiers (IP address, cookies, connected devices): YES
- Tracking and GPS / IOT: NO
- Social networks and Internet behaviors: NO
- Surveys: YES
- DNA and medical identifiers: NO
- Data relating to religions, sexual and philosophical orientation, ethnic groups or political opinions: NO
- Data relating to membership of a trade union or work organisation: NO
- Individual physical or mental health data: YES
- Data on judicial administration (detention): NO
- Financial, investment or insurance data (salaries, assets, debts), pensions, payments, transactions: NO
- Work services (time sheet, days of absence, specific contract clauses, social and in-kind benefits, results evaluation): NO
NATURE AND RIGHTS OF PROTECTED PERSONS
The following persons are « data subjects »: individuals (employees, workers, managers, agents) under current employment contracts with an organisation, company or public administration. The data subject has rights under the GDPR that are fully compatible with the Bright Link approach; these rights are handled via Bright Link’s support e-mail, as indicated in the mandatory consent form presented at the start of every data collection process:
- Right to information
- Right of access
- Right of rectification
- Right to delete (right to be forgotten)
- Right to restrict processing
- Right to be notified of any rectification or erasure
- Right to data portability
- Right of objection
- Right not to be subject to automated decision-making
PLACE OF PROCESSING AND INTERNATIONAL TRANSFER
Any transfer of personal data to a third country or international organisation requires the controller’s written instruction. The controller may, at its sole discretion, make that consent subject to other conditions, for example the conclusion of a contract on the basis of the EU standard contractual clauses. This obligation applies subject to any legal provisions to the contrary in Union or Member State law.
USE OF DATA FOR RESEARCH AND STATISTICAL PURPOSES
Bright Link is a university spin-off and its scientific DNA remains an important value. Consequently, anonymised data sessions may be further processed for scientific research or statistical purposes (information relating to well-being or stress at work), which implies that the data are aggregated and/or that the identity of any natural person or respondent cannot be obtained, stored, managed, used, processed or transmitted.
PRINCIPLE OF CONFIDENTIALITY
Bright Link, as processor, and any person acting under the authority of Bright Link who has access to personal data, are bound to respect the utmost confidentiality regarding any personal data of which they have knowledge, unless disclosure of such personal data is required for the proper performance of their duties by the law of the Union or of a Member State to which the processor is subject. In that case, the processor informs the controller of this legal obligation before disclosing the personal data, unless the law concerned prohibits such information on important grounds of public interest.
COOKIES AND OTHER TECHNOLOGIES
You can visit our website without providing your personal data. Our website uses « cookies », which are small pieces of information stored by the browser on your computer, allowing us to record certain information about users of our website (e.g. language, length of your visit to the page, …).
AMENDMENTS TO THE REGULATIONS
Company details and controller:
Company name: Bright Link S.A.
6, chemin du Cyclotron
VAT BE 0662.639.464