Processing of personal data: the processing of ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’). The term ‘processing’ is broad and covers, among other things, data collecting, recording, organizing, storing, updating, modifying, retrieving, consulting, using, distributing or making available in any way, merging, combining, archiving, erasing or eventually destroying the data.
Controller: a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processor: the controller can appoint an external subcontractor to process personal data. In such a case, the subcontractor is the ‘processor’. This can be a natural or legal person, a public authority, agency or another body that processes personal data on behalf of the controller.
Bio-Racer NV, with its registered office at 3980 Tessenderlo, Ravenshout Industrial Zone 5.2.50, registered with the CBE (Crossroads Bank for Enterprises) under number 0437.878.883, is the controller of the personal data (hereinafter ‘Bioracer’).
Bioracer processes the following categories of personal data of its customers:
· Personal identification data: data that enables us to identify and contact our customers such as surname, first names, address, telephone number and email address.
· Physical description: data that enables us to offer the most suitable products and services such as age, gender, height, weight and body measurements. Data relating to the clothing sizes of our customers is also processed in order to produce our personalised garments.
· Financial data: invoicing and payment details, including data relating to the assessment of the creditworthiness of customers.
· Electronic identification data: IP addresses and cookies are processed to improve the usability of our online environments.
· Professional activity: data about the type of customer enables us to, for example, apply the correct pricing in terms of dealers, agents, natural persons, teams or B2B transactions.
· Leisure activities: data about the sports or leisure activities of our customers enable us to offer existing or potential customers the appropriate range of products.
· Memberships: information about the clubs, teams, associations, federations or companies that our customers belong to.
· Clothing design: information about the design or concept of the clothing worn by our customers to participate in their favourite sporting activities.
· Electronic location data: the location data of customers to whom a Bioracer commercial vehicle was leased or made available (GPS tracking).
· Images or videos: Bioracer may process images and/or videos of customers or sponsored athletes for promotional purposes.
More than one of the above data categories can be combined.
Bioracer does not process special categories of personal data that are prohibited in terms of Article 9 of the GDPR which reveal racial or ethnic origin, membership in interest groups, political opinions, ideological or religious views, health status, or data concerning a natural person’s sex life or sexual orientation. Bioracer does not process genetic or biometric data with the aim of uniquely identifying a natural person.
Bioracer processes personal data for various purposes and will always try to process only data that is necessary in order to achieve specific objectives. The use of personal data is necessary in the following cases:
· In the preparation and execution of a placed order or implementation of a service (agreement).
· To comply with the legal obligations to which Bioracer is subject.
· To represent our legitimate interests, always striving to ensure that these interests do not outweigh the respect for the privacy of personal data, especially when it concerns children.
If the processing of personal data is not needed for any of the above three purposes, we will always request explicit permission from the data subject to process the personal data.
If Bioracer is aware that it is collecting personal data from children under the age of 16, permission must be obtained from a parent or guardian, as required by law.
Bioracer collects personal data for the following specific purposes:
A. To process a request for Bioracer products or services
People who are interested in the products and services of Bioracer and contact Bioracer (by telephone, email, or through its website) are asked to leave their personal details so that we can contact them in order to make an appointment.
B. In order to provide personalised information and advice regarding our products and services, together with other companies within the Bioracer group
Bioracer uses data in order to provide personal, specific advice about its products and services. This explicitly relates to presenting clothing that matches the needs of our (potential) customers with regard to model, design, technical characteristics and dimensions. This advice may also relate to the physical attitude of customers on their bicycle and the adjustment of cycling positions. This personal data is recorded for the purpose of customer management (preparation of quotations, (re)orders, invoices, follow-up payments) production follow-ups and after-service care, as well as the handling of complaints.
C. To continuously improve our products and services
Feedback from (professional) athletes and customers regarding our products and services provides an important source of data that enables us to improve the comfort, quality and performance of our clothing under various conditions as well as different weather conditions.
D. To announce new products and services
Bioracer may use personal data to inform its customers (either electronically, in writing or by telephone) of new products, competitions, discounts, special promotions, or new services that have been added to the range. Bioracer may also approach individuals, companies and clubs by mail or newsletter even if they are no longer a Bioracer customer. This can be cancelled by unsubscribing to these services (opting-out).
E. To retain statistics for internal use
Bioracer may use personal data to generate internal reports and analysis in order to evaluate our own procedures and operational processes, allowing us to improve our products and service offerings, or to adapt them in accordance with the evolution of the market (trend analysis).
Bioracer does not use automated decision making which may result in legal consequences, or which may similarly significantly affect those involved.
Recipients and data transfers
Bioracer does not sell personal data to third parties without permission and does not share personal data with third parties except in the following instances:
· With other companies in the Bioracer group. Where necessary, and for the processing purposes as described above, personal data may be shared with other companies within the Bioracer group within the European Union, which are directly or indirectly affiliated with Bioracer or with a Bioracer partner.
· Where necessary for the delivery of our products and services. Bioracer may use third parties for the delivery of products and services, and as a result make its databases available for this purpose. These may include, for example, third party producers commissioned by us or independent commercial entities that market our products. This data will solely be shared for the same purpose as which Bioracer processed it and is limited only to the data needed for carrying out their instructions. Bioracer guarantees that these third parties shall take the appropriate technical and organizational measures needed in order to protect the personal data which they are privy to.
· Subject to legal obligation. Bioracer will share personal data with government authorities, legal services or police services when required to do so by law.
· When Bioracer or a third party has a legitimate interest. Bioracer will only share personal data with a third party if the right to privacy does not outweigh the purpose. For example, in terms of collection agencies, or partners when it comes to competitions offering prizes.
· Permission given. In all other cases, when Bioracer shares personal data with third parties, the data subject will be notified in advance, with an explanation regarding the third party and the purpose. Where required by law, permission will naturally be requested first.
When personal data is processed outside of the European Union, Bioracer will take appropriate contractual or other measures to ensure that this personal data is subject to the same or comparable level of protection as if it were protected within the European Union and in accordance with the GDRP legislation.
In addition to necessary and functional cookies, Bioracer also uses:
· Performance cookies: these cookies collect data about the use of the website, such as the number of visitors, from which countries these visitors originate, which pages are popular, how much time is spent on the pages and so on.
· Social media cookies: these cookies enable the functionalities of social media such as Facebook, Instagram, Twitter and LinkedIn. For example, this could be a ‘like’ button on the website.
· Advertising cookies: these cookies enable more efficient and personalised advertisements and advertising messages, tailored to the surfing behaviour and demographic data of the user of the website.
Bioracer can also invoke third-party cookies such as from Google Analytics. Users of the website and online store can switch off or remove all installed cookies from their computer or mobile device at any time in their browser.
In order to protect the collected personal data used by Bioracer, and to safeguard the privacy rights of data subjects, Bioracer has implemented a number of technical and organisational measures:
– Bioracer employees are informed how they should handle confidential personal data through periodic awareness campaigns.
– When new projects are started within Bioracer, whereby personal data is processed, one of the assessment criteria is the security and protection of personal data. Privacy concerns are always taken into account.
– In the field of information technology, we work together with specialised parties that ensure the safety of our information systems, IT infrastructure and web environment.
Bioracer employs various technical measures to protect personal data against unauthorised access, unauthorised use and loss or theft of data, including:
– Securing our systems and databases with a username and password.
– The use of firewalls to shield our systems from external attacks.
– The use of anti-virus and anti-spam software to protect our systems and data against viruses, spyware, spam and the like.
– Shielding data through profiles and rights management so that only specific data is visible to employees who need it to carry out their tasks.
– Keeping all software up-to-date with the latest security updates.
– The use of VPN connections and rights to secure the access to files on our servers.
In the event of a data breach, which may hold adverse consequences for data subjects, Bioracer will go through the legally prescribed procedures and personally inform the data subjects about this within the legally required period.
Data retention period
In accordance with the GDPR regulations, Bioracer is not allowed to keep personal data longer than is necessary in order to achieve the predetermined purpose for which the data was collected. This means that the storage period can differ considerably for each purpose.
Personal data processed for customer management are retained for the period necessary to comply with legal requirements. For example, in order to meet accounting and tax obligations, Bioracer is obliged to keep the invoicing data for a maximum of 7 years. Due to legal necessity, certain data such as invoices, complaints and correspondence must be kept for a maximum period of 10 years.
After the applicable storage period(s) have expired, personal data will be deleted or anonymised.
Exercising privacy rights
Individuals whose personal data is processed by Bioracer have a number of rights as set out in the latest regulations in the GDRP.
1. Right to review
The data subject shall have the right to obtain from Bioracer confirmation as to whether or not personal data concerning him or her are being processed and in those cases, have access to the personal data and the information regarding its processing purposes, including the categories of personal data concerned, the recipients or categories of recipient to whom the personal data have been or will be disclosed, the expected period for which the personal data will be stored, their privacy rights, the right to file a complaint and the existence of automated decision-making. Bioracer shall be obliged to provide a free copy of the personal data undergoing processing in a commonly used electronic form.
2. Right to rectification
The data subject shall have the right to obtain from Bioracer, without undue delay, the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement. Where data has been provided to third parties, this will be disclosed to the data subject and the necessary changes will also be communicated to said third parties.
3. Right to erasure (‘right to be forgotten’)
In a number of specific cases, the data subject shall have the right to obtain from Bioracer the deletion of personal data concerning him or her and Bioracer shall have the obligation to delete such personal data where one of the following grounds apply:
– The personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
– The data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
– The data subject objects to the processing and there are no overriding legitimate grounds for the processing;
– The personal data has been processed unlawfully;
– The personal data must be deleted for compliance with a legal obligation or law to which Bioracer is subject;
– The personal data was collected when the person was still underage.
Bioracer is not always obliged to delete personal data, for example, when the data is necessary in respect of instituting legal proceedings.
4. Right to restriction of processing
Data subjects for whom Bioracer stores data have the right to limit the scope of their processed personal data in the following cases:
– The accuracy of the personal data is contested by the data subject.
– The data subject has objected to the processing of their data and pending the verification whether the legitimate grounds of Bioracer override those of the data subject, the data subject may request that the use of their data be restricted.
– The processing is unlawful, and the data subject opposes the deletion of the personal data and requests the restriction of their use instead.
– Bioracer no longer needs the data, but the data subject requires it for him or herself.
5. Right to transferability
Data subjects whose data is held by Bioracer have the right to have their personal data that they provided transferred to another processor. This is only possible if the information was provided based on an agreement, or subject to the consent of the person concerned.
6. Right to object
The persons from whom Bioracer has collected data have the right to object to the processing of their data based on legitimate and justified grounds. Bioracer will stop the processing of the data unless compelling or legal grounds can be shown to the contrary.
7. Direct marketing
Data subjects have the right to oppose, free of charge, any processing of their personal data in terms of direct marketing (opt-out). This can be done without giving any reason and by contacting Customer Services, or by using the contact details below.
Data subjects have the right to file a complaint with the Commission for the Protection of Privacy.
Address: Drukpersstraat 35, 1000 Brussels
Tel: +32 (0)2 274 48 00