Qualified Electronic Registered Delivery Service Privacy Statement

QERDS PRIVACY STATEMENT– V1.3

1. Purpose

This privacy statement is about the data that is collected using the QERDS service and how we use it. This Privacy Statement is part of the larger Agreement between Parties, including the Terms & Conditions, the Quotation and the & Practice Statement. Due to the specific scope of the Privacy Statement, its provisions take control of the other forms in the event of contradiction.

Your privacy is really important to us; this statement explains how we protect you and your data. When providing the Service, we process personal data of the Sender, the Authorized Users, the Receiver, the Addressee (which could or could not be the same person as the Receiver), their representatives and third parties involved in the data sent through the Service, all of these to the extent that the data pertain to an identified or identifiable natural person.

The data controller is Dioss Smart Solutions NV, with registered offices at Honderdweg 21, 9230 Wetteren, and registered in the CBE with reference number 0478.640.659.

Dioss’ data processing operations are subject to the EU General Data Protection Regulation 2016/679, as well as the ePrivacy Directive 2002/58/EC, and the relevant Belgian legislation transposing or further elaborating European law.

In general, it is important to note that there is a shared responsibility in this system:

• On the one hand, Dioss provides the platform where the services take place and is amongst others obligated to make sure everything that occurs there happens in a secure manner and what happens is transparent to the users.
• On the other hand, the Senders are companies that implement the platform and are amongst others obligated to only send correct content to the correct Addressees.
• All users are obligated to handle the system in a responsible manner
  
  

2. Terminology

See Practice Statement and Terms & Conditions.

3. Overview of the personal data

A detailed description is found in our data register, but in general, this is what we use:

Account data

• Name Sender
• Name Authorized User
• Email address
• Phone number
• Login and password
• Authentication data
• History
• Evidence reports

Sender data

• Name Sender
• Name Authorized User
• E-mail address
• itsme® identification number (if used as authentication method)
• eID card number (if used as authentication method)
• Telephone number
• Company VAT number (if applicable)
• Sent content
• Metadata

Addressee data

• Name Addressee
• E-mail address
• itsme® identification number (if used as authentication method)
• eID card number (if used as authentication method)
• National Registry Number (in case itsme® is used as authentication method)
• Date of birth
• Company VAT number (if applicable)
• Notification dates and times

Evidence data

• Name Sender
• Name Authorized User
• E-mail address Sender/Authorized User
• IP address Sender/Authorized User
• Sender registration number
• Name Addressee
• E-mail address Addressee
• IP address Addressee
• Addressee registration number
• Addressee's date of birth
• Content hash
• Seal and timestamp

This data is kept (except for the national registry number which is immediately destroyed after having extracted the birth date) in the following forms:

1. The database
2. Proof of sending
3. Proof of receiving
4. Logs
5. Backups

The data is kept within the European Union in Europe in accordance with GDPR and only through secure partners which use secure datacenters. See the practice statement for more information.

4. Processing Operations

We endeavor to use the minimum data that is required by the functioning of the system and by law. After the by law minimally required time period, your data is removed.
We go into this in detail below, but in general this means

1. The content that is sent and possibly delivered will be deleted after handling: the content is available for first delivery for 2 weeks, and after delivery the content can be retrieved again for another 2 weeks
   1. All metadata that is required by law must be kept for a longer period of time, this is:
      1. the evidence reports for 7 years
         1. containing document original hash, document sealed/time stamped hash, Sender name, Addressee name, time of submission and time of delivery, ...
   2. service logs for 2 years
      1. timestamps of when authentications and identifications took place in which manner, document hash, ...

4.1 Account data

• Data: Account Data processed by Dioss includes the data mentioned in Article 2.
• Purposes: The Account Data are processed for enrollment on the platform, to identify and authenticate the Sender and/or Authorized Users and to manage and uphold the Sender’s or Authorized Users’ accounts.
• Legal ground: Execution of the contract (art. 6.1.b GDPR), i.e. the Agreement
• Retention time: As long as the Sender maintains its account and the Agreement is live

4.2 Sender data

• Data: Sender Data processed by Dioss includes the data mentioned in Article 2.
• Purposes: The Sender Data are processed in order to be able to send the content to the right entity or person, as instructed by the Sender. This entails communication about the Service, such as sending proofs, notifications of requests ready for delivery etc. Updates on the Practice Statement, Terms & Conditions, this Privacy Statement or other changes in the Service. Monitoring, auditing and supporting the Service.
• Legal ground: Execution of the contract (art. 6.1.b GDPR)
• Retention time: Maximum 2 months, as long as it takes to send out the content.

4.3 Addressee data

• Data: Addressee Data processed by Dioss includes the data mentioned in Article 2.
• Purposes: The Addressee Data are processed in order to be able to send the content to the right entity or person, as instructed by the Sender. And to allow for identification and authentication of the Receiver as the Addressee when retrieving the content or message. In case of identification via itsme®, the National Registry Number is used to derive the birth date of the Addressee (it is further not kept, used, nor stored).
• Legal ground: Legal obligation (art. 6.1.c GDPR), due to eIDAS requirements
• Retention time: Maximum 2 months.

4.4 Evidence data

• Data: Evidence Data processed by Dioss includes the data mentioned in Article 2.
• Purposes: The Evidence Data are processed in order to provide evidence of the content sent by the QERDS , to provide society with legally binding and trustworthy evidence, as guaranteed and regulated by the eIDAS Regulation.
• Legal ground: Legal obligation (art. 6.1.c GDPR), due to eIDAS and connected legal requirements.
• Retention time: 7 years.

4.5 Logs

• Data: Logging data keeping track of the use of the Service.
• Purposes: The logs are kept to keep track of the use of the Service in order enable audits on the sound functioning of the trusted Service.
• Legal ground: Legal obligation (art. 6.1.c GDPR), due to eIDAS and connected legal requirements.
• Retention time: 2 years.

4.6 Newsletter

• Data: Sender’s and/or Authorized Users’ names and email addresses
• Purposes: Keeping the Senders and Authorized Users up to date on new evolutions at Dioss and its QERDS service, potentially via a newsletter.
• Legal ground: Prior and informed consent (art. 6.1.a GDPR)
• Retention time: As long as the consent remains valid. The Senders and Authorized Users may withdraw their consent at any time.

4.7 Analysis

• Data: User data with regard to the use of the Service (monitoring).
• Purposes: Rendering statistics, based on live anonymized data, for analysis in order to give insights on the functioning of the Service and the improvement thereof.
• Legal ground: Legitimate interest (art. 6.1.f GDPR)
• Retention time: maximum 2 months

4.8 Cookies

We only use cookies for authentication purposes:

TOKEN_ACCOUNT_CREATION_FLOW: token used to identify user during account creation

• TOKEN_ACCOUNT_NEED_2FA: token used to identify user during MFA log in
• TOKEN_ACCOUNT_AUTHENTICATION: token to identify logged in user
• TOKEN_RECEIVER_AUTHENTICATION: token to identify authenticated Receiver as the Addressee
  
  

5. How we handle your data

By using the Service, you expressly agree with this Privacy Statement. You may revoke this permission at any time for any subsequent deliveries (by removing your account). To deliver on our responsibilities as QTSP, we need to keep the evidence of transactions for the period of time mentioned in the Practice Statement.

We do not store the data for longer than is strictly necessary for the purposes they are collected for. We do not share your data with third parties other than the Sender or any authorized legal parties (such as police mandates or requests authorized by a court of law).

6. Data Sharing

Dioss applies strict access control policies and makes sure that its personnel does not access the data unless such access is vital to the delivery of the Service. Dioss does not share any of your data with third parties for commercial or other gain. Your data is only shared with partners to whom Dioss has entrusted one or more of the processing operations, such as authentication, cloud storage or electronic signatures. A up to date overview of the partners may be consulted in the Practice Statement.

7. Breaches

In the event of a security breach and/or a data leak (which is understood to include: unauthorized access to personal data that results in a significant likelihood of negative consequences in terms of protection of personal data), Dioss will make every effort to inform the involved parties of this immediately, in response to which we will assess together whether or not the sending party needs to notify the relevant supervisory body and/or others concerned. The sending party is and remains responsible for any statutory obligations to this effect. Notification only has to take place in regard to an event causing major impact and only if the event actually occurred.

8. Viewing, Editing and removing

8.1 Receiver

The data we keep is sent to the Receiver at the time of receiving the content in the form of the evidence report and the content itself. Any data is then deleted at the first time where we are legally allowed to do so. This means that specific requests to remove data sooner cannot be accepted.

8.2 Sender

A Sender will be able to terminate his/her/their personal/company account. He/she/they will be reminded that some of the transactional data will still be kept in the user/event logs inside the QERDS platform to keep up with the obligations around legal activities (as explained
earlier in this document).

9. Changes

We reserve the right to make changes to this Statement. If we modify this Statement, we will report it on our website (https://smartsolutions.dioss.com/en/products/tuvi/privacy-statement/).

When changes are made to provisions impacting processing operations based on consent, the data subjects shall be asked to renew their consent, based on the modified Privacy Statement.

10. Security

Dioss ensures that your data is properly secured with us. We have implemented several technical and organizational security measures, according to the present state of the art and science, and proportionate to the risks involved. In terms of information security, we are both
eIDAS certified and ISO 27001 certified.

11. Data Subject Access Rights

As a data subject, you are granted several rights with regard to your data, processed by us:

• Right of access and information: you have the right to request us whether or not we process any of your data, to get access to your data and to ask for more information on how we process your data.
• Right of rectification: you have the right to correct or supplement the personal data we process about you, if they are incorrect or incomplete.
• Right to withdraw your consent: if applicable (for those processing operations based on consent), you can withdraw your consent at any time.
• Right of objection: you can object to the processing of your personal data (which implies you will not be able to use the Service).
• Right of deletion (and to be forgotten): you can request us to delete your personal data (except for the data that we are obliged to keep by law, as mentioned elsewhere in this document).
• Right to data portability: you may request us to transfer your data to third party data controllers or to request a copy of your data in a readable format.
• Right to restrict processing: in some cases, you may request that we limit the processing of your personal data (temporarily or otherwise), which means that we will process less of your data.

We do not perform any profiling on your data or take automated decisions based on your data.

If you decide to invoke one or more of your data subject access rights, you may contact us by mail on: Dioss Smart Solutions NV, DPO, Honderdweg 21, 9230 Wetteren Or by email: dpo.smartsolutions@dioss.com

In order to keep all information confidential and accurate, we must ascertain whether you are the legitimate data subject invoking your rights in connection with the correct data. Therefore we ask you to provide us with proof of your identity. This may be done by sending us information that only the both of us may know, or by sending us a copy of your ID card with the National Register Number made unintelligible. We will respond to your request as soon as possible, but at the latest within 30 days. Should this period be extended for reasons relating to the specific rights of data subjects or the complexity of the request, we will respond within three months at the latest.

12. Complaints

If you have a complaint with regard to our processing of your data, please let us know via email to dpo.smartsolutions@dioss.com.

But you also have the right to complain about how your data is being handled with the Belgian supervisory authority responsible for enforcing data protection legislation, in particular:
Gegevensbeschermingsautoriteit (GBA)
Drukpersstraat 35, 1000 Brussel
Tel. +32 2 274 48 00
e-mail: contact@apd-gba.be
Website: www.gegevensbeschermingsautoriteit.be

Complaints filed with the GBA do not limit your right to lodge legal proceedings before the competent court in any way; nor does it limit the possibility to request compensation for damage suffered.

13. Contact

If you have any questions or would like to know what personal data we have about you, you can always contact us at dpo.smartsolutions@dioss.com.

We take the protection of your data extremely seriously and take appropriate measures to prevent misuse, loss, unauthorized access, unsolicited disclosure and unauthorized alteration.

However, if there are indications of misuse or you have concerns on how your data is processed or kept, please contact us directly via dpo.smartsolutions@dioss.com.