Privacy Policy of Xylos NV

Last update: 04/11/2024

1. Identity of the Data Controller

This policy will apply from March 2024 and is published by Xylos NV  

XYLOS NV, 
Noorderlaan 139, 
2030 Antwerp
CBE 0877. 360.743 

 (Hereafter ‘Xylos’)

Our internal privacy team and external DPO can be reached via privacy@xylos.com 

The protection of your personal data is important to Xylos.  
During your contact with Xylos, you may share personal data with us so that we can identify you as an individual, employee of a company, etc.  (Such as, for example, your full name, email address, address, and phone number). This is your “personal data”. 

2. What personal data do we process and for what purposes?

Xylos collects, registers and processes the personal data of (possible) customers of Xylos (hereafter ‘Customer(s)’), candidates, employees, self-employed freelancers or other persons with whom our company is in contact. For example, data is provided by individuals themselves when they contact our services. 

Personal data is always processed in compliance with the principles of privacy legislation and the General Data Protection Regulation, being the European Regulation 2016/679 of 27 April 2016 on the protection of personal data.

The personal data is processed in a lawful, fair and transparent manner and this for a specific and explicit purpose.  Xylos also ensures data minimisation by regularly updating our database.

Xylos processes your personal data for the following purposes, among others:

  • Customer management – searching for leads, contacts, company data, identification data, financial data, information and project information exchange;
  • Recruitment of new employees – professional contact details, job title, experience, career data, data related to a Customer’s job description; Data from new employees and freelancers is uploaded into our systems so that a good match can be found between a candidate’s experience and specializations and available assignments, among other things. When entering into a new assignment, it is possible that personal data is shared concerning the persons involved in the agreement. The people from Xylos are contractually bound by confidentiality.
  • Information about our professional and social activities, or any other subject that may interest you through our communication channels (p.e. newsletter, website);
  • If you contact our company through social media or if your profile is accessible within these platforms, personal data may be shared with Xylos as part of that platform, and we recommend that social media users check the privacy conditions as users of such platforms.
  • To deliver the services of our agreements entered into by our Customer;
  • Handling financial commitments and accounting obligations ;
  • Data analysis to improve the efficiency and performance of our services, for which AI models can be used;
  • To comply with legal obligations;
  • When the legitimate interest of the company requires to process the data, but this is always clear to the data subject, for example for safety reasons.

Other data is collected by automated means by ‘cookies’ and other systems/applications that collect information when visiting the website. When you visit the website for the first time, you can use our cookie pop-up to set the types of cookies according to your wishes and find more information about the cookies in question. 

The personal data is protected in an appropriate manner by means of appropriate technical and organisational measures that we prefer not to disclose, if you have more questions about this, please contact our data protection officer (DPO) or your contact person within Xylos;

Xylos as a Processor

In the case of the services provided by Xylos on behalf of the Customer, Xylos sometimes has access to the Customer’s personal data. In such cases, the Customer will have the role of “Controller” and Xylos will have the role of “Processor”, as defined in the GDPR.  In these cases, you will be referred to the Controller regarding the processing of your personal data.

3. Who do we share our personal data with?

Xylos opts for partners who can guarantee the same level of protection for your personal data. The personal data will not be transferred outside the European Economic Area (EEA) unless adequate safeguards are provided in accordance with the General Data Protection Regulation or the EU-U.S. Data Privacy Framework.

Your personal data may be shared with external business partners. These can be, for example, suppliers regarding IT infrastructure, administration or accounting obligations, but also subcontractors or sub-processors.

Xylos strives for quality and excellence and is growing year after year. In this respect, personal data may be shared within our departments and within the purposes of the processing. 

With regard to our Customers, Xylos in most cases has the capacity of Processor, in this capacity professional data, which may contain personal data, may be shared, and you will be informed about this when you start employment or when a new project is started. In any case, you can get more and more information from our DPO.

4. How long do we keep personal data?

The retention period of the personal data is limited to as long as necessary with regard to the realisation of the purposes of the processing.  In doing so, we strive for an up-to-date database that is regularly updated.

With regard to candidates, the following deadline has been agreed:

  • Unretained candidates: 3 years without permission, 5 years after consent

With regard to persons who had a contractual relationship with Xylos:

  • The personal data will be kept for 10 years after the end of the last employment contract with the person, due to possible commercial claims and occupational accidents. However, it is possible to deviate from this period in exceptional cases, such as a long-term dispute.

Electronic identification data, such as IP address, will be automatically deleted in accordance with the data period as shown in the cookie policy. You can consult the expiry period on the website.

5. Rights of the data subject

You have various rights with regard to the data we process about you. If you wish to invoke any of the following rights, please contact us or our external DPO using the contact details provided in the first title of this Privacy Statement.

Right of access and copy

You have the right to inspect your data and obtain a copy of it. This right also includes the possibility to request further information about the processing of your data,

including with regard to the categories of data that are processed about you and for what purposes.  

Right to rectification 

You have the right to have your data corrected if you believe that we have incorrect data.

Right to erasure (right to be forgotten)

You have the right to request that we erase your data without undue delay. However, we will not always be able to comply with such a request, for example if we still need the data in function of an ongoing membership or file, or if the retention of certain of your data for a specific period of time is required by law.

Right to restriction of processing

You have the right to restrict the processing of your data. In this way, the processing is temporarily stopped until, for example, there is certainty about its accuracy.  

Right to withdraw your consent

If the processing is based on your consent, you have the right to withdraw this consent at any time by contacting us.

Right to object

You have the right to object to processing of your data which is based on our legitimate interests or the public interest. This should be done on the basis of reasons specific to your situation. In this case, we must stop the processing, unless we demonstrate compelling legitimate grounds to continue the processing.

However, you can object to the use of your data for direct marketing purposes at any time, after which we are obliged to stop processing for these purposes. For promotional messages that you receive from us via e-mail, you can easily exercise this right of objection by clicking on the “unsubscribe” button provided. 

Right to data portability

You have the right to receive your data that you have provided to us yourself with your consent or in the performance of an agreement, in electronic form. In this way, they can easily be transferred to another organization.

Right to lodge a complaint with your supervisory authority

If you believe that we are processing your data incorrectly, you always have the right to lodge a complaint with your data protection supervisory authority. You can do this with the supervisory authority of the EEA Member State where you habitually reside, where you have your place of work or where the alleged infringement was committed. As a Belgian company, we refer below to the contact details of the Belgian Data Protection Authority.

Belgian Data Protection Authority (DPA) Drukpersstraat 35

1000 Brussels

+32 (0)2 274 48 00

contact@apd-gba.be  

For further information and the contact details of the supervisory authority of each EEA Member State, please refer to this website page of the European Data Protection Board with all relevant contact details. 

Security and confidentiality

Xylos has developed technical and organisational security measures to prevent the destruction, loss, falsification, alteration, unauthorised access or accidental disclosure to third parties of personal data collected on the website, as well as any other unauthorised processing of this data.

Our website and/or service does not intend to collect data about website visitors under the age of 16 unless they have parental or guardian permission. However, we cannot verify whether a website visitor is over the age of 16. We encourage parents to be involved in their children’s online activities in order to prevent the collection of information about children without parental consent. If you are convinced that we have collected personal data about a minor without such consent, please contact us at privacy@xylos.com and we will delete this information. 

If you have the impression that your data is not properly secured or there are indications of misuse, please contact privacy@xylos.com. 

Accuracy of your data

Every person who provides data to Xylos guarantees that the data is accurate and complete. The communication of incorrect data or data belonging to third parties may result in the person being denied, temporarily or permanently, of all or part of all access to Xylos products and services.

Miscellaneous

This Privacy Statement may be amended from time to time, taking into account, among other things, the new laws and regulations or evolutions in this regard. The changes will take effect automatically upon publication. This is an English translation of the privacy policy, if there is any misunderstanding the original Dutch version prevails.

If one of the foregoing provisions concerning the processing of personal data or any other provision should not be valid, all parties accept that it will be replaced by a provision that will approach the underlying purpose of the proposed provision as much as possible.

Xylos’ privacy policy is subject to Belgian law.

The Belgian Authorities (e.g. the Data Protection Authority) and the courts competent for the registered office are, to the exclusion of all others, competent to hear disputes and complaints that may arise in relation to this website or its use or regarding the processing of personal data or any other dispute.

If you would like to comply with the applicable legislation, rights and obligations arising from the General Data Protection Regulation or follow up on any information security incident, please contact privacy@xylos.com.  

XYLOS NV, Noorderlaan 139, 2030 Antwerp, Belgium