La Lorraine – General privacy policy
In the context of its activities, La Lorraine Bakery Group NV, with registered office at Elisabethlaan 143, 9400 Ninove, VAT 412.382.632, RPR Ghent, Dendermonde Division and all directly or indirectly associated group companies in application of Article 11 of the Belgian Companies Code (“LLBG”), collect and use information about natural persons such as yourself (also referred to as “personal data”). LLBG considers the protection of your privacy as very important and therefore commits to process the information that it collects about you only as set out in this policy. In so doing, LLBG is acting in accordance with the relevant privacy legislation, including the General Data Protection Regulation or “GDPR”.
As part of this commitment, LLBG wishes to explain with this privacy policy why and how we process your personal data, as well as what your rights and our obligations are in this respect. This policy also provides information about who you can contact within LLBG if you have questions or to exercise your rights (see point 7).
1 Scope
This privacy policy applies to every type of use of personal data concerning:
- future, present and former customers (natural persons);
- future, present and former suppliers (natural persons);
- representatives and personnel of customers (legal persons);
- representatives and personnel of suppliers (legal persons);
- Applicants;
- visitors of our premises; and
- visitors of our websites.
This policy does not apply to information relating to legal persons.
The so-called “controller” is the legal entity which decides on the purposes and means of collecting and using your personal data. Unless otherwise indicated in a supplementary policy relating to a specific processing operation, LLBG is the controller.
2 What personal data is collected about you by LLBG?
2.1 General
In the first place we collect the identification and contact details of individuals with whom we communicate, such as your name, email address and/or postal address, landline and/or mobile telephone number. The content of the communication that you exchange with us by post or email is also recorded.
Data relating to children is processed only when they participate in an organised company or school visit.
2.2 Professionals
For professional customers and suppliers who are natural persons this further includes your title, position, name of your company, payment data, such as your bank account number, IBAN, BIC and, where applicable, your VAT number.
For the representatives and personnel of customers and suppliers who are legal persons, this also includes your title, position, name of your company.
If you provide us with information about other individuals (such as the contact details of a colleague), you must provide a copy of this privacy policy to these individuals.
2.3 Private persons
For customers who are private persons and have a loyalty card, LLBG also collects the purchasing history and personal details, such as your sex, age, date of birth and whether you have any relatives.
2.4 Visitors of our premises
When you visit one of our premises you may also be filmed by our security cameras. These cameras are always indicated by the appropriate icon.
If you have an appointment with one of our staff members, you must also give your name at the reception as well as the reason for your visit.
2.5 Events
When you participate to an event organised by LLBG, you may be photographed if you have given your permission.
2.6 Visitors of our websites
When you visit our websites, we also collect certain connection and communication data (such as your IP address, the domain name of your internet provider, your type of browser, operating system and platform), statistical information and information relating to your behaviour, habits and preferences (such as information relating to the pages that you have visited, information that you have requested and the time that you have spent on our websites).
2.7 Applicants
We process the relevant personal data offered by applicants who apply for a vacancy, such as your sex, age, date of birth and professional information (work experience, languages, degrees, …).
3 How is personal data collected?
We have collected this personal data directly or indirectly using (one or more) of the following channels:
(i) when you contact us and communicate with our personnel and/or our IT systems;
(ii) when you give us your business card;
(iii) when you sign up for one of our newsletters;
(iv) When you apply for a vacancy at LLBG (through spontaneous application or reacting on a LLBG vacancy);
(v) when you order and purchase some of our goods or services, such as through our online bakery;
(vi) through our CCTV and security systems;
(vii) through our photographer at events;
(viii) through the company for which you work or through one of your colleagues;
(ix) through online research;
(x) by the use of your loyalty card;
(xi) by participating in or registering for surveys, campaigns, competitions and/or company visits;
(xii) by purchasing customer data from direct marketing databases; or when you visit our website and/or fill in the contact form.
Where necessary, we supplement your personal data with information from public sources, namely the Belgian State Gazette and the Crossroads Bank for Enterprises.
When we request information directly from you (for example, via a form), we will always indicate whether this information is mandatory and what the consequences are if you do not wish to provide this data.
In order to ensure that the personal data that we have about you is accurate and remains up-to-date, we may ask you at certain intervals to review and confirm this personal data or update it, where necessary.
4 Why is personal data collected and used?
Your personal data is always processed for a specific and well-defined purpose and only the data required to achieve that purpose is used.
4.1 General purposes
We process the personal data of (the representatives and personnel of) our customers and suppliers, company and website visitors for the following general purposes:
(i) monitoring of our activities (measuring and compiling statistics on sales, number of customers, etc.);
(ii) management of our IT, including the management of the infrastructure and the continuity of the business;
(iii) improving the quality of our products and services;
(iv) safeguarding our economic interests;
(v) management of our archiving systems;
(vi) answering questions from a public authority or court;
(vii) compliance with statutory obligations;
(viii) mergers and acquisitions; and
(ix) fraud prevention.
4.2 Professionals
We also process the personal data of (the representatives and personnel of) our customers and suppliers for:
(i) the preparation and performance of agreements;
(ii) purchase, procurement, invoicing and accounting;
(iii) management of relations with customers and suppliers and partner programmes;
(iv) monitoring the activities in our premises, including compliance with relevant policies, health and safety rules; and
(v) periodically sending out newsletters and promotional e-mails about our products and services, as well as interesting information, for example by using targeted advertisement through social media, by making use of the address that you or the company for which you work has given us (if you have given us your permission).
4.3 Private persons
We also process the personal data of customers which are private persons for:
(i) planning and delivery of goods and services to customers;
(ii) management of loyalty cards;
(iii) management of customer relations;
(iv) processing of (personalised) orders, including the online bakery, and to inform customers, where necessary, of the status of such orders;
(v) Recruitment and selection;
(vi) invoicing and accounting;
(vii) the periodic sending out of newsletters and promotional e-mails about our products and services, and also interesting information, for example by using targeted advertisement through social media, by making use of the address that you have supplied (if you have given us your permission);
(viii) answering questions from our customers, including questions asked by telephone; and
(ix) the organisation of promotions, campaigns and competitions.
4.4 Visitors of our premises
We process our visitors’ personal data for:
(i) the organisation of company and school visits; and
(ii) monitoring the activities on our premises, including compliance with applicable policies, health and safety rules.
4.5 Visitors of our websites
We also process the personal data of the visitors of our website for:
(i) managing and improving our websites (e.g. through the diagnosis of server problems, optimisation of data traffic, integration and optimisation of web pages);
(ii) measuring the use of our websites (e.g. by compiling statistics of the data traffic or collecting information on the behaviour of the visitors and the pages that they visit);
(iii) improving and personalising your experience as well as adapting the content of the website to each visitor (e.g. by remembering your selections and preferences, together with the use of cookies);
(iv) analysis of the efficiency of our e-mail campaigns and improving the sending of e–mails in order to communicate better with our customers; and
(v) monitoring and prevention of fraud and other potential misuse of our website.
5 Legal basis allowing the collection and use of personal data
Personal data may not be processed without a valid legal basis. We will therefore process your personal data only when:
(i) we have received your free, explicit and specific consent for the processing of your personal data for one or more specific purposes; or
(ii) the processing is necessary to perform our contractual obligations towards you or to take pre-contractual steps at your request; or
(iii) the processing is necessary in order to comply with an obligation to which we are subject by a statute, decree or ordinance; or
(iv) the processing is necessary to protect your vital interests or those of another person; or
(v) the processing is necessary for our legitimate interests and does not unduly affect your interests or fundamental rights and freedoms. Please note that, when processing your personal data on this basis, we always seek to maintain a balance between our legitimate interest and your privacy.
Examples of such legitimate interests include: benefiting from cost-effective services, offering our products and services to our customers, fraud prevention and the security of our IT systems and networks, meeting our corporate and social responsibility objectives.
In most cases your personal data will be processed because this is necessary in the context of our present and future contractual relations. If you require more information on the exact legal basis on which we rely to process certain personal data, please do not hesitate to contact us, as explained in point 7.
When we collect personal data about your children in the context of an organised company visit to one of our premises, we will always ask your explicit consent for this, either directly or through your children’s school.
6 Who has access to my personal data?
6.1 Within LLBG
Your personal data will be stored by LLBG in its IT systems, but will only be accessible to the personnel who require access to your personal data as part of their tasks within LLBG and only for the purposes set out in point 4.
This personnel is bound by our internal rules and procedures relating to security, confidentiality and protection of personal data. They are also obliged to comply with the technical and organisational measures that we have taken to protect your personal data. These security measures were tailored to take into account the state of the art of the technology, their cost of implementation, the risks presented by the processing and the nature of the personal data, the volume and risks attached to the processing of personal data.
6.2 Outside LLBG
Part of the personal data is also shared with certain categories of recipients outside LLBG in the context of the purposes defined above, but only if they actually require such information. This concerns, in particular:
(i) our service providers such as consultants, IT service providers, security companies, insurance companies and financial institutions;
(ii) our business partners, such as stores and other supermarkets who distribute our products, as well as our marketing advisors;
(iii) any national and/or international regulatory, enforcement or exchange body or court where we are required to do so by applicable law or regulation or at their request;
(iv) third parties advisors, such as accountants and lawyers, for example in the context of the transfer or takeover of all or a part of the business; and
(v) third parties involved in investigating possible fraud or other legal violations.
In the above context, we remain responsible for the processing of your personal data. Except in the case of the authorities, these recipients may process the data only on the basis of our specific instructions and for no other purpose, unless we have informed you of this in advance and have obtained your consent, where required. We also impose specific contractual obligations on them in order to guarantee the protection of your personal data.
6.3 Outside the European Economic Area
Recipients can sometimes be located in a country outside the European Economic Area (“EEA”), which may not provide an adequate level of protection of personal data. The applicable legislation for the transfer of personal data to such countries requires that we implement appropriate safeguards to ensure that the protection of personal data remains guaranteed (such as contractual provisions that impose on the recipients to protect your personal data). You can obtain additional information and an explanation about this or a copy of these measures by exercising your rights as described in point 7.
7 What are my rights and how should I exercise them?
You always have the right to request access to the personal data that LLBG processes about you and to have inaccurate or incomplete personal data corrected. In some instances you can also object to the processing of this data, request a restriction on the processing or ask us to delete certain data. Lastly, you are also entitled in certain circumstances to request that some of your personal data be transferred to yourself or to a third party.
When you have given your consent for a certain type of processing, you may withdraw it at any time, but you should be aware that in such case you may not be able to fully enjoy all of our services. Such withdrawal will not affect the lawfulness of processing based on consent before its withdrawal. In addition, you can always object at no cost to the use of your personal data for direct marketing purposes.
Should you wish to exercise any of the above rights, please send an e-mail to privacy@llbg.com, attaching a copy of your identity card.
LLBG takes your comments about our processing of personal data seriously and will quickly attend to them. So do not hesitate to contact us if you have any comments.
If you are not satisfied with the way in which we process your personal data, you are entitled to submit a complaint to the supervisory authority responsible for the protection of personal data, in Belgium, the Data Protection Authority (GBA).
8 How long is my data kept?
The exact retention period depends on the purpose for which the personal data is being processed.
In principle, LLBG uses the following criteria for the retention of personal data: (i) personal data is stored for as long as is necessary for achieving the purpose for which it was collected and (ii) always in line with the relevant statutory, regulatory and internal requirements in this respect.
More specifically, personal data that we hold about you in our database and that is not related to a specific agreement, is removed 120 months after your last interaction with us.
For personal data that is related to a contract that you (or the company for which you work) have executed with us, the retention period is the duration of this contract, plus the period until claims under this contract become time-barred, unless mandatory statutory or regulatory requirements require a longer or shorter retention period. After the expiry of this period your personal data will be removed from our systems.
CCTV images are retained for a maximum retention period of 2 weeks.
Personal data that is collected and processed in the context of a dispute is removed (i) as soon as an amicable settlement has been reached, (ii) as soon as a final decision has been rendered that can no longer be appealed or (iii) when the claim has become time-barred.
9 Amendment of the policy
This policy may be subject to amendments. This privacy policy was last amended on 4 May 2018. Future amendments or additions to the processing of your personal data as described in this privacy policy will be notified to you in advance through our website(s) (for example, through pop-up screens) as well as by means of our usual communication channels (for example, by e-mail, if we hold your e-mail address). Please always ensure, however, that you use the latest version.
10 Contact us
For general questions you can always contact us by sending an e-mail to privacy@llbg.com. For privacy-related questions and/or to exercise your rights, please refer to the e-mail address given in point 7. We are pleased to help you.