We understand that your privacy is important to you and that you care about how your personal data is used. We respect and value the privacy of everyone who uses Adminbox, a digital platform owned by Unifiedpost SA on which you can handle documents which you receive from third parties and who are permitted to provide these documents to us. We will only collect and use personal data in ways that are described here, and in a way that is consistent with our obligations and your rights under the General Data Protection Regulation (EU Regulation 2016/679) (the “GDPR”). Please read this Privacy Notice carefully and ensure that you understand it.
This notice applies where we are acting as a data controller with respect to the personal data of Adminbox. In other words, where we deliver services in the Adminbox and determine the purposes and means of the processing of that personal data. This Privacy Notice describes how we collect, use and process your personal data, and under what circumstances we may disclose the information to third parties.
Please note however that when we receive your data from permitted third parties (i.e. those parties with whom you agreed that they can send us e.g. invoices, salary slips, interim contracts and other documents), we are acting as data processor and we process your personal data on behalf of these third parties. The data we receive from the third parties is only visible to you and the third parties with whom you share it. We have necessary contractual arrangements in place with these third parties in order to ensure your data is processed lawfully. If you have any concerns related to such personal data or why such data is processed or you would wish to exercise any of the rights detailed in the section 4, please refer to the third parties from whom you receive the documents.
Information about us
The Adminbox is owned by Unifiedpost group a limited liability company incorporated and existing under the laws of Belgium with registered address at office at Avenue Reine Astrid 92 A, 1310 La Hulpe, Belgium and with company number 0886.277.617 referred to as “Unifiedpost” or “we” or ‘us’.
Questions regarding this Privacy Notice can be regarded to:
Data Protection Officer: Mathias Baert
Email address: firstname.lastname@example.org
Postal address: Avenue Reine Astrid 92 A, 1310 La Hulpe, Belgium
What is personal Data?
Personal data is defined by the by the General Data Protection Regulation (EU Regulation 2016/679) (the “GDPR”) as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.
Personal data is, in simpler terms, any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers.
The personal data that we use is set out in section 5 of this Privacy Notice.
What are my rights?
Under the GDPR, you have the following rights, which we will always work to uphold:
- The right to be informed about our collection and use of your personal data. This Privacy Notice should tell you everything you need to know, but you can always contact us to find out more or to ask any questions using the details in section 11.
- The right to access the personal data we hold about you. Section 11 will tell you how to do this.
- The right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete. Please contact us using the details in section 11 to find out more.
- The right to be forgotten, i.e. the right to ask us to delete or otherwise dispose of any of your personal data that we have. Please note that there are exceptions where we are not required to fulfil such request. For more information, please contact us using the details in section 11.
- The right to restrict (i.e. prevent) the processing of your personal data.
- object to us using your personal data for a particular purpose or purposes. If you make such an objection, we will cease to process the personal information unless the processing is for the establishment, exercise or defence of legal claims.
- The right to data portability. This means that, if you have provided personal data to us directly, we are using it with your consent or for the performance of a contract, and that data is processed using automated means, you can ask us for a copy of that personal data to re-use with another service or business in a structured, commonly used and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others.
- Rights relating to automated decision-making and profiling which may have an impact on your legal rights. We do not use your personal data in this way.
For more information about our use of your personal data or exercising your rights as outlined above, please contact us using the details provided in in section 11.
If you consider that our processing of your personal information infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement. We would welcome the opportunity to resolve your concerns ourselves, however, so please contact us first, using the details in section 11.
What personal data do we collect/process?
In this section 5 we have set out:
- the general categories of personal data that we may process;
- the purposes for which we may process personal data; and
- the legal bases of the processing.
Depending upon your use of Adminbox, we may collect, and process some or all the personal data set out below. Please note that, as mentioned above, for some functionalities of Adminbox, we may act as data processor of the permitted third parties.
We may collect data when you create an Adminbox account. This may include your email address, mobile phone, first and last name. This account data may be processed for the purposes of enabling you to register and use the Adminbox. The legal basis for this processing is the performance of contract entered into between you and us.
We can collect data about the way in which you use the Adminbox such as when you click buttons, links and other parts of our platform. These service data may be processed for tracking whether you, amongst others, have archived, signed received, downloaded, stored, viewed, organised, mailed, handled, searched documents, marked up the documents as read. The legal basis for this processing is the performance of contract between you and us.
When a payment functionality is available in your country, you will be able to make payments using Adminbox. We may collect data such as amount of payment made, description of what you paid, date of payment, and unique identifier of the payment. This data may be processed to allow you to make payments within the Adminbox. The legal basis for this processing is performance of contract between you and us.
If you opt to use our archiving functionality, the Adminbox will store the documents and we will thus process the personal data contained in those documents for the legal retention period set out in section 8. The purpose of the processing of such personal data is providing you with more convenient use of Adminbox. The legal basis for such processing is performance of contract between you and us.
In addition, we may also collect your postal address to deliver the documents if other channels of delivery fail. The legal basis for this processing is the performance of contract between you and us.
We may process any of your personal data identified in this policy where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. The legal basis for this processing is our legitimate interests, namely the protection and assertion of our legal rights, your legal rights and the legal rights of others..
We may process any of your personal data identified in this policy where necessary for the purposes of obtaining or maintaining insurance coverage, managing risks, or obtaining professional advice. The legal basis for this processing is our legitimate interests, namely the proper protection of our business against risks.
In addition to the specific purposes for which we may process your personal data set out in this section 5, we may also process any of your personal data where such processing is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person
When acting as a data controller, we will only use your personal data for the purpose(s) for which it was originally collected unless we reasonably believe that another purpose is compatible with that or those original purpose(s) and need to use your personal data for that purpose. If we do use your personal data in this way and you wish us to explain how the new purpose is compatible with the original, please contact us using the details in section 11. If we need to use your personal data for a purpose that is unrelated to, or incompatible with, the purpose(s) for which it was originally collected, we will inform you and explain the legal basis which allows us to do so. In some circumstances, where permitted or required by law, we may process your personal data without your knowledge or consent. This will only be done within the bounds of the GDPR (or other applicable data protection laws) and your legal rights.
Do you share my personal data?
Use of processor(s)
We rely on data processors (which may include any member of the Unifiedpost group). A processor is the natural or legal person who processes your personal data upon request and on behalf of us, the controller. The processor is required to ensure the security and confidentiality of the personal data. The processor will always act on our instructions. We rely on processors for hosting purposes.
With a view to the optimal protection of your personal data, we have made the necessary contractual arrangements with our processors to ensure that they apply the highest privacy standards. In any event, data processors shall be required to ensure the security and confidentiality of the personal data.
In addition to the above, we may disclose your personal data to our insurers and/or professional advisers insofar as reasonably necessary for the purposes of obtaining or maintaining insurance coverage, managing risks, obtaining professional advice, or the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure].
Transfer of personal data to third parties
In addition to the specific disclosures of personal data set out in this section 6, we may disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject. We may also disclose your personal data where such disclosure is necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
Please note that when we are acting as a data processor, we may also be required to provide certain personal data to the permitted third party (e.g. whether you have received the documents in Adminbox). For more information on this, please contact the permitted third parties.
International transfers of your personal data
We will only store or transfer your personal data within the European Economic Area (the "EEA"). The EEA consists of all EU member states, plus Norway, Iceland, and Liechtenstein. This means that your personal data will be fully protected under the Data Protection Legislation, GDPR, and/or to equivalent standards by law.
How long will you keep my personal data?
We will not keep your personal data for any longer than is necessary in light of the reason(s) for which it was first collected. Your data personal data will therefore be kept for the following periods:
How long we keep it
2 years in Adminbox and 7 years in the archive unless mandatory law would require us to use a longer or shorter retention period.
2 years in Adminbox and 7 years in the archive unless mandatory law would require us to use a longer or shorter retention period
Notwithstanding the other provisions of this section, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject.
Security of personal data
The security of your personal data is essential to us, and to protect your data we will take appropriate technical and organisational precautions.
We encrypt all the data we store with different keys. When you provide personal data online, we use the industry standard for encryption on the Internet – Transport Layer Security (TLS) technology – to help protect the data that you provide. This internet encryption standard scrambles data as they are transferred from your device to our server. We also use digital certificates to ensure that you are connected to authentic channels.
- Data Storage
All personal data is stored on a server. We use secured servers provided located in the European Economic Area to store the data.
- Restricted Access
Internal access to the personal data is limited on a strict ‘need-to-know’ basis. Only authorized personnel, whose activity will be monitored to prevent any misuse, will be able to access the personal data.
How can I access my personal data?
If you want to know what personal data we have about you, you can ask us for details of that personal data and for a copy of it (where any such personal data is held). This is known as a “subject access request”.
All subject access requests should be made in writing and sent to the email or postal addresses shown in section 11 (How do I exercise my rights?).
There is not normally any charge for a subject access request. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in responding.
We will respond to your subject access request within one month of receiving it. Normally, we aim to provide a complete response, including a copy of your personal data within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date we receive your request. You will be kept fully informed of our progress.
How do I exercise my rights?
To contact us about anything to do with your personal data and data protection, including to make a subject access request, please use the following details:
For the attention of the DPO:
Email address: email@example.com
Postal Address: Address: Avenue Reine Astrid 92A, 1310 La Hulpe, Belgium
Personal data of children
Adminbox is targeted at persons over the age of 18. If we have reason to believe that we hold personal data of a person under that age in our databases, we will delete that personal data
A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server. Cookies may be either "persistent" cookies or "session" cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed. Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.
Changes to this Privacy Notice
We’re constantly trying to improve the functionalities of Adminbox, so we may need to change or modify this Privacy Notice from time to time as well, for example, if the law changes, or if we change the functionalities in Adminbox in a way that affects personal data protection and privacy.
We will inform you of any such change via the Adminbox and/or other channels which we deem appropriate at least 30 days before the change becomes effective. Such information will contain the change itself and the reason why we made such change and the date when such change becomes effective. In the event that you have any questions in relation to such change, you may contact us using the details in section 11.
This Privacy Notice was last reviewed and updated on September 15th 2021.