General terms and conditions

Agilitas Group securely and confidentially processes the personal data collected on all freelance employees and freelance employee candidates, collectively referred to as “employee(s)” in this privacy policy. Agilitas Group is committed to strictly complying with all data protection regulations regarding the collection and processing of freelance employees' personal data. This policy outlines the types of personal data processed by Agilitas Group, the legal basis and purpose for processing, and how data is protected. The policy also includes a description of freelance employees' rights regarding data processing and the rules governing data access (i.e., who can view the personal data?).

This policy specifically addresses the protection of personal data in the context of personnel files and payroll information. It applies to all freelance employees engaged under an employment contract, as well as to individuals who:

Are no longer employed but whose data must legally be retained for a specified period;
Are in contact with the employer as part of an ongoing recruitment process.

When referring to “employee(s)” in this policy, these two groups are included.

1. Who to Contact with Questions?

Agilitas Group NV/SA, registered in the Crossroads Bank for Enterprises under number (VAT BE) 0478.971.449, with its headquarters located at Stationsstraat 120, 2800 Mechelen, is the data controller for personal data. As the data controller, Agilitas Group affirms its adherence to Belgian privacy laws and the General Data Protection Regulation (GDPR) upon its implementation.

2. What constitutes Personal Data?

Under the GDPR, personal data is defined as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.”

Where this Privacy Policy refers to personal data, it aligns with the above GDPR definition.

In principle, Agilitas Group does not process special categories of personal data unless required for employment contract purposes. “Special categories of personal data” include data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as data related to genetic or biometric identifiers, health status, or sexual orientation.

3. What data is processed?

A. Types of personal data

Agilitas Group collects and processes various types of personal data about its freelance employees. This data primarily includes information necessary for compliance with legal, regulatory, or contractual obligations related to personnel management. Such data typically includes:

Employment status and compliance with labor, social, and tax laws;
Attendance, absence records, and corresponding interpretations;
Salary details, including amount, payment, and progression;
Other legal, regulatory, and contractual personnel administration requirements, such as workplace injury insurance, occupational medicine, and medical assessments related to work incapacity.

Additionally, in the execution of the employment contract and legal or regulatory obligations, data processed may include categories like:

Identification details (name, address, national registration number, ID number)
Nationality (for work permit requirements)
Financial information (bank account number)
Personal characteristics (age, gender, marital status, work permit, certificate of good conduct)
Household composition (dependents, children’s birth dates)
Professional information (resume, cover letters, interview notes, job description)
Salary and payroll records
Work hours and schedules
Performance agreements and objectives
Evaluation and assessment information
Skills necessary or to be acquired
Physical characteristics (e.g., height, weight, if necessary for work attire)
Certain habits or preferences (e.g., travel requirements, honors, accident information)
Housing details (only if housing is provided by the employer)
Training records (e.g., completed, scheduled, or required training)
Judicial data (if legally relevant to the employment contract, such as garnishment of wages)
Political, philosophical, or religious beliefs (only for cases like special leave for religious events or political holidays)
Health insurance affiliation (workplace accident cases)
Career planning information
Emergency contact details

This list aims to be exhaustive but does not imply that all data listed will be processed.

B. Personal Information Provision

Employees are expected to provide all relevant information required by the employer. Upon hiring or the introduction of new measures, the employee must submit all necessary information to fulfill legal formalities, whether in the field of social legislation or for granting, suspending, or ceasing entitlement to benefits.

The employer reserves the right to request copies of diplomas and/or certificates when relevant to the employee's job function. The employer will handle this information with the appropriate privacy considerations.

Employees must promptly inform the employer of any changes in their personal information (e.g., address, marital status, family responsibilities), either online, in writing, or via email. Employees are responsible for any consequences arising from delays or failure to report changes, including repayment of unduly received benefits or allowances.

C. Collection of Personal Data from Third Parties

In accordance with Annex 4 of the Decree of the Flemish Government implementing the private employment placement decree, no references or data will be requested from current or previous employers without the prior, explicit consent of the employee.

If data is collected from third parties, the employee will be informed, and explicit consent will be obtained. Consent will be given by signing a statement specifying the identity of the employee, the third party providing the data, the nature of the requested data, the reason for data collection, and the consent period.

The employee is aware that explicit mention of a reference in their CV implies implicit consent.

D. Protection of Personal Data

Some data is processed solely to provide an advantage to the employee. "Sensitive data" may be processed when necessary to exercise labor law rights and obligations.

(Article 9 of the General Data Protection Regulation, Article 8 of the Act of 8 December 1992, Articles 25-27 of the Royal Decree of 13 February 2001)

For example, “health insurance affiliation” may be processed to serve a legitimate interest of the data subject if it provides a tangible benefit, provided the data subject does not object to this processing.

(Articles 25-27 of the Royal Decree of 13 February 2001)

E. Processing of Personal Data

The employer may obtain personal data both directly from the employee and from other information sources. If data is not obtained directly from the employee, they will be notified within a reasonable period.

The processing of this data complies with the Act of 8 December 1992 on the protection of privacy concerning the processing of personal data, and Regulation (EU) 2016/679 of 27 April 2016 on the protection of individuals concerning the processing of personal data and the free movement of such data.

The data controller is the employer, who ensures that data is processed with the necessary care.

Further information regarding employee rights in relation to this processing and data protection measures is provided below.

4. Why is personal data processed and what is the legal basis for this processing?

A. General

The personal data collected and processed is intended for storage and use by Agilitas Group and its affiliated companies, such as Ergoflex, in their recognized role as employment agencies. This includes recruitment, selection, employee placement, and activity as a recognized service company.

Employee personal data is processed:

in compliance with laws, regulations, and directives at regional, federal, and international levels regarding labor law, social security, tax law, as well as collective labor agreements, individual employment contracts, and workplace policies;
as part of the employment contract;
based on a legitimate interest of the data controller or a third party.

To manage personnel records and payroll, a substantial amount of personal data is processed as required by laws, regulations, and directives concerning labor law, social security, tax law, collective labor agreements, individual employment contracts, and workplace policies. When applicable, the purposes will be clearly specified and communicated to the employee.

Personal data is primarily used for payroll management, possibly with the support of a social secretariat, and for personnel administration. It includes mainly information listed in the annual individual account. Marital status and dependent children are required for tax and social calculations, while nationality is checked and processed to ensure compliance with employment authorization requirements.

CVs, cover letters, interview notes, and evaluation forms are processed as a legitimate interest during the recruitment process. Personal data derived from employee evaluations or monitoring is also processed under the employment contract. If used for other purposes, the employee will be notified promptly in accordance with legal requirements. Photos and videos are collected and processed for internal communication purposes, but only with prior consent.

A contact person’s name is collected to reach a family member or close relative in case of an emergency, with the legal basis being the protection of the employee’s vital interests.

Additional data may be processed due to a legal obligation placed on the employer, or when necessary and reasonable to protect the interests of the data controller (employer) or a third party. The employer will inform the employee of such processing promptly, if applicable.

In certain cases, the processing of personal data is based on the employee's explicit consent.

This data will only be used for personnel management or payroll administration. If used for other purposes, the employee will be notified promptly in accordance with legal requirements.

B. Specific situations

In certain specific situations, additional data, beyond the information listed above, is processed:

Camera surveillance:
- Legal basis:
  - □ Contractual basis
  - □ Legitimate interest
- Purposes:
  - □ Safety and health
  - □ Protection of company assets
  - □ Monitoring production processes
  - □ Performance monitoring of an employee
- Retention period: 1 month
Email and internet monitoring:
- Legal basis:
  - □ Contractual basis
  - □ Legitimate interest
- Purposes:
  - □ Prevention of illegal, defamatory, immoral acts, or actions affecting the dignity of others
  - □ Protection of confidential commercial, economic, and financial interests and adverse interests
  - □ Ensuring technical and network security, physical protection of the company
  - □ Adherence to good-faith rules on the use of company technology
  - □ Monitoring production processes
- Retention period: 3 years
Employee photos:
- Legal basis:
  - □ Legitimate interest
  - □ Contractual basis
- Purposes:
  - □ Promotion
  - □ Communication
- Retention period: 10 years
Timekeeping:
- Legal basis:
  - □ Contractual basis
  - □ Legal obligation
  - □ Legitimate interest
- Purposes:
  - □ Accurate remuneration
  - □ Building security
  - □ Access to utility facilities
- Retention period: 5 years

5. Employee Rights in the Processing of Personal Data

A. Personal Data Processing by Clients

Agilitas Group clients may process personal data of freelance employees. This data processing is governed by the client’s privacy policy.

B. Right of Access and Copy

Employees have the right to access the personal data the employer processes about them, the reasons for processing, the source of data, and who receives it. They may also inquire about the intended retention period, whether the data is used for automated decision-making, and if the employer plans to transfer data outside the European Union. Requests to exercise this right can be made in writing or electronically via privacy@agilitasgroup.be.

The employer provides the requested information in writing or electronically within a reasonable timeframe. Upon the employee’s request, information can be provided verbally, provided the employee’s identity is verified by other means.

Employees are also entitled to a copy of the personal data processed. If the request is made electronically, the information is provided in electronic format unless otherwise requested by the employee.

If pay slips are made available electronically, employees may access these data at any time.

C. Right to Rectification

Employees may request to correct or complete inaccurate personal data. The employer commits to fulfilling this request as quickly as possible.

D. Right to Erasure

Employees have the right to request the deletion of personal data concerning them. The employer will comply with this request within a reasonable timeframe in cases such as:

Personal data is no longer needed for the purposes it was collected or processed.
Processing was based solely on the employee’s consent, which has been withdrawn.
The employee objects to the processing for legitimate reasons.
The employer lacks a legal basis for processing the data.

This erasure request may only be refused by the employer when justified, such as in the exercise or defense of legal rights or due to a legal obligation to retain certain data. The employee cannot oppose the processing of data necessary for payroll administration.

E. Right to Restrict Personal Data

Employees may request the restriction of their personal data processing if they dispute the accuracy of the data, if the processing is unlawful, or if the employer no longer needs the data for processing purposes. The data may then only be processed in the following cases:

With the employee’s consent.
For legal claims or to protect others’ rights.

F. Right to Object

Employees have the right to object to the processing of their personal data, including profiling based on such processing. Processing will then cease, unless it is necessary to comply with social and tax laws, to protect the employer’s or a third party's interests, or in the context of legal rights.

G. Right to Data Portability

Employees may request that the employer provide their personal data in a structured, commonly used, and machine-readable format for any processing based on explicit consent or employment contracts. Furthermore, they may transfer this data to another employer or data controller.

H. Right to Complain

Employees may file a complaint regarding personal data processing with the relevant authority in the member state of their usual residence, workplace, or where the alleged infringement occurred.

In Belgium, complaints can be filed with the Belgian Data Protection Authority: Rue de la Presse 35, 1000 Brussels (Tel: +32 22744800; Fax: +32 22744835, email: commission@privacycommission.be).

Employees may also bring a civil action and claim damages if they suffer harm due to the processing of their personal data.

I. Right to Withdraw Consent

When personal data processing is based on the employee’s consent, they may withdraw this consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

6. Personal Data Security and Safeguards

A. Security of Personal Data

The employer implements technical and organizational security measures to protect personal data processing, specifically to prevent destruction, loss, forgery, alteration, unauthorized access, or inadvertent disclosure to third parties, as well as any other unauthorized processing. Security measures include high-tech tools and trained personnel bound by professional confidentiality.

Technical measures include:

Antivirus, firewalls, and regular password updates.
No unsecured hard drives or unprotected backups.
Data access and encrypted data transmission security.
Secure hard drives restricted to designated teams or individuals.

Organizational measures include:

Clearly defined personnel access.
Incident management procedures.
Privacy policies for employees and collaborators.
Employee and collaborator training on data privacy.
Privacy clauses and designated application portals for personal data processing determinations.
Offboarding procedures for departing staff.

If documents are electronically transmitted or stored (e.g., pay slips), this is managed by the social secretariat under strict security standards.

In the case of data transfers outside the European Union, appropriate safeguards will be taken, or the employee’s consent will be requested.

B. Data Controller and Data Protection Officer

The data controller (employer) ensures the accuracy and relevance of processed personal data, ensuring compliance with applicable regulations.

Employees may contact the data controller or their representative at any time to exercise their rights or request further information. Where applicable, the Data Protection Officer will oversee compliance with personal data protection.

7. Retention Period for Personal Data

Freelance employee data are retained for three years after first registration. Upon the three-year expiry, employees are re-contacted for consent to remain in the database.

Personal data of freelance employees who have worked with Agilitas Group are retained for five years following the end of the last contract. At the end of this period, employees are re-contacted for consent to remain in the database, notwithstanding legal, regulatory, or contractual provisions that mandate longer retention, for instance, for legal claims.

8. Who can Access Personal Data?

A. Data Access

Only authorized employer personnel and designated company representatives are allowed internal data access, strictly limited to the needs of their role or service requirements. The company maintains a restricted access system and appropriate security level.

B. (Categories of) Individuals to Whom Personal Data is Disclosed (External Communications)

Employee personal data are shared with companies within Agilitas Group and associated company Ergoflex. External data sharing is limited to legal and regulatory requirements or essential personnel and payroll management functions, such as public authorities, social security organizations, and cooperating social security institutions or temporary staffing functions.

Personal data may also be shared with specific third parties:

Payroll information is shared with our social secretariat, Acerta, and the relevant authorities based on legal obligations.
Information necessary for meal or eco vouchers is shared with Edenred.
Name, address, and job title are provided to Attentia Prevention & Protection for occupational health services.
Data such as name, address, job title, and bank account number are shared with Isabel for salary payments.
Name, first name, and CV may be made available via the candidate database to potential freelance employers.

The employee’s personnel file may be shared with an audit office for quality label certification within the professional federation.

In exceptional circumstances, personal data is shared with third parties for task execution, including accountants, consultants, and lawyers, for fiscal or legal support, and service providers. Contracts with these subcontractors ensure the employee’s personal data remains protected and secure.

Personal data will not be sold, rented, shared, or commercially exploited, except as described above or with prior consent.

The employer may be required to disclose personal data by court order or in compliance with other binding laws or regulations.

9. When does this policy take effect?

This policy takes effect on May 25, 2018.

Protection of Personal Data for Freelance Workers