This website is owned and operated by the European FinTech Association a.s.b.l., Rue Washington 40, 1050 Brussels, Belgium (hereinafter, “EFA”, “we”, “our”, “us”, or the “Association”). The Association takes personal data protection very seriously and makes sure to comply with Regulation (EU) 2016/679 on the protection of personal data (the “GDPR”) and any other applicable national law or regulation regarding the processing of personal data or the protection of privacy.
This policy relates to situations where we act as data controller, i.e. situations where we solely and autonomously determine the purposes and means of the processing of your personal data.
If you have been referred to this policy, it is to make you aware of data protection practices and policies implemented by the EFA as data controller and to inform you of your rights.
In case you have any questions or queries as to how we use personal data, please contact email@example.com.
1. Who we are – Controller
The controller responsible for the collection and processing of your personal data in accordance with the GDPR is:
European FinTech Association a.s.b.l.
Rue Washington 40,
EFA is a non-profit association, with the mandate to foster cooperation and dialogue between FinTech companies with cross-border and international activities within the European Union; speak with one voice for the FinTech sector; and advocate and represent the interests of its members at the political policy level, in particular in relation to the EU institutions and other European regulatory bodies. The Association is composed of two categories of members, namely full members (hereinafter referred to as “Members”) and sponsor members (hereinafter referred to as “Sponsors”).
This policy mainly relates to the processing of personal data of:
individual natural persons designated by EFA Members and Sponsors to be their representatives;
people employed by or representing contractual partners;
people who have expressed an interest in the EFA and its activities (e.g. by membership applications, or registering for one of our events or newsletters); and
people with whom the EFA engages, in the framework of its purpose and activities.
3. Type of personal data processed and purpose of processing
Personal data is any information relating to an identified or identifiable natural person. Personal data includes, e.g., name, email address or telephone number.
In the conduct of its activities, the EFA may process certain personal data. We describe below the categories of data that we process. The data can be either provided directly by yourself or potentially gathered from other sources. Nevertheless, our policy is to only collect, use and/or process personal data if this is permitted by law or if you consent to the data processing.
If you are working for a Member or Sponsor of the EFA and you represent that Member or Sponsor within the EFA, we will collect the following information about you: first name, last name, e-mail, work address, position, phone number (fixed and/or mobile). Depending on agreed activities, we may also collect from you: passport/ID details, travel details, academic record/qualifications, biographical information, dietary requirements/allergies. This is done for the purpose of providing you a service (Art. 6 (1) b. GDPR) or for the purpose of our legitimate interests (Art. 6 (1) f. GDPR).
If you contacted or have been contacted by the EFA in the framework of our interest representation activities (e.g. local/national, European, international public servant, national or European parliamentarians and their assistants, interest representatives), we will collect: first name, last name, position, professional email, work address, and other work-related details. Such contacts aim to foster a dialogue between authorities, stakeholders and the FinTech sector on national, EU or international policy and regulatory issues. This is done for the purpose of processing your enquiry (Art. 6 (1) b. GDPR) or for the purpose of our legitimate interests (Art. 6 (1) f. GDPR).
If you sign up for one of our email communications, we will collect and process your personal data to follow up on your request and handle any feedback or query from you. We will collect your first name, last name, organisation, position and e-mail address. This is done on the basis of your consent (Art. 6 (1) a. GDPR) or for the purpose of processing your enquiry (Art. 6 (1) b. GDPR). You can unsubscribe at any time by using the ‘unsubscribe button’ in the email or by sending an email to the originator.
If you attend events organised by the EFA, we will keep a record of your participation. If you are a participant, we will collect your name, position, organisation and professional contact details provided voluntarily for the purposes of the event. With your consent, we may use that information to keep you informed of future events. If you are a speaker, we may additionally collect your bio and picture or other information you volunteer as a speaker. The participants list (name, surname, organisation) is usually made available at the venue. This is done for the purpose of our legitimate interests (Art. 6 (1) f. GDPR).
If you represent/work for a company having a business or contractual relationship with the EFA (e.g. service supplier), we will collect your name and professional contact details for the purposes of the business relation or contract, general administrative management, compliance with laws and regulations; and the protection of our rights. This is done for the purpose of providing you a service (Art. 6 (1) b. GDPR), and/or for the purpose of fulfilling our legal obligation (Art. 6 (1) c. GDPR).
When you visit our website, an information exchange occurs between you and us. We automatically collect the so-called “server-log-files” that your browser transfers to us. Also, our website sends cookies to you. Cookies are small text files with information which are stored on your access device. Our website uses the following types of cookies:
Transient cookies: These are automatically deleted when you close the browser. Transient cookies store your session ID, with which various requests from your browser can be assigned to the common session. This will allow your computer to be recognised when you return to our website. The session cookies are deleted when you log out or close the browser.
Persistent cookies: These are only deleted after a specified period of time, which may differ depending on the cookie. You can delete the cookies in the security settings of your browser at any time. Please be aware that you may not be able to use all features of this site, when deleting the cookies from your browser history. The setting of cookies can be prevented by appropriate settings in the user’s Internet browser at any time.
We collect the following data: type/version of the browser; system software used; referrer URL; hostname of the device; and time of the server request. If you are using a mobile device, the following data are collected additionally through the website: country code; language; hostname of the device; and name and version of the operating system.
We use these data to improve your browsing experience, and for statistical analysis for the purpose of operation, security and optimization of our website. However, we reserve the right to check these data retrospectively if there is a justified suspicion of illegal use based on concrete indications. These data are then stored because this is the only way to prevent the misuse of our website and, if necessary, allow us to investigate any crimes committed. The storage of these data is necessary in order to protect us as the entity responsible for processing the data. As a matter of principle, these data will not be passed on to third parties unless there is a legal obligation to pass it on or the transfer of data serves criminal prosecution purposes.
This data processing is done for the purpose of our legitimate interests (Art. 6 (1) f. GDPR).
4. On which legal basis and for what purposes does the EFA process your data?
We always process your personal data within the boundaries of the legal bases laid down under applicable law. We also make sure to limit the processing of your personal data to what is strictly necessary for the achievement and performance of these purposes.
When we process your personal data for specific purposes beyond the usual interactions with EFA Member/Sponsor representatives, civil servants, politicians, interest representatives and our institutional communication, we strive to rely on your consent to put you in control of your personal data.
Your prior informed, explicit consent will be requested for registering to the EFA’s communications. Your consent will also be sought in case your presentation or speech is filmed or if your portrait is photographed at events that we organise. You always have the right to withdraw your consent at any time by contacting the event organiser/email initiator or by sending an email to privacy[@]eufintechs.com.
Performance of legal, statutory or contractual duties
We may process your personal data where this is necessary for the performance of our legal/statutory duties or the performance of our contractual obligation towards you. In such a case, we limit the processing of your personal data to the extent of what is strictly necessary.
If a person applies to represent his/her organisation in an EFA governance body or structure, the EFA may process personal data of the Member/Sponsor representative for the functioning in its governance bodies, such as administration, management, voting procedures and related, following the EFA Statutes, by-laws and internal rules, and the Belgian Code on Companies and Associations of 23 March 2019.
We also process Member and/or Sponsor representatives’ personal data to ensure the respective Member/Sponsor enjoys the rights granted by the EFA Statutes, by-laws, and internal rules (i.e. access to EFA working structures and information).
Legitimate interests of the EFA
The EFA may also process personal data for other purposes, falling under the achievement and the realisation of its legitimate interests, e.g.:
to contact policy-makers, stakeholders and journalists on legislative issues, and communicate the position of the EFA on policy issues;
to manage the communication and updates to EFA’s Member or Sponsor individuals (news, updates, activities) not falling under the abovementioned communications;
to publish newsletters and website stories;
to draft and publish the EFA’s reports;
to ensure an effective relationship between the Association and its Members/Sponsors.
In such a case, however, the EFA strives to maintain a fair balance between the need to process your data and the preservation of your rights and freedoms, including the protection of your privacy.
5. With whom and how do we share your data?
Beyond the usual interactions with EFA Member/Sponsor representatives, civil servants, politicians and interest representatives, your personal data will not be shared with third parties without your express prior consent – except in the following two situations:
We sometimes rely on contractually bound third-party companies and external service providers to provide our services. These service providers may need to process personal data to perform their contractual obligations. When this is the case, processors are permitted to use the data only for the purposes and duration specified by us. Furthermore, they are contractually obligated to handle your data exclusively in line with the applicable data protection laws.
We may use service providers for the following:
distribution of newsletters, the execution of surveys;
website or data hosting/maintenance;
advice/support on public relations and affairs;
study research, statistics, scientific studies, etc.;
logistics service providers, for sending you materials relating to EFA activities;
payment service providers for the purpose of processing all payments from you to us or vice versa; and
IT service providers for the provision of hardware and software and for the implementation of maintenance work.
Data is disclosed to processors based on Article 28(1) of the GDPR or, alternatively, on the basis of our legitimate interests in the economic and technical advantages associated with the use of specialised processors and on the basis of circumstances in which your rights and interests in the protection of your personal data are not overridden (see point (f) of Article 6(1) of the GDPR).
For prosecution reasons
Where required to investigate the unlawful use of our services or for the purposes of prosecution, personal data will be disclosed to the relevant law enforcement authorities and, where applicable, to any third-party claimants. However, such a course of action will only take place if there is concrete evidence of unlawful conduct or misuse. In such cases, your data may also be shared if doing so is required for the fulfilment of terms and conditions of use or other agreements. If requested, we are also legally obligated to disclose such data to certain public authorities, such as law enforcement bodies, authorities that penalise offences with financial penalties, and financial authorities.
In these cases, data is disclosed on the basis of our legitimate interest in combating misuse, aiding the prosecution of criminal offences, and aiding the establishment, assertion and enforcement of claims, in line with points (c) and (f) of Article 6(1) of the GDPR.
6. Automated Decision Making (“Profiling”)
Profiling means any automated processing of personal data consisting in the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to the performance of work, economic situation, health, personal preferences, interests, reliability, behaviour, location or relocation of that natural person. Examples of such profiling include the analysis of data (e.g. based on statistical methods) with the aim of displaying personalized advertising to the user or giving shopping tips.
We do not process any data via “profiling” or in the form of automated decision making.
7. What are your rights?
Access, rectification, erasure, portability and objection rights
For all the purposes defined above, and subject to applicable data protection laws, you have the following rights:
the right to obtain from us, at any time, access to the personal data that we hold about you, which includes the right to ask us: whether we process your personal data; for what purposes; the categories of data; and the recipients with whom the data are shared;
the right to receive your personal data, which you have provided to us, in a structured, current and machine-readable format or to request the transmission to another controller;
the right to ask us to update and correct any out-of-date or incorrect personal data that we hold about you;
the right to withdraw your consent where such consent has been given;
the right to erasure within the limits afforded by data protection legislation;
the right to object to the processing of your personal data, within the limits afforded by data protection legislation;
the right to data portability within the limits afforded by data protection legislation.
How to exercise those rights?
You may at any time exercise the above-mentioned rights in accordance with data protection regulations, by sending a request with a copy of your ID card (passport or other proof of identity) to firstname.lastname@example.org or in writing to Rue Washington 40, 1050 Brussels, and subject to complying with our reasonable requests to verify your identity.
Right to lodge a complaint
You can also lodge a complaint with the Belgian Data Protection Authority either by post at rue de la Presse 35, 1000 Brussels; by e-mail at email@example.com; by phone at +32 2 274 48 00 or first-line assistance at +32 2 274 48 78.
8. How long do we keep your personal data?
We will not store your personal data beyond the time necessary for the performance of the purposes for which the data is processed. Specifically, we distinguish between a retention period and an archiving period:
The retention period is the maximum period of use of your personal data for specific purposes:
the data processed for the execution of the contractual relationship or the performance of a legal duty is kept for the entire duration of the contract, or as long as the legal duty applies, and for the prescription period upon termination of the contract or of the legal obligation;
the data processed for other purposes may be retained for a longer period during which we will reassess the need to keep this data and pseudonymize the data where it does not affect the realisation of the purposes.
The archiving period meets our legal obligation as well as the legal need to retain your data beyond the retention period for evidentiary purposes or to respond to requests for information from the competent authorities.
9. How do we protect your personal data?
We take appropriate technical and organisational measures to safeguard and protect your personal data against unauthorised or unlawful processing and against accidental destruction, loss, access, misuse, damage and any other unlawful forms of processing of the personal data in our possession.
10. Changes to this Policy
11. How to contact us?
Last updated in May 2020.