Personal data privacy statement

This privacy statement (hereinafter referred to as “Statement”) applies to any person (hereinafter referred to as “you”) who will use the KOMON solution. It has been drawn up by KOMON in order to provide the greatest possible transparency to any person who uses the KOMON solution (hereinafter referred to as “the KOMON solution”) on which KOMON SRL processes personal data.

KOMON SRL (hereinafter referred to as “KOMON” or “we”), whose registered office is located at 13 rue des Poissonniers 1000 Brussels and which is registered with the Crossroads Bank for Enterprises under the company number 785716232, wishes to inform you by means of this Declaration why and how we collect and process your personal data on behalf of the controller, which is your employer.

KOMON acts as an intermediary between its customers (your employer) and you, the end user, by providing a tool that enables its customers, including human resources departments and accountants, to offer you multimodal mileage allowances. In these circumstances, KOMON processes your personal data for and on behalf of its customers (your employer) and will be considered a processor (see below point 1 of this Declaration).

This Statement has been drawn up pursuant to and in accordance with Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as “GDPR” ).

1. Definitions

For the purposes of this Statement, the following terms have the following meanings

Personal data: means information relating to an identified or identifiable natural person (the data subject).

Processing: means any operation (or set of operations) performed on personal data. This may include collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data subject: means a person who can be identified or identified, directly or indirectly, by personal data.
Controller: means the natural or legal person, public authority, agency or any other body which alone or jointly determines the purposes and means of the processing of personal data. In practice, your employer is the controller.

Processor: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. In practice, KOMON is the processor.

Third party: means a natural or legal person, public authority, department or body other than the data subject, the controller, the processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

GDPR: means Regulation (EU) 2016/679 of the European Parliament and of the Council of 26 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

2. Controler vs. processor

When using the KOMON solution, KOMON SRL acts as a processor, which means that it collects and processes your personal data on behalf of its customers (your employer).

Your employer, as the controller, determines the purposes and means of processing your personal data while we, as the processor, process your personal data for and on behalf of your employer, and according to his instructions.

In order to frame our relationship, we have entered into what we call a Data Processing Agreement (DPA) between KOMON SRL and your employer in accordance with the GDPR.

If you would like more information about the data controller and/or its data protection officer (hereinafter referred to as “DPO”), we encourage you to contact your employer directly.

3. Purpose of the privacy statement

This Statement applies to anyone who uses the KOMON solution at the request of your employer to facilitate the management of mileage allowances within the company.

With this Statement, we want to be as transparent as possible and inform you about how we process your personal data when using the KOMON solution; and also inform you that you can :
– retain control over the personal data we process;
– exercise your rights regarding your personal data.

Please note that this statement relates only to the processing of your personal data through the use of the KOMON solution.

If you would like more information about your employer’s processing of your personal data, we encourage you to read your employer’s privacy statement and/or request additional information directly from your employer.

4. What kind of data do we collect about you?

4.1. Personal data

Personal data means any information relating to an identified or identifiable individual. In particular, we may collect the following categories of personal data from your employer:
– identification data such as: surname, first name, gender, employee identification number, etc;
– contact data such as: your (business) e-mail address, your home address.
– information related to your role in the organisation: job title, function, category.
– information related to your mobility consumption: mobility budget(s), employment percentage, working hours, etc.

In addition, we also collect the following categories of personal data directly from you when you use the KOMON solution
– identification data such as: last name, first name,
– contact data such as: your e-mail address, your home address, your telephone number,
– financial information related to the use of the solution,
– consumption data such as information about your choice of mobility and self-reported usage data such as distances cycled.

When you request certain services from external service providers (e.g. public transport operators such as SNCB/NMBS), we may also collect the following categories of personal data directly from you
– data concerning your family composition,
– national identity registration number,
– images such as your photograph,
– your car registration number
– driving licence

This information is requested by these public transport providers in order to provide some of their services. We will only collect this personal data if it is specifically requested by the external service provider.

Finally, we would like to inform you that the KOMON solution also uses cookies which are necessary for the proper functioning of our solution.

5. Purposes of processing and legal basis

5.1. Choice of mileage allowances within your company

Your personal data will be processed in the context of your employer’s implementation of its mobility policy by :
– providing a solution that allows you to manage your mileage allowances – facilitating the management within the company of the travel allowances offered by the company
– reimbursing your expenses related to your mobility choices and needs.

This personal data is processed in order to enable your employer to execute the employment contract concluded with you.

5.2. Security and proper functioning of the KOMON solution

We also process your IP address and the information obtained via cookies installed in your browser in order to :
– improve and secure our tools (we call them “system cookies”): they allow us to store the information you provided when entering trips or other information in case a bug occurs. In this situation, we will process these cookies on the basis of our legitimate interest in providing each user with an enhanced experience;
– to make the tools work properly (we call them “necessary cookies”). We will process these cookies on the basis of our legitimate interest, which is to enable the tool to function properly.

5.3. Analytical purpose

Depending on what has been agreed with your employer, we may carry out analytical studies of the mobility choices implemented within your company based on your employer’s legitimate interest in better understanding and managing the mobility options chosen by its employees. This particular processing will only be carried out on anonymous data and may be used with third parties outside your company.

5.4. Archiving purposes

Finally, we may also retain your personal data if we have a legal obligation to do so, including for tax or commercial archiving purposes. The retention period is a maximum of 5 years.

6. Is this personal data necessary? What are the consequences of not providing it?

Depending on the service you request, personal data may be necessary to provide our service and/or to facilitate the provision of services by external providers (e.g. Dott, Felyx, etc.).

If you do not provide this personal data, we will not be able to facilitate the management of your travel expenses by your employer.

7. With whom do we share your data?

Your personal data will only be processed for the purposes mentioned in point 5 of this statement. Thus, it will be transmitted to your employer, in particular to the HR, fleet and mobility, payroll, finance and expenses departments of your company, and to third parties for analysis purposes.

Depending on the structure of your company, these services may be outsourced. In such a situation and depending on what has been agreed with your employer, we may pass your personal data directly to this external service provider (e.g. social secretariat, accountant).

In addition, we also share your personal data with the service provider you choose for your mobility when using the KOMON solution.

Finally, we only share your information if :
– your employer requests and/or agrees,
– it is necessary for us to comply with a legal obligation.

8. Is your personal data transferred outside the EU or EEA?

The personal data we process will not be transferred outside the European Union (EU) or the European Economic Area (EEA).

However, in any event, should this change, we will ensure that minimum legal requirements and security standards are met at all times. If we suspect that your personal data will be stored and processed outside the EU, we will explicitly inform you and your employer and ensure that the same level of protection is used as that applicable within the EU.

External service providers may store personal data outside the EU or EEA. If this is the case, we will inform you when you request activation of the service. You will have the opportunity to cancel the request.

9. How long will your personal data be kept?

We do not keep your personal data longer than is necessary to achieve the purposes mentioned in point 5 of this statement.
Since the need to retain personal data depends on the type of personal data concerned and the purpose of the processing, retention periods may vary considerably.

Below are the criteria we use to define retention periods:
∙ have we defined a specific retention period with your employer?
∙ have we defined and announced a certain retention period?
∙ are we subject to a legal retention/archiving obligation, contractual obligation or equivalent?

Regarding cookies, they are retained, starting from the last active session, for a fortnight.

We will delete your personal data when it is no longer required for the above purposes.

If there is personal data that we cannot, for technical reasons, delete completely from our systems, we will put in place appropriate measures to secure it by anonymising it and/or preventing any further processing or use of the data.

10. How is your personal data protected?

We have implemented generally accepted technological and operational security standards to protect personal data from loss, misuse, alteration or unauthorised destruction.

We require all of our staff, including employees, principals and freelancers, to maintain the confidentiality of personal data and only authorised staff members have access to your personal data on a “need to know” basis.

Furthermore, we only use suppliers who offer sufficient guarantees to implement adequate technical and organisational measures for the protection of personal data.

With regard to the security measures implemented by your employer, we invite you to read the privacy policy of your employer and/or to contact your employer directly.

11. What are your rights with regard to your personal data? Below is an overview of your rights as a data subject.

However, we would like to point out that these rights are not absolute and may be subject to conditions.

Right of access to your personal data
You have the right to access and view your personal data processed by us at any time. In this context, we will provide you with a copy of your personal data free of charge.

Right to rectify your personal data
You have the right at any time to have incorrect, incomplete, inappropriate or outdated personal data deleted, supplemented or corrected.

Right to erase of your personal data
You have the right to have your personal data deleted. However, we may retain personal data if it is required for evidential purposes.

Right to object to certain processing
You have the right to object to processing at any time on grounds relating to your particular circumstances. We and, where applicable, the controller, will cease processing your personal data immediately, unless there are compelling legitimate grounds for the processing which override your interests, rights and freedoms or which relate to the establishment, exercise or defence of legal claims.

Right to restrict certain processing
You have the right to restrict the processing of your personal data if:
∙ you contest the accuracy of the personal data, for a period of time that allows you to verify whether said data is accurate;
∙ if the processing is unlawful and you object to the erasure of your personal data, requesting that their use be limited instead;
∙ we and, where applicable, the controller no longer need your personal data for the purposes of the processing, but you still need it for the establishment, exercise or defence of legal claims;
∙ you have objected to a processing operation, pending the answer to the question of whether such objection is justified.

Right to transfer personal data
You have the right to request that the personal data you have personally provided to us – in a structured, commonly used and digital form – be transferred to you so that you can store them for your (re)use, or to pass on such personal data directly to another data controller, insofar as it is technically possible for us to do so.

However, data protection legislation provides for a number of restrictions to this right, which means that it does not apply to all your personal data.

Right to lodge a complaint with the supervisory authority
If you believe that the processing of your personal data does not comply with data protection legislation, you can lodge a complaint with the national data protection authority (e.g. the Belgian data protection authority in Belgium, the CNIL in France, etc.).

Right to manage cookies
Regardless of the type of cookies placed on your browser, you have the possibility to manage them at any time by using the following procedure.

However, we would like to draw your attention to the fact that by modifying the settings of these cookies (for example: by refusing cookies), your navigation on the KOMON solution may be affected.

There are several ways to manage cookies, which are explained below. Through the browser you are using, you can :
– see what types of cookies are present on your computer’s hardware and delete them;
– block third-party cookies
– block cookies from certain websites
– block the installation of all cookies
– delete all cookies when you close your browser.

To understand how to do this in practice, as each browser may have a different procedure, we invite you to visit the dedicated pages on the browsers’ websites:
– Internet Explorer, Mozilla Firefox,
– Chrome, Safari.

11. How to exercise your rights?

To exercise the above rights, you should make a request directly to your employer who, where appropriate, will ask us to respond.

When exercising your right(s), we ask you to clearly indicate the right you wish to exercise, the processing operation(s) you object to and/or wish to restrict and the personal data you wish to delete/complete/modify.

Always be as specific as possible if you wish to exercise your rights, so that we can do what is necessary.

These requests are free of charge, except where the request is manifestly unfounded or excessive (such as in the case of a repeated request).

For any additional copies requested, we may also charge a reasonable fee based on the administrative costs associated with processing the request.

Your request will be processed within one month. This period may be extended by two months, taking into account factors such as complexity and the number of requests. If the deadline is extended, you will be informed of the extension and the reasons for it.

12. How to submit questions or complaints?

If you have a question or complaint about our processing of personal data or this Statement, you can contact us by the following means:
∙ by email: privacy@komon.co ;
∙ in writing to the following postal address:

KOMON SRL at “Spaces Stock Exchange”
13 Rue des Poissonniers,
1000 – Brussels (Belgium)

In addition, we ask you to send a copy of this request to your employer if you consider it necessary.

We are committed to cooperating with you to obtain a fair resolution of any complaint or concern about privacy. However, if you feel that we or your employer have been unable to assist you in resolving your complaint or concern, you have the right to lodge a complaint with the data protection authority of the country in which you live using their website.

13. Changes to this Statement

We may amend or supplement this Statement as we deem necessary.

If material changes are made to this Statement, the date on which it is amended will be adjusted and we will also notify you and provide you with a copy of the amended Statement.

We also encourage you to periodically review this Statement, posted on the KOMON solution, to learn how we handle and protect your personal data.