AFC Benelux is a Luxembourg Société à responsabilité limitée (limited liability company) that offers its services in four fields (accounting, tax, human resources and financial engineering) for clients operating in Belgium and Luxembourg.
As a trust company, we are responsible for the processing of a large amount of data, including personal data.
The personal data that we process may relate to you as a client of AFC Benelux, as a representative of one of our clients, as a beneficial owner, temporary worker, intern, student, potential candidate, employee, supplier, subcontractor or service provider of AFC Benelux, or as a direct business partner or business partner of our clients (if you are a supplier, subcontractor or client of our client, for example).
Our company, which is keen to protect your personal data and relationships with our clients, subcontractors, suppliers and partners (hereinafter the “third parties”), strives to process your personal data in a transparent manner. AFC Benelux attaches great importance to collecting and processing your personal data both securely and confidentially in order to protect it against losses, breaches, errors and unauthorised access or processing.
This declaration addresses your legal rights and obligations as a third party and explains how your personal data is collected and processed.
We would ask that you read this notice carefully, as it contains important information about the way in which we process your personal data and the reasons for us doing so.
By sharing your personal data with us, you expressly confirm that you have read this notice and the conditions and limits set out herein, and you expressly accept the content and agree to the processing itself.
- Personal data: any information concerning an identified or identifiable natural person (e.g. name, email address, postal address, telephone number, etc.).
- Processing: any action performed in respect of the personal data (collection, recording, storage, destruction, erasure, etc.).
- Controller: natural person or legal entity determining the purposes and means of processing.
- Processor: natural person or legal entity that processes data on behalf of the controller.
- Legitimate interest: the legitimate interest of the controller is defined as the wider aim sought by the controller or the benefit derived from the processing. An interest may be considered legitimate when the controller is able to pursue this interest while complying with data protection legislation and other legislation. In the case of processing as part of a client relationship, when personal data is processed for direct marketing purposes, to prevent fraud or to ensure the security of the network and IT system information, companies can have a legitimate interest in using their clients’ personal data.
This data protection notice concerns all services provided and all activities carried out by AFC Benelux. This notice applies for our existing and future clients (as well as their suppliers and our clients’ clients, where applicable), representatives of our clients, beneficial owners, our subcontractors, partners, suppliers and service providers.
III. Our company
The name of our company is AFC Benelux S.à r.l.
Our company is entered in the Trade and Companies Register of the Grand Duchy of Luxembourg under number B 60.162.
Its registered office is located at 1, rue de Steinfort, L-8371 Hobscheid, Grand Duchy of Luxembourg.
IV. Controller and processor
The controller is “AFC Benelux S.à r.l.”.
As a controller, our company must comply with the legal requirements governing the processing of data for the purposes determined by it. It is responsible for processing personal data, particularly for its natural person or sole trader clients, when it acts as the domiciliation agent and when it is appointed as a director/manager, auditor and liquidator. It shall also act as controller when fulfilling its obligations in respect of the fight against money laundering and terrorist financing, and as part of its internal obligations towards its own staff. Finally, given Opinion 1/2010 of the Article 29 Data Protection Working Party, it shall act as controller for all missions on the basis of general instructions from the client when it is granted clear autonomy in exercising and executing its mission insofar as it determines the essential means of the processing of data in order to achieve the specified purposes.
AFC Benelux also assumes the role of processor. In this regard, AFC Benelux complies with the provisions of article 28 of the Regulation on the protection of personal data and only processes personal data on documented instructions from the controller, including as regards transfers of personal data. AFC Benelux takes into account the nature of the processing, and assists the controller via appropriate technical and organisational measures, insofar as possible, to fulfil its obligation to respond to requests issued by data subjects seeking to exercise their rights.
AFC Benelux ensures that the persons authorised to process personal data are committed to respecting confidentiality or are subject to an appropriate statutory obligation of confidentiality.
V. Data Protection Officer
The company has appointed Mr Yves Mertz as Data Protection Officer (hereinafter “DPO”). For any questions regarding the protection of your personal data, please contact our DPO either by post at the address shown above or by email (contact: firstname.lastname@example.org).
VI. Personal data
Depending on your activities and your relationship with our company, you may send us the following data on an ad-hoc basis:
In addition to the name of the company, its address, VAT number and bank account details, some data about your contact person or colleagues will be processed: surname, first name, title, sex, language, date of birth, address, telephone number, email address, etc.
Data – natural persons
Depending on the processing required: surname, first name, title, postal address, address, telephone number, email address, bank account number, etc.; as well as data such as: sex, language, date of birth, household composition and family identification details, data on training and any experience and/or professional qualifications, etc.
AFC Benelux processes personal data supplied by data subjects or by their relatives.
AFC Benelux also processes personal data that was not supplied by the data subject, such as personal data sent by the client regarding their employees, directors, clients, suppliers and even shareholders.
Personal data may also come from public sources including, but not limited to, Luxembourg Business Registers (including the Luxembourg Trade and Companies Register and the Recueil électronique des sociétés et associations), the Mémorial B and the Central Bank of Luxembourg.
The data is only processed if such processing is required for the purposes indicated in point VII.
Please note that you are responsible for the accuracy of the data transmitted.
VII. Purposes of processing personal data
AFC Benelux processes personal data for the following purposes:
A. In application of article 3(2)(a) of the Law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended (hereinafter “AML/CTF law”), read in conjunction with paragraph 25 of the professional standard decreed by the Ordre des Experts-Comptables du Luxembourg (Luxembourg association of registered accountants) concerning the fight against money laundering and terrorist financing.
It is a legal obligation to process such personal data. Without such data, we cannot establish a business relationship.
B. The obligations of AFC Benelux towards the Luxembourg authorities, foreign authorities or international institutions, in application of a legal or regulatory obligation, in application of a court judgement or where there is a legitimate interest, particularly, but not exclusively, if the current and future tax and labour laws require us to process personal data as part of the mission entrusted to us.
It is a legal obligation to process such personal data. Without such data, we cannot establish a business relationship.
C. Execution of an agreement for the provision of legal, accounting, tax, HR and financial engineering (corporate strategy and organisation, restructuring and domiciliation advice in Luxembourg) services, and any other consultancy assignment in the broadest possible sense. The processing of personal data concerns the data of the clients themselves, of their principals, of their staff members, of their employees, of their agents, of their directors and of any other useful contact person, as well as any other persons, such as clients and suppliers, that are involved in their activities.
If this data is not shared with us and is not processed, we will not be able to fulfil our role as a trust company.
D. In addition to the data listed, we also process the personal data of other persons, such as useful contacts within our sector, networking contacts and expert contacts, etc.
We may also keep and process all responses and feedback, as well as any complaints.
This data is processed on the basis of consent, the execution of the agreement or our legitimate interest.
VIII. Website and cookies
Cookies are small files placed on your computer or mobile device by websites when you visit them. They are stored on your computer or mobile device in your browser’s file directory. They contain a variety of information, such as the visitor’s preferred language, so that the latter will not need to provide this information again when they next visit. Cookies contain a unique code that makes it possible to identify visitors when they access the website.
It is possible to configure your browser in such a way that it informs you each time it generates a cookie or to prevent them from being created.
While blocking cookies on your browser does not mean that you will be denied access to our website, some functions may not be available.
IX. Processing period
Personal data is retained and processed by AFC Benelux for as long as is necessary depending on the purposes of the processing and the relationship (whether contractual or otherwise). The storage period for personal data may also be extended as a result of a legal obligation.
A. The personal data that we are required to store pursuant to the AML/CTF law (cf. point VII. A)
This refers to identification data required by law. In accordance with article 3(6) of the AML/CTF law, this data is stored for a maximum period of five years after the end of a business relationship with the client or after the date of an occasional transaction.
B. Other personal data
Other personal data is stored for periods provided for by the applicable legislation, such as accounting legislation, tax legislation and labour legislation.
C. Once the abovementioned periods have elapsed, the personal data shall be erased, unless another applicable piece of legislation stipulates a longer storage period.
X. Access to and provision of personal data
In order to process your personal data, we authorise our employees and staff to access such data. They are required to handle your data confidentially and may only use this data for the purposes for which it was provided.
In line with the above, and unless it is necessary to disclose the personal data to organisations or entities that are third-party service providers, AFC Benelux shall not transfer the personal data collected to third parties and shall not sell, rent or exchange it with any organisation or entity.
AFC Benelux uses third-party providers of IT services and takes particular care in selecting them.
AFC Benelux uses external associates for the purposes of performing certain tasks or specific assignments (IT suppliers, statutory auditors, notaries, sworn translators, law firms, etc.).
The abovementioned associates or representatives of service providers or institutions, as well as the specialist service providers appointed by them, are required to respect the confidential nature of your personal data and may only use this data for the purposes for which it was provided.
AFC Benelux can transmit personal data to any legally competent authority upon request or on its own initiative if it believes in good faith that the transmission of that information is necessary in order to comply with the legislation in force or to protect the rights and interest of its clients.
XI. Security measures
Your personal data shall be treated confidentially. AFC Benelux has established technical and organisational procedures and measures in order to process the data with a sufficient level of security and to protect the personal data against any destruction, loss, falsification, unauthorised access or notifications to third parties in error, as well as any unauthorised processing of this data. These procedures apply to both the collection and storage of this data.
XII. Your rights: right of access, right of rectification, right to information, right to be forgotten, right to data portability, right to object
In accordance with the Luxembourg legislation on data protection and the provisions of the General Data Protection Regulation, please note that you have a legal right to request, free of charge, access to your data that is processed by AFC Benelux in order to verify it, or to have it rectified or supplemented.
The European Regulation also confers the following rights:
- Right to object to a specific use
You have the right to object to the processing of your personal data for serious and legitimate reasons. You do not, however, have the right to object to the processing of data when required for the performance of a legal obligation or the execution of an agreement. You always have the right to object to the processing of your data for the purposes of direct marketing or for the use of profiling related to such direct marketing. You also have the right to object to the transfer of your data to third parties for the same direct marketing purposes.
- Right to data erasure
If you suspect certain data is not being processed correctly, you can request the erasure of such data. There are, however, cases in which we are not legally permitted to erase data.
- Right to portability
You have the right to receive your personal data in a structured, commonly used and machine-readable format. You have the right to transmit that data to another controller.
- Right to restrict processing
In the event of a dispute concerning the processing of your personal data, you can request to restrict its processing until the conflict is resolved.
If the processing of personal data is based on prior consent, you have the right to withdraw such consent. This personal data shall then only be processed if we have another legal basis to do so.
You can exercise the abovementioned rights by emailing AFC Benelux at the following address: email@example.com, or by sending a letter to: AFC Benelux S.à r.l. FAO Mr Yves Mertz, 1 rue de Steinfort – L-8371 Hobscheid Luxembourg.
AFC Benelux will not be able to process your request without proof of your identity.
We do everything we can to ensure the personal data of our clients and third parties is processed in a meticulous and legal manner, in accordance with the applicable regulations. However, if you believe that your rights have not been respected, you are free to file a complaint with the competent supervisory authority:
Commission nationale pour la protection des données (National commission for data protection)
1, avenue du Rock’n’Roll
Tel.: (+352) 26 10 60-1
You may also seek legal recourse if you believe that you have incurred damage caused by the processing of your personal data.