IDEWE Group privacy policy
If you have certain tasks that are handled by IDEWE, we use your personal data for that purpose. Of course, we take the appropriate measures to protect your privacy in our role as the data controller. We strictly adhere to the European, national and regional regulations for personal data processing and protection.
IDEWE Group consists of:
- IDEWE vzw, Interleuvenlaan 58, 3001 Leuven, Belgium (CBE enterprise number 0409 862 612), represented by Prof. Lode Godderis, Managing Director
- IBEVE vzw, Interleuvenlaan 58, 3001 Leuven, Belgium (CBE enterprise number 0436 612 044), represented by Prof. Lode Godderis, Managing Director
Data Protection Officer: Valentine De Dobbeleer (privacy@idewe.be)
Personal data processing: legal grounds
As an external health and safety service for prevention and protection at work, IDEWE vzw complies with the following:
- The Act of 4 August 1996 regarding employee wellbeing at work, also referred to as the Workers' Wellbeing Act
- The Codex on wellbeing at work
- The Patient Rights Act of 22 August 2002
- The General Data Protection Regulation, hereinafter referred to as "GDPR"
- The Personal Data Protection Act of 30 July 2018
- The part of the Codex on the reintegration of employees after long-term sick leave (Employee Health Monitoring Measures, Book I, Title 4)
- The service agreement with the customer or the request of the data subject
If the employer is affiliated with IDEWE vzw, we receive the employees' employment information via the Crossroads Bank for Social Security in the majority of cases. This is administrative data only, such as the name, place of residence, social security identification number, date of birth, status, gender, nationality and employment start and end dates.
If it is medical information, IDEWE vzw complies with the disciplinary rules of the Chamber of Physicians.
In addition to IDEWE vzw, IDEWE Group includes IBEVE vzw, which operates on a contractual basis. The services of IBEVE vzw are closely aligned with the statutory tasks of an external health and safety prevention service and include asbestos research, environmental management, occupational hygiene, occupational safety, safety coordination and energy management.
For what purposes do we process your personal data?
IDEWE vzw processes personal data in accordance with the aforementioned legislation for the following:
- Health and administrative files
- Organisation of health assessments
- Reintegration assessments
- Epidemiological research and (primary) scientific research
- Provision of information and newsletters
It is important that IDEWE vzw has the following data to ensure it can correctly perform its tasks as an external health and safety service for prevention and protection at work:
- All information needed for the identification and medical monitoring of the data subjects
- Up-to-date personnel data to determine our customers' statutory annual contribution
IDEWE vzw receives all data directly from the employer or the data subject themselves and via the Crossroads Bank for Social Security. IDEWE only uses the information obtained for the above purposes, unless explicitly agreed otherwise with the employee.
IBEVE vzw processes personal data where necessary to implement its contracts.
IDEWE Group also uses some address data for direct marketing purposes, such as newsletters and invitations.
On what legal basis does IDEWE Group process personal data?
- Processing of the personal data is necessary to implement an agreement.
- Processing of the personal data is necessary to look after the controller's legitimate interests.
- Processing of the personal data is necessary to comply with a legal obligation of IDEWE Group.
- The personal data is processed at the data subject's request.
- In some cases, processing of the data requires the data subject's consent.
Types of personal data
IDEWE Group stores the following data:
- Identification data, such as surname, first name, date of birth, place of birth, country of birth and national registration number
- Contact information, such as phone number, personal address and possibly the address of an emergency contact
- Employment data, such as previous jobs, risks associated with these jobs, employment start and end date (if your employer or employers are affiliated with IDEWE Group)
- Private information about matters that may affect the employee's health or job, such as hobbies, sports, smoking, drinking, drugs, etc.
- Health information, such as personal and family history, pregnancies, medication, medical history, biometrics, etc.
- Psychosocial information on inappropriate and unacceptable behaviour, stress, etc.
- Customer contact details
Who has access to the personal data?
- Authorised staff at IDEWE Group. We distinguish between various types of personal data (e.g. addresses, medical data, etc.) to determine access rights. For example, medical data is only available to medical staff. For a number of specific administrative tasks (e.g. allocation of incoming mail), supporting administrative staff also receives temporary and restricted access to the medical data required for that task only.
- Professionals who must be consulted, e.g. with regard to health or psychosocial files (with the employee's consent only).
- The customer themselves for administrative, non-medical personal data
- Organisations to which IDEWE Group is legally obliged to provide personal data
If, for a certain reason, it is necessary to give a third party – such as a software supplier – access to certain personal data, IDEWE Group will take the necessary measures to guarantee the data's security and confidentiality. In that case, IDEWE Group will conclude a processor agreement with the third party as determined by the GDPR.
We treat the information we receive from the employee during (or as part of) a medical examination as medical information. This means only medical staff has access to it. For a number of specific administrative tasks (e.g. allocation of incoming mail), supporting administrative staff also receives temporary and restricted access.
We never share electronic health files with employer(s) or third parties. If the company opts for another external health and safety service for prevention and protection at work and the contract with IDEWE vzw expires, IDEWE vzw will forward the information from the health file in accordance with the Workers' Wellbeing Act and the Codex on wellbeing at work.
Security of your personal data
The IDEWE Group security plan takes into account all domains described in the ISO 27000 principles. IDEWE guarantees a suitable level of security based on the risk, with corresponding technical and organisational measures such as:
- The encryption of personal data
- A permanent guarantee of:
- the confidentiality, integrity and availability of the processed data;
- the resilience of our processing systems and services
- Rapid intervention in the event of a physical or technical incident
- An extensive testing procedure
IDEWE Group uses data classification to protect the information properly. This means that the more sensitive the information, the more security is provided.
All IDEWE Group staff have signed a confidentiality clause, and this is an integral part of the employment contract.
For some processing operations, IDEWE Group uses a subcontractor, such as a software supplier and printer. In that case, a processor agreement will be concluded. This is how IDEWE Group ensures that everything is carried out in accordance with the GDPR and the associated organisational and technical security measures and obligations.
Retention periods
- IDEWE vzw retains the employee information for a minimum of 15 years. In doing so, we deviate from the right to be forgotten. The reason for this is continued medical monitoring: the impact of certain risks only becomes visible after an extended period. The specific period is laid down in the legislation on workers' well-being.
- Psychosocial aspects: formal and informal requests are subject to a 20-year statutory retention period. Surveys are subject to a 15-year retention period as part of a risk assessment of psychosocial aspects.
- IBEVE vzw keeps the personal data for seven years, which is the same retention period as specified by the legislation on company accounting.
- Job application files are retained for five years.
Use of National Registration Number for identification purposes
IDEWE vzw has received permission from the Data Protection Commission to use the national registration number for the following purposes:
- Unambiguous employee identification
- Communication with the employer
Anonymous use of information
One of the tasks of an external health and safety service for prevention and protection at work is to conduct scientific research. IDEWE vzw uses anonymised or pseudonymised information for this purpose. Identifiable personal data will only be used in exceptional cases and only if strictly necessary for a particular type of survey. IDEWE vzw always adheres to the strictest confidentiality standards for this.
Individual rights under the GDPR
- Right to view personal data in possession of IDEWE Group:
  - Administrative file
    - The data subject receives this data themselves.
  - Psychosocial file
    - The data subject is entitled to a copy of the interviews with the health and safety prevention adviser on psychosocial aspects.
  - Health file
    - If we receive the data subject's consent, we will provide the documents from the health file to the attending physician.
    - The data subject is entitled to read the medical personal data and exposure data in the health file in accordance with the provisions of Article I.4-95 of the Codex on well-being at work.
- Right to rectification
If the data subject finds that some personal data is incorrect, they are entitled to have this data corrected.
- Right to erase data
In most cases, the right to erase data is very limited or expires completely. This is because IDEWE vzw is bound by statutory retention obligations.
- Right to restrict processing
  - Some personal data (such as the health file) is subject to legal provisions that regulate its transfer.
- Right to object
IDEWE vzw is bound by legal processing obligations. This means that in many cases the right to object lapses. The data subject can always object to the use of their personal data for direct marketing purposes.
- Right to withdraw consent
If explicit consent is required for data processing, the data subject can withdraw it at any time. Please note that such withdrawal shall only have a legal impact on future data processing operations, never on past data processing operations.
- Automated individual decision-making
If a decision is ever made based on automated individual decision-making, we offer the data subject the necessary guarantees. If the data subject disagrees with the automated decision, we also provide them with a specific explanation of the decision-making process and the right to human intervention.
- Right to file a complaint with a supervisory data authority
If the data subject thinks the GDPR has been breached, they are entitled to file a complaint with the supervisory data authority of the Member State where they usually reside, where they have their place of work, or where the alleged breach has been committed. In Belgium, this is the Data Protection Authority (formerly the Privacy Commission).
Exercise of individual rights
Unless the request method is laid down by law – for example with regard to the ability to transfer the health file – a data subject may exercise their individual rights if they submit a dated request.
As this concerns sensitive data, we need to be sure of the data subject's identity. In case of a health file, for example, a change or viewing can have major consequences.
If the identification data sent to us is not sufficiently conclusive, we will require additional proof of your identity.
In extreme cases, we may request a copy of your identity card. You can cover up any data not required for identification, such as the identity card number. IDEWE vzw is authorised to use the national registration number. That is why in such a case, you will also be required to provide a copy of the back of the identity card, clearly showing your name and national registration number at a minimum. IBEVE vzw only requires a copy of the front of the identity card.
You can also submit a dated request with an electronically signed email. This may also include a copy of the identity card as described above.