Privacy Statement Expertaxpartners
As an accounting firm, we are responsible for processing a large amount of data. Some of this data includes personal information, and in this context, we would like to inform you of the following:
The firm collects and processes identity and contact information received from the client about the client themselves, their family members, their employees, their staff, their appointees, and their business relations (suppliers or customers of the client) and any other relevant contact person. This personal data is processed by the firm in accordance with Belgian data protection legislation and the provisions of the Regulation 2016/679 of 27 April 2016 concerning the protection of natural persons regarding the processing of personal data and the free movement of such data, applicable since 25 May 2018 (hereinafter ‘General Data Protection Regulation’).
The client is responsible for the accuracy and updating of the personal data provided to the firm and commits to strictly comply with the provisions of the General Data Protection Regulation regarding the individuals to whom they have provided personal data. The client is also responsible for any possible personal data they may receive from their customers, employees, staff, and appointees.
The client acknowledges that they have been informed of the information below and authorizes the firm to process the personal data provided in the context of the services provided by the firm, in accordance with the provisions included in this privacy statement.
1. Controller responsible for the processing of personal data
The controller responsible for the processing of personal data is Mr. Frederik OPHALVENS.
The controller’s registered office is located at Peulisbaan 16, 2820 BONHEIDEN, with company number 0508.779.549.
The controller is registered with ITAA under recognition number 10.953.320.
Contact regarding the protection of personal data:
For any questions related to the protection of personal data, you can always contact Expertaxpartners via mail at the address mentioned above or via email at firstname.lastname@example.org.
2. Purposes of processing personal data
2.1 For each processing operation, only the data relevant to the specific purpose pursued is processed. Processing includes any operation (manual or automated) on personal data.
These data are only shared with subcontractors, recipients, and/or third parties to the extent necessary for the aforementioned purposes of the specified processing.
2.2 In general, the firm processes personal data for the following purposes:
A. Application of the Law of 18 September 2017 for the prevention of money laundering and terrorist financing and for the restriction of the use of cash (hereinafter referred to as the Law of 18 September 2017).
1° Pursuant to Article 26 of the Law of 18 September 2017, our office is required to collect the following personal data regarding our clients and their proxies: name, first name, date and place of birth, and, if possible, address.
2° Pursuant to Article 26 of the Law of 18 September 2017, our office is required to collect the following personal data regarding the ultimate beneficiaries of the clients: name, first name, and, if possible, date and place of birth and address.
The processing of this personal data is a legal obligation. Without this data, we cannot proceed with establishing a business relationship (Art. 33 Law of 18 September 2017 for the prevention of money laundering and terrorist financing and for the restriction of the use of cash).
B. The obligations incumbent on the office towards the Belgian government, foreign governments, or international organizations, in execution of a legal or regulatory obligation, in execution of a judicial decision, or in the context of the pursuit of a legitimate interest, including but not limited to the current and future tax laws (e.g., VAT listings, tax forms), and social laws, necessitate the processing of personal data within the framework of the assignment with which we have been entrusted.
The processing of this personal data is a legal obligation, and without this data, we cannot proceed with establishing a business relationship.
C. Execution of an agreement regarding accounting and tax services. The processing of personal data concerns the data of the clients themselves, their employees, their directors, and similar individuals, as well as other persons involved as customers or suppliers in the activity.
Without the provision and processing of this data, we cannot properly carry out our assignment as an accountant/tax advisor.
D. Direct prospecting activities, such as sending promotional or commercial information such as newsletters. The client can unsubscribe from information or newsletters and other messages from the office at any time. The client can unsubscribe by sending an email to the following address: email@example.com.
2.3 Specifically, the office collects, records, and uses the data of clients for the following purposes:
- establishing and managing the contractual relationship with the client;
- executing its assignment;
- enabling the client to receive messages and information;
- responding to requests for information;
- any communication activity from the office to clients who have given their consent;
- informing clients of any changes to the office’s website, functionalities, and terms and conditions;
- for any other reason for which the client has expressly given consent.
2.4 The legal basis for the processing of personal data by the office is:
(i) the consent of the client;
If the legal basis for the processing is the consent of the client, they have the right to withdraw it at any time without adversely affecting the processing that was performed before the client’s withdrawal.
(ii) Performing any request from the client or the need to execute an agreement concluded with the client.
The office needs to collect certain data from the client to fulfill their requests. If the client chooses not to share this data with the office, it may result in the inability to execute the agreement.
(iii) A legal obligation imposed on the professional to collect and retain certain client data to comply with various legal provisions, including those related to taxes, accounting, and anti-money laundering regulations.
(iv) The legitimate interest of the office to process the client’s personal data, provided it is done in compliance with the client’s interests and fundamental rights and freedoms.
The office has a legitimate interest in maintaining communication with its clients, including but not limited to:
- Fulfilling their requests or better executing the assignment;
- Preventing abuse and fraud, verifying the legality of transactions, exercising, defending, and protecting the office’s rights in case of disputes;
- Providing evidence of a possible violation of the office’s rights;
- Managing and improving relationships with the clients;
- Continuously improving the services provided by the office.
The office always ensures a proportional balance between its legitimate interest and the respect for the privacy of its clients.
3. Which personal data and from whom?
3.1 The office processes only the personal data provided by the data subject or their relatives.
- Identification data such as name, surname, marital status, date of birth, address, employer, position, telephone number, email address, national number, and company number;
- Biometric data (copy of electronic identity card or passport);
- Banking information necessary for the execution of the assignment by the office, such as IBAN and BIC/SWIFT bank account numbers;
- Billing information;
- Communication between the client and the office;
- In the context of the declaration of personal income tax via Tax-on-web, the following data are also processed: children, membership of a trade union or political organization, medical data;
- Any other personal data necessary for the execution of the assignment.
3.2 The office processes personal data not provided by the data subject:
- Personal data provided by the client relating to their employees, directors, customers, suppliers, etc.
3.3 The office processes personal data not provided by the client:
- The personal data may come from public sources such as the Crossroads Bank for Enterprises, the Belgian State Gazette, and its appendices, and the National Bank of Belgium (Central Balance Sheet Office);
- In the context of the assignment, the office may also collect certain data from other companies, including those from the following sources:
  - Other companies seeking our services regarding a case concerning you (e.g., as a third party, co-contractor, shareholder, related family member for tax returns, etc.);
  - Legal authorities;
  - Judicial officers or notaries;
  - Tax or social administration;
  - Clients/suppliers, etc.
4. Recipient of data
4.1 Disclosure to other parties than service providers
The office may disclose personal data upon request of any legally competent authority or on its own initiative if it believes in good faith that the disclosure of such information is necessary to comply with legislation and regulations or to defend and protect the rights or property of the office, its clients, its website, and/or yourself.
4.2 Disclosure to third-party service providers
The office relies on third-party service providers:
- The office uses an e-bookkeeping software and a related portal;
- The office engages external employees to perform certain tasks or specific assignments (e.g., business auditor, notary, etc.).
The office may disclose personal information of its clients to third parties to the extent necessary for the execution of an agreement with its clients. In this case, those third parties shall not disclose that information to other parties, except in the following situations:
- The disclosure of that information by those third parties to their suppliers or subcontractors is necessary for the execution of the agreement;
- When those third parties are required by applicable law to disclose certain information or documents to the competent authorities in the fight against money laundering, and, in general, to any competent public authority.
The disclosure of that information to the aforementioned persons must, in all circumstances, be limited to the information strictly necessary or required by applicable law.
4.3 Transfer to a country outside the European Economic Area (if applicable)
The office only transfers data to a country outside the European Economic Area when that country provides an adequate level of protection as defined by applicable law, particularly the General Data Protection Regulation, or within the limits permitted by applicable law, for example, by ensuring data protection through appropriate contractual clauses.
5. Security measures
The office has implemented appropriate organizational and technical measures, both in data collection and retention, to ensure a level of protection commensurate with the risk and, as far as possible, to prevent:
- Unauthorized access to or modification of this data;
- Inappropriate use or dissemination of this data;
- Unlawful destruction or accidental loss of this data.
These procedures also apply to all subcontractors used by the office.
In this regard, employees, shareholders, or associates of the office who have access to this data are subject to strict confidentiality obligations.
However, the office cannot be held responsible in the event of theft or embezzlement of this data by a third party despite the security measures put in place.
6. Retention period
6.1. Personal data that the office must retain under the Law of September 18, 2017 (see 2.2A.)
This concerns the identification data and copies of documents relating to our clients, internal and external agents, as well as the ultimate beneficiaries of our clients.
This personal data is kept in accordance with Article 60 of the Law of September 18, 2017, for a maximum of ten years after the end of the business relationship with the client or from the date of an occasional transaction.
6.2. Other personal data
The personal data of individuals other than those mentioned above is kept only for the periods provided for in the applicable legislation, such as accounting legislation, tax legislation, and social legislation, except for the personal data that the office must keep for a longer period based on specific legislation or in the event of a pending dispute for which the personal data is required.
6.3 After the expiry of the aforementioned periods, the personal data is erased, unless other applicable legislation provides for a longer retention period.
7. Rights of access, rectification, erasure, data portability, objection, non-profiling, and notification of security breaches
7.1 In accordance with the regulations on the processing of personal data, the client has the following rights, subject to the particular case provided for in Article 7.2:
- Right to be informed about the purposes of the processing and the identity of the data controller.
- Right of access: the client has the right to ask at any time whether their data has been collected, for how long, and for what purpose.
- Right to object: the client can object to the use of their data by the office at any time.
- Right of rectification: the client has the right to request at any time that their incorrect or incomplete data be corrected or supplemented.
- Right to restrict processing: the client can request a restriction of the processing of their data. This means that the data in question must be “marked” in the office’s computer system and cannot be used for a certain period.
- Right to erasure of data (“right to be forgotten”): subject to the exceptions provided for by law, the client has the right to request the erasure of their data, except for data that the office must retain under a legal obligation.
- Right to data portability: the client can request that their data be provided to them in a “structured, commonly used, and machine-readable format” and can also request the office to transfer that data to another data controller.
- Right to lodge a complaint: the client can lodge a complaint with the Data Protection Authority.
To exercise their rights, the client can always submit a written request, along with a copy of their identity card or passport, to the data controller by email: firstname.lastname@example.org or by regular mail.
7.2. Regarding the personal data that the office must retain in accordance with the Law of September 18, 2017.
This concerns the personal data of our clients, agents, and ultimate beneficiaries of our clients.
In this regard, we draw your attention to Article 65 of the Law of September 18, 2017:
“Art. 65. The person to whom the processing of personal data applies under this law does not enjoy the right of access and rectification of their data, the right to be forgotten, data portability, the right to object or not to be profiled, nor the right to be notified of security breaches under this law.
The right of access of the data subject to the personal data concerning them is exercised indirectly, pursuant to Article 13 of the aforementioned Law of December 8, 1992, with the Commission for the Protection of Privacy as established by Article 23 of the same Law.
The Commission for the Protection of Privacy informs the applicant only that the necessary verifications have been carried out and the results thereof regarding the legality of the processing in question.
That data may be communicated to the applicant when the Commission for the Protection of Privacy, in consultation with the CFI and with the advice of the data controller, on the one hand, determines that its communication is not susceptible to disclosing the existence of a report of a suspicion referred to in Articles 47 and 54, the consequences thereof, or the exercise by the CFI of its right to request additional information under Article 81, nor susceptible to compromising the objective of the fight against ML/TF, and on the other hand, determines that the data in question relate to the applicant and are kept by the subject entities, the CFI, or the supervisory authorities for the application of this law.”
Therefore, to exercise your rights regarding your personal data, you must contact the Data Protection Authority (see point 8).
Regarding the processing of personal data by our office, you can file a complaint with the Data Protection Authority:
Drukpersstraat 35, 1000 Brussels
Tel +32 (0)2 274 48 00
Fax: +32 (0)2 274 48 35
9. Updates and changes to the privacy statement
The office may modify or adapt the privacy statement, informing clients through its website or by email. This may be done, among other reasons, to comply with new legislation and/or regulations applicable to the protection of personal data, recommendations of the Belgian Data Protection Authority, guidelines, recommendations, and best practices of the European Data Protection Board, and decisions of courts and tribunals on this matter.
Last updated on July 31, 2023.