Personal data protection policy – eStox –

EStox is a platform managed by the non-profit association Enterprise Spoc (hereinafter “Enterprise Spoc”), with registered office at Rue de la Montagne 30-34, 1000 Brussels, registered with the CBE under number 0727.371.722, which makes it possible to keep an Electronic register of securities of a company. It is a service made available to companies by notaries, accountants, chartered accountants and tax advisers (hereinafter “the Advisers”).

Enterprise Spoc and the Advisers place a strong emphasis on respecting your privacy and your personal data (hereinafter, “Data”). As such, they ensure that they comply with the relevant regulations and, in particular, the European General Data Protection Regulation (Regulation (EU) 2016/679, hereinafter “GDPR”).

The purpose of this Policy is therefore to inform you about how they process your Data and the means available to you to control this use. If you require any further information, you can contact Enterprise Spoc’s Data Protection Officer either:

  • by sending an email to info@privanot.be; or
  • by writing to Privanot asbl, rue de la Montagne, 30, 1000 Brussels.

This version of the personal data protection policy is subject to change. We will inform you of any substantial updates.

1. Who is responsible for processing your Data?

As part of the management of the eStox platform and the administration of the services offered therein, Enterprise Spoc is required to process your Data alongside Advisers, whether in its capacity as Advisers’ “data controller” or “processor” (within the meaning of the GDPR). 

Thus, Enterprise Spoc acts as a “data controller” for the following processing operations:

  • Platform user identification and authentication.
  • Customer management and invoicing.

Enterprise Spoc acts as Advisers' “processor” for the following processing operations:

  • Management and electronic storage of Electronic registers of securities of Advisers' corporate clients.
  • Communication and registration of (specific) data from Compagnies’ Electronic registers of securities or the eStox platform onto other systems, such as the UBO Register.
  • Communication and registration of data from company registers in the file management software used by the Advisers.

The purpose of this policy is to inform you about all these processing operations.

2. What data do we process and for what purposes?

The data processed, the storage period and the purposes for which they are processed depend on the data subjects concerned.

2.1. If you have access to the eStox platform as a user

As part of the eStox Platform, Enterprise Spoc is required to correctly identify and authenticate users who wish to connect to the platform in order to prevent abusive or illegitimate access to the platform.

In this context, Enterprise Spoc processes the following Data relating to persons accessing the registers:

  • Identification data: surname and first name
  • National Register identification number (FPS Interior authorisation 067/2020 of 11 August 2020)
  • Connection data (IP address, logs, terminal identifier, user identification, time stamp information)
  • Email address (for notaries, chartered accountants and tax advisers)
  • Profession + role assigned for use of the platform (read or write access) (for notaries, chartered accountants and tax advisers)

This processing is necessary for the performance of a contract to which you are a party and for Enterprise Spoc’s own legitimate interests, namely to ensure the security of the eStox platform and the Electronic registers of securities accessible through it.

The aforementioned Data will be kept for as long as you are a user of the eStox platform.

Access logs to the eStox platform are kept for 10 years as evidence.

2.2. If you are an Adviser accessing the eStox platform

As an Adviser, you are both a user (see point a. above) and a customer of Enterprise Spoc.

In this capacity, Enterprise Spoc may invoice you for the services provided.

In this context, Enterprise Spoc processes the following Data on the basis of the contract between you and Enterprise Spoc:

  • Identification data (surname, first name, etc.)
  • Contact details (postal address, email address)

Your Identification Data will be kept for as long as you are a customer. Your Accounting Data will be kept for 10 years from the date on which the accounts are closed.

2.3. If you are listed in a company's Electronic register of securities

The categories of processing carried out by Enterprise Spoc as part of the management and maintenance of Electronic registers of securities are: the collection, use and storage of Data.

The purpose of this processing is to maintain - including hosting - in electronic form a register of Electronic registers of securities of companies that have appointed an Adviser in accordance with Articles 24, 6:24 and 7:29 of the Companies and Associations Code and Articles 7:12 et seq. of the Royal Decree of 29 April 2019 implementing the Companies and Associations Code.

In this context, the categories of data processed relating to the persons listed in the register are as follows:

  • Identification data (surname, first name, alias, capacity, home postal address, telephone number, email address, bank account number, date of birth, etc.)
  • Other identification data (national register identification number - FPS Interior authorisation 067/2020 of 11 August 2020)
  • Data relating to the securities held (number of securities held, category, payments made on each share/unit, payments still to be made, declarations of transfer of securities, voting rights and rights to profits attached to each security, entitlement to the liquidation bonus, any restrictions on the transferability of securities, any securities established, etc.)

The aforementioned data is kept for as long as we are tasked by an Adviser with the management and conservation of the Companies’ Electronic registers of securities.

In addition, in order to best assist companies that hold an Electronic registers of securities through eStox, which are also required to communicate certain information to the UBO Register in accordance with the Law of 18 September 2017 on the prevention of money laundering and terrorist financing and the restriction of the use of cash, Enterprise Spoc is required to communicate data to the UBO Register on behalf of Advisers.

In order to do this, Enterprise Spoc needs to access the National Register in order to:

  • Collect the data referred to in Articles 3 and 4 of the Royal Decree of 30 July 2018 on the operating procedures of the UBO Register and included in the National Register.
  • Compare the data collected with the data contained in the electronic register of securities in order to verify the accuracy of the data that Enterprise Spoc asbl will be required to communicate to the UBO Register, on behalf of the Advisers appointed by the companies holding an electronic register of securities via the eStox Platform.

These purposes are legitimate on the part of the Advisers insofar as such access is legally provided for by Article 24 of the Royal Decree of 30 July 2018 on the operating procedures of the UBO Register.

The data subjects of the Data communicated to the FPS Interior are the beneficial owners of companies - holding an Electronic register of securities through eStox - whose identity must be provided to the UBO Register pursuant to the law of 18 September 2017.

The categories of data processed in this context are the Data required under Articles 3 and 4 of the Royal Decree of 30 July 2018 on the operating procedures of the UBO Register, namely:

  • Identification data (surname, first forename, day of birth, month of birth, year of birth, nationality(ies), country of residence, full address of residence, identification number in the National Register of Natural Persons or in the Crossroads Bank for Social Security, and where applicable, any similar identifier given by the State in which the beneficial owner resides or of which they are a national).

These data come from the National Register following authorisation by the FPS Interior 067/2020 of 11 August 2020.

  • Data relating to the status of beneficial owner (date on which the beneficial owner obtained this status, category to which it belongs pursuant to Article 4, 27°, para. 2 of the Law of 18 September 2017, if it is a person who fulfils one of the conditions listed in Article 4, 27°, para. 2 of the Law of 18 September 2017, direct or indirect beneficial ownership, in isolation or, on the contrary, in coordination with other persons, and, in the latter case, the number of intermediaries, the extent of the beneficial interest held (i.e. the percentage of shares or voting rights they hold in the party responsible for providing information or, the percentages of shares or weighted voting rights they hold in the party responsible for providing information).

The aforementioned data will be kept by Enterprise Spoc for the time necessary to compare them with the data contained in the Electronic registers of securities before they are communicated to the UBO Register. Thereafter, once communicated to the UBO Register, the Data are automatically deleted by Enterprise Spoc.

3. Does Enterprise Spoc use your Data for purposes other than those mentioned in point 2?

Where appropriate, your Data may be re-used by Enterprise Spoc for statistical or scientific research purposes after it has been anonymised.

The ultimate purpose of such further processing of the Data is always to improve the service provided by Enterprise Spoc to companies and to Advisers.

4. Is your Data communicated to third parties?

Your Data may be transmitted to:

  • Enterprise Spoc’s external subcontractors (in particular the Royal Federation of Belgian Notaries and the Institute of Tax Advisers and Accountants) responsible for carrying out Data processing in compliance with the aforementioned purposes with whom Enterprise Spoc has taken care to sign a contract guaranteeing the respect of your Data in accordance with the provisions of the GDPR.
  • The FPS Finance, which manages the UBO Register.

Enterprise Spoc may also transmit your Data to authorities, administrations or courts if required to do so by law.

5. How is your Data protected?

Your Data is stored in a secure Cloud service within the European Union.

Enterprise Spoc takes all necessary measures to ensure the security and confidentiality of your Data, in particular by preventing it from being damaged, unintentionally deleted or accessed by unauthorised third parties.

Furthermore, in the event of a security incident affecting your Data (destruction, loss, alteration or disclosure), Enterprise Spoc undertakes to comply with its obligation under the GDPR to notify Data breaches, in particular to the Data Protection Authority or the Adviser.

6. What are your rights with regard to the processing of your Data?

As the data subject of Data processed by Enterprise Spoc, you have the right to exercise the rights granted to you by the GDPR.

Thus, you have the right to transparent processing of your Data, the right to information, the right of access and the right to rectification if your Data proves to be inaccurate or incomplete.

Under certain conditions and in strictly defined cases, you also have the right to have your Data deleted, the right to object to the use of your Data and the right to data portability for your Data.

You may exercise your rights via the data controller.

Depending on the type of processing concerned, you may exercise your rights with the Data Protection Officer appointed by Enterprise Spoc (by sending an email to info@privanot.be or a letter to Privanot asbl, rue de la Montagne, 30, 1000 Brussels) or to the Adviser or their Data Protection Officer.

7. Complaints

If you believe that Enterprise Spoc or an Adviser has not processed your Data in accordance with applicable regulations, you have the right to lodge a complaint with the Data Protection Authority (https://www.autoriteprotectiondonnees.be).