The Flemish Data Utility Company respects your rights when processing your personal data.
This statement tells you how we collect and process your personal data, identifying you or establishing a link with you as a natural person. This process is always done according to the General Data Protection Regulation (GDPR). Below you will find an explanation of our approach and the rights you can invoke.
Who processes your personal data?
The Flemish Data Utility Company, abbreviated "DUC", is responsible for processing your personal data. On this page, we use the personal pronoun we to refer to the DUC. We only process personal data and allow personal data to be processed when necessary to perform the tasks assigned to us. We always process personal data per the provisions of the General Data Protection Regulation (GDPR) and federal and Flemish regulations on the protection of natural persons when processing personal data.
Our objective is to facilitate cooperation in a data-driven ecosystem around secure data sharing with and by citizens, companies or public authorities and to optimise the exercise of citizens' data protection rights with minimum administrative burden. As part of our objective, we have set up the citizen data vault platform and the real estate information platform. Below is a list of personal data for each platform.
Data vault platform
Managed by us, the data vault platform makes personal data vaults available to citizens.
What is the purpose, and why do we process your personal data?
The platform aims to give you control over data about you and exchange this data in a secure and efficient way with third parties of your choice. You decide on the content of your personal data vault and the purposes for which you want to use this personal data.
The functioning of a data vault can be broadly summarised as follows:
- Creation of data vault: We create a data vault at your request. A unique address (WebID) is linked to you and your data vault. You decide whether you want to create a data vault and are in no way obliged to do so.
- Data retrieval: We retrieve data from a "providing entity" at your request. This means an organisation, public or private, that provides data.
- Loading data into the data vault: We load this information.
- Attesting data in data vault: The data in the data vault can be attested with electronic seals within the meaning of Article 3 eIDAS Regulation.
- Sharing data in data vault: At your request, we share data from the vault to the organisation you designate, which may be public or private, provided the latter has obtained access to an application of the Flemish Data Utility Company as provided for in Art. 10 DNB Decree.
- Data vault removal: At your request, we can delete your data vault with the unique address and the data herein.
You safely activate your personal data via My Citizen Profile (Mijn Burgerprofiel). Subsequently, you also have the option to deactivate your personal data vault. Only you decide on the activation or deactivation of your personal data vault.
We process your personal data within the framework of the data vault platform on the basis of your consent to comply with a legal obligation incumbent on us and to fulfil a task of public interest (included in the Decree of 2 December 2022 authorising the establishment of the privately incorporated externally independent agency Flemish Data Utility Company in the form of a public limited company).
The processing of data and data sharing looks schematically (and simplified) as follows:
What personal data may we process from you?
The personal data or categories of personal data we process from you in your data vault will depend on your needs and requests.
However, the following categories of personal data may potentially be processed:
- contact and identification details
- family composition data
- occupational and educational data
- financial data
- the identification number of the National Register
- the identification number of the Crossroads Bank for Social Security
- the company number from the Crossroads Bank for Enterprises
- cadastral data
- Mobility data
- Leisure-time data
- Health data
As already described above, the initiative of activating a data vault lies with you. We do not process personal data from you in the context of this platform if you would not have activated a personal data vault.
In addition, we also process log files on the use of your data vault.
How do we obtain your data, and with whom do we share it?
At your request, specific data may be added/entered into your data vault collected from a government agency or company you designate (this is a supplying entity). The supplying entity acts as a data controller for the data they communicate.
Furthermore, at your request, we may share specific data from your data vault with a government agency or company designated by you (this is a receiving entity).
The receiving entity acts as a data controller for the data they process and must have obtained access to an application of the DUC as provided for in Art. 10 DNB Decree. The legal basis on which the receiving entity relies for processing after accessing the data in your safe based on consent may be a basis other than consent. It is best to consult the receiving entity's privacy notice for this.
It is important to note that only you have access to the contents of your personal data vault. We cannot access your chosen content or the personal data processed in the safe.
Protocols concluded by the Flemish Data Utility Company with other governing bodies
Following Article 8 §1 of the e-Gov Decree, protocols concluded between bodies of the Flemish Government should be published on the governing bodies' websites.
The Flemish Data Utility Company has concluded a protocol with AHOVOKS to disclose diploma data from the LED (Learning and Experience Evidence Database) in the Data Vaults. Read the protocol here.
Real estate information platform
The Real Estate Information Platform is an electronic information system for accessing, aggregating and making available real estate information between public authorities and real estate agents, notaries and citizens.
On behalf of local authorities, we process the following categories of personal data for the purpose of making real estate files available:
- real estate information (intelligence) derived from local, regional or federal data sources
- data in the context of urban planning and environmental crimes and infringements derived from local data sources
The data controllers under the Real Estate Information Platform are the local authorities.
How long do we keep your personal data?
We do not process your personal data for longer than necessary for the purposes for which we process your personal data or according to the legal obligation imposed on us. Log files regarding the use of your data vault and the property information made available will be kept for ten years.
Will your personal data be shared with third parties?
The transfer of personal data to third parties is only done to the extent necessary for the performance of the processing. A transfer outside the European Economic Area will be limited as much as possible and always take place in accordance with the GDPR (through model contractual clauses, as approved by the European Commission, and additional appropriate technical, organisational and contractual measures to ensure a level of protection equivalent to the EU....).
Transfer of personal data in the data vault will only take place at your explicit request. There is no transfer to third parties without your consent.
What are your rights regarding your personal data?
To exercise your privacy rights, please get in touch with the Data Protection Officer (DPO) by emailing email@example.com. We request a recto-verso copy of your identity card as proof of your identity.
You have the right to access the personal data we process about you. You may request a copy of your personal data.
However, for the personal data in your data vault, we cannot respond to your request as we do not have access to the contents of your data vault. If you wish to view your processed data, you can access the contents directly in your data vault via My Citizen Profile.
If you are convinced that the personal data processed about you is incorrect or not up to date, you can have it corrected.
As the personal data comes in the personal data vault of a submitting authority, we cannot correct this data ourselves. To this end, you can contact the submitting body itself; we will make sure it is clear how this can be done each time. You can also send your request to us at firstname.lastname@example.org, in which case we will contact the submitting entity.
Personal data processed are kept only for a limited time and specific purposes. However, if you consider that your personal data are not (any longer) necessary for the service you are calling upon, you can ask for your personal data to be deleted.
For the personal data in your data vault, we cannot delete personal data in a targeted manner, as we do not have access to the contents of your data vault. You can delete data from your data vault yourself via My Citizen Profile. In the future, you can also delete your data vault, with the associated unique address, via My Citizen Profile. Until then, you can contact us to delete your data vault and its unique address via email@example.com.
- The right to object, restriction of processing, and the right not to be subject to automated decision-making.
You can invoke the right to object in order to stop the processing of your personal data if your interests outweigh the public interest task, governmental tasks or statistical or historical grounds for the processing. You can do this at firstname.lastname@example.org.
If you request to restrict the processing of your personal data, it will not be deleted, but no further processing will be carried out in the future. In case you dispute the correctness of the data without wanting to stop the processing, or you believe that the processing is unlawful or for legal reasons such as court proceedings for which you need the processed data or if you objected. The request for objection has not yet been completed.
For processing personal data in the personal data vault, you can manage this yourself via My Citizen Profile.
Furthermore, Article 28 of the DUC founding decree states that we do not conduct automated decision-making on personal data, including profiling.
It is possible to recover personal data processed about you, which you have provided yourself and for which you have given your consent, or to have it transferred.
However, this is not possible for the personal data in the personal data vault, as we do not have access to the data in your safe.
- Right to withdraw your consent
You always have the right to withdraw your consent for the processing of your personal data that we base on your consent.
For processing by data lockers, you can manage this yourself via My Citizen Profile.
How will my personal data be protected?
Breach prevention is supported by multi-layer encryption and regular penetration testing of key software components. Detection capabilities rely on audit logs that integrate with the Flemish government's SIEM solution and 24/7 monitoring by operators from the Flemish government's SOC. All technology providers have solid security and service management processes, including incident management and vulnerability management, which ensure that problems are quickly remedied.
More information on how your personal data are protected on our data locker platform can be found here:
Where can you raise questions or complaints regarding processing your personal data?
You can contact the Data Protection Officer (DPO) for additional information, questions, comments, and suggestions on how we process your personal data or if you disagree with any processing. The same applies to exercising rights granted to you by the regulations, as described above.
You can always contact the data protection officer of the Flemish Data Utility Company by e-mail using the contact details below.
If you are of the opinion that processing by the Flemish Data Utility Company violates the applicable laws and regulations, there is also, as a last resort, the possibility of filing a complaint with the Flemish Supervisory Commission or with the Data Protection Authority.
For the Flemish Supervisory Commission, file a complaint via email@example.com or by post: Koning Albert II-laan 15, 1210 Brussels.
For the Data Protection Authority: firstname.lastname@example.org or Printing Press Street 35, 1000 Brussels.
Data protection officer (DPO): email@example.com
Havenlaan 88 bus C