By using our website, using the products and services offered by Bright Link S.A. via our platform or participating in our actions, you expressly accept the way in which Bright Link S.A. collects and processes personal data.
Letter from the Chief Executive Officer
The General Data Protection Regulation (GDPR) is a European Union regulation which, as from 25 May 2018, applies to all organisations that collect and process the personal data of Union citizens. As a responsible and forward-looking company, Bright Link recognizes at the highest level the importance and necessity of complying with the GDPR and ensuring that effective measures are in place to protect the personal data of our customers, employees and other stakeholders. The commitment to personal data security extends to the highest levels of the organization and will be demonstrated by relevant internal policies and the provision of appropriate resources to establish and develop effective data protection and information security controls.
Where appropriate, a data protection impact assessment approach in accordance with the requirements and recommendations of the DSMP and best practices will be used. Risk management is carried out at several levels within the organisation: risk assessment for the personal data we collect and process, regular assessments of information security risks in specific operational areas, risk assessment in the context of significant changes, including data protection impact assessments (DIPAs).
We encourage all employees and other stakeholders in our company to ensure that they play their part in complying with the principles of the GDPR at all times, and in meeting our information security objectives.
S.A. complies with all the principles of the GDPR through organizational and
In its activities with its customers:
For PBT enterprise and Balencio products, Bright Link acts as a « subcontractor » while Bright Link’s direct customer functions as « controller ». Due to the small size of Bright Link, the roles of Data Protection Officer (DPO) and Information Security Manager are centralized under the strong responsibility of the company’s CEO.
Bright Link uses several subcontractors, mainly for technical reasons, all of them are RGPD aligned.
Bright Link data processing consists of any automated or manual operations applied to personal or organizational data that globally preserve human capital by creating value-added information through data processing.
The nature of the personal data processed is mainly: personal characteristics, lifestyle and health information. However, the impacts of the GDPR on Bright Link activities are quite limited because Bright Link anonymizes all individual sessions. The principle of « systematic pseudonymization when, and where, it is possible » is a central axiom of how Bright Link deals with privacy, data confidentiality and GDPR issues.
Bright Link has implemented various technical measures to optimize GDPR and data privacy: through the use of its Cloud platform and in the way data is managed and processed. In addition, Bright Link has also implemented organizational measures to ensure the highest possible level of data security.
Main technical and organisational measures:
On this website:
Confidential information is collected only for administrative and account configuration purposes for PBT Premium customers who are considering using and paying online. The information collected and stored is:
Roles and responsibilities
One of the key attributes of an effective approach to data protection is a clear assignment of roles, each with defined responsibilities. Each of these roles is assigned to specific individuals or groups in Bright Link. It is essential that all Bright Link members understand the role they must play in protecting the personal data we hold and process about individuals.
By ensuring that roles and responsibilities are clearly defined, we are in a good position to prevent many data protection incidents affecting personal data and to react effectively and appropriately, if necessary.
In the data protection framework relevant to our compliance with the GDPR, the following key roles have been defined:
The specific responsibilities for each of these roles are defined in the following sections of this document.
Person responsible for the processing of personal data
Personal data » means any information relating to an identified or identifiable natural person (hereinafter referred to as « data ») as stipulated in the General Data Protection Regulations.
Processing » means any operation or set of operations concerning data or a set of data, whether or not carried out by means of automated processes, such as collection, recording, organisation, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, matching or interconnection, limitation, erasure or destruction of data.
Bright Link S.A., chemin du Cyclotron, 6, 1348 Louvain-la-Neuve, with company number 0662.639.464 is the controller of your data (hereinafter referred to as « Bright Link S.A. »).
S.A. has a contact point within its company in charge of data protection. You
can contact him for any questions via: email@example.com
However, in order to exercise your rights, we ask you to first use the possibilities provided for in Article 5.
The GDPR defines a « processor » as « a natural or legal person, a public authority, an agency or other body processing personal data on behalf of the controller ». As a result, the responsibilities described below may be assigned to an individual or may be considered applicable to the organization as a whole. Bright Link acts as a subcontractor for Bright Link’s customers in the case of PBT and Balencio.
The data processor (Bright Link) has the following responsibilities:
Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing of personal data;
Data processing objective
Bright Link data processing includes all automated or manual operations applied to personal or organizational data that globally preserve human capital by creating value-added information as a result of data processing. This includes:
More specifically, the objectives of Bright Link data processing are as follows:
Security and confidentiality
Bright Link S.A. has taken all appropriate technical and organisational measures to: protect the information and data collected against destruction, loss, unintentional modification, damage, accidental or unauthorised access or any other unauthorised processing of data. To ensure this security, Bright Link S.A. uses, among other things, encryption of communication between the server and your computer, firewalls, antivirus scans, access controls, logs, back ups.
The number of employees with access to your data is limited and such access is only granted to the extent necessary for the performance of their duties. While Bright Link S.A. works with subcontractors to provide the various services and products it offers, it has entered into the necessary agreements with these subcontractors to ensure the protection of your data. In addition, we have integrated the necessary policies and procedures within our organisation and have appointed a data protection officer.
Nature of personal data
Your data may be collected in various ways when you are an employee of a Bright Link S.A. customer company or organization. However, Bright Link completely anonymizes the information collected and the sessions created.
In the GDPR, personal data refers to any information relating to an identified or identifiable natural person (« data subject »); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a number identification data, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that physical person.
Bright Link processes correspond to the following type of data, listed by GDPR:
Nature and rights of protected persons
The following persons are « data subjects »:
Individuals (employees, workers, managers, agents) under current employment contracts with an organization, company or public administration.
The data subject has rights in the GDPR that are fully reconciled with the Bright Link approach and is managed via Bright Link’s support email, as indicated in the mandatory consent form presented in any start of the data collection process:
Place of processing and international transfer
The Bright Link digital platform is maintained and managed in Belgium.
However, the server and database are managed by Amazon Web Services (AWS), used as a subcontractor for its remote services on the server. These are located in Europe, Germany and Frankfurt.
The two set up are therefore part of the E.U.
Bright Link processes personal data only in the European Union and may not grant access to or transfer of personal data (or any other information processed by a processor on behalf of the controller) to a recipient located in a country outside the European Union without the latter’s consent.
The controller may, at his sole discretion, give written consent subject to other conditions, for example the conclusion of a contract on the basis of standard EU contractual clauses. This obligation applies subject to any legal provisions to the contrary in the law of the Union or the Member States.
Use of data for research and statistical purposes
Bright Link is a university spin-off and its scientific DNA remains an important value.
Consequently, anonymised data sessions may be further processed for scientific research or statistical purposes (information relating to well-being or stress at work), which implies that the data are aggregated and/or that the personal identification of any natural person or respondent cannot be obtained, stored, managed, used, processed or transmitted.
Principle of confidentiality
Bright Link, as a subcontractor, or any person acting under the authority of Bright Link and having access to personal data, may only process such data if it is required to respect the utmost confidentiality regarding any personal data of which it has knowledge, unless the disclosure of such personal data is required for the proper performance of their duties by the law of the Union or of a Member State to which the subcontractor is subject.
In this case, the processor will inform the controller of this legal obligation before disclosing the personal data, unless the law concerned prohibits such information for an important reason of public interest.
Cookies and other technologies
You can visit our website without providing your personal data.
website uses « cookies », which are small pieces of information that
are stored by the browser on your computer, allowing us to record certain
information about users of our website (e.g. language, length of your visit to
Cookies will be used on these websites to be able to offer you a better service by, for example, informing us of your language, identifying you the next time you visit the website…
They help to better tailor the websites to your needs, preferences and convenience. Cookies can also be used to make the content or advertising of a website more personalized. Cookies themselves cannot collect information stored on your computer or files.
Risks associated with the use of Internet and online applications
The use of our websites, services and products online implies knowledge and acceptance of the characteristics and limitations of the Internet, in particular with regard to technical performance, response times for consulting, requesting or sending information, or the risks of interruption, and more generally, the risks inherent in all Internet connections and transmissions, the lack of protection of certain data against possible abuse and the risks of contamination by possible viruses circulating on the network.
Amendments to the Regulations
Company details and controller:
Company name: Bright Link S.A.
6, chemin du Cyclotron
VAT BE 0662.639.464