Privacy Policy of XML srl/bv (“the Company”)

This Privacy Policy gives effect to the Company’s commitment to protecting the privacy of users of the website www.xml-med.com .

The Company takes all reasonable measures to protect personal data that are processed under its responsibility.

Users are deemed to have accepted the terms and conditions set out below when providing their data and once they have accepted the terms and conditions.

Any material change to this Privacy Policy shall only be made applicable by the Company after obtaining the explicit consent of users.

ARTICLE 1: Information about the data controller

The Company is the data controller of the personal data that it manages.

The Company: SRL XML

Company enterprise number / VAT number: 0882.760.079

Postal address of the registered office: Avenue de Tervuren 120, box 3, 1150 Woluwe-Saint-Pierre, Belgium

Company e-mail address: privacy@xml-med.com

ARTICLE 2: Categories of personal data processed

The personal data potentially processed by the Company are all information provided by users and may include the following:

• identification data: name, title, postal address, nationality, gender, e-mail, telephone number, national register number, identity card number;
• financial data: account numbers, card numbers;
• electronic data: IP and/or MAC address, computer model, web browser, screen resolution, location, IMEI, cookies, online behaviour, online purchasing habits, registration for promotional offers, login data, preferences, etc.

The Company records the date of communication of or any subsequent changes to personal data.

The Company does not process any sensitive/special personal user data such as race or ethnic origin, political opinion, religious belief or health data.

Users must refrain from communicating any personal data belonging to a third party.

Parental consent is required in the case of personal data relating to an individual under 13 years of age. The Company may request proof of such consent in order to process the minor’s personal data.

The Company uses cookies or similar technologies to collect data that are not personal in nature or for which the end user is not identifiable. Such technologies, which collect both personal and non-personal data, make it possible to offer a personalised and continuous e-shop service (see the Cookie Policy).

ARTICLE 3: Purposes and legal basis for the processing of personal data

On the basis of Article 6.1 a), b), c) and f) of Regulation No 2016/679, known as the General Data Protection Regulation (“GDPR”), the Company uses users’ personal data for the following purposes.

3.1. Basis and purposes connected with obtaining user consent

After obtaining the consent of users, the Company uses the personal data provided when users contact the Company for any reason.

The Company may also use the personal data of users to provide them with information about the e-shop and/or information of an administrative nature.

The personal data provided by users, subject to their consent, facilitate the internal functioning of the Company (analysis of trends and the efficiency of use, implementation of new services or products or promotions, improvement of the e-shop, etc.).

3.2. Basis and purpose connected with a legitimate interest

The Company processes the personal data of users within the context of protecting its activities, its rights, those of users or third parties, compliance with the Terms of Use, the Terms and Conditions of Sale, legal proceedings (bringing of appeals or limitation of possible harm), etc.

3.3. Basis and purposes connected with performance of the agreement (order, purchase, etc.)

To ensure the proper performance of the purchase agreement, the Company uses the personal data of users in order to monitor and process orders, the return of orders, complaints and repairs.

Use of users’ personal data also enables the Company to ensure optimal customer management (accounting, customer relations, etc.).

3.4. Basis and purpose connected with the Company’s legal obligations

As part of its accounting and tax obligations, the Company is required to transmit and retain certain personal data of users.

ARTICLE 4: Communication of the personal data of users to third parties

4.1. Categories of recipients (processors or third parties)

Processors that may have access to personal data provided by users to the Company include, but are not limited to, the following:

• customer service;
• advertising service;
• delivery service;
• fraud control service;
• communication service (hosting, server, e-mail);

The Company may, pursuant to law and in a confidential manner, be authorised, obliged or requested to communicate certain personal data to a public authority or institution, including where the Company is undergoing a sale, merger, transfer, restructuring or other event.

4.2. Type of personal data provided

All personal data provided by users may be processed by a processor where such processing is relevant for the task to be performed (e.g. last name, first name, title in the case of customer service, etc.).

4.3. Safeguards

Any processing carried out by the Company’s processors is strictly done on the basis of the Company’s instructions.

The processing is carried out under a contractual obligation of confidentiality.

The processor is obliged to take all necessary measures to ensure optimal protection of users’ personal data.

In order to optimise the processing and protection of the data used by the processors, they may communicate information to users.

4.4. Note

The free communication of data does not fall within the scope of this Privacy Policy.

Such data is considered to be public.

ARTICLE 5: Transfer of users’ personal data outside the European Union

5.1. Category of recipient (processors or third parties)

See Article 4.1.

5.2. Type of personal data provided

See Article 4.2.

5.3. Safeguards

See Article 4.3.

In order to achieve a level of protection at least equivalent to that of the European Union, the transfer of data outside the EEA is protected by specific contractual obligations, in accordance with the GDPR.

ARTICLE 6: Retention period for users’ personal data

The personal data of users are retained for the period necessary to carry out the purposes in Article 3 of this Privacy Policy.

The maximum period of retention is three years, unless a longer period is permitted or required by law.

ARTICLE 7: Measures to protect users’ personal data implemented by the Company

The Company uses organisational and technical measures to prevent, insofar as possible, any unauthorised use and/or access to users’ personal data.

Only the necessary personnel and relevant data are used to carry out each of the Company’s purposes.

All processing is carried out in a confidential manner.

The Company cannot guarantee with certainty that any communication of personal data via the e-shop cannot be received by anyone other than the intended recipient.

In the event of a breach of personal data of users, the Company shall inform the Belgian Data Protection Authority.

ARTICLE 8: Rights of users (data subjects)

Users may withdraw their consent to the processing of personal data at any time.

Users have the following rights in respect of personal data held and/or processed by the Company:

• right to access and view;
• right to rectification;
• right to erasure;
• right to restriction of processing;
• right of portability;
• right to object to processing on the basis of a legitimate interest, processing for direct marketing and profiling purposes and processing for scientific or historical research purposes or for statistical purposes that are not in the public interest;
• right to object to decisions based solely on automated processing;
• right to file a complaint with the supervisory authority.

The aforementioned rights can be exercised in writing by sending an e-mail, accompanied by a copy of the user’s identity card, to the following address: privacy@xml-med.com.

Users have the right to file a complaint with the Belgian Data Protection Authority via the following e-mail address: contact@apd-gba.be.