Policy of FPS Finance in regard to privacy protection and the personal data processing

This privacy declaration describes the way in which the FPS Finance processes your personal data.

The FPS Finance processes your personal data in accordance with the provisions of the General Data Protection Regulation[1] – GDPR, the law of July 30^th 2018 on the protection of natural persons and the law of August 3^rd 2012 laying down various provisions regarding the processing of personal data carried out by the Federal Public Service Finance within the framework of its missions.

The purpose of this privacy declaration is to provide you with the following information:

Who is the controller
Who is the Data Protection Officer - DPO
What personal data are processed
Why these personal data are processed
How these personal data are secured
Who are the recipients of these personal data
How long these personal data are kept
Which are your rights and how can you exercise them.

1. Who is the controller and the data protection officer (DPO)?

The FPS Finance (Boulevard du Roi Albert II 33,1030 Brussels), represented by the Chairman of the Management Committee, is the controller of personal data within the framework of the execution of its legal objectives[2].

The law of August 3^rd 2012, laying down various provisions as regards the processing of personal data carried out by the Federal Public Service Finance within the framework of its objectives, has set up a Department of Information Security and Privacy Protection within the FPS Finance, which assists the Data Protection Officer - DPO. [3]

The Data Protection Officer is the head of the Department of Information Security and Privacy Protection and can be reached via the e-mail address dataprotection@minfin.fed.be.

The Data Protection Officer is the person in charge of answering every question as regards the processing of your personal data as well as the exercise of your rights stipulated in the General Data Protection Regulation. They will answer every question whose answer is not mentioned in the present declaration.

2. What personal data are processed by the FPS Finance?

The categories of personal data processed by the FPS Finance are as follows:

Identification data (for instance, name, first name, birth date);
Contact data (for instance, address, phone number);
Bank data (for instance, bank account number);
Financial and patrimonial data (for instance, income, real estate, leases);
Legal data (for instance, administrative sanctions);

The FPS Finance collects these personal data by means of declarations among others (tax returns, patrimonial declarations, declarations of estate...)

Your personal data held by the FPS Finance may be processed in the context of a phone conversation with you, for the exercise of its legal missions.

Besides, the FPS Finance also collects some personal data via other organisations in charge of data processing. More information about these external data exchanges.

3. Why is the FPS Finance processing your personal data?

The FPS Finance processes your personal data in order to be able to carry out its legal missions of general interest[4] or to comply with legal obligations.[5]

You can find the legal missions of the FPS Finance in the Royal Decree of February 17^th 2002 creating the FPS Finance.

It concerns more specifically the following objectives:

Tax assessment, control, collection and recovery (personal income tax, value added tax, registration and estate duties,...)
Land register
Record
Management of the State’s own real estate and movable assets, including the acquisition, the sale and the expropriation
Collection, recovery and transfer to the person(s) entitled of the non-fiscal claims of the public authorities and the tax refunds (legal and administrative fines, unpaid invoices issued by public services, personal income tax, value added tax,...) and individuals (maintenance claims).
Management of contentious matters;
Follow-up of authorizations and administrative controls in Customs and Excise matters - Administrative police missions;
Follow-up of security measures in Customs and Excise matters - Public security;
Generic service in charge of the management of mandates for the citizens and enterprises on the basis of an independent electronic e-government application for the “self-service mandate creation”;
Management of the persons entitled by the General Administration of the Treasury;

The law also stipulates that the FPS Finance can carry out targeted controls thanks to data from its various internal administrations within the framework of its missions. On the basis of this law, the FPS Finance can collect these data in a datawarehouse that allows it to carry out datamining and datamatching[6] processes, including profiling[7].

Your personal data will never be processed by the FPS Finance for commercial or promotional purposes or transmitted to third parties who would use these data for such purposes.

4. How are these personal data secured?

The FPS Finance has implemented technical and organisational measures in order to guarantee the security and the confidentiality of your personal data.

Access to your personal data by FPS Finance personnel is strictly limited to those who are authorised to do so and is restricted to the data necessary for the performance of their tasks[8].

5. Who are the recipients of these personal data?

The categories of recipients or persons in charge of data processing to whom the FPS Finance provides your personal data on the basis of a legal obligation or within the framework of its general interest missions are as follows:

The departments of the FPS Finance[9]

Other federal public services; administrations of communities, regions, provinces and municipalities; judicial bodies; police services; public institutions and establishments; legal entities under public or private law.

The states with whom Belgian authorities have concluded international conventions or agreements as regards administrative cooperation or information exchange. More information about these international tax information exchanges.

On the page on external data exchanges, you will find more detailed information on transfers of personal data by the FPS Finance to other authorities or private bodies.[10]

6. Which rights do you have in this regard?

You have the following rights as regards your personal data[11]:

Right to information and right to access your data
Right to consult data
Right to rectification (adaptation/adding data)
Right to restrict the data processing
Right to transfer your data
Right to object to the processing

If you wish to change your address, marital status or account number, you will find more information on this page or you can contact the Contact Center via this link.

Restriction of some rights:

The General Data Protection Regulation provides for the possibility for EU Member States to establish legislation limiting the exercise of certain rights. [12]

This is the case for the right to information, the right of access to your data, the right of rectification and the right to restrict processing, for which the Belgian legislator has laid down rules applicable to the FPS Finance in the context of the execution of its legal missions.[13]

When the FPS Finance carries out a tax control, for example, the person concerned, who is the subject of the control, will not be able to exercise their right to information during the investigation period.

7. How long are your personal data kept?

Your personal data are kept for the duration of the processing necessary to carry out the legal tasks of the FPS Finance.[14]

Personal data resulting from controls and investigations carried out by the FPS Finance are not kept longer than necessary for the purposes for which they are processed, with a maximum period of one year after the final termination of the judicial, administrative and extrajudicial procedures and appeals resulting from these investigations[15]

The personal data resulting from the processing operations in the data warehouse shall not be kept longer than necessary for the purposes for which they are processed, with a maximum retention period of one year after the expiry of all actions falling within the competence of the person in charge of the data processing and, where applicable, the final termination of administrative and judicial proceedings and appeals.[16]

8. How can you exercise your rights?

You can find more information about your personal data processed by the FPS Finance via this link: www.myminfin.be

Once you are identified via eID or a digital identity, you only have access to your personal data unless you have a mandate to see specific data (for instance, an accountant who submits the tax return of their client). When you notice on MyMinfin that some of your personal data has errors or are incomplete or if you wish to exercise your rights, you can submit your request or a form for giving you access [Word format (DOC, 37 KB) ou pdf format (PDF, 101.21 KB)] dated and signed:

By sending an e-mail (if possible, with an electronic signature) at the following address: dataprotection@minfin.fed.be

By mail for the attention of the SPF Finances (FPS Finance, Chairman’s department, Department of Information Security and Privacy Protection North Galaxy, Boulevard du Roi Albert II 33 PO Box 10 1030 Brussels;

Please enclose a copy of your identity card with your request. Your request will be dealt with within a period of 30 calendar days. If your request is complex or if the department must deal with many requests, this period of time will be extended to 60 days.

9. Complaints

Without prejudice to any other administrative or legal appeal, any data subject has the right to lodge a complaint with the competent administrative or judicial bodies. You also have the right to lodge a complaint with the Data Protection Authority, if you consider that your rights are not respected or that the processing of your personal data constitutes a breach of the General Data Protection Regulation.[17].

To lodge a complaint, you can send a request to:

Data Protection Authority

Rue de la Presse, 35

1000 Brussels

E-mail address: contact@apd-gba.be

10. Update of the privacy declaration

The present privacy declaration may be updated in the light of new regulations. The adapted privacy declaration will always comply with the General Data Protection Regulation.

The present privacy declaration was updated on 05/03/2021

[1]Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such ESC data and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR)

[2]Royal Decree creating the Federal Public Service Finance; Articles 2 and 3 of the Law of August 3^rd 2012 laying down various provisions regarding the processing of personal data carried out by the Federal Public Service Finance within the framework of its missions, as amended by the law of September 5^th 2018 establishing the Information Security Committee and amending various laws regarding the implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

[3]Article 8 of the Law of 3 August 2012, as amended by the Law of 5 September 2018, as aforementioned.

[4] Royal Decree of February 17^th 2002 as aforementioned ; and the law of August 3^rd 2012 as aforementioned and amended by the aforementioned law of September 5^th 2018.

[5] Pursuant to Article 6, 1 GDPR.

[6] Article 5, §1^st, second paragraph, 1°, 2° and 3° of the law of August 3^rd 2012, as amended by the aforementioned law of September 5^th 2018: “datawarehouse”: a data system containing a large amount of digital data that can be analysed;
“datamining”: the advanced search for information in large data files.
“datamatching”: the comparison between several sets of data collected;

[7] Art. 5, § 1^st, first paragraph of the law of August 3^rd 2012 such as amended by the aforementioned law of September 5^th 2018 ; art. 4, 4) GDPR: “Profiling” is any form of automatic processing of personal data which involves the use of personal data to assess certain personal aspects relating to an individual, in particular to analyse or predict matters concerning that person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

[8]Access authentication procedure: “Identity and Access Management” ; Article 10 of the aforementioned law of August 3^rd 2012, such as amended by the aforementioned law of September 5^th 2018

[9] Article 5 of the law of August 3^rd 2012 such as aforementioned and the Royal Decree of March 27^th 2015 implementing Article 4, 1^st paragraph of the law of August 3^rd 2012 laying down various provisions as regards the processing of personal data carried out by the Federal Public Service Finance within the framework of its missions.

[10] Article 20 of the law of July 30^th 2018 on the protection of natural persons with regard to the processing of personal data

[11]To find out more about your rights, you can visit the website of the Belgian Data Protection Authority : https://www.autoriteprotectiondonnees.be/citoyen/vie-privee/quels-sont-mes-droits-

[12] Article 23 GDPR

[13] Art. 11, 11/1, 11/2 and 11/3 of the law of August 3^rd 2012, such as amended by the aforementioned law of September 5^th 2018, in conjunction with Article 23 GDPR.

[14] Royal Decree of February 17^th 2002 as aforementioned

[15]Art. 11, § 1, third subparagraph, 11/1, § 1, third subparagraph, 11/2 § 1, third subparagraph and 11/3 § 1, third subparagraph, of the law of 3 August 2012, as amended by the aforementioned law of 5 September 2018, in addition to Article 23 GDPR

[16] Art. 5, § 1, third paragraph of the law of August 3^rd 2012 such as amended by the law of September 5^th 2018 as aforementioned

[17] Art. 77 GDPR

Privacy declaration