Privacy policy

1. Introduction

This privacy statement describes how Cyclobility processes personal data and which technical and organisational measures are taken to safeguard the protection of such data.

In the context of its activities, Cyclobility processes a significant amount of personal data. Cyclobility recognises that this entails a major responsibility and fully complies with the provisions of the General Data Protection Regulation (GDPR – Regulation (EU) 2016/679) and the Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data.

Cyclobility states that it does not collect more data than is necessary to perform its assignments / contractual services, in line with legal obligations.

Cyclobility takes the protection of personal data seriously and implements appropriate measures to prevent misuse, loss, unauthorised access, unwanted disclosure and unlawful modification.

Cyclobility reserves the right to amend this privacy statement at any time. The most recent version can be found on our website. If changes are substantial, we will bring this to your attention via our website, by e‑mail or by regular mail.

This privacy statement applies to all customers, visitors, suppliers, applicants and employees of Cyclobility, and to anyone whose personal data Cyclobility processes in its capacity as data controller.

2. Contact details

Cyclobility BV

Registered office: Oudenaardebaan 2, 9690 Kluisbergen

Company number: 0659.786.377 (CBE)

E‑mail: privacy@cyclobility.be

Telephone: +32 (0)55 60 66 97

3. Definitions

Processing of personal data: any operation or set of operations performed on personal data, whether or not by automated means. This includes, among others, collecting, recording, organising, structuring, storing, updating or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying data. Personal data means any information relating to an identified or identifiable natural person.

Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Controller: a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

4. Processing of personal data

4.1 Personal data

In the context of its activities, Cyclobility processes a significant amount of personal data, but does not collect more data than is necessary for the performance of assignments / contractual services and legal obligations.

Cyclobility does not intend to collect data about website users under the age of 13, unless they have consent from their parent(s) or legal guardian(s). However, Cyclobility cannot verify whether a website user is at least 13 years old. Cyclobility therefore advises parents or legal guardians to be involved in their children’s online activities to prevent data about children from being collected without valid consent. If someone believes that Cyclobility has collected personal data about a person under 13 without such consent, they can report this.

The nature and scope of these data differ depending on the relationship with Cyclobility (customer, supplier, applicant, employee, …).

The table below provides an overview of the main categories of personal data, the legal basis and the purpose of processing.

This overview is non‑exhaustive: additional processing may take place if this is necessary for the performance of our activities or to comply with legal obligations.

| Category of person / activity | Which data | Legal basis | Purpose of processing |
| --- | --- | --- | --- |
| Applicant | Personal identification data, personal characteristics (language, date of birth), competences, education history, career, CV, cover letter, image, references, photo | Consent | Recruitment and selection of candidates; recruitment policy |
| Employees | Personal identification data (name, address, contact details), professional data (role, department), HR administration (employment contract, salary, evaluations), social data (NSSO number, bank account), attendance and leave data | Contractual necessity; legal obligation | Performance of the employment contract, payroll administration, personnel management, compliance with social and tax legislation |
| Customer | Personal identification data, contact details (e‑mail, phone number, private address), security data (userID, password), professional data, financial data, personal characteristics | Contractual necessity; consent; legal obligation; legitimate interest | Secure access to the customer area and provision of relevant information, support, correct processing and follow‑up of orders, delivery and invoicing |
| Participant in a test event | Identification data, contact details, date of birth, body height | Consent | Organisation and administrative follow‑up of events, possibly with partners |
| Newsletter subscriber | Personal identification data (name, e‑mail address) | Consent | Sending newsletters; option to unsubscribe |
| Participant in a customer satisfaction survey | Identification and professional data linked to survey results | Consent | Service improvement; processing via a research agency acting as processor |
| Use of targeted photos | Images in which persons are clearly recognisable (close‑up, focused image, posed photo) | Consent | Publication on social media and the website for promotional purposes |
| Use of security cameras | Images in and around buildings | Legitimate interest; legal obligation | Preventing, establishing or detecting offences and maintaining order |
| Handling questions and requests | Personal identification and communication data (via phone, letter, e‑mail, chat, contact form, social media) | Consent; legitimate interest | Answering questions, providing help and information |
| Direct marketing | Personal identification data (name, e‑mail) | Consent | Sending marketing about similar products/services; option to unsubscribe |
| Images for PR / journalistic purposes | Photos of visitors at large events | Legitimate interest | Public relations and recruitment of new employees/customers; option to object |
| Improving website quality | Anonymised usage data via analytics tools and cookies | Legitimate interest | Statistical analysis and improvement of website functionality |
| Website visitors | Data collected via contact form, whitepapers, cookies | Consent | Answering questions; sending information |
| Prospects | Identification data, company data, contact details | Consent; legitimate interest | Prospecting, commercial communication, meetings |
| Persons providing their business card or contact details | Identification data, company data, contact details | Consent; legitimate interest | Prospecting, commercial communication, meetings |
| Suppliers | Identification data, financial data, professional data | Consent; legitimate interest; contractual necessity | Supplier management |

4.2 Retention of personal data

Cyclobility retains personal data only for the minimum period necessary to achieve the purposes. A longer retention period may apply:

·    if this is required to resolve disputes, or

·    if a longer retention period is legally mandatory.

Where the processing or sharing of personal data is based on consent, there is always the right to withdraw that consent at any time, without affecting the lawfulness of processing carried out before the withdrawal.

4.3 Compatible purpose

Where Cyclobility processes personal data on the basis of legitimate interest or a contract, these data may in the future also be used for another purpose that is compatible with the original purpose.

When assessing such compatibility, Cyclobility takes into account:

·    the link between the original purpose and the new or future purpose;

·    the context in which the data were collected (such as the relationship between the person and Cyclobility);

·    the nature and sensitivity of the data;

·    the possible consequences of further processing for the data subject;

·    the existence of appropriate safeguards, such as encryption or pseudonymisation.

5. Rights

5.1 Rights

·    Right of access: anyone can ask Cyclobility which personal data are processed, for which purposes, which categories of data are concerned, with which third parties Cyclobility shares these data, what the origin of the data is and – where applicable – which logic is used in automated processing.

·    Right to rectification: if certain personal data are not correct, you can request that they be corrected or completed.

·    Right to erasure: where data are not processed lawfully or are no longer necessary for the purpose for which they were collected, you can request their deletion.

·    Right to restriction of processing: you can request that processing of personal data be restricted. In that case, Cyclobility may only store the data and may not carry out any other processing activities.

·    Right to object: you have the right to object to the processing of personal data where it is based on a task carried out in the public interest or on Cyclobility’s legitimate interest. This right also applies where data are processed for direct marketing or profiling for that purpose.

·    Right to withdraw consent: where processing is based on consent, that consent can be withdrawn at any time.

·    Right to data portability: you have the right to receive the personal data you provided in a structured, commonly used and machine‑readable format and to transmit them to another controller, where the processing is based on consent or on a contractual relationship.

These rights are subject to the limitations provided for in applicable data protection legislation.

5.2 How can you exercise your rights?

·    The above rights can be exercised by sending an e‑mail to privacy@cyclobility.be.

·    To prevent unauthorised disclosure of personal data, Cyclobility may request additional information to verify your identity.

·    Cyclobility has one month to handle the request. This period starts as soon as Cyclobility has received the request and all necessary information. If needed, this period may be extended by one month, subject to notification and explanation.

·    The requested information is provided free of charge. If requests are manifestly unfounded or excessive (for example due to their repetitive nature), Cyclobility may charge a reasonable fee or refuse to act on the request.

·    If you believe that Cyclobility has not handled your request correctly, you may contact us again so that we can look for a solution together.

·    For completeness, Cyclobility points out that you always have the right to lodge a complaint with the Data Protection Authority, Drukpersstraat 35, 1000 Brussels, tel. +32 (0)2 274 48 00, e‑mail: contact@apd-gba.be. Before filing a complaint, it is advisable to contact Cyclobility to find a quick solution to your complaint.

6. With whom does Cyclobility share personal data?

Cyclobility does not share personal data with third parties, unless:

·    the data are shared with sub‑processors where this is necessary for the performance of our assignment (for example: financial institutions for financing, insurance companies, bicycle repairers, partners responsible for bike delivery, commercial partners, IT service providers, PR/marketing service providers, employees, software and cloud providers, social secretariat, …);

·    Cyclobility has received prior consent to do so;

·    Cyclobility is required to do so under regulations or legal proceedings;

·    Cyclobility is requested to do so by legislative or judicial authorities (such as police services, the courts and supervisory authorities);

·    Cyclobility organises an event together with partners or suppliers, in which case the participant list may also be shared with those partners or suppliers;

·    the data are shared with our professional advisers, such as law firms and accountants;

·    Cyclobility is wholly or partly acquired or split up.

In the event of a full or partial reorganisation or transfer of our activities or in the event that we are declared bankrupt, your personal data may be transferred to new entities or third parties. In that case, we will inform you in advance that we are transferring your personal data to a third party.

In addition, Cyclobility relies on certain subcontractors, such as consultants, research agencies (for example for satisfaction surveys) and digital tools (such as CRM systems or mailing tools), to outsource part of our services. These subcontractors are not considered third parties but processors. Cyclobility ensures that they take the necessary technical and organisational measures to process your personal data lawfully and securely, and that they do not disclose these data to any other third parties under any circumstances.

This list is not exhaustive. There may be other cases in which Cyclobility must inform other parties in order to provide its services as effectively as possible.

7. Technical and organisational measures

Cyclobility recognises that the security of personal data is an essential part of data protection. Cyclobility therefore takes appropriate technical and organisational measures to protect your personal data against unauthorised processing and unauthorised access, with the aim of preventing misuse.

Cyclobility implements technical and organisational measures to protect personal data, specifically focusing on three domains: information security, data back‑up and controlled destruction.

7.1 Information security

Information security includes all measures that ensure personal data are processed securely and are not accessible to unauthorised persons.

Cyclobility operates in accordance with the Belgian transposition of the NIS2 Directive. All processes are designed to ensure the confidentiality, integrity and availability of personal data, in line with GDPR obligations.

7.2 Data back-up

A robust back‑up policy is essential to prevent data loss and to enable swift recovery to a previous version of data in the event of incidents. Cyclobility applies a structured back‑up schedule and stores these data exclusively within secure European infrastructure.

7.3 Controlled destruction

Cyclobility does not retain personal data longer than necessary for the purpose of processing. After the retention period has expired, data are securely deleted or anonymised, in line with internal procedures and certified methods.

8. Internal policies and awareness

In addition to technical and organisational measures, Cyclobility also implements internal policies to make employees aware of their responsibility regarding data protection. These measures strengthen GDPR compliance and ensure a culture of confidentiality and security within the organisation.

8.1 Confidentiality agreement

Employees are legally bound by strict rules on confidentiality and information security. This is laid down in the employment contract, the work regulations and a separate confidentiality agreement.

8.2 Laptops and mobile devices

The use of laptops and mobile devices is strictly regulated to ensure the security of personal data.

8.3 Teleworking

Teleworking is supported with secure connections and central control mechanisms, so that data remain protected outside office environments.

8.4 Training

Cyclobility invests in periodic training and awareness‑raising to keep employees alert to risks and to support them in secure behaviour.

8.5 Access security

Access security includes both physical and digital measures to prevent unauthorised access to personal data and systems.

Physical access security

·    Data centres of the cloud provider operate with security zones and access controls.

·    Office spaces are accessible to employees only.

·    Access to server rooms and sensitive archives is limited and controlled via badges and visitor registration.

·    Cloud infrastructure has redundant power supplies and emergency power; local infrastructure is equipped with UPS where needed.

Digital access security

·    Access management is based on the need‑to‑know and least‑privilege principles and is reviewed periodically.

·    Roles and rights per function, with logging of administrative actions.

·    Access limited to necessary network segments and services.

·    Management interfaces available only to authenticated administrators.

Password policy

·    Active password management using a reliable password tool.

·    Policy rules: minimum length, complexity, refresh frequency and prohibition of re‑using simple or leaked passwords.

·    Secure generation, storage and sharing of passwords.

·    Technically enforced via identity and access management and policy functionalities, complemented with multi‑factor authentication where possible.

9. Incidents

Cyclobility has an internal procedure for handling security incidents and personal data breaches. If a personal data breach occurs, Cyclobility will:

·    immediately register and investigate the incident,

·    take the necessary measures to limit further damage,

·    notify the Data Protection Authority (DPA) within 72 hours, in accordance with Article 33 GDPR,

·    and, if the breach is likely to result in a high risk to the rights and freedoms of data subjects, also inform the data subjects themselves in a timely manner.

This procedure ensures that Cyclobility acts transparently and in line with legal obligations in the event of incidents.

10. Cookies

Cookies are small text files placed on your computer or device that collect standard internet log information and information about your browsing behaviour. Cyclobility uses cookies to:

·    analyse visitor behaviour on the website, and

·    compile statistical reports on website use.

More information: Cookies – Cyclobility

11. Applicable law and competent courts

Belgian law applies exclusively to this privacy statement and any dispute arising from it. The courts and tribunals of the judicial district of Ghent (Ghent division) have exclusive jurisdiction to settle any dispute arising from or relating to the interpretation or execution of this privacy statement, without prejudice to any mandatory law that may be applicable.
