Who is responsible?
Who is responsible for processing your personal data ?
The "Société des Transports Intercommunaux de Bruxelles" / “Maatschappij voor het Intercommunaal Vervoer te Brussel” Association governed by public law with its head office at 1000 Brussels, Koningsstraat 76 Rue Royale and having as enterprise number 0247.499.953 (hereafter STIB-MIVB) is the controller.
STIB-MIVB Head Office
Koningsstraat 76 Rue Royale
Info Customer Care service
This means that STIB-MIVB determines the purpose and the means in order to process your personal data.
Who is protected ?
It is applicable to the processing of personal data from our (private and business) customers in relation with our products and services (including MOBIB), as well as to the personal data of the end users who, by their connection with our customer (e.g. family members, friends, visitors and employees), use these products and services.
What does ‘processing’ mean?
What does ‘personal data processing’ mean?
What kind of personal data ?
What kind of personal data can we process?
A. The personal data that you communicate to us
We process the personal data that you give us. This can be by phone (e.g. when you contact our customer service for a question), in writing (for example when you fill in a(n) (online) form), when you create a profile in MyBOOTIK, send us a text message or e-mail, participate in a contest or download an app from STIB-MIVB), electronically (for example, by reading your MOBIB-card via an e-ID reader while uploading your MOBIB-card) or orally (for example, in one of our KIOSKs or BOOTIKs).
B. The personal data that our systems collect
C. The personal data that we receive from third parties
We don’t buy data from third parties. However, as part of the proper functioning of our services, we do call upon personal data obtained by third parties in some cases. This is for instance the case when we check a family composition for granting preferential rates or the right to degressive rates we can check via your National Registry number at the CBSS (Crossroads Bank for Social Security) or also by means of intermediaries for the use of our Taxibus services or intermediaries who manage our MyBOOTIK accounts.
D. Categories of personal data.
We distinguish various categories of personal data that can identify you as a user of our products and services (for instance, your name and identity documents), the personal data that allows us to contact you (for instance, your address, your e-mail address and your phone number), the personal data that indicates your personal characteristics (for example, your age and your sex), the information that concerns your family composition or your billing and payment information and all the other preferences that you communicate through your settings on MyBOOTIK or our customer service, shops, social media, actions, websites and mobile applications, contests and so on.
In addition, it is sometimes necessary to process data regarding your health for instance when providing service to disabled people (e.g. Taxibus), or checking the right to degressive rates at the CBSS (Crossroads Bank for Social Security) through your National Registry number or when handling damage cases which took place on the network. Such information will be only processed by the STIB-MIVB if you give your explicit consent hereto or if you ask for it yourself.
E. Personal data of non-customers.
Through different channels like, for instance, contests, promotions/actions, our websites/apps, we can collect personal data about persons who are not customers (yet) of STIB-MIVB with the intention of offering those persons a range of targeted STIB-MIVB products and services. In doing so, we guarantee your right to information and – when applicable- enforce it with our third parties which in this context collect your data (for us), with your consent if required by law.
Why do we use your personal data?
Why do we use your personal data?
As operator of the public transport in the Brussels-Capital Region, we regularly come into contact with personal data. However, we want you to rely on us to handle this information in an ethical, safe and legal way in order to safeguard your privacy.
No matter what we do with your personal data, we always observe the law. For instance, we use your personal data when it is necessary for:
- preparing, executing or terminating of our contract; e.g. for a MOBIB-card;
- fulfilling the legal or regulatory provisions; for instance, security policy (e.g. the applicable surveillance camera legislation);
- representing our legitimate interests, in this case we always strive for a balance between our interest and respect for your privacy, in particular, when you are under a minor, for instance, in order to simply be able to provide our services, to improve our products and services, for marketing purposes, or to optimize our transport network;
- meeting the provisions needed for a mission of general interest;
- or a combination hereof.
The STIB-MIVB has a strict policy concerning the processing personal data of minors. If we know or should know that you are under 16 (for instance, when you contact our customer service), the STIB-MIVB will, as long as legally required, ask your parent(s) or legal guardian for prior consent.
If for one of the previous reasons the handling of your personal data is not necessary, we will always ask for your consent before processing your personal data. You will give your consent by taking a positive action (such as ticking a box). You are free to withdraw your consent at any time. For example, we need your consent if we combine some of your personal data in order to ‘create your profile’ in case we wish to send you better-targeted marketing material (for instance, marketing related to services for people aged 65 and more).
As it is provided by the law, we don’t handle sensitive data like e.g. data regarding your race or ethnic origin, political views, sexual inclination, except for data related to your health within the framework of the services for the disabled (for ex. Taxibus) and with regard to the handling of damage cases which took place on the network. Such information will be only processed by the STIB-MIVB if you give your express consent hereto or you ask us for it yourself.
What do we use these personal data for?
What do we use these personal data for?
A. Proportional handling
We process personal data for various purposes, for which we only process the data necessary to execute the intended goal.
B. Our handling activities
We collect personal data for following specific purposes:
- to handle your request about our products and services
When you visit our website to collect information and/or ask for information about our products and services or when you subscribe to our newsletter, we require your address information. All the information we receive during this pre-contractual phase is only used to provide you with the requested information, in the way you want to receive it. When you finally decide to become a customer of STIB-MIVB, we will request a number of personal data like your name, address, phone number, e-mail address, copy of identity card, National Registry number if you are a Belgian citizen, in order to manage our contractual relationship. You will also receive information such as customer number and login.
- To offer you the best service possible and to inform you about our possibilities of use.
We use your data to gather, maintain and support your products and services and for our customer administration and dispute management. For instance: the sending of invoices and the settling of reports or complaints. Telephone conversations with our customer service can be recorded for quality control purposes. Each time, you are informed about it before the conversation begins.
- To follow up our achievements.
We can use your data and profile in order to assess our products and services. We do this among others by using feedback from customers about our services (e.g. via market survey), which we receive during our conversation with customers and by recording conversations at our customer care service (this is mentioned every time the conversation begins).
- For direct marketing purposes.
We can use your data and profile in order to fine-tune our products and services according to your needs (for instance, direct marketing regarding services to people over 65). Hereto we can use algorithms and/or information about location or other technologies. However, before we use every means, we will ask for your permission in a transparent and unambiguous manner. You can withdraw this permission by contacting our customer service.
- In order to fight fraud and violations.
When you become customer of STIB-MIVB, we will ask for an identity card, so that we can determine who you are and prevent identity theft. Depending on the STIB-MIVB products and/or services for which you choose, we will also check your solvency. We carry out this control to avoid that you take on financial commitments towards us that you are unable to meet. We also want to avoid that the STIB-MIVB invoices remain unpaid. Hereto we can collect information from internal and external databases.
On the other hand, our agents are mandated to check that every user has paid for its trip and, conversely, to detect passengers who travel without a valid ticket. To this end, they may ask for your identity card.
- In order to guarantee everyone’s safety.
You will also be filmed by our security cameras at and around the STIB-MIVB infrastructure (offices and buildings) or at and around the infrastructure that it runs (stations and stops) and in the vehicles. These images are saved only for the purpose of the safety of persons and goods and for preventing misuse, fraud and other transgressions of which our customers, the STIB-MIVB itself and its personnel can be the victim (we indicate that cameras are present by means of legally-required pictograms mentioning our contact data).
- In order to meet our legal obligations.
In a large number of cases, we are legally obliged to store some personal data about you and/or notify them to the federal authorities. In addition to general tax and accounting obligations, we are for instance obliged to communicate data in a confidential manner to the relevant authorities within the framework of a police or judicial inquiry.
- In order to keep studies, tests and statistics up to date to make a trend analysis, for instance.
We can use your anonymous, aggregated data to report both internally and externally on past subscribed contracts or the use of public transport by various categories of users. The data used in this context can not to be traced back to one individual. Data derived from certain analyses is used internally to evaluate our current product and services portfolio, as well as to adapt these to new developments.
- In order to handle damage claims.
The STIB-MIVB acts as insurer and case manager for the cases related to accidents and incidents taking place on its network. In this context, the STIB-MIVB collects and processes your personal data in order to handle your damage claim in accordance with applicable legislation, insurance policies and any other applicable legal text.
In connection with this, we can collect and process the following personal data: identity information, identification information provided by the public authorities, financial authorities, National Registry number, information about your person, physical condition and data regarding your medical and health condition. In order to process sensible data (medical, physical, health condition), we will each time request your explicit consent unless you give us permission.
- In order to be able to offer public transport for the disabled.
We collect and process the following information: identity information, identification information provided by public authorities, financial data, national registry number, data about your person, physical condition and data regarding your medical and health condition. In order to process sensible information (medical, physical, health condition), we will each time request your explicit consent unless you give us permission.
C. Automated decision process.
The STIB-MIVB does not use automated decision processes, based on profiling or not:
- To which legal consequences are attached for you or by which such a process affects you in a considerable degree, unless:
- This is necessary for the conclusion or the execution of your contract (for instance, checking solvability or stop providing you the STIB-MIVB products and services in case of no payment);
- This is allowed by legislation (for instance, for tracing tax fraud): or
- If you gave us your explicit consent hereto.
In such circumstances you are informed in advance about the creation of the automated decision for which you have the right to request human intervention and about the manner you can challenge this decision.
How do we secure your personal data?
How do we secure your personal data?
We take a large number of technical and organizational measures in order to protect your personal data.
If a data leak would happen that would have harmful consequences for your personal data, then we will inform you personally as a customer, as provided by law.
Moreover we will give you the possibility to use our services anonymously by using a MOBIB Basic card. Such a card does not entail the treatment of personal data.
Do we sell your data or pass them on?
Do we sell your data to third parties or do we pass them on?
A. Data transfers.
We don’t sell personal data to third parties. However, we are in some cases obliged to hand your personal data on to third parties :
- In case it is necessary for providing our services to you.
Certain data bases are made to third parties which work under our authority and which help us to provide our products and services. Think for instance about subcontracting some HR duties (recruitment, external evaluation (assessment), ,..) or Information Technology (IT) jobs.
The passing on of your data in this context only takes place in relation to the purposes for which STIB-MIVB itself processes your data and is limited to these data that are necessary to the third parties in the execution of their work under our authority. We verify that they, just like us, manage your data in a secure and respectful way and with due diligence and to this effect, we include the proper contractual guarantees.
In case of a damage claim, we are obliged to hand over your personal data and if needed your data concerning your health to insurance companies, (medical) experts, lawyers, etc. In this case, we will ask for your prior permission.
- There is a legal obligation.
To this end, we refer to the above mentioned with regard to the use of personal data.
- There is a legitimate interest for STIB-MIVB or the third party concerned.
We will pass on your personal data only if your interest or your fundamental rights and privileges don’t outweigh those of the STIB-MIVB and you will always be informed about it in a transparent manner (except in case of legal exceptions). That way, for instance, your personal data can be passed on to credit inspectors, collection offices and judicial service providers as well as partners with whom we collaborate within the framework of a specific action (for instance, to a travel agency where you can win a trip by participating in a contest organized by STIB-MIVB).
- You give us the permission to do so.
Should the STIB-MIVB pass on your personal data to third parties in circumstances other than those mentioned above, you will receive an explicit notification in which the third party’s identity, purposes of the handing over and processing of your data are disclosed. When provided by the law, we will ask for your explicit consent. For example, like above mentioned, in case of claim settlement, we may be obliged to pass your personal data and eventually information regarding your health on to insurance companies, (medical) experts, lawyers, etc. In that case, we will ask for your prior consent, unless you give us permission by yourself.
B. International processing of your personal data.
In the event personal data is processed (when data are transferred as described above) outside the European Union, we will see to that by way of contractual measures or other measures this information has an appropriate level of protection comparable to the protection that it would have in the European Union, in conformity with the European rules.
This can happen for instance for our IT helpdesk, which has also access to applications containing personal data, which is provided by an external IT company from a non-EU country.
C. Use of anonymous information.
We use anonymous, aggregate data for commercial and service purposes and internal/external reporting. These data are never linked to one natural person. Some examples: validation reports (‘how many persons were present at a specific time in a specific metro station, vehicle, etc.’) for event organization, reports related to the use of a specific line in order to determine the use frequencies for instance. The STIB-MIVB guarantees each time that all these parties can never link the information they receive to an identifiable natural person.
What are your responsibilities ?
What are your responsibilities regarding personal data?
A. With respect to end users
- You have to properly inform the end users that the STIB-MIVB will process their personal data because they will use the STIB-MIVB products and services;
- You have to get all the legally required consents from the end users before their personal data are communicated to the STIB-MIVB to be processed within the framework of the STIB-MIVB products and services you allow them to use;
- You may not use the STIB-MIVB products and services in order to collect personal data which are contrary to applicable privacy legislation, nor to illegally grant yourself access to personal data from the end users;
- You have to get information from STIB-MIVB about the protection level of the STIB-MIVB products and services and, to the best of your knowledge and ability, take appropriate technical and organizational to ensure appropriate protection of the personal data against unauthorized or illegal processing and against illegal or unintentional destruction, unintended loss, falsification, unauthorized distribution, damage, modification, unauthorized access or disclosure;
- You may not do, cause or allow anything that can result in any breach of the privacy legislation in any way whatsoever.
B. With respect to third parties’ services
What are your privacy rights ?
What are your privacy rights and how can you exert them?
A. Overview of your privacy rights.
Your right for information
At any time, you have the right to be informed by STIB-MIVB if we process your personal data, and if so, to consult the data and to receive additional information about:
- processing purposes;
- personal data categories that are concerned;
- receivers or categories of receivers (especially receivers in third countries, if applicable);
- if possible, the storage time or, if not possible, the criteria to determine this time;
- the existence of your privacy rights;
- the right to introduce an action against STIB-MIVB by e-mailing to dpo@STIB-MIVB.brussels or by addressing the supervisory authority directly;
- the information that is at our disposal about the source of our data if we receive the personal data via a third party; and
- the existence of automated decision-making.
You also have the right to receive a free copy of the processed data in an intelligible form. STIB-MIVB can ask for reasonable compensation in order to cover its administrative costs for every additional copy that you request.
Your right to correct personal data
You have the right to have incomplete, erroneous, improper or obsolete personal data immediately rectified.
In order to keep your data up to date, like an address or e-mail address modification, we ask you anyway to inform us of any change by contacting our customer service.
Your right to have your data removed (the ‘right to be forgotten’)
You have the right to have your personal data removed, without unreasonable delay, in the following cases:
- your personal data are no longer necessary for the purposes to which they were collected or otherwise processed by STIB-MIVB;
- you withdraw your prior consent for processing and there is no other legal basis for STIB-MIVB to continue processing your data;
- you object to the processing of your personal data and there are no outweighing, legitimate reasons for STIB-MIVB to continue processing your data;
- your personal data are wrongfully processed;
- your personal data have to be removed to meet a legal obligation;
- your personal data were collected when you were a minor.
Take well into account that we cannot always remove all requested personal data, for instance, when processing it is necessary for lodging or continuing legal action. We will further inform you in our reply to your request.
Your right to restrict /limit processing
You have the right to limit the processing of your personal data if one of the following elements is applicable:
- you contest the accuracy of the personal data: its use is limited during a period which allows STIB-MIVB to check the accuracy of your data;
- processing your personal data is wrongful: instead of having your data removed, you ask to limit their use;
- your personal data are no longer necessary to STIB-MIVB for fulfilling the original processing purposes, but you need them to start or continue judicial action;
- instead of removing your data, you limit their use for the purpose of starting or continuing your judicial action. As long as no decision has been taken about the exercise of your right to object the processing, you request to limit the use of your personal data.
Your right to transfer personal data (‘data portability’)
You have the right to transfer your personal data in order to hand them over to another person responsible for processing, for instance, to be able to change your service provider more easily. This is only possible for the personal data that you personally passed on to STIB-MIVB, by virtue of an authorization or after agreeing to it. In all other cases you cannot exert this right (e.g. When processing your data happens in virtue of a legal obligation) .
There are 2 aspects linked to this right:
- You can ask STIB-MIVB to recover the concerned personal data in a structured, valid and by machine legible form; and
- You can ask STIB-MIVB to send the concerned personal data directly to another controller. In that case, you are personally responsible for the accuracy and safety of the (e-mail) address that you communicate for sending the information. STIB-MIVB has the right to refuse if it is technically impossible to send it.
Your right to object the processing of your personal data
Based on your specific situation you have the right to object that your personal data is processed, if processing it fits in the legitimate interest of STIB-MIVB or in the general interest. STIB-MIVB will stop processing your personal data, unless STIB-MIVB can establish its imperative and legitimate grounds to processing which outweigh yours or when processing the personal data is linked to starting or continuing a legal action (e.g. lodging a claim before a Court).
What does your right to object concern within the framework of direct marketing?
You do not want to receive any commercial communication under any form whatsoever? You always have the right to object against the use of your personal data for direct marketing purposes or to deactivate promotions and/or actions by phone, mail, text message or e-mail without providing justification. For that purpose, you can contact the STIB-MIVB customer care service through our website, go to a STIB-MIVB KIOSK or to a BOOTIK or adjust your settings on your MyBOOTIK online profile.
We will only send commercial communications to website users who are not STIB-MIVB customers by sending a text message and/or an e-mail after they have given their unambiguous prior consent to it.
This does not affect our right to communicate electronically within the framework of the execution of your contract or as provided by the law.
How do I exercise my privacy rights?
You can contact our STIB-MIVB customer service via our website - http://www.stib-STIB-MIVB.be or via the FAQ-list (Frequently Asked Questions) that has been drawn for that purpose.
In order to exercise your right to access, and to prevent any unauthorized publication of your personal data, we need to check your identity card. When in doubt or if uncertain, we will first ask you for additional information (e.g. a copy of an identity card).
Are there costs linked to this ?
You can exert your privacy rights free of charge, unless your request is clearly unfounded or excessive, specifically due to its repetitive nature. In such a case we have – according to privacy legislation – the right and the free choice to (i) charge you with a reasonable fee (taking into account the administrative costs needed for providing you the requested information or communication and the costs that are associated with the action we have taken on your request), or (ii) to refuse to meet your request.
In which form do I receive a reply?
If you submit an electronic request, you will receive an electronic reply whenever possible, unless you would prefer otherwise. In any case we will reply in a concise, transparent, comprehensible and easily accessible manner.
When do I receive a reply?
We reply as soon as possible to your request, and in any case within one month after the receipt of your request. Depending on the complexity of the requests and the amount of requests we receive, this term can possibly be extended to two additional months if necessary. If the term is extended, we will inform you of this within one month after receiving your request.
What if STIB-MIVB doesn’t respond to my request?
For each request you send you will be informed about the possibility to submit a claim to a supervisory authority and for court proceedings.
How long do we keep your personal data?
Your data are stored only as long as needed in function of the purpose for which they were collected. This time varies in function of the different intended purposes.
The storage time can sometimes be very brief. This time can also sometimes be longer, for instance, when we need to meet our legal obligations or out of legal necessity. The access to archived data is always only limited. After the end of the applicable storage time, the personal data are removed or made anonymous for internal or external statistical purposes.
We refer to the separate statement regarding Cookie management that you also find on this website.
How can I contact STIB-MIVB?
Keep yourself informed about adjustments
Escalation to the supervisory authority
For settling claims as regards to the processing of your personal data by STIB-MIVB, you can turn to
+32 (0)2 274 48 00
Text valid from May 25th 2018.