Protection of your privacy
Date of last update: 27/09/2022
As a public entity commissioned by the Brussels-Capital Region to provide public transport services, we at STIB accord the utmost importance to the protection of your privacy and the protection of data. This means that one of our priorities involves treating your personal data with the utmost care and ensuring the highest level of protection in accordance with Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter "GDPR") and the national law applicable in this area, the law on the protection of individuals with regard to the processing of personal data of 30 July 2018. As a result, we would like to provide you with as much information as possible via this declaration on the protection of personal data (hereinafter "the Declaration"). This information is intended to ensure that you have optimal control over your personal data.
List of links
Infographic
1. Presentation of general principles
No question found.
What are the general principles?
Some definitions
To give you the best possible information, and guarantee optimal protection, we need to define the terms frequently used in this Declaration.
|
Definitions under GDPR |
Explanations of the terms in everyday language |
||
Personal data |
Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. |
This is any information relating to a natural person who can be identified (You), directly or indirectly. It does not matter whether this information is confidential or public, or whether it relates to the private or professional life of the data subject. For example, a name, a photo, a fingerprint, an email address, a telephone number, a social security number, an IP address, a voice recording, your browsing data on a website, data related to an online purchase, etc. |
||
**Data subject |
Identified or identifiable natural person |
Our clients and non-clients, candidates as well as suppliers |
||
Special categories of data |
Personal data which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. |
Sensitive data forms a special category of personal data. The European Regulation prohibits the collection or use of such data, except in certain cases. The data on your state of health are sensitive data (disability).
|
||
Consent |
Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her; |
Your unambiguous consent is one of the legal bases for the processing of your data. This consent, which you may withdraw at any time, must meet certain conditions.
|
||
Explicit consent |
|
The "explicit" nature refers to the form of expression of the consent: an express declaration by the data subject is required, which implies special attention and the setting up of ad hoc mechanisms by the data controller. |
||
Data Protection Officer (hereinafter DPO) |
The GDPR does not offer a definition of the DPO, but dedicates a whole article the DPO's tasks, stating that "the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data". |
In particular, the DPO is responsible for advising STIB on how best to comply with the GDPR and the applicable national laws. The DPO is the contact point of the Data Protection Authority, but also your first point of contact for any queries regarding your personal data. |
||
European Economic Area |
|
European Union + Iceland + Norway + Liechtenstein |
||
Data controller |
The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. |
The person, public authority, company or organisation that has control over your data and decides on any use of your data. It decides whether to create or delete a processing operation and determines why your data will be processed and to whom it will be forwarded. It has primary responsibility for the protection of your data. In this case, it is STIB. |
||
Processor |
The natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. |
Any natural or legal person who carries out processing tasks on the instructions and under the responsibility of the data controller. |
||
Processing |
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
Any use of personal data, regardless of the process used, whether computerised or manual (recording, organising, storing, consulting, modifying, reconciling with other data, transmitting, etc. of personal data). For example: the use of your data for order management, sending newsletters, etc. |
Who is the data controller of your personal data?
STIB
The data controller is the Brussels Intercommunal Transport Company, a body governed by public law, whose registered office is located at Rue Royale 76, 1000 Brussels, and whose company number is 0247.499.953 (hereinafter STIB).
Contact details STIB Head Office Rue Royale 76 1000 Brussels www.stib-mivb.be
This Declaration applies to the personal data that we process in our capacity as data controller (see definition above). It also applies when we are joint controllers with regard to processing in the context of certain specific processing operations (see "Joint processing between operators" below). You may exercise your rights with regard to each joint controller.
As data controller, we have a series of obligations: guaranteeing your rights, notifying you of security breaches, establishing a register, appointing a DPO, etc. As joint controllers, we have allocated these obligations and set them out in an agreement that transparently defines the responsibilities and roles of each of us in the performance of our duties under the data protection regulations. You may exercise your rights with respect to and against each joint controller.
DPO We have appointed a Data Protection Officer. Any questions or requests concerning the processing of your personal data can be sent to the following email address: DPO@stib-mivb.brussels.
To whom and when does this Declaration apply?
This declaration applies when you use our products and services (including MOBIB), but also when you visit our offices, KIOSKs and BOOTIKs, or when you visit our website, use our apps (stib-mivb, simbus), participate in a market survey, questionnaire, competition, action or event, or make any other use of our products and services.
The Declaration concerns the following persons:
- Our customers, i.e. regular and non-regular users of the network, whatever type of ticket they have.
- About our business-to-business (B2B) customers:
- -The Declaration only applies if the B2B customer is a natural person;
- -In the case of a legal person, the Declaration applies only to the personal data of natural persons. We only process their personal data in the context of their relationship with the B2B customer (such as agents and contact persons).
- Non-customers, i.e. persons who do not or no longer have a named ticket and whose data has been collected through various channels, such as competitions, the website, social networks, people in contact with the legal department, etc.
- Candidates, i.e. people who apply for a job at STIB, in particular via the jobs.stib.be website.
- The contact persons within our suppliers, i.e. any company that provides us with goods and/or services in the context of our activities.
NB: Via our STIB products and services, you can also use the services of other parties, such as chatbot, third party websites, forums, and/or apps. STIB has no control over, and is not responsible for, the information you place on the website and the way in which it is processed. It is up to you to act with caution and to read the privacy policy/declaration of these third parties.
How do we collect your data?
A. You share data with us
We process the personal data that you send us. This may be done by telephone (for example, when you contact our customer service), in writing (for example, when you fill out a form (online), when you create a profile in MyBOOTIK, when you send us a text message or email, when you register for a competition or download a STIB application), electronically or verbally (for example, in one of our KIOSKs or BOOTIKs).
B. Our systems collect data
We use your personal data for the use of our products and services (e.g. e-mail address, IP address, telephone number, customer number, login code(s) and passwords). Our systems also store personal data that is generated when you use our products and services (e.g. the use of Cookies).
C. Third parties provide us with data
We do not purchase data from external parties. However, in the proper performance of our services, we do in some cases make use of personal data obtained via third parties. This happens, for example, when verifying household composition so we can grant discounted fares or check the right to preferential fares, which we can verify, or with the CBSS (Crossroads Bank for Social Security) or intermediaries for the use of our Taxibus services.
What data do we process?
We distinguish several categories of data. For example, personal data that can identify you as a user of our products and services (your name and identity documents...), personal data that enables us to contact you (for example, your address, email address and telephone number), personal data indicating your personal characteristics (for example, your age and gender), billing and payment data, all data relating to your use of our website and applications (on MyBOOTIK or via our customer service, shops, social media, actions, websites and mobile applications, competitions, etc.) as well as data that you provide on your own initiative, for example your CV as part of an application or a question or complaint to our customer service.
In addition, as required by law, we do not process sensitive data without your explicit prior consent or if you did not provide it to us on your own initiative. We process certain data relating to your health in the context of the provision of services for persons with disabilities (e.g. Taxibus), entitlement to special rates, via the CBSS (Crossroads Bank for Social Security), or for the processing of claims that have arisen on the network.
STIB has a strict policy regarding the processing of the personal data of minors. If we know or need to know that you are under 13 years of age, STIB will, in principle, request the agreement of your parent(s) or guardian(s).
We use anonymous, aggregated data for commercial and service purposes and for internal/external reporting and statistical purposes. This data can never relate to a specific natural person. Some examples: validation reports (how many people were present at a given time in a given vehicle or station, etc.), event organisations, reports on the use of a certain line, for example to determine the frequency of use.
We also give you the opportunity to use our services anonymously via the MOBIB Basic card. This card is not linked to any personal data.
What is the justification for processing my data?
As a public transport operator in the Brussels-Capital Region, we are regularly in contact with your personal data. The processing of your data is governed by a legal framework; it is important to us that you are sure that your data is processed in an ethical, legal and secure manner.
In accordance with the principle of lawfulness of the GDPR, our processing operations always have a legal basis. This means that we use your personal data only if its use is justified by one of the following legal bases:
- the execution of the contract to which you are a party (including pre-contractual measures and the termination of the contract);
- compliance with the legal or regulatory provisions to which we are subject; (e.g. in terms of accounting);
- carrying out a task of public interest: STIB is in fact responsible, in particular via the Decree of the Government of the Brussels-Capital Region of 18/07/1996 laying down the specifications to which the Brussels Intercommunal Transport Company is subject, for carrying out tasks of public interest, principally the provision of public transport in the Brussels-Capital Region;
- the legitimate interests of STIB, in which case we always ensure a balance between these interests and your privacy, freedoms and fundamental rights;
- or a combination of these bases.
We will always ask for your prior consent if the processing of your personal data does not fall within the scope of one of these principles. You give your consent through a positive action (such as ticking a box). You are free to withdraw your consent at any time.
Why do we collect personal data?
We process personal data for a variety of purposes and, in accordance with the purpose limitation principle (data may only be processed for the intended purpose) and minimisation, only process the data that is strictly necessary to achieve the intended purpose. If there is a purpose other than that originally intended, you will be notified and your consent will be required. This is not the case only if the new purpose is the compilation of statistics. Details of the purposes are given below.
How do we secure your data?
We have appointed a DPO, who advises us on the applicable data protection rules. They also help us to check whether we are complying with these rules.
We only make your data available to employees or subcontractors if it is strictly necessary for the performance of their duties.
For new processing operations, as well as for existing processes that may give rise to a high risk, we carry out a data protection impact assessment in advance to determine the most appropriate security measures.
In addition, we have also taken appropriate technical, physical and organisational measures to protect your personal data against destruction, loss, inadvertent modification, damage or disclosure.
Nevertheless, should a data leak occur, and if it is likely to pose a high risk to your rights and freedoms, you, as a data subject (customer or non-customer, including candidates and suppliers), will be personally notified under the circumstances provided for by law.
How long do we keep your data?
In accordance with the data retention principle of the GDPR, STIB keeps your data for a previously determined period of time. STIB has thus determined precise rules concerning the length of time your personal data is kept. This duration varies according to the various intended purposes, and must take into account possible legal obligations.
Your data is kept, as a maximum, for the period needed for processing for the purpose for which it was collected. This period varies according to the purpose for which it is intended.
The storage period can sometimes be very short, but may sometimes be longer, for example to fulfil our legal obligations or due to a legal necessity (in the context of litigation). There is only ever limited access to the archived data. After the expiry of the applicable conservation period(s), the personal data is deleted or anonymised for internal or external statistical purposes.
Who do we share your data with?
We do not sell your personal data to third parties.
While we never sell your data, in some cases we pass it on to third parties for various purposes:
- If this is necessary for our service provision
Some of our databases are made available to third parties who are working on our behalf and assisting us in providing our products and services. For example, consider the outsourcing of certain HR tasks (recruitment, external assessment, etc.) or IT tasks (IT support).
In this respect, your data is transmitted solely for the purposes for which STIB itself processes your data as data controller, and is limited to the data that these third parties require for the performance of their task on our behalf (processor).
- Existence of a legal obligation
In this respect, we refer to what has already been mentioned above regarding the justification of the use of your personal data. Your data could be transferred to public administrative or judicial authorities (e.g. request from the police, justified by a formal report, from an examining magistrate, justified by a warrant, or from a public prosecutor by means of an apostil).
- If there is a legitimate interest for STIB
We will only pass on your personal data if our legitimate interest outweighs your fundamental rights and freedoms. We will also always inform you in a transparent manner. For example, your personal data may be passed on to credit checkers, debt collection agencies and legal service providers, as well as to partners with whom we are working on a specific action (for example, a travel agency, for a STIB competition in which you can win a trip).
- If you authorise us.
If STIB passes on personal data to third parties in other situations, this will always be following an explicit notification, in which information is provided about the third party, the purposes of the transmission and the processing itself. This notification will be a prerequisite for the necessary collection of your consent to this new treatment. Please note that your explicit consent will be requested should this new processing involve sensitive data (such as health data). For example, as already mentioned above, when processing a claim, we have to provide your personal data and possibly data relating to your health to insurance companies, (medical) experts, lawyers, etc. For this purpose, we will ask for your explicit consent in advance, unless you provide us with this data yourself.
- Writing external reports
We use anonymous, aggregated data for external reporting and for statistical purposes. This data can never relate to a specific natural person. Some examples: validation reports (how many people were present at a given time in a given vehicle or station, etc.), event organisation, reports on the use of a certain line, for example, to determine the frequency of use. STIB always guarantees that the parties to whom this data is transmitted can never use the data received from us to identify a particular natural person (anonymisation).
Is your data transmitted abroad?
Data transfer within the European Economic Area
Certain data is transferred within the European Economic Area for the purposes of certain processing operations. Within the European Economic Area, please be aware that personal data receives the same level of protection everywhere, since this entire area is subject to the GDPR.
Data transfer outside the European Economic Area
We transfer and/or grant access to your personal data to a processor located in countries outside the European Economic Area only when:
- they are located in a State which ensures an adequate level of protection by virtue of a decision on adequacy taken by the European Commission;
- appropriate safeguards have been implemented in accordance with the GDPR, such as:
- the signature of the standard contractual clauses adopted by the European Commission for the transfer of personal data to processors established in third countries (2010/87/EU);
- the use of approved binding corporate rules or;
- the application of an approved code of conduct.
Any transfer of personal data to a country outside the EEA will cease immediately if the adequacy decision or other equivalent guarantee on which the transfer is based is invalid or if the conditions are no longer met. For more information and/or a copy of the guarantees, please contact us via our contact form or send us an email to DPO@stib-mivb.brussels.
Cookie Policy
In this respect, we refer to the separate declaration on the Cookie policy, which you will also find on our website.
Would you like to contact us about this Declaration?
If you wish to contact the STIB Customer Care department about this Privacy Declaration (e.g. to change your privacy settings), you can do so in writing, by telephone or by email. All the information on STIB Customer Care can be found here.
For more information on this privacy declaration or for complaints regarding the processing of your personal data, you can contact the STIB Data Protection Officer via DPO@stib-mivb.brussels
Can STIB modify this Declaration?
STIB may amend this Declaration on the protection of personal data from time to time, for example to take account of any legislative or regulatory changes or the development or emergence of new STIB processing activities. Please always consult the latest version of this Declaration on our website (http://www.stib-mivb.be/index.htm?l=en). We will inform you in advance via our website. The date of the last modification is always at the top of the Declaration.
Appeal to the supervisory authority
You can contact the Data Protection Authority for complaints about STIB's processing of your personal data.
By post:
Data Protection Authority
Rue de la Presse, 35
1000 Brussels
+32 (0)2 274 48 00
By email: contact@apd-gba.be
Via the website: https://www.dataprotectionauthority.be/.
2. Your rights
No question found.
What are your rights?
General
The GDPR gives you rights that allow you control over your personal data. Please note that in order to exercise your rights, and to prevent any unlawful disclosure of your personal data, we need to verify your identity.
Is there a charge for this?
You may exercise your privacy rights free of charge, unless your request is manifestly unfounded or unreasonable, i.e. due to its repetitive nature. In this case - in accordance with privacy legislation - we have the right and can choose to either (i) charge a reasonable fee (taking into account the administrative costs of providing the information or making the requested disclosure and the costs associated with the requested measures), or (ii) refuse to comply with your request.
In what format will I receive a response?
If you submit your request electronically, the information will be provided electronically, if possible, unless you request otherwise. If you send us a request by post, we will reply to you by the same method. In short, we will apply a symmetry of communication methods, unless you request otherwise. In any event, we provide you with a succinct, transparent, understandable and easily accessible answer.
When will I receive an answer?
We respond to your request as quickly as possible, and always within one month of receiving it. The deadline may be extended by a further two months, depending on the complexity and number of requests. If the deadline is extended, we will inform you within one month of receipt of the request.
What happens if STIB does not comply with my request?
We will always inform you in our reply of the possibility of lodging a complaint with the supervisory authority.
By post:
Data Protection Authority
Rue de la Presse, 35
1000 Brussels
+32 (0)2 274 48 00
By email: contact@apd-gba.be
Via the website: https://www.dataprotectionauthority.be/.
How do I exercise my rights?
If you have any questions or you wish to exercise your rights on your personal data, do not hesitate to contact the Data Protection Officer via the provided form.
This form will allow you to request, among other things:
- to receive a copy of the personal data that STIB-MIVB holds about you
- to object to some of the processing carried out on your personal data
- to erase the personal data that STIB-MIVB holds about you within the limits of the legal bases
- to obtain your purchase history of more than one year
And that’s not all! The Data Protection Officer will answer any GDPR-related questions you may have asked on the email address dpo@stib-mivb.brussels.
If you are unable to access your information by email, you can send us your request by post to the following address:
STIB
62 Rue des Colonies
1000 Brussels
Belgium
Written requests must be signed and accompanied by a copy of the front of your identity card as well as your MOBIB card if you have one. The request must state the address to which the reply should be sent.
Our response time:
In case of requests for access, correction, deletion and opposition, we will answer you within 30 calendar days, in accordance with the law.
Try to be as accurate as possible about the data your request concerns (data as a candidate, purchase or validation data or all your data) so that we can best respond to your request.
Keep in mind that some of the answers may be found in our Privacy Statement.
Concerning your right of access: you will receive a free copy of your data in electronic format within one month of receipt of the request. This period will be extended by two months if your request requires in-depth research or in the event of an excessive workload; you will always be notified of this extension within one month of your request, and it will be explained. We draw your attention to the fact that your right to obtain a copy will not succeed if it infringes the rights and freedoms of others.
With regard to your right to be forgotten: we cannot always delete all personal data, so you should bear in mind that this right is not absolute. We have to balance it with other important rights or values, such as freedom of expression, compliance with a legal obligation to which we are subject, important reasons of public interest, or the need for certain data for the establishment, exercise or defence of legal rights. We will provide you with more information about this in the reply to your request.
Your right of access
You have the right to find out from STIB at any time whether or not we have processed your personal data and, if we have, to inspect and/or obtain a copy of it. You can also obtain more information on:
- the purposes of processing;
- the categories of personal data concerned;
- the recipients or categories of recipient (including recipients in third countries, where appropriate);
- if possible, the retention period or, if this is not possible, the criteria for determining that period;
- the existence of your privacy rights;
- the right to lodge a complaint with STIB via DPO@stib-mivb.brussels or directly with the supervisory authority;
- information we have about the source of the data if we obtain personal data from a third party; and
- the existence of automated decision-making.
Your right to correct personal data (correction)
You have the right to have your incomplete, incorrect, unsuitable or outdated personal data corrected without delay.
To keep the data up to date, for example when you move house or change your email address, we therefore ask you to notify us of any changes via our customer service department, either by telephone or by email using our contact form.
Your right to have your data deleted (the 'right to be forgotten')
You have the right to have your personal data deleted in the following cases:
- your personal data is no longer necessary for the purposes for which they were collected or otherwise processed by STIB;
- you withdraw your consent on which the processing of your personal data by STIB is based;
- you object to the processing of your personal data and there are no more important, legitimate reasons for processing/further processing by STIB;
- your personal data has been processed in an unlawful manner, not in accordance with the GDPR and Belgian law;
- your personal data must be deleted to comply with a legal obligation provided for by European Union law or by national law to which STIB is subject;
- your personal data was collected within the framework of the offering of a website aimed at children;
- for a reason of your own, you consider that one of the processing operations carried out infringes your privacy;
Please note that if you have applied for a position at STIB, we will always keep the collected data for a period of five years from the last contact. You will only be able to exercise your right to be forgotten at the end of this period. There are compelling and legitimate reasons for retaining the data, linked to the very large number of applications submitted annually to STIB. For more information, please consult the FAQs on our "recruitment" website.
Your right to object to the processing of your personal data
On the basis of your particular situation, you have the right to object to the processing of your personal data if this processing is based on the legitimate interests of STIB or on the general interest. STIB will stop processing your personal data, unless it can demonstrate that there are legitimate and compelling reasons for processing that prevail over your interests, rights or freedom or for the establishment, exercise or defence of legal rights.
This means that your request will not be successful:
- if the processing is necessary for the conclusion or performance of your contract
- if the processing was required by law or regulations
- if the processing is necessary to establish, exercise or defend rights in court
Regarding your right to object in direct marketing
Do you not wish to receive any form of commercial communication? You always have the right to object, without giving reasons, to the use of your personal data for direct marketing or promotions and/or to disable actions by telephone, post, text message or email. To this end, you can contact STIB's customer service via the website, go to a STIB KIOSK or BOOTIK, or change your online profile via MyBOOTIK.
Website users who are not STIB customers will only receive commercial communications by text and/or email after they have given their clear consent.
This opposition to the processing of your data for direct marketing purposes is naturally without prejudice to our right to contact you electronically in the framework of the execution of your contract or if we are obliged to do so by law.
Your right to limitation of processing
You have the right to ask us to limit your data, i.e. to mark (e.g. temporarily move your data to another processing system or lock your data so that they are inaccessible) your stored personal data in order to limit their further processing.
You have the right to limit the processing of your personal data if one of the following applies:
- you dispute the accuracy of this personal data: their use is limited for a period that allows STIB to check the accuracy of the data;
- the processing of your personal data is unlawful: instead of deleting your data, you ask for its use to be limited; its processing is not compliant with GDPR and Belgian law;
- STIB no longer needs your data for the original purposes of processing, but needs it to initiate, exercise or support a legal action, in which case, instead of deleting your data, its use is limited to initiating, exercising or supporting the legal action. You request the limited use of your personal data pending a decision on the exercise of your right to object to the processing.
3. List of processing activities
No question found.
Why do we process your data?
Issuing of tickets
In most cases, a certain amount of personal data is necessary to issue tickets. The personal data processed depends on the type of ticket.
1/ What is the purpose?
- Issuing of the named MOBIB card
What data?
The MOBIB card is a medium that allows you to load a transport ticket or a personalised subscription.
The creation of the personalised MOBIB card involves the collection of the following data:
- last name, first name
- sex
- date of birth
- address
- contact details (mobile phone number, email address)
- a photo
- national registry number
This data is necessary for the management and updating of our customer file.
What is the justification?
We process this data in order to fulfil the task of public interest entrusted to us by the regulations, namely the provision of a transport service in the Brussels-Capital Region.
STIB also needs this data in order to fulfil its contractual obligations. Indeed, the provision of the transport service would not be possible without the processing of such data.
However, transport can also take place with an anonymous card such as a MOBIB Basic card or a paper ticket.
What is the origin of the data?
We collect this information from you when you purchase a named MOBIB card.
If you receive your MOBIB card through a third-party payment system, this information may also be provided to STIB by this third party.
Is your data transmitted?
Payments for the purchase of a MOBIB card are made through a payment service provider, to whom we transmit your bank details in order to carry out the payment.
We may also share this data with other transport service providers. For example, when you choose an interoperable ticket. For example, you may have a MOBIB card issued by SNCB, in which case your consent to the sharing of data will be requested when you first purchase a ticket.
This data may also be transmitted within the framework of a third party payment system. The data could be sent to your employer if they pay for your MOBIB card.
How long can the data be kept?
We keep this data for a maximum of one year after your card expires (five years) plus the validity of your last ticket (maximum three years).
2/ What is the purpose?
- Issuing of a personalised subscription
What data?
A subscription giving access to the entire STIB or MTB network can be loaded onto a MOBIB card. In this case, the following data may be added to that collected for the creation of the MOBIB card:
- family composition
- type of client (if applicable: social status, disability, beneficiaries of the national solidarity status for victims of terrorist acts)
- the school attendance certificate for the over 18s
The collected data enables us to determine the appropriate fare (verification of your right to certain types of subscription, in particular for children/senior citizens/persons who have BIM status or are dependent on a CPAS, or even a potential discount potentially depending on the composition of the household).
What is the justification?
We process this data in order to fulfil the task of public interest entrusted to us by the regulations, namely the provision of a transport service in the Brussels-Capital Region.
STIB also needs this data to fulfil its contractual obligations. It would not be possible to provide the transport service if we did not process this data.
What is the origin of the data?
We collect this information when you load your subscription onto your MOBIB card. If you receive a subscription card through a third-party payment system, this information may also be provided to STIB by this third party.
Is your data transmitted?
Payments for the purchase of a ticket are made through a payment service provider, to whom we transmit your bank details in order to carry out the payment.
We may also share this data with other transport service providers, for example, when you choose an interoperable ticket. For example, you may have a MOBIB card issued by SNCB, in which case your consent to the sharing of data will be requested when you first purchase a ticket.
This data may be transmitted within the framework of a third party contract. When your employer takes over your MOBIB card, it could be sent to your employer.
How long can the data be kept?
We keep this data for a maximum of one year after your card expires (five years) plus the validity of your subscription/ticket (18 months maximum).
3/ What is the purpose?
- Issuing of tickets via the anonymous MOBIB card ("Basic card"): the Basic card is anonymous in that we do not collect any personal data.
4/ What is the purpose?
- Issuing of paper tickets
We do not collect and therefore do not process any personal data for paper tickets.
Use of the MoBIB card: validation on the STIB network
In accordance with article 3.7 of the Decree of the Government of the Brussels-Capital Region of 13 December 2007, any user entering a STIB vehicle must validate their transport ticket.
As a reminder, the personalised MoBIB card contains personal data (for more information, see "Issuing of tickets" processing above) and the MoBIB basic card does not contain personal data (anonymous data).
For what purposes?
- Management of tickets: information on the number of journeys and re-creation of a ticket if the MoBIB card has to be replaced (for the personalised MoBIB card: if the card holds a ticket other than a subscription)
- Provision of a declaration of use of public transport at the request of the user (only for the personalised MoBIB card: see access rights)
- Technical management of tickets: detect technical anomalies (for the personalised MoBIB card: if the card holds a ticket other than a subscription)
- Fraud management: ensure that each user has actually paid for their journey and, conversely, detect users travelling with a fraudulent ticket
- Statistical management: adapt the transport service in accordance with the stops used; transmission of statistical data to the authorities to assist with the development of a mobility policy
- Determination of the amount of the subsidies granted to the STIB by the Brussels-Capital Region
The MoBIB card holds information on the tickets purchased, and in particular the last validation, thus enabling the calculation of transfers between vehicles (not counting another trip).
What data?
The validation of the MoBIB card (basic MoBIB card and personalised MoBIB card) at the terminals placed outside and inside the vehicles implies the collection of the following data:
- the serial number of the MoBIB card
- the stop where the card was validated
- the vehicle in which the card was validated
- the validator (the identifier of the terminal at which the card was validated)
- the status of the release (use of a ticket or transfer)
- the validation date
- the validation time
- the number of trips remaining after validation
What is the justification?
We process this data in order to fulfil a mission of public interest. The STIB is in fact responsible, in particular via the Decree of the Government of the Brussels-Capital Region of 18 July 1996 laying down the specifications to which the Brussels Intercommunal Transport Company is subject, for carrying out tasks of public interest, principally the provision of public transport in the Brussels-Capital Region. This mission of public interest is also mentioned in the management contract signed by the STIB and the Brussels-Capital Region.
The anonymised validation data is used to adapt the STIB's transport offer to the number of people using its stops (determination of timetables with peak and off-peak times and school holidays, as well as the length of vehicles required) and to provide statistical data to the authorities so that they can draw up an efficient mobility policy and thus determine the subsidies needed by the STIB.
What is the origin of the data?
We collect validation data when you pass your MoBIB card over one of the validators at the entrance to metro stations or in STIB vehicles.
Is your data transmitted to third parties?
If your MoBIB card comes from another public transport operator and you are using the STIB network, information about the use of your ticket will be transmitted to the operator who provided you with the ticket via BMC. Information on the validation location will not be transmitted.
How long can the data be kept?
We keep the validation data of personalised MoBIB cards for a maximum of six months plus the current month. After this period, the validation data is anonymised and used to determine our transport offer and compile statistics for the authorities.
The validation data for other tickets is anonymous as soon as it is collected.
Use of the MOBIB card : validation on other operators' networks
STIB collects and processes your personal data in the context of a task of public interest which involves exchanging personal data in order to facilitate interoperability, i.e. the use of the same card on different networks, and to simplify the management of the MOBIB card by all public transport operators individually. It is important to note that in this context, STIB acts as joint controller with Belgian Mobility Card S.A (BMC) and the other transport operators.
What data?
Information relating to the MOBIB (MOBIB number, serial number, expiry date, active or deactivated - the tickets loaded onto the card (product number, first and last validation, departure and last stop, class, period of validity); a computer application, the "CenSy", centralises this data.
What is the justification?
Task of public interest (see above). Personal data is processed solely to enable and promote interoperability between BMC and the four transport operators via CenSy.
In this context, the data will not be processed by STIB for its own purposes.
Is your data transmitted?
By its nature, processing involves data transmission between BMC and the transport operators.
How long can the data be kept?
Your data is kept for the period of validity of your MOBIB card, which is extended by three years.
Please consult the BMC Declaration if you would like more information on the nature of this processing.
Pay with a bank card
You can easily use contactless payment on the STIB-MIVB network. To do so, validate your journey by using your (debit or credit) bank card or with an emulation on your smartphone.
What are the purposes?
- Fares management: information regarding the number and the types of journeys
- Fraud management: make sure that each traveller has paid his journey and, otherwise, detect the travellers with a fraudulent transport ticket
- Statistics management: Adapt the transport offer according to the busy stops; transfer statistical data to the authorities within the framework of a mobility policy
- Determination of the amount of the subsidies granted to the STIB by the Brussels-Capital Region
What are the concerned data?
When you use the contactless payment to validate your journey, the following additional data are collected in a safe environment:
- bank card number
- validity date of the bank card
- validation data: validation date, hour and location
This safe environment is PCI DSS norm compliant. This allows a safe payment and encrypts the information to avoid unauthorised use.
The validation data (except for the location) can be accessed by creating a MyBOOTIK account (see “sites and applications” processing).
Which justification?
We process this data to carry out the public mandate we were given by regulation, being providing a transport service within the Brussels-Capital Region.
What is the origin of the data?
You provide this information when you validate your bank card in order to purchase a transport ticket as well as when you register your card on your MyBOOTIK account.
Is your data transferred to third parties?
We transfer this data to our payment service providers and to the company in charge of our payment management platform.
What is the retention period?
We retain this data for 1 year maximum after your last validation for a journey, using your bank card.
Pay with your smartphone
The mobile app allows the purchase of a digital transport ticket.
This transport ticket can be used on the networks of the various public transport operators according to the specific terms of use of the digital ticket set out in the Transport Rules.
For what purposes?
The following intended purposes are common to the 4 public transport operators and BMC who have a joint responsibility:
- Allow travel with a digital transport ticket
- Check ticket validity during a transport ticket inspection
- Provide after-sales service after the purchase of the transport ticket
- Ensure re-invoicing between the public transport operators
STIB-MIVB is the sole responsible for the following intended purpose:
- Provide a proof of purchase
Which data?
The use of a digital ticket involves processing following data:
- Your name, your first name
- The validation data
- The data related to the purchased transport ticket (quantity, validity)
- Technical data
The use of the digital transport ticket requires the creation of a digital account (see our website for purchases from STIB-MIVB)
What is the justification?
We process data related to the use of the digital Brupass and Brupass XL transport ticket in order to carry out the task of public interest with which we have been legally entrusted, i.e. to provide public transport in the Brussels-Capital Region.
If you wish to travel anonymously, you still have the option to do so by using an anonymous card such as the MOBIB basic card or a paper ticket.
Where does the data come from?
We collect the data from you, when you use the transport ticket.
Is your data shared with other parties?
Within the framework of transport ticket interoperability, we share data in a secure way with the other public transport operators (SNCB-NMBS, TEC, De Lijn) and BMC. You can, after having bought a digital Brupass and Brupass XL transport ticket, use it on the networks of these public transport operators according to the specific terms of use of the Brupass and Brupass XL transport ticket.
The data is also shared with the service provider who is managing the platform that is jointly used by the public transport operators.
What is the retention period of the data?
We keep your identification data for as long as your digital account is active, that is maximum 3 years after your last connection to your account.
The validation data are kept for a period of 6 months.
Mobility aid for people with disabilities: Taxibus
What is the purpose?
Public transport on demand, door-to-door, for persons with disabilities.
- planning and implementation of transport within the Taxibus service
- development of attendance and production statistics
- evaluation of STIB's offer relating to specific services for people with reduced mobility, possibly via surveys
- communication of new services and improvements to the STIB network in terms of accessibility
What data?
- identification
- financial data (provision)
- data about handicap (to use an adapted vehicle)
What is the justification?
We process this data in order to fulfil the task of public interest entrusted to us by the regulations, namely the provision of a transport service in the Brussels-Capital Region. The transport of persons with disabilities is explicitly mentioned in the management contract between STIB and the Brussels-Capital Region.
Some data may be considered health data. Their processing therefore requires explicit consent on the part of the user. This is collected when you register for "TaxiBus".
What is the origin of the data?
We collect this data from you when you make your first booking or when you contact our Customer Care.
Data transmission
STIB shares this data with operators, public or private, whom it may call upon to provide the service and who take charge of the transport missions entrusted to them.
Data Retention period
We keep this data for a maximum of five years after the last booking.
After-sales service management (contacts with Customer Care)
What purposes?
- Respond to the customer's or third party's request expressed via telephone, social networks, email or the contact form
- Send unresolved problems unresolved by Customer Care to the relevant departments
- Respond to a request from a customer or third party to find a lost item on the STIB-MIVB network
What data?
Data provided by the person contacting Customer Care as well as all data previously collected in the context of a customer relationship (see purpose 1).
In addition, calls may be recorded. This is mentioned before the contact is made with one of our employees and you have the possibility to refuse this recording at that moment.
The data collected through the contact form is the following:
- Identity data (surname, first name, date of birth)
- Contact data (email address, telephone number, postal address)
What justification?
This purpose is based on STIB-MIVB's legitimate interest in processing personal data of its customers or third parties since, without this, STIB-MIVB is unable to process the incoming requests and/or questions.
What is the origin of the data?
We collect this data from you when you call us or contact us via email or the contact form.
Is your data passed on to third parties?
We pass on this data to the company that manages our after-sale service platform.
What is the retention period?
We keep this data for a maximum of 5 years after the contact.
Management of major works
What is the purpose?
- To communicate with local residents about the impact of the work.
What data?
- Identity data (surname, first name)
- Contact data (phone number)
What is the justification?
STIB processes this data so that it can warn local residents of the progress of the work and therefore of its impact (in particular car access in the streets concerned, etc.). This network maintenance, development and extension work is in the public interest and is entrusted to STIB by the Brussels-Capital Region. Information on its development and impact on daily life is one of the possibilities offered, and processing is therefore justified by consent.
Is your data transmitted?
The data is passed on to the company that manages our communication platform.
How long can the data be kept?
The data is only kept for the period during which the work is carried out.
Partner relationship management
What is the purpose?
- To communicate with the contact persons of our partners, suppliers and/or tenderers as well as our commercial operators
- Manage unpaid bills
What data?
- Identity data
- Contact data
- Curriculum Vitae
What is the justification?
STIB's legitimate interest in collecting and processing data relating to the contact persons of tenderers, suppliers and/or partners is part of the contract negotiation and/or execution process, the need to negotiate and/or execute the contract with you or your company.
How long can the data be kept?
The data is kept for ten years from the end of the contractual relationship or five years from the end of the negotiation.
Application management
What is the purpose?
- Management of your digital application account
- Evaluation of incoming CVs and management of individual contacts with the candidates in the frame of interviews, tests, assessments
- Drafting and conclusion of an employment (or other) contract
- Management of the recruitment reserve list
- Reuse of test, interview and assessment results
- Management of any disputes
What data ?
We collect the following data if you create a profile to apply for a job at STIB:
- last name, first name
- email address
We also collect the following additional data during the recruitment process:
- gender
- date of birth
- national registration number
- nationality
- address
- telephone number
- language
- training courses followed
- professional experience
- curriculum vitae, cover letter
- any references
- any information you wish to provide voluntarily
- the results of your interviews, tests and assessments, if applicable
What is the justification?
We process this data in order to manage your application for a current or future job (negotiation and potential drafting of your employment contract; this data is therefore processed in the context of implementing pre-contractual measures.
Furthermore, we process this data in the context of our legitimate interest, so that we can identify and contact the people we wish to participate in the recruitment process; this means that, if necessary and relevant, we can re-use the results of tests, interviews and/or assessments (see the FAQs on our recruitment website) and, ultimately, recruit the staff most suited to the position for which they are applying. We also need to verify the accuracy of the data concerning skills (e.g. driver's licence).
With your consent, we can use references you have communicated to us.
What is the origin of the data?
You provide us directly with the data as an applicant. Temporary employment agencies or external recruitment agencies may also provide us with this information.
Is your data transmitted?
Your data may be passed on to external recruitment agencies which are responsible for carrying out recruitment on our behalf. With the exception of this example, data is not passed on to third parties.
How long can the data be kept?
We will keep your contact details as a candidate for a period of five years after the application so that we can reuse the results of your tests and assessments (see our FAQ) if you reapply at a later date and in order to contact you again should you be suitable for another position.
If your application is successful, we will transfer the data collected during the application process to our personnel file.
Passenger screening and fines
What is the purpose?
- To impose a surcharge for failure to hold a valid ticket
- To impose an administrative fine
STIB carries out checks to ensure that passengers are in possession of a valid ticket and that they use it correctly (in particular, that they comply with the obligation to validate it when they board a vehicle). STIB inspectors can also impose a fine on users who cause nuisance in and around a vehicle or disrupt the service (damage to equipment, voluntary slowing down of vehicles, etc.). They may also issue tickets for specific traffic offences, such as parking at stops or driving in transport lanes.
What data?
In the event of a fine, we collect the following data:
- last name, first name
- place and date of birth
- nationality
- ID card number
- national registry number
- sex
- the licence plate number (if it is a vehicle offence)
- address
- in the case of a minor: the surname, first name, address of the parents, date of birth of the carer or persons responsible for the minor
- mobile phone number
- previous infringements
- subscription data (including other public transport companies)
- email address
- the place of inspection (vehicle number, line number, stop)
This information is required for us to verify your identity and to process the fine file. You can also find details of this procedure in the STIB Transport Rules published on our website.
What is the justification?
Passenger screening and the imposition of administrative fines involve processing operations justified by the performance of our task of public interest. The user must contribute to the cost of the service and dissuasive measures must be taken to prevent users from damaging the equipment needed to provide our services.
What is the origin of the data?
We collect this information from you during the check and verify and/or supplement it with information from the national register.
Is your data transmitted?
Surveillance camera footage can be transmitted to the competent judicial authorities (police, public prosecutor's office, investigating judge).
How long can the data be kept?
The retention period of this data is determined by law. This period is five years, starting from the date of the fine.
Detection of fraud such as tailgating or leaping over the barriers at metro and pre-metro gates
For what purposes?
Processing allows the STIB to organise a targeted check of STIB tickets in metro and pre-metro stations by determining where the check should start.
What data?
Processing uses as a starting point a photo of the offence taken automatically whenever sensors detect tailgating or barrier jumping at metro or pre-metro gates. Due to the large number of passengers throughout the inspection area, it is important that officers are able to determine where they will begin their checks and can best target these ticket inspections.
Secure access to the data is granted only to sworn agents on duty in the control area at the time the fraud was detected.
What is the justification?
The processing is part of the implementation of the STIB's public interest mission, more specifically the fight against fraud.
Is your data transmitted?
Your data is not sent to third parties?
How long can the data be kept?
"Photo" data is kept for a maximum of 30 minutes on the STIB server and two minutes on the RAM of the control agent's tablet. The data is deleted after this period.
Management of disputes, claims and compensation requests
What is the purpose?
- To have the necessary information to be able to communicate with the parties involved in a dispute
- To have the necessary information for claiming compensation in the event of damage suffered by STIB
- To have the necessary information for responding to a request for compensation in the event of damage caused by STIB
What data?
- Identity data of the parties (parties to the accident) and witnesses
- Household composition data
- Identity data of any agents (lawyers, insurers, etc.)
- Identity data provided by the public authorities
- national registry number
- financial data
- health data
- surveillance camera footage
What is the justification?
This management task stems from the legitimate interest of STIB. It is important for STIB to be able to react in an appropriate and therefore documented manner in the event of a dispute, an accident or a request for compensation.
What is the origin of the data?
The data may be provided to us by you, but also by experts, insurance companies, insurance brokers, lawyers, bailiffs, notaries, or surveillance camera images.
Is your data transmitted?
The data processed during this processing may be transmitted to lawyers, bailiffs, experts, insurance companies, notaries and the competent judicial authorities.
How long can the data be kept?
We keep this data for a maximum of 20 years after the file is closed, depending on the applicable limitation periods.
Management of cameras
What is the purpose?
- To ensure the safety of users (vehicles and stations)
- To ensure staff safety (STIB MIVB buildings)
- To ensure the safety of STIB assets (stations, STIB MIVB buildings and vehicles)
- To enable a rapid response by the appropriate personnel (vehicles and stations)
- To ensure the management of disputes, claims and compensation requests (vehicles and stations)
- Assistance with driving/driver while driving vehicles (vehicles)
The STIB has cameras in the stations, in the various STIB MIVB buildings and in public transport vehicles (bus, tram and metro). The new transport vehicles (from 2021) will also be fitted with cameras on the vehicle. STIB has introduced an internal policy for the management of its cameras.
What data?
The images collected by the different cameras.
What is the justification?
To guarantee the safety of STIB users and property is one of the tasks assigned to STIB by the Brussels-Capital Region, and this task is in the public interest. The legal basis of the aim of managing its own disputes is legitimate interest.
Is your data sent to third parties?
The images from the surveillance cameras may be sent to the relevant judicial authorities (police, investigating judge), provided that their requests meet the legal conditions for access (see processing below).
How long can the data be kept?
In accordance with the camera law, we only keep images for 30 days maximum. Recordings will be taken and kept for a period of five years in the event of an accident or incident.
Reporting potential risks with analytic cameras
For what purposes?
STIB carries out anonymous passenger volume counts in metro stations to measure platform occupancy rates. This count is carried out using cameras installed in metro stations, which only manage filling data. The information we obtain from these analyses is used internally to:
- detect safety risks on platforms (e.g. overcrowded platform)
- map platform occupancy rates, particularly to guarantee safety (e.g. analysis of flows leading to platform redevelopment)
The results of these analyses and reports do not contain any personal data.
What data?
The processing starts with personal data (images of passengers) and provides anonymised count data. The conversion process takes place in the camera via software. Under no circumstances are the images recorded, transferred or viewed.
The analysis reports do not contain any personal data.
The anonymised data processed is the following:
- number of travellers in a defined area
- location of passengers (e.g. start or end of platform)
What is the justification?
The analyses fall within the framework of the legitimate interests pursued by STIB to anticipate potential safety risks on its network.
Is your data transmitted?
The information we obtain from these analyses is used only by STIB. This data is not transmitted externally to STIB.
How long can the data be kept?
For models predicting the evolution of our passenger numbers, the extent of the records is one of the main factors that influences the quality of the predictions. For this reason, we keep this data in an anonymised form for a period of 20 years.
Passenger flow management
For what purposes?
STIB carries out passenger flow counts in metro stations to measure the volume of people using its infrastructures. This count is carried out using cameras installed in metro stations, which only manage volumetric data. The information we obtain from these analyses is used internally to:
- adapt supply to demand, for example, to adapt vehicle frequency to the volume of users;
- map passenger flows in the various corridors and accesses, in particular to ensure safety (e.g. sizing of the number of access gates);
- measure volumes of passenger connecting between the different platforms of a station.
The results of these analyses and reports do not contain any personal data.
What data?
The processing starts with personal data (images of passengers) and provides anonymised count data as an output. The conversion process takes place in the camera via software. Under no circumstances are the images recorded, transferred or viewed by persons.
The analysis reports do not contain any personal data.
The anonymised data processed is the following:
- passenger numbers
- line used
- line direction
What is the justification?
he STIB has a legitimate interest in knowing more about the use of its network in order to improve it and provide a quality service.
Is your data transmitted?
The information we obtain from these analyses is used by STIB. We may transmit passenger number data (containing no personal data) to external companies (emergency services, consultancy companies, station businesses, etc.).
How long can the data be kept?
For models predicting the evolution of our passenger numbers, the extent of the records is one of the main factors that influences the quality of the predictions. For this reason, we will keep this (anonymised) data for a period of 20 years.
Marketing to our customers and non-customers
1/ What purpose?
Sending occasional marketing campaigns by email to customers
What data?
- Identity data (surname, first name, date of birth)
- Contact data (email address, telephone number, postal address)
- Data linked to the MOBIB card (card number, type of season ticket)
What justification?
STIB-MIVB processes this data on the basis of the legitimate interest of informing its customers about the goods and services the company offers.
Your consent is sometimes required in accordance with the specific rules on advertising by email (Article XII.13(1) of the Code of Economic Law; Royal Decree of 4 April 2003).
Is your data transmitted?
These campaigns are sent via a service provider, to whom we send your email address in order to carry out the sending.
What is the retention period?
We keep your data for as long as you remain a customer of STIB-MIVB. In each communication you have the possibility of objecting to future communications.
2/ What is the purpose?
- The distribution of the newsletter
What data?
- Identity data: surname, first name
- Email address
- Language
What is the justification?
STIB processes this data only if the person concerned (customer or not) has given their consent.
Consent may be withdrawn at any time. You will then no longer receive a newsletter from us.
Is your data transmitted?
The newsletter is sent via a service provider, to whom we pass on your email address so that the newsletter can be sent out.
How long can the data be kept?
We retain your data for as long as you have not withdrawn your consent to receive the newsletter.
3/ What is the purpose?
- Management of STIB's pages on social networks
What data?
Data visible by default on the platforms:
- surname and first name or pseudonym
- profile photograph or avatar
- introductory message
- publications
- messages exchanged
- data made public by the user as part of his general settings on the platform concerned data on the use of the platform for the production of anonymous statistics
What is the justification?
This purpose is based on STIB's legitimate interest in collecting and processing data concerning the users of social networks (only in the context of consultation of/interaction with the STIB page). These processing operations are carried out under the joint responsibility of STIB and the social networks.
Is your data transmitted?
Public exchanges and publications are likely to be accessible, due to their presence on social networking platforms, outside the European Union. The data necessary for the compilation of statistics may be processed outside the European Union in accordance with the data management policy established by the head of each platform.
How long can the data be kept?
The data is kept for the period during which the account exists on the social network in question.
NB: To exercise your rights (see above), you can contact the social network in question directly. For more information, see their data protection/privacy policy.
4/ What is the purpose?
- Organisation of competitions
- STIB processes the data of competition entrants to ensure the smooth running of the competition.
What data?
For this purpose, we only process contact data in order to inform the data subject of the competition results.
What is the origin of the data?
You provide the data yourself in order to participate in the competition.
What justification?
The processing of this data is based on the execution of the contract for contests. You have the possibility to participate in these contests or not.
Is your data transmitted?
Participation takes place by using the use of a platform developed by a service provider that has access to your data.
How long can the data be kept?
We keep the data for a maximum of three months after the winner(s) has/have been declared.
Websites
The website collects data at 3 different moments:
- When creating a digital account (which allows you to purchase and manage your tickets through Go Easy/ MyBOOTIK or the mobile app);
- When asking for an access to the STIB-MIVB open data platform (which allows you to get data concerning the STIB-MIVB transport network, such as timetables, the names and locations of the stops, etc.);
- In the context of the STIB-MIVB Store (online shopping site for merchandising items related to the STIB-MIVB).
1/To what end?
Creating a digital customer account as well as adding and/or removing MOBIB cards linked to this account.
Which data?
In the GO Easy/ MyBOOTIK portal, we ask you to fill in the following information:
- Your identity
- Your e-mail address
- Your password
- Your mobile number
When you link your account to a MOBIB card, additional information is collected:
- Data linked to your MOBIB card and to the rates you are entitled to
- Your full address
- Your national registration number
When you use your account on your mobile application, additional information is collected:
- Geolocation data (that can be deactivated)
To keep your data updated, for example in case of a change of address or e-mail address, we ask you to change the profile information of your MyBOOTIK digital account.
What is the justification?
When you create and use an account, STIB-MIVB provides you with services to facilitate managing your MOBIB cards. It is within this framework that your data is processed (execution of this free service contract).
Where does the data come from?
We process the personal data that you provide us when you create your digital profile (for example, when your MyBOOTIK account is linked to your MOBIB card).
Is your data shared with others?
When necessary for the provision of our services, some of our databases are made available to third parties who work on our behalf and assist us in providing our products and services. Examples of this include information technology (IT) support tasks.
What is the retention period?
We keep this data as long as you have not deleted your account and it is active.
2/ What purpose?
Open data:
- Creation of user profiles;
- Provision of a platform for accessing, sharing and exchanging data and datasets between users;
- Provision of APIs for access to data sets;
- Supervision of the application and of any use of the information, legitimate and/or illegitimate, including ally measures to prevent fraud;
- Production of visits/downloads statistics.
What data?
- first name
- last name
- email address
- encrypted password
- IP address
- other business contact information
- company
- country
- type of access granted
What justification?
The processing of this data is based on the execution of the licence contract for the use of the Open Data platform between you and STIB-MIVB, and on the legitimate interest of STIB-MIVB to oversee the respect of the licence conditions for re-use in order to avoid fraud and to produce statistics.
What is the origin of the data?
You provide this information when you register on the Open Data platform.
Is your data transmitted?
Our Open Data platform is hosted by a service provider, which manages the personal data you provide.
What is the retention period?
We keep this data for a maximum of 1 year.
Mobile Application
- Mobile App
To what end?
The purpose of processing personal data in the mobile application is to personalise it according to the user's location and preferences (favourites, recently searched locations, frequently used lines...).
Adding personal touches can allow you to obtain information concerning your itinerary, disruptions on the transport network, specific announcements in case of evacuation of a station, publications to promote STIB-MIVB products…
Which data?
The creation of a digital account implies the processing of the following data:
- The identity,
- The e-mail address,
- The password.
This data may be indirectly communicated to us if you choose to sign in using your Facebook or Apple account (which transfers in this case your identification data to us).
If you decide to use the app without signing in, no personal data will be saved in the STIB-MIVB databases. Some of your technical data will be saved by the partner who hosts our app.
What is the justification?
When you create and use a digital account, STIB-MIVB provides you with services to make your use of its network easier. It is within this framework that your data is processed (execution of this free service contract).
Your consent is necessary for the use of your location.
This consent can be withdrawn at any moment by changing the permissions in the settings.
Where does the data come from?
You provide your data when you create your account.
Is your data shared with others?
We do not share your personal data.
What is the retention period?
Your identification data and your favourites are stored as long as your account is active. Frequently used locations and lines are stored for a maximum duration of 18 months. You can erase your history in the application or through GO Easy/ MyBOOTIK on our website (www.stib-mivb.be).
Creation of statistics, market surveys and polls
STIB carries out surveys and analyses of its users in various ways in order to adapt supply and demand as much as possible and monitor its service. To improve our service, we need to be able to evaluate it through market surveys, market analyses, reports and statistical analysis. This evaluation also enables us to pursue a target group policy and apply price differentiation. The information we obtain from certain analyses is used internally to evaluate our current portfolio of products and services as well as our processes and to adapt them on the basis of new developments.
Finally, according to the terms of our management contract with the Brussels-Capital Region, we must have the information required for the annual evaluation reports. The report consists of a systematic evaluation of the commitments and objectives of the Parties, and thus of STIB. The results of these analyses and reports do not contain any personal data.
In addition, STIB regularly conducts satisfaction surveys and customer surveys to gain a better understanding of its customers' needs and priorities, evaluate changes and constantly improve the service offered to customers. The results of its surveys are directly anonymised.
What data?
STIB may use all the data it has about its customers in order to carry out the above-mentioned analyses. This includes, for example, the data contained in the customer database, ticket usage data, etc.
What is the justification?
The analyses are part of the task of public interest entrusted to STIB.
For satisfaction surveys and polls, the data are processed on the basis of our legitimate interest to assess the customer's satisfaction.
What is the origin of the data?
We collect this data throughout your relationship as a STIB user. It may also come directly from you during field investigations.
Is your data transmitted?
Does STIB use subcontractors to carry out such surveys?
In addition, within the terms of the management contract, we sometimes send reports and analyses to the Government of the Brussels-Capital Region.
How long can the data be kept?
The reports on the studies and market analyses do not contain any personal data. In this respect, no maximum retention period has been set.
Responding to competent authorities
The competent authorities ask us for information in the context of ongoing police and judicial investigations. This may involve all the data we have about one or more customers, such as surveillance camera footage in compliance with the law of 21 March 2007. This data disclosure is part of a legal obligation.
4. FAQ - Data Protection
FAQ - Data Protection
Data Protection
How can I have my data deleted?
Simply send us a request using our contact form option "DPO/exercise my rights" or contact us by email at DPO@stib-mivb.brussels with the subject "Erasure: personal data" and attach a copy of the front of your identity card (this enables us to identify you).
For more information about all your rights, please consult our Privacy statement, in the section "Your rights".
How can I get a list of my journeys?
In order to have access to your validations, simply send us a request using our contact form option "DPO/exercising my rights" or contact us by email at DPO@stib-mivb.brussels with the subject "Access: personal data". This e-mail should contain your MOBIB card number. Please note that if the email address used to contact us is not the same as the one listed in our systems, you will be asked for a copy of the front of your identity card as an authentication.
For more information about all your rights, please consult our Privacy statement, in the section "Your rights".
What personal data is contained on my MOBIB Basic card?
MOBIB Basic cards do not produce any personal data, even for STIB-MIVB. Individuals cannot be identified and the validation data is completely anonymous. However, please note that if you link your MOBIB Basic card to your MyBOOTIK account, we will be able to link your card to the email address of the MyBOOTIK account.
What personal data is contained on my personal MOBIB card?
Only personal information allowing to define the applicable fare is collected.
The card contains the data specific to the card, the minimum identification data of the traveller, the purchased contracts, the additional services (Interparking,...) and the last validation (allowing free connection within one hour after validation).
Why validate if I have a season ticket?
Validating your card enables STIB-MIVB to adapt its offer to the demand and to manage the travellers' flow. The validations number also plays a part in defining the subsidies granted to STIB-MIVB.
What personal data is collected when validating?
When a MOBIB card is validated, the validating machine collects the card information (card number, contract number linked to the card, stop, time and type of validation (validation error, connection...)).
As soon as the validating machine has a connectivity, this data is sent to the "Validations" database.
How are my MOBIB card and my validations related?
STIB-MIVB has separate databases in order to store the traveller's personal data apart from the validations. The aim is to pseudonymise the validation data in order to better protect the travellers' data. It is therefore impossible to identify a customer without reading the information located in two physically separated databases. The only data allowing to make a link between the two databases (customer and validations) is the card serial number.
Only a limited number of authorised persons have access to both databases, and this under certain defined circumstances, in order to cross-reference the information (e.g. in case of a request from the police or an explicit request from the customer). This access is controlled, audited and monitored.
How long is the validation data kept and why?
The validation data is kept for a maximum of 6 months in the operational databases. After 6 months, all the validation data is deleted from the database by a continuous IT process.
The anonymised validation data is kept for statistical purposes. These data are aggregated on the basis of the traveller profile in order to make analyses and statistics and to offer new services to travellers.
Where is my MOBIB card data stored?
All this data is stored at STIB-MIVB. STIB-MIVB is solely responsible for managing these databases. No external service provider is involved.
Is my validation data transferred to a third party?
The validation data is only transferred if a traveller validates a contract purchased on another operator's network, on the STIB-MIVB network. In this case, the pseudonymised validation data (no customer data) will be shared with the other operator for rebilling purposes between the operators. All the data exchanged between the operators can be identified by the MOBIB card serial number and the contract signature information known only by the operator who sold the contract.
The pseudonymised validation data can also be exchanged between the operators in case of duplicate or replacement of a MOBIB card.
What security systems are used to protect the data contained on my MOBIB card?
The MOBIB card complies with the security level that applies to smard cards (ISO 14443-B), which is also used in banks.
How can I report someone's death in order to deactivate their account?
In order to report a death, please contact the Customer Care using our contact form. A death certificate is then required.