Legal information

Who are we?

We are Bluesquare (legally known as Blue Square SA), located at Hive5 – Rue des Francs 79, 1040 Brussels, Belgium.

As part of our activities, we collect and process certain personal data. In accordance with European legislation on data protection and privacy, we sometimes act as a “data processor”, and sometimes as a “data controller”:

• We act as a data processor on behalf of our clients (who act as data controllers) when our clients conduct surveys, for example using our web/mobile application; in this case, our clients determine the information to be collected via the surveys as well as the purposes of this collection (such as monitoring grants and aid).
• We also act as a data processor for our clients when they ask us to host the data collected via surveys on our cloud platform, to anonymize this data and to make it accessible upon their request and under their instructions.

We act as a data controller when we anonymize and aggregate patient data collected for statistical and research purposes, or when we collect certain data via access to government databases with their consent. We also act as a data controller when we collect data from our clients and suppliers, such as name, position and contact details.

We know that privacy is important and must be respected

We place great value on individuals’ right to privacy and we strive to protect personal data in accordance with applicable data protection legislation, including the EU General Data Protection Regulation (“GDPR”) and its national implementing legislation.

For activities in which we act as a “data controller”, this privacy policy describes how we collect personal data, how and for what purposes we may use it, and to whom it may be disclosed. In addition, this policy contains important information on individuals’ rights regarding the processing of their personal data.

For activities in which we act solely as a “processor”, our clients are responsible for providing adequate information on data processing to all individuals whose data is collected.

We update this privacy policy from time to time. The most recent version is available on our website. You may also request that we send you a copy of the most recent version.

How do we collect personal data?

As part of the services we provide to our clients, we collect personal data concerning individuals who participate in surveys on services received via government or NGO programs in different countries.

In general, the following information is collected and processed:

• Location data (GPS coordinates of the place where the data is entered by the person interviewing the patient)
• First and last name
• Gender
• Age
• Village/District/Province/Country
• Information on the hospital, health center or school visited by the person
• Type of services received (this may include health services)
• Level of satisfaction expressed by the person and answers to other questions (for example, relating to bribes or sexual violence)

This information is generally collected via mobile questionnaires. Local enumerators are asked to complete these questionnaires with the respondent and to properly inform them about the collection and processing of their data, so that they can give valid consent. This consent is then confirmed before the start of the survey.

Other information may also be collected through us via access to health records or other public databases, subject to the legal requirements governing access to these databases.

For what purposes do we use this personal data?

When we act as a processor, we collect respondents’ information, as described above, for the purposes specified by our clients, generally related to the management and monitoring of grants and aid for hospitals, healthcare providers and schools.
When we act as a controller, we aggregate and anonymize respondents’ information, as described above, for statistical and research purposes (for example, to generate geographical maps indicating with geo-codes where interviews took place).

We rely on public interest and statistical research grounds for this anonymization process. To the extent that this would not be sufficient, we have also implemented an opt-in consent mechanism. In any case, once the data is fully anonymized, it can no longer be linked to the patients concerned and no longer constitutes “personal data”.

When we act as a controller, we collect information from our clients, partners and suppliers (name, position, organization, contact details) for the purpose of sharing news and updates about our activities and measuring their level of satisfaction with our products and services. We do not share this information with third parties without their explicit consent.

With whom do we share personal data?

As part of the purposes listed above, we may share personal data with third parties, such as:

• our clients (since they are the “data controllers”);
• independent developers working for us; and/or
• any IT service provider engaged by us to carry out certain processing operations or to host datasets.

The anonymized/aggregated datasets generated by us may also be shared with third parties. However, these datasets do not contain any personally identifiable information.

Where applicable, we will ensure that contractual safeguards are put in place to ensure the protection of personal data in the event of disclosure to a third party.

If a party to whom we disclose personal data is located outside the European Economic Area (EEA), we will ensure that measures are taken to guarantee an adequate level of protection for personal data in accordance with applicable legislation.

How long do we retain personal data?

Your personal data will not be retained longer than necessary for the purposes for which we process it (as determined by our clients).

To the extent that we act as data controllers, we will anonymize personal data obtained via surveys as soon as possible, in order not to retain any personal data in our datasets.

How do we protect personal data?

We will implement the administrative, technical and organizational measures necessary to ensure a level of security appropriate to the risks we have identified. In any case, our data warehouse is only accessible to authorized users (internal or external) with a username and password.

We also protect personal data against destruction, loss, alteration, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise processed.

What are individuals’ rights and how can they exercise them?
Individuals have the right to:

• information and access to their personal data;
• rectification of their personal data;
• erasure of their personal data (“right to be forgotten”);
• restriction of the processing of their personal data;
• object to the processing of their personal data (“withdraw their consent”); and
• receive their personal data in a structured, commonly used and machine-readable format, and to (have) their personal data transmitted to another organization.

Finally, individuals also have the right to lodge a complaint with the Belgian Data Protection Authority (or any other competent authority).

To learn more about these rights and the circumstances in which they may be exercised, see the Annex below.

Any questions? Contact us!

If you have any questions, comments or complaints regarding this privacy policy or the processing of your personal data, please do not hesitate to contact us by post for the attention of Martin De Wulf, Rue des Francs 79 – 1040 Etterbeek or via info@bluesquarehub.com.

Annex – Data subjects’ rights

Right to information and access to your personal data
You may at any time request more information about our processing activities and about the personal data we hold about you.

Right to rectification of inaccurate or incomplete personal data
You have the right to request, without undue delay, that we rectify or complete your inaccurate or incomplete personal data.

Right to erasure of your personal data (“right to be forgotten”)
You may request that we delete (part of) your data