CANDY PACK Privacy Policy

1 : Objective

This document constitutes the "Privacy" policy implemented by CANDY PACK in the context of its activities.

The protection of your privacy and your personal data is of paramount importance to CANDY PACK.

This Privacy Policy is written to ensure compliance with the European Regulation 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, or GDPR).

This Privacy Policy is intended to provide you with comprehensive information about how we collect, use and store your personal data.

2: What is the scope of this policy?

What does "processing your data" mean and who is responsible for it?

We collect and use only the personal data that is necessary for our business and that allows us to provide you with quality products and services.

CANDY PACK, with its registered office at Avenue des Biolleux 2, B-4800 Verviers, is responsible for processing the personal data it is required to process.

We are therefore your partner as well as the partner of the supervisory authorities (e.g. the "Data Protection Authority") for any questions regarding the use of your data by our company.

For certain services, we use specialized third parties who, in some cases, act as subcontractors. They must follow our guidelines and comply with our Privacy Policy. In other cases, these third parties are also jointly responsible for the processing and must comply with their legal obligations in this regard.

We ensure that these subcontractors only receive data that is strictly necessary to perform their part of the contract.

We may also act as a subcontractor for other entities belonging or not belonging to the CANDY PACK group. In this case, these entities are responsible for the processing of personal data. We then follow their instructions.

3: What data is covered by our policy?

The data covered by this policy are the personal data of natural persons, i.e. data that directly or indirectly identify a person.

Within the framework of your relations and interactions with CANDY PACK, we can be brought to collect various personal data, such as:

  • Identification and contact data (e.g. your title, name, address, date and place of birth, national registry number, account number, telephone number, e-mail address, IP address, occupation);
  • Family status (examples: marital status, number of children) ;
  • Banking, financial and transactional data (e.g. bank details, account numbers, transfer data including communication, and generally all data recorded during your bank transfers);
  • Data relating to your behavior and habits concerning the use of our channels (e.g. our stores, our websites, our applications for tablets and smartphones) or your consumption (number of products ordered, interval of orders, etc.) ;
  • Data relating to your preferences and interests, which you communicate to us directly or indirectly, for example via participation in our contests or events, ... ;
  • Data from your interactions on our dedicated pages on social networks.

We never process data relating to your racial or ethnic origins, your political opinions, your religion, your philosophical convictions or trade union membership, your genetic data, your sex life or sexual orientation unless legislation requires us to do so or unless it results from the performance you make of our products and services (example: you mention this type of information).

4: Guidelines for processing personal data

CANDY PACK will respect, among others, the following principles when processing personal data in the management and execution of its commitments:

  • Lawful data processing: CANDY PACK processes personal data in a lawful manner in the course of its activities;
  • Identified purposes and purpose limitation: CANDY PACK collects and processes personal data for the following lawful purposes;
  • Minimization of data processing: CANDY PACK limits the processing of personal data to what is necessary for its activities;
  • Accuracy of personal data: CANDY PACK takes all reasonable steps to ensure that personal data are accurate and that they are rectified and/or deleted without delay if they no longer appear accurate;
  • Limitation of processing and storage: CANDY PACK will not process or store personal data for longer than is necessary for the performance of its activities;
  • Security measures: CANDY PACK takes the necessary and appropriate technical and/or organizational measures for the security of personal data.

5: When is your personal data collected?

The data we use may be collected directly from you or obtained from the following sources for the purpose of verifying or enhancing our databases:

  • Publications/databases made available by the official authorities (e.g. the Belgian Official Gazette);
  • Our corporate clients or service providers;
  • Websites/social network pages containing information you have made public (e.g. your website or social network);
  • Databases made public by third parties.

Some of your data may also be collected by CANDY PACK:

  • When you become a customer or supplier;
  • When you register to use our online services (each time you log in or use them);
  • When you fill out the forms and contracts we submit to you;
  • When you check in at the CANDY PACK reception;
  • When you use our services and products after signing a contract;
  • When you subscribe to our newsletters, respond to our contests, you register on our website;
  • When you contact us through the different channels at your disposal;
  • When your data is published or transmitted by authorized third parties or professional data providers;
  • When you are filmed by our surveillance cameras located in and around our premises/buildings.

The images are recorded solely for the purpose of preserving the safety of property and persons and preventing abuse, fraud and other offences against our customers and/or staff (their presence is indicated by stickers with our contact details).

6: On what basis and why do we use your personal data?

We process your personal data for various purposes. For each processing, only the data relevant to the purpose is processed.

In general, we use your personal data:

  • In the context of theexecution of a contract or the taking of pre-contractual measures;
  • In order to comply with the legal and regulatory requirements to which we are subject;
  • For reasons that fall within thecompany's legitimate interest (see illustrations below). When we carry out this type of processing, we take care to preserve the balance between this legitimate interest and the respect of your privacy;
  • When we have obtained your consent.

Personal data are processed by CANDY PACK for purposes that include, but are not limited to:

  • Provide you with information about our products and services;
  • Assist you and answer your questions;
  • To enable the proper execution of the agreements entered into;
  • To ensure the financial and accounting management of CANDY PACK;
  • Ensure proper management of customers, materials and suppliers;
  • To carry out market research and establish user profiles, to carry out information and/or promotional operations on products and services, those of its group companies and/or its commercial partners;
  • To work on the improvement of existing products and services (or those under development) through surveys of current or potential customers, statistics, tests, comments that you send us directly or that you publish on our websites;
  • Fulfill legal obligations, including responses to official requests from duly authorized public or judicial authorities;
  • Detect and prevent abuse and fraud: we process and manage contact and security data (card reader, password, ...) in order to validate, track and ensure the security of transactions and communications via our remote channels;
  • To ensure the provision of services and products through subcontractors;
  • Monitor our activities (sales, number of appointments, number of calls, visits to our website, etc.);
  • Improve the quality of individual service to our customers;
  • Prospecting for CANDY PACK products and services, or for other products that we promote or that are promoted by companies belonging to the CANDY PACK group;
  • To ensure the security of our premises and infrastructures, as well as the people in these places.

7: Who has access to your data and to whom is it transferred?

Only authorized users have access to your personal data in order to accomplish the aforementioned purposes. Authorized users are those persons who, in the course of their duties at CANDY PACK, are authorized to process personal data on the basis of CANDY PACK guidelines.

In order to accomplish the above purposes, CANDY PACK discloses your personal data to

  • Entities of the CANDY PACK Group (example: you can benefit from the various services and products);
  • Suppliers or subcontractors of said suppliers, so that they can better serve you;
  • External auditor;
  • An approved commissioner;
  • Legal counsel;
  • Financial consultant;
  • Another professional and/or service provider/consultant;
  • A social secretariat, banking organizations, insurers/funds;
  • IT companies or service providers for software programs and electronic data storage (servers, etc.);
  • Judicial, administrative or police authorities.

8: How long do we keep your data?

We retain your personal data for the longest period of time necessary to comply with applicable legal and regulatory requirements or for such other period of time as is necessary for operational purposes, such as proper bookkeeping, effective customer relationship management, and responding to legal or regulatory requests.

Customer data is kept for the life of the contract and for a period of ten years after the end of the contractual relationship.

Data on potential clients is thus kept for a maximum of one year, depending on the life cycle of the project for which it was collected and when the person has expressed an interest.

Some data is archived for longer periods of time in order to meet our legal obligations and for evidential purposes, in particular to safeguard your rights and the rights of our company. These archived data are only accessible for purposes of proof in court, control by an authorized authority (e.g. by the tax authority), for reasons of document production before judicial, administrative or police authorities.

9: Security and privacy

CANDY PACK undertakes to adopt the necessary and adequate technical, physical and organizational measures to protect personal data against unauthorized access, unlawful and unauthorized processing, accidental loss or damage, and unauthorized destruction. These measures are regularly evaluated and, if necessary, updated in order to guarantee maximum protection of the personal data of the persons concerned.

In the event of a data breach or leak, as described below, CANDY PACK takes the necessary/adequate measures to ascertain the extent and consequences, to put an end to it as quickly as possible and, if necessary, to limit its impact on the persons concerned.

10: What are your rights and how can you exercise them?

10.1 : Rights of the persons concerned

In accordance with the applicable regulations, you have various rights:

  • The right to request access to personal data (A);
  • The right to rectification (A);
  • The right to erasure of data(A);
  • The right to object to processing (B);
  • The right to withdraw consent (B) ;
  • The right to request a restriction of processing (B);
  • The right to data portability (C).
  1. : Right of access, rectification and deletion

Any data subject has the right to make a request for access to his or her personal data. If a data subject exercises this right, CANDY PACK is obliged to provide him or her with information on the subject, including:

  • To give a description and a copy of the personal data;
  • To inform the data subject of the purposes for which CANDY PACK processes the data.

If data are inaccurate or incomplete, the data subject may request that they be corrected.

Under certain circumstances, the data subject may, in accordance with the data protection regulations, request the erasure of personal data relating to him or her, inter alia, if the personal data is no longer required for the purposes for which it was collected or processed. CANDY PACK may, however, refuse to delete such data, for example for the purpose of lodging, enforcing or proving a legal claim.

In order to keep your data up to date, we ask you to inform us of any changes (e.g. change of marital status, change of address).

  1. Right to object to and limit the processing of your data and right to withdraw your consent

You have the right to object to certain processing of your personal data that we would like to carry out. In particular, you have the right to object, without justification, to the use of your data for prospecting purposes. You can also request the limitation of the processing of your data.

However, this right can only be exercised under certain conditions:

  1. Your application must be dated and signed;
  2. For cases other than opposition for canvassing purposes, you must have serious and legitimate reasons relating to your particular situation to object to the processing taking place. In case of justified objection, the processing in question may no longer involve such data.

However, you may not object to processing that is necessary for the performance of a contract entered into with you or for the performance of pre-contractual measures taken at your request; nor may you object to compliance with any legal or regulatory provision to which we are subject.

If you have given your consent to the processing of your personal data, you have the right to withdraw that consent at any time.

  1. : The right to portability

Where necessary and to the extent applicable, the data subject may request to receive certain personal data that he or she has provided to CANDY PACK in connection with the management and performance of its activities, and to transfer such data to another Controller. Where technically possible, the data subject may request CANDY PACK to transfer such data directly to another Data Controller.

10.2 : Who should you contact ?

If the data subject wishes to exercise his/her rights with respect to his/her personal data, he/she may do so by sending an e-mail to the following address:

In accordance with the regulations, you are entitled to lodge a complaint with the competent supervisory authority.

11: Transfer of data outside the EEA

In the case of international transfers from the EEA to a third country for which the European Commission has issued an adequacy decision recognizing that country as having a level of personal data protection equivalent to that provided by EEA law, your personal data will be transferred on that basis.

For transfers to countries outside the EEA for which the European Commission has not issued an adequacy decision, we rely either on an exemption applicable to the situation (e.g., in the case of international payments, the transfer is necessary for the performance of the contract) or on the fact that the data recipient has agreed to process the personal data in accordance with the "Standard Contractual Clauses" established by the European Commission for Data Controllers or Processors.

To obtain a copy of these texts or to find out how to access them, you may send a written request as indicated in Section 10.2.

12: Violation of personal data

12.1: Notification of personal data breaches

Authorized users must take care in the performance of their duties to avoid incidents (intentional or unintentional) that may infringe on the privacy of the persons concerned.

In the event of a personal data breach, appropriate measures are taken as quickly as possible to minimize the risk of damage to the persons concerned as well as to CANDY PACK (damage to reputation, sanctions imposed, etc.).

In any case, all authorized users, as well as all other persons who consult, use or manage information from CANDY PACK must immediately report any breach of security and incidents related to the security of the information so that an analysis can be immediately made, the necessary measures taken and whether the violation should be reported to the Data Protection Authority and/or to the persons concerned.

When the notification is made by e-mail, it is important that it is sent to the address mentioned in section 10.2 and that it is expressly stated in the subject line of the e-mail that it is a message with a high degree of urgency about a possible violation related to personal data.

The information should contain a complete and detailed description of the incident, including who is reporting it (full name, address, email (if applicable) and phone number), what type of incident it is, and how many people are involved.

12.2: Survey and Risk Analysis

In principle, within 24 hours after the incident or violation has been noted by CANDY PACK or reported by a subcontractor, authorized user, recipient, data subject or third party, an investigation will be initiated by CANDY PACK.

The investigation will indicate the nature of the incident, the type of data involved, and whether specifically personal data is impacted (and if so, who the individuals are and how much personal data is affected). The investigation will determine whether or not there has been a breach of personal data.

In the case of a breach, a risk analysis will be carried out to find out what the possible consequences of the breach are (can be), and in particular the (possible) impacts on the persons concerned.

CANDY PACK will then decide, on the basis of the nature of the violation, whether or not there is an obligation to make a notification to the Data Protection Authority and/or the data subject.

12.3 : Documentation of violations

All violations will be documented in a log. The log will detail the root cause of the incident and contributing factors, the chronology of events, response actions, recommendations and lessons learned to identify areas for improvement. Recommended changes to systems and procedures will be documented and implemented as quickly as possible.

13: How do I find out about this policy and its changes?

In a world of constant technological change, we will update the Privacy Policy regularly.

We invite you to consult the latest version of this document on our sites and we will inform you of any substantial change through our sites or through our usual communication channels.

14 : How to contact us ?

If you have any questions about the use of your personal data as described in this policy, you can contact us by e-mail at

This Privacy Policy is effective as of January 1, 2023.