Privacy statement

Privacy statement – Processing of personal data

This statement describes how SBB Gecertificeerde Accountants en Adviseurs BV (SBB Certified Accountants and Advisors LLC), with registered office at Diestsevest 32 box 1A, 3000 Leuven in Belgium and company number 0459.609.556, RPR Leuven, -, and SBB Bedrijfsdiensten BV (SBB Corporate Services, LLC) , with registered office at Diestsevest 32 box 1A, 3000 Leuven in Belgium and company number 0420.170.841, RPR Leuven, -, process your personal data in the context of its activities as joint controllers ("We").

We are committed to processing your personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, i.e. the General Data Protection Regulation.

Processing operations

We process your personal data for various purposes within the context of our activities:

1. Customer management (contractual necessity) (legal obligation)

  • Identification data
  • Financial data and special information (payment data, private and professional assets and financial activities)
  • Personal characteristics
  • Living habits
  • Composition of the family
  • Professional data (training and profession)
  • Membership fees
  • Judicial data
  • Housing characteristics
  • Identity card and national registration number
  • Membership of a trade union

2. Direct marketing (legitimate interest) (consent)

  • Identification data
  • Personal characteristics
  • Professional data (training and profession)

3. Supplier management and independent service providers (contractual necessity)

  • Identification data of you and some of your employees (if applicable)
  • Financial data (payment data)
  • Professional data (training and profession)

4. Compliance with our statutory obligations (legal obligation)

  • Identification data
  • Financial data (payment data)
  • Identity card and national registration number

5. Fraud prevention and control (legitimate interest, i.e. fraud prevention and control) (legal obligation)

  • Identification data
  • Financial data
  • Identity card and national registration number

The legal basis on which we rely is always indicated when processing. Sensitive data are personal data that have apparently been disclosed by the data subject himself.

Some data are obtained from third parties (e.g. your advisers, including notaries, lawyers and other professional advisers, provide Us with personal data on your instructions) and from public sources (the Belgian Official Gazette, the Crossroads Bank for Enterprises, and government services). Personal data is also collected via our (commercial) partners and other entities with which we collaborate in order to grant you (commercial) advantages, for the purpose of offering certain services, or for the purpose of providing relevant information.

If the basis is a contractual necessity or legal obligation, then the personal data must be provided in order to enable the performance of the contract or comply with a legal obligation. If the required data are not provided, the business relation cannot continue.

The retention period of your personal data is limited to:

  • Customer management: 10 years after the end of the agreement;
  • Supplier management: 10 years after the end of the supplier relation;
  • Fraud prevention and control: 10 years after the end of the agreement/transaction;
  • Direct marketing: 5 years after the last meaningful contact, it being understood that a renewal of this period is possible with your consent;
  • Compliance with our statutory obligations: retention in compliance with the legal retention period.

Export of personal data

To organise our ICT and support services, we make use of external service providers who may process limited amounts of personal data outside the European Economic Area (including but not limited to the United States of America, the United Kingdom, etc.). We guarantee an adequate level of protection by implementing appropriate safeguards (including standard contractual clauses approved by the European Commission or other measures described in Chapter V of the GDPR).

Additional information regarding the recipients of your personal data

Under certain circumstances, we may share your personal data with a limited number of other parties:

  • We share your personal data with you and, where appropriate, (a) your employer or certain of your employees and (b) professional advisers appointed by you;
  • We share your personal data with banks, insurance companies and brokers, within the context of your relationship with these parties;
  • We share your personal data with public authorities to meet legal obligations;
  • We share your personal data with our professional advisers, lawyers, bailiffs and partners to the extent required for them to provide assistance;
  • We use the services of a number of technical and operational processors, for example for the hosting of websites, files and dossiers, provided that the necessary processing agreements are implemented;
  • We share your personal data with other entities of the SBB group to the extent required for their activities.

Processing security

We have implemented appropriate protection for the personal data that we process.

No information system can guarantee 100% safety. We are committed to continuously improving the safety of our systems. You also have an important role to play in protecting your personal data, for example by keeping your account details confidential and adequately protected, and by using our buildings with the necessary vigilance.

Your rights

The General Data Protection Regulation grants you a number of rights with regard to your personal data:

  • The right to access and rectify your personal data;
  • The right to object to the processing of your personal data for direct marketing purposes and the general right to object on the basis of circumstances specific to your situation;
  • The right to data erasure and limitation, and the right to be forgotten;
  • The right to revoke your consent at any time;
  • The right to data portability;
  • The right to submit a complaint to the Data Protection Authority.

Before filing a complaint, We encourage you to contact us in order to find a quick solution to your complaint.

The exercise of these rights is subject to certain conditions as governed by the GDPR.

How to contact us?

You can always contact the DPO of SBB using the contact details below:


We reserve the right to amend this statement from time to time. If the changes are substantial, we will notify you via our website or by e-mail.