Privacy notice on critical infrastructures and privileged access

Your privacy is important to you and to us, which is why we want to be transparent about what we do with your personal data. In this document, you can find information on the processing of your personal data by Proximus when you obtain privileged access to platforms and critical infrastructure of Proximus through a privileged remote access system. This information includes what personal data we collect about you, how we process your personal data and with whom it will be shared. We also describe what your data subject rights are and how you can exercise them.

Who is the data controller?

The controller of the processing of your personal data described in this privacy policy is Proximus PLC under Belgian public law, with its registered office at Bd du Roi Albert II, 27, 1030 Brussels, Belgium - registered with the Crossroads Bank for Enterprises under number 0202.239.951 (“Proximus”).

What personal data will Proximus use?

• First and last name
• Professional email address (which can be provided to Proximus by your employer if you are not a Proximus employee)
• PERID (if Proximus has assigned you a PERID)
• Mobile number
• Video recordings of actions undertaken on the platforms and critical infrastructure of Proximus once privileged access has been obtained through the privileged remote access system*
• Key stroke recordings of commands or text logs on the platforms and critical infrastructure of Proximus once privileged access has been obtained through the privileged remote access system*

*The recordings are limited to the content that is accessed through the privileged remote access system. Actions on the user’s device that happen outside the privileged remote access system are not recorded.

What justifies this processing activity?

Proximus’ legitimate interest (art. 6(1)(f) GDPR) to guarantee the security of its platforms and critical infrastructure, detect and prevent fraud and enable an investigation in case of a security incident.

How long will Proximus keep this data?

The recordings are stored by Proximus for a period of 12 months as from the date of the recording.

User profiles are stored by Proximus until the moment the access rights of the user to the privileged remote access system are withdrawn.

With whom does Proximus share this data?

The personal data is shared with Proximus ADA NV/SA (“Proximus ADA”) in the context of the security incident detection and response services that it provides to Proximus. Proximus ADA is a Proximus subsidiary specialized in artificial intelligence and cybersecurity, functioning as center of excellence for all companies of the Proximus Group.

The personal data might also be shared with Cyberark, Citrix or Ekran (depending on the type of remote access), which are the third-party vendors providing the remote access portal solutions, as part of the invitation process. In such case, only identification details (such as first name, last name, email address and mobile number) are shared with the third-party vendor to this end. The video and keystrokes recordings are retained within Proximus Group.

The third-party vendors may process the personal data outside the European Economic Area (EEA), for instance in the United States and Israel, provided that the requirements of Chapter V of the GDPR are met. Depending on the destination country, these transfers will rely either on an adequacy decision or on the signature of standard contractual clauses approved by the European Commission.