Privacy Statement

Learn more about how we collect and process your data

Privacy Mission

At Approach, we are committed to providing cyber serenity to society, while putting security and privacy at the core. We believe privacy is not just a legal obligation but a profound responsibility and an opportunity to build trust with our stakeholders. 

The data protection mission and ongoing efforts are sponsored by the CEO, the CISO and the company’s management.

We invite you to read this Privacy Notice. It explains your rights and sets out Approach’s obligations regarding data protection.

This Privacy Notice applies to the Approach website and services. Approach consists of Approach Belgium and Approach Switzerland.

Please note that this Privacy Notice does not apply to other websites offered by Approach Group or its affiliates. We advise you to look at the relevant privacy notices when using such websites, applications or platforms.

We will only collect and use personal data in the ways described in this Privacy Notice, in a way that is consistent with the Belgian, European and Swiss privacy legislation. Particularly appropriate are:

  • The General Data Protection Regulation (2016/679) (‘GDPR’),
  • The Belgian law of 30 July 2018 on the natural persons with regard to the protection of personal data,
  • New Federal Act on Data Protection from 1 September 2023 (‘nFADP’).
  • Any data protection law that applies to the processing of your personal data.

Personal data

As ‘Personal data’, we consider any information ‘relating to an identifiable person who can be directly or indirectly identified’. Simply stated, this is any information that enables you to be identified. It covers information such as your name and email address, but it also covers less obvious information such as electronic location data, IP address and other online identifiers.

The personal data we use is set out in Section 6 of this Privacy Notice.

Processing activity

What we consider as ‘processing activity’: any operation or set of operations which is performed on personal data or on sets of personal data. This is regardless of whether or not the processing activity happens by automated means. Examples are:

Collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data Processor (‘processor’)

A data processor is the natural or legal person who processes your personal data upon request and on behalf of us, the controller. You may find more information about how we use processors in Section 7.1.1.

Data Controller (‘controller’)

A data controller is a natural or legal person, public authority, agency or other body which determines the purposes and means of processing personal data. The controller decides what to do with personal data and is responsible for ensuring compliance with data protection laws.

Data Protection Coordinator (‘DPC’)

The DPC supports Approach in fulfilling our GDPR obligations. The DPC informs and advises on data protection legislation, organises trainings, spreads awareness and monitors compliance. They are your point of contact for any questions regarding your data protection rights.

Please note: the function of DPC is not the same as that of a data protection officer (‘DPO’). Although responsibilities are similar, the DPC function is not defined under GDPR. Approach is not legally required to have a DPO under GDPR, but it has a DPC to fulfil Approach’s compliance responsibilities under GDPR.

Lead

A lead is a potential customer for Approach. If you have shown an active interest in using Approach services, we consider you a lead.

Active lead

A lead who interacts with our services, by communicating with our Sales and Marketing Team, or expressing active interest in our brand and services.

Inactive lead

A lead who does not interact with our services for more than 18 months.

Lead generation

Lead generation is the process used by our Marketing and Sales team to attract new customers to our Approach brand and services.

This website is an initiative of Approach. We are a company incorporated and existing under Belgian law, with registered address in APPROACH Louvain-la-Neuve, Axis Parc, Rue Edouard Belin 7, 1435 Mont-Saint-Guibert, Belgium.

This Privacy Notice describes the activities in which we process personal data as a data controller. We are the data controller when we decide for which purpose (why), and by which means (how) we will process data.

Please note that this Notice does not apply to our processing activities as a data processor, when we merely process data on behalf of another controller. Our legal rights and obligations as a data processor are instead set out in the contract between us and the relevant data controller. These can be found in the applicable terms and conditions.

Any questions about your rights under European, Belgian or Swiss data protection legislation (nFADP) may be directed to our data protection coordinator at privacy@approach-cyber.com, or by writing to the following address: APPROACH Louvain-la-Neuve, Axis Parc, Rue Edouard Belin 7, 1435 Mont-Saint-Guibert, Belgium.

If you are a customer or partner of Approach Switzerland, please refer to the customer notice.

For more information on how to exercise your rights, please refer to section 6 of this Privacy Notice.

Approach collects your data in several ways:

  • As website user
  • As customer
  • As potential customer
  • As partner
  • As candidate
  • As intern
  • As visitor of our premises

6.1. How to read this section?

We process your personal data only for specific purposes that are mentioned in this section. Your personal data will not be processed in a way that is not compatible with these purposes.

Below we describe how we process your data. Per processing activity, you may find information on:

  • Purpose: the purposes for which we may process personal data.
  • Personal data: the general categories of personal data that we process.
  • Legal basis: the legal bases of the processing.
  • Retention period: the period for which we keep your data. After this period, your data will be deleted or anonymised.

We use the following legal bases to process your personal data:

  • Your consent
  • A contractual agreement between you and Approach, or your employer and Approach
  • Legitimate interest of Approach
  • Legal obligations of Approach

Approach may contact you, for example to inform you about its products or services, for invoicing and for administrative purposes. We may contact you through various means:

  • By email
  • By phone
  • By post

6.2. How do we process your personal data?

In this title we list all the types of activities in which we process your personal data: via our website, marketing activities, in the job application process, when you are a customer, when you visit our premises and any other type of activity.

6.2.1. Via our website

Purposes:

When you visit our website, we process your personal data for the following purposes:

  • To understand how users use our website, identify users, areas of improvement and personalise content.
  • We do this to enhance users’ website experience and the experience of (potential) customers using our products.
  • We also process the data in this section to advertise our products to you and attract potential customers.

6.2.1.1. Security of our website

Purpose: To prevent spam and misuse of our website, we verify that you are a user and not a bot using our website. We enhance website security to protect against automated attacks and unauthorised access.

We use various techniques and technologies, such as Google reCAPTCHA, cookies and other tracking technologies. The latter are described under 6.2.1.2.

Processed personal data: Using a static website, we process limited personal data. We process your IP address, user interactions with the reCAPTCHA widget, cookies and other tracking technologies.

Legal basis: legitimate interest of Approach to ensure website security, ensuring it is necessary and proportionate to secure our website while respecting your privacy rights.

Retention period: logs of the website are stored for 7 days.

6.2.1.2. Cookies and tracking technologies

Personal data: the data that is processed depends on your preferences regarding our use of cookies and tracking technologies. You can set your preferences here. For more information on the data we process, please refer to our cookie policy.

Legal basis: This may vary depending on the type of cookie used. Please check our Cookie Policy Preference Center.

Retention period: Retention periods vary depending on the type of cookie used. Please check our Cookie Policy Preference Center.

What are cookies?

“Cookies” are small data files that are commonly stored on your device when you browse and use websites and online services and often include an anonymous unique identifier. They are widely used to make websites work, or to work more efficiently, as well as to provide reporting information and assist with service or personalisation.

“Log files” track actions occurring on the website and collect data including your IP address, browser type, Internet service provider, referring/exit pages, and date/time stamps.

How do we manage these cookies?

We use CookieYes to manage cookies. You may find more information in our Cookie Policy.

6.2.1.3. Ads

Personal data: Google Analytics 4 collects various information about website visitors, such as IP addresses, device types, and browser types, to provide analytics and insights about user behaviour.

Purpose: We use this information to understand how users interact with our website, to identify areas for improvement, and to personalize our content and advertising.

Legal basis: We process personal data through ads under the basis of legitimate interest, ensuring it is necessary and proportionate to provide relevant content while respecting your privacy rights.

Retention period:

  • User data: 14 months.
  • Events data: 2 months.
  • For more information, please refer to our Cookie Policy.

How do we manage advertising?

We use Google Analytics 4 on our website. This is a web analytics service provided by Google that tracks and reports website traffic.

For more information on Google Analytics 4, you can visit the Google Analytics Support page. You can opt out of Google Analytics by adjusting cookie settings or using the Google Analytics opt-out browser add-on.

6.2.2. Marketing communication, leads and events

Purposes: We process your contact information to send you marketing emails and create content you can download on our website. We also use it for planning, organising, and executing marketing activities such as events, promotion, registration, and post-event follow-ups.

6.2.2.1. Marketing communication

Personal data: Email addresses, names, job titles.

Legal basis: We ask for your explicit consent to receive marketing communication. If you are an existing customer, we may use legitimate interest to offer you similar services in line with data protection legislation.

Retention period: We keep this data as long as we have your active consent, and for a maximum of 2 years. We ask you to renew your consent every 2 years.

How do we manage marketing communication?

We use Plezi to send you marketing emails and to create content you can download on our website. The personal data we process is stored in our Customer Relationship Management system.

6.2.2.2. Events

Processed personal data: If you register for or attend an event sponsored by Approach, the event organiser may share your contact information with Approach. We process your contact information, such as first name, last name, email address, professional phone number, job title, company name, and other information provided voluntarily during event registration or communication.

Legal basis: We process personal data for events sponsored by Approach under the basis of legitimate interest, to manage event participation, provide relevant information, and enhance the attendee experience while respecting your right to privacy.

Retention period: Event registration data will be kept for 2 months, starting from the moment you register.

6.2.2.3. Lead generation

How do we manage lead data?

We collect leads when:

  • You contact one of our partners and express interest in our services. The partner may then share your contact information with Approach.
  • When you interact with our website, using our contact form.
  • After an event sponsored by Approach, we process your contact information.
  • If people download whitepapers or fill out contact forms on our website.

We use Plezi on our website and our CRM tool to collect and manage leads. Inactive leads will be automatically deleted after 18 months, unless you consent to keep your data longer.

Personal data: contact information, such as first name, last name, email address, phone number, company name.

Legal basis: We process your personal data to generate leads, based on legitimate interest to establish and manage business relationships while respecting your privacy.

Retention period: We keep your contact information as a lead for up to 18 months, from the last interaction with our Sales and Marketing team, or from the last expression of interest in our brand or services.

6.2.3. Job application

Purpose: We use the data from your job application to manage CVs, interview notes and reference checks and pre-contractual communication. We might also include your CV in our Talent Reserve to contact you in case positions open that you may be interested in.

Personal data:

  • Identification data: Name, marital status, place and date of birth, age and gender, address, email address, nationality…
  • Studies and training information: education, training, diplomas, certificates, skills and competencies.
  • Occupational information: current position and responsibilities, previous professional positions and experience, date of departure, reason for departure, working conditions and professional competencies and abilities; data related to mobility (means of transportation, willingness to move, driver’s license).
  • Knowledge and competency tests: these data are collected only if, after an initial analysis, your CV is considered suitable for a position.
  • Criminal records data: When the law allows us to process your criminal records, we may process an extract of your criminal record.
  • Information about expectations for income and compensation and other data resulting from individual interviews.

Legal basis:

  • Consent: We will always ask for your explicit consent to contact your previous and current employers and/or the contacts you have indicated.
  • Performance of a (future) contract: we process your data on the basis of precontractual measures necessary for the performance or the execution of a labour or an internship contract.
  • Legitimate interest: we process data when it is necessary for Approach’s legitimate interests. We do so with the goal of correctly evaluating your application. Examples are when we:
    • Communicate your personal data to centres that conduct personality assessments. These assessments will evaluate character traits, behaviour and attitudes through various techniques (self-report questionnaires and (interview-based) assessments). This data is processed only to evaluate if you are capable of occupying the job you applied for. No automated decision-making is used during this process.
    • Include your CV in our recruitment reserve. When you apply for a job and are not retained, we may keep your data in our recruitment reserve. This way, we can contact you when a position opens that you may be interested in. You may object at any time.
  • Manage the recruitment process: we use your contact information to arrange meetings and interviews with you.
  • Criminal records check:
    • When we have a legal obligation to do so, we may process an extract of your criminal record. This may be the case when you need a security clearance to work for an Approach client.
    • When Approach clients require a criminal record check contractually (so without it being required by law), Approach does not process criminal records, but will do an eye check. The purpose of the eye check is to see if you have a clean criminal record. Your criminal record will not be stored or otherwise processed.

Retention period:

If you apply for a job and are not retained, we may keep your personal data for 2 years in our recruitment reserve. This period starts from the moment you apply and we include your data in our CRM tool. We may keep your data after this 2-year period only if you give us your explicit consent to do so. If we do not get your explicit consent after this period, your personal data will be erased.

We keep your data in a Talent Reserve to build a living database of CVs. This way, we can contact you in case of future employment opportunities. As we are a growing company in a quickly evolving domain of privacy and security, we are constantly on the lookout for new profiles. We have set this retention period in line with the recommendations of data protection authorities.

In case you get a job at Approach (congratulations!), you will be informed of how we process your personal data within the framework of HR and payroll management before signing your employment or internship contract.

6.2.4. Customers

Purposes: We process customer data to ensure the efficient delivery of our services, maintain high standards of customer satisfaction, and comply with legal obligations. Specific purposes are set out per activity.

6.2.4.1. Payment processing

Personal data: Name of finance contact point, job title, email address, address, phone number, payment details (e.g., credit card number, bank account), invoice history.

Legal basis: We process this personal data based on the performance of a contract, ensuring transactions are securely completed and obligations are fulfilled in accordance with the agreed terms.

Retention period: Information about purchases and invoices is kept for a period of 10 years from the date of the transaction to comply with tax and financial regulations.

6.2.4.2. Support

Personal data: Name, contact information (email, phone number), customer ID, communication history, issue details.

Legal basis: Legitimate interest to resolve customer issues and ensure service quality, while ensuring customers’ privacy rights are respected.

Retention period: For the duration of the support case. For quality assurance, we keep the data until the contract expires.

6.2.4.3. Testimonials

Personal data: Name, job title, picture (if provided), written testimonial, and information voluntarily submitted.

Legal basis: We process personal data for testimonials based on consent, ensuring individuals have willingly agreed to share their experiences while retaining the right to withdraw their consent at any time.

Retention period: Until the customer withdraws consent or the testimonial is no longer relevant, with a maximum of 5 years.

6.2.4.4. Interactions with customer

Personal data: Name, email address, phone number, email communications, chat transcripts.

Legal basis: We process personal data under the basis of legitimate interest to improve our services and resolve issues arising from interactions with customers, ensuring a better user experience while respecting individuals’ rights and privacy.

Retention period: We keep the data until the contract with you expires.

6.2.4.5. Customer satisfaction survey

Personal data: Name, email address, survey responses, IP address.

Legal basis: We process personal data for customer satisfaction surveys on the basis of legitimate interest, ensuring we gather valuable feedback to enhance our services while respecting individuals’ privacy.

Retention period: Survey data is retained for up to 1 year after the survey closes unless anonymized for statistical purposes.

6.2.4.6. Audit

We are ISO 27001/27701 certified. This implies frequent audits to ensure we still adhere to the certification standards.

Personal data: Name, contact details, transaction records, communication logs.

Legal basis: Legitimate interest, to ensure compliance with legal obligations and certification obligations, while ensuring individuals’ privacy.

Retention period: Retain for the period required to complete the audit, unless legally required to keep longer.

6.2.5. Office access management for visitors

Purpose: To implement entry control and ensure that visitors have access only to the allowed areas. Being ISO 27001 and 27701 certified, we need to ensure compliance with our certification obligations. Visitors with a badge will be registered with a QR code.

Personal data: Identification information, contact information.

Legal basis: We process personal data for office access management for visitors on the basis of legitimate interest, ensuring security, safety, and operational efficiency while respecting individuals’ rights and privacy.

Retention period:

  • Access management of visitors with a badge (QR code registration): 3 months
  • Access management of visitors without a badge (just ring the bell): for the length of the visit

6.2.6. Other uses of data  

We may process any of your personal data identified in this Notice where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.

The legal basis is our legitimate interests, namely the protection and assertion of our legal rights, your legal rights and the legal rights of others. We may process any of your personal data identified in this Notice where necessary for the purposes of obtaining or maintaining insurance coverage, managing risks, or obtaining professional advice.

In addition to the specific purposes for which we may process your personal data set out in this section, we may also process any of your personal data where such processing is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.

Please do not supply any other person’s personal data to us, unless we prompt you to do so.

7.1. Use of processors

We are free to rely on data processors. The processor will always act on our instructions, and we require the processors to ensure the security and confidentiality of the personal data. We rely on processors for recruitment, cloud services, customer relationship management, hosting, administrative purposes, accounting, marketing, analytic purposes, communication or whistleblowing purposes.

For an optimal protection of your personal data, we have made the necessary contractual arrangements with our processors to ensure that they apply the highest privacy standards.

7.2. Processors used for the Approach website

Our website includes hyperlinks to, and details of, third-party websites. We have no control over, and are not responsible for, the privacy policies and practices of third parties.

These third-party websites include the following: YouTube, Facebook, LinkedIn, Instagram.

7.3. Processors used for Approach services

To deliver our services efficiently and securely, our organization engages third-party service providers (‘data processors’) to handle certain data processing activities on our behalf. We have data protection agreements with these processors to ensure they adhere to the highest standards of data protection when processing your personal data.

When you enter into a contractual relationship with Approach, we provide a data protection agreement that includes a list of the processors for the services we provide to you. These data protection agreements can be found here.

7.4. Partners

Approach may share contact details of (potential) customers with partners. We have data processing agreements in place with our partners, to ensure they adhere to the highest standards of data protection when processing your personal data.

We do not use external suppliers to process your data as a job candidate.

As a natural person, you have rights regarding your personal data. Under Swiss law (‘nFADP’), you may exercise your rights both as a natural person and as a legal person.

At Approach, we will always work to uphold your rights. You may find below an overview of your rights and how to exercise them.

Right to be informed

You have the right to be informed about our collection and use of your personal data. We explain how we process your data in this Privacy Notice. However, you can always contact us if you have any questions or want to find out more.

Right to access

You have the right to access the personal data we hold about you. If you want to know what personal data we have about you, you can ask us for details of that personal data and for a copy of it (where any such personal data is held). This is known as a “subject access request”.

Right to correction

You have the right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete.

Right to erasure (‘right to be forgotten’)

You have the right to be forgotten, i.e. the right to ask us to delete or otherwise dispose of any of your personal data that we have. You can exercise this right if:

  • we no longer need your personal data for the original purpose,
  • you withdraw your consent for processing it,
  • you object to us processing your personal data for our legitimate interest,
  • we unlawfully process your personal data or
  • if a local law requires us to erase your personal data.

For this type of request, we ask you for a proof of identity, so that we do not unjustly erase your data. To prove your identity, you may send us a copy of the front side of your e-ID card or driver’s license. Please make sure to redact the copy so that only your first name, last name and birth data are visible. We are happy to help if you need support to do so.

Right to restrict processing

You have the right to restrict (i.e. prevent) the processing of your personal data. You have the right to ask us to restrict the use of your personal data if:

  • you believe that the personal data which we hold is inaccurate,
  • we are processing the personal data unlawfully,
  • you have objected to us processing your personal data for our legitimate interests or
  • we no longer need the personal data for the purposes of processing but you want us to keep this for the establishment, exercise or defence of legal claims.

Right to data portability

You have the right to data portability. This means that you can ask us for a copy of that personal data to re-use with another service or business in a structured, commonly used and machine-readable format under the following conditions:

  • you have provided us directly with personal data,
  • we are using it with your consent or for the performance of a contract,
  • that data is processed using automated means.

However, this right does not apply where it would adversely affect the rights and freedoms of others. This is the case when we cannot technically provide you a copy of the data, without including personal data about other individuals.

Right to object

You have the right to object to us using your personal data for a particular purpose or purposes. If you make such an objection, we will cease to process the personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests (for example combating fraud), rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.

Rights relating to automated decision making

You have the right not to be subject to decisions which may legally or significantly affect you and that were based solely on automated processing using your personal data. We will however not use your personal data in this way.

How can you exercise your data subject rights?

You can always opt out of direct marketing or exercise your rights by using the following communication channels:

Approach postal address:

APPROACH Louvain-la-Neuve
Axis Parc
Rue Edouard Belin 7
1435 Mont-Saint-Guibert
Belgium

Approach Switzerland SA

APPROACH Lausanne
Campus Unlimitrust
Route des Flumeaux 46
1008, Prilly (Lausanne)
Switzerland

Email address:

Send us an email at privacy@approach-cyber.com.

For more information about our use of your personal data or exercising your rights as outlined above, we advise you to consult our FAQ or contact us via email: privacy@approach-cyber.com.

Is there a cost to exercising your rights?

There is in principle no charge for exercising your rights. If, however, your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests), a fee may be charged to cover our administrative costs in responding.

Progress and outcome of your request

We will respond to your request within one month after receiving it. Normally, we aim to provide a complete response, including a copy of your personal data within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date we receive your request. You will be kept fully informed of our progress.

Filing a complaint with the Data Protection Authority

If you consider that our processing of your personal information infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. The contact details of your supervisory authority can be found here.

In certain circumstances, we may store your personal data in or transfer it to countries that are not part of the EEA. This might be the case when we are using processors who make use of specific sub-processors.

Countries outside the EEA are known as ‘third countries’ and may not have data protection laws that are as strong as those in the EEA. This means that we will take additional steps to ensure that your personal data is treated just as safely and securely as it would be within the EEA and under the Data Protection Legislation:

  • We transfer your personal data to third countries whose levels of data protection are deemed ‘adequate’ by the European Commission or the Swiss Federal Council. More information is available from the European Commission and the FDPIC websites.
  • We use specific contracts with external third parties that are approved by the European Commission for the transfer of personal data to third countries. These contracts require the same levels of personal data protection that would apply under the GDPR and Swiss nFADP.

If you are located outside the EEA, similar restrictions apply.

Please contact us for further information about the data protection mechanisms used by us when transferring your personal data to a third country.

Approach retains your data only to the extent we are obliged to do so. This is the case when we have a legal obligation or for the duration of the services we provide to you in accordance with this Privacy Notice and the purposes for which your data were collected. The duration for which we retain your data is mentioned under section 6 of this Privacy Notice.