GDPR

Under the General Data Protection Regulation (Regulation (EU) 2016/679), you have the following rights with respect to your personal data:

• Right of access (Art. 15) — to know whether we process your personal data and, if so, get a copy.
• Right to rectification (Art. 16) — to correct inaccurate or incomplete data.
• Right to erasure (Art. 17, “right to be forgotten”) — to ask for deletion when the data is no longer needed, you withdraw consent, or processing is unlawful.
• Right to restriction (Art. 18) — to limit our processing under specific circumstances (e.g. while you contest the accuracy of the data).
• Right to portability (Art. 20) — to receive your data in a structured, commonly-used, machine-readable format and have it transmitted to another controller where technically feasible.
• Right to object (Art. 21) — to object to processing based on legitimate interests, including profiling and direct marketing.
• Right not to be subject to automated decisions (Art. 22) — including profiling, where it produces legal or similarly significant effects on you.
• Right to withdraw consent (Art. 7) — at any time, where processing is based on consent. Withdrawal does not affect the lawfulness of processing carried out before.

Send your request to [email protected]. To help us locate your data and prevent fraudulent requests, please include:

• The right(s) you wish to exercise.
• The email address associated with your senga account.
• A short description of the data the request concerns (if specific).
• Proof of identity, where reasonably needed to confirm the request.

We respond within 30 calendar days of receipt. For complex or numerous requests, we may extend this period by up to two further months and we will notify you within the first month if so. Responses are free of charge unless requests are manifestly unfounded or excessive (in which case we may charge a reasonable fee or refuse to act).

When senga processes data about your customers, employees, or contacts on your behalf, you (the senga customer) are the controller and we are the processor. Data-subject requests concerning that data must be addressed to you, not to us — but we will help you respond. The mechanics are governed by our Data Processing Agreement.

When we process data about you (the senga customer or visitor) to operate the website and provide the Services, we are the controller — our handling of that data is described in the Privacy Policy.

The legal bases we rely on for processing personal data are listed in our Privacy Policy. The shortlist:

• Contract (Art. 6(1)(b)) — to deliver the Services.
• Legitimate interests (Art. 6(1)(f)) — security, fraud prevention, product improvement.
• Legal obligation (Art. 6(1)(c)) — accounting, tax, regulatory.
• Consent (Art. 6(1)(a)) — product update emails, optional cookies (we don't set any).

The Services run inside the European Union. We do not transfer personal data outside the EU/EEA except where a subprocessor we engage operates outside it — in which case the transfer is covered by the European Commission's Standard Contractual Clauses, plus supplementary measures where required by case law (e.g. Schrems II).

The full subprocessor list, including each subprocessor's location, is in the DPA.

If you believe our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority — in particular in the EU member state where you reside, where you work, or where the alleged infringement took place.

The Belgian supervisory authority is:

Autorité de Protection des Données / Gegevensbeschermingsautoriteit
Rue de la Presse 35, 1000 Bruxelles
Web: dataprotectionauthority.be
Phone: +32 2 274 48 00

We update this page when our practices change or when guidance from the European Data Protection Board makes us refine our procedures. The effective date appears at the top.