Data Protection Policy
Découvrez comment Edonys traite et protège vos données personnelles
General information
It is important that you (hereinafter the “User“) carefully read this Data Protection Policy in conjunction with the General Terms and Conditions of Use and the Cookies Policy before using the Edonys Website and/or Platform and the Package of Application Modules.
By using the Website, the Platform including the Softwares, Applications and/or Application Modules as well as any additional service provided by the Service Provider, you give your express consent freely, without any haste, having read and understood all the terms used.
The company responsible for processing personal data is VIREO S.à r.l., a limited liability company established at 4, rue Jean-Pierre Brasseur, L-1258 Luxembourg, trading under the name Edonys, registered in the Luxembourg Trade and Companies Register under number B.222.152 (“The Service Provider“) and represented by its current CEO.
The Service Provider undertakes to do everything in its power to protect the privacy of its Users. If you do not accept all or part of the provisions of this Policy, you must not click on “I accept” but inform the Service Provider at gdpr@vireo.lu of the provisions with which you disagree. A total refusal could make it impossible to access the Software, Application(s) and/or Application Module(s).
This document is drawn up in French and may be translated into other languages. In the event of any discrepancy or contradiction between the French version and its translation, the provisions of the French version shall prevail.
Article 1. Collection of personal data
As part of their relationship with the Service Provider, Users may be asked to provide personal data, which will be collected by the Service Provider to enable the purposes described below to be carried out.
The personal data collected depends on the Application Module Package to which the User has access. Only personal data that is strictly necessary for the purposes described above is processed. Depending on the User’s particular situation and choices, the following data may be processed :
–> Identification data (surname, first name, gender, date of birth, nationality, etc.) ;
–> Contact details (e-mail address, mobile and/or telephone number, postal address, etc.) ;
–> Language used ;
–> Method of introduction to the Application Module Package (employer, internet, press, recommendation, etc.) ;
–> Financial data and asset information (list of movable and immovable assets, etc.) ;
–> Occupational data (job title, etc.) ;
–> Household composition (marital status, number of children, etc.).
Certain sensitive personal data requiring special protection may be processed, such as :
–> Tax identification number ;
–> Income of all kinds identifiable ;
–> Identifiable expenses of all kinds (insurance, loans and other miscellaneous charges, etc.) ;
–> Convincing evidence ;
–> The User’s investment risk profile ;
–> Copy of valid identity document ;
–> Bank details (IBAN and BIC numbers) ;
–> Bank transactions (in accordance with the provisions of the European PSD II Directive) ;
–> Consumption profile.
In certain cases, personal data relating to persons other than the User but communicated by the User may be processed, such as :
–> Children,
–> The spouse/partner,
–> A friend / colleague / family member.
The User who is required to communicate such data undertakes to inform the persons concerned and to obtain their prior authorisation..
Article 2. Processing of personal data
For what purposes and on what legal grounds is personal data processed by the Service Provider ?
By providing the Service Provider with personal data, the User expressly authorises the Service Provider to process (collect, record, organise, structure, store, adapt, modify, extract, consult, use, communicate by transmission, disseminate or otherwise make available, bring together or interconnect, limit, delete or destroy) said data for the purpose(s) set out below.
Firstly, the Service Provider uses the personal information collected to fulfil its contractual obligations towards the User, in particular in order to:
–> Enable the proper performance of the mission for which the Service Provider has been commissioned (use of the Software, Applications and/or Application Modules, updates, helpdesk, improvement of functionalities, etc.) ;
–> Respond to questions, requests for information and/or advice from intermediaries ;
–> Monitor and manage the User’s file ;
–> To allow the transmission of User data to the various authorised sub-contractors in accordance with the User’s requests ;
–> Allow the transmission of User connection and browsing data for the purposes of managing the User’s file ;
–> Transmit any electronic communications and invitations to the User ;
–> Anonymise data in order to use it for statistical purposes.
On the basis of its legitimate interests, the Service Provider may process the personal data thus collected in order to :
–> Manage its User base and have an overall view of Users (for example, by compiling statistics to find out who they are and get to know them better, pursue its legitimate development interests, meet their expectations as effectively as possible, etc.) ;
–> To ensure the proper technical operation of its installations, Software, Applications, Application Modules and additional services ;
–> Prevent abuse, fraud and infringements ;
–> Ensuring the security of goods and people as well as the company’s networks and IT systems ;
–> To establish, exercise, defend and preserve the rights of the company or the persons it may represent, for example in litigation ;
–> Take evidence ;
–> Ensure invoicing and proper follow-up by its accounts department ;
–> Ensuring the technical, legal and/or tax maintenance of software, applications and/or application modules (solving algorithmic problems, checking tax calculations, checking salary calculations, etc.) ;
–> Checking and improving the results (technical, financial, tax, legal) presented by the Software, Applications and/or Application Modules to guarantee their reliability ;
–> Carry out consolidated measurements.
Does the Service Provider use the personal data collected to make automated decisions ?
The Service Provider does not use personal data for profiling purposes or to make automated decisions without the User’s prior consent. For example, to benefit from Joybiiz loyalty rewards, the User must give their prior consent for their data to be transmitted to the Merchants where they make purchases. This consent may also be withdrawn at any time.
Article 3. Why is it necessary for Users to provide their personal data ?
If the User refuses to provide the Service Provider with the data requested as part of the services offered through the Software, Applications and/or Application Modules accessible as part of the Licensing Plan and the additional services subscribed to with the Service Provider, the latter may find itself unable to perform the services offered or subscribed to.
Article 4. Who has access to personal data ?
Persons employed by the Service Provider who have access to Users’ personal data are subject to a strict internal policy of access rights and secure access procedures. They may only access data for the purposes described in Article 2 of these Terms and Conditions and in compliance with current legislation.
In addition to the data processing carried out by the Service Provider, the User may give his/her consent and authorise access to his/her data to the Service Provider’s partners as part of the proper execution and continuity of the use of the Application Module Package. These partners (intermediaries / subcontractors) are for example (non-exhaustive list) :
–> Tax specialists / persons in charge of tax monitoring with whom the User can interact as part of the Assistance accompanying myTax, the digital tax assistant in the TaxWorld package ;
–> Financial/asset advisors with whom the User can interact as part of TaxWorld’s financial analysis and optimization service ;
–> Retailers who offer Users a Joybiiz digital loyalty programme.
In order to protect the User’s privacy, the persons who are authorised to access the User’s data are precisely determined according to their tasks. Their background and reliability are checked beforehand by the Service Provider.
Apart from authorised persons, the Service Provider does not pass on non-anonymised personal data to third parties. In order to achieve the purposes detailed above, the Service Provider may communicate certain information to authorised third parties such as :
–> IT service sub-contractors ;
–> Certain authorities and regulators in order to comply with its legal obligations ;
–> Lawyers in the event of litigation.
Article 5. How is personal data secured and processed ?
All data entered by the User is transferred exclusively via an encrypted connection. The lock icon in the status bar of the User’s browser enables him/her to ensure that his/her data is sent in encrypted form to a server certified and authorised by the Service Provider.
The Service Provider implements an effective data protection security policy. In order to guarantee optimum security of its Software, Applications and Application Modules, this security policy can only be accessed under certain conditions. For further information, the User may contact the Service Provider at gdpr@vireo.lu .
Article 6. How long is personal data kept ?
The Service Provider retains the personal data collected for as long as :
–> Necessary for the purposes detailed above ;
–> A legal obligation imposes such retention ;
–> To ensure that it has the necessary information to protect itself from any legal action.
Article 7. What rights do Users have and how can they exercise them ?
As a data subject, the User has various rights which may be exercised at any time by sending a written request to the Service Provider :
–> To the postal address : 4, Rue Jean-Pierre Brasseur, L-1258 Luxembourg
–> Or by e-mail to gdpr@vireo.lu.
Right to information : Users may ask the Service Provider any questions regarding the recording and processing of their data.
Right of access : Users may obtain confirmation as to whether or not their personal data is being processed and, if so, access to said data and a free copy thereof.
Right to rectification : the User may obtain rectification of inaccurate personal data concerning him/her, bearing in mind that, in principle, only the User has control over such data since it is the User who fills in all the fields (answers to questions) when using the Package of Application Modules. Similarly, the User may request that incomplete data be completed.
Right to erasure : the User may obtain the partial or total erasure of his/her personal data, provided that one of the following reasons applies :
–> The data is no longer necessary for the purposes for which it was collected and processed ;
–> The User has withdrawn the consent on which the processing was based ;
–> The User now objects to the processing and there is no compelling legitimate reason for it ;
–> The data has been processed unlawfully ;
–> The data must be deleted to comply with a legal obligation.
Right to restrict processing : when processing is restricted, personal data may only be processed with the User’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person, or for important reasons of public interest.
The User may request limitation of processing for the following reasons :
–> He disputes the accuracy of the personal data ;
–> In the event of unlawful processing ;
–> The Service Provider no longer needs the personal data for the purposes of processing, but the data is still necessary for the User to establish, exercise or defend legal claims ;
–> The User has objected to the processing (the processing will be limited for the period necessary to verify the existence of legitimate reasons on the part of the Service Provider which prevail over those of the User).
Right to object : the User has the right to object, for reasons relating to his/her particular situation, to the processing of his/her personal data that is necessary for the purposes of the legitimate interests pursued by the Service Provider.
The Service Provider will no longer process such personal data unless it can be shown that there are compelling legitimate grounds for the processing which override the interests of the User and his/her rights and freedoms, or for the establishment, exercise or defence of legal claims.
If the User’s personal data is processed for canvassing purposes, the User has the right to object to this processing at any time.
Right to portability : the User has the right to receive the personal data concerning him/her that he/she has provided, in a structured, commonly used and machine-readable format, and to transmit this data to another data controller without the Service Provider being able to prevent this when the processing is based on consent or on a contract and the processing is carried out using automated processes.
Right to withdraw consent : where processing is based on consent, the User has the right to withdraw consent. Withdrawal of consent does not affect the lawfulness of processing based on consent carried out prior to the withdrawal of consent.
Right to lodge a complaint : the Service Provider shall use its best endeavours to ensure compliance with its legal obligations in terms of data protection and to respond as quickly as possible to any complaint made to it in this respect. If the User is not satisfied with the response received, he or she may lodge a complaint with the Data Protection Authority :
Commission Nationale pour la Protection des Données (CNPD)
1, Avenue du Rock’n »Roll
L-4361 Esch-sur-Alzette
+352 26 10 60 – 1
