This policy applies to Liege Airport, Liege Airport Business Park, and Liege Airport Security.

Introduction

The purpose of this policy (hereinafter the “Policy”) is to inform you about how we collect, use, and share your personal data in accordance with European Regulation No. 2016/679 of April 27, 2016 (GDPR), the Belgian Law of July 30, 2018 on the Protection of Privacy, and any other applicable regulations in force (hereinafter collectively referred to as the “Regulations”) in order to fulfill the purposes described below.

LIEGE AIRPORT is committed to limiting the processing of personal data to only the cases listed in this policy, in accordance with the principles of data minimization and transparency, and to updating this policy to ensure a high level of personal data protection in compliance with applicable Regulations and evolving threats.

With this in mind, LIEGE AIRPORT attaches great importance to the protection of your personal data and your privacy. All processes and procedures for managing personal data are designed to ensure strict compliance with the fundamental principles of the General Data Protection Regulation (GDPR), including lawfulness, data minimization, transparency, purpose limitation, and data security. LIEGE AIRPORT strives to raise awareness among all its teams and stakeholders regarding the importance of data protection and to implement appropriate organizational and technical measures to ensure the accessibility, confidentiality, and integrity of the personal data processed.

The purpose of this privacy policy is to provide you with the following information:

  • The identities of the data controllers and the Data Protection Officer (DPO)
  • The categories of personal data collected and processed
  • The purposes and legal bases associated with the processing of this personal data
  • The security measures in place for this personal data
  • The recipients of this personal data
  • The retention period for this personal data
  • The rights of data subjects and how to exercise them

Definitions

  • Personal data: any information relating to an identified or identifiable natural person.
  • Processing of personal data: any operation or set of operations performed on personal data or on sets of personal data, whether by automated means or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  • Data Controller: a natural or legal person, public authority, agency, or any other body that, alone or jointly with others, determines the purposes and means of the processing of personal data. In other words, the data controller decides why and how personal data is collected and used.
  • Data Protection Officer (DPO): a person or department appointed by the data controller or processor to ensure compliance with personal data protection regulations. The DPO’s primary mission is to inform and advise the organization and its members on their obligations, monitor compliance with data processing requirements, cooperate with the supervisory authority, and serve as a point of contact for data subjects who wish to exercise their rights or obtain information on how their data is processed.
  • Processor: a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller. This means that the processor acts on the instructions of the controller, without itself determining the purposes or means of data processing. Its role is to carry out processing operations on behalf of an organization, while complying with the obligations and safeguards imposed by the GDPR, particularly regarding the security, confidentiality, and traceability of personal data.
  • Purpose of personal data processing: the specific, explicit, and legitimate objective pursued when collecting and processing such data. In other words, it is the reason why personal data is collected, used, and stored.
  • Legal basis for the processing of personal data: the legal foundation that authorizes an organization to collect and process personal data. In other words, it is the ground provided by the regulations that legitimizes such processing. Thus, any collection and use of personal data must be based on one of these grounds, and the data controller must be able to justify the basis chosen for each purpose.
  • Standard Contractual Clauses: a set of standardized provisions adopted by the European Commission to provide a legal framework for transfers of personal data from the European Union to third countries that do not offer an adequate level of protection. These clauses define the rights and obligations of the data exporter and importer to ensure that the transfer complies with the GDPR’s requirements regarding security, confidentiality, and respect for the rights of data subjects.
  • Data Processing Agreement (DPA): a data processing agreement is a contract entered into between a data controller and a data processor when an organization entrusts a service provider with operations involving personal data. This agreement establishes the legal and operational framework within which the processor processes the relevant data on behalf of the controller. This document, required by the General Data Protection Regulation (GDPR), formalizes the relationship between the parties to ensure compliant, secure processing that respects the rights of data subjects.
  • Non-disclosure agreement (NDA): also known as a confidentiality agreement, an NDA is a contract whereby one or more parties agree not to disclose certain confidential information obtained in the course of a professional, commercial, or contractual relationship. Generally, this type of agreement aims to protect sensitive information such as trade secrets, know-how, technical or commercial data, customer lists, ongoing projects, or corporate strategies. Confidentiality agreements are frequently used during business negotiations, partnerships, recruitment, or in any context where sensitive information must be exchanged with third parties while preserving its confidential nature.
  • Confidentiality, Integrity, and Availability: The CIA principle—an acronym for Confidentiality, Integrity, and Availability—is an essential framework for information system security and the protection of personal data. It aims to ensure that information—whether public, private, or sensitive—is adequately protected against risks, threats, and unauthorized use.

Identities of the Data Controller and the Data Protection Officer (DPO)

The LIEGE AIRPORT Group, represented by LIEGE AIRPORT and its subsidiaries LIEGE AIRPORT SECURITY and LIEGE AIRPORT BUSINESS PARK (hereinafter “LIEGE AIRPORT”), acts as the data controller within the meaning of the GDPR.
The Data Protection Officer (DPO) can be contacted at dpo@liegeairport.com for any questions regarding the processing of your personal data and the exercise of your rights under the GDPR.

Categories of data processed

The categories of personal data processed by LIEGE AIRPORT may include, in particular:

  • Identification data (e.g., last name, first name, mailing address, email, phone number),
  • Data related to professional life (e.g., job title, company),
  • Authentication data (e.g., username),
  • Financial and economic information (e.g., bank account number, payment history, etc.),
  • HR data for staff (e.g., salary, national ID number, etc.),
  • Geolocation data (e.g., access badge logs, flight number, departure and arrival locations, etc.),
  • Login or browsing information on the airport’s digital platforms (e.g., login logs, cookie preferences, IP address, etc.),
  • Any other category of data strictly necessary for the management of LIEGE AIRPORT’s activities or regulatory obligations.

All data is collected in accordance with the intended purpose, lawfully, and processed in compliance with applicable regulations.

Purposes and Legal Bases for the Processing of Personal Data

Purposes

Personal data is collected for the following purposes:

  • To ensure the safety and security of the facilities,
  • To manage job applications for recruitment purposes,
  • To perform statistical analysis of website and digital solution traffic,
  • To manage cookies and user preferences when browsing websites and digital solutions,
  • To provide technical support and maintenance to ensure the proper functioning and security of the digital platforms and websites offered,
  • To improve the functionality and quality of navigation on digital solutions and websites by conducting tests, research, analyses, studies, and surveys,
  • To conduct sales prospecting activities,
  • To invite you to events we organize, either on our own or in partnership with others,
  • To invite you to participate in our customer satisfaction surveys, advertising contests, and various promotions,
  • To comply with the legal obligations to which we are subject,
  • To execute and enforce all of our contracts and services provided,
  • To carry out any other purpose strictly necessary for the proper conduct of our business.

If we need to collect additional data or process personal data for purposes other than those mentioned in this policy, all information regarding the new purpose, as well as any other necessary information, will be communicated to the data subjects in advance. Similarly, all necessary measures, including informing the data subjects, in accordance with the legal basis or bases related to any new purpose, will be taken before the new processing begins.

Legal Bases

Each data processing operation carried out by LIEGE AIRPORT is primarily based on one or more of the following legal bases:

  • The consent of the data subject (e.g., transfer of image rights, cookie management on websites, etc.),
  • The performance of a contract or pre-contractual measures (e.g., employment contract, recruitment, etc.),
  • Compliance with a legal obligation (e.g., security obligations),
  • The legitimate interest of the data controller (e.g., physical security of infrastructure, statistics, etc.).

Recipients of personal data

Data may be transmitted to internal departments of LIEGE AIRPORT that are authorized to process it, to its subcontractors (e.g., web host, IT service provider, service provider) as necessary, and to the competent authorities in the event of a legal obligation.
Unless required by law, accounting standards, or court order, we will not disclose, rent, sell, or transfer your personal data to third parties in any way.

Transfer of Personal Data Outside the EU

In principle, LIEGE AIRPORT does not transfer your personal data outside the European Union. If such a transfer were to occur, this data would not be transferred to a country that does not offer an adequate level of protection, and the transfer would be governed by appropriate safeguards (standard contractual clauses, data processing agreements, adequacy decisions, non-disclosure agreements, etc.).

Disclosure of data to the competent authorities may be necessary.
Prior to any transfer, LIEGE AIRPORT undertakes to work exclusively with processors that have appropriate technical and organizational measures in place to ensure the confidentiality and security of the personal data concerned by the potential transfer.

Retention Period

Your personal data is retained only for the period strictly necessary to achieve the purposes set forth in this policy, in accordance with applicable regulations and laws.
After this period, your personal data will be deleted.

Rights of data subjects

Depending on the purpose(s) and associated legal basis or bases, you may at any time exercise the rights granted to you under the GDPR:

  • Request access to your personal data;
  • Request the rectification of inaccurate personal data concerning you;
  • Request the erasure of your personal data;
  • Restrict our processing of your personal data;
  • Withdraw your consent to the processing of your personal data;
  • Object to the processing of your personal data;
  • Obtain a copy of your personal data (right to data portability).

To exercise these rights, you may contact us at the following address: dpo@liegeairport.com.

Storage and protection measures for personal data

The personal data collected is stored in a secure environment at LIEGE AIRPORT or its data processor, accessible only to authorized personnel designated to process such data.

LIEGE AIRPORT and its processors take appropriate technical and organizational measures that comply with applicable privacy and data protection laws to ensure the accessibility, confidentiality, and integrity of this data.

Data security relies on appropriate technical and organizational measures, such as, but not limited to:

  • Encryption of communications and sensitive databases,
  • Access rights management and strong authentication,
  • Proactive network monitoring and intrusion detection systems,
  • Regular staff training and awareness campaigns on data protection,
  • Project management procedures based on the Privacy by Design principle,
  • Contract templates specific to the processing of personal data.

LIEGE AIRPORT takes reasonable measures to ensure that the personal data processed is reliable for the intended use, and as accurate and complete as necessary to fulfill the objectives described in this policy.

If any individual covered by this policy has reason to believe that interaction with LIEGE AIRPORT is no longer secure (for example, if there is a concern that the security of personal data may have been compromised), they are encouraged to immediately notify the DPO at dpo@liegeairport.com.

If a data subject is dissatisfied with the manner in which personal data is processed and feels that contacting LIEGE AIRPORT will not resolve the issue, applicable privacy laws grant any data subject the right to file a complaint with the competent supervisory authority: https://www.autoriteprotectiondonnees.be/.

Awareness and Training

As part of its ongoing commitment to the protection of personal data, LIEGE AIRPORT places paramount importance on regular awareness-raising and training for all staff members. These initiatives aim to embed compliance and security measures into daily processes and behaviors for everyone, thereby ensuring their effectiveness and sustainability.

Training modules tailored to different roles and levels of exposure aim to foster an understanding of data protection issues, provide guidance on best practices for daily work, and highlight the risks associated with the inappropriate or insecure processing of personal information.

Throughout the year, regular reminders, internal campaigns, and targeted communications reinforce knowledge and encourage everyone to remain vigilant in the face of technological developments and new threats.

Furthermore, LIEGE AIRPORT pays particular attention to raising awareness and fostering accountability among its suppliers and customers regarding the protection of personal data. Within the framework of its contractual and operational relationships, LIEGE AIRPORT ensures that clear confidentiality and security requirements are established to guarantee that every external partner adopts the appropriate standards and complies with the principles of the GDPR. This proactive approach aims to extend the culture of security beyond the organization, reinforcing shared vigilance regarding privacy issues.

Revisions and Updates

We may need to modify this policy to comply with regulatory, legal, editorial, or technical changes.

If necessary, we will change the “revision” number and indicate the “date” on which the changes were made.

We recommend that you regularly review this policy, which is also available on our website, to stay informed of any changes or updates.