B2B PRIVACY POLICY

Table of Contents

1. Introduction
2. Purpose of this Privacy Policy
3. What is the legal framework in this area?
4. What are our principles regarding the protection of personal data?
5. What terms will help you understand this privacy policy?
6. Who is responsible for processing your personal data?
7. What data do we collect and how?
8. Why do we process your data, and what is the legal basis for this processing?
9. How long do you retain your data?
10. How do we protect your data?
11. Who has access to your data?
12. What are your rights?
13. How can you exercise your rights?
14. Questions, inquiries, or complaints
15. Update to our Privacy Policy, Applicable Law, and Jurisdiction

1. Introduction

Brussels Expo (hereinafter“we”) is dedicated to fostering and developing a hub for meetings and exchanges aimed at promoting economic, commercial, industrial, scientific, cultural, and recreational activities, particularly across the territory and within the various buildings granted to us by the City of Brussels. To this end, we carry out all useful or necessary activities, including the provision of services directly or indirectly related to the organization of trade fairs, conventions, conferences, exhibitions, concerts, festivals, and other events.

This includes the processing of personal data of individuals involved in our dealings with other companies.

We process the personal data of all these individuals with the utmost respect for their rights and freedoms.

The purpose of this Privacy Policy is to inform you about how we collect, process, and store this data in connection with our relationship with the company you work for. We also want you to be aware of your rights in this regard. To that end, we encourage you to read this Privacy Policy carefully.

If you have any questions regarding the content of our privacy policy or wish to exercise any of your rights regarding your personal data, please contact us at[email protected].

2. Purpose of this Privacy Policy

This Privacy Policy applies to ourbusiness-to-business(B2B) operations and, more specifically, to the personal data collected in connection with such operations. These operations cover three specific scenarios:

• (Pre)contractual relationship: the entity for which or with which you work collaborates with us or is our partner;
• Accreditations: you must have accreditation to access our sites, and a request must be made to us for this purpose;
• B2B Marketing: You receive promotional materials about our activities in your capacity as a contact person or representative of a partner company.

3. What is the legal framework governing this matter?

The current legal framework for the protection of personal data consists of the provisions of the Law of July 30, 2018, on the protection of natural persons with regard to the processing of personal data, and those of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, commonly known as the “General Data Protection Regulation” (hereinafter,“GDPR”).

In accordance with this legal framework, you will find below information relating to the processing we carry out in the course of our activities.

4. What are our principles regarding the protection of personal data?

We value the personal data of data subjects and their privacy. Trust is paramount in our relationships. We process this data lawfully, transparently, fairly, and responsibly. We make every effort to adopt appropriate organizational and technical measures to protect data. Finally, we strive to collect as little data about you as possible in order to achieve our purposes.

5. What terms will help you understand this privacy policy?

• Data subject: any identified or identifiable natural person. This refers to the person whose personal data we process and collect. In this case, that means you.
• Personal data: any information relating to a data subject. This definition is broad, as data is considered personal if it allows a natural person to be identified either directly (last name, first name, photo, etc.) or indirectly (email address, customer number, employee number, etc.). When we refer to “data” in this privacy policy, we are referring to personal data.
• Processing: any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means. Here too, the definition is broad. Any manipulation of personal data constitutes processing: collection, consultation, storage, sending, modification, erasure, etc.
• Data controller: In this case, this refers to the legal entity that determines the purposes and means of processing your personal data and decides why your data is collected and processed. It is also the entity that will be held responsible for compliance with applicable data protection standards. In this case, that means us, Brussels Expo (see point 6).
• Processor: a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller. The processor does not determine the purposes for which the processing is carried out; rather, it carries out the processing on behalf of the controller.
• Third party: any natural or legal person, public authority, agency, or body other than the data subject, the controller, the processor, and the persons who, acting under the direct authority of the controller or the processor, are authorized to process personal data
• Recipient: the natural or legal person, public authority, agency, or any other body to which personal data are disclosed, whether or not it is a third party. However, public authorities that may receive personal data in the course of a specific investigative task in accordance with Union law or the law of a Member State are not considered recipients; the processing of such data by the public authorities in question complies with applicable data protection rules in accordance with the purposes of the

6. Who is responsible for processing your personal data? 

Personal data is processed by the non-profit organization Parc des Expositions de Bruxelles, abbreviated as “Brussels Expo,” which has its registered office at Place de Belgique 1, B-1020 Brussels, and is registered with the Crossroads Bank for Enterprises under number 406.655.573.

7. What data do we collect, and how? 

(a) Data collection methods

The data we collect and process is data that you voluntarily provide to us or to one of our subcontractors.

We collect your personal data in the course of ourbusiness-to-businessoperations, primarily through one of the following methods:

• the email address[email protected];
• an email to one of the employees or representatives of Brussels Expo;
• websitebrussels-expo.com;
• website:https://ing.arena.brussels/;
• websitela-madeleine.be;
• The Brussels Expo online store, accessible athttps://shop.expo.brussels/expo/
• the ticketing platform managed by Brussels Expo;
• data provided by our partners;
• data collected due to the physical presence of the data subject at one of our sites.

(b) Categories of personal data collected

By providing us with personal data through any of these means or by any other means, you agree to provide us with true and accurate information about yourself.

Depending on the case, the data we collect includes the following:

• contact information (title, last name, first name, work email address, phone number, date of birth, place of birth, national ID number or NISS number, license plate number, language, country);
• the name of the company you work for or represent, its VAT number, the address of its headquarters, the company’s bank details, and your position within the company;
• handwritten signature;
• your questions/comments/communications;
• The credit card number used to purchase a parking ticket parking
• Login information for the Brussels Expo webshop (username and password);
• Information related to customer billing (financial status and payment history);
• your questions, contact requests, complaints, and any information you provide to us when we communicate with you, including via email;
• the personal information you choose to provide us with in order to enhance your experience, particularly through satisfaction surveys or voluntary customer feedback;
• all information provided in connection with any litigation.

(c) Special categories of personal data

As a matter of principle, Brussels Expo does not process specific categories of personal data revealing your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning your sex life or sexual orientation without your consent.

(d) Non-personal data

We may also collect non-personal data.

This data is classified as non-personal data because it does not allow for the direct or indirect identification of a specific individual. It may therefore be used for any purpose.

This includes, for example, anonymized data such as the results of a survey or a satisfaction survey.

However, if non-personal data is combined with personal data in such a way that the data subjects can be identified, such data will be treated as personal data until it is no longer possible to link it to a specific individual.

(e) Consequences of failing to provide this information

Providing some of the information listed above is required to access certain services offered by Brussels Expo, including the issuance of credentials.

If the data subject does not provide the personal data requested by Brussels Expo, the data subject will be unable to access certain services offered by Brussels Expo.

8. Why do we process your data, and what is the legal basis for such processing?

In accordance with the GDPR, we process your personal data for specific purposes and on the relevant legal grounds, as outlined in the table below:

9. How long do you retain your data?

Your personal data will be retained for as long as necessary to fulfill the purposes for which it was collected and, in any event, until the expiration of the statutory retention periods, particularly those related to tax and accounting matters, and until the expiration of the statute of limitations for contractual liability.

Your data will be deleted when:

• they are no longer necessary for the purpose for which they were collected; or
• you have validly exercised your right to erasure; or
• you have withdrawn your consent, where the processing is based on that consent.

The table below details certain specific legal bases and the corresponding data retention periods.

10. How do we protect your data? 

We have implemented the necessary organizational, technical, and physical measures—commensurate with the risks of infringement of your rights and freedoms—to best protect your personal data against unauthorized access, loss, destruction, or alteration.

Our security measures are regularly evaluated and adapted to ensure a consistently high level of protection.

We have implemented internal access control procedures to limit access to your data to only those individuals whose involvement is necessary for the purpose of processing.

11. Who has access to your data? 

We undertake not to disclose your personal data to third parties other than for the purposes set out in point 8. In this regard, we may disclose your data to our subsidiaries, subcontractors, the police, or our direct partners whose involvement is necessary to achieve the aforementioned purposes.

a) Internal recipients

Access to your personal data is strictly limited within Brussels Expo to the following individuals only:

• authorized personnel in the Entertainment department, particularly with regard to VIP ticketing management;
• authorized personnel from the Operations Department, particularly with regard to event planning, security management, and the management of Brussels Expo’s IT infrastructure;
• authorized personnel in the Marketing & Ticketing department, with regard to promoting our services to our partner companies;
• authorized personnel from the Legal Department, particularly with regard to the protection of Brussels Expo’s rights in court and compliance with applicable laws;
• Generally speaking, authorized personnel responsible for B2B relations.

(b) External recipients

When necessary for these purposes, Brussels Expo may share your data with the following recipients:

• banking institutions;
• tax and social security authorities;
• our lawyers in the event of disputes, tax advisors, or any other person bound by confidentiality;
• our service providers, such as those providing cleaning services for your events or site security for your events;
• administrative, criminal, and judicial authorities;
• the auditors.

Your personal data is always shared with the utmost respect for confidentiality.

(c) Data storage and transfer

Your personal data is hosted by Brussels Expo, which may itself use a qualified subcontractor with servers located within the European Economic Area (EEA).

These hosting solutions offer security measures to guarantee the confidentiality, availability, and integrity of your data. The chosen subcontractor also undertakes, under the same conditions, to back up your data or have it backed up under conditions that guarantee its security and integrity, and to protect it from any damage that may occur to the servers.

None of your personal data is transferred to third countries outside the European Union or to international organizations. Should this become necessary, we are committed to implementing appropriate security measures to ensure an adequate level of protection for your personal data.

12. What are your rights? 

We do everything possible to ensure that your rights regarding your personal data are respected.

To this end, you have the following rights, under the conditions defined by applicable regulations, including the GDPR:

• the right to withdraw your consent to the processing of your personal data at any time for purposes based on such consent (right to withdraw consent);
• the right to obtain from Brussels Expo confirmation as to whether or not personal data concerning you are being processed and, where they are, access to such personal data as well as to various details regarding the processing (purposes of the processing, categories of personal data concerned, recipients or categories of recipients to whom the personal data have been or will be disclosed, the envisaged retention period for the personal data or, where this is not possible, the criteria used to determine that period, etc.) (right to information andright of access);
• the right to have Brussels Expo correct, as soon as possible, any personal data concerning you that is inaccurate or incomplete. If we have shared your data with other entities, we are required to take all necessary steps to inform those entities of your request for correction (right to rectification);
• the right to have Brussels Expo erase your personal data as soon as possible, where required by the applicable legislation referred to in section 3. In the event that we have made your data available to other entities, we are required to take all necessary measures to inform those entities of your request to be forgotten (right to erasure);
• the right to request that Brussels Expo restrict the processing of your data to storage only, where provided for by the applicable legislation referred to in section 3. If we have disclosed your data to other entities, we are required to take all necessary steps to inform those entities of your request for restriction of processing (right to restriction of processing);
• when the processing of your personal data is based on your consent or on a contract and is carried out using automated means, the right to request that this data be provided to you in a structured, commonly used, and machine-readable format. You may also request that this data be transmitted to another data controller (right to data portability);
• the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you (right to object to automated individual decision-making);
• the right to obtain from Brussels Expo at any time, for reasons relating to your particular situation, that it no longer processes personal data concerning you when such processing, including profiling, is based on its legitimate interests,
• the right to object at any time to the processing of your personal data for marketing purposes, including profiling to the extent that it is related to such marketing (right to object).

Please note that even in this case, when weighing your interests against ours, our interests or fundamental rights and freedoms may take precedence and justify our processing of your data on the basis of our legitimate interest, despite your objection.

13. How can you exercise your rights?

You may exercise the rights described above free of charge by contacting our DPO, the law firm Lex4u, represented by Frédéric Dechamps, at the following email address:[email protected].

Your request must specify the right(s) you wish to exercise. We may ask you to provide proof of your identity for security reasons, to prevent the unauthorized disclosure or misuse of your personal data.

We will then have one month from the date we receive your request to respond. This period may be extended by two months, depending on the complexity or number of requests. If this occurs, the extension may only be granted if you have been notified and the reasons for the delay have been communicated to you.

If we decide not to proceed with your request, we will inform you of the reasons for our refusal or inaction.

In the event of manifestly unfounded or excessive requests, particularly due to their repetitive nature, we may:

• require payment of reasonable fees that take into account the administrative costs incurred in providing the information, communicating, or taking the requested measures; or
• refuse to act on these requests.

It is incumbent upon us to demonstrate that your request is manifestly unfounded or excessive.

14. Questions, complaints, or concerns

If you wish to raise a concern regarding any of the practices described in this privacy policy, we recommend that you first contact our DPO using the contact information provided in Section 13.

You may also contact the Data Protection Authority (hereinafter the“DPA”) if you are dissatisfied with how Brussels Expo processes your personal data, using the following contact information:

Data Protection Authority

35 Rue de la Presse

1000 Brussels

Tel. +32 2 274 48 00

Fax: +32 2 274 48 35

[email protected]

All information on this subject can be found on the APD website:

• autoriteprotectiondonnees.be/(EN);
• gegevensbeschermingsautoriteit.be/(NL);
• dataprotectionauthority.be(EN);
• datenschutzbehorde.be/(DE).

15. Updates to Our Privacy Policy, Governing Law, and Jurisdiction

This Privacy Policy may be amended at any time to comply with applicable laws. The applicable version of the Privacy Policy is the one currently posted on our website:https://www.brussels-expo.com. We therefore recommend that you review it regularly.

The validity, interpretation, and/or enforcement of this Privacy Policy are governed by Belgian law and applicable European Union law. In the event of a dispute regarding the validity, interpretation, and/or enforcement of this Privacy Policy, subject to Article 211, 3°, paragraph 2 of the Law of July 30, 2018 on the protection of natural persons with regard to the processing of personal data, the courts and tribunals of Brussels shall have exclusive jurisdiction.

Last updated: March 16, 2026