1. INTRODUCTION

This Privacy Notice (“Notice”) explains how Black Tiger Belgium SA processes your personal data when it is not collected directly from you, but received from third parties,  typically, organisations you have a relationship with.

We are providing this information in accordance with Article 14 of the UK and EU General Data Protection Regulation (GDPR), which requires organisations to explain how and why they process personal data obtained from other sources.

We process personal data to deliver data validation and identity reference services to third-party clients. These services help our clients verify the accuracy and consistency of data they already hold, typically to prevent fraud, support onboarding, or comply with regulatory obligations. The data is used only in a passive, privacy-conscious way, we do not contact you, make decisions about you, or build profiles from this data.

We rely on legitimate interests under Article 6(1)(f) of the GDPR as our lawful basis for this processing. You have the right to object at any time to our use of your data for this purpose (see Section 15 for how to do this).

This notice explains:

• What personal data we process
• Where it comes from
• What we use it for
• How long we keep it
• How we protect it
• Your rights, including your right to object

We are committed to using your personal data lawfully, fairly, and transparently, in line with GDPR requirements.

2. WHO IS RESPONSIBLE FOR YOUR PERSONAL DATA?

Black Tiger Belgium SA (“Black Tiger”, “we”, “us”) is the controller of the personal data described in this privacy notice. ‍This means that we determine how Personal data obtained from third-party sources or publicly available records is processed, the purposes for which it is processed, and the measures we use to protect it.‍

Where you have been directed to this notice by an organisation, who are also controllers of your personal data and use our services to validate the information you provided to them,  please note that this Notice supplements (but does not replace) the information they provide to you. We process your personal data separately, on our own behalf, and only for the purpose of supporting identity validation in a passive, reference only manner.

3. HOW TO CONTACT US

You can contact us at:

‍

Black Tiger Privacy Team

Email: privacy@blacktiger.com

Address: 12 Rue d'Oradour-sur-Glane, 75015 Paris, France

4. DATA PROTECTION OFFICER (DPO)

We have appointed GRCI Law Limited as our Data Protection Officer (or DPO) to oversee our data protection compliance.‍

If you have any questions about this Privacy Notice or how we handle your Personal data, you can contact the DPO at:‍

Email: dpoaas@grcilaw.com

Postal Address:
GRCI Law Limited
Unit 3, Clive Court
Bartholomew’s Walk
Cambridgeshire Business Park
Ely, Cambridgeshire
CB7 4EA
United Kingdom

If you are located in the UK or the EEA, you may also contact the DPO to exercise your rights or raise concerns with a supervisory authority.

5. WHAT IS PERSONAL DATA?

Personal data means any information that identifies or relates to an individual, such as a name, address, date of birth or ID number.

Certain types of data, like health or biometric information, are considered more sensitive and require extra protection. These are known as Special Category Data under the GDPR. We do not collect or process any such sensitive data for our data validation services.

6. WHAT PERSONAL DATA WE OBTAIN FROM THIRD PARTY SOURCES

The types of personal data we may obtain, use and process under this Notice include: 

Contact Data: including current and previous residential addresses, email addresses, telephone numbers

Identity Data: including full names (inclusive of middle names and / or initials,  maiden, married and former names),  dates of birth 

Metadata: registration or submission date, channel or method by which the data was originally provided

7. HOW WE OBTAIN YOUR PERSONAL DATA

We do not collect your personal data directly. Instead, we receive it from trusted third-party data providers, who originally collected the information from individuals in the course of offering their own services (such as retail, media, or account-based platforms). These providers act as data contributors or commercial data brokers and have shared this information with us under formal agreements for the purpose of enabling identity validation.

These sources include (but are not limited to):

• Verzekeringen S.A., a Belgian registered insurance broker;  
• Gowie S.A., a Belgian registered company;
• Damart T.S.D. S.A, a Belgian registered retail company; 
• Mediahuis N.V, Belgian based international media group;
• Roularta Media Group NV, a Belgian-based multimedia company;
• Claes Retail Group is a Belgian registered company; and‍
• Freedelity S.A., a Belgian registered data compan

8. DATA ACCURACY 

We aim to ensure the personal data we process is accurate and relevant. If you believe any of it is incorrect or incomplete, you have the right to request a correction under applicable data protection laws.

To do so, please contact us at privacy@blacktiger.com, or see the section titled “Your Privacy Rights” for more information.

9. HOW WE COLLECT YOUR PERSONAL DATA

We process personal data obtained from trusted third-party sources solely for the purpose of providing identity validation and reference services.

Our lawful basis under the UK and EU GDPR is legitimate interests. These interests include:

• Supporting accurate, consistent, and responsible use of identity data
• Helping clients validate identity information to prevent fraud and improve data quality
• Ensuring the secure and limited use of legacy identity data

We do not use this data for unrelated purposes, profiling, or direct marketing.
For more detail, see the “Lawful Basis Table” in Section 10 of this notice.

We do not use personal data for any purpose other than the identity validation function described in this notice. If this changes in future, we will update this notice and explain the new purpose and legal basis, where required by law.

10. LAWFUL BASIS TABLE

The following table provides further detail in relation to our processing of your personal data and the lawful basis which applies to that processing. 

‍

11. RETENTION OF DATA

We retain personal data only as long as it remains accurate, relevant, and necessary for identity validation purposes.

We review our data and retention practices at least every six months. Records that become outdated or unverifiable are removed from active use. There is no fixed retention period, but we do not retain personal data longer than necessary for the validation function.

We may retain anonymised data for research or statistical use, which cannot identify individuals and may be kept indefinitely.

You may request deletion of your personal data at any time, subject to legal or legitimate grounds. To do so, please contact us at privacy@blacktiger.com or see the section “Your Privacy Rights”.

12. SHARING YOUR DATA

We may share your personal data with trusted third parties strictly for the purpose of delivering identity validation and reference services, and to comply with legal obligations. All recipients are bound by appropriate contractual safeguards and must handle your data lawfully, securely, and only for the intended purpose.

We may share personal data with:

• Client organisations:  who use our services to validate identity data they have collected directly from you. These clients are separate controllers and are required to provide you with their own privacy notices.
• Service providers:  including cloud hosting, IT systems, and secure tools needed to deliver and maintain our services
• Professional advisers:  including lawyers, auditors, or insurers working under confidentiality obligations
• Regulatory or legal authorities: when required to comply with applicable law or respond to lawful requests
• Processors and subcontractors: acting on our behalf under binding agreements in line with Article 28 UK/EU GDPR
• Prospective buyers or investors: if we undergo a corporate change (e.g. sale or merger), subject to strict privacy protections

We do not sell or broker personal data. All third parties must enter into appropriate contracts that limit use, ensure security, and uphold your rights under the UK and EU GDPR.

13. INTERNATIONAL DATA TRANSFERS

We may transfer and process your personal data outside of your country of residence, including to jurisdictions that may not provide the same level of data protection as is provided in your home country. ‍ Whenever we transfer your personal data internationally, we ensure that appropriate safeguards are in place to protect that personal data in accordance with applicable data protection laws, including:

• transferring data only to countries recognised as providing an adequate level of protection; or
• implementing legally recognised safeguards such as:
  
  • Standard Contractual Clauses (SCCs) approved by the European Commission or UK authorities;
  • Data Transfer Agreements (DTAs);
  • Binding Corporate Rules (BCRs);
  • Express consent where no other mechanism applies and the transfer is not repetitive.

For more information about the safeguards we use for international transfers, you may contact us at privacy@blacktiger.com.‍

14. HOW WE KEEP YOUR PERSONAL DATA SECURE

The security of your personal data is important to us. We implement appropriate technical and organisational measures designed to protect your personal data from accidental loss, misuse, unauthorised access, disclosure, alteration, or destruction. These measures include access controls, encryption, secure data storage, and staff confidentiality obligations, aligned with recognised industry standards and legal requirements.‍

We restrict access to your personal data to employees, contractors, and authorised third parties who require it to perform their job duties and who are subject to contractual or legal confidentiality obligations.

However, please remember that no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security.‍

We continue to review, monitor, and update our security practices to meet evolving standards.

15. YOUR PRIVACY RIGHTS

You may have the right, subject to any lawful limitations, to exercise the following rights regarding your personal data:

• Right of Access:  You may request confirmation as to whether we process your personal data and, where we do, request access to a copy of that data.
• Right to Rectification:  You may request that we correct or update inaccurate or incomplete personal data concerning you.
• Right to Erasure (Right to be Forgotten): You may request the deletion of your personal data where there is no lawful basis for us to continue processing it. Please note that in some cases, deletion may not be possible due to contractual, legal, or regulatory obligations.
• Right to Restrict Processing: You may request that we restrict the processing of your personal data where the accuracy of the data is contested, processing is unlawful, you have objected to processing, or the data is no longer needed but required by you for legal purposes.
• Right to Object: You may object to our processing of your personal data in certain circumstances, such as where the processing is based on our legitimate interests.

Whenever possible, you may update your personal data directly by contacting us at privacy@blacktiger.com.

We may request verification of your identity before responding to your request.‍

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

16. COMPLAINTS

 If you have concerns about how we have handled your personal data, or believe your privacy rights have been violated, you can contact us at privacy@blacktiger.com We take all privacy-related concerns seriously and aim to resolve them promptly and fairly.

You also have the right to lodge a complaint with your relevant data protection authority. For example:

• United Kingdom is the  Information Commissioner’s Office (ICO): www.ico.org.uk
• European Union / EEA: You can contact your national Data Protection Authority. A list of EU regulators is available here.s:
  

You may also have the right to seek a judicial remedy where you believe your data rights have been infringed under applicable data protection law.

Exercising your privacy rights will not result in any form of discriminatory treatment or penalty.

17. NOTICE CHANGES AND UPDATES

We may update this Notice from time to time to reflect changes in our data practices or legal obligations.

Where required by law, we will notify you of material changes before they take effect. If direct notification is not practical, we may rely on Article 14(5)(b) GDPR and publish a prominent update on our website.

Please check the “Effective Date” at the top of this Notice to stay informed.