Privacy Policy
Floya
As a public institution entrusted by the Brussels-Capital Region with developing and managing the MaaS application, STIB-MIVB is committed to protecting your privacy and personal data. Consequently, one of our priorities is to treat your personal data with the utmost care and ensure the best level of protection, in accordance with the Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter “GDPR”), as well as the related national law, the law of 30 July 2018 on the protection of individuals with regard to the processing of personal data. For this reason, we would like to inform you as fully as possible by means of this privacy policy. The purpose is to ensure that you have the best possible control over your data.
1. Who is responsible for processing your personal data?
The controler is the Société des Transports Intercommunaux de Bruxelles/Maatschappij voor het Intercommunaal Vervoer te Brussel, an association of public law with its registered office at 1000 Brussels, rue Royale/Koningsstraat 76 and with company number 0247.499.953 (hereinafter “STIB-MIVB”).
STIB-MIVB Head Office
Rue Royale/Koningsstraat 76
1000 Brussels
STIB-MIVB has appointed a Data Protection Officer (DPO). Among other things, the DPO is responsible for ensuring the internal application of the rules for the protection and management of your data, in cooperation with the supervisory authorities.
Below you will find the contact details of our DPO:
Or by post:
Data Protection Officer
Rue Royale/Koningsstraat 76
1000 Brussels
2. To what end?
As part of the Floya project, we process your personal data for the following purposes:
| Purpose of collection of personal data | Legal basis for processing your personal data |
|---|---|
| Using the Floya app and creating an account | STIB-MIVB provides you with a mobile application that aims to facilitate the use of a combination of transport modes in Brussels. When installing this app, STIB-MIVB collects technical data that allows you to use the app. When creating an account, we collect data that allows you to access the services offered in the application, register a payment method, and verify that the signing up in the app is being done by a human (and not by a robot). These data collections are based on the execution of a service contract allowing you to use this application. The retention period of the data: 3 years after the last login in the application |
| Booking and using mobility services | The application allows you to purchase and activate a public transport ticket, as well as book and use private mobility services available in the application. This processing is based on the service contract that allows you to benefit from the mobility services in question. These purposes are common to STIB-MIVB and the relevant mobility partners who act as joint processors. The retention period of the data: 3 years after the last login in the application |
| Sharing your location | You can activate the location in your application to facilitate the use of the app and mobility services. This processing is based on your consent. You can deactivate this feature at any time directly in your phone’s settings. The retention period of the data: 3 years after the last login in the application |
| Providing the necessary official documents to access mobility services | Some of the offered mobility services require the registration of official documents, such as a driving licence or an identification card. The validity of these documents must be confirmed in order to grant you access to certain services. These data are collected on the basis of the execution of the service contract allowing you to use the features of the application. In order to proceed with document verification and to confirm their authenticity, the application collects biometric data to compare your face with the photo included in the documents. The collected biometric data is considered sensitive data under Article 9.1 of the GDPR. It can only be processed with your explicit consent. Some of our mobility partners wish to perform this verification themselves. In that case, your explicit consent will also be requested to transfer the data to them. The retention period of the data: 1 year |
| Paying for mobility services | STIB-MIVB manages the payments for private and public mobility services. This processing is based on the service contract that allows you to benefit from the services provided by the application. In some cases, STIB-MIVB needs to rebill public transport operators. Your data is also used to facilitate the rebilling between the operators. The retention period of the data: 7 years |
| Getting an overview of your activities | You can receive a list of the last journeys and purchases you have made. These data are collected on the basis of the execution of the service contract allowing you to use the features of the application. The retention period of the data: 3 years after the last login in the application |
| Promoting and encouraging the use of the Floya app | The processing is aimed at sending you notifications within the application or communications via email to inform you and promote the application. It also includes sending surveys. Your consent is required to collect this data in accordance with specific rules regarding email advertising (Article XII.13(1) of the Economic Law Code; Royal Decree of 4th April 2003). You can withdraw your consent at any time in the application. Furthermore, when using the Floya app or visiting the website, trackers are installed to offer you advertisements tailored to your presumed preferences and to record usage statistics of the application. For more information, we invite you to read our Cookie policy. This processing is based on your consent, which you can withdraw at any time. The retention period of the data: 1 year starting from the inactivity |
| Organisation of contests | STIB processes the data of contest participants to ensure the smooth running of the contest. For this purpose, we only process contact data in order to inform the data subject of the contest results. You provide the data yourself in order to participate in the contest. The processing of this data is based on the execution of the contract for contests. You have the possibility to participate in these contests or not. Participation takes place by using the use of a platform developed by a service provider that has access to your data. The retention period of the data: 1 month after the winner(s) has/have been declared. |
| Contacting customer care | If the journey planner is based on the location that you activate in your application, this processing is based on your consent. You can deactivate this feature at any time. If the route search is not based on location, then the data is collected as part of the service contract related to your use of the application. After contacting our Customer Care, a form will be sent to you by e-mail to measure your satisfaction with the response obtained. This sending is based on STIB-MIVB’s legitimate interest in improving the quality of its services The retention period of the data: 5 years |
3. What data?
STIB-MIVB processes and collects various types of data in order to achieve the above-mentioned purposes. This data may be collected when you register on the application, or indirectly when you use the application.
This concerns the following types of personal data:
- Identification data (surname, first name, date of birth)
- Contact data (email address, mobile number)
- Financial data to enable the purchase and booking of mobility services
- Authentication data required for booking some mobility services (identity card, driving licence) and biometric data used to verify the validity and authenticity of the documents.
- Geolocation data
- Mobility data (type of service used, date, time of travel)
- Metadata (information about your device and use of the app)
4. With whom do we share your data? Is your data transmitted?
We use an external service provider who processes and hosts all the data listed in point 3.
The required documents for the use of certain services are being verified by a service provider. Similarly, marketing campaigns are sent through a service provider to whom we transmit your data.
When you use a mobility service through the Floya application, your identification data may be transmitted to the provider of the chosen mobility service so that they can provide you with the desired service. We act as joint controllers for the processing of your data with the relevant mobility service provider.
Payments via the app go through a payment service provider, which thus has access to your bank details in order to make the payment.
In all cases, a contract has been established with the service providers we use. These contracts include the technical and organisational measures to be implemented to ensure the protection of personal data.
We do not sell your personal data to third parties.
5. What are your rights?
If you wish to access your personal data, obtain their deletion, limit or refuse their processing, withdraw your consent or obtain their portability, you can send us a written request with a copy of the front of your identity card.
Via following contact form:
Or by post: Data Protection Officer
Rue Royale/Koningsstraat 76
1000 Brussels
You will receive an answer within 30 days. Depending on the complexity of the requests and the number of requests, the deadline may be extended by a further two months. If the period is extended, we will inform you within one month after receiving your request.
However, we may not be able to comply with your request. In this case, we will of course ensure that you receive the clearest possible answer.
If you wish to correct your personal data, you can do so through the contact form:
For more information about your rights, please consult our website: www.stib-mivb.be/privacy
If you consider that the processing of your personal data constitutes a violation of the GDPR, you can file a complaint with the competent authority in Belgium:
Data Protection Authority
Rue de la Presse/Drukpersstraat 35
1000 Brussels
+32 (0)2 274 48 00