TILMAN S.A

Privacy Statement

(LAST UPDATE: November 28, 2025)

 

1. Who are we?

Your personal data are collected and processed by TILMAN S.A., a company incorporated under Belgian law, whose registered office is located at Zone d’activités Sud, Bail. 15, 5377 Somme-Leuze, registered with the Crossroads Bank for Enterprises under number 0458.493.759 (hereinafter referred to as “Tilman” or “we”).

 

Contact details of the Data Protection Officer of the controller: privacy@tilman.be.

2. Objectives of this statement

Concerned about respecting your privacy, and aware of the importance of complying with our legal obligations in this regard, we do everything in our power to protect your personal data.

The purpose of this statement is to inform you (as “data subject”) about how we (as “controller”) process your personal data, in accordance with all applicable national or international data protection and privacy laws and regulations (hereinafter referred to as “Data Protection Laws”), including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”).

This statement is also intended to inform you of your rights regarding the processing of your personal data.

It applies to applicants, partners, visitors to our website or offices, prospects, patients, clients, users of our products and, more generally, any person who comes into contact with Tilman and whose personal data we process as data controller.

3. Information on the different processing of personal data

In this section, we provide you with information on:

  • The purposes of the processing (why we process your data);
  • The categories of personal data processed (what types of data are processed);
  • The legal basis of the processing (what justifies the processing).

| Purposes | Categories of personal data | Legal basis |
|---|---|---|
| Customer service (e.g. management of information requests, complaints, after-sales services) | Identification, electronic identification, content of communications, commercial information, description of the complaint | GDPR, Art. 6(1)(c) (necessary for compliance with a legal obligation); GDPR, Art. 6(1)(f) (legitimate interest: improving the service, preventing and managing disputes) |
| Customer management (e.g. order tracking and fulfilment, sales information, invoicing) | Identification, electronic identification, administrative data, sectoral data, customer code, function, category/group, language, currency, financial characteristics, representative, transport, content of communications, commercial information | GDPR, Art. 6(1)(b) (performance of contractual or pre-contractual measures); GDPR, Art. 6(1)(c) (necessary for compliance with a legal obligation) |
| Satisfaction surveys | Identification, electronic identification | |
| Market analysis | Identification, electronic identification, purchases | GDPR, Art. 6(1)(b) (performance of contractual or pre-contractual measures); GDPR, Art. 6(1)(f) (legitimate interest: process improvement, internal management, market analysis) |
| Information campaigns (mailings) | Identification, electronic identification | GDPR, Art. 6(1)(a) (consent); GDPR, Art. 6(1)(f) ("soft opt-in" for persons who are already Tilman’s customers) |
| Pharmacovigilance | Identification, electronic identification, date of birth, age, weight, height, gender, medical data: product involved (and production information), adverse reactions, medical history | GDPR, Art. 6(1)(c) (necessary for compliance with a legal obligation); GDPR, Art. 9(2)(i) (grounds of public interest in the field of public health) |
| Supplier management (e.g. selection, order tracking, accounting and administration, quality controls) | Identification, electronic identification, administrative data, content of communications | GDPR, Art. 6(1)(b) (performance of contractual or pre-contractual measures); GDPR, Art. 6(1)(c) (necessary for compliance with a legal obligation); GDPR, Art. 6(1)(f) (legitimate interest: selection and management of suppliers, quality controls, process improvement, protection of Tilman's rights) |
| General prospecting | Identification, electronic identification, administrative data, sectoral data, customer code, function, category/group, language, currency, financial characteristics, representative, transport, content of communications, commercial information | GDPR, Art. 6(1)(f) (legitimate interest: prospecting of professional customers, development of economic activities); GDPR, Art. 6(1)(a) (consent) |
| Recruitment management | Identification, electronic identification, family composition, leisure, education, professional data | GDPR, Art. 6(1)(b) (pre-contractual measures); GDPR, Art. 6(1)(a) (consent for subsequent storage) |
| Sponsoring | Identification, electronic identification, administrative data | GDPR, Art. 6(1)(b) (performance of contractual or pre-contractual measures) |
| Security (e.g. recording of entries and exits in our buildings) | Identification, name of employer, visit data (arrival and departure times) | GDPR, Art. 6(1)(c) (necessary for compliance with a legal obligation); GDPR, Art. 6(1)(f) (legitimate interest: protection of the company, its property and its staff) |
| Events | Identification, electronic identification, occupation, participation | GDPR, Art. 6(1)(b) (performance of contractual or pre-contractual measures); GDPR, Art. 6(1)(a) (consent) |
| BE Transparent | Identification (name, phone number, etc.), electronic identification, administrative data, sectoral data (INAMI number), national registration number, financial data | GDPR, Art. 6(1)(c) (necessary for compliance with a legal obligation) |
| Improvement of the website and visitor experience | Navigation data | GDPR, Art. 6(1)(a) (consent); GDPR, Art. 6(1)(f) (legitimate interest: website operation and security) |
| Organisation of contests and promotional operations | Identification, electronic identification, participation, provided responses | GDPR, Art. 6(1)(a) (consent); GDPR, Art. 6(1)(f) (legitimate interest: “soft opt-in” for existing Tilman customers) |
| Clinical studies | Identification, participation, medical data | GDPR, Art. 6(1)(c) (necessary for compliance with a legal obligation); GDPR, Art. 9(2)(i) (processing is necessary for reasons of public interest in the area of public health); GDPR, Art. 6(1)(f) (legitimate interest: product research and development, advancement of medical knowledge (scientific research)); GDPR, Art. 9(2)(j) (processing is necessary for scientific research purposes) |

4. Retention of your personal data

We will not retain your personal data longer than necessary for the purposes for which it was collected. Retention periods vary depending on the type of processing activity and the purpose for which the personal data was collected.

We will retain your personal data collected on the basis of your consent for as long as your consent remains valid.

In any case, personal data may be retained for a longer period if there is a legal or regulatory requirement to do so, or for a shorter period if you object to the processing of your personal data and there is no longer a legitimate reason to retain it. Your personal data will be deleted or anonymised at the end of the retention period.

5. Your rights as a data subject

Subject to the conditions and limitations set out in the Data Protection Laws, you may exercise the following data subject rights:

  • Right of access to your personal data: The right to request access to your personal data, to request a copy of the personal data we collect about you, and to obtain additional information on how we process your data.
  • Right to rectification: The right to have inaccurate personal data corrected or incomplete personal data completed.
  • Right to erasure (“right to be forgotten”): The right to have your personal data deleted from our systems. Requests for erasure cannot always be granted, for example due to contractual or legal obligations. We will comply with such obligations when responding to your request.
  • Right to object: The right to object to the processing of your personal data where the processing is based on our legitimate interest or on grounds of public interest. We will cease processing unless we can demonstrate compelling legitimate grounds for continuing the processing or for the establishment, exercise, or defense of legal claims. You also have the right to object to the processing of your personal data for direct marketing purposes, in which case your data will no longer be processed for such purposes.
  • Right to withdraw your consent: For the processing of your personal data collected based on your consent, you may withdraw your consent at any time. For example, you can unsubscribe from newsletters at any time. However, the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
  • Right to restriction of processing: In certain cases, you have the right to obtain restriction of processing of your personal data. If you successfully exercise this right, we will continue to store your data but limit its use. For example, you may request this if you believe your personal data is inaccurate or if its processing is unjustified. We are required to comply with such requests only in specific cases as provided by law.
  • Right to data portability: The right to receive the personal data concerning you, processed by Tilman, in a structured, commonly used, and machine-readable format and/or to have such data transmitted or copied to another data controller.

These rights can be exercised free of charge by sending an email to privacy@tilman.be. We commit to responding to your request within the deadlines prescribed by applicable data protection legislation. We may request additional information to verify your identity and ensure that the request comes from you.

If you believe that your data protection rights have been infringed, you have the right to lodge a complaint with the Belgian Data Protection Authority: Autorité de protection des données, Rue de la Presse 35, 1000 Bruxelles, Tel. +32 (0) 2 274 48 00, email: contact@apd-gba.be.

6. Recipients

We refrain from disclosing your personal data to third parties or making it public, except in the following specific cases:

  • Personal data may be shared between our different branches where such transfer is required for the provision of our products or services in accordance with the predetermined purpose;
  • Personal data may be shared with external service providers to whom we have entrusted certain processing activities. If necessary, a data processing agreement will be concluded to ensure that they comply with all obligations required by applicable data protection laws;
  • When required by applicable laws or regulations.

7. International transfers

We comply with Data Protection Laws by providing adequate safeguards for the transfer of personal data to recipients located in countries outside the European Economic Area (“EEA”).

In the event of a transfer of personal data to a third country or an international organisation outside the EEA, we ensure that such data is transferred only to countries deemed by the European Commission to provide an “adequate” level of protection (a list of adequate third countries is available on the European Commission’s website) or, alternatively, where your personal data is transferred to a country that does not provide an adequate level of protection, we will implement appropriate safeguards with the entity receiving your personal data (for example, the EU Standard Contractual Clauses) to ensure that your personal data remains protected in accordance with Data Protection Laws.

8. Security

Tilman will implement appropriate technical, physical, legal, and organisational measures in compliance with Data Protection Laws. However, no transmission of data over the Internet or any data storage system can be guaranteed to be 100% secure. If you have reason to believe that an interaction with us is no longer secure (for example, if you suspect that the security of any personal data you may hold with us has been compromised), please inform us immediately. See the section “Who to Contact About Your Personal Data” below.

When Tilman provides personal data to a service provider, the service provider is carefully selected and is required to implement appropriate measures to protect the confidentiality and security of the personal data.

9. Who to contact about your personal data

If you have any questions about our use of your personal data, you can:

  • Send us an e-mail to the following address: privacy@tilman.be
  • Or write to us at the following physical address:
    TILMAN S.A.
    15, Zone d’activités Sud
    5377 Baillonville
    BELGIUM

10. Changes to this statement

We regularly review this statement and reserve the right to make changes at any time to reflect changes in our business or new legal requirements.

To inform you of the changes, we will post updates on our website. Please check the “last updated” date at the top of this Statement to see when it was last revised.
