Privacy Policy

autovig.be under the GDPR: controller, lawful basis per purpose, retention, recipients, transfer safeguards, your rights and the route to the Belgian APD/GBA.

This Privacy Policy describes how personal data is processed when you visit the website autovig.be (the "Site"). It is provided under articles 12, 13 and 14 of Regulation (EU) 2016/679 (the "GDPR") and the Belgian Loi du 30 juillet 2018 relative à la protection des personnes physiques à l'égard des traitements de données à caractère personnel.

autovig.be is the Belgian local instance of the Autovig editorial service about European motorway vignettes and tolls. It does not host user accounts, does not process payments and does not host user-generated content. The personal data processed is therefore limited to what is technically required to deliver a public website, to measure its editorial performance, and to answer messages you send us.

1. Controller identity

The controller of the personal data described in this Policy is:

References to "Autovig", "we", "us" or "our" in this Policy refer to Autovig acting under the Autovig brand on the Belgian local property autovig.be. The controller is established in the European Union; no representative under GDPR article 27 is required.

2. Data Protection Officer

Autovig has not appointed a Data Protection Officer. The processing operations described in this Policy do not meet the thresholds of GDPR article 37(1): the controller is not a public authority, its core activities do not consist of large-scale regular and systematic monitoring of data subjects, and they do not involve large-scale processing of special categories of data within the meaning of articles 9 and 10.

All privacy queries, including data-subject rights requests, are handled by the responsible publisher at contact@autovig.eu.

3. Categories of personal data and sources

We process the following categories of personal data. Each category is detailed by purpose, lawful basis, recipients, retention and transfers in section 5.

Category | Examples | Source
Connection data | IP address, timestamp, HTTP method, requested URL, response status, user-agent, referrer | Generated automatically when your browser requests a page (HTTP request headers)
Consent state | Per-category cookie decision (necessary / analytics) | Provided by you via the cookie banner; stored in your browser's local storage
Audience measurement events | Pseudonymous page-view events: viewed page, locale, basic device class, referrer host | Generated by your browser only after you grant analytics consent
Correspondence data | Email address, content of your message and any data you include in it | Provided by you when you write to us
Vulnerability-report data | Email address, technical description of the finding, optional PGP-encrypted content | Provided by you when you report a security issue under our Responsible Disclosure policy

We do not process special categories of personal data within the meaning of GDPR article 9 (data revealing racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic data, biometric data, health data, data concerning sex life or sexual orientation), nor data relating to criminal convictions within the meaning of article 10. We do not perform automated individual decision-making, including profiling, that produces legal or similarly significant effects on you within the meaning of article 22.

4. We do not collect

For clarity, we do not collect or process: account credentials, payment data, identity documents, postal addresses, telephone numbers, vehicle registration numbers, geolocation beyond what an IP address inherently reveals, advertising identifiers, cross-site tracking identifiers, or behavioural-advertising profiles.

5. Processing purposes, lawful basis, recipients, retention and transfers

The table below sets out, per processing purpose, the data used, the lawful basis under GDPR article 6, the recipients, the retention period and any third-country transfer.

Purpose | Data used | Lawful basis (GDPR art. 6) | Recipients | Retention | Transfers outside the EEA
Delivering the Site (page rendering, language routing) | Connection data, consent state | Legitimate interest — art. 6(1)(f): operating a public website | Hosting provider (OVH SAS, France) | Connection data: up to 12 months in operational logs; consent state stored on your device until you clear it | None — hosting is in the EU
Operational security (defending against abuse, intrusion detection, incident response) | Connection data | Legitimate interest — art. 6(1)(f): securing the Site, balanced against your reasonable expectation that traffic to a public website is logged for security purposes; legal obligation — art. 6(1)(c) where a competent authority requests preservation under articles 39 and 88 of the Belgian Code d'instruction criminelle | Hosting provider; on lawful request, Belgian judicial or supervisory authorities | Security logs: up to 12 months | None
Editorial audience measurement (counting page views, locales, referrers) | Audience measurement events | Consent — art. 6(1)(a): events are loaded only after you accept analytics on the cookie banner; withdrawal of consent is as easy as giving it via Cookie Preferences | Google Ireland Limited (Ireland), acting as our processor under article 28 GDPR; data may be onward-transferred to Google LLC (United States) within the same group | Default retention is 14 months at event level in the analytics property; you can request earlier deletion (section 7) | Yes — Google LLC, United States, under Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and under the EU–US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795) — Google LLC self-certifies under the DPF
Answering your messages | Correspondence data | Legitimate interest — art. 6(1)(f) for general enquiries; contract — art. 6(1)(b) where the message is a pre-contractual request once a checkout flow is enabled | Hosting provider of the mailbox; no third-party email-marketing processor | Up to 24 months after the last message in the thread, unless a longer retention is required to defend a legal claim (up to 10 years under article 2262bis of the Belgian Code civil) | None — mailbox is hosted in the EU
Receiving vulnerability reports | Vulnerability-report data | Legitimate interest — art. 6(1)(f): coordinated vulnerability disclosure under ISO/IEC 29147:2018 and the Belgian Loi du 28 novembre 2022 on whistleblowers and coordinated vulnerability disclosure | Internal security handlers only; coordinated disclosure with the affected third party where the report concerns them | Up to 5 years for closed reports, in line with the retention guidance in the Belgian Centre for Cybersecurity (CCB) coordinated-vulnerability-disclosure policy | None
Recording consent (to demonstrate compliance with art. 7(1) GDPR) | Consent state | Legal obligation — art. 6(1)(c) read with art. 7(1) GDPR | Stored only in your browser's local storage; not transmitted to us | Until you clear browser storage or change your consent choice | None

If we add a new processing purpose or a new processor, this Policy is updated before the new processing begins, the updatedAt date in the page header is revised, and you are notified at the top of the page for at least 30 days.

Note on legitimate interest

For each processing purpose listed above relying on legitimate interest (art. 6(1)(f)), we have performed the three-step assessment required by EDPB Guidelines 01/2024 and recital 47 of the GDPR:

the interest pursued is legitimate (operating, securing, and answering enquiries about a lawful editorial service);
the processing is necessary for that interest (no less intrusive means achieves the same result — for example, connection logs cannot be replaced for incident response);
the processing does not override your fundamental rights and freedoms, given the limited categories of data involved, the short retention, the absence of profiling, and the public-website context in which you transmit the data.

You may at any time object to processing based on legitimate interest under GDPR article 21; the route is described in section 7.

6. Cookies and similar technologies

The full inventory of cookies and similar technologies set or read on the Site, including names, purposes, retention and the third parties involved, is in the Cookie Policy. You can grant, refuse or withdraw consent for non-strictly-necessary trackers at any time via Cookie Preferences.

Consent is obtained in line with article 5(3) of Directive 2002/58/EC as amended (the "ePrivacy Directive") and its Belgian transposition at article 129 of the Loi du 13 juin 2005 relative aux communications électroniques. Strictly necessary trackers are deployed without consent on the basis of that same article 5(3) exception.

7. Your rights as a data subject

Under articles 15 to 22 and 77 of the GDPR you have the right to:

access the personal data we hold about you (art. 15);
request rectification of inaccurate or incomplete data (art. 16);
request erasure ("right to be forgotten") in the cases listed in article 17;
request restriction of processing in the cases listed in article 18;
receive your personal data in a structured, commonly used, machine-readable format, or have it transmitted to another controller — portability — in the cases listed in article 20;
object to processing based on legitimate interest (art. 21);
withdraw consent at any time, without affecting the lawfulness of processing carried out before the withdrawal (art. 7(3));
not be subject to a decision based solely on automated processing producing legal or similarly significant effects on you (art. 22); we do not perform such decision-making.

How to exercise your rights

Write to contact@autovig.eu. Indicate which right you wish to exercise and the data you are referring to. We may ask for additional information that is strictly necessary to confirm your identity before acting on the request, in line with article 12(6) of the GDPR. We respond within one month of receipt of the request. This period may be extended by a further two months where necessary, taking into account the complexity and number of the requests; you will be informed of any such extension within the first month.

Access, rectification, erasure, restriction and portability are provided free of charge unless your request is manifestly unfounded or excessive (art. 12(5) GDPR).

8. Right to lodge a complaint

If you consider that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. The competent authority for the controller is the Belgian DPA; if you are a Belgian resident, this is your primary route:

Autorité de protection des données / Gegevensbeschermingsautoriteit (APD / GBA)
Rue de la Presse 35 / Drukpersstraat 35, 1000 Bruxelles / 1000 Brussel, Belgium
Telephone: +32 (0)2 274 48 00

Under article 77(1) of the GDPR you may also lodge a complaint with the supervisory authority of the EU/EEA Member State of your habitual residence, place of work, or the place of the alleged infringement. The list of national supervisory authorities is published by the European Data Protection Board at https://www.edpb.europa.eu/about-edpb/about-edpb/members_en.

9. International transfers — safeguards in detail

The only third-country transfer in the table at section 5 concerns Google Analytics 4. Where audience measurement events are onward-transferred from Google Ireland Limited (Ireland) to Google LLC (United States), the transfer relies on two cumulative safeguards:

Standard Contractual Clauses — Module 2 (controller to processor) of Commission Implementing Decision (EU) 2021/914 of 4 June 2021, executed between the controller and Google Ireland Limited and flowing down to Google LLC as a sub-processor under article 28(2) of the GDPR.
EU–US Data Privacy Framework — Commission Implementing Decision (EU) 2023/1795 of 10 July 2023, on which Google LLC self-certifies. The current certification status can be verified on https://www.dataprivacyframework.gov.

A copy of the safeguard documentation can be requested at contact@autovig.eu. We do not transfer personal data to any other third country.

10. Security of processing

We implement technical and organisational measures aligned with article 32 of the GDPR, taking into account the state of the art, the cost of implementation, the nature and scope of processing, and the risks for data subjects. These include TLS in transit for all public traffic, principle-of-least-privilege access to operational systems, separation of build, staging and production environments, log review for anomalous activity, and a documented procedure to notify the APD/GBA within 72 hours and affected data subjects without undue delay where a personal data breach is likely to result in a risk to their rights and freedoms (GDPR articles 33 and 34).

We welcome reports of suspected vulnerabilities under our Responsible Disclosure policy. Specific technical measures are not described here as their disclosure could weaken the protection they provide.

11. Children

The Site is not directed at children and we do not knowingly process personal data of children below the digital-consent threshold. In Belgium, article 7(1) of the Loi du 30 juillet 2018 sets that threshold at 13 years for information-society services offered directly to a child on the basis of consent. If you believe that a child below that threshold has provided personal data to us, please write to contact@autovig.eu and we will delete the data without undue delay.

12. Changes to this Policy

We may update this Policy when the Site evolves. The updatedAt date in the page header reflects the latest revision. Material changes — for example, a new processor, a new processing purpose, or a new transfer mechanism — are highlighted at the top of the page for at least 30 days before they take effect. Previous versions of this Policy are available on request at contact@autovig.eu.

13. Effective date

This Policy is effective from the updatedAt date in the page header. It supersedes any earlier version.

Sources

The following instruments are cited or implemented above. Each link is the consolidated permalink.