Privacy Policy of


European Small Business Alliance AISBL
Rue de la Science 14,
B-1040 Brussels,

In order to receive information about your Personal Data, the purposes and the parties the Data is shared with, contact the owner.

  1. Owner and Data Controller

ESBA, European Small Business Alliance, Avenue la Reinassance, 1, Bruxelles, BELGIUM

Owner contact email:

European Small Business Alliance (ESBA)’s mission is to provide professionals with a flexible global platform ( in order to help professionals to find, interact with and consult their peers globally. Central to this objective is the compliance with applicable data protection laws and regulations as well as transparency about the collection, use and sharing of personal data related to the provision of our services.

This Privacy Policy is applicable to the personal data processed by ESBA aisbl (“ESBA” or “we”) relating to the  registered users, visitors and/or user’s contacts (aforementioned data subjects are hereinafter collectively referred to as “User” or “you”) of our online platform, ESBA-branded applications and other services or off-site services provided by us (“Services”), but excluding services stating that they are offered under a different privacy policy. Service Users may be private professionals or company representatives.

The purpose of this Privacy Policy is to provide you with information about the processing of your personal data in accordance with the information obligations set in Article 14 of the General Data Protection Regulation 2016/679/EU (GDPR).

Throughout this Privacy Policy the term “processing” is used to cover all activities involving your personal data, including collecting, handling, storing, accessing, using, transferring and disposing of information.

Please note that this Privacy Policy only applies to our processing of personal data of the above mentioned data subjects where we act as a data controller. This Privacy Policy does not address, and we are not responsible for, the privacy and data processing practices of any third parties.

This Privacy Policy may be updated if required in order to reflect the changes in data processing practices or otherwise. The valid version of the Privacy Policy shall be available at [*]. We will not make substantial changes to this Privacy Policy or reduce your rights under this Privacy Policy without providing a notice thereof.

  1. Types of Data collected

The owner does not provide a list of Personal Data types collected.

Complete details on each type of Personal Data collected are provided in the dedicated sections of this privacy policy or by specific explanation texts displayed prior to the Data collection.
Personal Data may be freely provided by the User, or, in case of Usage Data, collected automatically when using this Application.
Unless specified otherwise, all Data requested by this Application is mandatory and failure to provide this Data may make it impossible for this Application to provide its services. In cases where this Application specifically states that some Data is not mandatory, Users are free not to communicate this Data without consequences to the availability or the functioning of the Service.
Users who are uncertain about which Personal Data is mandatory are welcome to contact the Owner.
Any use of Cookies – or of other tracking tools – by this Application or by the owners of third-party services used by this Application serves the purpose of providing the Service required by the User, in addition to any other purposes described in the present document and in the Cookie Policy, if available.

Users are responsible for any third-party Personal Data obtained, published or shared through this Application and confirm that they have the third party’s consent to provide the Data to the Owner.

  1. Personal Data Processed And Sources Of Data

Data you provide us


We may collect the following type of personal information concerning the User depending on the capacity of the User as a private professional and/or company representative and whether you provide such information directly or via LinkedIn, Facebook or Google account using browser extension:

full name;

e-mail address;

user name and password;

photograph; and

company name/logo.

 If you register for a premium Service or act on behalf of a company User, you will need to provide us with payment (e.g. credit card) and billing information.

User Profile

You have choices about the information you provide on your profile, such as:

country and place of business;

whether your profile is publicly available to everyone or privately to other Service Users;

personal or company descriptions;

chosen skills and categories;


work experience;


professional status; and


The User does not have to provide additional information on the his/her User profile. Please acknowledge, however, that profile information may help you to get more from our Services.

To the extent that User provides personally identifiable information on his/her employees or colleagues to the User profile, the User must obtain a prior approval from such party in order to provide their information.

Please do not post or add personal data to your profile that you would not want to be publicly available.

Posting and uploading

We may collect personally identifiable information from you when you provide, post or upload it to our Services. If the User opts to import his/her contact address book from LinkedIn or other third party service via browser extension, we receive personal information on your contacts.

Additionally, we may collect User notes from interactions with you or your direct correspondence with us concerning the Service.


We may collect analytical data generated by the use of our Services. Analytical data shall be collected in an aggregated form meaning that the identification of individual persons from such data is not possible. However, an individual person may be identifiable from aggregated data in certain situations when combined with other data accessible by ESBA. In these situations, aggregated data shall constitute personal data under applicable data protection laws and shall be processed in accordance with this Privacy Policy.

Analytical data collected by ESBA may include the following:

browser type and version;

language settings;


visiting time and time zone;

settings and preferences; and

type and model of User’s device.

Data from other sources

We may collect personally identifiable information (including contact information) about you when other Users import or sync their contacts or calendar hosted by a third party service provider with our Services, associate their contacts with User profiles or send invitations and/or connection requests using the Services.

Furthermore, other Users may post content that includes information about you on our Services.

4. Methods of processing

The Owner takes appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of the Data.
The Data processing is carried out using computers and/or IT enabled tools, following organizational procedures and modes strictly related to the purposes indicated. In addition to the Owner, in some cases, the Data may be accessible to certain types of persons in charge, involved with the operation of this Application (administration, sales, marketing, legal, system administration) or external parties (such as third-party technical service providers, mail carriers, hosting providers, IT companies, communications agencies) appointed, if necessary, as Data Processors by the Owner. The updated list of these parties may be requested from the Owner at any time.

Legal basis of processing

The Owner may process Personal Data relating to Users if one of the following applies:

  • Users have given their consent for one or more specific purposes. Note: Under some legislations the Owner may be allowed to process Personal Data until the User objects to such processing (“opt-out”), without having to rely on consent or any other of the following legal bases. This, however, does not apply, whenever the processing of Personal Data is subject to European data protection law;
  • provision of Data is necessary for the performance of an agreement with the User and/or for any pre-contractual obligations thereof;
  • processing is necessary for compliance with a legal obligation to which the Owner is subject;
  • processing is related to a task that is carried out in the public interest or in the exercise of official authority vested in the Owner;
  • processing is necessary for the purposes of the legitimate interests pursued by the Owner or by a third party.

In any case, the Owner will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.


The Data is processed at the Owner’s operating offices and in any other places where the parties involved in the processing are located.         

Depending on the User’s location, data transfers may involve transferring the User’s Data to a country other than their own. To find out more about the place of processing of such transferred Data, Users can check the section containing details about the processing of Personal Data.

Users are also entitled to learn about the legal basis of Data transfers to a country outside the European Union or to any international organization governed by public international law or set up by two or more countries, such as the UN, and about the security measures taken by the Owner to safeguard their Data.           

If any such transfer takes place, Users can find out more by checking the relevant sections of this document or inquire with the Owner using the information provided in the contact section.

Retention time

Personal Data shall be processed and stored for as long as required by the purpose they have been collected for.


  • Personal Data collected for purposes related to the performance of a contract between the Owner and the User shall be retained until such contract has been fully performed.
  • Personal Data collected for the purposes of the Owner’s legitimate interests shall be retained as long as needed to fulfill such purposes. Users may find specific information regarding the legitimate interests pursued by the Owner within the relevant sections of this document or by contacting the Owner.

The Owner may be allowed to retain Personal Data for a longer period whenever the User has given consent to such processing, as long as such consent is not withdrawn. Furthermore, the Owner may be obliged to retain Personal Data for a longer period whenever required to do so for the performance of a legal obligation or upon order of an authority.        

Once the retention period expires, Personal Data shall be deleted. Therefore, the right of access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after expiration of the retention period.

    1. The rights of Users

Users may exercise certain rights regarding their Data processed by the Owner.

In particular, Users have the right to do the following:

  • Withdraw their consent at any time. Users have the right to withdraw consent where they have previously given their consent to the processing of their Personal Data.
  • Object to processing of their Data. Users have the right to object to the processing of their Data if the processing is carried out on a legal basis other than consent. Further details are provided in the dedicated section below.
  • Access their Data. Users have the right to learn if Data is being processed by the Owner, obtain disclosure regarding certain aspects of the processing and obtain a copy of the Data undergoing processing.
  • Verify and seek rectification. Users have the right to verify the accuracy of their Data and ask for it to be updated or corrected.
  • Restrict the processing of their Data. Users have the right, under certain circumstances, to restrict the processing of their Data. In this case, the Owner will not process their Data for any purpose other than storing it.
  • Have their Personal Data deleted or otherwise removed. Users have the right, under certain circumstances, to obtain the erasure of their Data from the Owner.
  • Receive their Data and have it transferred to another controller. Users have the right to receive their Data in a structured, commonly used and machine readable format and, if technically feasible, to have it transmitted to another controller without any hindrance. This provision is applicable provided that the Data is processed by automated means and that the processing is based on the User’s consent, on a contract which the User is part of or on pre-contractual obligations thereof.
  • Lodge a complaint. Users have the right to bring a claim before their competent data protection authority.

Details about the right to object to processing

Where Personal Data is processed for a public interest, in the exercise of an official authority vested in the Owner or for the purposes of the legitimate interests pursued by the Owner, Users may object to such processing by providing a ground related to their particular situation to justify the objection.

Users must know that, however, should their Personal Data be processed for direct marketing purposes, they can object to that processing at any time without providing any justification. To learn, whether the Owner is processing Personal Data for direct marketing purposes, Users may refer to the relevant sections of this document.

How to exercise these rights

Any requests to exercise User rights can be directed to the Owner through the contact details provided in this document. These requests can be exercised free of charge and will be addressed by the Owner as early as possible and always within one month.

    1. Additional information about Data collection and processing

Legal action

The User’s Personal Data may be used for legal purposes by the Owner in Court or in the stages leading to possible legal action arising from improper use of this Application or the related Services.
The User declares to be aware that the Owner may be required to reveal personal data upon request of public authorities.

Additional information about User’s Personal Data

In addition to the information contained in this privacy policy, this Application may provide the User with additional and contextual information concerning particular Services or the collection and processing of Personal Data upon request.

System logs and maintenance

For operation and maintenance purposes, this Application and any third-party services may collect files that record interaction with this Application (System logs) use other Personal Data (such as the IP Address) for this purpose.

Information not contained in this policy

More details concerning the collection or processing of Personal Data may be requested from the Owner at any time. Please see the contact information at the beginning of this document.

How “Do Not Track” requests are handled

This Application does not support “Do Not Track” requests.
To determine whether any of the third-party services it uses honor the “Do Not Track” requests, please read their privacy policies.

Changes to this privacy policy

The Owner reserves the right to make changes to this privacy policy at any time by notifying its Users on this page and possibly within this Application and/or – as far as technically and legally feasible – sending a notice to Users via any contact information available to the Owner. It is strongly recommended to check this page often, referring to the date of the last modification listed at the bottom.

Should the changes affect processing activities performed on the basis of the User’s consent, the Owner shall collect new consent from the User, where required.

All the team established a central project database where all relevant documents are collected and categorised so that they can be easily found and shared.

– The database is hosted on MS Teams. Particular care is taken with the handling of contact details of the stakeholders thanks to private channels structure with restricted access based on the sensitivity/relevance of the documents and data stored: i.e. individual PPs private channels, financial team, Steering Committee, etc. The coordination staff of ESBA is using in addition the cloud services of Google Workspace for the storage of internal working documents

For better reference, please check: – MS Teams Privacy policy – GDPR compliance: 
– Google Workspace  Privacy policy – GDPR compliance:

Other tools which will be used by the WEgate Consortium are:

– WEgate Newsletter: Mailchimp is the tool selected based on performance and compliance with GDPR ( The Consortium will make sure to set up double opt-in settings and customize the forms in order to make them both user and GDPR-friendly.

– Zoom: the tool has been selected both in consideration of the high level of performance and transparent policy for GDPR compliance: “Zoom’s products feature an explicit consent mechanism for EU users. Existing or new users coming from IP address detected from EU when signing into the Zoom desktop or mobile application, or joining a meeting without being signed in, across any platform (Mac, Windows, Linux, iOS, Android, Web, ChromeOS) will be presented with a one-time privacy policy update.”

– Google forms: as part of Google Workspace products, also Google forms underlies to the general Google’s GDPR compliance policy, nevertheless, additional care is put by the Consortium in ensuring the highest degree of transparency:

– Right of access: the end user is informed in a dedicated space at the bottom of the form (previous to the “submit” button) that their personal information is going to be collected and there will be no unauthorized sharing of the said data

– Right to be forgotten: the end users of the forms can at any time request for the deletion of the collected data by sending a request to

– Right to rectification: the end users’ right to rectify any erroneous information at anytime is guaranteed by reaching out to 

– A consent tick box is placed at the bottom of the form, previous to the “Submit” button, linking to the legal terms and conditions of WEgate.         

    1. International transfers

ESBA stores personal data primarily within the European Economic Area. However, we have service providers in several geographical locations. As such, we, our service providers may transfer personal data to, or access it in, jurisdictions outside the European Economic Area or outside of your domicile.

We will take steps to ensure that your personal data receives an adequate level of protection in the jurisdictions in which it is processed. We provide adequate protection for the transfers of personal data to countries outside of the European Economic Area through a series of agreements with our service providers based on the Standard Contractual Clauses or through other appropriate safeguards, such as the Privacy Shield Framework.

8. Cookies and analytics

We use various technologies to collect and store analytics data and other information when Users visit our Services, including cookies.

Cookies are small text files sent and saved on your device that allows us to identify visitors of our websites and facilitate the use of our Services and to create aggregate information of our visitors. This helps us to improve our Service and better serve our Users. The cookies will not harm your device or files. We use cookies to tailor our Services and the information we provide in accordance with the individual interests of our Users.

Users may choose to set their web browser to refuse cookies, or to alert when cookies are being sent. For example, the following links provide information on how to adjust the cookie settings on some popular browsers:


Google Chrome

Mozilla Firefox

Please note that some parts of our Services may not function properly if use of cookies is refused.

We also use Google Analytics to compile analytics data and reports on visitor usage. For an overview of Google Analytics, please visit Google Analytics. It is possible to opt-out of Google Analytics with the following browser add-on tool: Google Analytics opt-out add-on.

9. Information security

We use administrative, organizational, technical, and physical safeguards to protect the personal data we collect and process. Our security controls are designed to maintain an appropriate level of data confidentiality, integrity, availability, resilience and ability to restore the data. We regularly test our systems, and other assets for security vulnerabilities.

Should, despite of the security measures, a security breach occur that is likely to have negative effects on your privacy, we will inform you and other affected parties, as well as relevant authorities when required by applicable data protection laws, about the breach as soon as possible.

10. Lodging a complaint

In case you consider our processing of personal data to be inconsistent with the applicable data protection laws, a complaint may be lodged with the local supervisory authority for data protection.

In Belgium, the local supervisory authority is the Data Protection Ombudsman.

Should, despite of the security measures, a security breach occur that is likely to have negative effects on your privacy, we will inform you and other affected parties, as well as relevant authorities when required by applicable data protection laws, about the breach as soon as possible.

  1. The legal ground

The general legal ground is based on the following regulation of GDPR:     

Nevertheless, our data storage is fully compliant of every other national storage data legislation, such as:

Data Protection Act, Federal Law Gazette I Nr. 165/1999 (the “Data Protection Act”); amended to reflect GDPR  requirements by two Data Protection Amendment Acts  in 2018

Law of 5 September 2018 establishing the information security committee and modifying various laws regarding the implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC

Law on Amendment and Supplement to the Personal Data Protection Act ;jsessionid=17AC48BEC0100FB28FDA0294DE0C9CC0?idMat=135056

Act on the Implementation of the General Data Protection Regulation (in Croatian: Zakon o provedbi Opće uredbe o zaštiti podataka) (the “Implementation Act”)

Law providing for the protection of natural persons with regard to the processing of personal data and for the free movement of such data (Law 125(I) of 2018) (the “Data Protection Act”)$file/Law%20125(I)%20of%202018%20ENG%20final.pdf

Czech Republic    
Act amending certain legislations due to the adoption of the act on processing of personal data (the “Amending Act”)

Databeskyttelsesloven (the “Data Protection Act”)

Personal Data Protection Act (the “PDPA”)

Finnish Data Protection Act (1050/2018) (the “Data Protection Act”)

French Data Protection Act (as amended by the Law No. 2018-493 of 20 June 2018 on the protection of personal data and by the Decree No. 2018-687 of 1 August 2018) (the “FDPA”)

Bundesdatenschutzgesetz, Neufassung 2018 (“BDSG“)   

Law 4624/2019,121,83,229,125,127,247,242

Act CXII of 2011 on the Right of Informational Self- Determination and on Freedom of Information (the “Data Protection Act”)

Act No. 90/2018 on Data Protection and the Processing of Personal Data (in Icelandic: Lög nr. 90/2018 um persónuvernd og vinnslu persónuupplýsinga) (the “Data Protection Act”)

Data Protection Act 2018 (the “2018 Act”)

Legislative Decree No. 101/2018 setting out rules adapting Italian law to the GDPR, which amended Legislative Decree No. 196/2003 setting out the Italian privacy code (the “Italian Privacy Code”)

Personal Data Processing Law (“PDPL”)

Datenschutzgesetz (the “Data Protection Act”) 

The Law on Legal Protection of Personal Data (“Data Protection Law”)

Law of 1 August 2018 organising the National Commission on Data Protection and implementing the GDPR (the “Data Protection Law”)

CAP 586 (the “Data Protection Act”)    

Uitvoeringswet Algemene Verordening Gegevensbescherming (General Data Protection Regulation Implementation Act) (the “Data Protection Act”)

The Norwegian Data Protection Act (the “Act”) 

Act of 10 May 2018 on the Protection of Personal Data (the “Data Protection Act”)

Act 58/2019 of 8 August (the “Data Protection Act”)

Law No. 190 of 18 July 2018 regarding the Measures for the Application of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 re the Protection of Natural Persons with regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repeal of the Directive 95/46/EC (General Data Protection Regulation) (the “Data Protection Act”)

Act No. 18/2018 Coll., on the Protection of Personal Data and on Changing and Amending of Other Acts (the “Data Protection Act”)    

Personal Data Protection Act (Zakon o varstvu osebnih podatkov; ZVOP-1) (the “Current Data Protection Act”)

Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (“Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales”) (the “Data Protection Act”) Date in force: 7 December 2018    

The Swedish Data Protection Act (2018:218) (Swe. lag (2018:218) med kompletterande bestämmelser till EU:s dataskyddsförordning) (the ”Data Protection Act”)

United Kingdom 
UK GDPR