1. Purpose
This policy describes how Hybrid Core BV collects, uses, stores, and protects personal data. It reflects the company's commitment to compliance with the General Data Protection Regulation (GDPR) and related European data protection law, and to the responsible treatment of personal data belonging to employees, clients, research participants, partners, and other individuals.
2. Scope
This policy applies to all personal data processed by Hybrid Core BV, whether in the context of commercial activities, employment, research and innovation projects, or any other business function. It applies to all employees, contractors, and third parties who process personal data on behalf of the company.
3. Policy statement
Hybrid Core BV is committed to processing personal data lawfully, fairly, and transparently. We collect only the data we need, use it only for the purposes for which it was collected, and protect it with appropriate technical and organisational measures. Privacy is a fundamental right, and we treat it as such in the design of our systems, products, and processes.
4. Principles
All personal data processing by Hybrid Core BV is conducted in accordance with the following GDPR principles:
- Lawfulness, fairness, and transparency: personal data is processed on a valid legal basis and individuals are informed about how their data is used
- Purpose limitation: data is collected for specified, explicit, and legitimate purposes and not processed in ways incompatible with those purposes
- Data minimisation: only the data that is necessary for the intended purpose is collected and processed
- Accuracy: personal data is kept accurate and up to date
- Storage limitation: data is retained only for as long as necessary and in accordance with the company's data retention schedule
- Integrity and confidentiality: data is protected against unauthorised access, loss, or destruction through appropriate security measures
- Accountability: the company can demonstrate its compliance with these principles
5. Legal bases for processing
Personal data is processed only where a valid legal basis exists. The legal bases used by Hybrid Core BV include:
- Contractual necessity: processing required to perform a contract with the data subject
- Legal obligation: processing required to comply with applicable law
- Legitimate interests: processing necessary for the company's legitimate interests, where not overridden by the interests or rights of the data subject
- Consent: where the data subject has given freely given, specific, informed, and unambiguous consent
6. Individual rights
Individuals whose personal data is processed by Hybrid Core BV have the following rights under GDPR, which the company will honour within the required timeframes:
- Right of access to their personal data
- Right to rectification of inaccurate data
- Right to erasure in certain circumstances
- Right to restriction of processing in certain circumstances
- Right to data portability where processing is based on consent or contract
- Right to object to processing, including for direct marketing
Requests to exercise these rights should be directed to management@hybridcore.eu.
7. Data transfers
Personal data is not transferred outside the European Economic Area (EEA) unless the transfer is subject to appropriate safeguards as required by GDPR, including adequacy decisions, standard contractual clauses, or other approved transfer mechanisms.
8. Data breaches
In the event of a personal data breach, Hybrid Core BV will assess the risk to individuals and, where required, notify the Belgian Data Protection Authority within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to individuals, affected data subjects will also be notified without undue delay.
9. Responsibilities
9.1 Management
Management is responsible for ensuring that the company's data processing activities are lawful and properly documented, that appropriate data protection measures are in place, and that any personal data breaches are escalated and reported appropriately.
9.2 Employees and contractors
All employees and contractors who handle personal data are responsible for doing so in accordance with this policy and any supporting procedures, and for reporting any suspected data breaches or weaknesses to management immediately.
10. Reporting and compliance
The company maintains records of its data processing activities as required by GDPR Article 30. Compliance with this policy is subject to internal review and, where applicable, audit by supervisory authorities. Any individual who believes their personal data has been mishandled may raise a complaint with Hybrid Core BV directly or with the Belgian Data Protection Authority.
11. Monitoring and review
Data protection practices are reviewed regularly to ensure continued compliance with applicable law. This policy is reviewed at least every two years or following material changes in law, technology, or the company's data processing activities.
12. Communication and awareness
Data protection training is provided to all employees at induction and refreshed regularly. Privacy notices are provided to individuals at the point of data collection. This policy is published on the company's internal systems and available to relevant stakeholders on request.
13. Review cycle
This policy is reviewed every two years by the Hybrid Core Management Team or sooner if required by legislative changes or significant changes in data processing activities.
14. Version control
Version: 1.0
Owner: Hybrid Core Management Team
Approved by: Hybrid Core Management
Effective Date: 01.06.2026
Review Period: Every 2 Years