Privacy Policy
Last updated: 03.10.2025
Controller: NGO Risk Dashboard – NEXT COMMUNITY SRL (the “Controller”, “we”, “us”, “our”)
Contact (privacy): [email protected]
Registered address: TOPOS MERODE – Rue Abbe Cuypers 3, 1040 Brussels, BELGIUM
Supervisory authority: Belgian Data Protection Authority (APD/GBA), Rue de la Presse 35, 1000 Bruxelles — contact: https://www.autoriteprotectiondonnees.be/
1) Scope and who we are
This Privacy Policy explains how we process personal data when you visit brussels-leaks.eu and its sub-pages, including the NGO Risk Dashboard, when you create or use a member account (e.g., Observer Access, Due Diligence subscriptions), and when we compile and publish profiles of NGOs using official public records.
We operate from Belgium and are subject to:
- EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679),
- Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data,
- sectoral transparency rules that require NGOs to publish governance details and accounts.
We are the data controller for all processing described here. Certain services (e.g., payments) are performed by our processors on our instructions (see §10).
2) What we publish and why
We build profiles of NGOs using only official public sources, such as:
- Belgian Official Gazette / Moniteur Belge (governance filings),
- National Bank of Belgium (NBB) annual accounts (including abridged/full schemes under the Royal Decree of 30/01/2001),
- Belgian administrative registers (SPF Justice, SPF Économie, SPF Emploi/ONSS),
- The EU Financial Transparency System (EU Financial Regulation 2018/1046),
- Official transparency registers and similar national/EU sources.
From those public records we extract minimal personal data about office-holders and governance of NGOs, typically: name, role/mandate, and mandate dates. We do not publish contact details or special-category data about those individuals.
We also compute organisation-level indicators (e.g., risk scores and red flags) derived from official accounts and grant data. These indicators do not profile natural persons and do not allege wrongdoing; they surface accounting and governance patterns for transparency and oversight.
3) Legal bases for publishing public-source data
We process and publish the personal data of NGO governance office-holders on the following bases:
- Legitimate interests (GDPR Art. 6(1)(f)) — pursuing transparency, accountability and public scrutiny of organisations that receive public funds. Office-holders reasonably expect republication and analysis of information that the law already requires to be public.
- Freedom of expression and information / journalistic purposes (GDPR Art. 85 and Belgian Act of 30 July 2018) — our compilation and commentary serve the public interest by enabling oversight, research and reporting. Where applicable, national Art. 85 derogations may temper certain GDPR obligations (e.g., individual notice) insofar as necessary to safeguard this freedom.
- Legal obligation & public interest transparency regimes — the data exists because companies/associations law and EU public-fund rules require publication; our reuse is compatible with those purposes.
We carry out and keep an internal Legitimate Interests Assessment (LIA) demonstrating necessity, proportionality and safeguards.
4) Information we collect from you (members, visitors, correspondents)
When you register, subscribe, or interact with us, we process:
- Account & subscription data (contractual necessity, Art. 6(1)(b)): name, email, password (hashed), organisation/employer, role/profession, billing address, country, chosen plan, subscription status and invoices.
- Payments (contract, legitimate interests, and legal obligation): processed by Stripe Payments Europe, Ltd. We receive confirmation and identifiers; we do not receive or store full card numbers or CVC. We keep accounting data as required by law.
- Communications (legitimate interests): emails you send to us (e.g., correction requests, support), and our replies.
- Security/usage data (legitimate interests): server logs, IP address, timestamps, device/browser information to secure accounts, prevent abuse and diagnose issues.
- Cookies & similar technologies:
  - Strictly necessary cookies for login, session management, member-only pages and security.
  - Preferences/analytics cookies only with your consent (Art. 6(1)(a)); see §11 (Cookies).
We do not sell personal data or use it for targeted advertising.
5) Information we collect from public sources (not directly from data subjects)
For NGO governance we process: name, function (e.g., Director, Administrator, Auditor/Commissaire), mandate start/end dates, and pointers to the official record. The source and the date of extraction are shown on the profile.
Art. 14 GDPR notice: Because contacting every office-holder individually would involve disproportionate effort and would undermine the journalistic/transparency purpose, we provide this privacy information publicly and respond to individual requests. This approach is consistent with Art. 14(5) and Art. 85 (freedom of expression and information).
6) How we use personal data
- Compile and publish NGO profiles from official public records (names of office-holders, mandate metadata, organisation-level indicators).
- Provide member features (authentication, access control, account area, invoices, emails about your subscription).
- Ensure security, prevent fraud, and keep reliable logs.
- Handle corrections/objections and other rights requests.
- Produce aggregate and anonymous usage statistics to improve the service.
- Comply with legal obligations (tax and accounting retention; responding to lawful requests from authorities).
We do not take decisions producing legal or similarly significant effects about individuals solely by automated means.
7) Data minimisation, accuracy and corrections
We publish minimal personal data necessary for governance transparency. We link to the source and show timestamps. If a person identifies an inaccuracy or change, we will verify against the official register and correct swiftly.
You can request corrections at [email protected] (attach or link the official record).
8) Your rights
Depending on the context, you have the following rights under GDPR:
- Access to your personal data and a copy of it (Art. 15).
- Rectification (Art. 16).
- Erasure (Art. 17) — for public-source data we assess erasure requests against our freedom of expression/information mandate and the fact that the data remains in official registers; in most cases rectification is appropriate.
- Restriction (Art. 18) in certain cases.
- Portability for data you provided to us and which we process by automated means on the basis of contract or consent (Art. 20) — typically relevant to your member account data.
- Object (Art. 21):
  - to processing based on legitimate interests (e.g., republication of public-source governance names); we will assess your objection and either cease or explain compelling grounds grounded in transparency/journalism and the public nature of the data, or limit processing where appropriate;
  - to direct marketing (if any) — we do not conduct targeted advertising.
- Withdraw consent at any time (for cookies/newsletters) without affecting prior lawful processing.
To exercise rights, contact [email protected]. You also have the right to lodge a complaint with the APD/GBA (details at the top).
We will respond without undue delay and within one month (extendable by two months for complex requests; we will inform you).
9) How long we keep data
- Public-source profiles: retained as a public-interest archive and updated when official records change.
- Member accounts: kept while your account is active. If you close your account we keep core accounting records and invoices for 10 years to meet Belgian legal obligations; other account data is deleted or anonymised within 12 months.
- Server logs & security events: up to 6 months unless needed for an incident.
- Support communications: normally 24 months after closure.
- Cookie consent records: 12 months or as required by law.
10) Recipients and processors
We share data only as necessary and under contracts that meet Art. 28 GDPR. Typical recipients include:
- Hosting and infrastructure providers (website, databases, backups, DDoS/security).
- Payment processor: Stripe Payments Europe, Ltd. (we do not receive full card data).
- Member management and email delivery tools (for transactional emails about your account, password resets, invoices).
- Analytics provider(s) where you have given consent (IP masking/anonymisation applied where possible).
- Professional advisers (legal/accounting) under confidentiality.
- Authorities where required by law.
We do not permit our processors to use your data for their own purposes.
11) International transfers
Our primary hosting is in the EEA. Where a service provider is located outside the EEA (for example, some email or anti-fraud services), we rely on a valid transfer mechanism under Chapter V GDPR (e.g., European Commission adequacy decision or Standard Contractual Clauses, with supplementary safeguards if needed).
12) Cookies and similar technologies
We use cookies to make the site work and to protect your account.
- Strictly necessary cookies (no consent required): authentication/session, security (e.g., to prevent cross-site request forgery), basic load balancing and cache-busting for logged-in users.
- Preferences/analytics cookies (consent): used only if you accept via our cookie banner. You can change preferences at any time in the banner or your browser. We do not use cookies for behavioural advertising.
If we embed third-party content (e.g., a map or a chart hosted elsewhere), that provider may place its own cookies; we will warn you and block such embeds until you consent where required.
13) Reuse of public records, IP and screenshots
We use facts and data from official public registers subject to their reuse terms. We avoid reproducing protected layouts, and we attribute sources. Where we show screenshots of official pages, we do so under lawful reuse terms or quotation/excerpt rules, solely for transparency and verification.
If you represent a register and believe a particular reuse breaches your licence, contact [email protected] and we will review promptly.
14) Security
We apply appropriate technical and organisational measures (Art. 32), including:
- TLS encryption in transit, access controls and role-based permissions,
- hashed passwords and credential hygiene,
- regular patching and backups,
- logging and monitoring for abuse,
- vendor due diligence and data-processing agreements.
No internet service can be 100% secure, but we work to prevent, detect and respond to incidents. We will notify the APD/GBA and, where required, affected individuals of any personal-data breach.
15) Children
Our services are intended for professionals and adults. We do not knowingly offer subscriptions to persons under 16 (and require 18+ to contract). If you believe a minor has created an account, contact us to remove it.
16) Links to other sites
Our profiles link to official registers and third-party sites. We are not responsible for their content or privacy practices. Please review their policies.
17) Changes to this Policy
We may update this Policy to reflect legal, technical or business developments. We will post the new version with a new effective date and, where appropriate, notify members by email or in the account area. Historical versions can be requested at [email protected].
Annex A — Summary of legal bases by purpose
| Purpose | Data categories | Legal basis |
|---|---|---|
| Publish NGO governance names from official public registers | Name, role/mandate, mandate dates, link to source | Legitimate interests (Art. 6(1)(f)); freedom of expression/information & journalistic purposes (Art. 85 + Belgian Act 30/07/2018) |
| Compute and display organisation-level risk indicators | Organisation-level financials and grant data (no personal data) | Not applicable to individuals; legitimate interests for transparency |
| Member registration, login, subscription management | Account details, hashed password, plan, invoices | Contract (Art. 6(1)(b)); legal obligation for accounting |
| Payments | Payment identifiers, status (card data handled by Stripe) | Contract; legal obligation; legitimate interests (fraud prevention) |
| Security, logs, abuse prevention | IP, timestamps, device/browser information | Legitimate interests |
| Customer support & corrections | Contact details, message content; copies of official records for verification | Legitimate interests |
| Non-essential analytics | Pseudonymous usage data | Consent (Art. 6(1)(a)) |
| Email updates/marketing (if any) | Email, name | Consent or legitimate interests with opt-out, depending on channel |
Annex B — How to exercise your rights (practical)
- Email [email protected] and clearly state the right you wish to exercise (access, rectification, objection, etc.).
- For governance corrections, include a link or attachment to the official record (e.g., updated Moniteur Belge entry).
- We may ask for limited information to verify your identity.
- We respond within one month (extendable where necessary). If we decline your request (e.g., due to Art. 85/journalistic exemption or because the data remains lawfully public), we will explain the reasons and your right to complain to the APD/GBA.
This Policy is designed to be comprehensive and to reflect the dual nature of our activities: (i) compiling and republishing public-source governance data in the public interest and for journalistic/oversight purposes, and (ii) operating member subscriptions and a secure website.
EU Money Monitor is committed to protecting your privacy while serving the public interest. We balance transparency, accountability, and your rights with the vital need for fearless, independent journalism.