GGN Label Portal
This privacy policy applies to all personal data collected or processed by GLOBALG.A.P. c/o FoodPLUS GmbH
(hereinafter referred to as “FoodPLUS” or “we”) when using the GGN label portal at www.ggn.org (hereinafter referred to as the
“GGN Label Portal”). This website (hereinafter referred to as the
“Website”) is accessible to everyone (hereinafter referred to as the
“User” or “Users”) and provides information about
agricultural
businesses whose processes are certified to the GLOBALG.A.P. standards (hereinafter referred to as a
“Certified Company” or “Certified Companies”) and that are registered on the GGN Label
Portal.
When using any of the websites operated by FoodPLUS – e.g., www.globalgap.org or www.database.globalgap.org – the “privacy policy” by FoodPLUS linked on
the respective website applies.
In this privacy policy, we inform you inter alia about the type,
scope,
and purposes of the collection, processing, and use of your personal data when visiting or using our GGN Label
Portal.
This is performed in accordance with the provisions of the European Union General Data Protection Regulation (GDPR)
and
other applicable (federal and state) data protection legislations (hereinafter referred to jointly as
“Applicable Data Protection Law”).
No automated decision-making/profiling is performed.
Responsible as the data controller for collecting and processing your data is:
FoodPLUS GmbH
Spichernstr. 55
50672 Cologne, Germany
Email: info@globalgap.org
Tel: +49 (0) 221-57776-0.
For questions relating to the processing of your personal data and data protection, please
contact our
Data Protection Officer:
HEC Harald Eul Consulting GmbH
Auf
der
Höhe 34
50321 Brühl
Email: dataprivacy@globalgap.org
We collect and process different categories of personal data depending on how you use our GGN Label Portal.
When you register as a Certified Company with the GGN Label Portal, we might process your username, password, first
name, surname, work mobile phone, work e-mail address, work address, office phone, office fax, and company you work
for.
If you provide us with additional information such as a photo/avatar, we will also process this information.
When
you contact us through the contact form of the GGN Label Portal, we will process your name, email address, and
message.
Please note that FoodPLUS may receive messages that require translation. In such cases, our employees
use
translation tools (e.g., Google translator) to process your inquiry. Thus, please ensure that you do not enter
personal
data into the message field of your inquiry.
When you contact us by phone, email, in person, or via any other
business contact channel, we will collect the information you provide us. Typical data collected is first name and
surname, email address, phone, and company you work for, although other types of information provided by you could
be
collected.
When you visit our GGN Label Portal as a User to inform yourself about the Certified Companies and
our
labels, we (or the webspace provider commissioned by FoodPLUS) collect data about every access to the GGN Label
Portal/the Website (known as server log files). The access data include the name of the webpage or webservice
accessed,
file, date and time of the access, data volume transferred, any data input, report of successful access, browser
type
including version, the User’s operating system, referrer URL (the page visited previously), IP address, and
where
relevant the username and requesting provider. This data is not merged with other data sources or other personal
data
about you. The IP address is stored for the duration of the session for this purpose. FoodPLUS further reserves the
right to review the log data retrospectively if there are specific indications that justify a suspicion of unlawful
use.
When you register as a Certified Company, we need to process your personal data to manage and maintain the
business relationship, comply with our contractual obligations (that is, to provide you with the service), and
comply
with our legal obligations under the law. The legal basis for processing your personal data is
art. 6 (1) (b) GDPR for the purpose of the performance of a user agreement. If you submit additional
data
based on your consent, the legal basis for processing is art. 6 (1) (a) GDPR.
When you place an
inquiry with us through the contact form or via any other of our business contact channels, we need to process your
personal data to respond to your request, manage and maintain the business relationship, comply with our contractual
obligations (that is, to provide you with the service), and comply with our legal obligations under the law. In this
regard the legal basis for processing your personal data is art. 6 (1) (b) GDPR. If you submit
additional
data based on your consent, the legal basis for processing is art. 6 (1) (a) GDPR.
If you visit
our
GGN Label Portal/Website as a User to inform yourself about a Certified Company, FoodPLUS uses the log data solely
for
statistical analyses and for the purpose of operating, securing, and optimizing the GGN Label Portal. The system
needs
to store the IP addresses temporarily to enable the GGN Label Portal to be delivered to you. Data is saved in server
log
files to safeguard the functionality of the Website. The data also helps FoodPLUS optimize the GGN Label Portal and
safeguard the security of the IT systems. These purposes constitute a legitimate interest of FoodPLUS in data
processing. The legal basis here is art. 6 (1) (f) GDPR. Your data for analytical purposes we process
with your consent only, in accordance with art. 6 (1) (a) GDPR. You can withdraw your consent at any
time
with effect for the future. For more information see below under “G. Cookies.”
To the extent we
are
required to process any of your personal data to comply with a legal obligation, we will process your personal data
on
the basis of art. 6 (1) (c) GDPR.
FoodPLUS will receive access to your personal data. Only relevant individuals who are acting within their job
description and have a need to know will have access to your personal data.
In certain cases, third-party
providers may be given access to your personal data. We will not disclose your personal data to third parties unless
you
have provided your consent or another permitted circumstance applies in accordance with applicable data protection
law.
These third parties include, in the first instance, service providers commissioned by us who support our business
operations (art. 28 GDPR). This covers, e.g., webspace or telemedia service providers for the operation and/or
maintenance of the GGN Label Portal or the forwarding of invoicing or tax-relevant information to service providers
for
the purposes of invoicing and accounting or controlling. In these cases, however, the scope of the transferred data
will
extend only to the minimum data required to achieve the purposes pursued via the data processing.
We will not
share your personal data with local authorities or courts except where we are required to do so by applicable law, a
court order, or a legally binding injunction. If we are legally obliged to disclose specific personal data on the
basis
of a judicial decision or following a request for information from law enforcement or supervisory authorities or
authorized third parties in conjunction with investigatory proceedings or the suspicion of a criminal act, an
unlawful
act, or other acts that may give rise to legal liability for you or us, we will disclose the data required for the
investigation, such as name, address, email address, or other relevant information (art. 6 (1) (c)
GDPR).
Similarly, we reserve the right to process and use Users’ personal data to enforce or defend against claims
(art. 6 (1) (f) GDPR).
Personal data may be transferred in this way to third parties that are
domiciled in non-EEA or non-EU countries and where the EU Commission has not established a level of data protection
comparable to the EU (e.g., the USA). In this case, prior to transferring we ensure, in
compliance with the requirements of art. 44 et seq. GDPR, that an adequate level of data protection is
in
place at the recipient, in particular by conducting so-called transfer impact assessments, obtaining your consent in
advance, or securing specific guarantees from the recipient, in particular the
self-certification of a recipient in the US in accordance with the principles of the EU–US Privacy Framework or as well as concluding the
so-called EU standard contractual clauses. A copy of suitable guarantees can be obtained on request via the email
address of the Data Protection Officer set out at the top of this privacy policy. Further basic information about
the
participants of the EU–US Privacy Framework can be found here. Basic information about the EU
standard
contractual clauses can be found here,
and information about the adequacy decisions is given here.
Furthermore, even when we have concluded standard contractual clauses, we seek to establish further measures that
provide an equivalent level of data protection compared to the applicable standards in the EU when personal data is
forwarded to third countries (e.g., the USA, South Africa). Such further measures shall be established to
accommodate
CJEU decision C-311/18 (Schrems II). For further information on this topic please contact our Data Protection
Officer
via the email address set out at the top of this privacy policy.
Additional information relevant to the GGN
Label
Portal Certified Companies: Through the GGN Label Portal, your personal data is available to colleagues at your
company
registered on the GGN Label Portal. Your personal data is NOT available to other registered and Certified Companies.
We will deactivate or cancel the registered Certified Company data as soon as appropriate to avoid unauthorized
access to information. It is then no longer visible in the GGN Label Portal, and you will no longer receive any new
communications. We will delete personal data of those registered Certified Companies after the end of statutory
retention obligations if and where applicable.
In consideration of the applicable provisions under applicable
data
protection law, we will delete the stored personal data about you without any action on your part if there is no
longer
a need for the information to be known to perform the purpose associated with the storage or if the storage of the
data
is not permitted for other legal reasons. In some cases, provided for by law (e.g., statutory retention
obligations),
your personal data may be blocked instead of deleted.
We store cookies on our Users’ hard drives unless they actively block them. Cookies are small text files
that permit specific information relating to the device to be stored on the User’s accessing device (PC,
smartphone, etc.). Some enhance the user-friendliness of websites and thus aid the User (e.g., by storing login
data);
some enable the recording of statistical data about website use and the analysis to improve websites or the
placement of
targeted ads. You can influence how cookies are used. Most browsers have an option that limits or completely
prohibits
the storage of cookies. However, it should be noted that website performance, and in particular user comfort, may be
restricted without cookies. For further information about the use of cookies and how you can deactivate them, see www.youronlinechoices.com.
The processing of personal data
collected using cookies for analytical and marketing purposes is done, and cookies are dropped, subject to your
prior
consent only. Thus, the legal basis for this processing is art. 6 (1) a) GDPR. You can withdraw your consent at any time with effect for the future. The legal basis
for
setting cookies for the technical operation of our Website is art. 6 (1) (f) GDPR.
Further
information on which third-party providers we use in this regard can be found in the following.
YouTube
videos: Videos are shown on the GGN Label Portal via the provider YouTube. These videos are operated by
YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA (hereinafter referred to as “YouTube”). If a
webpage
containing such a button (identifiable by the YouTube icon in the lower right of the video preview) is accessed and
you
activate the corresponding content, your browser creates a direct connection with the YouTube servers. YouTube
transmits
the content of the YouTube button directly via your browser and is integrated into the respective webpage. We have
no
further influence over the data that YouTube collects via the button. Even though we have turned on the
privacy-enhanced
mode provided by YouTube to further protect your privacy, it is likely that your IP address is recorded and cookies
are
set, among other things. Correspondingly, we only process these personal data with your consent
(art. 6 (1)
GDPR).
If you are logged on to YouTube as a member, YouTube may allocate information about the webpages
accessed
and YouTube content to your user account. This may also be the case if you log on to YouTube as a member at another
point in time. Further information about the scope and purpose of the data collection and the further use and
processing
of the data by YouTube as well as your associated rights and configuration options to protect your privacy can be
found
in the YouTube privacy policy: https://www.youtube.com/intl/en_us/howyoutubeworks/our-commitments/protecting-user-data/#privacy-guidelines
Google Maps: The GGN Label Portal uses Google Maps API applications. This enables us to display
interactive maps directly on the GGN Label Portal and enables you to conveniently use the map function. We use
Google
Maps to allow Certified Companies to search their location, address and geo-position, translate geo-positions into
addresses and addresses into geo-positions. You can view Google’s terms of use here: https://policies.google.com/terms?hl=en. You can find
Google’s privacy policy here: https://policies.google.com/privacy?hl=en.
Google
Translate API: The GGN Label Portal uses Google Translate API to allow registered Users to
automatically
translate free text input by other Users into their language. The free text fields can be sent to Google for
translation
if required by another registered Certified Company. Please ensure that you do not enter personal information into
the
GGN Label Portal free text fields. You can view Google’s terms of use here: https://policies.google.com/terms?hl=en. You can find
Google’s privacy policy here: https://policies.google.com/privacy?hl=en.
Piwik
PRO: The GGN Label Portal uses the web analysis service Piwik PRO from the provider Piwik PRO GmbH
(hereinafter referred to as “Piwik PRO”) for the statistical analysis of user access. Piwik PRO may use
cookies, tags, IP addresses, and what is known as fingerprinting to enable an analysis of Users’ website use.
This
may include the collection or processing of the following data: IP address (anonymized), user ID, date and time of
the
request, title or URL of the page visited, URL of the page visited previously, screen resolution, time zone, files
clicked on and downloaded, links clicked to external websites, display speed of the pages, User’s geo-data
(country, region, city, approximate longitude and latitude), browser language, user agent of the browser used,
randomly
assigned one-off user ID, time of a User’s first visit, time of a User’s previous visit, and number of a
User’s visits.
This processing is done subject to your prior consent only. Thus, the legal basis for
this
processing is art. 6 (1) a) GDPR. The information generated by the cookies about the use of the GGN
Label
Portal is stored on the servers of Piwik PRO or service providers commissioned by them in Europe. The IP address is
anonymized immediately after processing and before saving. The information generated by Piwik PRO is not used to
identify the User of the GGN Label Portal personally and is not merged with other personal data of the User.
You
can also prevent the installation of the cookies by making a corresponding setting in your browser software.
However,
FoodPLUS refers Users to the fact that in this case they may not be able to use the full functionality of this
Website.
For further information about this topic, see https://piwikpro.de/datenschutz/.
Google Ads:
We
use Google Ads. Google Ads is an online promotional program of Google Ireland Limited (“Google”), Gordon
House, Barrow Street, Dublin 4, Ireland.
Google Ads enables us to display ads in the Google search engine or
on
third-party websites if the user enters certain search terms into Google (keyword targeting). It is also possible to
place targeted ads based on the user data Google has in its possession (e.g., location data and interests; target
group
targeting). We can analyze these data quantitatively, for instance by analyzing which search terms resulted in the
display of our ads and how many ads led to respective clicks. For these purposes of (re-)marketing and targeting,
cookies and other technologies are stored on your device.
This processing is done, and cookies are dropped,
subject to your prior consent only. Thus, the legal basis for this processing is art. 6 (1) a) GDPR.
You
may withdraw your consent at any time with effect for the future.
You can also prevent the use of the cookies
through a corresponding setting in your browser software. The suppression of third-party cookies means that you will
not
receive any ads from third-party providers.
It is possible that respective data is transferred to the US. This
transfer is based on the standard contractual clauses (SCC) of the European Commission. Details can be found here:
https://policies.google.com/privacy/frameworks and https://privacy.google.com/businesses/
controllerterms/mccs/. Furthermore, Google is certified in accordance with the “EU–US Data
Privacy
Framework” (DPF). This agreement between the European Union and the US is intended to ensure compliance with
European data protection standards for data processing in the US. Every company certified under the DPF is obliged
to
comply with these data protection standards. For more information, please see https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact
=true&id=a2zt000000001L5AAI&status=Active.
We maintain publicly accessible profiles on various social media platforms. The individual social media platforms
we use are listed below. You can access our social media profiles from our Website by clicking on the relevant
platform
button. These are no social plug-ins, but simple links to our accounts registered on the respective platform. Our
social
media profiles are intended to present our company and our activities as widely as possible. This is a legitimate
interest within the meaning of art. 6 (1) f) GDPR. The analysis initiated by the social media
platforms
may have different legal bases, which must be specified by the operators of the social media platforms.
The
social
media platforms can generally analyze your user behavior when you visit their websites, and visiting our social
media
profiles triggers various data processing operations. If you are logged in to your social media account and visit
our
social media profiles, the operator of the social media platforms can assign this visit to your user account.
However,
your personal data may also be collected if you are not logged in or do not have an account with the respective
social
media platform. In this case, this data collection takes place, for example, via cookies that are stored on your end
device or by collecting your IP address. With the help of the data collected in this way, the operators of the
social
media platforms can create user profiles in which your preferences and interests are stored. In this way,
interest-based
advertising can be displayed to you both within and outside the respective social media platform. If you have an
account
with the respective social media platform, the interest-based advertising can be displayed on all devices on which
you
are logged in or have been logged in.
Please also note that we have no control over or insight into the full
range
of processing operations on the respective social media platforms. Depending on the provider, further processing
operations may therefore be carried out. For details, please refer to the terms of use and data protection policies
of
the respective social media platforms.
Facebook: We have a profile on
Facebook.
The provider of this service is Meta Platforms Ireland Ltd (“Meta”), Merrion Road, Dublin 4, Ireland.
According to Meta, the data collected is also transferred to the USA and other third countries. You can adjust your
advertising settings yourself in your user account on Facebook. Further details can be found in Meta’s privacy
policy: https://www.facebook.com/about/privacy/.
Instagram: We have a profile on Instagram. The provider of this service is Meta Platforms Ireland
Ltd
(“Meta”), Merrion Road, Dublin 4, Ireland. According to Meta, the data collected is also transferred to
the
USA and other third countries. You can adjust your advertising settings yourself in your user account on Instagram.
Further details can be found in Meta’s privacy policy: https://privacycenter.instagram.com/policy/.
LinkedIn: We have a profile on LinkedIn. The provider is LinkedIn Ireland Unlimited Company
(“LinkedIn”), Wilton Place, Dublin 2, Ireland. Details on how LinkedIn handles your personal data can be
found in LinkedIn’s privacy policy: https://www.linkedin.com/legal/privacy-policy.
You have the following rights:
We will notify any recipients to whom we have disclosed your personal data about any correction or erasure of the
personal data or restriction of the processing, unless this turns out to be impossible or would involve
disproportionate
effort.
You can assert the above rights against us, e.g., by notifying us by post via the contact details
described above or by email to dataprivacy@globalgap.org.
That
notwithstanding, you have the right to submit a complaint to the competent supervisory authority (art. 77
GDPR).
California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia provide (now or in the future) their state residents with rights to:
The exact scope of these rights may vary by state. To exercise any of these rights please reach out to the Data
Protection Officer at dataprivacy@globalgap.org or by calling
toll-free
at +1 833 879 8855.
The California-specific supplement is below in this policy.
The state of California enacted the California Consumer Privacy Act in 2018 and amended it in 2020 under the California Privacy Rights Act (hereinafter referred to collectively as “CCPA”). Together, the acts afford certain rights to California residents (hereinafter referred to as “Consumers”). This section specifically addresses the rights of California residents under the CCPA.
As explained above in this privacy policy, we collect a variety of categories of information, including sensitive personal information, in connection with providing the services. In this section, we explain these categories again specifically in the context of the CCPA. In providing the services on the Website, we collect the following categories of personal information: the person’s name, postal/?mailing address, IP address, unique personal identifier or online identifier, email address or telephone number, and other registration data.
As explained above, we collect personal information from Consumers themselves directly via our Website, through interactions with our company’s personnel, and through social media, and, in some cases, from service providers.
As explained in greater detail above, we use the personal information that is collected for a wide variety of business purposes:
We disclose and share your personal information for business purposes with only the following categories of third parties:
We do not engage in any sale of a Consumer’s personal information as that term is defined under the CCPA.
The CCPA defines “sharing” as “renting, releasing, disclosing, disseminating, making available,
transferring, or otherwise communicating orally, in writing, or by electronic or other means” personal
information. We share your personal information, as described above, with the companies that provide cookies and
similar
technologies used on our Website. Those companies have access to and might use the personal information gathered
through
these technologies, which personal information might include an individual Consumer’s IP address. Such uses
might
include targeted advertising information based on individual internet activity and interests. It is possible that
some
of the businesses providing marketing services to us might share personal information with their business partners.
In
addition, some companies that provide services to us might need to access and use customer information as part of
providing services to us, and these same companies might use this information for the development of their own
business
capabilities, not solely for the provision of services to us.
To notify us of your desire to restrict the use
of
your personal information by third parties, contact us and submit your request by emailing us at
dataprivacy@globagap.org:
DO NOT SHARE MY PERSONAL INFORMATION
If you have any
questions
about submitting your request, please contact us and submit your request by emailing us at dataprivacy@globagap.org
or
calling toll-free at +1 833 879 8855.
The CCPA provides California residents with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.
You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request (see the section “Exercising consumer rights” below), we will disclose to you:
Under the CCPA, you may also request that we disclose certain information to you about our collection and use of your personal information beyond the past 12 months. We, however, may decline to provide that information to you if doing so would require a disproportionate effort on our part.
You have the right to request that we delete or correct any of your personal information that we collected from
you, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see the section
“Exercising consumer rights” below), we will delete (and direct our service providers to delete) or
correct
your personal information from our records, unless an exception applies.
In the absence of a verifiable
consumer
request from you, we will retain your personal information as described above, before automatically deleting (and
directing our service providers to delete) it.
We may deny your deletion request if retaining the information
is
necessary for us or our service providers to:
You have the right to opt out of the sharing of your information with a third party, i.e., to prevent a transfer
of information to a third party that is not restricted in certain ways from making use of the information. As we
explained above, some of the companies that provide cookies and similar technologies might use personal information
for
targeted advertising information based on individual internet activity and interests, potentially including the
sharing
of information with others. You can exercise your right to opt out of the sharing of your information by emailing us
at
dataprivacy@globagap.org:
DO NOT SHARE MY PERSONAL
INFORMATION
To exercise the rights described above, please submit a verifiable consumer request to us by one of the following methods:
Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf,
may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer
request on behalf of your minor child. You may make a verifiable consumer request for access or data portability no
more
than twice within a 12-month period.
To verify the identity of an individual making a request, a two-step
process
will need to be completed.
A verifiable consumer request must do the following:
We cannot respond to your request or provide you with personal information if we cannot verify your identity or
authority to make the request and confirm the personal information relates to you.
Making a verifiable
consumer
request does not require you to create an account with us. Any personal information provided in a verifiable
consumer
request will not be used for any other purpose than to verify the requestor’s identity or authority to make
the
request.
We endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time, we
will inform you of the reason and extension period in writing.
If you have an account with us, we will deliver
our
written response to that account. If you do not have an account with us, we will deliver our written response by
mail or
electronically, at your option.
Unless otherwise requested, any disclosures we provide will cover no more than
the
12-month period preceding receipt of the verifiable consumer request. Where applicable, the response we provide will
also explain the reasons we cannot comply with a request. For data portability requests, we will select a format to
provide your personal information that is readily useable and should allow you to transmit the information from one
entity to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable
consumer request unless the request is excessive, repetitive, or manifestly unfounded. If we determine that the
request
warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing
your
request.
We will not discriminate against you for exercising your CCPA rights. Unless permitted by the CCPA, we will not:
However, we may offer you certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels. Any CCPA-permitted financial incentive we offer will reasonably relate to your personal information’s value and contain written terms that describe the program’s material aspects. Participation in a financial incentive program requires your prior opt-in consent, which you may revoke at any time. However, we do not currently provide any financial incentives.
We have not shared any personal information with other companies for their direct marketing use within the
immediately preceding calendar year. Accordingly, California’s “Shine the Light” law,
Cal. Civil
Code § 1798.83 to § 1798.84, does not apply to us, and we have not established any mechanism for
you
to request information on our sharing of information for third parties’ marketing purposes.
In the course of the ongoing development of our Website, we will
also continually modify our privacy policy. Your continued use of the Website following the posting of revised terms
of
use means that you accept and agree to the changes. Any changes will be communicated on this page in good time. For
that
reason, our Users should regularly view this page to find out about the current status of the privacy policy.