Privacy Policy

A. Scope
This privacy policy applies to all personal data collected or processed by GLOBALG.A.P. c/o FoodPLUS GmbH (hereinafter referred to as “FoodPLUS” or “we”) when using the GGN label platform under www.ggn.org (hereinafter referred to as “GGN label platform”). This website (hereinafter referred to as “Website”) is accessible by everyone (hereinafter referred to as “User”) and provides information about agricultural businesses that are certified against the GLOBALG.A.P. standards (hereinafter referred to as “Certified Company” or “Certified Companies”) and registered on the GGN label platform.
When using any of the websites operated by FoodPLUS, e.g., www.globalgap.org or www.database.globalgap.org, the Privacy Notice by FoodPLUS linked on the respective website applies.
In this privacy policy, we inform you inter alia about the type, scope, and purposes of the collection, processing, and use of your personal data when visiting or using our GGN label platform. This is performed in accordance with the provisions of the European General Data Protection Regulation (GDPR) and other applicable (federal and state) data protection legislations (hereinafter referred to jointly as “Applicable Data Protection Law”).
No automated decision-making/profiling is performed.

B. Data Controller
Responsible as the data controller for collecting and processing your data is:
FoodPLUS GmbH
Spichernstr. 55
50672 Cologne, Germany
E-mail: info@globalgap.org,
Tel: +49 (0) 221-57776-0.

For questions relating to the processing of your personal data and data protection, please contact our
Data Protection Officer:  
HEC Harald Eul Consulting GmbH
Auf der Höhe 34
50321 Brühl
Email: dataprivacy@globalgap.org

C. Categories of Data
We collect and process different categories of personal data depending on how you use our GGN label platform.
When you register as a certified company with the GGN label platform we might process your username, password, first name, surname, work mobile phone, work e-mail address, work address, office phone, office fax, and company you work for. If you provide us with additional information such as photo/avatar, we will also process this information.
When you contact us through the contact form of the GGN Label platform, we will process your name, e-mail address, and message.
Please note that FoodPLUS may receive messages that require translation. In such cases, our employees use translation tools (e.g., Google translator) to process your inquiry. Thus, please ensure that you do not enter personal data into the message field of your inquiry.
When you contact us by phone, e-mail, in person, or via any other business contact channel, we will collect the information you provide us. Typical data collected is first name and surname, e-mail address, phone, and company you work for, although other types of information provided by you could be collected.
When you visit our GGN label platform as a User to inform yourself about the Certified Companies and our labels, we (or the webspace provider commissioned by FoodPLUS) collect data about every access to the GGN label platform / the Website (known as server log files). The access data include name of the webpage or webservice accessed, file, date and time of the access, data volume transferred, any data input, report of successful access, browser type including version, User’s operating system, referrer URL (the page visited previously), IP address, where relevant username and the requesting provider. This data is not merged with other data sources or other personal data about you. The IP address is stored for the duration of the session for this purpose. FoodPLUS further reserves the right to review the log data retrospectively if there are specific indications that justify a suspicion of unlawful use.

D. Purpose and Legal Basis for Processing
When you register as a Certified Company we need to process your personal data to manage and maintain the business relationship, comply with our contractual obligations (that is, to provide you with the service), and comply with our legal obligations under the law. The legal basis for processing your personal data is Art. 6 (1) (b) GDPR for the purpose of the performance of a user agreement. In case you submit additional data based on your consent, the legal basis for processing is Art. 6 (1) (a) GDPR.
When you place an inquiry with us by using the contact form or via any other of our business contact channels, we need to process your personal data to respond to your request, manage and maintain the business relationship, comply with our contractual obligations (that is, to provide you with the service), and comply with our legal obligations under the law. In this regard the legal basis for processing your personal data is Art. 6 (1) (b) GDPR. In case you submit additional data based on your consent, the legal basis for processing is Art. 6 (1) (a) GDPR.
If you visit our GGN label platform/Website as a User to inform yourself about the Certified Company, FoodPLUS uses the log data solely for statistical analyses and for the purpose of operating, securing, and optimizing the GGN label platform. The system needs to store the IP addresses temporarily to enable the GGN label platform to be delivered to you. Data is saved in server log files to safeguard the functionality of the Website. The data also helps FoodPLUS to optimize the GGN label platform and safeguard the security of the IT systems. These purposes constitute a legitimate interest of FoodPLUS in data processing. The legal basis here is Art. 6 (1) (f) GDPR. Your data for analytical purposes we only process with your consent according to Art. 6 (1) (a) GDPR. You can withdraw your consent at any time with effect for the future. For more information see below under “G. Cookies.”
To the extent we are required to process any of your personal data to comply with a legal obligation, we will process your personal data on basis of Art. 6 (1) (c) GDPR.

E. Disclosure to Third Parties and Transferring of Data to Countries outside the EEA/EU
FoodPLUS will receive access to your personal data. Only relevant individuals who are acting within their job description and have a need to know will have access to your personal data.
In certain cases, third-party providers may be given access to your personal data. We will only disclose your personal data to third parties if you have provided your consent or subject to another permitted circumstance in accordance with the Applicable Data Protection Law. These include in the first instance service providers commissioned by us who support our business operations (Art. 28 GDPR). This covers e.g., webspace or telemedia service providers for the operation and/or maintenance of the GGN label platform or the forwarding of in-voicing or tax-relevant information to service providers for the purposes of invoicing and accounting or controlling. In these cases, however, the scope of the transferred data will extend only to the minimum required to achieve the purposes pursued via the data processing.
We will not share your personal data with local authorities or courts except where we are required to do so by applicable law, a court order, or a legally binding injunction. If we are legally obliged to disclose specific personal data on the basis of a judicial decision or following a request for information from law-enforcement or supervisory authorities or authorized third parties in conjunction with investigatory proceedings or the suspicion of a criminal act, an unlawful act or other acts that may give rise to legal liability for you or us, we will disclose the data required for the investigation, such as name, address, e-mail address, or other relevant information (Art. 6 (1) (c) GDPR). Similarly, we reserve the right to process and use Users’ personal data to enforce or defend against claims (Art. 6 (1) (f) GDPR).
Personal data may be transferred in this way to third parties that are domiciled in non-EEA or non-EU countries and where the EU Commission has not established a level of data protection comparable to the EU (e.g., USA). In this case, prior to transferring we ensure in compliance with the requirements of Art. 44 et seq. GDPR that an adequate level of data protection is in place at the recipient, in particular by conducting so-called transfer impact assessments, obtaining your consent in advance or through specific guarantees , in particular the self-certification of a recipient in the US in accordance with the principles of the EU-US Privacy Framework or as well as concluding the so-called EU standard contractual clauses. A copy of suitable guarantees can be obtained on request via the email address set out at the end of this privacy policy. Basic information about the participants of the EU-US Privacy Framework can further be found here. Basic information about the EU standard contractual clauses can be found here, and information about the adequacy decisions here.
Furthermore, even when we have concluded standard contractual clauses, we seek to establish further measures that provide an equal level of data protection compared to the applicable standards in the EU when personal data is forwarded to third countries (e.g., the USA, South Africa). Such further measures shall be established to accommodate CJEU decision C-311/18 (Schrems II). For further information on this topic please contact our Data Protection Officer via the email address set out at the top of this privacy policy.
Additional information relevant to the GGN label platform Certified Companies: your personal data is available through the GGN label platform to your company colleagues registered on the GGN label platform. Your personal data is NOT available to other registered and Certified Companies.

F. Retention Periods for Personal Data
We will deactivate or cancel the registered Certified Company data as soon as appropriate to avoid unauthorized access to information. It is then no longer visible in the GGN Label Platform and you will not receive any new communications. We will delete personal data of those registered Certified Companies after the end of statutory retention obligations if and where applicable.
In consideration of the applicable provisions under Applicable Data Protection Law, we will delete the stored personal data about you without any action on your part if there is no longer a need for the information to be known to perform the purpose associated with the storage or if the storage of the data is not permitted for other legal reasons. In some cases, provided for by law (e.g., statutory retention obligations), your personal data may be blocked instead of deleted.

G. Cookies
We store cookies on our Users’ hard drives unless they actively block them. Cookies are small text files that permit specific information relating to the device to be stored on the User’s accessing device (PC, smartphone, etc.). Some enhance the friendliness of websites and thus aid the User (e.g., by storing login data), some enable the recording of statistical data about website use and the analysis to improve websites or the placement of targeted ads. You can influence how cookies are used. Most browsers have an option that limits or completely prohibits the storage of cookies. However, it should be noted that usage, and in particular user comfort, may be restricted without cookies. For further information about the use of cookies and how you can deactivate them, see www.youronlinechoices.com.
The processing of personal data collected using cookies for analytical and marketing purposes is only done, and cookies are only dropped subject to your prior consent. Thus, the legal basis for this processing is Art. 6 (1) a) GDPR). You can withdraw your consent at any time with effect for the future. The legal basis for setting cookies for the technical operation of our Website is Art. 6 (1) (f) GDPR.
Further information on which third-party-providers we use in this regard can be found in the following.

I. YouTube Videos
Videos are shown on the GGN label platform via the provider YouTube. These are operated by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA (hereinafter referred to as “YouTube”). If a webpage containing such a button (identifiable by the YouTube icon in the lower right of the video preview) is accessed and you activate the corresponding content, your browser creates a direct connection with the YouTube servers.  YouTube transmits the content of the YouTube button directly via your browser and is integrated into the respective webpage. We have no further influence over the data that YouTube collects via the button. Even though we have turned on the privacy-enhanced mode provided by YouTube to further protect your privacy, it is likely that your IP address is recorded and cookies are set, among other things. Correspondingly, we only process these personal data with your consent (Art. 6 (1) GDPR).  
If you are logged on to YouTube as a member, YouTube may allocate information about the webpages accessed and YouTube content to your user account. This may also be the case if you log on to YouTube as a member at another point in time. Further information about the scope and purpose of the data collection and the further use and processing of the data by YouTube as well as your associated rights and configuration options to protect your privacy can be found in the YouTube privacy policy:  https://policies.google.com/privacy?hl=en

II. Google Maps
The GGN label platform uses Google Maps API applications. This enables us to display interactive maps directly on the GGN label platform and enables you to conveniently use the map function. We use Google Maps to allow Certified Companies to search their location, address and geo-position, translate geo-positions into addresses and addresses into geo-positions. You can view Google’s terms of use here: https://policies.google.com/terms?hl=en. You can find Google’s privacy policy here: https://policies.google.com/privacy?hl=en.

III. Google Translation API
The GGN label platform uses Google translate API to allow register Users to automatically translate free texts inputted by other Users into their language. The free-text fields can be sent to Google for translation if required by another registered Certified Company. Please ensure that you do not enter personal information into the GGN label platform free-text fields. You can view Google’s terms of use here: https://policies.google.com/terms?hl=en. You can find Google’s privacy policy here: https://policies.google.com/privacy?hl=en.

IV. Piwik PRO
The GGN label platform uses the web analysis service Piwik PRO from the provider Piwik PRO GmbH (hereinafter referred to as “Piwik PRO”) for the statistical analysis of user access. Piwik PRO may use cookies, tags, IP addresses, and what is known as fingerprinting to enable an analysis of Users’ Website use. This may include the collection or processing of the following data: IP address (anonymized), user ID, date and time of the request, title or URL of the page visited, URL of the page visited previously, screen resolution, time zone, files clicked on and downloaded, links clicked to external websites, display speed of the pages, User’s geo-data (country, region, city, approximate longitude and latitude), browser language, user agent of the browser used, randomly assigned one-off user ID, time of a User’s first visit, time of a User’s previous visit, number of a User’s visits.
This processing is done only subject to your prior consent. Thus, the legal basis for this processing is (Art. 6 (1) a) GDPR). The information generated by the cookies about the use of the GGN label platform is stored on the servers of Piwik PRO or service providers commissioned by them in Europe. The IP address is anonymized immediately after processing and before saving. The information generated by Piwik PRO is not used to identify the User of the GGN label platform personally and is not merged with other personal data of the User.
You can also prevent the installation of the cookies by making a corresponding setting in your browser software. However, FoodPLUS refers Users to the fact that in this case they may not be able to use the full functionality of this Website. For further information about this topic, see https://piwikpro.de/datenschutz/.

Google Ads
We use Google Ads. Google Ads is an online promotional program of Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.
Google Ads enables us to display ads in the Google search engine or on third-party websites, if the user enters certain search terms into Google (keyword targeting). It is also possible to place targeted ads based on the user data Google has in its possession (e.g., location data and interests; target group targeting). We can analyze these data quantitatively, for instance by analyzing which search terms resulted in the display of our ads and how many ads led to respective clicks. For these purposes of (re-)marketing and targeting, cookies and other technologies are stored on you device.
This processing is only done, and cookies are only dropped subject to your prior consent. Thus, the legal basis for this processing is Art. 6 (1) a) GDPR). You may withdraw your consent at any time with the effect for the future.
You can also prevent the use of the cookies through a corresponding setting in your browser software – the suppression of third-party cookies means that you will not receive any ads from third-party providers.
It is possible that respective data is transferred to the US. This transfer is based on Standard Contractual Clauses (SCC) of the European Commission. Details can be found here: https://policies.google.com/privacy/frameworks and https://privacy.google.com/businesses/controllerterms/mccs/. Furthermore, Google is certified in accordance with the “EU-US Data Privacy Framework”. This is an agreement between the European Union and the US, which is intended to ensure compliance with European data protection standards for data processing in the US. Every company certified under the DPF is obliged to comply with these data protection standards. For more information, please see https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active.

V. Profiles on Social Media Networks
We maintain publicly accessible profiles on various social networks. The individual social networks we use are listed below. You can access our social media profiles from our website by clicking on the relevant network button. These are no social plug-ins, but simple links to our FoodPLUS/GLOBALG.A.P. accounts registered on the respective network. Our social media profiles are intended to present our company and our activities as widely as possible. This is a legitimate interest within the meaning of Art. 6 (1) f) GDPR. The analysis initiated by the social networks may be based on different legal bases, which must be specified by the operators of the social networks.
The social networks can generally analyze your user behavior when you visit their website and visiting our social media profiles triggers various data processing operations. If you are logged into your social media account and visit our social media profiles, the operator of the social media network can assign this visit to your user account. However, your personal data may also be collected if you are not logged in or do not have an account with the respective social media platform. In this case, this data collection takes place, for example, via cookies that are stored on your end device or by collecting your IP address. With the help of the data collected in this way, the operators of the social media websites can create user profiles in which your preferences and interests are stored. In this way, interest-based advertising can be displayed to you both within and outside the respective social media platform. If you have an account with the respective social network, the interest-based advertising can be displayed on all devices on which you are logged in or have been logged in.
Please also note, that we cannot understand all processing operations on the social media networks. Depending on the provider, further processing operations may therefore be carried out. For details, please refer to the terms of use and data protection policies of the respective social media platforms.
Facebook: We have a profile on Facebook. The provider of this service is Meta Platforms Ireland Ltd, Merrion Road, Dublin 4, Ireland. According to Facebook, the data collected is also transferred to the USA and other third countries. You can adjust your advertising settings yourself in your user account on Facebook. Further details can be found in Meta's privacy policy: https://www.facebook.com/about/privacy/.
Instagram: We have a profile on Instagram. The provider of this service is Meta Platforms Ireland Ltd, Merrion Road, Dublin 4, Ireland. According to Instagram, the data collected is also transferred to the USA and other third countries. You can adjust your advertising settings yourself in your user account on Instagram. Further details can be found in Meta's privacy policy: https://privacycenter.instagram.com/policy.
LinkedIn: We have a profile on LinkedIn. The provider is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. Details on how they handle your personal data can be found in LinkedIn's privacy policy: https://www.linkedin.com/legal/privacy-policy.

VI. Rights of data subjects
You have the following rights: We will notify any recipients to whom we have disclosed your personal data about any correction or erasure of the personal data or restriction of the processing, unless this turns out to be impossible or would involve disproportionate effort.
You can assert the above rights against us, e.g., by notifying us by post via the contact details described above or e-mail to dataprivacy@globalgap.org.
That notwithstanding, you have the right to submit a complaint to the competent supervisory authority (Art. 77 GDPR).

UNITED STATES SUPPLEMENT
California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia provide (now or in the future) their state residents with rights to: The exact scope of these rights may vary by state. To exercise any of these rights please reach out to the Data Controller at dataprivacy@globalgap.org or by calling toll-free at +1 833 879 8855.
The California-specific supplement is below in this Policy.

CALIFORNIA
Additional California privacy terms and rights
The state of California enacted the California Consumer Privacy Act in 2018 and amended it in 2020 under the California Privacy Rights Act (hereinafter referred to collectively as “CCPA”). Together, the acts afford certain rights to California residents (hereinafter referred to as “Consumers”). This section specifically addresses the rights of California residents under the CCPA.

A.           Collection categories
As explained above in this privacy policy, we collect a variety of categories of information, including sensitive personal information, in connection with providing the services. In this section, we explain these categories again specifically in the context of the CCPA. In providing the services on the Website, we collect the following categories of personal information: the person’s name, postal/​mailing address, IP address, unique personal identifier or online identifier, email address or telephone number, and other Registration Data.

B.           Information sources
As explained above, we collect personal information from consumers themselves directly via our Website, through interactions with our company’s personnel, and through social media, and, in some cases, from service providers.

C.           Personal information use and sharing for business purposes
As explained in greater detail above, we use the personal information that is collected for a wide variety of business purposes:
We only disclose and share your personal information for business purposes with the following categories of third parties: D.           Sale of personal information
We do not engage in any sale of a consumer’s personal information as that term is defined under the CCPA.

E.           Sharing of personal information
The CCPA defines “sharing” as “renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means” personal information. We share your personal information, as described above, with the companies that provide cookies and similar technologies used on our Website. Those companies have access to and might use the personal information gathered through these technologies, which might include an individual consumer’s IP address. Such uses might include targeted advertising information based on individual internet activity and interests. It is possible that some of the businesses providing marketing services to us might share personal information with their business partners. In addition, some companies that provide services to us might need to access and use customer information as part of providing services to us, and these same companies might use this information for the development of their own business capabilities, not solely for the provision of services to us.

To notify us of your desire to restrict the use of your personal information by third parties, contact us and submit your request by emailing us at dataprivacy@globagap.org:
DO NOT SHARE MY PERSONAL INFORMATION
If you have any questions about submitting your request, please contact us and submit your request by emailing us at dataprivacy@globagap.org or calling toll-free at +1 833 879 8855.

F.            Your California rights and choices
The CCPA provides California residents with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.

i.   Access to specific information.
You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request (see the section “Exercising consumer rights” below), we will disclose to you:
Under the CCPA, you may also request that we disclose certain information to you about our collection and use of your personal information beyond the past 12 months. We, however, may decline to provide that information to you if doing so would require a disproportionate effort on our part.

ii.   Deletion and correction request rights
You have the right to request that we delete or correct any of your personal information that we collected from you, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see the section “Exercising consumer rights” below), we will delete (and direct our service providers to delete) or correct your personal information from our records, unless an exception applies.

In the absence of a verifiable consumer request from you, we will retain your personal information as described above, before automatically deleting (and directing our service providers to delete) it.
We may deny your deletion request if retaining the information is necessary for us or our service providers to:
iii. The right to opt out – the right to opt out of sharing of personal information
You have the right to opt out of the sharing of your information with a third party, i.e., to prevent a transfer of information to a third party that is not restricted in certain ways from making use of the information. As we explained above, some of the companies that provide cookies and similar technologies might use personal information for targeted advertising information based on individual internet activity and interests, potentially including the sharing of information with others. You can exercise your right to opt out of the sharing of your information by emailing us at dataprivacy@globagap.org:
DO NOT SHARE MY PERSONAL INFORMATION

iv. Exercising consumer rights
To exercise the rights described above, please submit a verifiable consumer request to us by one of the following methods:
• Emailing us at dataprivacy@globalgap.org
• Calling us toll-free at +1 833 879 8855

Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child. You may make a verifiable consumer request for access or data portability no more than twice within a 12-month period.
To verify the identity of an individual making a request, a two-step process will need to be completed.

A verifiable consumer request must do the following:
We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you.
Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

iv. Response timing and format
We endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time, we will inform you of the reason and extension period in writing.
If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.
Unless otherwise requested, any disclosures we provide will cover no more than the 12-month period preceding receipt of the verifiable consumer request. The response we provide will also explain the reasons we cannot comply with a request, where applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless the request is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

G.           Nondiscrimination
We will not discriminate against you for exercising your CCPA rights. Unless permitted by the CCPA, we will not:
However, we may offer you certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels. Any CCPA-permitted financial incentive we offer will reasonably relate to your personal information’s value and contain written terms that describe the program’s material aspects. Participation in a financial incentive program requires your prior opt-in consent, which you may revoke at any time. However, we do not currently provide any financial incentives.

H.           “Shine the Light” disclosure
We have not shared any personal information with other companies for their direct marketing use within the immediately preceding calendar year. Accordingly, California’s “Shine the Light” law, Cal. Civil Code § 1798.83 to § 1798.84, does not apply to us, and we have not established any mechanism for you to request information on our sharing of information for third parties’ marketing purposes.

Updates to the Privacy Policy
In the course of the ongoing development of our Website, we will also continually modify our privacy policy. Your continued use of the Website following the posting of revised terms of use means that you accept and agree to the changes. Any changes will be communicated on this page in good time. For that reason, our users should regularly view this page to find out about the current status of the privacy policy.