Privacy policy

The protection of your privacy and personal data is important to us, and this is a key factor in how we design and implement our activities on the internet.

Data controller and scope of application

This privacy policy applies to multiple websites operated by GLOBALG.A.P. c/o FoodPLUS GmbH, Spichernstr. 55, 50672 Cologne, Germany; email: info@globalgap.org; tel.: +49 (0) 221 57776 0 (hereinafter referred to as “GLOBALG.A.P.” or “we”) as the data controller. These websites include, e.g., www.globalgap.org and database.globalgap.org (hereinafter referred to as “Websites”). This privacy policy can be accessed from any of these Websites.

For questions relating to data protection and the processing of your personal data, please contact our Data Protection Officer:

HEC Harald Eul Consulting GmbH
Auf der Höhe 34
50321 Brühl
Email: dataprivacy@globalgap.org

In this privacy policy, we inform you about the type, scope, and purposes of the collection, processing, and use of your personal data when visiting or using our Websites. This is performed in accordance with the provisions of the European General Data Protection Regulation (GDPR) and other applicable (federal) data protection legislation (hereinafter referred to jointly as “Applicable Data Protection Law”).

No automated decision-making/profiling is performed.

Handling of personal data and legal bases for data processing

Personal data is information that can be used to identify a person, i.e., details that can be traced back to a person. This includes, e.g., the person’s name, email address, or telephone number. Personal data is not collected, processed, and/or used by GLOBALG.A.P. unless you have consented to the data collection or another permissible legal basis applies under Applicable Data Protection Law.

When we obtain your consent to the processing of personal data, the legal basis for this data processing is Art. 6 (1) a) GDPR. The legal basis for the processing of personal data that we require for the performance of contracts with you is Art. 6 (1) b) GDPR. This also applies to processing that enables precontractual measures to be performed. When we are required to process personal data to comply with a legal obligation, the legal basis for this data processing is Art. 6 (1) c) GDPR. Further, we may also process personal data if the processing is necessary to protect your vital interests or the vital interests of another natural person. The legal basis for this data processing is Art. 6 (1) d) GDPR. When the processing of your personal data is necessary for the purposes of a legitimate interest pursued by us or a third party that is not overridden by your interests, fundamental rights, or fundamental freedoms, the legal basis for the data processing is Art. 6 (1) f) GDPR.

Access data and server log files

GLOBALG.A.P. (or the webspace provider commissioned by GLOBALG.A.P.) collects data about every visit to the Websites. This data is saved in so-called server log files and includes the name of the accessed web page or webservice, file, date and time of the access, data volume transferred, any data input, report of successful access, browser type including version, your operating system, referrer URL (the page previously visited), Internet Protocol (IP) address, and where relevant username and the requesting provider. GLOBALG.A.P. uses this data exclusively for statistical analyses and the purpose of operating, securing, and optimizing the Websites. This data is not merged with other data sources or other personal data about you. The system needs to store the IP address temporarily to enable the Websites to be delivered to you. The IP address is stored for the duration of the session for this purpose. Data is saved in server log files to safeguard the functionality of the Websites. The data also helps GLOBALG.A.P. to optimize the Websites and safeguard the security of the IT systems. GLOBALG.A.P. further reserves the right to review the data in the server log files retrospectively if there are specific indications that justify a suspicion of unlawful use. These purposes represent an example of GLOBALG.A.P.’s legitimate interest in data processing. The legal basis for this data processing is Art. 6 (1) f) GDPR.

Registration

You can register on our Websites for a variety of purposes. Registration is used to sign up for specific events, training courses, or examinations, to become a GLOBALG.A.P. Community Member, to receive information mail-outs/newsletters, to receive informational material (e.g., brochures or posters), to apply for the GLOBALG.A.P. Registered Trainer program, or to access the restricted area of our GLOBALG.A.P. IT systems (e.g., database.globalgap.org or https://audit.globalgap.org/). The latter is only possible for certain users. During registration we collect data about you that we need for the specific registration (hereinafter referred to as “Registration Data”). This generally includes your title and position, first name and surname, date of birth (for identification purposes), email address and/or address and telephone number, country of residence, and further information about your company (where relevant). The specific data is set out in further detail in the registration form in each case. The legal basis for this data processing is Art. 6 (1) b) GDPR.

When you register, we store your IP address in addition to the Registration Data. This falls within our legitimate interests relating to log purposes and the prevention of abuse. The legal basis for this data processing is Art. 6 (1) f) GDPR.

We endeavor to ensure maximum transparency in terms of what Registration Data is accessible to whom. You can find detailed documentation for our GLOBALG.A.P. IT systems in the data access rules (https://www.globalgap.org/search).

We process your Registration Data via Microsoft Dynamics. It cannot be ruled out that in individual cases your Registration Data will be transmitted to the Microsoft Corporation in the USA and processed there. For further information about the processing of your personal data by Microsoft, see https://privacy.microsoft.com/en-us/privacystatement. For further information about the processing of your personal data in countries outside the EEA/EU, please see the section “Transferring data to countries outside the EEA/EU” below.

You can object to the further processing, storage, and use of your Registration Data at any time. However, this may result in a complete deregistration. You may submit your objection either directly via the Website in question or by contacting us at dataprivacy@globalgap.org.

Committees/Specialist groups

In certain cases, if you become active in committees/specialist groups we also process personal data, e.g., in the form of participation lists. This is necessary for the performance and documentation of the committees/specialist groups. The legal basis for this data processing is Art. 6 (1) b) and f) GDPR.

As part of their participation in the committees/specialist groups or collaboration on other projects, we may email certain users, in particular customers or other third parties we work with, a link for sharing content via SharePoint which is offered by Microsoft Ireland Operations, Ltd. (hereinafter referred to as “Microsoft”). Further information about Microsoft SharePoint can be found at https://products.office.com/en-us/sharepoint/collaboration. For further information about the processing of your personal data by Microsoft, see https://privacy.microsoft.com/en-us/privacystatement. For further information about the processing of your personal data in countries outside the EEA/EU, please see the section “Transferring data to countries outside the EEA/EU” below. This processing is performed on the basis of your consent to the processing of your personal data pursuant to Art. 6 (1) a) GDPR or Art. 6 (1) b) GDPR when data is processed for the purpose of the performance of a contract.

Training courses and examinations

You can register with us for a range of training courses and examinations. If you register for or take part in one of these training courses or examinations, we collect and process the personal data you provide during your registration, as well as personal information arising during the completion of the respective training course or examination, including any video recordings made for monitoring purposes during the respective examination. The legal basis for this data processing is Art. 6 (1) b) GDPR.

We endeavor to ensure maximum transparency regarding what data is accessible to whom. For example, for online examinations we deploy specialized service providers who support us in conducting the online examinations (Art. 28 GDPR). These service providers may also view recordings of the respective examination candidates made during the examination for the exclusive purpose of monitoring and conducting the examination. In individual cases, e.g., certification body trainings, managers of the respective certification body may access your personal data for the purpose of conducting trainings and evaluating the examinations. Your examination registrations and results will not be transmitted to unauthorized third parties.

Contact initiation

When you contact GLOBALG.A.P. (e.g., via contact form, calendars, telephone, email, or as a follow-up to a contact made during a trade fair), your information is stored for the purpose of processing the request as well as for any follow-up queries. The legal basis for this data processing is Art. 6 (1) b) GDPR.

We process such information via Microsoft Dynamics. For further information about this service provider and the processing of your personal data in countries outside the EEA/EU, please see the section “Registration” above, and the section “Transferring data to countries outside the EEA/EU” below.

Comments and posts

If you leave a comment on our blog or make other posts, your IP address will be stored. This is done to protect GLOBALG.A.P. if a user includes unlawful content in comments and/or posts (insults, forbidden political propaganda, etc.). GLOBALG.A.P. may face legal action regarding the comment or post and thus has an interest in the identity of the author for the purposes of defending the claim or asserting recourse claims and may even be obliged to disclose such information to third parties, courts, or public authorities. These purposes represent an example of GLOBALG.A.P.’s legitimate interest in data processing. The legal basis for this data processing is Art. 6 (1) c) and f) GDPR.

Information mail-outs, newsletters

We use our information mail-outs to large mailing lists (hereinafter referred to as “Information Mail-Outs”), in particular our newsletters on a range of subjects, to inform our consenting users about our standards, invitations to certain events, summits/tours, and other activities, as well as news about us or our Websites. If you want to receive Information Mail-Outs, we need you to provide a valid email address. We use a procedure to verify that you are the holder of the email address that was provided, or that the holder consents to receiving the Information Mail-Outs (“double opt-in procedure”). This involves us sending an email to the email address that was provided with a request to reconfirm the registration to receive the Information Mail-Outs (e.g., by clicking a link). Additionally, on request, you can indicate the specific topics we may inform you about. No further data is collected. This data is not used for any purpose other than sending Information Mail-Outs and is not passed on to third parties. The legal basis for this data processing is your consent (Art. 6 (1) a) GDPR; section 7 (2) German Act on Unfair Competition (Gesetz gegen den unlauteren Wettbewerb, UWG)).

When you register for one of our Information Mail-Outs, we store your IP address and the date of the registration. This data is stored solely for evidential purposes in the event that a third party misuses an email address and registers to receive Information Mail-Outs without the knowledge of the authorized party. This falls within the legitimate interests of both us and our users (Art. 6 (1) f) GDPR).

You can withdraw your consent to the saving of your data, your email address, and its use for the sending of Information Mail-Outs at any time with effect for the future. Your withdrawal can be performed via a link in the Information Mail-Outs themselves or by notifying us, as described in further detail in the section “Rights of data subjects”.

We process your data in connection with Information Mail-Outs via Microsoft Dynamics. For further information about this service provider or the processing of your personal data in countries outside the EEA/EU, please see the section “Registration” above, and the section “Transferring data to countries outside the EEA/EU” below.

Surveys/Microsoft forms

We may also conduct online surveys on the basis of your respective consent with the aid of Microsoft Forms, a service offered by Microsoft, with whom we have entered into a data processing agreement. The surveys may be disseminated in a number of ways (via hyperlink, QR code, embedding in a website or Sway, or sent by email). Processing is performed on the basis of your consent to the processing of your personal data pursuant to Art. 6 (1) a) GDPR or Art. 6 (1) b) GDPR when data is processed for the purpose of the performance of a contract.

Further information about Microsoft Forms can be found at https://support.office.com/en-us/forms. It cannot be ruled out that in individual cases your data will be transmitted to the Microsoft Corporation in the USA and processed there. For further information about the processing of your personal data by Microsoft, see https://privacy.microsoft.com/en-us/privacystatement. For further information about the processing of your personal data in countries outside the EEA/EU, please see the section “Transferring data to countries outside the EEA/EU” below.

Jotform

We may also use Jotform to create custom online forms, a service provided by Jotform Inc., with whom we have entered into a data processing agreement and concluded standard contractual clauses (more information on the data processing agreement and concluded standard contractual clauses can be found at https://www.jotform.com/gdpr-compliance/dpa/sample_gdpr_dpa_en.pdf). When using Jotform, certain personal data might be processed, such as name, surname, email, phone, address/street, street number, city, post code, position/occupation, state, country, region, fax, mobile, spoken languages, device/platform. The processing is performed on the basis of Art. 6 (1) b) GDPR when data is processed for the purpose of the performance of a contract or in order to take steps prior to entering a contract.

It cannot be ruled out that in individual cases your data will be transmitted to Jotform Inc. in the USA. Further information about the processing of your personal data by Jotform can be found under https://www.jotform.com/privacy/. For further information about the processing of your personal data in countries outside the EEA/EU, please see the section “Transferring data to countries outside the EEA/EU” below.

Online payments

If you register for an event or course, we make it possible for any payable fees to be paid online, depending on the specific offering. Similarly, all invoices issued by GLOBALG.A.P. can be paid online using a credit card. The data required to initiate the online payment is strictly separated from your Registration Data. If you opt for online payment, the data you input, including the intended use and the sum to be transferred for the online payment, is not saved directly by us, but forwarded straight to BS Payone GmbH for payment verification and the initiation of the payment process. BS Payone GmbH transfers no more than minimal information about the payment procedures to us (e.g., allocation to invoice number and status of the payment transaction). BS Payone GmbH is therefore responsible for processing and storing personal data in connection with online payments. This serves the purpose of performing a contract between you and GLOBALG.A.P. and thus falls within the legitimate interests of both parties (Art. 6 (1) b) and f) GDPR). The data protection regulations of BS Payone GmbH can be accessed at https://www.payone.com/DE-en/data-protection-regulations.

If you and/or your company are located in the United States, the payment service provider used is First Data Merchant Services, LLC. (hereinafter referred to as “Payeezy”). To pay, you will be redirected to Payeezy’s website, where you can enter the data required for payment processing (Art. 6 (1) b) and f) GDPR). We do not transfer any personal data to Payeezy. For more information on how Payeezy processes personal data, please refer to Payeezy’s privacy policy at https://merchants.fiserv.com/en-us/privacy/?utm_source=firstdataus.

CB-AT portal

We offer a portal that can be used as a certification body administration tool (hereinafter referred to as “CB‑AT,” accessible at https://cb-at.powerappsportals.com/). Registered users can use CB-AT to manage and track their approval status. Among others, the following functions are available to users:

Registering the user’s inspectors/auditors

Assigning modules to the user’s inspectors/auditors

Viewing the modules assigned to inspectors/auditors

We use CB‑AT for purposes that include:

Tracking and evaluating the qualifications of the user’s inspectors/auditors

Maintaining the approval status of the user’s inspectors/auditors

To register in CB‑AT, users receive an email from cb_admin@globalgap.org with an invitation code that they need to enter into the registration mask on the CB‑AT website. We process any personal data that you share with us while registering for and using CB‑AT. This may include contact information such as your full name, address, email address, telephone number, contacts among other registered users, your assigned modules, working language(s), and qualification records required for the approval and maintenance of your inspector/auditor status. The legal basis for this data processing is Art. 6 (1) b) GDPR. The data is used to offer the above services provided by CB‑AT.

CB‑AT is run via tools offered by Microsoft (SharePoint and Dynamics). It cannot be ruled out that in individual cases your data will be transmitted to the Microsoft Corporation in the USA and processed there. For further information about the processing of your personal data by Microsoft, see https://privacy.microsoft.com/en-us/privacystatement. For further information about the processing of your personal data in countries outside the EEA/EU, please see the section “Transferring data to countries outside the EEA/EU” below.

Applications

On our Websites we may publicize job advertisements for vacancies in our company, at our subsidiary in the USA (GLOBALG.A.P. North America Inc.), or our offices in South Africa. Responsibility for filling the vacancies and processing the respective applications lies with the company to which you make the specific application.

If you submit an application to us or our subsidiary or other offices, the respective company will process the information and documents you submit including the personal data included therein, such as your full name, address, email address, telephone number, information about your professional development/résumé, references, or other information that you communicate to that company in the course of your application. Prior to any appointment, the personal data (full name, date of birth, place of birth, nationality) of the applicants short-listed following the application process shall be checked against entries on blacklists, and especially the EU terrorist list pursuant to the EU anti-terror regulations. The purpose of this is to enter into a contract of employment with these applicants and to comply with a legal obligation to which we are subject (Article 6 (1) c) GDPR), because statutory provisions prohibit financial benefits, including the payment of a salary, being paid to persons who are included on such blacklists.

If we forward your application to our subsidiary in the USA, we do so to comply with your request to enter into/initiate an employment contract with the subsidiary pursuant to Art. 49 (1) 1b) GDPR. The submission of application documents including personal data is necessary for the performance of the application process.

You are not obliged, either under statute or contractually, to provide personal data for application purposes. However, if you supply no information about yourself, your application cannot be processed.

Transferring data to third parties

We will not disclose your personal data to third parties unless you have provided your consent or another permitted circumstance applies in accordance with the Applicable Data Protection Law. These third parties include in the first instance service providers commissioned by us to support our business operations (Art. 28 GDPR). This covers, e.g., webspace providers for the operation of our Websites or the forwarding of invoicing or tax-relevant information to service providers for the purposes of invoicing and accounting or controlling. In these cases, however, the scope of the transmitted data will extend only to the minimum required to achieve the purposes pursued via the data processing. If you register on our Websites for an event or training course, we transmit the information you submit during registration to the organizations and companies we work with to run the respective event or training course. The legal basis for this data processing is Art. 6 (1) b) GDPR.

For the purpose of pooling resources and optimizing our business processes, we operate a CRM system with our affiliated company, GLOBALG.A.P. North America Inc., under joint responsibility pursuant to Art. 26 GDPR. In this regard, we have concluded a so-called joint controller agreement (Art. 26 (1) GDPR). You can assert your data protection rights with each controller. The parties will inform each other without delay of claims asserted by data subjects in relation to the joint processing. They will provide each other with all the information necessary to respond to requests for information. FoodPLUS GmbH will generally process and respond to requests from data subjects. GLOBALG.A.P. North America Inc. is located outside the EU/EEA and in the USA. To ensure an appropriate level of data protection, we have concluded so-called standard contractual clauses. You can find more information on data transfers to third countries in the following section.

If we are legally obliged to disclose specific personal data on the basis of a judicial decision or following a request for information from law enforcement or supervisory authorities or authorized third parties in conjunction with investigatory proceedings or the suspicion of a criminal act, an unlawful act, or other acts that may give rise to legal liability for you or us, we will disclose the data required for the investigation, such as your full name, address, email address, or other relevant information (Art. 6 (1) c) GDPR). Similarly, we reserve the right to process and use users’ personal data to enforce or defend against claims.

In order to make certification data stored in the GLOBALG.A.P. database available to persons or groups of persons that are entitled to access such data in accordance with our data access rules (accessible at https://www.globalgap.org/document-center/), we cooperate with data partners. The data partners are registered and licensed and must strictly adhere to our data access rules and this privacy policy. We have a legitimate interest (Art. 6 (1) f) GDPR) in a cooperation with such data partners.

Transferring data to countries outside the EEA/EU

Personal data may be transferred to third parties that are located in non-EEA or non-EU countries and where no so-called adequacy decision exists, i.e., the European Commission has not established a level of data protection comparable to that in the EU (e.g., the USA, South Africa). In this case, prior to transferring, we ensure in compliance with the requirements of Art. 44 et seq. GDPR that an adequate level of data protection is in place at the recipient, in particular by conducting what are known as transfer impact assessments, by obtaining your consent in advance, or through specific guarantees, in particular the self-certification of a recipient in the USA in accordance with the principles of the EU – US Privacy Framework as well as concluding what are referred to as the EU standard contractual clauses. A copy of suitable guarantees can be obtained on request via the email address set out at the beginning of this privacy policy. Basic information about the participants of the EU–US Privacy Framework can also be found here. Basic information about the EU standard contractual clauses can be found here, and information about the adequacy decisions here.

Furthermore, even when we have concluded standard contractual clauses, we seek to establish further measures that provide an equal level of data protection compared to the applicable standards in the EU when personal data is forwarded to third countries (e.g., the USA, South Africa). Such further measures shall be established to accommodate CJEU decision C-311/18 (Schrems II). For further information on this topic, please contact our Data Protection Officer via the email address set out at the beginning of this privacy policy.

Integration of third-party content and services

Third-party content, such as YouTube videos, RSS feeds, or graphics from other websites, may be integrated into our online offerings. This usually assumes that the providers of this content (hereinafter referred to as “Third-Party Providers”) will be aware of the user’s IP address. This is because they would not be able to transmit the content to the browser of the user in question without the IP address. The IP address is therefore necessary in order to display this content. We endeavor only to use such content in those cases in which the respective Third-Party Provider only uses the IP address to deliver the content. However, we have no influence over whether the Third-Party Providers use IP addresses, e.g., for statistical purposes. Where we are aware of this, we will notify the users accordingly. The use of enhanced presentation options for information purposes and to optimize your user experience is within our mutual legitimate interest (Art. 6 (1) f) GDPR).

Further information about the use of YouTube videos can be found below.

YouTube videos

Videos are shown on our web pages via the provider YouTube. The videos are operated by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA (hereinafter referred to as “YouTube”). If a web page containing such a button (identifiable by the YouTube icon in the lower right of the video preview) is accessed and you activate the corresponding content (Art. 6 (1) a) GDPR), your browser creates a direct connection with the YouTube servers. The showing of videos on our Websites is also within our mutual legitimate interest (Art. 6 (1) f) GDPR). YouTube transmits the content of the YouTube button directly via your browser and it is integrated into the web page. We have no further influence over the data that YouTube collects via the button. It is likely that your IP address is recorded, among other things.

If you are logged in to YouTube as a member, YouTube may allocate information about the web pages accessed and YouTube content to your user account. This may also be the case if you log in to YouTube as a member at another point in time. Further information about the scope and purpose of the data collection and the further use and processing of the data by YouTube as well as your associated rights and configuration options to protect your privacy can be found in the YouTube privacy policy: https://www.google.de/intl/en/policies/privacy/

Cookies

Cookies are small files that permit specific information relating to a device to be stored on the user’s accessing device (PC, smartphone, etc.). Some enhance the user-friendliness of websites and aid the user (e.g., by storing login data), some enable the recording of statistical data about website use and the analysis to improve the Websites or the placement of targeted ads. You can influence how cookies are used. Most browsers have an option that limits or completely prohibits the storage of cookies. However, it should be noted that use, and especially user comfort, may be restricted without cookies. Our users can manage many online advertising cookies from companies via the US page http://www.aboutads.info/choices/ or the EU page http://www.youronlinechoices.com/uk/your-ad-choices/. For further information about the use of cookies and how you can deactivate them, see www.youronlinechoices.com.

We store cookies on our users’ hard drives unless they actively block them. The processing of personal data collected using cookies for analytical and marketing purposes is only done, and cookies are only dropped, subject to your prior consent. Thus, the legal basis for this processing is Art. 6 (1) a) GDPR. You can withdraw your consent at any time with effect for the future. The legal basis for using cookies which are necessary for the technical operation of our website is Art. 6 (1) f) GDPR. Further information on which Third-Party Providers we use in this regard can be found in the following.

Piwik PRO

Our Websites use the web analysis service Piwik PRO offered by the provider Piwik PRO GmbH (hereinafter referred to as “Piwik PRO”) for the statistical analysis of user access. Piwik PRO may use cookies, tags, IP addresses, and what is known as fingerprinting to enable an analysis of users’ website use. This may include the collection or processing of the following data: IP address (anonymized), user ID, date and time of the request, title or URL of the page visited, URL of the page visited previously, screen resolution, time zone, files clicked on and downloaded, links clicked to external websites, display speed of the pages, user’s geodata (country, region, city, approximate longitude and latitude), browser language, user agent of the browser used, randomly assigned one-off user ID, time of a user’s first visit, time of a user’s previous visit, number of user’s visits.

This processing is only done, and cookies are only dropped, subject to your prior consent. Thus, the legal basis for this processing is Art. 6 (1) a) GDPR. The information generated by the cookies about the use of our Websites is stored on the servers of Piwik PRO or service providers commissioned by them in Europe. The IP address is anonymized immediately after processing and before saving. The information generated by Piwik PRO is not used to identify the user of these Websites personally and is not merged with other personal data of the user.

You can also prevent the setting of the cookies through a corresponding setting in your browser software. However, GLOBALG.A.P. refers users to the fact that in this case they may not be able to use the full functionality of a Website. For further information about this topic, see https://piwik.pro/privacy-policy/.

If you do not consent to the use of Piwik PRO, we will use a version of the tool which does not use cookies or otherwise access data on your device and does not track individual user data. Your IP address will be masked as well.

Google Ads

We use Google Ads. Google Ads is an online promotional program of Google Ireland Limited (hereinafter referred to as “Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Ads enables us to display ads in the Google search engine or on third-party websites, if the user enters certain search terms into Google (keyword targeting). It is also possible to place targeted ads based on the user data Google has in its possession (e.g., location data and interests; target group targeting). We can analyze these data quantitatively, for instance by analyzing which search terms resulted in the display of our ads and how many ads led to respective clicks. For these purposes of (re-)marketing and targeting, cookies and other technologies are stored on your device.

This processing is only done, and cookies are only dropped, subject to your prior consent. Thus, the legal basis for this processing is Art. 6 (1) a) GDPR. You can withdraw your consent at any time with effect for the future.

You can also prevent the use of cookies through a corresponding setting in your browser software – the suppression of third-party cookies means that you will not receive any ads from Third-Party Providers.

It is possible that respective data is transferred to the USA. This transfer is based on Standard Contractual Clauses (SCC) of the European Commission. Details can be found here: https://policies.google.com/privacy/frameworks and https://privacy.google.com/businesses/controllerterms/mccs/. Furthermore, Google is certified in accordance with the EU–US Data Privacy Framework. This is an agreement between the European Union and the USA that is intended to ensure compliance with European data protection standards for data processing in the USA. Every company certified under the EU–US Data Privacy Framework is obliged to comply with these data protection standards. For more information, please see https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact=true&id=a2zt000000001L5AAI&status=Active.

Profiles on social media platforms

We maintain publicly accessible profiles on various social media platforms. The individual social media platforms we use are listed below. You can access our social media profiles from our website by clicking on the relevant platform button. These are not social plug-ins but simple links to our accounts registered on the respective platform. Our social media profiles are intended to present our company and our activities as widely as possible. This is a legitimate interest within the meaning of Art. 6 (1) f) GDPR. The analysis initiated by the social media platforms may be based on different legal bases, which must be specified by the operators of the social media platforms.

The social media platforms can generally analyze your user behavior when you visit their website, and visiting our social media profiles triggers various data processing operations. If you are logged into your social media account and visit our social media profiles, the operator of the social media platforms can assign this visit to your user account. However, your personal data may also be collected if you are not logged in or do not have an account with the respective social media platform. In this case, this data collection takes place, for example, via cookies that are stored on your end device or by collecting your IP address. With the help of the data collected in this way, the operators of the social media platforms can create user profiles in which your preferences and interests are stored. In this way, interest-based advertising can be displayed to you both within and outside the respective social media platform. If you have an account with the respective social media platform, the interest-based advertising can be displayed on all devices on which you are logged in or have been logged in.

Please also note that we have no control or insight into the full range of processing operations on the social media platforms. Depending on the provider, further processing operations may therefore be carried out. For details, please refer to the terms of use and data protection policies of the respective social media platforms.

Facebook: We have a profile on Facebook. The provider of this service is Meta Platforms Ireland Ltd, Merrion Road, Dublin 4, Ireland. According to Facebook, the data collected is also transferred to the USA and other third countries. You can adjust your advertising settings yourself in your user account on Facebook. Further details can be found in Meta’s privacy policy: https://www.facebook.com/about/privacy/.

Instagram: We have a profile on Instagram. The provider of this service is Meta Platforms Ireland Ltd, Merrion Road, Dublin 4, Ireland. According to Instagram, the data collected is also transferred to the USA and other third countries. You can adjust your advertising settings yourself in your user account on Instagram. Further details can be found in Meta’s privacy policy: https://privacycenter.instagram.com/policy/.

LinkedIn: We have a profile on LinkedIn. The provider is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. Details on how they handle your personal data can be found in LinkedIn’s privacy policy: https://www.linkedin.com/legal/privacy-policy.

X: We use the short messaging service X. The provider is X Corp., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. You can adjust your advertising settings yourself in your user account (https://twitter.com/settings/account). Further details can be found in X’s privacy policy: https://twitter.com/de/privacy.

YouTube: We have a profile on YouTube. The provider is Google Ireland Limited, Gordon House, Barrow St, Dublin, D04 E5W5, Ireland. Details on how they handle your personal data can be found in YouTube’s privacy policy: https://policies.google.com/privacy?hl=de&gl=de#infocollect.

Rights of data subjects

You have the following rights:

  • The right to request confirmation of whether personal data relating to you is being processed and details of this data and any additional information and a copy of the data (Art. 15 GDPR)

  • The right to request the completion of incomplete personal data or the rectification of incorrect personal data (Art. 16 GDPR)

  • The right to request that personal data be deleted immediately (Art. 17 GDPR) or, if need be, that the data processing be restricted (Art. 18 GDPR) (if this data is subject to statutory retention periods, we will block it for the duration of the retention period)

  • The right to receive, or have transmitted to a third party, the relevant personal data that you have provided to us and that we process in an automated manner on the basis of your consent or in the performance of a contract (Art. 20 GDPR) (The data will be provided in a machine-readable format. If you request a direct transfer of the data to a different controller, this will only be done if it is technically feasible.)

  • The right to object at any time to the processing of personal data processed by us on the basis of a legitimate interest of ours (Art. 6 (1) f) GDPR), pursuant to Art. 21 GDPR

  • The right to withdraw any consents granted pursuant to Art. 7 (3) GDPR with future effect (This will not affect the lawfulness of any processing performed on the basis of such consent up to the withdrawal.)

We will notify any recipients to whom we have disclosed your personal data about any correction or deletion of the personal data or restriction of the processing unless this turns out to be impossible or would involve disproportionate effort.

You can assert the above rights against us, e.g., by notifying us by mail or email to dataprivacy@globalgap.org.

That notwithstanding, you have the right to submit a complaint to the competent supervisory authority (Art. 77 GDPR).

Duration of data storage

In consideration of the applicable provisions under data protection law, we will delete the stored personal data about you without any action on your part if there is no longer a need for the information to be known to perform the purpose associated with the storage or if the storage of the data is not permitted for other legal reasons. In some cases provided for by law (e.g., statutory retention obligations), your data may be blocked instead of deleted.

Following job applications, application documents will be deleted or blocked in accordance with the following measures and any personal data provided in hard copy will be returned to the applicant. If applicants have only applied for a specific, advertised job, their application data will be stored until the final decision about the appointment to the post is made plus a maximum of six months from the notification of this decision.

Accordingly, the data or documents provided by the applicants will be deleted in a manner compliant with data protection regulations. Only in cases in which an application results in an employment relationship being entered into or if a statutory provision permits further storage of this data by way of exception will this not apply; in these cases, the application data will be processed to permit the employment relationship to be executed or stored for longer periods in accordance with the statutory provisions and, if a statutory provision so permits, processed and used (Art. 6 (1) b) and f) GDPR). In these cases, we will notify the applicant before the specific act of saving, processing, or using their personal data in accordance with the applicable provisions of data protection law, provided they are not already in possession of this information.

Additional California privacy terms and rights

The state of California enacted the California Consumer Privacy Act in 2018 and amended it in 2020 under the California Privacy Rights Act (hereinafter referred to collectively as “CCPA”). Together, the acts afford certain rights to California residents (“consumers”). This section specifically addresses the rights of California residents under the CCPA.

A. Collection categories

As explained above in this privacy policy, we collect a variety of categories of information, including sensitive personal information, in connection with providing the services. In this section, we explain these categories again specifically in the context of the CCPA. In providing the services on the Websites, we collect the following categories of personal information: the person’s name, postal/mailing address, IP address, unique personal identifier or online identifier, email address or telephone number, and other Registration Data.

B. Information sources

As explained above, we collect personal information from consumers themselves directly via our Websites, through interactions with our company’s personnel, and through social media, and, in some cases, from service providers.

C. Personal information use and sharing for business purposes

As explained in greater detail above, we use the personal information that is collected for a wide variety of business purposes:

To fulfill any contractual obligations with you related to the Websites

To facilitate the establishment and use of accounts created on the Websites

To verify your identity and manage access to your accounts on the Websites

To facilitate your participation in our online forums

For analytics purposes and to operate, maintain, and improve the Websites

To market the Websites and gather additional information regarding the Websites

To create new products and services on the Websites

To protect against, investigate, and deter fraudulent, unauthorized, and/or illegal activity on or relating to the Websites

When necessary, to meet legal requirements, such as legally mandated reporting, subpoenas, court orders, or other legal process requirements

We only disclose and share your personal information for business purposes with the following categories of third parties:

Service providers, as explained above, and with our affiliated company GLOBALG.A.P. North America Inc.

D. Sale of personal information

We do not engage in any sale of a consumer’s personal information as that term is defined under the CCPA.

E. Sharing of personal information

The CCPA defines “sharing” as “renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means” personal information. We share your personal information, as described above, with the companies that provide cookies and similar technologies used on our Websites. Those companies have access to and might use the personal information gathered through these technologies, which might include an individual consumer’s IP address. Such uses might include targeted advertising information based on individual internet activity and interests. It is possible that some of the businesses providing marketing services to us might share personal information with their business partners. In addition, some companies that provide services to us might need to access and use customer information as part of providing services to us, and these same companies might use this information for the development of their own business capabilities, not solely for the provision of services to us.

To notify us of your desire to restrict the use of your personal information by third parties, contact us and submit your request by emailing us at dataprivacy@globalgap.org:

DO NOT SHARE MY PERSONAL INFORMATION

If you have any questions about submitting your request, please contact us and submit your request by emailing us at dataprivacy@globalgap.org or calling toll-free at +1 833 879 8855.

F. Your California rights and choices

The CCPA provides California residents with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.

i. Access to specific information.

You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request (see the section “Exercising consumer rights” below), we will disclose to you:

The categories of personal information we collected about you

The categories of sources for the personal information we collected about you

Our business or commercial purpose for collecting or selling that personal information

The categories of third parties with whom we share that personal information

The specific pieces of personal information we collected about you

If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:

Sales, identifying the personal information categories that each category of recipient purchased

Disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained

Under the CCPA, you may also request that we disclose certain information to you about our collection and use of your personal information beyond the past 12 months. We, however, may decline to provide that information to you if doing so would require a disproportionate effort on our part.

ii. Deletion and correction request rights

You have the right to request that we delete or correct any of your personal information that we collected from you, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see the section “Exercising consumer rights” below), we will delete (and direct our service providers to delete) or correct your personal information from our records, unless an exception applies.

In the absence of a verifiable consumer request from you, we will retain your personal information as described above, before automatically deleting (and directing our service providers to delete) it.

We may deny your deletion request if retaining the information is necessary for us or our service providers to:

Complete the transaction for which we collected the personal information, provide goods or services that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you

Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities

Debug products to identify and repair errors that impair existing intended functionality

Exercise free speech, ensure the right of another consumer to exercise their right to free speech, or exercise another right provided for by law

Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.)

Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent

Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us

Comply with a legal obligation

Make other internal and lawful uses of that information that are compatible with the context in which you provided it

iii. The right to opt out – the right to opt out of sharing of personal information

You have the right to opt out of the sharing of your information with a third party, i.e., to prevent a transfer of information to a third party that is not restricted in certain ways from making use of the information. As we explained above, some of the companies that provide cookies and similar technologies might use personal information for targeted advertising information based on individual internet activity and interests, potentially including the sharing of information with others. You can exercise your right to opt out of the sharing of your information by emailing us at dataprivacy@globalgap.org:

DO NOT SHARE MY PERSONAL INFORMATION

iv. Exercising consumer rights

To exercise the rights described above, please submit a verifiable consumer request to us by one of the following methods:

• Emailing us at dataprivacy@globalgap.org

• Calling us toll-free at +1 833 879 8855

Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child. You may make a verifiable consumer request for access or data portability no more than twice within a 12-month period.

To verify the identity of an individual making a request, a two-step process will need to be completed. A verifiable consumer request must do the following:

Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it

Separately provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you.

Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

v. Response timing and format

We endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time, we will inform you of the reason and extension period in writing.

If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.

Unless otherwise requested, any disclosures we provide will cover no more than the 12-month period preceding receipt of the verifiable consumer request. The response we provide will also explain the reasons we cannot comply with a request, where applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless the request is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

G. Nondiscrimination

We will not discriminate against you for exercising your CCPA rights. Unless permitted by the CCPA, we will not:

Deny you goods or services

Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties

Provide you with a different level of quality of goods or services

Suggest that you may receive a different price or rate for goods or services or a different level of quality of goods or services

However, we may offer you certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels. Any CCPA-permitted financial incentive we offer will reasonably relate to your personal information’s value and contain written terms that describe the program’s material aspects. Participation in a financial incentive program requires your prior opt-in consent, which you may revoke at any time. However, we do not currently provide any financial incentives.

H. “Shine the Light” disclosure

We have not shared any personal information with other companies for their direct marketing use within the immediately preceding calendar year. Accordingly, California’s “Shine the Light” law, Cal. Civil Code § 1798.83 to § 1798.84, does not apply to us, and we have not established any mechanism for you to request information on our sharing of information for third parties’ marketing purposes.

Updates to the privacy policy

In the course of the ongoing development of our Websites, we will also continually modify our privacy policy. Any changes will be communicated on this page in good time. For that reason, our users should regularly view this page to find out about the current status of the privacy policy.

Last updated: 19/03/2024
