Privacy Policy
UPDATED AND EFFECTIVE AS OF: 4th of March 2024
TRANSMISSION FOR RECEIVING SENSITIVE DATA
Welcome to the ESDP Privacy Policy. This Privacy Policy (and any other documents referred to in it) describes our data practices regarding personal data collected by European Supplier Diversity Project (“ESDP“, “we“, “us“, “our” or “ours“) or third parties processing personal data on our behalf (“processors“), or that you provide to us, in the context of our certification activities.
Please read the following carefully to understand how we use your personal data, our efforts to protect your personal data, and the rights and options you have to control your data.
Our processing activities take into consideration the applicable European and local EU Member States’ legislation, including Regulation (EU) No. 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR“), Directive 2002/58/EC of 12 July 2002 as amended by Directive 2009/136/EC (“ePrivacy Directive“), and any applicable national implementation laws or regulations or any subsequent laws or regulations that may follow them.
This Privacy Policy does not apply to any personal data collected by third parties who are not processors acting on our behalf or instructions, for instance websites or apps that are not operated by ESDP. ESDP is not responsible for the way in which these third parties handle your personal data. We advise you to read the privacy statements of such third parties when, for instance visiting their websites in order to understand how these third parties collect and process your personal data.
By accessing, visiting, using, submitting data to, or otherwise interacting with our website, you acknowledge that our use of your personal data will be carried out in accordance with this Privacy Policy.
If you do not agree to the terms of this Privacy Policy, please do not use our services or provide personal data to us.
1. DEFINITIONS AND OVERVIEW
The definitions below mirror or translate the definitions provided under Article 4 GDPR.
- “Personal data“: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
- “Process/processing“: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- “Data controller” or “controller“: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law
- “Data processor” or “processor“: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
- “Third party“: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
- “Consent” of the data subject: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
In addition, “Corporate Members” refers to those organisations who have made a commitment to equal opportunities, diversity and inclusion and that joined ESDP as members who would potentially procure products and services from the Certified Members and/or Self-Registered Members.
2. DATA CONTROLLER
The controller of your personal data is ESDP, whose full corporate name is European Supplier Diversity Program Stichting, a foundation (Stichting) registered with the Chamber of Commerce under number 91598656, with its address at Vijzelstraat 68, Spaces Amsterdam, 1017HL Amsterdam, the Netherlands.
3. DATA PROTECTION OFFICER
Our data protection officer (“DPO”) is responsible for overseeing questions in relation to this Privacy Policy and the processing of your personal data. If you have any questions about the processing of your personal data by us or our processors, or about this Privacy Policy, including any requests to exercise your legal rights, please contact the DPO at dpo@esdp-org.eu. We are committed to handling your queries and complaints as best we can. You also have the right to complain to the supervisory authority:
- For France: Commission nationale de l’informatique et des libertés, 3 place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07, www.cnil.fr.
- For the Netherlands: Autoriteit Persoonsgegevens, Hoge Nieuwstraat 8, P.O. Box 93374, 2509 AJ Den Haag, Tel. +31 70 888 8500, www.autoriteitpersoonsgegevens.nl
4. PERSONAL DATA WE COLLECT – PURPOSES – LEGAL BASES
In order to qualify for membership under ESDP certification, or in order to register as a Corporate Member, we ask you to provide us with information which differs depending on the type of certification you apply for (Self-Certified Associate Membership or Premium Membership Certification).
The tables below set out in detail (1) the categories of personal data that we collect, (2) the purposes for which we collect that data, and (3) the legal bases for these purposes.
Data collected from you directly only as part of the supplier certification process

| What kind of data do we process? | When do we collect the data? | Why do we process this? | Is it permitted by law to process the data for these purposes? | Legal basis |
|---|---|---|---|---|
| Data included in your passport, identity card or residence permit (excluding biometric information): first name, surname, physical address at the time the document was issued, date of birth, nationality, photograph, passport or identity card number | You provide it to us when you apply for certification | To process applications for certification by verifying identity and eligibility for certification, including the fact that applicants have the right to work and own a business in the country of reference. | Yes. The law requires, amongst others, that we do not process more data than necessary. This is why we request one identification document, with options as to which one you may provide. | Contractual necessity |
| Director / partner details in the official business registration documents delivered by the registrar, including: director names, director date of birth, director addresses (if any), director place/country of birth. | You provide it to us when you apply for certification | To process applications for certification by verifying the actual registration status of the business. | Yes. The law requires, amongst others, that we do not process more data than necessary. This is why we request only the information that is relevant to establishing the registration status of the business. | Contractual necessity |
| Previous year’s audited or unaudited financial statements (P&L, statement of cash flows) confirming the turnover of the business. Note: to the extent that the information relates to a sole trader or sole practitioner, or otherwise to specific individuals, this constitutes personal data. | You provide it to us when you apply for certification | To conduct initial screening regarding the business’ solidity, to be complemented, as the case may be, by the relevant Corporate Member. | Yes. The law requires, amongst others, that we do not process more data than necessary. This is why we request only the information that is relevant to establishing a financial baseline. | Contractual necessity |
| Information about the applicant’s ethnic origin | You provide it to us when you apply for certification | To process applications for certification by verifying that the applicants and their business fall within the category we are seeking to protect and promote, i.e. businesses which, in the qualifying country, tend to be disadvantaged because they are owned, managed and/or controlled by visible minorities who tend to be discriminated against because their (presumed) ethnicity is apparent from their appearance. Such data is never shared with Corporate Members. Our other objective is to ensure that one minority group is not more disadvantaged than another in our certification services. It is established that ethnic minority groups are not all treated in the same manner; each faces its own challenges and is subject to different prejudices. Amongst others, if within our certification programme we identify an imbalance in the representation of racial minorities, we would analyse the cause of any underrepresentation and remedy it, to the extent that it is not solely based on the business’ merits. | Yes. Under Article 9 GDPR the processing of personal data revealing racial or ethnic origin is permitted, amongst others, where the data subject has given explicit consent to the processing of such personal data for one or more specified purposes. In France, there are no legal provisions barring private-sector charities, foundations and other non-profit organisations from collecting data about racial or ethnic origin if they comply with the GDPR and the Loi informatique et libertés of 1978 as amended, and do not violate laws, regulations and court rulings against discrimination. In the Netherlands, the Dutch GDPR Implementation Act provides a specific exemption for processing race and ethnicity personal data without consent if such data is necessary for reducing or eliminating actual disadvantages relating to racial or ethnic origin and if other conditions are met. For more information, see our FAQs. | Consent |
Other personal data

| What kind of personal data do we process? | When do we have access to it? | Why do we process this? | Legal basis¹ |
|---|---|---|---|
| Contact information. This includes your first and last name, email address, username, and current mailing address. | You provide it to us to register on our online platform. | We use this information to register you as a new member of ESDP. | Contractual necessity |
| Payment information. This includes name, billing address, other contact address, payment details, transaction details. | | | Contractual necessity |
| Profile information. This includes first name, last name, username, date of birth, the service subscribed to. | | | (a) Contractual necessity; (b) Necessary to comply with a legal obligation |
| Profile information. This includes first name, last name, username, date of birth, the service subscribed to. | You provide it to us to register on our online platform and when you apply for certification. | We use this information to be able to communicate with you about matters relating to your membership or certification and to develop and improve our services, which will include asking you to leave a review or take a survey, or producing analytics. | Legitimate interest (to ensure service improvement) |
| Data collected by strictly necessary cookies, such as: the choice expressed by users on the use of cookies; logs used for authentication to a service, including logs designed to ensure the security of the authentication mechanism, for example by limiting robotic or unexpected access attempts; contents of a shopping basket; language and country choice. | | | Legitimate interest of ensuring continuous use of the website |
| | We collect the information as you browse the ESDP website. | We use this information to run data analytics to improve our website, products/services, customer relationships and experiences. | Consent |
| Contact information. This includes your first and last name, phone number, email address, username, and current mailing address. Browsing data: IP address, pages visited, time spent on each page, traffic on pages, usage, trends, and browsing patterns, cookies or other terminal IDs or tracking technologies. | You provide us with the information for marketing purposes. We collect the information as you browse the ESDP website. | We use this information to deliver relevant website content, newsletters and advertisements to you and to measure or understand the effectiveness of the advertising we serve to you. | Consent |
¹ Meaning of the legal basis
Legitimate interest means the interest of our organisation in conducting and managing our activities and processing the personal data to enable us to give you the best service and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us at [email protected].
Performance of contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
Comply with a legal obligation means processing your personal data where it is necessary for compliance with a legal obligation that we are subject to.
5. DISCLOSURES OF YOUR PERSONAL DATA AND INTERNATIONAL TRANSFERS
ESDP handles your personal data carefully and confidentially. Your personal data is only available to our employees to the extent this is necessary to provide our services. We also share personal data with external third parties that we trust. They are our:
- ESDP Corporate Members:
As part of the application process for ESDP membership or certification, your personal data will be shared with Corporate Members of ESDP on a strict need-to-know basis where needed for the performance of the contract we have with you with regard to ESDP membership and/or certification.
- Professional advisors: we share your personal data with our professional advisors to the extent this is relevant, such as lawyers, bankers, auditors, and insurers who provide consultancy, banking, legal, insurance and accounting services. In specific situations, our advisers may act as joint or independent controllers.
- Service providers: we share your personal data with our service providers that act as our data processors. This includes providers of IT and system administration services and professional advisers acting as processors including lawyers, bankers, auditors, and insurers who provide consultancy, banking, legal, insurance and accounting services. We make sure that our service providers respect the security of your personal data and treat your personal data in accordance with the law and enter into data processing agreements with them for this purpose. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
We provide your personal data to some third parties that are based outside the European Economic Area (EEA). Whenever we transfer your personal data out of the EEA, we ensure your personal data is handled and protected to a degree similar to that provided in the EEA. This means that we make sure that appropriate safeguards are taken, including any of the following:
- We transfer your personal data to countries that have been deemed, by the European Commission, to provide an adequate level of protection for personal data.
- We use specific contracts approved by the European Commission, which give personal data the same protection it has in the EEA.
- We transfer your personal data to third parties that participate in the Data Privacy Framework recognised by the European Commission as adequate.
Please contact us at [email protected] if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
6. DATA SECURITY
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered, or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors, and other Third Parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
7. DATA RETENTION
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting, or other requirements.
In some circumstances you can ask us to delete your data.
In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
8. YOUR LEGAL RIGHTS
You have the right to:
Request access to your personal data (commonly known as a “data subject access request”). This enables you to obtain confirmation as to whether personal data concerning you is being processed and, where that is the case, to get access to the data and receive a copy of the personal data we hold about you.
Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Object to processing of your personal data where we are relying on a legitimate interest (or those of a Third Party) and there is something about your specific situation which makes you want to object to processing on this ground. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes.
Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
- If you want us to establish the accuracy of your personal data, for the period that enables us to check this.
- Where our use of your personal data is unlawful, but you do not want us to erase it.
- Where you need us to hold your personal data even if we no longer require it as you need it to establish, exercise or defend legal claims.
- You have objected to our use of your personal data, but we need to verify whether we have overriding legitimate grounds to use it.
Request the transfer of your personal data to you or to a Third Party. We will provide to you, or a Third Party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to personal data that we process by automated means based on your consent or to perform the contract we have with you.
Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.
8.1 EXERCISING YOUR RIGHTS
If you wish to exercise any of the rights set out above, please contact us at [email protected].
No fee usually required
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, in accordance with Article 12.5 GDPR, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you within the first 30 days and keep you updated.
9. CONTACT US
If you have any questions about this Privacy Policy, or how we process your personal data, please contact us at [email protected].
You can also write to us at the following address: European Supplier Diversity Program Stichting, Vijzelstraat 68, Spaces Amsterdam, 1017HL Amsterdam, the Netherlands.