The protection of your privacy and your personal data is important to us, and this is a key factor in how we design and implement our activities on the Internet.
Responsibility, Scope of Application
No automated decision-making/profiling is performed.
Handling of Personal Data, Legal Bases of Data Processing
Personal data refers to information that can be used to identify a person, i.e. details that can be traced back to a person. This includes for example the person’s name, e-mail address or telephone number. Personal data is only collected, processed, and used by GLOBALG.A.P. if the user has consented to the data collection or in the event of another permitted circumstance under Applicable Data Protection Law.
If we obtain users’ consent to the processing of personal data, the legal basis for this data processing is Art. 6 (1) a) GDPR. The processing of personal data that we require for the performance of a contract with the user is governed by Art. 6 (1) b) GDPR as the legal basis for the data processing. This also applies to processing events that enable precontractual measures to be performed. If we are required to process personal data in order to comply with a legal obligation, the legal basis is Art. 6 (1) c) GDPR. Further, we may also process personal data if the processing is necessary to protect the vital interests of the user or of another natural person (Art. 6 (1) d) GDPR). If the processing of your personal data is necessary for the purposes of a legitimate interest pursued by us or a third party that is not overridden by the interests, fundamental rights, or fundamental freedoms of the user, the data processing is based on Art. 6 (1) f) GDPR.
Access Data/Server Log Files
GLOBALG.A.P. (or the webspace provider commissioned by GLOBALG.A.P.) collects data about every access to the Websites (known as server log files). The access data includes: name of the webpage or webservice accessed, file, date and time of the access, data volume transferred, any data input, report of successful access, browser type including version, user’s operating system, referrer URL (the page visited previously), IP address, where relevant user name and the requesting provider. GLOBALG.A.P. uses the log data solely for statistical analyses and the purpose of operating, securing, and optimizing the Websites. This data is not merged with other data sources or other personal data about you. The system needs to store the IP addresses temporarily to enable the Websites to be delivered to you. The IP address is stored for the duration of the session for this purpose. Data is saved in server log files to safeguard the functionality of the Websites. The data also helps GLOB-ALG.A.P. to optimize the Websites and safeguard the security of the IT systems. GLOBALG.A.P. further reserves the right to review the log data retrospectively if there are specific indications that justify a suspicion of unlawful use. These purposes represent a legitimate interest of GLOBALG.A.P. in data processing. The legal basis here is Art. 6 (1) f) GDPR.
You may register on our Websites for a variety of purposes. Registration is performed in order to sign up for specific events, training courses/workshops or ex-aminations, to become a member of GLOBALG.A.P., to receive information mail-outs/newsletters, to receive information material (e.g., brochures or posters) or to access the restricted area of our data-base (database.globalgap.org). The latter is only possible for certain users (hereinafter referred to as “Market Participants”). During registration we collect data about you that we need for the specific registration (hereinafter referred to as “Registration Data”). This generally includes information about your title and position, first name and surname, e-mail address, country, and if necessary further information about your company or your birth date for identification purposes and your address and telephone number. The specific data is set out in further detail in the registration form in each case. The legal basis for the processing is Art. 6 (1) b) GDPR in each case.
On registration, in addition to the Registration Data, we store the IP address of our users. This falls within our legitimate interests relating to logging purposes and the prevention of abuse (Art. 6 (1) f) GDPR).
We endeavor to ensure maximum transparency in terms of which Registration Data is accessible to whom. You will find detailed documentation for the Website database.globalgap.org at http://www.globalgap.org/de/documents?q= (Data Access Rules).
We process your Registration Data via Microsoft Dynamics. It cannot be ruled out that in individual cases your Registration Data will be transmitted to the Microsoft Corporation in the USA and processed there. For further information on the processing of personal data by Microsoft, see https://privacy.microsoft.com/en-us/privacystatement. For further information on processing of your data in countries outside the EEA please see the section “Forwarding of Data to Countries Outside the EEA/EU” below.
You can object to the further processing, storage, and use of your Registration Data at any time. However, this may result in a complete deregistration. You may submit your objection either directly via the Website in question or by contacting us at firstname.lastname@example.org.
If you become active in certain cases in committees/specialist groups, we also process personal data, e.g., in the form of participation lists. This is necessary for the performance and documentation of the committees/specialist groups. The legal basis for this is Art. 6 (1) b) and f) GDPR.
To participate in the committees/specialist groups or collaborate on other projects, we may email to certain users, in particular customers or other third parties we work with, a link for sharing content via SharePoint from Microsoft Ireland Operations, Ltd. (hereinafter referred to as “Microsoft”). Further information on Microsoft SharePoint can be found at https://products.office.com/en-us/sharepoint/collaboration. For further information on the processing of personal data by Microsoft, see https://privacy.microsoft.com/en-us/privacystatement. For further information on processing of your data in countries outside the EEA please see the section “Forwarding of Data to Countries Outside the EEA/EU” below. Processing is performed on the basis of your consent to the processing of your personal data pursuant to Art. 6 (1) a) GDPR or Art. 6 (1) b) GDPR, provided data is processed for the purpose of the performance of a contract.
Training Courses/Workshops and Examinations
You can register with us for a range of training courses/workshops or examinations and complete these training courses/workshops and examinations with us. In this case we collect and process the personal data you provide during your registration as well as personal information arising during the completion of the training courses/workshops and examinations, including any video recordings made for monitoring purposes during the respective examination. The legal basis for the processing is Art. 6 (1) b) GDPR in each case.
We endeavor to ensure maximum transparency on the issue of which data is accessible to whom. For example, we deploy specialized service providers for online examinations who support us in conducting online examinations (Art. 28 DSGVO). These service providers may also view recordings of the respective examination candidates made during the examination for the exclusive purpose of monitoring and conducting the examination. In individual cases, e.g., workshops for certification bodies (CB trainings), managers of the respective certification body may access your personal data for the purpose of conducting training courses and evaluating the examinations. As a matter of fact, your examination registrations and results will not be transmitted to unauthorized third parties.
When you contact GLOBALG.A.P. (for instance via contact form, telephone, e-mail or, if you wish, as a follow-up to a contact during a trade fair), your information is stored for the purpose of processing the request as well as for any follow-up queries (legal basis: Art. 6 (1) b) GDPR).
We process such information via Microsoft Dynamics. It cannot be ruled out that in individual cases your data will be transmitted to the Microsoft Corporation in the USA and processed there. For further information on the processing of personal data by Microsoft, see https://privacy.microsoft.com/en-us/privacystatement. For further information on processing of your data in countries outside the EEA please see the section “Forwarding of Data to Countries Outside the EEA/EU” below.
Comments and Posts
If you leave comments on the blog or make other posts, your IP address will be stored. This is done to protect GLOBALG.A.P. in the event that a user includes unlawful content in comments and posts (insults, forbidden political propaganda, etc.). In this case GLOBALG.A.P. may itself face legal action for the comment or post and thus has an interest in the identity of the author for purposes of de-fending the claim or asserting recourse claims or may even be obliged to disclose such information to third parties, courts, or public authorities. GLOBALG.A.P. again has a legitimate interest in such purposes, with the legal basis being Art. 6 (1) c) and f) GDPR. The legal basis here is Art. 6 (1) c) and f) GDPR.
Information Mail-outs, Newsletters
We use our e-mail information mail-outs to large mailing lists, in particular our newsletters on a range of subjects, to inform our consenting users about us, our Websites, our standards, invitations to certain events, workshops or summits/tours, and other activities, as well as news about us or our Websites (hereinafter referred to as “Information Mail-Outs”).If you want to receive Information Mail-Outs, we need you to provide a valid e-mail address. We can perform a process to verify that you are indeed the holder of the specified e-mail address, or that the holder consents to the receipt of the Information Mail-Outs. To do so, we use the “double opt-in procedure”. This involves us sending an e-mail to the specified e-mail address with the request to re-confirm the registration to receive the Information Mail-Outs (e.g., by clicking a link). Additionally, on request you can indicate the specific topics we may inform you about. No further data is collected. This data is only used for sending Information Mail-Outs and is not passed to third parties. The legal basis for the data processing is the user’s consent (Art. 6 (1) a) GDPR, section 7 (2) German Act on Unfair Competition (UWG)).
On registration for one of our Information Mail-Outs, we store your IP address and the date of the registration. This data is stored solely for evidential purposes in the event that a third party misuses an e-mail address and registers to receive Information Mail-Outs without the knowledge of the authorized party. This thus falls within the legitimate interests of us and our users (Art. 6 (1) f) GDPR).
You may revoke your consent to the saving of the data, the e-mail address, and its use for the sending of Information Mail-Outs at any time with future effect. The revocation may be performed via a link in the Information Mail-Outs themselves or a notification to us, as described in further detail in the section “Rights of Data Subjects”.
We process your data in connection with Information Mail-Outs via Microsoft Dynamics. It cannot be ruled out that in individual cases your Registration Data will be transmitted to the Microsoft Corporation in the USA and processed there. For further information on the processing of personal data by Microsoft, see https://privacy.microsoft.com/en-us/privacystatement. For further information on processing of your data in countries outside the EEA please see the section “Forwarding of Data to Countries Outside the EEA/EU” below.
In addition, we may conduct online‑surveys on the basis of your respective consent with the aid of Microsoft Forms, a service of Microsoft, with whom we have entered into a data-processing agreement. The surveys may be disseminated in a number of ways (via hyperlink, QR code, embedding in a website or Sway, or sent by e-mail). Processing is performed on the basis of your consent to the processing of your personal data pursuant to Art. 6 (1) a) GDPR or Art. 6 (1) b) GDPR, provided data is processed for the purpose of the performance of a contract.
Further information on Microsoft Forms can be found at https://support.office.com/de-de/forms. It cannot be ruled out that in individual cases your data will be transmitted to the Microsoft Corporation in the USA and processed there. For further information on the processing of personal data by Microsoft, see https://privacy.microsoft.com/en-us/privacystatement. For further information on processing of your data in countries outside the EEA please see the section “Forwarding of Data to Countries Outside the EEA/EU” below.
On registration we enable any fees payable (e.g., for events) to be paid online, depending on the specific offering. Similarly, all invoices from GLOBALG.A.P. can be paid online using a credit card. The data required to initiate the online payment is strictly separated from the registration data. If you opt for online payment, the data you input including the intended use and the sum to be transferred for the online payment is not saved directly by us, but forwarded straight to BS Payone GmbH for payment verification and initiation of the payment process. BS Payone GmbH only transfers minimal information about the payment procedures to us (e.g., allocation to invoice number and status of the payment transaction). BS Payone GmbH is therefore responsible for processing and storing personal data in connection with an online payment. This serves the purpose of performing a contract between you and us and thus falls within the legitimate interests of us both (Art. 6 (1) b) and f) GDPR). The data protection provisions of BS Payone GmbH can be accessed here.
We offer a portal that can be used as a certification body administration tool (hereinafter referred to as “CB‑AT”, accessible at https://cb-at.powerappsportals.com/). At the CB‑AT, registered users can manage and track their approval status. The following functions are amongst others available for users:
- Register user’s inspectors/auditors
- Assign modules to user’s inspectors/auditors
- View the modules assigned to inspectors/auditors
We use the CB‑AT amongst others to:
- Track and evaluate the qualifications of the user’s inspectors/auditors
- Maintain the approval status of the user’s inspectors/auditors
To register into CB‑AT, users will have to receive an e-mail from email@example.com with an invitation code that the users have to enter into the registration mask at the CB‑AT Website. We process any personal data that you share with us registering for and using the CB‑AT. This may include contact information such as your full name, address, e-mail address, your contacts amongst other registered users, your assigned modules, working language(s), phone number, and qualification records required for approval and maintenance of your GLOBALG.A.P. inspector/auditor status. The legal basis for the processing is Art. 6 (1) b) GDPR in each case. The data is used to offer the above described services of the CB‑AT.
The CB‑AT is run via tools from Microsoft Office 365 (SharePoint and Dynamics). It cannot be ruled out that in individual cases your data will be transmitted to the Microsoft Corporation in the USA and processed there. For further information on the processing of personal data by Microsoft, see https://privacy.microsoft.com/en-us/privacystatement. For further information on processing of your data in countries outside the EEA please see the section “Forwarding of Data to Countries Outside the EEA/EU” below.
On our Websites we may publicize adverts for vacancies in our company or at our subsidiary in the USA (GLOBALG.A.P. North America Inc.). Responsibility for filling the vacancies and processing the respective applications lies with the company to which you make the specific application.
If you submit an application to us or to the company in the USA, the respective company will process the information and documents submitted along with the personal data included therein, such as name, address, e-mail address, telephone number, information about professional development/resumé, references, or other information that you communicate to that company in the course of your application (section 26 (1) BDSG). Prior to appointment, this consists of the verification of personal data (name, date of birth, place of birth, nationality) of the applicants short-listed following the application process against entries on blacklists, such as in particular the EU terrorist list pursuant to the EU anti-terror regulations. The purpose of this is first to enter into a contract of employment with these applicants and second the compliance with a legal obligation to which we are subject (Article 6 (1) c) GDPR), because statutory provisions prohibit financial benefits, including the payment of a salary, being paid to persons who are included on such blacklists.
If we forward your application to the company in the USA, we do so in accordance with Art. 49 (1) 1b) GDPR at your request to enter into/initiate an employment contract with the subsidiary. The submission of application documents including personal data is necessary for the performance of the application process.
You are obliged neither under statute nor contractually to provide personal data for application purposes. However, if you supply no information about yourself, your application cannot be processed.
Transmission to Third Parties
We will only disclose your personal data to third parties if you have provided your consent or in the event of another permitted circumstance in accordance with the Applicable Data Protection Law. These include in the first instance service providers commissioned by us who support our business operations (Art. 28 GDPR). This covers e.g. webspace providers for the operation of our Websites or the forwarding of invoicing or tax-relevant information to service providers for the purposes of invoicing and accounting or controlling. In these cases, however, the scope of the transmitted data will extend only to the minimum required to achieve the purposes pursued via the data processing. If you register for an event or training course/workshop on our website, we transmit the information you submit on registration to the organizations and companies we work with on running the respective event or training course/workshop (Art. 6 (1) b) GDPR).
If we are legally obliged to disclose specific personal data on the basis of a judicial decision or following a request for information from law-enforcement or supervisory authorities or authorized third parties in conjunction with investigatory proceedings or the suspicion of a criminal act, an unlawful act, or other acts that may give rise to legal liability for you or us, we will disclose the data required for the investigation, such as name, address, e-mail address, or other relevant information (Art. 6 (1) c) GDPR). Similarly, we reserve the right to process and use users’ personal data to enforce or defend against claims.
Forwarding of Data to Countries Outside the EEA/EU
Integration of Third-party Content and Services
Third-party content, such as YouTube videos, RSS feeds, or graphics from other websites, may be integrated into these online offerings. This usually assumes that the providers of this content (hereinafter referred to as “Third-Party Providers”) will be aware of the users’ IP address. This is because they would not be able to transmit the content to the browser of the user in question without the IP address. The IP address is therefore necessary in order to display this content. We endeavor only to use such content where the respective provider solely uses the IP address to deliver the content. At the same time, we have no influence over whether the Third-Party Providers use the IP address e.g., for statistical purposes. Where we are aware of this, we will notify the users accordingly. The use of enhanced presentation options for information purposes and to optimize your user experience is within our mutual legitimate interest (Art. 6 (1) f) GDPR).
Further information about the use of YouTube videos can be found below.
Videos are shown on our webpages via the provider YouTube. These are operated by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA (hereinafter referred to as “YouTube”). If a webpage containing such a button (identifiable by the YouTube icon in the lower right of the video preview) is accessed and you activate the corresponding content (Art. 6 (1) a) GDPR), your browser creates a direct connection with the YouTube servers. The showing of videos within our Websites is further a legitimate interest of ours and yours (Art. 6 (1) f) GDPR). YouTube transmits the content of the YouTube button directly via your browser and is integrated into the webpage. We have no further influence over the data that YouTube collects via the button. It is likely that your IP address is recorded and cookies are set, among other things.
We store cookies on our users’ hard drives unless they actively block them. The legal basis for set-ting cookies which are necessary for the technical operation of our website and providing the services required by the user is Art. 6 (1) f) GDPR. If you give us your prior consent, we may also use tracking/analysis cookies within the framework of our Websites. The legal basis in these cases is Art. 6 (1) a) GDPR.
This processing is done only subject to your prior consent. Thus, the legal basis for this processing is Art. 6 (1) a) GDPR). The information generated by the cookies about the use of these Websites is stored on the servers of Piwik PRO or service providers commissioned by them in Europe. The IP address is anonymized immediately after processing and before saving. The information generated by Piwik PRO is not used to identify the user of these Websites personally and is not merged with other personal data of the user.
You can prevent the installation of the cookies by making a corresponding setting in your browser software. However, GLOBALG.A.P. refers users to the fact that in this case they may not be able to use the full functionality of this website. For further information about this topic, see https://piwik.pro/privacy-policy/.
Limited Use of Social Plugins on Integration with the Shariff Solution
On our websites we use buttons from social networks, known as social plugins (hereinafter referred to as “Plugins”), as explained in further detail below. These enable you to perform actions related to the contents of our Websites. The legal basis for the provision of the Plugins on our Websites is our overriding legitimate interest, established by a balancing of interests, in a user-focused design of our Websites and the optimum marketing of our product range (Art. 6 (1) f) GDPR).
If you are registered with the respective social network and are logged in, you can communicate directly with the social network. To enhance the protection of users’ personal data when visiting our Websites, integration of the Plugins into the Websites only occurs to a limited extent via an HTML link of the c’t “Shariff” project. This guarantees that simply accessing our Websites that contain such a Plugin does not create a connection to the servers of the provider of the social network. A Plugin only creates a direct link to the specific provider of the social network when activated by a user, e.g. by clicking a button such as the Facebook “Share” button, and thus enabling the provider of the social network to collect data about you via the Plugin. This opens a new window in your browser and launches the page of the provider of the social network, where you can click the button. For further information about the c’t “Shariff” project, visit the website of Heise Medien GmbH & Co. KG (https://www.heise.de/ct/ausgabe/2014-26-Social-Media-Buttons-datenschutzkonform-nutzen-2463330.html).
If you activate the Plugins by clicking them, you hereby declare your express consent to transmission of data to the provider of the social network you have selected. On activation, your server connects to the provider of the social network you have selected. As a result, you share details of the website you accessed in accordance with the actions you carry out there (for instance after a prior logon or confirmation of the sharing of your recommendation within the social network in question).
In each case, any consent for a transfer of data only relates to the provider of the specific social network selected and the specific website that is opened. As far as we are aware, when you activate of the Plugin of the provider of the respective social network by actively clicking on our Websites, the provider of the social network will set cookies and your IP address will be transmitted to it. The provider of the social network will also be notified that you have accessed the page in question as well as the time and date of your visit. This enables the respective provider of the social network to create usage profiles, potentially also regarding other websites visited. The provider of the social network may also receive information about the browser and operating system you use.
If the user is logged on to the social network while using our Websites, the possibility that the provider of the social network may assign the visit to the user’s account with the social network cannot be excluded. When users interact with the Plugins, for instance by clicking a share button or posting a comment, the corresponding information is transmitted from the user’s browser directly to the social network and saved there. As the provider of this site we are not informed about the content of the data transferred or its use by the social network.
If a user is a member of a social network and does not want the network to collect data about him via these Websites and link it to the membership data saved on the social network, he needs to log out of the social network prior to visiting the Websites. Similarly, it is generally possible to block Plugins using add-ons for your browser, for example using the “NoScript” script blocker (http://noscript.net/).
Specifically, the following Plugins are integrated into our Websites using the Shariff solution.
Facebook Social Plugins
Users can also completely prevent the loading of the Facebook Plugins via browser add-ons using “Facebook Blocker”, e.g., for Mozilla Firefox: https://addons.mozilla.org/de/firefox/addon/facebook-blocker/ or for Opera: https://addons.opera.com/de/extensions/details/facebook-blocker/?display=en.
Twitter Social Plugins
LinkedIn Social Plugins
Instagram Social Plugins
Additionally, Plugins of the social network Instagram, operated by Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland, a subsidiary of Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (hereinafter referred to as “Instagram”) are integrated into our Websites. For information about the purpose and scope of the data collection and the further processing and use of the data by Instagram, as well as your rights in this regard and configuration options to protect your privacy, refer to the Instagram data policy: https://help.instagram.com/
Alongside our Websites, we also maintain a dedicated presence on Facebook (hereinafter referred to as “Company Page”) and our webpages may contain links to this Company Page. When you access the Company Page, Facebook processes personal data, which is even possible if you are not logged on to Facebook when the page is accessed. However, Facebook provides us with detailed statistics, which consist of summarized information relating to the use of our Company Page on Facebook. These statistics enable us to identify for example how often or by how many unique users the Company Page and individual posts on this page are accessed or e.g. rated. However, the statistics do not permit us to identify which specific persons have visited the Company Page or accessed or rated individual posts. As is generally the case with Facebook, however, the Company Page shows which Facebook user has rated or commented on a post.
Rights of Data Subjects
You have the following rights:
- the right to request confirmation of whether personal data relating to you is being processed and details of this data and any additional information and a copy of the data (Art. 15 GDPR);
- the right to request the completion of incomplete personal data or the rectification of incorrect personal data (Art. 16 GDPR);
- under Art. 17 GDPR, the right to request that personal data be deleted immediately, or, if need be under Art. 18 GDPR, that the data processing be restricted (if this data is subject to statutory retention periods, we will block it for the duration of the retention period);
- the right to receive, or have transmitted to a third party, the relevant personal data that you have provided to us and that we process in an automated manner on the basis of your con-sent or in the performance of a contract. The data will be provided in a machine-readable format. If you request the direct transfer of the data to a different controller, this will only be done if it is technically feasible (Art. 20 GDPR).
- the right to object at any time to the processing of personal data processed by us on the basis of a legitimate interest of ours (Art. 6 (1) f) DGSVO), pursuant to Art. 21 GDPR; and
- the right to withdraw any consents granted pursuant to Art. 7 (3) GDPR with future effect. This will not affect the lawfulness of any processing performed on the basis of such consent up to the revocation.
We will notify any recipients to whom we have disclosed your personal data about any correction or erasure of the personal data or restriction of the processing, unless this turns out to be impossible or would involve disproportionate effort.
You can assert the above rights against us, e.g., by notifying us by mail or e-mail to firstname.lastname@example.org.
That notwithstanding, you have the right to submit a complaint to the competent supervisory authority (Art. 77 GDPR).
Duration of Data Storage
In consideration of the applicable provisions under data-protection law, we will delete the stored personal data about you without any action on your part if there is no longer a need for the information to be known to perform the purpose associated with the storage or if the storage of the data is not permitted for other legal reasons. In some cases provided for by law (e.g., statutory retention obligations), your data may be blocked instead of deleted.
In the case of job applications, application documents will be deleted or blocked in accordance with the following measures and any personal data provided in hard copy returned to the applicant. If applicants have only applied for a specific advertised job, their application data will be stored until the final decision about the appointment to the post is made plus a maximum of six months from the notification of this decision.
Accordingly, the data or documents provided by the applicants will be deleted in a manner compliant with data protection regulations. Only where an application results in an employment relationship being entered into or if a statutory provision permits further storage of this data by way of exception will this not apply; in this case, the application data will be processed to permit the employment relationship to be executed or stored for longer periods in accordance with the statutory stipulations and, if a statutory stipulation so permits, processed and used (section 26 (1) BDSG and/or Art. 6 (1) b) and f) GDPR). In this case, we will notify the applicant before the specific act of saving, processing, or using their personal data in accordance with the applicable provisions of data-protection law, provided they are not already in possession of this information.
Contact Details of the Data Protection Officer
Sachverständigenbüro Mülot GmbH
Grüner Weg 80
Telefon: + 49 2571-5402-0