Privacy Policy 

GGN Label Portal 

  1. SCOPE 

This privacy policy applies to all personal data collected or processed by GLOBALG.A.P. c/o FoodPLUS GmbH (hereinafter referred to as “FoodPLUS” or “we”) when using the GGN label portal at www.ggn.org (hereinafter referred to as the “GGN Label Portal”). This website (hereinafter referred to as the “Website”) is accessible to everyone (hereinafter referred to as the “User” or “Users”) and provides information about agricultural businesses whose processes are certified to the GLOBALG.A.P. standards (hereinafter referred to as a “Certified Company” or “Certified Companies”) and that are registered on the GGN Label Portal. 

When using any of the websites operated by FoodPLUS – e.g., www.globalgap.org or www.database.globalgap.org – the “privacy policy” by FoodPLUS linked on the respective website applies. 

In this privacy policy, we inform you inter alia about the type, scope, and purposes of the collection, processing, and use of your personal data when visiting or using our GGN Label Portal. This is performed in accordance with the provisions of the European Union General Data Protection Regulation (GDPR) and other applicable (federal and state) data protection legislations (hereinafter referred to jointly as “Applicable Data Protection Law”). 

No automated decision-making/profiling is performed. 

  1. DATA CONTROLLER 

Responsible as the data controller for collecting and processing your data is: 

FoodPLUS GmbH 

Spichernstr. 55 

50672 Cologne, Germany 

Email: info@globalgap.org 

Tel: +49 (0) 221-57776-0. 

 

For questions relating to the processing of your personal data and data protection, please contact our  

Data Protection Officer

HEC Harald Eul Consulting GmbH 

Auf der Höhe 34 

50321 Brühl 

Email: dataprivacy@globalgap.org 

  1. CATEGORIES OF DATA 

We collect and process different categories of personal data depending on how you use our GGN Label Portal. 

When you register as a Certified Company with the GGN Label Portal, we might process your username, password, first name, surname, work mobile phone, work e-mail address, work address, office phone, office fax, and company you work for. If you provide us with additional information such as a photo/avatar, we will also process this information. 

When you contact us through the contact form of the GGN Label Portal, we will process your name, email address, and message. 

Please note that FoodPLUS may receive messages that require translation. In such cases, our employees use translation tools (e.g., Google translator) to process your inquiry. Thus, please ensure that you do not enter personal data into the message field of your inquiry. 

When you contact us by phone, email, in person, or via any other business contact channel, we will collect the information you provide us. Typical data collected is first name and surname, email address, phone, and company you work for, although other types of information provided by you could be collected. 

When you visit our GGN Label Portal as a User to inform yourself about the Certified Companies and our labels, we (or the webspace provider commissioned by FoodPLUS) collect data about every access to the GGN Label Portal/the Website (known as server log files). The access data include the name of the webpage or webservice accessed, file, date and time of the access, data volume transferred, any data input, report of successful access, browser type including version, the User’s operating system, referrer URL (the page visited previously), IP address, and where relevant the username and requesting provider. This data is not merged with other data sources or other personal data about you. The IP address is stored for the duration of the session for this purpose. FoodPLUS further reserves the right to review the log data retrospectively if there are specific indications that justify a suspicion of unlawful use. 

  1. PURPOSE AND LEGAL BASIS FOR PROCESSING 

When you register as a Certified Company, we need to process your personal data to manage and maintain the business relationship, comply with our contractual obligations (that is, to provide you with the service), and comply with our legal obligations under the law. The legal basis for processing your personal data is art. 6 (1) (b) GDPR for the purpose of the performance of a user agreement. If you submit additional data based on your consent, the legal basis for processing is art. 6 (1) (a) GDPR. 

When you place an inquiry with us through the contact form or via any other of our business contact channels, we need to process your personal data to respond to your request, manage and maintain the business relationship, comply with our contractual obligations (that is, to provide you with the service), and comply with our legal obligations under the law. In this regard the legal basis for processing your personal data is art. 6 (1) (b) GDPR. If you submit additional data based on your consent, the legal basis for processing is art. 6 (1) (a) GDPR. 

If you visit our GGN Label Portal/Website as a User to inform yourself about a Certified Company, FoodPLUS uses the log data solely for statistical analyses and for the purpose of operating, securing, and optimizing the GGN Label Portal. The system needs to store the IP addresses temporarily to enable the GGN Label Portal to be delivered to you. Data is saved in server log files to safeguard the functionality of the Website. The data also helps FoodPLUS optimize the GGN Label Portal and safeguard the security of the IT systems. These purposes constitute a legitimate interest of FoodPLUS in data processing. The legal basis here is art. 6 (1) (f) GDPR. Your data for analytical purposes we process with your consent only, in accordance with art. 6 (1) (a) GDPR. You can withdraw your consent at any time with effect for the future. For more information see below under “G Cookies.” 

To the extent we are required to process any of your personal data to comply with a legal obligation, we will process your personal data on the basis of art. 6 (1) (c) GDPR. 

  1. DISCLOSURE TO THIRD PARTIES AND TRANSFERRING OF DATA TO COUNTRIES OUTSIDE THE EEA/EU 

FoodPLUS will receive access to your personal data. Only relevant individuals who are acting within their job description and have a need to know will have access to your personal data. 

In certain cases, third-party providers may be given access to your personal data. We will not disclose your personal data to third parties unless you have provided your consent or another permitted circumstance applies in accordance with applicable data protection law. These third parties include, in the first instance, service providers commissioned by us who support our business operations (art. 28 GDPR). This covers, e.g., webspace or telemedia service providers for the operation and/or maintenance of the GGN Label Portal or the forwarding of invoicing or tax-relevant information to service providers for the purposes of invoicing and accounting or controlling. In these cases, however, the scope of the transferred data will extend only to the minimum data required to achieve the purposes pursued via the data processing. 

We will not share your personal data with local authorities or courts except where we are required to do so by applicable law, a court order, or a legally binding injunction. If we are legally obliged to disclose specific personal data on the basis of a judicial decision or following a request for information from law enforcement or supervisory authorities or authorized third parties in conjunction with investigatory proceedings or the suspicion of a criminal act, an unlawful act, or other acts that may give rise to legal liability for you or us, we will disclose the data required for the investigation, such as name, address, email address, or other relevant information (art. 6 (1) (c) GDPR). Similarly, we reserve the right to process and use Users’ personal data to enforce or defend against claims (art. 6 (1) (f) GDPR). 

Personal data may be transferred in this way to third parties that are domiciled in non-EEA or non-EU countries and where the EU Commission has not established a level of data protection comparable to the EU (e.g., the USA). In this case, prior to transferring we ensure, in compliance with the requirements of art. 44 et seq. GDPR, that an adequate level of data protection is in place at the recipient, in particular by conducting so-called transfer impact assessments, obtaining your consent in advance, or securing specific guarantees from the recipient, in particular the self-certification of a recipient in the US in accordance with the principles of the EU–US Privacy Framework or as well as concluding the so-called EU standard contractual clauses. A copy of suitable guarantees can be obtained on request via the email address of the Data Protection Officer set out at the top of this privacy policy. Further basic information about the participants of the EU–US Privacy Framework can be found here. Basic information about the EU standard contractual clauses can be found here, and information about the adequacy decisions is given here

Furthermore, even when we have concluded standard contractual clauses, we seek to establish further measures that provide an equivalent level of data protection compared to the applicable standards in the EU when personal data is forwarded to third countries (e.g., the USA, South Africa). Such further measures shall be established to accommodate CJEU decision C-311/18 (Schrems II). For further information on this topic please contact our Data Protection Officer via the email address set out at the top of this privacy policy. 

Additional information relevant to the GGN Label Portal Certified Companies: Through the GGN Label Portal, your personal data is available to colleagues at your company registered on the GGN Label Portal. Your personal data is NOT available to other registered and Certified Companies. 

  1. RETENTION PERIODS FOR PERSONAL DATA 

We will deactivate or cancel the registered Certified Company data as soon as appropriate to avoid unauthorized access to information. It is then no longer visible in the GGN Label Portal, and you will no longer receive any new communications. We will delete personal data of those registered Certified Companies after the end of statutory retention obligations if and where applicable. 

In consideration of the applicable provisions under applicable data protection law, we will delete the stored personal data about you without any action on your part if there is no longer a need for the information to be known to perform the purpose associated with the storage or if the storage of the data is not permitted for other legal reasons. In some cases, provided for by law (e.g., statutory retention obligations), your personal data may be blocked instead of deleted. 

  1. COOKIES 

We store cookies on our Users’ hard drives unless they actively block them. Cookies are small text files that permit specific information relating to the device to be stored on the User’s accessing device (PC, smartphone, etc.). Some enhance the user-friendliness of websites and thus aid the User (e.g., by storing login data); some enable the recording of statistical data about website use and the analysis to improve websites or the placement of targeted ads. You can influence how cookies are used. Most browsers have an option that limits or completely prohibits the storage of cookies. However, it should be noted that website performance, and in particular user comfort, may be restricted without cookies. For further information about the use of cookies and how you can deactivate them, see www.youronlinechoices.com.  

The processing of personal data collected using cookies for analytical and marketing purposes is done, and cookies are dropped, subject to your prior consent only. Thus, the legal basis for this processing is art. 6 (1) a) GDPR. You can withdraw your consent at any time with effect for the future. The legal basis for setting cookies for the technical operation of our Website is art. 6 (1) (f) GDPR. 

Further information on which third-party providers we use in this regard can be found in the following. 

YouTube videos: Videos are shown on the GGN Label Portal via the provider YouTube. These videos are operated by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA (hereinafter referred to as “YouTube”). If a webpage containing such a button (identifiable by the YouTube icon in the lower right of the video preview) is accessed and you activate the corresponding content, your browser creates a direct connection with the YouTube servers. YouTube transmits the content of the YouTube button directly via your browser and is integrated into the respective webpage. We have no further influence over the data that YouTube collects via the button. Even though we have turned on the privacy-enhanced mode provided by YouTube to further protect your privacy, it is likely that your IP address is recorded and cookies are set, among other things. Correspondingly, we only process these personal data with your consent (art. 6 (1) GDPR). 

If you are logged on to YouTube as a member, YouTube may allocate information about the webpages accessed and YouTube content to your user account. This may also be the case if you log on to YouTube as a member at another point in time. Further information about the scope and purpose of the data collection and the further use and processing of the data by YouTube as well as your associated rights and configuration options to protect your privacy can be found in the YouTube privacy policy: https://www.youtube.com/intl/en_us/howyoutubeworks/our-commitments/protecting-user-data/#privacy-guidelines 

Google Maps: The GGN Label Portal uses Google Maps API applications. This enables us to display interactive maps directly on the GGN Label Portal and enables you to conveniently use the map function. We use Google Maps to allow Certified Companies to search their location, address and geo-position, translate geo-positions into addresses and addresses into geo-positions. You can view Google’s terms of use here: https://policies.google.com/terms?hl=en. You can find Google’s privacy policy here: https://policies.google.com/privacy?hl=en

Google Translate API: The GGN Label Portal uses Google Translate API to allow registered Users to automatically translate free text input by other Users into their language. The free text fields can be sent to Google for translation if required by another registered Certified Company. Please ensure that you do not enter personal information into the GGN Label Portal free text fields. You can view Google’s terms of use here: https://policies.google.com/terms?hl=en. You can find Google’s privacy policy here: https://policies.google.com/privacy?hl=en

Piwik PRO: The GGN Label Portal uses the web analysis service Piwik PRO from the provider Piwik PRO GmbH (hereinafter referred to as “Piwik PRO”) for the statistical analysis of user access. Piwik PRO may use cookies, tags, IP addresses, and what is known as fingerprinting to enable an analysis of Users’ website use. This may include the collection or processing of the following data: IP address (anonymized), user ID, date and time of the request, title or URL of the page visited, URL of the page visited previously, screen resolution, time zone, files clicked on and downloaded, links clicked to external websites, display speed of the pages, User’s geo-data (country, region, city, approximate longitude and latitude), browser language, user agent of the browser used, randomly assigned one-off user ID, time of a User’s first visit, time of a User’s previous visit, and number of a User’s visits. 

This processing is done subject to your prior consent only. Thus, the legal basis for this processing is art. 6 (1) a) GDPR. The information generated by the cookies about the use of the GGN Label Portal is stored on the servers of Piwik PRO or service providers commissioned by them in Europe. The IP address is anonymized immediately after processing and before saving. The information generated by Piwik PRO is not used to identify the User of the GGN Label Portal personally and is not merged with other personal data of the User. 

You can also prevent the installation of the cookies by making a corresponding setting in your browser software. However, FoodPLUS refers Users to the fact that in this case they may not be able to use the full functionality of this Website. For further information about this topic, see https://piwikpro.de/datenschutz/

Google Ads: We use Google Ads. Google Ads is an online promotional program of Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland. 

Google Ads enables us to display ads in the Google search engine or on third-party websites if the user enters certain search terms into Google (keyword targeting). It is also possible to place targeted ads based on the user data Google has in its possession (e.g., location data and interests; target group targeting). We can analyze these data quantitatively, for instance by analyzing which search terms resulted in the display of our ads and how many ads led to respective clicks. For these purposes of (re-)marketing and targeting, cookies and other technologies are stored on your device. 

This processing is done, and cookies are dropped, subject to your prior consent only. Thus, the legal basis for this processing is art. 6 (1) a) GDPR. You may withdraw your consent at any time with effect for the future.  

You can also prevent the use of the cookies through a corresponding setting in your browser software. The suppression of third-party cookies means that you will not receive any ads from third-party providers. 

It is possible that respective data is transferred to the US. This transfer is based on the standard contractual clauses (SCC) of the European Commission. Details can be found here: https://policies.google.com/privacy/frameworks and https://privacy.google.com/businesses/ 
controllerterms/mccs/. Furthermore, Google is certified in accordance with the “EU–US Data Privacy Framework” (DPF). This agreement between the European Union and the US is intended to ensure compliance with European data protection standards for data processing in the US. Every company certified under the DPF is obliged to comply with these data protection standards. For more information, please see https://www.dataprivacyframework.gov/s/participant-search/participant-detail?contact 
=true&id=a2zt000000001L5AAI&status=Active.  

  1. PROFILES ON SOCIAL MEDIA NETWORKS 

We maintain publicly accessible profiles on various social media platforms. The individual social media platforms we use are listed below. You can access our social media profiles from our Website by clicking on the relevant platform button. These are no social plug-ins, but simple links to our accounts registered on the respective platform. Our social media profiles are intended to present our company and our activities as widely as possible. This is a legitimate interest within the meaning of art. 6 (1) f) GDPR. The analysis initiated by the social media platforms may have different legal bases, which must be specified by the operators of the social media platforms. 

The social media platforms can generally analyze your user behavior when you visit their websites, and visiting our social media profiles triggers various data processing operations. If you are logged in to your social media account and visit our social media profiles, the operator of the social media platforms can assign this visit to your user account. However, your personal data may also be collected if you are not logged in or do not have an account with the respective social media platform. In this case, this data collection takes place, for example, via cookies that are stored on your end device or by collecting your IP address. With the help of the data collected in this way, the operators of the social media platforms can create user profiles in which your preferences and interests are stored. In this way, interest-based advertising can be displayed to you both within and outside the respective social media platform. If you have an account with the respective social media platform, the interest-based advertising can be displayed on all devices on which you are logged in or have been logged in. 

Please also note that we have no control over or insight into the full range of processing operations on the respective social media platforms. Depending on the provider, further processing operations may therefore be carried out. For details, please refer to the terms of use and data protection policies of the respective social media platforms. 

Facebook: We have a profile on Facebook. The provider of this service is Meta Platforms Ireland Ltd (“Meta”), Merrion Road, Dublin 4, Ireland. According to Meta, the data collected is also transferred to the USA and other third countries. You can adjust your advertising settings yourself in your user account on Facebook. Further details can be found in Meta’s privacy policy: https://www.facebook.com/about/privacy/

Instagram: We have a profile on Instagram. The provider of this service is Meta Platforms Ireland Ltd (“Meta”), Merrion Road, Dublin 4, Ireland. According to Meta, the data collected is also transferred to the USA and other third countries. You can adjust your advertising settings yourself in your user account on Instagram. Further details can be found in Meta’s privacy policy: https://privacycenter.instagram.com/policy/

LinkedIn: We have a profile on LinkedIn. The provider is LinkedIn Ireland Unlimited Company (“LinkedIn”), Wilton Place, Dublin 2, Ireland. Details on how LinkedIn handles your personal data can be found in LinkedIn’s privacy policy: https://www.linkedin.com/legal/privacy-policy.  

  1. RIGHTS OF DATA SUBJECTS 

You have the following rights: 

We will notify any recipients to whom we have disclosed your personal data about any correction or erasure of the personal data or restriction of the processing, unless this turns out to be impossible or would involve disproportionate effort. 

You can assert the above rights against us, e.g., by notifying us by post via the contact details described above or by email to dataprivacy@globalgap.org

That notwithstanding, you have the right to submit a complaint to the competent supervisory authority (art. 77 GDPR).  

UNITED STATES SUPPLEMENT 

California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia provide (now or in the future) their state residents with rights to: 

The exact scope of these rights may vary by state. To exercise any of these rights please reach out to the Data Protection Officer at dataprivacy@globalgap.org or by calling toll-free at +1 833 879 8855.  

The California-specific supplement is below in this policy. 

CALIFORNIA 

Additional California privacy terms and rights 

The state of California enacted the California Consumer Privacy Act in 2018 and amended it in 2020 under the California Privacy Rights Act (hereinafter referred to collectively as “CCPA”). Together, the acts afford certain rights to California residents (hereinafter referred to as “Consumers”). This section specifically addresses the rights of California residents under the CCPA. 

  1. Collection categories 

As explained above in this privacy policy, we collect a variety of categories of information, including sensitive personal information, in connection with providing the services. In this section, we explain these categories again specifically in the context of the CCPA. In providing the services on the Website, we collect the following categories of personal information: the person’s name, postal/​mailing address, IP address, unique personal identifier or online identifier, email address or telephone number, and other registration data. 

  1. Information sources 

As explained above, we collect personal information from Consumers themselves directly via our Website, through interactions with our company’s personnel, and through social media, and, in some cases, from service providers. 

  1. Personal information use and sharing for business purposes 

As explained in greater detail above, we use the personal information that is collected for a wide variety of business purposes: 

We disclose and share your personal information for business purposes with only the following categories of third parties: 

  1. Sale of personal information 

We do not engage in any sale of a Consumer’s personal information as that term is defined under the CCPA. 

  1. Sharing of personal information 

The CCPA defines “sharing” as “renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means” personal information. We share your personal information, as described above, with the companies that provide cookies and similar technologies used on our Website. Those companies have access to and might use the personal information gathered through these technologies, which personal information might include an individual Consumer’s IP address. Such uses might include targeted advertising information based on individual internet activity and interests. It is possible that some of the businesses providing marketing services to us might share personal information with their business partners. In addition, some companies that provide services to us might need to access and use customer information as part of providing services to us, and these same companies might use this information for the development of their own business capabilities, not solely for the provision of services to us. 

To notify us of your desire to restrict the use of your personal information by third parties, contact us and submit your request by emailing us at dataprivacy@globagap.org: 

DO NOT SHARE MY PERSONAL INFORMATION 

If you have any questions about submitting your request, please contact us and submit your request by emailing us at dataprivacy@globagap.org or calling toll-free at +1 833 879 8855. 

  1. Your California rights and choices 

The CCPA provides California residents with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights. 

  1. Access to specific information. 

You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request (see the section “Exercising consumer rights” below), we will disclose to you: 

Under the CCPA, you may also request that we disclose certain information to you about our collection and use of your personal information beyond the past 12 months. We, however, may decline to provide that information to you if doing so would require a disproportionate effort on our part. 

  1. Deletion and correction request rights 

You have the right to request that we delete or correct any of your personal information that we collected from you, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see the section “Exercising consumer rights” below), we will delete (and direct our service providers to delete) or correct your personal information from our records, unless an exception applies. 

In the absence of a verifiable consumer request from you, we will retain your personal information as described above, before automatically deleting (and directing our service providers to delete) it. 

We may deny your deletion request if retaining the information is necessary for us or our service providers to: 

  1. The right to opt out – the right to opt out of sharing of personal information 

You have the right to opt out of the sharing of your information with a third party, i.e., to prevent a transfer of information to a third party that is not restricted in certain ways from making use of the information. As we explained above, some of the companies that provide cookies and similar technologies might use personal information for targeted advertising information based on individual internet activity and interests, potentially including the sharing of information with others. You can exercise your right to opt out of the sharing of your information by emailing us at dataprivacy@globagap.org

DO NOT SHARE MY PERSONAL INFORMATION 

  1. Exercising consumer rights 

To exercise the rights described above, please submit a verifiable consumer request to us by one of the following methods: 

Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child. You may make a verifiable consumer request for access or data portability no more than twice within a 12-month period. 

To verify the identity of an individual making a request, a two-step process will need to be completed. 

A verifiable consumer request must do the following: 

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. 

Making a verifiable consumer request does not require you to create an account with us. Any personal information provided in a verifiable consumer request will not be used for any other purpose than to verify the requestor’s identity or authority to make the request. 

  1. Response timing and format 

We endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time, we will inform you of the reason and extension period in writing. 

If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. 

Unless otherwise requested, any disclosures we provide will cover no more than the 12-month period preceding receipt of the verifiable consumer request. Where applicable, the response we provide will also explain the reasons we cannot comply with a request. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance. 

We do not charge a fee to process or respond to your verifiable consumer request unless the request is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request. 

  1. Nondiscrimination 

We will not discriminate against you for exercising your CCPA rights. Unless permitted by the CCPA, we will not: 

However, we may offer you certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels. Any CCPA-permitted financial incentive we offer will reasonably relate to your personal information’s value and contain written terms that describe the program’s material aspects. Participation in a financial incentive program requires your prior opt-in consent, which you may revoke at any time. However, we do not currently provide any financial incentives. 

  1. “Shine the Light” disclosure 

We have not shared any personal information with other companies for their direct marketing use within the immediately preceding calendar year. Accordingly, California’s “Shine the Light” law, Cal. Civil Code § 1798.83 to § 1798.84, does not apply to us, and we have not established any mechanism for you to request information on our sharing of information for third parties’ marketing purposes.  

Updates to the privacy policy 

In the course of the ongoing development of our Website, we will also continually modify our privacy policy. Your continued use of the Website following the posting of revised terms of use means that you accept and agree to the changes. Any changes will be communicated on this page in good time. For that reason, our Users should regularly view this page to find out about the current status of the privacy policy. 


 
Manage Consent