- About Us
- How We Work
- Our Insights
October 15, 2018
BSR (Business for Social Responsibility) places great importance on security of your personal data and only partners with vendors that adhere to the strictest security and data protection standards. BSR has implemented technical and organizational security measures to guarantee the security of your personal data. Information is stored on secure networks and access is restricted to those employees and partners who are entitled to access our systems.
The Data Controller:
Business for Social Responsibility
220 Montgomery Street, 17th floor
San Francisco, CA 94104 USA
If you have any questions or concerns about BSR’s personal data practices or your privacy rights, you may contact us at email@example.com.
In accordance with the European Union (EU) General Data Protection Regulation (“GDPR”), BSR has appointed a representative within the EU for all contact with European Authorities:
Business for Social Responsibility NORDIC ApS
Vester Voldgade 6 - 8, 2nd to the right
DK-1552 Copenhagen V
As a global nonprofit organization, BSR complies with data protection legislation and guidelines in all countries where it has locations. BSR has therefore chosen to work only with IT vendors who participate in and have certified compliance with the EU–U.S. Privacy Shield Framework and are committed to subjecting all personal data received from EU member countries, in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles, or have taken other measures to comply with GDPR as mentioned below, under chapter VII. To learn more about the Privacy Shield Framework, you may visit the U.S. Department of Commerce’s Privacy Shield List.
BSR collects personally identifiable information in the following ways:
When a company joins as a member of BSR or subscribes to our BSR Mailing list, we collect business contact data in the form of the following data from you:
All personal data collected will only be used to process your membership application and send you product information and occasional special offers or announcements from selected BSR partners, if you have subscribed to the BSR Mailing List. We do not sell personal data to anyone and only share it with third parties who are facilitating the delivery of BSR services.
We rely on fulfillment of contract as the lawful basis under GDPR Article 6(1)(b) for the processing of member and client data.
BSR is always looking for new employees, and we are always pleased to receive solicited job applications. If you wish to apply for a position with us, please apply directly through our website. Email resume attachments will not be considered.
When you submit your application for employment with BSR, we process your personal data in accordance with applicable personal data regulations. This implies that:
BSR has ensured that applicants have expressly authorized personal information to be transmitted to BSR for position consideration. Access to this personal data is restricted to relevant employees within BSR only.
BSR stores employee details and performance data with security-cleared data processors, who are assisting us with these HR services. Your personal data are stored on secure servers in the United States.
Any personal data received from you with your application will only be used for the purpose of processing your application and will not be disclosed, except to BSR’s security-cleared data processors in connection with the recruitment procedure.
We rely on fulfillment of contract to which the applicant is party or in order to take steps at the request of the applicant prior to entering into a contract as the lawful basis under GDPR Article 6(1)(b) for the processing of Human Resources Data.
Individuals within companies provide their corporate information to register for an event. During Conference and event registration, where information is voluntarily provided during event signup, we collect the following information from you:
BSR events may be photographed and/or video/audio recorded for the purpose of reflecting the events in BSR publications and on the BSR website. We focus our efforts solely on the key note speakers and other voluntary participants from the audience, as well as the audience as a whole.
We rely on legitimate interest as the lawful basis under GDPR Article 6(1)(f) for the processing of Events and BSR Conference Data.
In general, website visitors do not need to provide personalized information to BSR. We do collect "aggregate data," that is, group data with no personal identifiers. We use this aggregate data to help us understand how the site is being used and to improve its usability. We also use it to enhance the quality and availability of products and services we offer.
We also, with explicit permission, use aggregate data from online surveys you choose to fill out for research and publication purposes.
If personal data is provided, and retained, it is only name, business contact email, and business contact phone number, which allow BSR to contact the visitor at his or her organization. BSR solely holds the information and engages in no contact-sharing program with other organizations.
Many websites create Cookies (small text files) when a user visits a website, and these Cookies are used to analyze aggregate user behavior on a website. In compliance with the EU ePrivacy Directive, BSR websites ask permission of the visitor prior to setting Cookies. Should the visitor agree, BSR’s server will only collect the following information:
In addition, where this is available, BSR will also collect:
When it comes to Cookies, we rely on consent given as the lawful basis under GDPR Article 6(1)(a).
When you send an inquiry to us through our contact form, we use the personal data that you have stated in the contact form to answer you. Any personal data received from you will not be used for any other purpose without your prior consent and knowledge and will not be disclosed.
We rely on a legitimate interest as the lawful basis under GDPR Article 6(1)(f) for the processing of data in connection to inquiries.
In order to ensure that the services we offer meet your requirements, we may ask for your feedback in form of surveys and polls. Any feedback received from you will only be used for the purpose of improving our services and will not be disclosed.
We rely on your consent as the lawful basis under GDPR Article 6(1)(a) for the processing of data in connection with surveys.
If we contact you to perform stakeholder interviews, any personal data received from you will not be used for any other purpose without your prior consent.
BSR’s use of ecommerce is limited to registration for a limited number of events each year. Individuals within companies provide their corporate information to register for an event. We use the data collected in order to process billing and orders for products/services you choose to purchase on our website.
We rely on fulfillment of contract as the lawful basis under GDPR Article 6(1)(b) for the processing of eCommerce Data.
In some cases, we collect your personal data from third parties:
We receive a limited amount of data via lead generation programs. Contacts can change email preferences at any time and opt-out by following the links included in BSR emails for this purpose.
When you purchase services from us, we request you to state your payment card details (name on card, billing address [street address/city/state/country], card type [e.g. Visa], card number, expiration date, security code). We are using a secure third party to manage transactions and ecommerce payment processing.
Your payment information will be stored as long as the third party is entitled or obliged to store it pursuant to legislation. Read more about this directly with the third party.
We will store your personal data until these are no longer necessary for us to process. In certain situations, it may be difficult to envisage an exact period, but the below paragraphs list our periods for the processing of your personal data.
In general, if we have reason to store your personal data as part of the protection of our legitimate interests, including, for example, legal disputes, we reserve our right to store your personal data for an extended period and minimum until the legal dispute has been determined.
We do not rent or sell personally identifiable information with other individuals or organizations.
However, we may transfer your personal data to third parties when it is necessary in order to provide you with our service. Third parties shall mean:
When we transfer your personal data to business partners, you should be aware that they might have stored personal data concerning you collected by other means, e.g. if you have been in contact with them in another context.
We also transfer your personal data to the above or other third parties if we are obliged to do so according to legislation or in order to protect our or the group’s interests in legal disputes.
BSR partners with a security-cleared data processor to store files and data on secure servers. This data processor has self-certified under the EU-U.S. Privacy Shield Framework and thereby guarantees an appropriate standard of data protection and operates to an appropriate standard of data security.
All data is accessed via secure connections in the United States.
In spite of our efforts to establish a secure environment for the website, you should be aware that no information is completely secure on the internet. Therefore, you should always take the necessary safeguards on your own equipment.
You have the right of access to the personal data we are processing concerning you, as well as to have your personal data updated, rectified, or erased, or to obtain a copy of your personal data. All requests shall be made in writing to firstname.lastname@example.org.
BSR partners with various IT vendors and from time to time. This will result in a transfer of personal data to a third country or international organization.
In order to ensure a sufficient level of security for such transfer in accordance with the GDPR, BSR has chosen to work only with vendors that:
A copy of the Standard Contractual Clauses can be obtained by contacting email@example.com.
If you want to lodge a complaint over our processing of your personal data, please contact us directly. If we cannot help you, you can lodge a complaint to the national Data Protection Authority.