Data Protection and Privacy Policy

Last updated: February 2023

Introduction

BSR (Business for Social Responsibility) places great importance on security of your personal data and only partners with vendors that adhere to the strictest security and data protection standards. BSR has implemented technical and organizational security measures to guarantee the security of your personal data. Information is stored on secure networks and access is restricted to those employees and partners who are entitled to access our systems.

This policy (the “Data Protection and Privacy Policy”) explains which personal data concerning you we collect when you visit our website (the “Website”), when and why we collect the personal data, how we use them, the conditions of our disclosure to third parties, as well has how we secure the stored personal data.

Please read the Data Protection and Privacy Policy thoroughly to understand how we process your personal data.

The Data Controller:
Business for Social Responsibility
220 Montgomery Street, 17th floor
San Francisco, CA 94104 USA

If you have any questions or concerns about BSR’s personal data practices or your privacy rights, you may contact us at gdpr@bsr.org.

In accordance with the European Union (EU) General Data Protection Regulation (“GDPR”), BSR has appointed a representative within the EU for all contact with European Authorities:

Business for Social Responsibility NORDIC ApS
Vester Voldgade 6 - 8, 2nd to the right
DK-1552 Copenhagen V
Denmark


I. Executive Summary

As a global nonprofit organization, BSR complies with data protection legislation and guidelines in all countries where it has locations. BSR has therefore chosen to work only with IT vendors who participate in and have certified compliance with the EU–U.S. Privacy Shield Framework and are committed to subjecting all personal data received from EU member countries, in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles, or have taken other measures to comply with GDPR as mentioned below, under chapter VII. To learn more about the Privacy Shield Framework, you may visit the

U.S. Department of Commerce’s Privacy Shield List.

BSR also complies with the EU ePrivacy Directive, including the requirement for website operators to obtain users’ consent prior to creating Cookies. See BSR’s Cookie Policy for more details. In addition to GDPR, BSR complies with The California Consumer Privacy Act or CCPA. Policies and procedures are in-place to protect the data of California residence data collected by BSR.


II. How We Collect and Use Your Personal Data

BSR collects personally identifiable information in the following ways:

Member and Client Data

When a company joins as a member of BSR or subscribes to our BSR Mailing list, we collect business contact data in the form of the following data from you:

  • First and last name
  • Job title
  • Company
  • Work email address
  • Phone number
  • Area of interest (e.g. sustainability, climate etc.)
  • Town/city/state
  • Country

All personal data collected will only be used to process your membership application and send you product information and occasional special offers or announcements from selected BSR partners, if you have subscribed to any BSR mailing list. We do not sell personal data to anyone and only share it with third parties who are facilitating the delivery of BSR services.

We rely on fulfillment of contract as the lawful basis under GDPR Article 6(1)(b) for the processing of member and client data.

Human Resources Data

BSR is always looking for new employees, and we are always pleased to receive solicited job applications. If you wish to apply for a position with us, please apply directly through our website. Email resume attachments will not be considered.

When you submit your application for employment with BSR, we process your personal data in accordance with applicable personal data regulations. This implies that:

  • Your personal data will be treated confidentially
  • We only use your personal data for recruitment purposes
  • We do not disclose your personal data, except for the data processors we use in our recruitment procedure.

BSR has ensured that applicants have expressly authorized personal information to be transmitted to BSR for position consideration. Access to this personal data is restricted to relevant employees within BSR only.

BSR stores employee details and performance data with security-cleared data processors, who are assisting us with these HR services. Your personal data are stored on secure servers in the United States.

Any personal data received from you with your application will only be used for the purpose of processing your application and will not be disclosed, except to BSR’s security-cleared data processors in connection with the recruitment procedure.

We rely on fulfillment of contract to which the applicant is party or in order to take steps at the request of the applicant prior to entering into a contract as the lawful basis under GDPR Article 6(1)(b) for the processing of Human Resources Data.

Events and BSR Conference Data

Individuals within companies provide their corporate information to register for an event. During Conference and event registration, where information is voluntarily provided during event signup, we collect the following information from you:

  • First and last name
  • Job title
  • Company
  • Work e-mail address
  • Phone number
  • Area of interest (e.g. sustainability, climate etc.)
  • Town/city/state
  • Country

BSR events may be photographed and/or video/audio recorded for the purpose of reflecting the events in BSR publications and on the BSR website. We focus our efforts solely on the keynote speakers and other voluntary participants from the audience, as well as the audience as a whole.

We rely on legitimate interest as the lawful basis under GDPR Article 6(1)(f) for the processing of Events and BSR Conference Data.

Website Visitors’ Data

In general, website visitors do not need to provide personalized information to BSR. We do collect "aggregate data," that is, group data with no personal identifiers. We use this aggregate data to help us understand how the site is being used and to improve its usability. We also use it to enhance the quality and availability of products and services we offer.

We also, with explicit permission, use aggregate data from online surveys you choose to fill out for research and publication purposes.

If personal data is provided, and retained, it is only name, business contact email, and business contact phone number, which allow BSR to contact the visitor at his or her organization. BSR solely holds the information and engages in no contact-sharing program with other organizations.

Many websites create Cookies (small text files) when a user visits a website, and these Cookies are used to analyze aggregate user behavior on a website. In compliance with the EU ePrivacy Directive, BSR websites ask permission of the visitor prior to setting Cookies. Should the visitor agree, BSR’s server will only collect the following information:

  • The visitor’s IP address (including the domain name associated with the IP address, i.e. using reverse look-up).
  • The date and time of the visit to the website.
  • The pages visited on the website.
  • The browser being used.

In addition, where this is available, BSR will also collect:

  • The country from which the visitor is accessing the website (only the ending is saved, e.g., de, since this indicates the relevant country).
  • The language of the browser being used.
  • The website from which the visitor is accessing the BSR website.
  • The search word used (if the site is accessed via a search engine).
  • The type of connection and operating system.

We only use this data to improve the visitor’s website experience. Please review our Cookie Policy to learn more about how we use Cookies.

When it comes to Cookies, we rely on consent given as the lawful basis under GDPR Article 6(1)(a).

Inquiries

When you send an inquiry to us through our contact form, we use the personal data that you have stated in the contact form to answer you. Any personal data received from you will not be used for any other purpose without your prior consent and knowledge and will not be disclosed.

We rely on a legitimate interest as the lawful basis under GDPR Article 6(1)(f) for the processing of data in connection to inquiries.

Surveys

To ensure that the services we offer meet your requirements, we may ask for your feedback in form of surveys and polls. Any feedback received from you will only be used for the purpose of improving our services and will not be disclosed.

We rely on your consent as the lawful basis under GDPR Article 6(1)(a) for the processing of data in connection with surveys.

Interviews

If we contact you to perform stakeholder interviews, any personal data received from you will not be used for any other purpose without your prior consent.

eCommerce

BSR’s use of ecommerce is limited to registration for a limited number of events each year. Individuals within companies provide their corporate information to register for an event. We use the data collected to process billing and orders for products/services you choose to purchase on our website.

We rely on fulfillment of contract as the lawful basis under GDPR Article 6(1)(b) for the processing of eCommerce Data.


III. Personal Data Collected From Third Parties

In some cases, we collect your personal data from third parties:

We receive a limited amount of data via lead generation programs. Contacts can change email preferences at any time and opt-out by following the links included in BSR emails for this purpose.


IV. Payment Information

When you purchase services from us, we request you to state your payment card details (name on card, billing address [street address/city/state/country], card type [e.g. Visa], card number, expiration date, security code). We are using a secure third party to manage transactions and ecommerce payment processing.

Your payment information will be stored if the third party is entitled or obliged to store it pursuant to legislation. Read more about this directly with the third party.


V. Duration of Storage

We will store your personal data until these are no longer necessary for us to process. In certain situations, it may be difficult to envisage an exact period, but the below paragraphs list our periods for the processing of your personal data.

Member and Client Data

  • We store member company data and contact information of member companies for the duration of the membership with us and for a period thereafter to allow members to recover accounts if they decide to renew, to analyze the data for our own operations, and for historical and archiving purposes associated with our history as a membership organization. For more information on where and how long your personal data is stored, and for more information on your rights of erasure and portability, please contact our data protection officer at gdpr@bsr.org.
  • Client data, i.e., data collected due to your subscription to our mailing list, will be erased as soon as possible after your deregistration to a mailing list.

Human Resources

  • If you submit an application to us, your consent is required to store your application data longer than six months after receipt. The application will be stored in order for you to be taken into consideration for any future positions that have any relevance for your profile.

Events and BSR Conference Data

  • As a main rule, information about participation to events and the BSR Conference are deleted as soon as possible after the Conference or event is over, unless BSR has legitimate and exceptional reasons to store the data for a longer period.

Inquiries

  • Stored until six months after completion of processing of your inquiry.

Surveys

  • Stored up to five years after receipt. To the extent possible, we will store your feedback in an anonymous form, and we have a long duration of storage in order to measure our own performance over time.

In general, if we have reason to store your personal data as part of the protection of our legitimate interests, including, for example, legal disputes, we reserve our right to store your personal data for an extended period and minimum until the legal dispute has been determined.


VI. Transfer of Your Personal Data

We do not rent or sell personally identifiable information with other individuals or organizations.

However, we may transfer your personal data to third parties when it is necessary in order to provide you with our service. Third parties shall mean:

  • Undertakings in the BSR Group
  • Business partners
  • Security-cleared data processors/subcontractors, who are assisting us or the group with IT or other services

When we transfer your personal data to business partners, you should be aware that they might have stored personal data concerning you collected by other means, e.g. if you have been in contact with them in another context.

We also transfer your personal data to the above or other third parties if we are obliged to do so according to legislation or in order to protect our or the group’s interests in legal disputes.


VII. For EU Citizens

File Storage and Security

BSR partners with a security-cleared data processor to store files and data on secure servers. This data processor has self-certified under the EU-U.S. Privacy Shield Framework and thereby guarantees an appropriate standard of data protection and operates to an appropriate standard of data security.

All data is accessed via secure connections in the United States.

In spite of our efforts to establish a secure environment for the website, you should be aware that no information is completely secure on the internet. Therefore, you should always take the necessary safeguards on your own equipment.

Your Rights

You have the right of access to the personal data we are processing concerning you, as well as to have your personal data updated, rectified, or erased, or to obtain a copy of your personal data. All requests shall be made in writing to gdpr@bsr.org.

Transfer of Personal Data to Third Countries

BSR partners with various IT vendors and from time to time. This will result in a transfer of personal data to a third country or international organization.

In order to ensure a sufficient level of security for such transfer in accordance with the GDPR, BSR has chosen to work only with vendors that:

  • have certified compliance with the EU-U.S. Privacy Shield Framework, or
  • have entered into Standard Contractual Clauses with BSR.

A copy of the Standard Contractual Clauses can be obtained by contacting gdpr@bsr.org.

Complaints

If you want to lodge a complaint over our processing of your personal data, please contact us directly. If we cannot help you, you can lodge a complaint to the national Data Protection Authority.


VIII. Changes

We recognize that data protection and privacy is an ongoing responsibility, so we reserve our right to make changes to this Data Protection and Privacy Policy from time to time as we undertake new personal data practices or adopt new privacy policies, etc. If such changes are substantial, we will notify you via email, if we have your email address.