Introduction
Business for Social Responsibility (“BSR”) places great importance on the security of your personal data. BSR has implemented technical and organizational security measures to secure your personal data. Additionally, BSR only partners with vendors that adhere to the strictest security and data protection standards. Information is stored on secure networks and access is restricted to those employees and partners who are entitled to access our systems.
This Data Protection and Privacy Policy (the “Policy”) outlines the personal data we collect about you when you visit our website (the “Website”) or use our services (the “Services”). It explains when and why we collect this data, how we use it, under what circumstances we disclose it to third parties, and how we protect it.
Please read the Policy thoroughly to understand how we process your personal data.
The Data Controllers:
Business for Social Responsibility
220 Montgomery Street, 17th floor
San Francisco, CA 94104 USA
Association Business for Social Responsibility
1 rue Saint-Georges
75009 Paris, France
Business for Social Responsibility, NORDIC ApS
Vester Voldgade 6-8, 2nd to the right
DK-1552 Copenhagen V
Denmark
If you have any questions or concerns about BSR’s personal data practices or your privacy rights, you may contact us at gdpr@bsr.org.
In accordance with the European Union (EU) General Data Protection Regulation (“GDPR”), BSR has appointed a representative within the EU for all contact with European Authorities:
Business for Social Responsibility NORDIC ApS
Vester Voldgade 6 - 8, 2nd to the right
DK-1552 Copenhagen V
Denmark
I. Executive Summary
As a global nonprofit organization, BSR is committed to adhering to all applicable data protection laws. A complete list of BSR’s offices can be found here: https://www.bsr.org/en/about/contact.
BSR only works with vendors who participate in and have certified compliance with the EU–U.S. Data Privacy Framework and are committed to subjecting all personal data received from EU member countries, in reliance on the EU-U.S. Data Privacy Framework, to the Framework’s applicable Principles, or have taken other measures to comply with GDPR.
BSR also complies with the EU ePrivacy Directive, including the requirement for website operators to obtain users’ consent prior to creating Cookies. See BSR’s Cookie Policy for more details.
II. How We Collect and Use Your Personal Data
BSR collects personally identifiable information in the following ways:
Member and Client Data
When a company joins as a member of BSR or subscribes to our BSR Mailing list, we may collect business contact data including but not limited to:
- First and last name
- Job title
- Company name
- Work email address
- Phone number
- Area of interest (e.g. sustainability, climate etc.)
- Town/city/state
- Country
All personal data collected will only be used to process your membership application, include you as a contact in our customer relationship management platform, and provide relevant services. BSR may also send you product information and occasional special offers or announcements from selected BSR partners, if you have subscribed to any BSR mailing list. We do not sell personal data to anyone and only share it with third parties who are facilitating the delivery of BSR services. If you have any questions about any specific data that has been collected, you can reach out to gdpr@bsr.org.
We rely on fulfillment of contract and legitimate interest as the lawful basis under GDPR Article 6(1)(b) and 6(1)(f) for the processing of member and client data.
Human Resources Data
BSR is always looking for new employees, and we are always pleased to receive solicited job applications. If you wish to apply for a position with us, please apply directly through our website. Email resume attachments will not be considered.
When you submit your application for employment with BSR, we process your personal data in accordance with applicable personal data regulations. This implies that:
- Your personal data will be treated confidentially
- We only use your personal data for recruitment purposes
- We do not disclose your personal data, except for the data processors we use in our recruitment procedure.
BSR has ensured that applicants have expressly authorized personal information to be transmitted to BSR for position consideration. Access to this personal data is restricted to relevant employees within BSR only.
BSR stores employee details and performance data with data processors, who are assisting us with these HR services. Your personal data are stored on secure servers.
Any personal data received from you with your application will only be used for the purpose of processing your application and will not be disclosed, except to BSR’s data processors in connection with the recruitment procedure.
We rely on data subject consent, contract fulfillment or necessary pre-contract steps, and/or legitimate interests as outlined in Article 6 (1)(a), 6(1)(b), and 6(1)(f) of the GDPR for lawful processing of Human Resources Data.
Events
Individuals within companies provide their corporate information to register for an event. During Conference and event registration, where information is voluntarily provided during event signup, we collect the following information from you:
- First and last name
- Job title
- Company
- Work e-mail address
- Phone number
- Area of interest (e.g. sustainability, climate etc.)
- Town/city/state
- Country
BSR events may be photographed and/or video/audio recorded for the purpose of reflecting the events in BSR publications and on the BSR website. We focus our efforts on the keynote speakers and other voluntary participants from the audience, as well as the audience as a whole.
We rely on legitimate interest as the lawful basis under GDPR Article 6(1)(f) for the processing of Events and BSR Conference Data.
Website Visitors’ Data, Cookies, and Web Beacons
In general, website visitors do not need to provide personalized information to BSR. We do collect "aggregate data," that is, group data with no personal identifiers. We use this aggregate data to help us understand how the site is being used and to improve its usability. We also use it to enhance the quality and availability of products and services we offer.
We also, with explicit permission, use aggregate data from online surveys you choose to fill out for research and publication purposes.
If personal data is provided, and retained, it is only name, business contact email, and business contact phone number, which allow BSR to contact the visitor at his or her organization. BSR solely holds the information and engages in no contact-sharing program with other organizations.
Many websites create Cookies (small text files) when a user visits a website, and these Cookies are used to analyze aggregate user behavior on a website. In compliance with the EU ePrivacy Directive, BSR websites ask permission of the European visitors prior to setting Cookies. Should the visitor agree, BSR’s server will only collect the following information:
- The visitor’s IP address (including the domain name associated with the IP address, i.e. using reverse look-up).
- The date and time of the visit to the website.
- The pages visited on the website.
- The browser being used.
In addition, where this is available, BSR will also collect:
- The country from which the visitor is accessing the website (only the ending is saved, e.g., de, since this indicates the relevant country).
- The language of the browser being used.
- The website from which the visitor is accessing the BSR website.
- The search word used (if the site is accessed via a search engine).
- The type of connection and operating system.
We only use this data to improve the visitor’s website experience. Please review our Cookie Policy to learn more about how we use Cookies.
When it comes to Website Visitors’ Data and Cookies, we rely on consent given as the lawful basis under GDPR Article 6(1)(a).
BSR also uses Web Beacons. As such our emails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit us, for example, to count users who have visited links or opened an e-mail and for other related statistics about our website (for example, recording the popularity of certain services and content; and verifying system and server integrity).
When it comes to Web Beacons we rely on fulfillment of contract and legitimate interest as the lawful basis under GDPR Article 6(1)(b) and 6(1)(f).
If you prefer not to receive email communications from us or do not wish to have information collected via web beacons, you can choose to unsubscribe at any time by clicking the “Unsubscribe” link at the bottom of our emails. Once unsubscribed, you will no longer receive non-essential communications from us.
Please note that even if you opt out of marketing emails, we may still send you transactional or administrative messages related to your account or the services.
Inquiries
When you send an inquiry to us through our contact form, we use the personal data that you have stated in the contact form to answer you and analyze the aggregated data to better serve you. Any personal data received from you will not be used for any other purpose without your prior consent and knowledge and will not be disclosed.
We rely on a legitimate interest as the lawful basis under GDPR Article 6(1)(f) for the processing of data in connection to inquiries.
Surveys
To ensure that the services we offer meet your requirements, we may ask for your feedback in the form of surveys and polls. Any feedback received from you will only be used for the purpose of improving our services. Feedback may be disclosed in a general form that is not attributed to individuals.
We rely on your consent as the lawful basis under GDPR Article 6(1)(a) for the processing of data in connection with surveys.
Interviews
If we contact you to perform stakeholder interviews, any personal data received from you will not be used for any other purpose without your prior consent. However, interview content will be aggregated and analyzed to produce general findings that are not attributed to any individuals.
eCommerce
BSR’s use of ecommerce is limited to registration for a limited number of events each year. Individuals within companies provide their corporate information to register for an event. We use the data collected to process billing and orders for products/services you choose to purchase on our website.
We rely on fulfillment of contract as the lawful basis under GDPR Article 6(1)(b) for the processing of eCommerce Data.
III. Personal Data Collected From Third Parties
In some cases, we collect your personal data from third parties:
We receive a limited amount of data via lead generation programs. Contacts can change email preferences at any time and opt-out by following the links included in BSR emails for this purpose.
IV. Payment Information
When you purchase Services from us, we request you to state your payment card details (name on card, billing address [street address/city/state/country], card type [e.g. Visa], card number, expiration date, security code). We are using a secure third party to manage transactions and ecommerce payment processing.
Your payment information will be stored if the third party is entitled or obliged to store it pursuant to legislation. Read more about this directly with the third party.
V. Duration of Storage
We will store your personal data until we no longer have a legitimate interest or it is no longer necessary for us to process. In certain situations, it may be difficult to envisage an exact period, but the below paragraphs list our periods for the processing of your personal data.
Member and Client Data
- We store member company and client data along with contact information of member companies for the duration of the membership with us and for a period thereafter to allow members to recover accounts if they decide to renew, to analyze the data for our own operations, and for historical and archiving purposes associated with our history as a membership organization. For more information on where and how long your personal data is stored, and for more information on your rights of erasure and portability, please contact our data protection officer at gdpr@bsr.org.
Human Resources
- If you submit an application to us, the application will be stored in order for you to be taken into consideration for any future positions that have any relevance for your profile. If you wish to have your application deleted from our system at any time, you can contact our data protection officer at gdpr@bsr.org.
Events and BSR Conference Data
- As a main rule, information about participation in events is kept for legitimate business purposes.
- BSR member contact information is kept to efficiently engage in current and future services.
- BSR non-member contact information is kept if the contact has opted into any of BSR’s mailing lists or for future business partnership opportunities.
Inquiries
- BSR may retain identifying information after an inquiry is processed for legitimate business purposes. If individual inquiries with identifying information are deleted, the general content of the inquiry may be used later for analysis of our operations and to improve our services.
Surveys
- Stored up to a minimum of five years after receipt. To the extent possible, we will store your feedback in an anonymous form, and we have a long duration of storage in order to maintain and improve our services to members.
In general, if we have reason to store your personal data as part of the protection of our legitimate interests, including, for example, legal disputes, we reserve our right to store your personal data for an extended period and at a minimum until the legal dispute has been resolved.
VI. Transfer of Your Personal Data
We do not rent or sell personally identifiable information to other individuals or organizations.
However, we may transfer your personal data to third parties when it is necessary in order to provide you with our service. Third parties shall mean:
- The various legal entities that are part of BSR’s global operations, including security-cleared data processors/subcontractors who are assisting BSR with IT or other services.
When we transfer your personal data to business partners, you should be aware that they might have stored personal data concerning you collected by other means, e.g. if you have been in contact with them in another context.
We also transfer your personal data to the above or other third parties if we are obliged to do so according to legislation or in order to protect BSR’s interests in legal disputes.
VII. For EU Citizens
File Storage and Security
BSR partners with a security-cleared data processor to store files and data on secure servers. This data processor has self-certified under the EU-U.S. Privacy Framework and thereby guarantees an appropriate standard of data protection and operates to an appropriate standard of data security.
All data is accessed via secure connections.
In spite of our efforts to establish a secure environment for the website, you should be aware that no information on the internet is completely secure. In addition, you should always take the necessary safeguards on your own equipment.
Your Rights
You have the right of access to the personal data we are processing concerning you, as well as to have your personal data updated, rectified, or erased, or to obtain a copy of your personal data. All requests shall be made in writing to gdpr@bsr.org.
Transfer of Personal Data to Third Countries pursuant to GDPR Chapter 5
BSR partners with various vendors to process data. This will result in a transfer of personal data to a Third Country as outlined in GDPR Chapter 5.
In order to ensure a sufficient level of security for such transfer in accordance with the GDPR, BSR has chosen to work only with vendors that:
- have certified compliance with the EU-U.S. Data Privacy Framework, or
- have entered into Standard Contractual Clauses with BSR or
- operate in a country, territory, or specified sector which the European Commission has decided has an adequate level of protection, or
- have implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk
Where applicable a copy of the Standard Contractual Clauses can be obtained by contacting gdpr@bsr.org.
Complaints
If you want to lodge a complaint about our processing of your personal data, please contact us directly. If we cannot help you, you can lodge a complaint with the national Data Protection Authority.
VIII. Changes
We recognize that data protection and privacy is an ongoing responsibility, so we reserve our right to make changes to this Data Protection and Privacy Policy from time to time as we undertake new personal data practices or adopt new privacy policies, etc.