Data Protection Notice
amfori is committed to protecting your personal data and to respecting your privacy. amfori collects and further processes personal data pursuant to the Regulation (EU) 2016/679 (hereinafter “GDPR”).
This Privacy Statement provides you with information on data protection, as prescribed by Articles 13 and 14 of the GDPR. More specifically, it explains the purposes of the processing of your personal data, the way we collect and handle personal data provided and ensure their protection, how that information is used and what rights you have in relation to your personal data. It also specifies the contact details of amfori as the responsible data controller with whom you may exercise your rights, as well as the contact details of the Belgian Data Protection Authority.
1. Who is the controller?
The controller is amfori, an international non-profit association (aisbl/ivzw) under Belgian law, registered in the Belgian Register of Legal Entities under the number 0427.557.786.
Registered office: Avenue de Tervueren 270, 1150 Brussels, Belgium
Telephone: +32 (0) 2 741 64 76
E-mail: info@amfori.org; dataprotection@amfori.org
For more information on amfori, please consult our website: https://www.amfori.org
2. Information categorised by data subject type
2.1 When you are an employee of an amfori Member
2.1.1 What personal data do we process?
amfori processes the following categories of personal data:
- Identification data: full name, professional title.
- Contact details: such as e-mail address, telephone number.
2.1.2 Where did we get your personal data?
Personal data is collected from you, or, in some cases, from your employer.
2.1.3 Why do we process your personal data and under what legal ground?
Your personal data is processed for the purposes of client administration, billing administration, expenses management, monitoring Member misbehaviour, informing data subjects (e.g. via newsletter) about amfori activities, trainings and events.
The lawfulness of this processing activity is based on Article 6.1 (f) of the GDPR (‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party’), i.e. client administration, sending invoices, reimbursing expenses, monitoring Member misbehaviour (especially fraud), informing data subjects about amfori activities, trainings and events. You can request more information regarding the legitimate interests pursued by amfori, per e-mail to dataprotection@amfori.org or by letter to amfori (Avenue de Tervueren 270, 1150 Brussels, Belgium) marked for the attention of the amfori Data Protection Coordinator.
2.1.4 Who has access to personal data and what are the categories of recipients of your personal data?
amfori staff
Access to your personal data is provided to the staff members of amfori responsible for carrying out this processing activity and to authorised staff according to the ‘need to know’-principle. Such staff abide by confidentiality agreements.
Recipients
Your data are shared with processors we might need for the performance of our services, middle-office and back-office operations. For information regarding the categories of recipients of your personal data, we refer to Section 3.1 below.
2.1.5 How long do we keep your personal data?
amfori only keeps your personal data for the time necessary to fulfil the purpose of processing.
2.2 When you are a member of the amfori Board of Directors, Member Advisory Council (‘MAC’) or Stakeholder Advisory Council (‘SAC’)
2.2.1 What personal data do we process?
amfori processes the following categories of personal data:
- Identification data: full name, professional title, picture.
- Contact details: such as e-mail address, telephone number.
- When you request the reimbursement of incurred expenses: bank account.
- When you apply for a position in our Board of Directors, we also process:
  - Additional identification data: nationality, postal address.
  - Data derived from the candidate’s application: motivation letter and other documents submitted, including information on education, competencies and language skills, diplomas and certificates, professional experience (including names of previous and current employers, duration of employment, level of responsibility).
  - Personal confirmation of the candidate that he/she was not the subject of a conviction by court decision prohibiting him/her from being a director or manager of a company.
2.2.2 Where did we get your personal data?
Your personal data is collected from you (from your application, submitted by you, or via another way, from you).
2.2.3 Why do we process your personal data and under what legal ground?
Your personal data is processed for the purposes of selecting and appointing new members in our Board of Directors, MAC and SAC, running an efficient governance, and carrying out the corporate housekeeping of amfori (publication of your mandate in the Belgian Official Gazette). Your bank account is processed to reimburse incurred expenses. Your name, title, organisation and picture are published to inform the visitors of our website who is in the amfori Board of Directors, MAC and SAC.
The lawfulness of this processing activity is based on Article 6.1 (f) of the GDPR (‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party’), i.e. selecting and appointing new members in our Board of Directors, MAC and SAC, running an efficient governance, reimbursing incurred expenses, and informing the visitors of our website who is in the amfori Board of Directors, MAC and SAC. The lawfulness of the processing activity related to our corporate housekeeping is based on Article 6.1 (c) of the GDPR (‘processing is necessary for compliance with a legal obligation to which the controller is subject’). You can request more information regarding the legitimate interests pursued by amfori, per e-mail to dataprotection@amfori.org or by letter to amfori (Avenue de Tervueren 270, 1150 Brussels, Belgium) marked for the attention of the amfori Data Protection Coordinator.
2.2.4 Who has access to personal data and what are the categories of recipients of your personal data?
amfori staff
Access to your personal data is provided to the staff members of amfori responsible for carrying out this processing activity and to authorised staff according to the ‘need to know’-principle. Such staff abide by confidentiality agreements.
Recipients
Your data are shared with processors we might need for the performance of our services, middle-office and back-office operations. For information regarding the categories of recipients of your personal data, we refer to Section 3.1 below.
2.2.5 How long do we keep your personal data?
amfori only keeps your personal data for the time necessary to fulfil the purpose of processing.
2.3 When you are an employee of a Monitoring Partner (Auditing Company)
2.3.1 What personal data do we process?
amfori processes the following categories of personal data:
- Identification data: full name, professional title, APSCA-number (professional certification number of auditors).
- Contact details: such as e-mail address, telephone number.
- Data regarding your qualification: audit qualification, CV
2.3.2 Where did we get your personal data?
Your personal data is collected from you, or, in some cases, from your employer.
2.3.3 Why do we process your personal data and under what legal ground?
Your personal data is processed for the purpose of management of the relationship and contacts with the Monitoring Partners with whom amfori works, as well as for the purpose of monitoring the ethical behaviour of auditors working for the Monitoring Partners.
The lawfulness of this processing activity is based on Article 6.1 (f) of the GDPR (‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party’), i.e. management of the relationship and contracts with the Monitoring Partners and ensuring the Monitoring Partners always act in an ethical way. You can request more information regarding the legitimate interests pursued by amfori, per e-mail to dataprotection@amfori.org or by letter to amfori (Avenue de Tervueren 270, 1150 Brussels, Belgium) marked for the attention of the amfori Data Protection Coordinator.
2.3.4 Who has access to personal data and what are the categories of recipients of your personal data?
amfori staff
Access to your personal data is provided to the staff members of amfori responsible for carrying out this processing activity and to authorised staff according to the ‘need to know’-principle. Such staff abide by confidentiality agreements.
Recipients
Your data are shared with processors we might need for the performance of our services, middle-office and back-office operations. For information regarding the categories of recipients of your personal data, we refer to Section 3.1 below.
2.3.5 How long do we keep your personal data?
amfori only keeps your personal data for the time necessary to fulfil the purpose of processing.
2.4 When you are an employee of a Business Partner (Suppliers of amfori Members)
2.4.1 What personal data do we process?
amfori processes the following categories of personal data:
- Identification data: full name, professional title, in some cases also date of birth.
- Contact details: such as e-mail address, telephone number.
- Information on trade union membership in case of company representatives of a trade union.
2.4.2 Where did we get your personal data?
Your personal data is collected from the Monitoring Partner (Auditing Company) performing an audit at the company where you are employed.
2.4.3 Why do we process your personal data and under what legal ground?
Your personal data is processed for the purpose of performing social/environmental audits, drafting audit reports and sharing them with the linked amfori Members, monitoring and improving social/environmental compliance of the audited company (supplier of the amfori Member), so amfori Members can manage the sustainability of their supply chain.
The lawfulness of this processing activity is based on Article 6.1 (f) of the GDPR (‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party’). The legitimate interest is enabling audits to improve social compliance of the audited company. You can request more information regarding the legitimate interests pursued by amfori, per e-mail to dataprotection@amfori.org or by letter to amfori (Avenue de Tervueren 270, 1150 Brussels, Belgium) marked for the attention of the amfori Data Protection Coordinator.
2.4.4 Who has access to personal data and what are the categories of recipients of your personal data?
amfori staff
Access to your personal data is provided to the staff members of amfori responsible for carrying out this processing activity and to authorised staff according to the ‘need to know’-principle. Such staff abide by confidentiality agreements.
Recipients
Your data are shared with processors we might need for the performance of our services, middle-office and back-office operations. For information regarding the categories of recipients of your personal data, we refer to Section 3.1 below.
2.4.5 How long do we keep your personal data?
amfori only keeps your personal data for the time necessary to fulfil the purpose of processing.
2.5 When you are an employee of a Training partner
2.5.1 What personal data do we process?
amfori processes the following categories of personal data:
- Identification data: full name, professional title.
- Contact details: such as e-mail address, telephone number.
2.5.2 Where did we get your personal data?
Your personal data is collected from you, or, in some cases, from your employer.
2.5.3 Why do we process your personal data and under what legal ground?
Your personal data is processed for the purpose of organising training sessions and providing access to the training platform (Academy).
The lawfulness of this processing activity is based on Article 6.1 (f) of the GDPR (‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party’). The legitimate interest is organising training sessions. You can request more information regarding the legitimate interests pursued by amfori, per e-mail to dataprotection@amfori.org or by letter to amfori (Avenue de Tervueren 270, 1150 Brussels, Belgium) marked for the attention of the amfori Data Protection Coordinator.
In case you are a training partner working as a natural person, without a company, the lawfulness of this processing activity is based on Article 6.1 (b) of the GDPR (‘processing is necessary for the performance of a contract to which the data subject is party’).
2.5.4 Who has access to personal data and what are the categories of recipients of your personal data?
amfori staff
Access to your personal data is provided to the staff members of amfori responsible for carrying out this processing activity and to authorised staff according to the ‘need to know’-principle. Such staff abide by confidentiality agreements.
Recipients
Your data are shared with processors we might need for the performance of our services, middle-office and back-office operations. For information regarding the categories of recipients of your personal data, we refer to Section 3.1 below.
2.5.5 How long do we keep your personal data?
amfori only keeps your personal data for the time necessary to fulfil the purpose of processing.
2.6 When you are a visitor or participant of a conference, a training, or an event
2.6.1 What personal data do we process?
amfori processes the following categories of personal data:
- Identification data: full name, professional title.
- Contact details: such as e-mail address, telephone number.
- If a test is part of the training, we also process the evaluation results.
- If you participate in an amfori event, we might take pictures including you.
2.6.2 Where did we get your personal data?
Personal data is collected from your registration, submitted by you.
2.6.3 Why do we process your personal data and under what legal ground?
Your personal data is processed for the purpose of processing your registration for a conference, a training or an event. If applicable, we also process your data to provide access to the training platform (Academy), and, if applicable, to evaluate your test results after a training. In case of a satisfaction survey, we process your data to monitor and improve the quality of our conferences/events/trainings. We might also use your data for direct marketing purposes, i.e. to send you our newsletter or other marketing related e-mails. In case you participate in an amfori event, we might take pictures of the event that include you, and publish these pictures on our website or on social media for the purpose of giving the public information about amfori activities in order to promote our activities online.
In case you register for a conference, a training or an event based on a contract concluded directly between you and amfori, the lawfulness of this processing activity is based on Article 6.1 (b) of the GDPR (‘processing is necessary for the performance of a contract to which the data subject is party’). In case there is no such contract (e.g. the contract is concluded between your employer and amfori, or there is no contract at all), the lawfulness of this processing activity is based on Article 6.1 (a) of the GDPR (‘the data subject has given consent to the processing of his or her personal data for one or more specific purposes’).
If we organise a satisfaction survey, the lawfulness of the processing activity is based on Article 6.1 (f) of the GDPR (‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party’), i.e. quality monitoring and improvement of our conferences/trainings/events.
In case we send you our newsletter or marketing related emails, the lawfulness of this processing activity is based on Article 6.1 (f) of the GDPR (‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party’) when we have an ongoing business relationship with you (e.g. when you are working for an amfori Member). The legitimate interest is building, maintaining and strengthening relationships as part of Client Relationship Management and providing you with information that we believe may be of interest to you. When there is no such relationship, the lawfulness of this processing activity is based on Article 6.1 (a) of the GDPR (‘the data subject has given consent to the processing of his or her personal data for one or more specific purposes’).
In case we take pictures of an amfori event that include you, we might publish these pictures on our website or on social media. The lawfulness of the processing activity is based on Article 6.1 (f) of the GDPR (‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party’), i.e. giving the public information about amfori activities in order to promote our activities online.
You can request more information regarding the legitimate interests pursued by amfori, per e-mail to dataprotection@amfori.org or by letter to amfori (Avenue de Tervueren 270, 1150 Brussels, Belgium) marked for the attention of the amfori Data Protection Coordinator.
2.6.4 Who has access to personal data and what are the categories of recipients of your personal data?
amfori staff
Access to your personal data is provided to the staff members of amfori responsible for carrying out this processing activity and to authorised staff according to the ‘need to know’-principle. Such staff abide by confidentiality agreements.
Recipients
Your data are shared with processors we might need for the performance of our services, middle-office and back-office operations. For information regarding the categories of recipients of your personal data, we refer to Section 3.1 below.
2.6.5 How long do we keep your personal data?
amfori only keeps your personal data for the time necessary to fulfil the purpose of processing.
2.7 When you are a media contact person, a journalist or a (potential) stakeholder
2.7.1 What personal data do we process?
amfori processes the following categories of personal data:
- Identification data: full name, professional title.
- Contact details: such as e-mail address, telephone number.
2.7.2 Where did we get your personal data?
Personal data is collected from you or, in some cases, from a third party.
2.7.3 Why do we process your personal data and under what legal ground?
We use this information to send you press releases and provide you with information that we believe may be of interest to you.
The lawfulness of this processing activity is based on Article 6.1 (f) of the GDPR (‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party’). The legitimate interests are business development and advocacy purposes. You can request more information regarding the legitimate interests pursued by amfori, per e-mail to dataprotection@amfori.org or by letter to amfori (Avenue de Tervueren 270, 1150 Brussels, Belgium) marked for the attention of the amfori Data Protection Coordinator.
2.7.4 Who has access to personal data and what are the categories of recipients of your personal data?
amfori staff
Access to your personal data is provided to the staff members of amfori responsible for carrying out this processing activity and to authorised staff according to the ‘need to know’-principle. Such staff abide by confidentiality agreements.
Recipients
Your data are shared with processors we might need for the performance of our services, middle-office and back-office operations. For information regarding the categories of recipients of your personal data, we refer to Section 3.1 below.
2.7.5 How long do we keep your personal data?
amfori only keeps your personal data for the time necessary to fulfil the purpose of processing.
2.8 When you are an employee of a supplier or a service provider of amfori, or if you are a contractor or consultant working for amfori
2.8.1 What personal data do we process?
amfori processes the following categories of personal data:
- Identification data: full name, professional title.
- Contact details: such as e-mail address, telephone number.
- Financial data: bank account – if you are a natural person doing business with amfori in your own name (without company)
2.8.2 Where did we get your personal data?
Your personal data is collected from you, or, in some cases, from your employer.
2.8.3 Why do we process your personal data and under what legal ground?
Your personal data is processed for the purposes of procurement administration and supplier & service provider relationship management.
The lawfulness of this processing activity is based on Article 6.1 (f) of the GDPR (‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party’). The legitimate interests are conducting procurement administration and supplier and service provider relationship management. You can request more information regarding the legitimate interests pursued by amfori, per e-mail to dataprotection@amfori.org or by letter to amfori (Avenue de Tervueren 270, 1150 Brussels, Belgium) marked for the attention of the amfori Data Protection Coordinator.
If you are a contractor acting as an individual, i.e. a natural person doing business with amfori in your own name (without company), the lawfulness of this processing activity is based on Article 6.1 (b) of the GDPR (‘processing is necessary for the performance of a contract to which the data subject is party’).
2.8.4 Who has access to personal data and what are the categories of recipients of your personal data?
amfori staff
Access to your personal data is provided to the staff members of amfori responsible for carrying out this processing activity and to authorised staff according to the ‘need to know’-principle. Such staff abide by confidentiality agreements.
Recipients
Your data are shared with processors we might need for the performance of our services, middle-office and back-office operations. For information regarding the categories of recipients of your personal data, we refer to Section 3.1 below.
2.8.5 How long do we keep your personal data?
amfori only keeps your personal data for the time necessary to fulfil the purpose of processing.
2.9 When you are a user of the amfori Sustainability Platform or any of the other amfori Services and Frameworks
2.9.1 What personal data do we process?
amfori processes the following categories of personal data:
- Identification data: full name, professional title.
- Contact details: such as e-mail address, telephone number.
- Access rights, authentication data, meta data (such as action performed).
2.9.2 Where did we get your personal data?
Your personal data is collected from you.
2.9.3 Why do we process your personal data and under what legal ground?
Your personal data is processed for the purposes of access management & information security and in some cases, monitoring Member misbehaviour (especially fraud) and preventing/solving technical issues to ensure a seamless experience with our software tools.
The lawfulness of this processing activity is based on Article 6.1 (f) of the GDPR (‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party’). The legitimate interests are giving you access to our tools, ensuring information security and in some cases, monitoring Member misbehaviour (especially fraud) and, if applicable, preventing/solving technical issues.
We also use your data for direct marketing purposes, i.e. to send you our newsletter or other marketing related e-mails.
The lawfulness of this processing activity is based on Article 6.1 (f) of the GDPR (‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party’). The legitimate interest is building, maintaining and strengthening relationships as part of Client Relationship Management and providing you with information that we believe may be of interest to you.
You can request more information regarding the legitimate interests pursued by amfori, per e-mail to dataprotection@amfori.org or by letter to amfori (Avenue de Tervueren 270, 1150 Brussels, Belgium) marked for the attention of the amfori Data Protection Coordinator.
2.9.4 Who has access to personal data and what are the categories of recipients of your personal data?
amfori staff
Access to your personal data is provided to the staff members of amfori responsible for carrying out this processing activity and to authorised staff according to the ‘need to know’-principle. Such staff abide by confidentiality agreements.
Recipients
Your data are shared with processors we might need for the performance of our services, middle-office and back-office operations. For information regarding the categories of recipients of your personal data, we refer to Section 3.1 below.
2.9.5 How long do we keep your personal data?
amfori only keeps your personal data for the time necessary to fulfil the purpose of processing.
2.10 When you are a visitor of the amfori Website
2.10.1 What personal data do we process?
Website usage information including the IP-address, source/medium leading to the amfori website, browser type and settings, the date and time the website was used, information about browser configuration and plugins and language preferences, device information (laptop, smartphone, etc.) and location information when you are accessing the website (in accordance with the consent process provided by your device).
In most cases, this information will not enable us to identify you, and these data can therefore not be considered as personal data. If, in certain cases, it would be possible to identify you, these data will be considered as personal data.
Regarding cookies, we refer to our Cookie Policy.
2.10.2 Where did we get your personal data?
Your personal data is collected from you.
2.10.3 Why do we process your personal data and under what legal ground?
The lawfulness of this processing activity is based on Article 6.1 (a) of the GDPR (‘the data subject has given consent to the processing of his or her personal data for one or more specific purposes’).
2.10.4 Who has access to personal data and what are the categories of recipients of your personal data?
amfori staff
Access to your personal data is provided to the staff members of amfori responsible for carrying out this processing activity and to authorised staff according to the ‘need to know’-principle. Such staff abide by confidentiality agreements.
Recipients
Your data are shared with processors we might need for the performance of our services, middle-office and back-office operations. For information regarding the categories of recipients of your personal data, we refer to Section 3.1 below.
2.10.5 How long do we keep your personal data?
amfori only keeps your personal data for the time necessary to fulfil the purpose of processing.
2.11 When you are a candidate for a vacant position at amfori
2.11.1 What personal data do we process?
amfori processes all data necessary to process your application:
- Data identifying the applicant: full name, gender, nationality, date and place of birth
- The applicant’s contact details: such as e-mail address, telephone number, postal address.
- Data derived from the candidate’s application: CV, motivation letter and other supporting documents submitted, including information on their education, competencies and language skills, diplomas and certificates, professional experience (including names of previous and current employers, duration of employment, level of responsibility). Applicants may, on their own initiative, send documents such as letters of recommendation, certificates showing language competences, etc.
- Personal data contained in the evaluation by the selection panel: name and surname of the interviewed candidates, date of the interview, assessment of selection criteria (general comments on each interviewed candidate’s performance), final outcome.
2.11.2 Where did we get your personal data?
Personal data is collected from your application, submitted by you.
2.11.3 Why do we process your personal data and under what legal ground?
Your personal data is processed for the purpose of selecting staff for amfori.
The lawfulness of this processing activity is based on Article 6.1 (f) of the GDPR (‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party’). The legitimate interest is the recruitment of employees. You can request more information regarding the legitimate interests pursued by amfori, per e-mail to dataprotection@amfori.org or by letter to amfori (Avenue de Tervueren 270, 1150 Brussels, Belgium) marked for the attention of the amfori Data Protection Coordinator.
2.11.4 Who has access to personal data and what are the categories of recipients of your personal data?
amfori staff
Access to your personal data is provided to the staff members of amfori responsible for carrying out this processing activity and to authorised staff according to the ‘need to know’-principle, i.e. the staff members in charge of the selection procedure and the members of the selection panel (usually the HR Director, the hiring manager and sometimes one or two other managers). Such staff abide by confidentiality agreements.
Recipients
Your data are shared with processors we might need in the course of a selection process, such as an external assessment agency, with the purpose of performing an assessment, selection tests and/or background check of the candidate. For information regarding the categories of recipients of your personal data, we refer to Section 3.1 below.
2.11.5 How long do we keep your personal data?
The time-limits for storing the data are as follows:
- 6 years after the end of the employment for recruited applicants
- 6 months after the end of the selection procedure for non-recruited applicants
- 6 months after submission for spontaneous applications
2.12 When we receive information about you through a grievance process (amfori Speak for Change, Resolve Channel)
2.12.1 What personal data do we process?
amfori processes the following categories of personal data:
- Identification data: full name, professional title.
- Contact details: such as e-mail address, telephone number.
- Description of the grievance and any personal data that the data subject provides therein. This can also include special categories of personal data as described in Article 9 of the GDPR (e.g., personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, data concerning health).
These personal data are only collected if provided by the complainant. A grievance can also be transmitted anonymously, in which case no personal data are processed in the grievance process, provided that the data do not allow us to identify you.
2.12.2 Where did we get your personal data?
Your personal data is collected from you.
2.12.3 Why do we process your personal data and under what legal ground?
Your personal data is processed for the purposes of assessing and managing grievances submitted under the amfori Speak for Change grievance mechanism or under Resolve Channel.
The lawfulness of this processing activity is based on Article 6.1 (f) of the GDPR (‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party’). The legitimate interest is handling a grievance in the context of amfori Speak for Change or Resolve Channel. You can request more information regarding the legitimate interests pursued by amfori, per e-mail to dataprotection@amfori.org or by letter to amfori (Avenue de Tervueren 270, 1150 Brussels, Belgium) marked for the attention of the amfori Data Protection Coordinator.
When special categories of personal data are processed, such as data revealing racial or ethnic origin or trade-union membership, the condition for processing these data is the consent of the data subject, as described in Article 6.1 (a) of the GDPR (‘the data subject has given consent to the processing of his or her personal data for one or more specific purposes’).
2.12.4 Who has access to personal data and what are the categories of recipients of your personal data?
amfori staff
Access to your personal data is provided to the staff members of amfori responsible for carrying out this processing activity and to authorised staff according to the ‘need to know’-principle, i.e. the staff member(s) designated as case handler(s). Such staff abide by confidentiality agreements.
Recipients
Your personal data can also be shared with processors supporting the resolution process, including investigation and remediation personnel. For information regarding the categories of recipients of your personal data, we refer to Section 3.1 below.
We emphasise that the identity of the data subject is only disclosed to amfori Member companies directly linked to the complaint, provided that the data subject gives their consent for this disclosure.
2.12.5 How long do we keep your personal data?
amfori only keeps your personal data for the time necessary to fulfil the purpose of processing.
In cases deemed inadmissible or dismissed, personal data shall be retained for a period not exceeding one year following final notification. In cases that are pursued and resolved, relevant data shall be retained for a period of 5 years following case closure.
Personal data associated with user credentials and system access shall be retained for a maximum of 6 months following the end of the user’s authorised engagement. Log files are kept for 6 months.
2.13 When you contact us with a question or request (employees of amfori Members, employees of Business Partners, employees of Monitoring Partners, any other parties, etc.)
2.13.1 What personal data do we process?
amfori processes the following categories of personal data:
- Identification data: full name, professional title.
- Contact details: such as e-mail address, telephone number.
2.13.2 Where did we get your personal data?
Your personal data is collected from you.
2.13.3 Why do we process your personal data and under what legal ground?
Your personal data is processed for the purpose of processing your question or request and providing you with an adequate response.
The lawfulness of this processing activity is based on Article 6.1 (a) of the GDPR (‘the data subject has given consent to the processing of his or her personal data for one or more specific purposes’).
2.13.4 Who has access to personal data and what are the categories of recipients of your personal data?
amfori staff
Access to your personal data is provided to the staff members of amfori responsible for carrying out this processing activity and to authorised staff according to the ‘need to know’-principle. Such staff abide by confidentiality agreements.
Recipients
Your data are shared with processors we might need for the performance of our services, middle-office and back-office operations. For information regarding the categories of recipients of your personal data, we refer to Section 3.1 below.
2.13.5 How long do we keep your personal data?
amfori only keeps your personal data for the time necessary to fulfil the purpose of processing.
3. Other information (common to all data subject types)
3.1 Recipients
Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. amfori has different categories of recipients.
Processors
For the performance of a number of services, middle-office and back-office operations and related processing activities, amfori uses specialised (natural or legal) persons who carry out assignments, and who process the associated data for and on behalf of amfori (‘processors’ in the sense of the GDPR). amfori uses the services of several categories of processors:
- IT Service Providers who have access to amfori’s software systems to perform IT developments and/or maintenance, for the purpose of ensuring the optimal functioning and/or continuous improvement of the system. Access to the data is provided to these entities during the contractual period to enable the development, maintenance, and/or troubleshooting of software systems.
- Cloud Service Providers, for the purpose of securely hosting, managing, and backing up data to ensure the storage of and accessibility to data. Access to the data is provided to these entities during the contractual period to support the hosting, management, and backup of data in the cloud infrastructure.
- Other service providers engaged by amfori in order to perform specific services which include the processing of personal data on behalf of amfori, such as:
- Marketing and communication agencies providing e-mail campaign services;
- Assessment/recruitment agencies providing services regarding the assessment, selection tests and/or background checks of candidates for vacant positions;
- Network Representatives or Network Officers, representing amfori’s interest in another country than Belgium (amfori’s headquarters);
- amfori subsidiaries and branches: we may share certain data with amfori subsidiaries and branches, for purposes of efficient administration.
Third parties
The information we collect will not be given to any third party, except in specific cases, such as:
- Collaboration with other data controllers, e.g. a lawyer, to whom certain data might be transferred in case of litigation, or a debt collection agency, to whom certain data might be transferred in case of non-payment of our invoices.
- To the extent and for the purpose we may be required to do so by law.
Third countries (countries outside the European Economic Area)
Your personal data are only transferred to recipients in third countries or to international organisations in the cases described in Section 3.2 below.
3.2 International Data Transfers
In some cases, we might transfer your data to a processor or a third party located in a third country. A third country is a country outside the European Economic Area (= the Member States of the European Union, Iceland, Liechtenstein and Norway). In that case, we ensure the confidentiality and security of your data by verifying that the third country was subject to an adequacy decision by the European Commission. In the absence of such an adequacy decision, we take the appropriate safeguards to ensure the confidentiality and security of your data.
We work with US Cloud Service Providers located in a third country to host some of the data we process. Although the cloud servers are located within the European Union, we have ensured that appropriate safeguards are taken:
- Either our US Cloud Service Providers are certified under the EU-US Data Privacy Framework;
- Or we have signed the Standard Contractual Clauses (SCC) adopted by the European Commission with the US Cloud Service Provider.
We may also share information wherever amfori is active. This means we may share your information with other amfori entities, amfori network representatives and officers, members, auditors, producers, or other partners in a third country. In each case, we will ensure the confidentiality and security of your data (adequacy decision or other appropriate safeguards, see above).
You can request more information regarding our international data transfers, including a copy of the appropriate or suitable safeguards, per e-mail to dataprotection@amfori.org or by letter to amfori (Avenue de Tervueren 270, 1150 Brussels, Belgium) marked for the attention of the amfori Data Protection Coordinator.
3.3 Automated decision-making
Your personal data is not subject to automated decision-making.
3.4 How do we protect and safeguard your personal data?
All personal data in electronic format are stored on clouds provided by cloud service providers (cloud servers located within the European Union).
In order to protect your personal data, amfori has put in place a number of technical and organisational measures. Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the processing and the nature of the personal data being processed. Organisational measures include restricting access to the personal data solely to authorised persons with a legitimate need to know for the purpose of this processing operation, organising periodical data protection training and awareness sessions for staff members, the implementation of a data protection policy and internal processes.
3.5 What are your rights regarding your personal data?
You have specific rights as a data subject under Chapter III (Articles 12-23) of the GDPR:
- You have the right of access to your personal data and to relevant information concerning the processing. This means that you have the right to obtain confirmation from us as to whether personal data concerning you are being processed, and where that is the case, the right to access to the personal data and to certain information concerning why and how we process it.
- You have the right to rectification of your personal data in case they are inaccurate or incomplete.
- Where applicable, you have the right to erasure of your personal data.
- Where applicable, you have the right to restriction of the processing of your personal data.
- You have the right to data portability, i.e. the right to receive your personal data in a structured, commonly used and machine-readable format and the right to transmit those data to another controller. This right only applies when the processing is based on your consent and when the processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract.
- Where the processing of your personal data is based on the legitimate interest pursued by amfori, you have the right to object to the processing of your personal data, on grounds relating to your particular situation.
- Where your personal data are processed for direct marketing purposes, you have the right to object to the processing of your personal data for such marketing.
- When the processing of your personal data is based on your consent as legal ground, you have the right to withdraw your consent at any time by notifying the controller. The withdrawal of consent shall not affect the lawfulness of the processing based on consent before its withdrawal.
Please note that in certain cases, as provided in Article 23 of the GDPR, restrictions of data subjects’ rights may apply.
You can send your request per e-mail to dataprotection@amfori.org or by letter to amfori (Avenue de Tervueren 270, 1150 Brussels, Belgium) marked for the attention of the amfori Data Protection Coordinator.
We will consider your request, take a decision and communicate it to you. The time limit for treating your request is one month. This period may be extended by two further months where necessary, taking into account the complexity and the number of requests. In those cases, we shall inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.
3.6 You have the right to lodge a complaint
If you have any remarks or complaints regarding the way we process your personal data, we invite you to contact amfori (contact details mentioned under Section 3.7 below).
You have, in any case, the right to lodge a complaint with the Belgian Data Protection Authority (fr: Autorité de protection des données / nl: Gegevensbeschermingsautoriteit) as supervisory authority: https://www.dataprotectionauthority.be/citizen/actions/lodge-a-complaint.
Autorité de protection des données/Gegevensbeschermingsautoriteit
Rue de la Presse/Drukpersstraat 35, 1000 Brussels, Belgium
Telephone: +32 (0)2 274 48 00
E-mail: contact@apd-gba.be
Website: https://www.dataprotectionauthority.be
3.7 Contact details for enquiries regarding your personal data
We encourage you to contact us by sending an e-mail to dataprotection@amfori.org or a letter to amfori at our registered office (Avenue de Tervueren 270, 1150 Brussels, Belgium) marked for the attention of the amfori Data Protection Coordinator.