Privacy policy

GDPR Policy Statement – V 2024

The non-profit organisation GS1 Belgium & Luxembourg, with registered office at 1000 Brussels Galerie Ravenstein 4, box 10, with company number BE 0418 233 415 (hereinafter referred to as "GS1" or "We"), is responsible for the processing of the personal data that you provide to it or that it uses.

This policy governs the collection, storage and use of personal data as a licensee of a GS1 Company Prefix or a GS1 identification key or any other service where You transfer personal data to GS1. It is intended to provide transparency about the limited personal information we collect, how we use it, and your rights to control it.

Our data capture services are jointly managed by a network of national GS1 member organisations and the GS1 Global Office, as further described on https://www.gs1.org/contact/overview/alphabetical.

As joint data controllers, we respect your right to privacy and will only process personal data that you provide to us in accordance with applicable data protection laws and as described in this policy. Applicable data protection laws include (i) the European General Data Protection Regulation (Regulation 2016/679) ("GDPR"); and (ii) any other existing or new applicable laws relating to or affecting the processing of Personal Data of a Living Person and privacy.

This declaration consists of two parts:

  1. Processing of personal data in the context of the general operation and services of GS1.
  2. Personal data processed within the framework of the GLEIF/LEI.
     

1. Processing of personal data in the context of the general operation and services of GS1 

1.1 Personal data is processed by GS1 for the following purposes and legal grounds:

  • To be able to register the members and to comply with the legal obligations of the non-profit association;
  • To be able to set up and provide the services that members or third parties wish to use, i.e. in execution of an order or agreement, and also to develop services;
  • To inform the members and third parties who purchase services in the context of the operation of GS1, i.e. in the context of a legitimate interest;
  • To provide specific services, which non-members can also use (including training and events, newsletters).

1.2 We may disclose your personal data to GS1 Global Office and to other members of the GS1 network of national GS1 member organisations who are all bound by similar obligations and undertake to comply with applicable regulations.
You agree that the information You provide will be shared with other GS1 member organizations and third-party users who have access to it, including through the GS1 Registry Platform.

1.3 We may choose to disclose your personal data to third party processors who act on our behalf for the same purposes as set out above. These parties are obliged to process such information on the basis of our instructions and in accordance with these rules.

1.4 Compliance with Laws and Legal Process. We may disclose your personal information in the following circumstances:

  • We are required to do so by applicable law, by a government agency, or by a law enforcement agency;
  • to establish or exercise our legal rights or defend against legal claims;
  • to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Terms of Use, or as otherwise required by law.

1.5 Which personal data is processed and for what purposes:

  • The details of the members and the specified contact persons in general; this is to be able to contact the members where necessary, to inform them about the activities of the association, to comply with the obligations regarding the maintenance of a register of members; also to register the attendance of members at meetings and to make it possible for participants in meetings to make appointments and exchange information among themselves.
  • GS1 processes and collects personal data of individuals for purposes related to the organisation, operation, administration and management of working groups. GS1 has a legitimate interest in processing personal data to manage registration and participation in groups organised by GS1 and for archiving, security management and audit purposes. GS1 collects the personal data each time an individual registers for a GS1 working group. Such personal information may include the participant's name, company, company address, participant title, industry, interest category, country/region, email address, and other contact information, such as username, etc.
  • Depending on the service purchased, the following data may be used when starting a service for you, in particular: email – username – – date of registration – name of company – first name and surname of contact person – language – registered office;
    • These are services offered for the exchange of data on products, the provision of standardised data to consumers, the performance of quality checks on the exchange of data; as well as handling applications and assigning "prefixes" to identify products. These are all services that do not in themselves involve the processing of personal data.
    • Once a service has been started, the users manage the applications and services themselves and GS1 does not intervene further and therefore no further personal data is processed in the execution of those services.
    • Where necessary, the data can also be exchanged with the other data platforms of GS1 Global and the various GS1 companies/member organizations (for a list, see: https://www.gs1.org/contact/overview).
    • Any storage of personal data is therefore extremely limited and will only be used for the purposes described in this statement.
  • In addition, various services and products contain the necessary "login" information for security reasons, as it is essential that it is verifiable who has made manipulations or changes to a particular application for a service holder (normally a member); in this way, a user can also be identified, along with the actions that were performed.
  • In addition, the association has a "CRM" (customer relationship management) system and software in which the following data can be stored for communication and marketing purposes: first name – last name – e-mail – company address – position – language – telephone number – registrations for training courses and events – requests to the helpdesk.
  • GS1 does not process "sensitive" personal data.
  • Marketing: to the extent that you receive messages or information from GS1 (general newsletters, announcements, etc.) and do not wish to receive them further, you can always unsubscribe from this. A simple message "unsubscribe me" to email address support@gs1belu.org is sufficient.

1.6 The personal data that GS1 processes is obtained directly from the data subjects.     

It does not process personal data that it would request or obtain from third parties for the purpose of processing personal data.

1.7 Personal data will not be sold, rented or otherwise transferred to third parties except as described in these regulations.

1.8 The personal data is kept (retention period):

  • as long as You are a member of GS1; or
  • as long as You have a relationship with GS1 as a supplier or recipient of services or products;
  • as long as you continue to subscribe to newsletters, wish to continue to receive our mailings, you have registered for training courses and events, until after they have been carried out;
  • and then to be stored passively for a maximum period of five years, unless a legal obligation or possible necessity due to the nature of the services provided requires that the data can be consulted for a longer period of time in order to resolve disputes or enforce agreements, if necessary.

1.9 Provision of personal data to third parties

  • Personal data will only be disclosed to third parties, in particular service providers if this is necessary for setting up or providing a service to members; it concerns very limited data required for the establishment of a service which is then managed directly by the member;
  • Almost all personal data is stored on GS1 servers.
  • Where personal data would be passed on to third-party suppliers (processors) in the context of services provided by GS1, GS1 provides the necessary agreements with these third parties to provide for the security and protection of personal data.
  • GS1 does not provide personal data to third parties for the purpose of exchanging personal data; so, apart from what is stated above, personal data will only be passed on if this would be required by law or if explicit permission has been obtained.
  • Some of your personal data may be made globally accessible (via GS1 Global Office and GS1 member organizations) in connection with the above purposes and due to the nature of the services. You hereby acknowledge and agree that this is inherent in the services that are purchased.
  • In addition, the provisions of Article 1.4.

1.10 Technical and organisational measures

  • In accordance with the applicable legislation, GS1 has taken the necessary technical and organisational measures to protect personal data against unlawful processing. It should be noted that the personal data processed by GS1 are very limited and do not contain sensitive personal data, nor do they contain data of minors.
  • GS1 has a username and password policy on all files in which personal data is stored.
  • GS1 has an external IT service provider that regularly monitors the software, firewall and IT infrastructure and checks whether the protection, taking into account the nature of the data being stored, is up to date.
  • GS1 provides a GDPR Privacy addendum in its employment contracts with a confidentiality obligation for all employees involved.

1.11 Rights of data subjects

  • You can always exercise your rights in relation to personal data provided by sending a message to support@gs1belu.org. For example, you can exercise your right to rectification, restriction of use or opposition to further use, access, request for transfer and provision of personal data or revocation of your consent regarding personal data (and right to be forgotten) by sending a simple request to the above-mentioned e-mail address.
    • Any request will be answered within thirty days of verification of the identity of the applicant.
  • Of course, subject to legal obligations or a legitimate interest, the personal data will be deleted or modified, or transferred, in response to a request to do so.
  • In addition, members have the option of consulting and updating their data at any time via the My GS1 platform.

In case of complaints, you can always send a message to the above e-mail address, or contact the supervisory authority in the country where you live or usually carry out your activities, or where you believe that an infringement has been committed.

For Belgium: the DPA – Data Protection Authority – Drukpersstraat 35, 1000 Brussels – 00.32.2.274.48.00 – contact@apd-gba.be

2. Personal data processed in the context of the GLEIF / LEI

GS1 itself does not process any personal data in the context of LEI applications; these are entered and processed directly on the platform of GS1-Germany GmbH (Stolberger Straße 108 a, 50933 Cologne (Köln) and registered in the companies register under number HRB 6276), which is an authorized "Local Operating Unit" for GLEIF.
https://www.gs1-germany.de/datenschutz/

GS1 only facilitates the acquisition by an applicant/legal entity of an LEI from an accredited organisation.

All information about this and about the legal obligations to request an "LEI" (Legal Entity Identifier) can be found on https://www.gs1belu.org/nl/lei-legal-entity-identifier

This is done on the basis of the terms and conditions of the GLEIF - Global Legal Entity Identifier Foundation - https://www.gleif.org/en.