Privacy Policy

1. General

The EAASS recognises and respects the importance of the privacy of our visitors and users of online systems. We treat your personal data confidentially and in accordance with data protection law. This Privacy Policy explains how we generally handle personal information and cookies when you use our online services. We may also provide more specific information relating to particular products or services in our privacy collection notices.


We will update this policy on our website if we change the way we handle personal information.

2. Information we collect and how we collect it

We collect information that is reasonably necessary for us to perform our functions or activities and to deliver online services to you according to agreed terms.


The use of our website is generally possible without providing personal data. You are neither obliged to visit this website nor to provide any personal data. If you do not provide us with personal information, you may not be able to use certain functionalities of this website. Otherwise there will be no consequences for you. As far as personal information (such as name, address or e-mail addresses) is collected on our site, this is done on a voluntary basis, except in the cases expressly described below.

2.1. Visiting our website and using our online services

When you use our website or online services, certain information is collected by us automatically, such as your browser type and IP address. We record and save your computer’s IP address so that we can deliver the content of the website or database pages you visit to your computer. We process your browser information and your movements and behaviour on our online systems to monitor the functionality of our online service and compliance with our Terms, and to identify potential misuse of our online services.

2.2. Cookies

Cookies are small text files which are saved on your computer. Cookies make it possible to analyse your use of our website and online services. The information stored in cookies (including an IP address) is transmitted to our servers and is used for the purpose of analysing user behaviour and to evaluate the functionality, including user friendliness, of our website and online services.


Your personal data is safeguarded by the anonymization of the IP address. The data is not used to personally identify you and it is not merged with any other data. The data is erased once it is no longer required for our purpose.


You have the right to opt out of us saving and analysing your data from cookies.

2.3. Information provided by you via membership accounts, subscriptions, forms and emails

We may receive personal data voluntarily from you such as your name, organisation name, organisation information, certification information, accreditation information, email address, phone contact and other contact information. You may provide this information to us via forms which are on our website for creating membership accounts, placing subscription orders and raising online enquiries.


We process such personal information for the purpose of answering your requests, fulfilling our legal obligations to provide online services to you and contacting you to notify you of developments in the services we provide.


Where you have given your consent to the processing of personal data, you can withdraw your consent at any time; however, this may affect our ability to respond to requests for support or to fulfil our legal obligations to you. We will inform you if this is the case.


If you provide information about others for purposes such as referring a colleague, you must only provide personal data for others whom you know would be happy to hear from you and must not use our products or services to send unsolicited “spam” messages.

2.4. Web analysis using Google Analytics

Our website uses Google Analytics, a service provided by Google Ireland Limited (Google). By using the “Universal Analytics” operating mode Google allows analysis of a user’s activities to be carried out across a range of different devices. We will use information in order to analyse your use of our website and online services, to compile reports on your activities on the website and our online services and to provide further services relating to the website and online service use.


The data sent by us, and the data connected to cookies, user recognition or advertising ID are erased automatically after 26 months.


To learn more about the terms of service and data protection from Google, please visit: https://www.google.com/analytics/terms/us.html and/or https://policies.google.com/?hl=en


The legal basis for the use of Google Analytics is your declaration of consent.


You have the right to withdraw your consent at any time. You can do this by changing your browser settings to prevent the saving of cookies. We note, however, that doing so may prevent you from enjoying the full functionality of our website and online services.

3. The purposes for collecting, storing and processing personal data

We collect and process personal data for the following purposes:


  • To provide online services to you according to agreed terms.
  • To analyse user behaviour and to evaluate the use and functionality of the individual components of the website and our online services.
  • To accommodate your requests and inquiries for services or information.
  • To provide newsletters or notifications to you.
  • To provide marketing communications to you.
  • For the purpose of facilitating validation of accredited certification or accreditation.

4. How we use personal data

We use the information provided in the following ways:


  • To communicate with you in relation to our online services.
  • To enable you to verify an organisation’s accreditation certification(s).
  • To enable you to access our online services.
  • To meet our legal compliance obligations.
  • For direct marketing purposes to tell you about developments in services available to you from our carefully selected partners (provided that we will communicate these to you in conjunction with our own marketing).

5. We do not sell personal data

We do not sell personal data or authorise personal data to be sold to third parties.


Our service providers/processors are bound by instructions to process your data exclusively in line with applicable data protection laws. In particular, they are contractually bound to treat your data with strict confidentiality and are not permitted to process data for other purposes than the ones agreed.

6. Disclosures of your personal data

As a provider of a global database, in order to deliver the service and support you have requested, we may transfer personal data collected on an aggregated or individual level for the purposes outlined in this Privacy Policy. Such recipients of your personal data may include:


  • internal divisions, subsidiaries, joint ventures and affiliated companies of the EAASS;
  • marketing, information technology, customer support and human resources service providers;
  • professional advisers including lawyers, finance service providers, auditors and insurers who provide consultancy, finance, legal, insurance and accounting services.

Such processing is limited to the extent required for the purposes outlined in this privacy policy and in accordance with applicable data protection regulations.


Our service providers/processors are bound by instructions to process your data exclusively in line with applicable data protection laws. In particular, they are contractually bound to treat your data with strict confidentiality and are not permitted to process data for other purposes than the ones agreed.


We may also be legally required to share information with external regulatory bodies in connection with law enforcement and compliance.

7. Disclosure of information across borders

The global database and our website are stored on Amazon Web Services and are located in Frankfurt, Germany.


When we disclose personal information in accordance with this Privacy Policy, it may be accessed from, transferred to, and/or stored outside the country in which you are located. We will, in all circumstances, safeguard the personal information as set out in this Privacy Policy.


Such processing is limited to the extent required for the purposes outlined in this privacy policy and in accordance with applicable data protection regulations.


Our service providers/processors are bound by instructions to process your data exclusively in line with applicable data protection laws. In particular, they are contractually bound to treat your data with strict confidentiality and are not permitted to process data for other purposes than the ones agreed.

8. Security

We have implemented appropriate organisational and technical security measures to protect your personal data from loss, destruction, manipulation and unauthorised access. This also applies to any external services that are contracted by us.


We store personal data on servers with limited access located in secured facilities, and our security measures are evaluated on an ongoing basis. The servers are protected by anti-virus software and firewalls.


To protect the personal data of our users, we use a secure online transmission procedure, the so-called "Secure Socket Layer" (SSL) transmission. You can recognize this by the "s" added to the address prefix http:// (giving "https://") or by a green, closed lock symbol. By clicking on the icon you will receive information about the SSL certificate used. The display of the symbol depends on the browser version you are using. SSL encryption guarantees the encrypted and complete transmission of your data.

9. No automated single decision

Unless it is exceptionally necessary for the conclusion of a contract or permitted by law (as in the case of age verification), we do not use your personal data for automated individual decisions.

9.1 Right of access

On request, you have the right to obtain information from us about the personal data concerning you and processed by us, to the extent defined in applicable legislation.


We will provide you with access to the information we hold about you within a reasonable timeframe (or any time frame stipulated by the laws that apply to your request).


If you wish to exercise your right to access your personal data, please contact privacy@eaacr.org.

9.2 Right to rectification

You may request that we rectify any inaccurate personal data about you.


If you wish to exercise your right to rectify processed data, please contact privacy@eaacr.org.

9.3 Right to deletion and restriction

Depending upon your geographical location, you may have the right to immediate deletion (“right to be forgotten”) of personal data concerning you or, where you oppose deletion, you may have the right to restrict processing of personal data.


Legal reasons for requesting deletion of personal data include:


  • the personal data is no longer necessary for the purposes for which it was processed, or
  • you withdraw your consent and there are no other legal grounds for processing.

To assert your above rights, please contact privacy@eaacr.org.

9.4 Right to data portability

Data portability is the right to receive personal data concerning you, which you have provided, in a structured, commonly used and machine-readable format.


Depending upon your geographical location, you may have the right to data portability.


To assert your right to data portability, please contact privacy@eaacr.org.

9.6 Right to file a complaint

You have the right to make a complaint at any time about the way that we process personal data.


We would appreciate the opportunity to deal with your concerns before you approach an external body and ask that you contact us in the first instance by writing to: privacy@eaacr.org.

9.5 Right to object to processing

You have the right to object at any time to processing of your personal data. We will desist from processing your personal data unless we can demonstrate legitimate grounds for processing.

9.7 Response times

To the extent permitted by law, we try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month to respond if your request is particularly complex or you have made a number of requests. In this case we will notify you and keep you updated.

10. Retention

We keep records for as long as required to manage your membership or subscription accounts, to manage an entity’s accreditation certification in the global database and provide the other relevant services anticipated by this Privacy Policy, including keeping you up-to-date with our marketing, and where we are required to by law or for records purposes. We also retain your information to make your future interactions with us convenient and to personalise the services and communications with you.


Subject to legislation, we will store any data we collect for as long as it is required for the above purposes for which it was collected.

11. Your rights concerning the processing of personal data

In some countries you have the right to access, or correct, the personal information that we hold about you.


While we adhere to the privacy regulations in your country, we must advise you that by requesting that we restrict, delete or stop processing your personal data, you may be prevented from enjoying the full functionality of our website and online services.

12. Amendments to this Privacy Policy

New legal requirements, business decisions or technical developments may require us to change our Privacy Policy. We reserve the right to amend our Privacy Policy.


Any amendments will be posted on our website. Unless stated otherwise, amendments shall take effect immediately following posting of the updated Privacy Policy.


If you do not agree to the modified Privacy Policy, you should discontinue your use of the website or our online services and notify us by writing to: privacy@eaacr.org.


If you continue to use the website or our online services following the amendment of this Privacy Policy, you shall be deemed to accept them and agree to be bound by the amended version.

13. Consent

The legal basis for our use of your personal data is your declaration of consent.


By choosing to provide us with your personal information you are declaring your consent to its use in accordance with the principles outlined in this Privacy Policy.


We may contact you via the methods of communication that you have provided in order to provide you with updates pertaining to our services as well as information about additional offers, products, services or events that we believe may be of interest to you.

13.1. Withdrawing your consent

You do not have to provide us with your personal information. If you choose not to provide certain personal information you will still be able to visit our website but you may be unable to access certain options, products or services.


All marketing communications we send to you will provide you with a way to withdraw your consent to future marketing. If you no longer wish to receive promotional materials you may opt out of receiving these communications by changing your account settings; this will remove you from our marketing lists.


Please note that if you unsubscribe from marketing communications you will still receive operational and service messages from us regarding your organisation’s account and responses to your enquiries made to us, and that we may hold your details on a suppression list so we do not send you marketing communications in the future.

14. European data protection laws

This section applies if you are based in the European Economic Area (EEA) during your interactions with us and sets out the additional information that we are required to provide to you under European data protection laws.


Under European data protection laws, use of personal information must be based on one of a number of legal grounds and we are required to set out the grounds in respect of each use. Companies may process personal data only when the processing is permitted by the specific legal ground set out in the law.


In the table below, we have set out the relevant grounds that apply to each purpose of data processing that is mentioned in this Privacy Policy.


Purposes of the data processing, each followed by its use bases:

To provide and administer verification of accreditation certification

  • Consent (which can be withdrawn at any time).
  • Contract performance.
  • Legitimate interests (to allow us to perform our functions and provide services to you).

For marketing purposes

  • Consent (which can be withdrawn at any time).
  • Legitimate interests (to allow us to provide related services) and consent (which can be withdrawn at any time).

To provide customer support

  • Consent (which can be withdrawn at any time).
  • Contract performance.
  • Legal obligation.
  • Legitimate interests (to allow us to correspond with you in connection with our services).

To comply with our legal obligations

  • Consent (which can be withdrawn at any time).
  • Legal obligations.
  • Legitimate interests (to cooperate with law enforcement and regulatory authorities).

To operate and facilitate your participation in the database

  • Consent (which can be withdrawn at any time).
  • Contract performance.
  • Legitimate interests (to allow us to provide services to you).

15. Contact details

If you have any questions about this Privacy Policy or other questions regarding protection of your personal data please contact privacy@eaacr.org. We will respond to your query or complaint within a reasonable time.