1. Introduction

The Joint Alliance for CSR aisbl (JAC) is committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, and disclose personal data about you, and your rights in relation to that data, in accordance with the General Data Protection Regulation (GDPR).


2. Data Controller and Contact Information

JAC is the data controller responsible for your personal data. If you have any questions or concerns about this Privacy Policy, please contact us at JACSupport@epiconsulting.co.uk. JAC is a non-profit entity subject to Belgian law, with its registered seat located at Boulevard du Roi Albert II 27, 1030 Brussels, Belgium, registered in the Belgian crossroadsbank of enterprises under number 0783.196.212.

You may also contact our processor EPINDEX Ltd. with any data protection related questions and concerns at JACSupport@epiconsulting.co.uk. EPINDEX Ltd. is a company based in the United Kingdom subject to UK law, with its registered seat located at Bickford House, Shurdington, Cheltenham, UK company registration number 06873479.


3. Processor(s) and Subprocessor(s)

We have the following processors and subprocessors:

  • Processor: EPINDEX Ltd. who will act as processor for the purpose of providing services related to the hosting of the JAC Audit Management System and its administration
  • Subprocessor: Worldly Inc (formerly Fair Factories Clearinghouse), who will act as a sub-processor of EPINDEX Ltd. for the purpose of providing IT services in the form of the online portal service


4. Categories of Personal Data

We may collect and process the following categories of personal data:

  • Names, surnames and business titles
  • Contact details such as telephone numbers and physical or electronic addresses

We may obtain such information directly from you, via your employer/principal or public sources.


5. Purpose for Processing Personal Data

The processing may consist of:

Setting up, securing, maintaining and administering the online portal service designed to store and exchange CSR reports and information

  • Scheduling meetings and organizing seminars or other events related to JAC’s activities
  • Customer support
  • Conducting user surveys for improvement of the services
  • Record keeping


6. Lawfulness of processing

For the purpose of the data processing JAC may rely on the following legal bases:

  • Permission of the data subject, where relevant. If you have given permission you may revoke it at any time without affecting the lawfulness of processing based on consent before its withdrawal
  • Necessity for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data


7. Recipients of Personal Data

We may share your personal data with the following recipients:

  • JAC members, auditors or suppliers
  • Our Processor(s) and Subprocessor(s)


8. Retention Periods for Personal Data

We will retain your personal data for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Unless there are compelling reasons to do so we will no longer retain your personal data when we are made aware that you are no longer acting as a representative for an entity involved with JAC’s activities.


9. Rights of Data Subjects

You have the following rights in relation to your personal data, subject to certain conditions:

  • Right of access – you have the right to request access to the personal data we retain on you
  • Right to rectification – you have the right to request that we correct or complete any inaccurate information
  • Right to erasure or restriction of processing – you have the right to request that we erase or restrict your personal data
  • Right to object – you have the right to object to our processing of personal data
  • Right to Lodge a complaint – if you believe we have not complied with the GDPR in the processing of your data you have the right to lodge a complaint with a competent Supervisory Authority. Based on JAC’s company seat the Belgian Autorité Protection Données (APD) / Gegevensbeschermingsautoriteit (GBA) is a competent Supervisory Authority.


10. Transfer of Personal Data to Third Countries

We may transfer your personal data to third countries outside of the European Economic Area (EEA) that may not inherently provide an adequate level of data protection. We will put appropriate safeguards are in place to protect your personal data, such as standard contractual clauses approved by the European Commission.

EPINDEX Ltd. will process the data it receives in the United Kingdom, which is subject to an adequacy decision from the European Commission.

Given that FFC and its IT infrastructure are based in the United States, EPINDEX Ltd. may transfer personal data to FFC storage servers in the United States. To this end protection has been put in place based on the European Commission’s standard contractual clauses


11. Security Measures

We will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks involved in processing your personal data. Examples of such measures include firewalls, virus protection, registration tokens and password controls.


12. Automated Decision-Making and Profiling

We do not engage in automated decision-making or profiling that has legal or significant effects on you.


13. No obligation to provide personal data

You are under no obligation to provide us with personal data. However in such a case we may be unable to provide our services to your employer or principal.


14. Changes to the Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes to this Privacy Policy by posting a notice on our website or by other means.