1. The Controller
The Controller that is responsible for collecting and processing your personal data when you use the Websites is:
“Controller” means GS1 AISBL, also referred to as “we”, “us”, and “our”.
“processor” means a natural or legal person that processes personal data on behalf of or pursuant to GS1’s instructions.
“processing” refers to the ways your personal data is (among other things) collected, stored, used, disclosed, and erased.
“personal data” means any information relating to an identified or identifiable natural person (a “Data Subject”). Examples of such personal data includes your name, email address, photograph, professional title, business phone number, and any other personal information you provide to us that is capable of identifying you.
“services” includes GS1 services such as the GS1 MO Zone, GS1 Cloud, GS1 Activate, GS1 Learning Zone, GS1 Xchange, GEPIR Premium, and other GS1 services that are created and made available from time to time.
“Website(s)” include https://www.gs1.org/, http://mozone.gs1.org/, https://gs1.wufoo.eu/, https://gs1sso.gs1.org/Account/Login for services, as well as the GS1 events webpages as created from time to time.
3. Collecting Personal Data
The GS1 Websites, including the services available on them, collect personal data that enables us to provide secure Website access and our services to you. When you interact with the Websites (i.e. to register your details and/or login), your personal data is collected for registration and security purposes. Personal data is collected as input by you and from third party processing services that collect personal data via our Websites (such as event registrations).
Personal Data is only collected when necessary to provide secure Website access and/or services to you, and is limited to the relevant types of personal data actually required.
4. Purposes of Processing & Legal Basis
The personal data GS1 collects via its Websites allow us to provide secure access to our Websites and to respond to your questions.
This type of processing is done with your consent, which you may give when submitting your details via the electronic contact form, and otherwise for GS1’s legitimate interest of improving the Websites, our services and responding to your queries.
Our Websites, and the services they provide, may require users to register their personal data (for example name, email address, and password) and user consent is requested at the time of registration.
This type of processing is done on the legal basis of your consent and otherwise, where consent is not legally required, for GS1’s legitimate interest of ensuring the security of our services and the people that access and use them. Where a user has entered into a contract with GS1 (for example that relates to a service), then it may be necessary for us to process personal data in order to fulfil our obligations to perform the contract.
Marketing & Organisation Communication
Personal data may be processed for the purpose of sending email communications about GS1 news and events. Personal data is also processed as our services reasonably require, to communicate updates, troubleshoot issues with the service, and to respond to and resolve user queries about the service. Regarding organisational communications, these are processed on the basis of personal data provided by users of the MO Zone website (http://mozone.gs1.org).
Processing personal data for marketing and organisational communication purposes is done on the legal basis of user consent and otherwise, for GS1’s legitimate interests of marketing its news and events to interested members and users. Processing personal data to communicate with users about services they use is done pursuant to GS1’s legitimate interest of providing ongoing services and related service support to its users.
Personal data is processed to operationally provide our services to users and ensure that the services are protected, to the extent possible, from unauthorised access and use. Such processing also includes to: process business transactions; establish and maintain customer accounts; communicate with you about updates, maintenance, outages or other technical matters relating to the services; provide training; notify you about changes to our policies and procedures; verify the accuracy of account and technical contact information; and respond to user inquiries.
The legal basis for such processing is GS1’s legitimate interest of providing and maintaining the services, and ensuring security of these systems.
GS1 Organised Group(s) (GSMP Work Groups, GS1 Industry Groups, MO Interest Groups, GS1 Advisory Teams, GS1 Workstreams, and other similar GS1 groups)
GS1 processes and collects personal data on individuals for purposes relating to the organisation, operation, administration, and management of GS1 Organised Groups. GS1 has a legitimate interest in processing personal data to manage registration and participation in GS1 Organised Groups and for record-keeping, security management, and audit purposes. GS1 collects the personal data each time an individual registers for a GS1 Organised Group. Such personal data may include the participant’s name, company, company address, participant’s title, industry, interest category, country/region, email address, and other contact details such as username and password. A GS1 Member Organization (“MO”) or other company submitting personal data when registering an individual for a GS1 Organised Group must ensure it does so in accordance with all applicable laws and regulations, including providing notice to the individual concerning GS1’s purposes for collecting the personal data and, where required, obtaining appropriate consent.
Social Media Integration & Plugins
GS1 integrates content from its YouTube channel, Twitter and LinkedIn accounts (“social media platform(s)”) to its Websites. These social media platforms can, if buttons are included on our Websites, automatically download information technology content. The pages viewed by a user can then automatically send data to these social media platforms. Through this technical process, the social media platform may receive personally identifiable information, such as an IP address and browsing habits, to optimise user-directed advertising. This information is stored by the social media platforms in the United States of America and may be shared with third parties where appropriate. If the user is logged in to a social media platform with their profile, the social media platform recognises the user at each activity. Personal data such as the IP address of the person concerned, clicks on pages, access time, access location, the frequency of visits, links of origin, follow-on links and data on the length of stay on the website are sent. The social media platforms may, if buttons are included on our Websites, monitor user activity.
GS1 Websites embed content and uses social plugins ("plugins") from social media platforms. If you visit a page of our Websites that contains such plugin, your browser connects directly to the servers of the social media platform. The content of the plugin is transmitted by the social media platform directly to your browser and integrated into the webpage. By integrating the plugin, the social media provider receives the information that your browser has accessed the corresponding page of our Website. This also applies if you do not have a profile or are currently not logged in to the respective social media platform. This information (including your IP address) is transmitted by your browser directly to a server of the social media platform (possibly in the US) and stored at that location. If you are logged in to one of the social media platforms, the provider can directly allocate the visit to our Website to your profile in the respective social media platform. If you interact with the plugins (for example by clicking the "Like" or "Share" buttons), the corresponding information is also transmitted directly to a social media platform server and stored at that location. The information may also be posted on the social media platform and displayed to your contacts. This type of processing is necessary for the optimal marketing of our services, which is a legitimate interest of GS1.
If you do not want social media platforms to assign the data collected via our Websites directly to your profile in the corresponding social media platform, you must log out of the corresponding service before you visit our Websites. You can prevent the plugins from being loaded, even with add-ons for your browser, using the script blocker "NoScript" (http://noscript.net/).
GS1 must comply with its legal obligations (for example as directed by regulatory authorities or under a Court order) and in such circumstances, it may be necessary for us to process personal data for these reasons.
Cookies are small files stored on your computer when you access our Website. They have various functions including: allowing you to navigate smoothly between pages on the Website, remembering your preferences and improving the overall experience of the Website.
5. Data Storage
6. Data Transfers & Recipients
Disclosure to Third Parties
If required by law, GS1 may disclose personal data upon request of a public authority and upon receipt of a Court order, or similar, to disclose personal data.
In some cases it may be necessary to transfer personal data to international businesses and/or organisations (that is, outside of the European Union). In such instances, personal data will be transferred subject to necessary safeguards including pursuant to adequacy decisions of the European Commission or a contractual agreement between GS1 and the international processor. Further information about such transfers may be requested via email@example.com.
7. Protection of Personal Data
All information collected via the Websites and services are saved and stored in secure operating environments and is only accessible by authorised personnel. The Website is monitored regularly to ensure that it is secure and data is not being accessed or used improperly. The Website is protected by appropriate security measures to safeguard, prevent loss, unlawful use and unauthorised access to personal data to the maximum reasonable extent.
8. Your Rights
Accessing your Personal Data
When you request access to your personal data, and such request is reasonable and proportionate, GS1 will provide such service free of charge, however if your request requires disproportionate technical or administrative effort GS1 may charge a fee.
If you request access to your personal data, GS1 may request verification of your identity to ensure to the fullest extent possible that personal data is not unlawfully disclosed – failure to adequately validate your identity may result in GS1’s refusal to allow access to requested personal data.
You are responsible for maintaining the accuracy of your personal data by contacting GS1 to notify us of any changes to or errors in your personal data. You have the right to access your personal data stored by the Websites and services to update, amend and rectify your personal data record.
You have the right to have your personal data erased, noting that without the retention of your personal data, access to the Websites and services may be limited.
You also have the right to withdraw your consent to your data being processed at any time, without affecting the lawful processing of your personal data before such withdrawal.
You have the right to object, in whole or in part, to your personal data being collected and processed pursuant to GS1’s legitimate interests. In such case, we will no longer process personal data - except where the compelling legitimate grounds to continue the processing override the interests, rights and freedoms of the user, or to establish, exercise or defend legal claims.
Users have the right to restrict processing of their personal data if (i) accuracy of the personal data is contested for the period of time in which GS1 can verify the accuracy of the personal data, (ii) processing is unlawful and the data subject opposes erasure of the personal data and requests restricted processing instead, (iii) GS1 no longer needs the personal data for the purpose of processing but is required by the data subject to establish, exercise or defend legal claims, and (iv) the user objects to processing pending verification whether GS1’s legitimate grounds prevail over those of the user. Where processing has been restricted under the above bases, such personal data (save for storage) will only be processed with a user’s consent or to establish, exercise or defend legal claims or to protect the rights or interests of another individual in the public interest.
Personal Data Portability
Users have the right to request and receive their personal data in a structured way as well as the right to have their personal data transmitted to another processor, where technically feasible and not adversely affecting the rights and freedoms of others.
If you have a complaint about the way GS1 handles or processes your personal data, you may lodge a complaint with the relevant supervisory authority, which for GS1 is the Data Protection Authority (Belgium). At first instance, we recommend that you direct any concerns or complaints to firstname.lastname@example.org.
Published 13 July 2018 and revised 1 May 2022.