PEFC Database Privacy and Security Notice

Version: December 2, 2022

Introduction

Welcome to the PEFC Database Privacy and Security Notice.

The PEFC Council is committed to protecting and to being transparent about its personal data management and to meeting applicable data protection obligations.

This Notice explains what data are collected, how they are used and shared, and how you can manage your rights. Please also read our Terms of Service, which govern the PEFC Database.

1. Who is responsible for data processing and who can you contact?

PEFC Council (PEFC International)
Route de Pré-Bois 20
CH-1215 Geneva
Switzerland
Email: privacy@pefc.org
Telephone: +41227994540

2. Information the PEFC Council collects

The PEFC Council collects information on database users. The PEFC Council receives these data when employees of PEFC national bodies request an account by email to the PEFC Council Technical Unit.

2.1 Categories of data

The PEFC Council collects personal data for user accounts: names, email addresses, telephone numbers, employment information, usernames, passwords.

Every time a user attempts to log in or logs in to the database, a timestamped log is recorded. This log includes the email address, IP address, type of device (browser, computer, or mobile device) and status of authentication (success/failure). This information is stored for a maximum of 5 years.

2.2 Place of data processing

All data processing activities are carried out exclusively within Switzerland or the EU (European Union).

3. For what purpose does PEFC process personal data and on what legal basis?

3.1 Purpose of processing

  • Enabling implementation of PEFC certification
  • To manage your account
  • Enable contact for support requests and comments
  • Database security / enforcement of the Terms and Conditions

3.2 Type of processing

  • Collection by the PEFC Council
  • Account registration on the PEFC database by the PEFC Council

3.3 Legal basis for processing

  • Performance of the PEFC Administration contract
  • Legitimate interests, including but not limited to:
    • Efficient and effective improvement of services
    • Efficient and effective database user support
    • Understanding members and third-party behaviour and activities
    • Maintenance and security of the database

The table below aims to give a better view on how the PEFC Council collects and uses your personal data:

In what context do we collect your personal data?
Database administration and security. When database users are accessing the administration interface of the PEFC database

What types of personal data do we collect?
  • Name Address
  • Email address
  • Telephone
  • Employment information (affiliated organization and role only)
  • IP address

How and why do we use it?
Ensure database security (e.g., against automated requests, unauthorized access attempts)

How do we process your data?
Registration on the PEFC database’s administration interface

On what legal basis do we process your personal data?
PEFC scheme administration contract

4. Who will receive your personal data?

The PEFC Council may have to share your personal data with the parties set out below for the purposes set out in Section 3:

  • Third party service providers and partners who provide data processing services to us (e.g., Caspio Inc. which provides us with the PEFC database)
  • Individuals working for the PEFC Council who have been granted access to the PEFC database administrative interface
  • Competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation; (ii) to exercise, establish or defend our legal rights; or (iii) to protect your vital interests or those of any other person;
  • To any other person with your consent to the disclosure.

5. How long will your data be stored?

The PEFC Council retains the personal data that relates to the provision of the services or otherwise to a contract or business relationship for as long as the contractual relation is ongoing and for a maximum period of 10 years after the termination of the contractual relationship. In some cases, a longer statutory retention period is applicable for reasons of proof or if there is another valid reason for an exception based on applicable law or regulation.

We delete the data if no longer needed, or we restrict the processing, if there are statutory retention requirements.

6. Data security

The PEFC Council has put in place several measures to safeguard the collection, transmission, and storage of the data we collect.

The PEFC database uses robust security measures. All information transferred within the Caspio Bridge Service, customers’ deployed applications, and the Caspio website(s) is automatically served through a secure connection (HTTPS). However, no method of transmission over the Internet, or method of electronic storage, is 100% secure. While Caspio has implemented and will maintain appropriate security measures to protect your Personal Data, we cannot guarantee its absolute security. We use commercially acceptable means to maintain the integrity of your Personal Data and have implemented physical, technical, and administrative safeguards to protect your data from unauthorized access, use, disclosure, and destruction.

The PEFC Council has put in place procedures to deal with any suspected personal data breach and will notify database users and any applicable regulator of a breach where it is legally required to do so. When the PEFC Council notifies database users, it will provide them with the relevant details of the personal data breach.

7. What privacy rights do you have?

Under applicable data protection law, database users have the following privacy rights:

  • Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
  • Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
  • Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
  • Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

If you wish to exercise any of the rights set out above, please use the PEFC Data Subject Access Request Form or contact us using the details set out in Section 1.

Time limit to respond

We try to respond to all legitimate requests within one month.

You may also raise a complaint with the competent data protection authority, which for PEFC in Switzerland is the Swiss Federal Data Protection and Information Commissioner (http://www.edoeb.admin.ch).

8. Amendment of our Database Privacy and Security Notice

The PEFC Council reserves the right to change our security and data protection measures if this becomes necessary due to technical circumstances. In these cases, we will also amend our information on data protection accordingly. Therefore, please note the current version of our data protection declaration.
