EcoVadis SAS and EcoVadis Inc (“EcoVadis”) collect personal information from users of our web Services, including, but not limited to, sites located at www.ecovadis.com, www.ecovadis-survey.com, www.iq.ecovadis-survey.com, all subdomains, and all other online services of EcoVadis (“Services”) and uses for the purposes defined in the paragraphs below.
For Ulula online web services, please refer to the Ulula Corporate Privacy Policy.
The below-described processing of users’ personal information is based on EcoVadis legitimate interests in the meaning of Article 6. 1. f) of GDPR.
EcoVadis collects and uses the personal information of users of its Services through:
a) providing personal information by users in the online registration forms;
b) submitting into the online forms by users of enterprise customers (“Requesting company(ies)”) and users of Requesting companies trading partners (“Rated company(ies)”), their own users’ contact details;
c) submitting the online forms by Requesting companies users the contact details of Rated company(ies) users ;
d) providing personal information of the users of Requesting companies or Rated companies through email messages.
For users who do not participate in the Services and related processes, please refer to the Legal Notice - Data Protection (Prospecting). https://ecovadis.com/trust-center/legal-notice-data-protection/.
Sustainability and Carbon Assessment
EcoVadis collects the following personal information of its users: first and last name, email address, phone number and job title for contacting purposes to provide requested Services.
Requesting user activities on the platform are tracked, and the status of these requesting user activities (time to first log in, onboarding progress and engagement) is communicated to the requesting company's Program Manager for the purpose of improving the onboarding and engagement on the requesting company's side.
The Rated company’s administrator contact created on the EcoVadis solution is visible to all users that are part of the Rated company’s EcoVadis network.
In the case of Sustainability or Carbon scorecard sharing by the Rated company, the administrator’s contact information is visible to the Requesting company’s administrator and the administrators of its subsidiaries.
The collected personal information via the EcoVadis webpages mentioned above is recorded in digital files by EcoVadis. It is kept until the end of the contract for Requesting companies which are requesting Sustainability or Carbon assessments from their Rated companies and for five (5) years after the end of the subscription for the Rated companies.
EcoVadis, as a rating agency, is to maintain the traceability of actions related to our customers’ accounts (e.g. uploading documents on the EcoVadis platform, submitting the questionnaire, accepting customer requests to share Sustainability or Carbon performance results, etc.). For this reason, (inactive) usernames are kept as a reference to be able to answer any queries and establish, exercise or defend potential legal claims. We refer to section 17.3(e) of GDPR.
Users of Rated companies who accepted the T&Cs are kept for 10 years after the end of the subscription according to Article 17.3 b) of GDPR.
Users that were involved in user activities or did not accept the T&C’s can be erased by the Rated company during the term of subscription.
Documents will be deleted 5 years after the end of the subscription in order to keep the justification for the scoring.
Academy E-learning
As part of the services, EcoVadis offers an e-learning platform to support the users within Rated companies and Requesting companies to improve their sustainability practices. EcoVadis collects data on your course participation and results, which will be shared with managers of your own company (holding the Administrator profile). Only anonymized and aggregated user data of Rated companies will be shared with Requesting companies with whom you have previously agreed to share your Sustainability or Carbon scorecard.
For Non-customer users using the e-learning platform the following applies :
EcoVadis collects data on your course participation and your results. These will be shared with managers of the client funding access to the courses of your own company (holding the Administrator profile). EcoVadis processes your personal data for the purpose of providing access to the EcoVadis Academy for our customer users to participate in e-learning courses to understand sustainability practices. EcoVadis collects the following personal information of its users: first and last name, email address (username). The collected personal information is kept until the end of the agreement of the Requesting company.
IQ and Vitals service
For the IQ service, Requesting companies may use the contact data (email addresses) of Rated companies for identification purposes of the Rated company in Ecovadis system. EcoVadis also processes these identifiers to fulfill mandatory regulatory duties, such as providing required notifications to Rated companies under applicable ESG rating regulations (e.g., EU Regulation 2024/3005). Any contact data (email addresses) of Rated companies that have not been edited or reached out to for an assessment request are anonymized 3 years after the first usage and at the end of the agreement with the Requesting company. Users of Requesting companies are kept until the end of the contract.
For the Vitals Service EcoVadis collects the following personal information of its users: first and last name, and email address for contacting purposes to provide requested Services.
Users of Rated companies that have accepted the T&Cs are kept for 10 years after the end of the subscription according to Article 17.3 b) of GDPR. Users of Rated companies and provided documents are kept for 5 years after the end of the subscription. Users of Requesting companies are kept until the end of the contract.
EcoVadis Community
EcoVadis offers an online community network (the "Community"), to facilitate collaboration, networking, and knowledge sharing among our customers, partners, for improving and exchanging on sustainability practices.
To provide and operate this service, EcoVadis processes the following personal data of authorized users: First and Last Name, Email Address, Location, Job Title, Industry, Interests and Company Name. This data is processed in the community platform for the purpose of creating and managing your user account and enabling your access to and usage of the Community.
Moderation
During your participation, the platform automatically processes your Community Interaction Data (e.g., posts, replies, login timestamps, views) to facilitate peer-to-peer interaction, moderate content according to the Community Terms of Use including requirements under the Digital Services Act, and measure community health.
Personalization and Recommender Systems
EcoVadis utilizes recommender systems to personalize the content, experience, and communications displayed to you. This system relies on your professional interests and predicts which content will be most relevant to your role. The specific content and its order of prominence are primarily influenced by the following main parameters:
User Profile and Interests: The industry, professional role, and interests indicated in your profile.
Legal basis, Rights and Control
The processing of this data is based on Legitimate Interest (GDPR Art. 6(1)(f)) for existing customers and partners, as well as for companies interested in sustainability performance services. The Community is considered a value-added and efficient service relevant to your relationship or potential engagement with other EcoVadis services aimed at fostering industry-wide sustainability collaboration.
In accordance with the Digital Services Act and GDPR, you have the right to influence and modify these parameters at any time and to object to profiling:
You may choose not to provide optional professional "Interests" in your profile. Furthermore, by selecting alternative sorting options (such as "Most Recent" or "Chronological") upon your first visit, you can view content without the application of personalized ranking or profiling algorithms.
Modify Parameters: You can update your professional interests in your profile at any time to alter the personalization logic.
Marketing and Personalized Outreach
If you choose to enrich your community profile with additional information (such as your professional 'Interests'), EcoVadis may use this data to provide you with personalized sustainability insights and relevant marketing communications both within the Community (via the recommender system) and through external channels (such as email). This processing is based on our legitimate interest in providing you with high-value, professional content. You maintain full control over these communications and can object to this processing at any time through your marketing preferences or by using the unsubscribe link in our emails.
Reporting Illegal Content (Notice & Action)
If you report illegal content within the Community, EcoVadis processes your name and email address to manage the report and provide you with a confirmation of receipt and the outcome. Your identity as a "notifier" will remain confidential and will not be disclosed to the affected content poster unless such disclosure is strictly necessary to determine the illegality of the content (e.g., in intellectual property disputes). You will be duly informed before any such disclosure occurs.
Automated Moderation & Human Review
To ensure a safe environment, EcoVadis may use automated tools to detect and moderate content. If a decision is made to restrict or remove your content based solely on automated processing, you will be informed of the logic involved and the consequences. You have the right to request a human review of any such automated decision to contest the action taken.
Protection of Minors
EcoVadis is committed to a high level of privacy and safety for minors. We strictly prohibit presenting advertisements based on profiling using the personal data of users when we are aware with reasonable certainty that the recipient is a minor.
Data retention
Your personal data is retained for as long as you are an active member of the Community. If your company’s contract with EcoVadis services ends, you may still access limited parts of the network as a professional contact for up to three years, unless you choose to close your account earlier.
We automatically close accounts that have been inactive for more than three years. When an account is closed—by your request or due to inactivity—we permanently delete your profile and contact details.
To ensure compliance with the Digital Services Act and the GDPR, the following specific retention periods apply:
- Moderated content and statements of reasons: We retain records of content moderation decisions and the associated content for six (6) months following the decision to facilitate the internal complaint-handling and appeals process.
- Legal defense and archive: Activity logs and communications necessary to defend against legal claims or enforce our Terms of Service are retained in a restricted archive for five (5) years following the termination of the business relationship, in accordance with applicable statutes of limitations.
To keep the Community’s discussions meaningful for other members, your posts and comments will remain visible but will be fully anonymized, meaning they will no longer be linked to your name or identity. If you have included personal information within the body of a post (such as your phone number or specific identifying details), you should edit or delete that specific content before closing your account.
For details on your rights, including the right to object to processing and content moderation policies, please refer to the relevant sections of this notice and the Community Terms of Use.
Other processing related to the service:
EcoVadis collects the described personal information of its customers' users for its business communication and managing relationships with its customers.
For improving its services and the platform features the user behaviour is analyzed on the platform. The data is kept for 13 months (cookie lifespan) and 25 months for the information collected through these cookies.
Personal data are processed in the context of the invoicing, payment and accounting management processes. This data is kept for a retention period in accordance with legal or regulatory requirements (invoices: 10 years).
Furthermore, EcoVadis may also contact users to conduct research via surveys relating to user opinions about Services, or inform in newsletters about other Services, or to offer similar or related solutions that are a logical extension of the initial service, or inform about potential new services that may be offered in the future. For this processing please refer to the Legal Notice - Data protection (Prospecting). https://ecovadis.com/trust-center/legal-notice-data-protection/.
Ecovadis uses contact data to provide mandatory notifications to Rated companies as required by ESG transparency and rating regulations supervised by authorities such as ESMA.
For the security of the platform, the connection data of users (logs including the IP address) are processed. This data is kept for 1 year on the platform and 4 years in the archive.
Ecovadis may process provided personal data from persons of requesting companies on the self-registration invitation pages meant to inform Rated companies of the sustainability mission and values particular to a requesting company. While Ecovadis is responsible for processing the data (e.g., video recordings or presentations), it is the requesting company’s responsibility to have lawfully processed this data, including obtaining all the required consents under applicable data protection laws before providing this information to Ecovadis. The personal data on these pages is kept for the duration of the agreement with the requesting company.
Recipients
The collected data for customer management are intended for our customer-facing teams, legal advisors and necessary third parties (providers and partners) involved in the provision of Services.
The user behaviour analytics data are intended for the Product Development team.
For the invoicing and payment and accounting management processes administration, accounting staff as well as debt collection companies will have access.
The access to logs of user connections is restricted to authorized IT and IT Security staff.
The access to requesting companies' personal data on the self-registration invitation page is intended for the Marketing team.
Transfer outside the European Economic Area (EEA)
Ecovadis affiliates
Personal Information submitted to EcoVadis may be transferred to EcoVadis subsidiaries located outside the EEA: EcoVadis (Mauritius) Ltd., EcoVadis (USA) Inc., EcoVadis (Hong Kong) Ltd., EcoVadis Canada Ltd., EcoVadis Japan K.K., and other subsidiaries that may be formed at a later date. Access to this information is necessary in order to provide the service and for the processing mentioned above, e.g. to assist and follow up with customers.
As a safeguard, this transfer is governed by (Data controller - Data controller) standard contractual clauses between EcoVadis SAS (France) and its subsidiaries if the country is considered not ensuring an adequate level of protection. A copy of such SCC can be requested at dpo@ecovadis.com
Data Transfers between Rated and Requesting Customers
To facilitate the Sustainability and Carbon assessment process, enhance transparency and communication, and manage corrective actions, personal contact data is shared between participants as follows:
- Rated Company Data: Contact details are transferred to Requesting Customers (located outside the EEA) when they request or view Sustainability and Carbon performance results or scorecards.
- Requesting Company Data: Contact details are transferred to Rated Companies (located outside the EEA) during assessment requests and scorecard sharing.
- Community Service: When using community features, users may share data with other Requesting and Rated participants globally to enable direct communication.
All such transfers are governed by Controller-to-Controller Standard Contractual Clauses (SCCs). These agreements ensure an adequate level of data protection and are incorporated into our terms with both parties:
- Standard Contractual Clauses for Requesting Customers: https://resources.ecovadis.com/legal-terms-conditions/standard-contractual-clauses-for-customers
Standard Contractual Clauses for Rated Companies : https://resources.ecovadis.com/legal-terms-conditions/standard-contractual-clauses-for-rated-companies-as-importers
Third parties (providers)
For the purpose of processing, EcoVadis uses providers (processors) based outside the EEA. EcoVadis signed (Data controller - Data processor) standard contractual clauses as a safeguard. For more information, please go to the GDPR section on our Trust Center: https://ecovadis.com/trust-center/
Data protection rights
You have the right to access, rectify, or erase your data, restrict or object processing of your data by contacting us. You will find further information about data protection on our website: https://ecovadis.com/trust-center/data-privacy/
If you have any concerns about protecting your personal data and exercising your data protection rights, please feel free to contact us using the information below.
EcoVadis SAS
Data Protection Officer
43 Avenue de la Grande Armée
75116 Paris, France
Email: dpo@ecovadis.com
Furthermore, you have the right to lodge a complaint with a supervisory authority: CNIL, 3 Place de Fontenoy, 75007 Paris, France, if you consider that the processing of personal data relating to you infringes the regulation.
Comments
0 comments
Article is closed for comments.