EcoVadis SAS and EcoVadis Inc (“EcoVadis”) collect personal information from users of our web Services, including, but not limited to, sites located at www.ecovadis.com, www.ecovadis-survey.com, www.iq.ecovadis-survey.com, all subdomains, and all other online services of EcoVadis (“Services”) and uses for the purposes defined in the paragraphs below.
The below-described processing of users’ personal information is based on EcoVadis legitimate interests in the meaning of Article 6. 1. f) of GDPR.
EcoVadis collects and uses the personal information of users of its Services through:
a) providing personal information by users in the online registration forms;
b) submitting into the online forms by users of enterprise customers (“Requesting company(ies)”) and users of Requesting companies trading partners (“Rated company(ies)”), their own users’ contact details;
c) submitting the online forms by Requesting companies users the contact details of Rated company(ies) users ;
d) providing personal information of the users of Requesting companies or Rated companies through email messages.
For users who do not participate in the Services and related processes, please refer to the Legal Notice - Data Protection (Prospection). https://ecovadis.com/trust-center/legal-notice-data-protection/.
Sustainability and Carbon Assessment
EcoVadis collects the following personal information of its users: first and last name, email address, phone number and job title for contacting purposes to provide requested Services.
As part of this service, EcoVadis offers an e-learning platform to support the users within Rated companies and Requesting companies to improve their sustainability practices. EcoVadis collects data on your course participation and results, which will be shared with managers of your own company (holding the Administrator profile). Only anonymized and aggregated user data of Rated companies will be shared with Requesting companies with whom you have previously agreed to share your Sustainability or Carbon scorecard.
Requesting user activities on the platform are tracked, and the status of these requesting user activities (time to first log in, onboarding progress) is communicated to the requesting company's Program Manager for the purpose of improving the onboarding on the requesting company's side.
The Rated company’s administrator contact created on the EcoVadis solution is visible to all users who are part of the Rated company’s EcoVadis network.
In the case of Sustainability or Carbon scorecard sharing by the Rated company, the administrator’s contact information is visible to the Requesting company’s administrator and the administrators of its subsidiaries.
The collected personal information via the EcoVadis webpages mentioned above is recorded in digital files by EcoVadis. It is kept until the end of the contract for Requesting companies which are requesting Sustainability or Carbon assessments from their Rated companies and for five (5) years after the end of the subscription for the Rated companies.
EcoVadis, as a rating agency, is to maintain the traceability of actions related to our customers’ accounts (e.g. uploading documents on the EcoVadis platform, submitting the questionnaire, accepting customer requests to share Sustainability or Carbon performance results, etc.). For this reason, (inactive) usernames are kept as a reference to be able to answer any queries and establish, exercise or defend potential legal claims. We refer to section 17.3(e) of GDPR.
Users of Rated companies who accepted the T&Cs are kept for 10 years after the end of the subscription according to Article 17.3 b) of GDPR.
Documents will be deleted 5 years after the end of the subscription in order to keep the justification for the scoring.
IQ and Vitals service
For the IQ service, any contact data (email addresses) of Rated companies that have not been edited or reached out to for an assessment request are anonymized 3 years after the first usage and at the end of the agreement with the Requesting company.
For the Vitals Service EcoVadis collects the following personal information of its users: first and last name, and email address for contacting purposes to provide requested Services.
Any contact data of Rated companies that have not accepted the T&Cs are anonymized 3 years after the first usage and at the end of the agreement with the Requesting company.
Users of Rated companies that have accepted the T&Cs are kept for 10 years after the end of the subscription according to Article 17.3 b) of GDPR. Provided documents are kept for 5 years after the end of the subscription.
Other processing related to the service:
EcoVadis collects the described personal information of its customers' users for its business communication and managing relationships with its customers.
For improving its services and the platform features the user behaviour is analyzed on the platform. The data is kept for 1 year.
Personal data are processed in the context of the invoicing, payment and accounting management processes. This data is kept for a retention period in accordance with legal or regulatory requirements (invoices: 10 years).
Furthermore, EcoVadis may also contact users to conduct research via surveys relating to user opinions about Services, or inform in newsletters about other Services, or inform about potential new services that may be offered in the future. For this processing please refer to the Legal Notice - Data Protection (Prospection) . https://ecovadis.com/trust-center/legal-notice-data-protection/.
For the security of the platform, the connection data of users (logs including the IP address) are processed. This data is kept for 1 year on the platform and 4 years in the archive.
The collected data for customer management are intended for our customer-facing teams, legal advisors and necessary third parties (providers) involved in the provision of Services.
The user behaviour analytics data are intended for the Product Development team.
For the invoicing and payment and accounting management processes administration, accounting staff as well as debt collection companies will have access.
The access to logs of user connections is restricted to authorized IT and IT Security staff.
Transfer outside the European Economic Area (EEA)
Personal Information submitted to EcoVadis may be transferred to EcoVadis subsidiaries located outside the EEA: EcoVadis (Mauritius) Ltd., EcoVadis (USA) Inc., EcoVadis (Hong Kong) Ltd., EcoVadis Canada Ltd., EcoVadis Japan K.K., and other subsidiaries that may be formed at a later date. Access to this information is necessary in order to provide the service and for the processing mentioned above, e.g. to assist and follow up with customers.
As a safeguard, this transfer is governed by (Data controller - Data controller) standard contractual clauses between EcoVadis SAS (France) and its subsidiaries if the country is considered not ensuring an adequate level of protection.
In the Sustainability and Carbon assessment process, Rated company contact data are transferred to Requesting Customer Companies located outside the EEA when accessing the Sustainability and Carbon performance results. As a safeguard, this transfer is governed by (Data controller - Data controller) standard contractual clauses between EcoVadis and the Requesting customers.
Third parties (providers)
For the purpose of processing, EcoVadis uses providers (processors) based outside the EEA. EcoVadis signed (Data controller - Data processor) standard contractual clauses as a safeguard. For more information, please go to the GDPR section on our Trust Center: https://www.ecovadis.com/fr/trust-center/#IS
Data protection rights
You have the right to access, rectify or erase your data, restrict processing concerning your data or object to processing, and receive an export of your data by contacting us. You will find further information about data protection on our website: www.ecovadis.com/legal-notice/.
If you have any concerns about protecting your personal data and exercising your data protection rights, please feel free to contact us using the information below.
Data Protection Officer
43 Avenue de la Grande Armée
75116 Paris, France
Furthermore, you have the right to lodge a complaint with a supervisory authority: CNIL, 3 Place de Fontenoy, 75007 Paris, France, if you consider that the processing of personal data relating to you infringes the regulation.