We have appointed a data protection officer (DPO) who is responsible for overseeing questions related to data privacy and usage. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the DPO@cerise-spm.org.
What is our privacy commitment to you?
We respect your privacy and are committed to protecting your personal data. This privacy notice describes how we collect, use, share and secure personal data you provide on Cerise-SPTF.org and all associated domains and subdomains (our “Websites”) and specifically on our SPI online platform hosted on the subdomain https://spi.cerise-spm.org (“SPI online”). It also explains your privacy rights and how laws that are applicable to you may protect you and is intended to supplement other notices and privacy policies and not to override them. The registration, use of and access to your account and use of our platform (“Services”) are subject to this privacy notice.
What personal data do we collect?
Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (i.e. anonymous data). We may collect, use, store and transfer different kinds of data about you which we have grouped together as follows:
Personal data:
A. Identity data – name (includes first, last names), organization, organization ID or an ID created for usage of the Services) and country.
B. Contact data – email address
C. Technical data may include internet protocol (IP) addresses, login data, browser type, and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
D. Audit data are data you enter in SPI online, i.e., the answers to the indicators
Anonymous data:
E. Anonymized data are data where identifiers, such as name and contact or technical data are removed.
SPI online users
When you agree to become a user of SPI online (“User”), you are able to create audits. We will ask you to complete the account creation form via https://spi.cerise-spm.org (“SPI online”).
Non-users of SPI online
If you are not a User of SPI online but use our Websites, you provide us with your personal data:
-
- If you do not fill in any contact form related, but not limited to, training, qualification or tools, the only personal data we may preserve about you is your technical data. We do this so we may:
– Measure our audience.
– Improve the user experience.
We will not contact you for any reason.
-
- If you fill in any contact forms related, but not limited to newsletter subscriptions, training, qualification or tools, you agree to share the provided data with us.
What personal data do we collect about you and how do we use your personal data?
In the table below, we have set out a more detailed explanation of the ways in which we use your personal data. If we share any type of data with any third parties (e.g. Atlas dataplatform, research team from universities), please be assured that such parties are not allowed to use your personal data without your express consent and we enter into contracts with those third parties to ensure your data is kept secure and confidential.
In many countries, we are required by law to explain the legal bases we rely on when we process your personal data. These legal bases are listed as follows and we may use more than one lawful basis when processing your personal data.
Consent – In certain cases, we collect and process your personal data with your consent e.g. when you want to start an audit, you have to give your authorization to be able to create it.
Legal compliance – If the law requires us to, we may need to collect and process your personal data in response to lawful requests by public authorities or if e.g. we believe in good faith that disclosure is necessary to protect our rights, to protect your safety or the safety of others, to investigate fraud or breaches of our site terms, or to respond to a government request.
Legitimate interest – means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
Activity
Purpose
Type of data
(a) Identity
(b) Contact
(a) Identity
(b) Contact
(a) Identity
(b) Audit data
(a) Identity
(b) Audit data
(a) Identity
(b) Contact
(a) Identity
(b) Contact
(a) Identity
(b) Contact
(a) Identity
(b) Contact
With whom do we share your personal data?
In general, data we collect from you via our audits are only used by Cerise+SPTF. They are occasionally provided to third parties (e.g. Atlas, research) or made available to the public on our site but only in anonymized or aggregated form. If we provide the results in anonymized and aggregated form, the results include information about groups of financial service providers and not on an individual level. If we provide the results at the individual level (examples of case studies), they are anonymized and will not include your Identity data or Contact data.
Identity data or contact data about you would only be provided to our partners in specific cases for the purposes of research. We would never provide such data to our partners unless we have first received your consent (with the authorizations you give when you use SPI) and confirmed with them that their use is in accordance with applicable law.
From time to time, Cerise+SPTF may use third-party software (e.g., Mailchimp; Salesforce) for email list management and email distribution. These companies are subject to governmental regulations and authorized to use your personal data only as necessary to provide these services to us, pursuant to written instructions. In such cases, these companies must abide by our data privacy and security requirements and are not allowed to use personal data they receive from us for any other purpose.
Though we make every effort to preserve your privacy, we may be required to disclose your personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We may also disclose your personal information as required by law, such as to comply with a subpoena or other legal process, when we believe in good faith that disclosure is necessary to protect our rights, to protect your safety or the safety of others, to investigate fraud or breaches of our site terms, or to respond to a government request.
Please see the table above for more on these uses.
Do we transfer your personal data to other countries?
Cerise+SPTF may transfer personal data, as part of our research or benchmark activities, to partners or clients who are located in countries other than where you live. Please be aware that laws in other countries may differ from the laws applicable in your own country of residence. This possible sharing of data is done as part of contracts that guarantee data security and confidentiality.
Hosting
Portions of our web hosting service are located in France. As such, the hosting company must respect GDPR (General Data Protection Regulation (EU) 2016/679). Personal data provided within the use of Cerise + SPTF’s activities may only be used to maintain their services.
What cookies do we use on our site?
A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer’s hard drive. SPI online uses cookies to distinguish you from other users of our site. This helps us to provide you with a good experience when you use our site. The main purpose of these cookies is to simplify logins while conducting audits on SPI online. These cookies expire after 24 hours. By continuing to browse the site, you are agreeing to our use of cookies.
What security measures do we undertake to protect your personal data?
We have put in place appropriate security measures (database protected by password, systematic NDA/contracts to work on aggregated data) to prevent your personal data from being accidentally lost, used, or accessed in an unauthorized way, altered, or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors, and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
Although we do everything we can to keep your data safe, unfortunately, no systems can guarantee they are 100% secure. If you have questions about the security of your personal data, or if you have reason to believe that the personal data that we hold about you is no longer secure, please contact us immediately as described in this Privacy Notice.
We will notify you and any applicable regulator or supervisory authority of a breach where we are legally required to do so.
What are our data retention and destruction policies?
Data is kept to conduct historical analysis of trends for the social audits. Data is kept under the same level of protection over time. Audits and contacts can be destroyed when they do not make sense anymore (10 years for the audits).
For how long will you use my personal data?
We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, including the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data, and whether we can achieve those purposes through other means, and the applicable legal requirements.
If you are a citizen or resident of the European Economic Area (EEA), or we are processing your personal data in the EEA, in some circumstances you can ask us to delete your data: see below for further information.
As the results of the surveys and other aggregated or Pseudonymized data are used for research, scientific, historical, and/or statistical purposes (whether publicly or privately funded), we and our clients or other third parties may use this information for such purposes in accordance with the terms indefinitely without further notice to you.
How do you access your information; use the user services area and/or update, correct or delete your information?
Upon request, Cerise+SPTF will provide you with information about whether we hold any of your personal data. You may access, correct, or request the deletion of your personal data. We will respond to all requests within a reasonable timeframe.
How do you ask a question or make a complaint?
You can direct any questions or complaints about the use or disclosure of your personal data to DPO@cerise-spm.org. We will investigate and attempt to resolve any complaints or disputes regarding the use or disclosure of your personal data within 30 days of receiving your complaint.
Your other rights
You may:
- request access to your personal data and we may conduct ID checks before we can respond to your request.
- have your personal data erased, corrected, or restricted if it is inaccurate or requires updating. You may also have the right under certain circumstances to request the deletion of your personal data; however, this is not always possible due to legal requirements and other obligations and factors.
- object to the processing your personal data if we are not using your personal data for the purposes set out in this privacy policy.
Your rights in the European Economic Area
If you are in the EEA, you additionally will have the right to:
- have your personal data transferred to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- make a complaint at any time to a data protection regulator. A list of National Data Protection Authorities can be found here: http://ec.europa.eu/justice/dataprotection/bodies/authorities/index_en.html.
We would, however, appreciate the chance to deal with your concerns before you approach the data protection regulator so please contact us in the first instance.
Changes to the privacy notice and your duty to inform us of changes
This version was last updated in July 2022. We reserve the right to modify this privacy statement at any time, so please review it frequently. It is important that the personal data we hold about you is accurate and current. Please keep your Account details updated if your personal data changes during your relationship with us.
Privacy contact details
You may contact us by writing to:
Data Protection Officer
Cerise + SPTF
71 Cours Anatole France
33000 Bordeaux
FRANCE
E-Mail: DPO@cerise-spm.org
DISCLAIMER
The information provided on all Cerise+SPTF websites is ultimately intended to enhance the social and environmental performance management (SEPM) of its users, to inform visitors of the issues in inclusive finance as they relate to SEPM, and to enhance the global state of SEPM practice. It is expressly understood that all visitors or users remain responsible for their own actions, their decisions regarding SEPM, and the outcomes resulting from those decisions. Cerise+SPTF expressly disclaims any responsibility for specific business outcomes experienced by individual organizations or people.