Privacy Policy – Sustainalyse
17 August 2022
At Sustainalyse (“Sustainalyse”/”we”/“our”/us”) data protection and confidentiality is a high priority. Please read this Privacy Policy before submitting or sharing your personal data with us.
1. Data protection roles
Customer as data controller and Sustainalyse as data processor
Sustainalyse will process personal data regarding Users of the platform for the purpose of providing our services consisting of sustainability consulting, generating GHG and other environmental inventories, other information requiredl for energy & process optimization purposes and carbon emission compensation purposes.
In this case, Sustainalyse will only process personal data as data processor on documented instructions from our customers in the role as data controllers. Reference is made to the data processing agreement enclosed as Appendix 3 to the Customer Agreement for Sustainalyse Services entered into between our customers and Sustainalyse. This Privacy Policy does thus not cover these processing activities.
Sustainalyse as data controller
Sustainalyse also obtains personal data as a separate data controller in different situations. This Privacy Policy sets out the guidelines for Sustainalyse’s processing of your personal data in these situations and provides you with the information you have the right to receive according to applicable data protection legislation.
Our contact details are:
Sustainalyse
VIlniaus str. 33
Vilnius
Lithuania
Contact: info@sustainalyse.com
2. Types of personal data, purposes, legal basis, and deletion
We process personal data on various persons that are in contact with Sustainalyse. Below, you can see how we may process your personal data as a contact person.
Website visitors
The types of personal data we collect may include:
- Your general and identification information (e.g., name, email and/or postal address, telephone number, age, and gender).
- Communication with you.
Your personal data is collected in one or more of the following cases:
- When you book a demo
- When you enter into an agreement
- When you sign up for our newsletter
- When you contact us via email, telephone, or letter
The personal data may be collected and used for the following purposes:
- To sign up and to receive newsletters
- Marketing
- Customer service and general communication
- Improve products, services and tools on our website and platform
- Compliance with requirements according to applicable law
- For the establishment, exercise, or defence of legal claims
Our legal bases for the processing of your personal data for the above purposes are:
- Consent to collect, share and administrate your personal data through cookies for marketing purposes, which may also be based on you interests and your click behaviour (Article 6(1)(a) of the GDPR).
- Legitimate in being able to process your personal data in order to provide newsletter (Article 6(1)(f) of the GDPR), provided that you have given a prior marketing consent in accordance with Section 10 (1) of the Danish Marketing Practices Act.
- Legitimate interest in being able to establish, exercise or defend legal claims (Article 6(1)(f) of the GDPR).
If you signed up for our newsletter, personal data will be stored until you withdraw the marketing consent. Personal data may also be stored as long as is necessary for the purpose for which it was collected, or longer if required under any contract, by applicable law or in order to establish, exercise or defend legal claims. If you have provided a cookie consent, we refer to the pop-up window of cookies in term of the retention periods in relation hereto.
Contact persons of customers and suppliers
The types of personal data we collect may include:
- Name, job title, work email address, correspondences, signature and work phone number
Your personal data is collected in one or more of the following cases:
- When you contact us via email, telephone, or letter
- When we enter into agreements with your organisation
The personal data may be collected and used for the following purposes:
- The administration of our business relations, including being able to communicate with you
- When sending conclusion of agreements
- In connection with invoicing and accounting
- For the establishment, exercise, or defence of legal claims.
Our legal bases for the processing of your personal data for the above purposes are:
- Necessary for the performance of a contract between the organisation that you represent and Sustainalyse (Article 6(1)(b) of the GDPR).
- Legal obligations in relation to the Danish Bookkeeping Act (Article 6(1)(c) of the GDPR).
- Legitimate interest in being able to run our business and to be able to manage Comun-do’s business relationship, including being able to communicate with you (Article 6(1)(f) of the GDPR).
- Legitimate interest in being able to establish, exercise or defend legal claims (Article 6(1)(f) of the GDPR).
We will store your personal data as long as it is necessary in order to fulfil the contract and up to 3 years after providing the services or after the termination of a contract. Bookkeeping material will be stored for 5 years from the closing of the current financial year.
3. Disclosure to data processors and transfer to other data controllers
In order to pursue the above-listed purposes, your personal data may be disclosed to third-party data processors (service providers) providing relevant services under contract to us. Such service providers will only process the personal data in accordance with our instructions and pursuant to a data processing agreement, hereunder in order to provide hosting services, marketing services and analytic services.
Furthermore, we may transfer your personal data to relevant authorities, lawyers, accountants, and courts if we are legally obligated to (Article 6 (1)(c) of the GDPR), in order to pursue our legitimate interest in being able to establish, exercise or defend legal claims (Article 6(1)(f) of the GDPR) or in order to fulfil the contract (Article 6(1)(b) of the GDPR). Your consent may also be provided to share personal data with third parties such as social media providers as part of the cookie pop-up banner. Reference is further made to the pop-up window for cookies.
If your personal data is transferred to data controllers or data processors which are located in countries outside the EU/EEA, not ensuring an adequate level of data protection, such transfer will be safeguarded by the EU Commission’s standard contractual clauses (SCC).
4. Security
We and our service providers have implemented security measures to ensure that the procedures meet the required security standards. Accordingly, we strive to protect the quality and integrity of your personal data. This includes encryption of data, use of pseudonymisation, firewalls, logging, audits and password procedures etc.
5. Rights
You have the right to access and erase the personal data we process about you, but with certain legislative exceptions e.g., if the personal data is comprised by the retention period in the Bookkeeping Act. Furthermore, you have the right to have your personal data rectified, or blocked, but with certain legislative exceptions.
In certain situations, you have the right to have the data you have submitted to us, handed over in a machine-readable format and to have your data transmitted to another data controller.
Moreover, you have the right to object to the collection and further processing of your data, including processing that is based on our legitimate interest.
6. Contact and complaints
If you want to exercise any of your rights, if you have any questions regarding this Privacy Policy or the processing of your personal data, you may contact: info@sustainalyse.com.
You may complain about the processing of your personal data to the State Data Protection Inspectorate
Valstybinė duomenų apsaugos inspekcija
Mr Raimondas Andrijauskas – Director of the State Data Protection Inspectorate
L. Sapiegos str. 17
LT-10312 Vilnius
Tel: + 370 5 279 14 45
ada@ada.lt
7. Changes to this Privacy Policy
We reserve the right to make changes to this Privacy Policy from time to time. The Privacy Policy will be available on our website. In the event of significant changes, we will take the necessary measures to notify you.