We, PRé Sustainability B.V. (hereafter: “PRé”) value your privacy. If you visit our website or if we provide you with our services we may request you to provide information that includes your personal data. We may also receive your personal data from third parties (such as resellers). As PRé is a company that is established in the Netherlands it processes your data in accordance with privacy laws that apply in the Netherlands, including the General Data Protection Regulation (“GDPR”).
The purpose of this Privacy Statement is to be transparent on the processing activities that we undertake with regard to your personal data, collected in the context of our business activities and marketing of our products and services.
2. Processing activities and purposes
The purposes of our processing activities are tied to our activities as a supplier and distributor of LCA software (“SimaPro”) and (integrated) data libraries and as a provider of consultancy services in the field of LCA.
In this section 2 we will set out the purposes of these processing activities (2.1 up to and including 2.5), explaining which personal data we process for which purpose.
2.1 Business operations
We offer our products and services both directly to customers/end users and through a worldwide network of resellers. The products and services include data libraries that we purchase from third party suppliers. We process personal data in the context of our regular business processes, such as registering and sending offers to prospects, processing orders from customers and resellers, sending invoices and payment reminders, processing contact details of prospects, payment of supplier invoices and sales/relationship management.
The processing activities that we undertake for this purpose include transmission and storage of personal data of (contact persons of) customers, prospects, resellers and suppliers and the exchange of such data with resellers. The personal data that we process for this purpose are names, job titles and business contact details (email addresses, phone numbers, fax numbers).
Where both we and a reseller use the same means (CRM system) for the joint purpose of sale of our products and services, we and the relevant reseller qualify as “joint controllers” within the meaning of article 26 of the GDPR. With regard to the processing as joint controllers of business contact details within the CRM system, the information in this Privacy Statement is provided on behalf of the relevant reseller as well. Any questions, complaints and comments regarding this processing can be addressed to us (at the contact details stated in section 9 of this Privacy Statement).
2.2 Providing services
We offer services in the area of LCA, such as consultancy services, software licenses, SaaS and support.
The processing activities that we undertake to provide these services and licenses include communication with customers and user contact persons, including the handling of service calls, the operation of a web-based portal that is accessible to users of SimaPro and to employees/staff members of PRé and the exchange of data with resellers. The personal data that we process in this context are names, job titles, business contact details (email addresses, phone numbers, fax numbers) and login details (usernames and passwords) and requests, questions and comments of customer contact persons and other users and the communication following such requests and questions.
2.3 Marketing and promotion
We promote our products and services by sending mailings, including newsletters and invitations for (online) events to individuals that have subscribed to our mailing list(s) by filling out the form on our website https://pre-sustainability.com/ or to individuals that are registered as contact persons of customers that have obtained such products or services. The emails and invitations can also be sent on a one-on-one, personal and non-structural basis. The processing activities that we undertake for this purpose are: collecting data via a web form, storing these data and sending mailings to the subscribers, prospects or contact persons. The personal data that are collected are names, email addresses, industry and mail options.
2.3.2 Social media platforms
We also market and promote our products and services through company pages (LinkedIn, Twitter) on social media platforms and through a YouTube channel. The pages/channel can be accessed by clicking the button on our website (https://pre-sustainability.com) or directly within the platform. Our posts on social media platforms will be shown on the timeline of individuals that are a user of that social media platform and have “liked” or followed our company page or have subscribed to our YouTube channel. The personal data that we collect for promotion and marketing on social media platforms are names and social media profile information that you as a user of the social media platform have entered in the platform. Occasionally we collect anonymous, statistical data on visitors of the company pages, using the built-in statistics tools of the social media platforms.
In accordance with case law of the EU Court of Justice we and the social media platform are to be regarded as joint controllers where we and the platform pursue purposes that are closely linked or complementary (e.g. by installing links on the website) or where we and the platform participate in the determination of the purposes (and means) of the processing (e.g. by collecting anonymous, statistical data of visitors of company pages). Joint controllers must. according to the GDPR, agree on an arrangement to reflect the respective roles and relationships of the social media platform and us towards the visitor of our company page/company channel. An example of these arrangements is https://legal.linkedin.com/pages-joint-controller-addendum. Via this Privacy Statement, we will keep you updated on other arrangements.
Apart from functional cookies to have our website function properly we use statistics cookies and marketing cookies to market and promote our products and services on our website. Cookies are small text files that are installed on your computer, mobile phone or tablet if you visit our website, through your web browser. More information on the processing of personal data by the installation of statistics and marketing cookies can be found in the “Cookie Statement PRé Sustainability”.
2.4 Contribution to knowledge development in LCA field
In the context of our overall company mission: “guiding positive change with fact-based solutions” we wish to contribute to the development of knowledge in the area of life cycle assessment and related sustainability issues.
For this purpose we offer the possibility to join the “LCA community” at https://support.simapro.com/articles/Article/LCA-Discussion-List/ to any individual that is interested in developments in the area of life cycle assessment and related sustainability issues. Members of this community get access to a platform where contributions of LCA experts and practitioners regarding methodology, the sharing of data, and important events are posted. The processing activities that we undertake for this purpose are: collecting data via a web form, storing these data and comments and questions made within the platform and sending emails to subscribers to the platform. The personal data that are collected are names, email addresses, credentials, subscription options and comments made and questions asked within the platform environment.
2.5 Job applications
If you have applied for a position at our company we store your personal data to be able to communicate with you during the application process. The personal data stored are: names, addresses, contact details, resumes.
3. Legal basis of the processing activities
EU privacy laws permit the processing of personal data only if the party responsible for the processing can rely on a legal basis. As we are responsible for the processing activities listed in section 2, information on the legal basis of such activities is provided in this section.
3.1 Legitimate interest
The legal basis for the processing activities, mentioned in subsections 2.1, 2.2, and 2.4 is: “necessary for the purposes of the legitimate interests pursued by us”. The respective “legitimate interests” are:
- the necessity for us to process personal data to run regular business operations and to provide services under its license and service agreements (2.1, 2.2);
- the contribution by us to our overall mission by publishing content on our platform or in other publications that are relevant to the LCA community.
The legal basis for the processing activities mentioned under 2.3.1 and 2.3.2 is explicit consent given on our websites, or by clicking the “like” or “follow” buttons on our company pages on social media platforms. Consent can be withdrawn at any time by using the opt-out included in each mailing that we send or by de-activating the “like” or “follow” button on social media platforms. The legal basis for processing activities through the use of statistics or marketing cookies is also consent, given by clicking the respective check box for statistics or marketing cookies on https://pre-sustainability.com/ or https://simapro.com/. Consent can be withdrawn by de-installing the cookies through the settings in your web browser.
3.3 Necessary to take steps prior to entering into a contract
The legal basis for the processing activities mentioned under 2.5 is: necessary to take steps prior to entering into a contract with a data subject (the applicant).
4. Recipients of personal data
To achieve the purposes, mentioned under paragraph 2, we may share your personal data with third parties.
We offer our products and services both directly to customers/end users as through a worldwide network of resellers. Resellers may offer our products and/or services and exchange personal data (business contact details) with us for that purpose. Resellers may also provide support services or consultancy services to such joint customers and disclose business contact details to us for further support.
Resellers are independently responsible for their processing of personal data received from us (except where they qualify as “joint controllers” with us as explained under 2.1).
Our products contain content of our suppliers (e.g. data libraries). If our customers request for support with regard to such content we may share business contact details with our suppliers for that purpose.
We engage third party (software) suppliers to perform processing activities on behalf of us and upon instruction by us. Such processing activities involve storage and transmission of personal data. These third-party suppliers qualify as our processors. We has entered into so-called data processing agreements with these processors. On the basis of these agreements and the law processors are bound to various obligations. Such obligations include confidentiality obligations and the obligation to take appropriate technical and organizational security measures to protect the personal data they process on behalf of us against loss, or unauthorized access. Our processors have no access to our personal data, unless and to the extent that access is necessary for the execution of their services.
5. Data transfers
As we are a globally operating company we may transfer the personal data we processes as set out in section 2 to companies or organizations located outside the EEA.
In order to legally transfer personal data to companies or organizations located outside the EEA we use multiple legal bases as provided in Chapter V of the GDPR. Some of the companies or organizations are located in countries that ensure, according to the European Commission an adequate level of protection. Other transfers (for example to resellers) are made on the basis of the standard contractual clauses as issued by the European Commission.
With regard to data transfers to the US, as referred to under 2.3, that were based on the Privacy Shield Framework as a legal basis we are, following the decision of the Court of Justice of the European Union of 16 July 2020 investigating which changes we should make to our processing activities in order to comply with the new requirements arising from the judgment and guidelines of the European Data Protection Board. Through this Privacy Statement we will keep you informed of any such changes.
6. Retention period
The personal data that we process are stored no longer than necessary for the purposes mentioned under 2, unless and to the extent a longer period is prescribed by law.
The aspects that are taken into account when retention periods are set by us are: the duration of the agreement between us and our customers or resellers, statutory retention periods, limitation periods for bringing legal actions and the necessity of storage for later reference (archiving purpose). We uses techniques to anonymize personal data where possible.
If you subscribed to one of our mailing lists you will be offered the opportunity to unsubscribe with each email you receive from us. After you unsubscribed, your data will be deleted from our and our processor’s systems irrevocably.
If you are a contact person of a reseller or customer of our products or services, your data will be retained for a period of five (5) years after the agreement on the basis of which your personal data are processed is terminated. If, within such 5 year period, a legal dispute between us and the respective customer or reseller arises, your data may be retained until such dispute is resolved.
If you are a user of our products or services, your personal data will be retained for a period of 7 years.
If you have applied for a position at our company your data will, if the procedure does not result in an employment agreement, be retained for a maximum of 4 weeks, or, with your (renewed) prior consent, one-year periods.
We take the security of the processing of (personal) data serious. We have therefore implemented an Information Security Management System (ISMS) which is ISO27001 certified. The controls and measures we implemented under the ISMS include role-based access controls, (encrypted) passcodes protection, anonymization and pseudonymization techniques and anti-virus protection. Specific information on security measures can be obtained by sending an email to privacy[at]pre-sustainability.com.
8. Your rights
The GDPR grants each individual whose personal data are processed (“data subject”) certain rights with regard to the processing of their personal data. These rights are: the right to access to and rectification or erasure of the data and restriction of or objection against the processing as well as the right to data portability.
In this section 8, we briefly explain these rights to you.
8.1 Right to information and access
The right to information and access means that we must let you know, on you request, which of your personal data PRé processes and provide access to that data.
8.2 Right to rectification
The right to rectification means that when the data that we process are incorrect, we have to rectify them on your request.
8.3 Right to erasure
The right to erasure means that you can request us to erase your personal data, for example when (i) you object to the processing (please see below on the right to object) and (ii) we do not have an overriding legitimate ground to continue the processing.
8.4 Right to restriction
The right to restriction means that you can request us to suspend the processing of your data when you:
- hold the opinion that the data that we process of you are incorrect or that the processing of the data is unlawful or unnecessary but the data cannot be erased in relation to your legal position; or
- have objected against the processing (see hereafter)
Suspension means that we can only – besides few exceptions – store the data (without your consent) until it is clear whether your opinion is correct. The same applies to processors, who must be informed by us on the suspension.
8.5 Right to objection
The right to objection means that you can, at any time, object to the processing activities based on “legitimate interest” (see under 3.1). We will then discontinue the processing unless we have an overriding legitimate ground to deny your request. In the event of processing activities for marketing or promotional purposes you can object at any time by unsubscribing from a mailing list or change the settings in the social media platform you use.
8.6 Right to data portability
The right to data portability means that you can request us, at the termination of your relationship with us, to provide you with the data that you provided to us on the basis of an agreement between us and yourself in a structured, commonly used and machine-readable format.
If you want to make one of the foregoing requests you can send it to us by email to: privacy[at]pre-sustainability.com. We will respond to your request within a month. We will let you know what the possible consequences are of honoring your request (such as not being able to provide a service). If we hold the opinion that we have valid reasons to refuse your request we will inform you of those reasons in its response.
9. Questions, requests and complaints
Finally, we point out that if you hold the opinion that PRé, by processing your personal data, acts in breach of the law, or if you have other questions regarding the processing and security of your data, please inform PRé at privacy[at]pre-sustainability.com. We will address your question or complaint within 14 weeks. If we are not able to solve the matter with you, you can file a complaint with the Dutch Data Protection Authority (we refer to its website for more information: https://autoriteitpersoonsgegevens.nl).
This statement was updated on: 8 February, 2021.