MPS Group privacy statement
1. Controller and contact details
The MPS Group consists of the MPS foundation (the programme owner) and ECAS B.V. (the certification body). In this privacy statement, ‘MPS’ refers to the MPS Group as a whole.
At MPS, it is our ambition to have the entire horticulture chain operate with respect for mankind, nature and the environment. By means of demonstrably transparent certification, our organisation helps to make the entire chain more sustainable and makes sustainability in the horticultural sector measurable. MPS develops and manages certificates for sustainability and the environment.
When carrying out its work, MPS processes personal data. The MPS Group is committed to protecting your privacy and your personal data. The MPS Group is responsible for the personal data that we process ourselves and allow to be processed by others. This privacy statement sets out how we handle personal data and the rights that you, as a data subject, have. All personal data is collected, processed and secured in accordance with the General Data Protection Regulation (hereinafter referred to as the ‘GDPR’).
When the MPS Group no longer needs personal data for the purposes for which it was collected, the MPS Group will delete or anonymise it. However, we are sometimes obliged to retain personal data for a longer period of time in the context of legal proceedings or to comply with statutory obligations.
Should you have any questions or comments about the MPS Group’s processing of your personal data, please contact our privacy officer via:
The MPS Group
2678 MB De Lier
This is Version 1 of the privacy statement.
2. Processing of personal data
Below we explain, for each individual area, why we process personal data, what personal data this entails and on what legal basis it is processed. We do not retain personal data for longer than is necessary for the purpose for which it has been collected, and in this connection we apply a retention period policy.
2.1 Audits and certification processes
When performing audits and certification processes (implementing agreements with our customer), we process personal data if and insofar as it is necessary to comply with the programme involved in the assessment. In most cases, the programme requires data to be accessed (this does not involve processing and therefore the GDPR does not apply), but in some cases we are required to record data in our report, for instance, so that the Dutch Accreditation Council can verify our work. This data is not kept for longer than is necessary for this purpose. We also make partial use of #automated decision-making for the weighting of the required factors, in accordance with the programme.
2.2 Website use and cookies
We have two websites: https://www.my-mps.com/ for the MPS foundation and http://ecas.nl/ for ECAS B.V. When you visit our websites or use our apps, small text files are stored on your computer, smartphone or other device. These files are called ‘cookies’. Cookies help us to operate, analyse and personalise the websites. Our websites use the following kinds of cookies:
- Analytical: We use these cookies so that we can see how you use our websites. This helps us to improve the websites.
- Tracking: We place tracking cookies to personalise the advertising we show you, so that you see offers that are more relevant to you.
- Social media: You can share the content you view on our websites through cookies on social media. Social media cookies are used for this purpose, so that they recognise you when you want to share something.
2.3 Social media
We are active on various social media channels, including: Twitter, Facebook and LinkedIn.
If you follow the MPS Group on social media, or communicate with or about the MPS Group on social media (via direct messages, by participating in a survey or by posting comments), we may have access to some of your profile data. If you share information about the MPS Group on social media, your data may become visible through that social media channel. The MPS Group also follows social media channels and can gain access to information on social media about you in this way. For instance, we may ask you to send newsworthy images. We may process the following personal data for this purpose:
- Social media profile
- Private messages sent to us
- Comments on our articles
We use your personal data for webcare purposes, to answer any questions you ask us via social media or to respond to complaints. We may also respond if you mention us in a message. We then process the data in the context of our legitimate interest in responding to a message in which you have mentioned us.
We process personal data when # sending newsletters # based on your consent.
3. Sharing personal data
Only authorised members of staff have access to personal data. To the extent that personal data is exchanged between the MPS foundation and ECAS B.V., this is done based on their legitimate business interests in conducting their business operations efficiently.
We may share personal data with third parties if it is necessary for the performance of audits and certifications, and to the extent that it has been laid down by statute contractually. To this end we share data with the Dutch Accreditation Council, via a portal secure e-mail solution.
We reach sound agreements about the careful processing of personal data with all parties with whom we collaborate and exchange personal data. Your personal data will only be stored or processed in non-EEA countries by us or by third parties we have engaged if this is in accordance with the applicable regulations for the transfer of personal data to countries outside the European Union. This means that we will only transfer your personal data to countries outside the European Union if the European Commission has decided that the third country in question guarantees an adequate level of protection, or if other suitable guarantees are offered, such as an adequacy decision (for instance the EU-US Privacy Shield) or because unamended standard data protection provisions approved by the European Commission are used. Information about these provisions is available at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en.
The MPS Group takes personal data protection seriously and takes appropriate measures to prevent misuse, loss, unauthorised access, unwanted disclosure and unauthorised changes. For example, our security system uses usernames and passwords; two-factor authentication; we have entered into data processing agreement with our processors; our employees are bound by confidentiality; our server rooms are secured; and we regularly make backups.
5. Your rights
You have various rights under the General Data Protection Regulation:
- Revoking consent: after you have given us your consent, you can inform us that you are revoking it. We will consequently stop processing your personal data in the future, unless there is another reason that requires us to do so.
- Access: You are entitled to ask us whether or not we process your personal data. If we do, we will tell you which personal data is being processed; for what purpose; with which third parties it has been shared; the retention periods that apply; the source from which personal data has been collected without consulting you, if applicable; and information about automated decision-making, if applicable.
- Rectification: You can ask us to rectify or supplement your personal data if the personal data is incorrect or incomplete.
- Erasure: You may ask us to delete your personal data if the personal data is not relevant for the purpose for which it was collected; if you have withdrawn your consent; if you object to the processing of personal data based on a legitimate interest; or if the processing of the personal data is unlawful.
- Restriction of processing: You can ask us to restrict the processing of your personal data if the accuracy of the personal data is disputed; the processing of personal data is unlawful but you do not want it to be deleted; or if you are waiting for a response to a request to exercise your right to object. In that case, we will store the data, but we will not process it any further.
- Lodging an objection: You can object to the processing of your personal data if we use your data for direct marketing purposes, or in other cases if it relates to your specific situation and the processing is based on the MPS Group’s legitimate interest.
- Data portability: You can ask us to provide you with your personal data in a structured, commonly used and machine-readable format, or to transfer it to another organisation if the data processing takes place automatically and is based on consent or an agreement.
You can exercise these rights by contacting us via email@example.com or firstname.lastname@example.org. We will respond within four weeks of receiving the request. You can also lodge a complaint with the Dutch Data Protection Authority if you believe that the MPS Group is violating your privacy rights.