Effective Date: May 20, 2019

GDPR Privacy Notice

This GDPR privacy notice (this “GDPR Notice”) is included in our Privacy Policy and applies to the ‘personal data,’ as defined in the GDPR, of natural persons located in the European Economic Area (“EEA Individuals,” “you,” or “your”) processed by BSI. Any capitalized terms or other terms not defined herein shall have the meaning ascribed to them elsewhere in the Privacy Policy or, if not defined herein or elsewhere in the Privacy Policy, the GDPR. To the extent of any conflict between this GDPR Notice and any other provision of the Privacy Policy, this GDPR Notice shall control only with respect to EEA Individuals and their personal data. If you are located elsewhere, please see our Privacy Policy here.

Controller Disclosure & Details: We are a data controller of personal data regarding the following categories of EEA Individuals: Website visitors (“Site Visitors”) and employees of prospective or current BSI Members (prospective or current “Employees”) (collectively, “Business Contacts”) for the purposes and under the legal bases described in the table below. In many cases, the Site Visitors and Employee categories may overlap (e.g., Employees that visit the Website would also be Site Visitors).

Data Subject Category: Business Contacts

Purpose & Legal Basis of Processing:

Information Security: Our web servers will log Site Visitors’ IP address and other information (e.g., browser information, operating system, request date/time, user agent string, referral and exiting URL) in order to maintain an audit log of activities performed. We use this information pursuant to our legitimate interests in tracking Website usage, combating DDOS or other attacks, and removing or defending against malicious Website visitors.

Email Communications: We will answer inquiries, such as those sent through our Contact Us page, pursuant to our legitimate interest in answering such inquiries, ensuring prospective or current Employee or Site Visitor satisfaction, and furthering business relationships.

We will send e-mail marketing communications to prospective Employees or Site Visitors that are not current Employees, based on their affirmative consent.

Upon an organization becoming a BSI Member, relevant current Employees (e.g., BSI Compliance Officer, working group participants) will receive administrative, transactional, or other communications (e.g., membership confirmation, alerts, industry updates, invites) pursuant to our, our BSI Members’, and our current Employees’ legitimate interest in providing/receiving such communications given their role within such organization and their interest and participation in our member services.

BSI Member Portal: We provide the BSI Member Portal pursuant to our, our BSI Members’, and our current Employees’ legitimate interest in providing content to current Employees to facilitate participation in member services (e.g., signing up for working groups and viewing working group rosters, signing up for trainings, viewing completed training, and signing attestations for certification purposes).

Executing Contracts and other Legal Documentation: We will process all personal data as necessary for the performance of contracts to which Business Contacts may be a party (such as our Privacy Policy and Terms of Use) or to take requested steps to enter into such contracts.

General Business Development: We have a legitimate interest in processing the personal data of Business Contacts to further business relationships and ensure Employee and Site Visitor satisfaction (e.g., by storing Business Contact information within a CRM or other file, answering inquiries per Email Communications above).

Audience Measurement and Remarketing: We utilize Hubspot to understand how Site Visitors interact with our Website, including our BSI Member Portal, and email communications through the use of cookies (e.g., connecting website and email journeys to target future communications to your preferences), pursuant to such Site Visitors’ consent.


Recipients: BSI personnel process the information of the categories of EEA Individuals listed above for the purposes listed in the table above. Such EEA Individuals’ information is also disclosed to the following recipients to effectuate such purposes:

  • Hubspot (CRM and marketing software)
  • Heroku (Registry widget and API)
  • LogEntries (manages server management and analysis for security purposes)
  • Sentry (monitors outages and errors for security purposes)
  • Xero (accounting software)
  • Bookkeeper (accounting software)
  • Continuous (Project management software)
  • IAB Tech Lab (SFTP server management)
  • Igloo (Hosts BSI Member Portal, API to Hubspot)
  • TruSTAR (Threat Intelligence Platform)
  • Jotform (maintains records of registration application data)
  • DocuSign (e-signature platform)
  • Adobe (Adobe Sign e-signature platform)
  • Microsoft Azure Active Directory (Single Sign-On capabilities)
  • WebEx (conferencing platform)
  • Google Drive (document storage platform)
  • Dropbox (document storage platform)
  • Outlook via Office 365 (email client)

Retention: Please see below for our general retention periods. Please note that the below retention periods may be extended or shortened, as appropriate, based on the context of our relationship with an EEA Individual (e.g., negotiations for a sale, interest in member services), and for compliance with legal obligations (e.g., accounting, finances, tax).

We will retain the personal data of prospective Employees for approximately eighteen (18) months after collection, as, historically, we have seen that prospective Employees may convert into current Employees within such time period. This retention period may be extended for prospective Employees that are in communication with BSI regarding its member services near the end of such retention period.

Current Employees’ personal data will be retained until the relationship terminates, at which point their personal data will be retained for seven (7) years for finance and tax purposes and in case of repeat business.

Personal data within contractual and other legal documentation will be retained permanently.

Your GDPR Rights: As a natural person, you have a right to: (i) request access to, correction and/or erasure of your personal data; (ii) object to processing of your personal data; (iii) restrict processing of your personal data; and (iv) request a copy of your personal data, or have a copy thereof sent to another controller, in a structured, commonly used and machine-readable format under the right of data portability. You may exercise these rights and submit a GDPR complaint by contacting feedback@brandsafetyinstitute.com with the subject line “GDPR Notice.”

You also have the right to lodge a complaint about the processing of your personal data with an appropriate data protection authority, and, as applicable, to exercise third-party beneficiary rights under BSI’s Standard Contractual Clauses.

Contact details for the EU data protection authorities can be found at: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.

Objecting to Legitimate Interest/Direct Marketing: You may object to personal data processed pursuant to our legitimate interest. In such case, we will no longer process your personal data unless we can demonstrate appropriate, overriding legitimate grounds for the processing or if needed for the establishment, exercise, or defense of legal claims. You may also object at any time to processing of your personal data for direct marketing purposes by clicking “Unsubscribe” within an automated marketing email or by otherwise submitting your request to feedback@brandsafetyinstitute.com with the subject line “GDPR Notice” (the latter for instances where, for example, you would not like to receive follow-ups from our sales team). In such case, your personal data will no longer be used for that purpose.

Transfer of Personal Data outside the EEA: We are self-certified under the EU-US and Swiss-US Privacy Shield for appropriate transfer of your personal data, such as to our US data centers, pursuant to Article 45(1); in these instances, you may have specific rights under the Privacy Shield (see E.U.-U.S. and Swiss-U.S. Privacy Shield Notice below). In other instances, however, we may alternatively rely on appropriate Standard Contractual Clauses to ensure adequate protection for your personal data.

Governmental Access Requests: BSI may be required to disclose personal data in response to lawful requests by public authorities, including for the purpose of meeting national security or law enforcement requirements. We may also disclose personal data to other third parties when compelled to do so by government authorities or required by law or regulation including, but not limited to, in response to court orders and subpoenas.

Corporate Restructuring: In the event of a merger, reorganization, dissolution or similar corporate event, or the sale of all or substantially all of our assets, we expect that the information that we have collected, including personal data, would be transferred to the surviving entity in a merger or the acquiring entity. All such transfers shall be subject to our commitments with respect to the privacy and confidentiality of such personal data as set forth in this GDPR Notice. This GDPR Notice shall be binding upon BSI and its legal successors in interest.

Updates to this GDPR Notice: If, in the future, we intend to process your personal data for a purpose other than that which it was collected, we will provide you with information on that purpose and any other relevant information at a reasonable time prior to such processing. After such time, the relevant information relating to such processing activity will be revised or added appropriately within this GDPR Notice, and the “Effective Date” at the top of this page will be updated accordingly.

How to Contact Us: Reach out to feedback@brandsafetyinstitute.com for any questions, complaints, or requests regarding this GDPR Notice; please include the subject line “GDPR Notice.”

E.U.-U.S. and Swiss-U.S. Privacy Shield Notice

Privacy Shield: If your personal information is transferred from the EEA or Switzerland to the US pursuant to the Privacy Shield, then the rights, remedies and protections set forth in this section apply to you. BSI complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union (including Iceland, Liechtenstein and Norway) and Switzerland to the United States, respectively. BSI has certified that it adheres to the Privacy Shield principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access and Recourse, Enforcement and Liability (the “Privacy Shield Principles”). If there is a conflict between this Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov.

BSI is subject to the investigatory and enforcement powers of the Federal Trade Commission. In compliance with the EU-U.S. Privacy Shield Principles and the Swiss-U.S. Privacy Shield Principles, BSI commits to resolve complaints about your privacy and our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding this Privacy Policy should first contact BSI at feedback@brandsafetyinstitute.com.

BSI has further committed to refer unresolved privacy complaints under the EU-U.S. Privacy Shield Principles and Swiss-U.S. Privacy Shield Principles to BBB PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed by BSI, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. If these processes do not result in a resolution, you may also contact your local data protection authority, the US Department of Commerce, and/or the Federal Trade Commission for assistance. If your complaint still remains unresolved, then you have the right to invoke binding arbitration by the Privacy Shield Panel upon written notice to BSI at feedback@brandsafetyinstitute.com.

Onward Transfer to Third Parties under the Privacy Shield: Like many businesses, we hire other companies to perform certain business-related services. We may disclose personal information to certain types of third-party companies, but only to the extent needed to enable them to provide such services. The types of companies that may receive personal information and their functions are: customer relationship management programs, technical consultants and service providers, financial service providers and consultants, information service providers, hosting services, data storage companies and database management/back-up services. All such third parties function as our agents, performing services at our instruction and on our behalf pursuant to contracts which require they provide at least the same level of privacy protection as is required by this Privacy Policy and implemented by BSI. We may also disclose your information, including any personal information, to our affiliates and subsidiaries in order to support delivery of our products and services.

With regard to the Principle of Accountability for Onward Transfer, for example, we remain liable if our agent processes such personal information in a manner inconsistent with the Privacy Shield Principles, unless we prove that we are not responsible for the event giving rise to the damage.

Opt-In for Certain Onward Transfers under the Privacy Shield: In the event BSI discloses personal information covered by this Privacy Policy to a third-party controller, BSI will do so consistent with any notice provided to you and any choice you have exercised regarding processing and disclosure. We enter into written contracts with any unaffiliated third-party data controllers requiring them to provide the same level of protection for personal information as the Privacy Shield requires.

To the extent applicable, we will not disclose your sensitive personal information to any third party without first obtaining your opt-in consent. You may grant such consent by contacting us at feedback@brandsafetyinstitute.com.

In each instance, please allow us a reasonable time to process your response.

Your Privacy Shield Rights: Upon request to feedback@brandsafetyinstitute.com with the subject line “Privacy Shield,” we will provide you with confirmation as to whether we are processing your personal data pursuant to the Privacy Shield, and have such data communicated to you within a reasonable time. You have the right to access, correct, amend, or delete the personal data processed pursuant to the Privacy Shield where it is inaccurate or has been processed in violation of our privacy disclosures to you. We may require payment of a non-excessive fee to defray our expenses in this regard. Please allow us a reasonable time to respond to your inquiries and requests.

Retention of Personal Information under the Privacy Shield: We will retain the personal information processed pursuant to the Privacy Shield in a form that identifies you pursuant to our data retention periods in Retention above, or as subsequently authorized. We may continue processing such personal information for longer periods, but only for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research and statistical analysis, and subject to the protection of our privacy disclosures. After such time periods have expired, we may either delete your personal information or retain it in a form such that it does not identify you personally.

How We Protect Your Personal Information under the Privacy Shield: BSI takes very seriously the security and privacy of the personal information that it collects pursuant to the Privacy Shield. Accordingly, we will implement reasonable and appropriate security measures to protect your personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the risks involved in processing and the nature of such data, and comply with applicable laws and regulations.