Introduction
This policy sets out how the Marine Stewardship Council (MSC) collects, processes and stores your personal data when it is provided to the MSC and made available via the MSC’s Data Validation platform (API). API (application programming interface) is a concept in software technology that enables multiple applications to validate data easily and securely.
The MSC is headquartered at Marine House, 1-3 Snow Hill, London, EC1A 2DH. The MSC is a data controller of your personal data.
This policy affects your legal rights and obligations so please read it carefully. If you have any questions, please contact us via info@msc.org or call us on +4402072468900.
If you are based in the European Union, you may also contact us via the MSC’s designated establishment in the Union. Email: dataEU@msc.org. Post: Schwedter Str. 9A, 10119 Berlin, Germany.
1. Personal data we collect
Personal information, such as email address, first name and last name, is submitted to the MSC via the web-based API portal application. This information is stored and processed by the MSC.
2. Why do we collect this information?
The MSC collects this information for the purpose of enabling businesses to:
1) easily verify if Chain of Custody claiming to be MSC certified are valid; or
2) easily verify that products listed as being from MSC certified sustainable fisheries are valid.
The MSC will not use this information for MSC marketing purposes.
3. Lawful processing of your personal data
The MSC will use your data to satisfy legitimate interests of the MSC in the effective and lawful operation of the partner API to simplify the process for verification of MSC-certified fisheries and product. We may also use your personal data for our legitimate interests, including enforcing the terms of any other agreement between us and for regulatory, legal and auditing purposes.
4. Who do we share your data with?
The MSC will never sell your personal information to any third party.
Personal data provided to MSC as part of or in connection with the API will be available on our solution. Our suppliers, such as our IT services contractors, may have access to personal data stored on our systems, to the extent necessary to fulfil their services to us.
Under certain circumstances we may have to disclose your personal data under applicable laws and/or regulations, for example, to protect a third party's rights,
5. Where we hold and process your personal data
In general, all personal data held by the MSC is stored on servers or cloud solutions in the UK or European Union (the EU). Some or all of your personal data may be stored outside of the UK or the EU, including for example, if our email server is located in a country outside the UK or the EU or if any of our service providers or their servers are based outside of the UK or the EU. Other than in exceptional circumstances, we shall only transfer your personal data to countries or organisations that provide adequate safeguards in respect of your personal data. Where the laws applicable to a recipient are not recognised as providing adequate protection for personal data, the adequate safeguards we will employ, if any, will be those approved under UK law, including data transfer contracts based on the so-called "Standard Contractual Clauses", or so-called "Processor Binding Corporate Rules". You can obtain additional information by contacting us using the contact details provided above.
6. Security
We shall process your personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. All information you provide to us is stored on our secure servers or cloud solutions.
7. Your rights
Subject to applicable law and its exemptions, you generally have the right:
to ask us for a copy of personal data about you;
to correct or delete that personal data;
to restrict the processing of that personal data;
in the case of personal data you provided, or which is used to perform a contract with you, to obtain a "portable" copy of that personal data and to ask us to share that data with another organisation.
In addition, you can object to the processing of your personal data in some circumstances (in particular, where we don’t have to process the information to meet a contractual or other legal requirement, or where we are using the information for direct marketing).
These rights may however be limited, for example if fulfilling your request would reveal personal data about another person, would infringe the rights of another person or legal entity (including our rights), or if you ask us to delete or change data which we are required by law to keep (or have other compelling legitimate interests in keeping). We will inform you of relevant exemptions we need to rely on, when responding.
To exercise these rights, or any other rights you may have under applicable laws, please contact us at info@msc.org.
Please note, we reserve the right to reject a request or charge an administrative fee if your request is manifestly unfounded or excessive.
If you have any complaints in relation to this policy or otherwise in relation to our processing of your personal data, you can contact a supervisory authority. In the UK, this is the Information Commissioner, see www.ico.org.uk.
Our website may contain links to other sites of interest. Once you have used these links to leave our website, you should note that we do not have any control over that other site. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this policy. You should exercise caution and look at the privacy policy applicable to the site in question.
8. Retention
We shall keep personal data for no longer than is necessary for the purpose.
Personal data on MSC certificate holders will not be publicly available via the partner API for more than 2 years after the certificate becomes inactive or an unsuccessful application process is concluded.
9. General
We may change the terms of this policy from time to time. If we make material (potentially adverse) changes to how we treat personal data, we will, to the extent necessary, endeavour to notify you either via email (if we have appropriate contact details) or by putting a specific notice on our website. Less significant changes may not be actively publicised in that way. You are responsible for regularly reviewing this policy so that you are aware of any changes to it.