The Roundtable on Sustainable Palm Oil, an international association registered in Switzerland with a secretariat in Malaysia which oversees offices in other parts of the world, wishes to express its commitment to ensuring that the privacy of the information and personal data which you provide to us are preserved and updated in line with international standards for data protection. This Privacy Policy (“Policy”) is designed to help you understand what personal data the Roundtable on Sustainable Palm Oil and its affiliates and secretariat (“RSPO”, “we”, “us”, “our”) process, why we process it, how we process it, and how you can manage your information with us.
When we use the term “personal data” in this Policy, we mean information that relates directly or indirectly to a natural person who is identified or identifiable from that information or from that and other information.
1. SCOPE OF THIS POLICY
A. APPLICABILITY OF THIS POLICY
This Policy applies to:
- visitors of our websites at https://rspo.org/, https://www.prismabyrspo.org/, and our online member portal at https://rspo.my.site.com/memberships/s/login/ (“Websites”);
- users of our tools and services such as GeoRSPO, Remediation and Compensation Procedure, RSPO Complaints Portal, RSPO Hotspot Hub, GHG Calculator, Sustainability College and prisma by RSPO (“Services”); and
- RSPO members and potential members (including their representatives), including but not limited to suppliers, sponsors, vendors, event organisers/ managers, consultants, contractors, donors and/or donees.
If you are a user of our prisma by RSPO platform, please also refer to the PRISMA-SPECIFIC ADDENDUM in this document, which applies to personal data collected and processed by us pursuant to your use of our prisma by RSPO platform and which is to be read together with this Policy.
This Policy is to be read together with the latest RSPO Statutes, RSPO Membership Rules, RSPO Code of Conduct for Members, and/or any individual contracts or terms and conditions you have entered into with us or accepted, as the case may be. By using our Websites, Services and/or providing us with your personal data, you are deemed to have read and understood the terms of this Policy. Where allowed under applicable law, and insofar as we rely on your consent as a legal basis, you are also deemed to consent to the processing of your personal data pursuant to the terms of this Policy.
This Policy also describes your data protection rights, including the right to object to some of the processing which RSPO carries out. More information about your rights, and how to exercise them, is set out in section (6) (RIGHTS IN RELATION TO YOUR PERSONAL DATA) of this Policy.
Our Websites and Services may use cookies and similar tracking technologies (“Cookies”), and our processing of personal data using Cookies, including information on the personal data collected and the purposes of processing, are set out in our Cookie Policy accessible here.
B. DATA CONTROLLER AND CONTACT DETAILS
Entity acting as data controller: For the purposes of applicable data protection laws, including the General Data Protection Regulation (“GDPR”) and the Malaysian Personal Data Protection Act 2010, the “data controller” (or similar term under applicable laws) responsible for and controlling the processing of your personal data is:
Roundtable on Sustainable Palm Oil
Unit 13A-1, Level 13A, Menara Etiqa
No. 3, Jalan Bangsar Utama 1
59000 Kuala Lumpur
Malaysia
Email: [email protected]
Contact number: +603 7661 6200
For the purposes of compliance with the GDPR, the data controller’s establishment in the EU is:
Roundtable on Sustainable Palm Oil
Louis Braillelaan 80,
2719 Ek Zoetermeer
Netherlands
Email: [email protected]
Contact number: +603 7661 6200
Contact details of our data compliance officer are as follows:
Roundtable on Sustainable Palm Oil
Designation: Data Compliance Officer
Email: [email protected]
Contact number: +603 7661 6200
C. SUPPLEMENTARY POLICIES
This Policy is designed to apply on a global basis. If you are located in or are a resident of any of the countries listed below, please also review the Annexure relevant to your region for further information about how we collect, use and process your personal data:
- China: If you are living or located in the People’s Republic of China, please see ANNEXURE I below.
- United Kingdom: If you are living or located in the United Kingdom, please see ANNEXURE II and III below.
- EEA: If you are living or located in the EEA, please see ANNEXURE III below (further details about the personal data being processed and the purposes and legal bases of processing).
In the event of a conflict between this Policy and the applicable regional annexure, the latter shall prevail to the extent that it is applicable to you.
2. PERSONAL DATA WE PROCESS ABOUT YOU AND HOW WE COLLECT IT
When you use our Websites or Services or interact with us in any other way, we collect and process personal data about you. We may collect personal data automatically when you interact with our Websites or Services, and we may also collect personal data directly from you in our interactions with you. At times, we may also collect personal data about you from the classes of third parties listed below.
Some personal data, such as your name, email address and phone number may be necessary for certain purposes, such as for the performance of our contractual obligations with you, to provide you with access to our Websites or Services or for other administrative purposes (e.g., to facilitate your membership with us). Without providing this information, you might not be able to access our Websites or Services, request or use our Services, register for membership or enter into contracts with us.
A. PERSONAL DATA YOU PROVIDE
In general, we may collect and process information such as your name, contact details (email address, phone number), address, business name, communication preferences, unique identification numbers we have assigned to you (such as your membership ID), and certain payment-related/ financial data which you have voluntarily provided to us from a number of sources. Such sources include, among others, Annual Communication of Progress reports, application forms for RSPO membership/ membership of our Websites or Services, where you have made inquiries or complaints with us, registrations for events, meetings, seminars etc. organised by us and any transaction or communication between us and you.
We may also collect and process the following information which you voluntarily provide to us:
- Account data: If you make an account on any of our Websites or Services, we will collect and process your name, email address and phone number via the relevant application forms.
- Member data: If you or the organisation you represent are one of our members or are applying for membership, we will collect and process personal data from you in order to facilitate your membership with us via the relevant application forms. We may also collect and process personal data which you voluntarily submit to us pursuant to any of your or your organisation’s obligations as a member, such as via Annual Communication of Progress reports, your participation in our Remediation and Compensation Procedure (including for land use change analyses) and any additional information which you may disclose pursuant to any resolutions passed during an RSPO General Assembly. Such information includes your personal details such as your name, designation, identity card/ passport number, age, gender, nationality, birthdate, residential address, social media website address, membership identification number, contact number and email address, and also includes additional business information such as your business/ company/ organisation’s name, business/ registered address, the nature of your business, tax number, trust documents, and information on other entities in your organisation’s group of companies.
- Payment and transaction information: We also collect and process any information you provide in connection with any payments made via our Websites or Services such as your or your organisation’s bank account details, billing records, invoicing and billing information and transaction-related information (such as payment date, amount, billing address).
- Contractual information: If you provide us with any products or services such that there is a contractual agreement between us, we will collect and process your name, your business/ company/ organisation’s name, address, contact details (email address, phone number), (business) phone number, additional business information, payment information and financial information.
- Contact information: When you contact us through any method of communication, including via email or any live chat function provided on any of our Websites, Services or social media, we will collect and process information from you such as your name, contact details (email address, phone number), the subject of your inquiry, company name, address, what prompted the inquiry, and contents of your inquiry. Depending on your method of contacting us, we may also collect and process certain additional technical information, such as the time the communication was sent and your IP address.
- Preferences: We may collect and process information from you regarding your preferences, such as your language of choice, communication preferences (including your choice regarding the receipt of news or any future communications from us) as well as your interest in specific content or products. This includes your name, email, contact number, and your business/ company/ organisation’s name.
- Feedback and opinions: Our Websites and Services offer users the opportunity to provide us with their feedback and opinions and if you have done so, we will collect and process this information to improve our Websites or Services.
B. PERSONAL DATA AUTOMATICALLY COLLECTED AND PROCESSED
We and our third party service providers may collect and process certain personal data automatically when you visit, interact with, or use our Websites or other Services:
- If you use our Websites or Services, we may collect and process log data. Such data includes your internet protocol (IP) address, operating system, browser details such as type, ID, and configuration, unique identifiers, device type and version, the referring URL, date/time of your visit, the time you spent on our Websites or Services and any errors that may occur during your use of our Websites or Services.
- Analytic data: We collect and process certain analytical data, such as which webpages on our Websites or Services you visited, type of usage, and certain actions that help us understand the way you use our Websites and Services.
- Security information (such as captcha): We automatically collect and process certain information that we need to secure our Websites and Services, such as your IP address, operating system, browser details such as type, ID, and configuration, unique identifiers, device type and version, the referring URL, date/time of your visit, the time you spent on our Websites or Services, certain movements or patterns, if you can solve simple security questions (such as mathematical questions) or detecting certain things in pictures and any errors that may occur during your visit to our Websites or Services.
To the extent that we collect and process these personal data using Cookies (or similar technologies), please see our Cookie Policy accessible here.
C. PERSONAL DATA FROM OTHER SOURCES AND THIRD PARTIES
We may also obtain personal data from third parties, which we may combine with personal data we collect and process either automatically or directly from an individual. We may receive personal data from the following third parties:
- Event organisers: When you participate in any RSPO events, meetings, seminars etc. our event organisers, promoters and event managers may collect and process certain personal data from you and disclose the same to us, such as your name, email address, phone number, and information about your business/ company/ organisation, such as its name and address.
- Social media: When you interact with us through social media networks, such as when you “Like” us on Facebook or follow us or share our content on Facebook, X.com, Instagram or any other social network, we may receive some personal data about you that you permit the social network to share with third parties, such as your name, email address, phone number, and information about your business/ company/ organisation.
- Your employer/ organisation: We may receive personal data about you from your employer/ organisation, such as where you are the person in charge of your company. Such personal data includes, among others, your contact information (your name, phone number and email address), designation, nationality, residential address, and membership/ user ID numbers.
- Certification/accreditation bodies, investigators, and auditors/assessors: When you: (a) use our Websites and Services; (b) are an RSPO member or potential member; or (c) lodge a complaint against an RSPO member, we may collect a broad range of information from these third parties for certification/audit purposes and for the purpose of investigating complaints against RSPO members. This includes some personal data such as name, contact details (email address, phone number), and certification/ licence identification number.
3. PURPOSES FOR PROCESSING YOUR PERSONAL DATA
We process your personal data for the following purposes:
- For administrative purposes, including but not limited to billing and payment processing (including of membership fees), registration of new members, renewal of current memberships and to manage membership records.
- For trade management purposes, such as to process payments, cancellations and refunds, manage members’ orders and transactions, manage members’ contracts and projects.
- To respond to your inquiries or requests, handle complaints, and to provide you with support, where required.
- For the organisation of RSPO events and meetings, including to facilitate your participation in RSPO events, such as future or promotional events.
- To provide you with access to member-only resources and benefits.
- To communicate with you, including via email, text message, social media and/or telephone and video calls. This includes sending you emails on updates, RSPO activities, and on future RSPO events, as well as communications with you about your membership, membership-related inquiries or other requests.
- To administer, improve and personalise our Websites and Services, including by recognising an individual and remembering their information when they return to our Websites or Services.
- To conduct research, surveys and statistical analyses, and to collect feedback from you. For example, we may use your personal data to conduct member satisfaction surveys.
- For direct marketing purposes.
- To test, enhance, update and monitor our Websites and Services, or diagnose or fix technical issues.
- To enforce our contractual rights and for the performance of contracts to which you are a party, including without limitation, and to the extent applicable, the [prisma by RSPO Terms and Conditions], any addenda thereto and any other applicable terms.
- For compliance with any legal obligation to which RSPO is subject. For example, we may have to retain your personal data for specific periods under tax or commercial laws, and may be required to disclose your personal data to law enforcement authorities on request.
- To prevent, investigate or report any cases of unlawful or criminal activity (e.g., fraud).
- To establish, exercise or defend our rights, including for the conduct of any legal proceedings or in preparation of anticipated legal proceedings.
For the avoidance of doubt, we do not process your personal data for the purposes of any automated individual decision-making, including profiling, within the meaning of the GDPR.
4. LEGAL BASES FOR PROCESSING OF YOUR PERSONAL DATA
We rely on the following legal bases to process your personal data:
- Consent: Where allowed under applicable law, you are deemed to have read this Policy and consent to the processing of your personal data in accordance with this Policy by using our Websites, Services and/or voluntarily providing your personal data to us (e.g., via application forms). In certain situations, and whenever applicable laws require it, we seek your specific consent to allow us to process your personal data.
- Legitimate interests: In some cases, the processing of your personal data will be necessary for our legitimate interests. This includes our legitimate interest to:
  - administer, improve, monitor, update and personalise our Websites and Services (e.g., recognising individuals and remembering their preferences and information when browsing our Websites);
  - enforce any contracts we may have with you or the company you represent, including the [prisma by RSPO Terms and Conditions], resolve disputes, handle complaints, carry out any legal or contractual obligations we may have, and generally protect our commercial interests;
  - organise events and meetings, and to allow you to participate in the same;
  - establish, exercise or defend our rights;
  - communicate with you, including to obtain feedback, conduct market research and surveys, and process and respond to inquiries or requests;
  - conduct marketing activities;
  - identify and fix technical issues; and
  - prevent, investigate or report any cases of unlawful or criminal activity (e.g., fraud).
- Necessary for the performance of a contract: In some cases, the processing of your personal data will be necessary for the performance of a contract with you, including the [prisma by RSPO Terms and Conditions], or in order to take steps, at your request, prior to entering into a contract with you.
- Compliance with legal obligations: Depending on the circumstances and the specific type of personal data processed, we may be required to retain and process your personal data in accordance with legal requirements and obligations imposed on us. For example, we may have to retain your personal data for specific periods under tax or commercial laws, and may be required to disclose your personal data to law enforcement authorities on request.
5. HOW WE TRANSMIT AND DISCLOSE PERSONAL DATA
A. TO WHOM WE DISCLOSE PERSONAL DATA
We may share, transmit, disclose, grant access to, make available, and provide your personal data with and to the following third parties for the following purposes:
- RSPO’s partners, trusted affiliates, secretariat, promoters, event organisers, event managers, researchers and advertisers: We share personal data (such as account data, contact information, and analytic data) with these third parties as part of our efforts to conduct statistical analyses of current or future global trends as well as for marketing, advertising and promotional purposes and the organisation of meetings, conferences and/or events.
- RSPO’s legal counsel, accountants, actuaries, auditors, consultants, promoters and event organisers: We share personal data (such as account data, member data, contractual information, and contact information) with these third parties which are necessary for the conduct and administration of their services for us. For example, we share information which is necessary for auditors to conduct audits on the activities of our members.
- Service providers: We share personal data (such as account data, member data, contact information, payment and transaction information, preferences, feedback and opinions, and analytic data) with third party service providers which provide us with services and which help operate our Websites and Services. The services provided to us by such third party service providers may include, among others, data storage services, data migration services, web hosting and maintenance services, payment processing services, analytics services, email communications services and web and video hosting providers and developers.
- Legal obligations and rights: We may also disclose your personal data (such as account data, member data, contact information, and payment and transaction information) to third parties, such as law enforcement agencies or regulators, where we are legally obliged to do so or if we reasonably believe that such disclosure is necessary:
  - to comply with laws or to respond to lawful requests and legal process;
  - to protect our rights and property and the rights, personal safety and property of others;
  - in connection with the establishment, exercise, or defence of legal claims;
  - to detect, suppress, or prevent fraud or other criminal activity; or
  - as otherwise required by applicable law.
With your consent: In certain situations, we may seek your consent directly to disclose your personal data to certain other third parties or publicly. For example, we may post your testimonial on our Websites or in publications with your consent.
B. CROSS-BORDER TRANSFERS OF PERSONAL DATA
The disclosures described above may involve the transfer of personal data to recipients located in jurisdictions outside the jurisdiction in which the personal data was collected or in which you reside. For example, we may disclose your personal data to our third party service providers located in other jurisdictions or transfer your personal data to our servers located across the world for storage purposes.
Where allowed under applicable laws, you hereby consent to such cross border transfers of personal data by providing your personal data to us.
C. TRANSFERS OF PERSONAL DATA OUT OF THE EU
Such disclosures may involve the transfer of personal data which was collected in the European Union/ European Economic Area to recipients outside the European Union/ European Economic Area, including but not limited to: (a) Malaysia; (b) Indonesia, the United Kingdom, China, the United States of America, and Colombia where our or our affiliates’ and secretariat’s offices are located; and (c) countries where our third-party service providers or servers are located, such as Singapore and Australia.
In such cases, we will conclude appropriate safeguards such as standard contractual clauses (adopted by the European Commission) with these recipients, unless they are based in countries with an adequacy decision pursuant to Article 45 of the GDPR (a list of these countries is available at: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en) or if the GDPR provides for an exception under Article 49.
To request a copy of the standard contractual clauses we have relied on (if any) you may contact us using the contact details provided in the “DATA CONTROLLER AND CONTACT DETAILS” section above. Please note that in the event we provide you with a copy of our standard contractual clauses, it may be redacted to the extent necessary to ensure that our commercial secrets and other confidential information belonging to us or the third party remains protected.
6. RIGHTS IN RELATION TO YOUR PERSONAL DATA
If you are located in the EEA, you are entitled to the following rights in relation to your personal data (these rights may also apply if you are located outside the EEA, subject to local regulations):
- Right of access: You have the right to be informed by us whether we are currently processing personal data about you and to request information regarding our processing of your personal data, as well as a copy of your personal data processed by us. Insofar as allowed under applicable laws, we may charge you a small fee to comply with your data access request.
- Right to rectification: Where you think that the personal data we process about you is inaccurate, incomplete, misleading or not up to date in any way, you have the right to request that we correct, modify or update the personal data.
- Right to erasure: Under certain circumstances, you may request that we erase your personal data.
- Right to restrict/prevent processing: Depending on the circumstances, you may have the right to restrict/prevent our processing of your personal data.
- Right to data portability: Under certain conditions, you may have the right to receive personal data about you which you have provided to us in a structured, commonly used and machine-readable format. Additionally, you have the right to request that we transmit your personal data to another data controller of your choice, noting that this right is subject to technical feasibility and the compatibility of our data format with that of the other data controller.
- Right to object: To the extent that we are processing your personal data to protect our legitimate interests, you have the right to object to such processing for reasons arising from your particular situation. In spite of any objections we receive from you, there may be compelling reasons for us to continue processing your personal data and we will assess each case accordingly and inform you if that is the case. You may also object to the processing of your personal data for marketing purposes for any reason and at any time. If at any time you do not want to receive any emails from RSPO pertaining to promotions, surveys, advertisements, statistical analysis or other related marketing material, you may unsubscribe from the RSPO’s mailing list.
- Right to withdraw consent: Where you have consented to our processing of your personal data, you have the right to withdraw your consent at any time. For the avoidance of doubt, your withdrawal of consent will not affect the lawfulness of any processing conducted based on your consent up until that point.
You may exercise any of the abovementioned rights by contacting us via the contact details set out in the “DATA CONTROLLER AND CONTACT DETAILS” section above. In addition, we may require you to provide a set of credentials and/or identification to confirm your identity before listening to any requests from you.
In addition, you also have the right to lodge a complaint with a supervisory authority concerning the processing of your personal data. If you are based in the EU, information about how to contact your local supervisory authority is available here.
7. RETENTION OF PERSONAL DATA
We will typically store the personal data we hold about you for no longer than is necessary for the fulfilment of the purpose for which it was originally collected.
The specific criteria used by us to determine the period for which personal data about you is stored will vary depending on the legal basis under which we are processing the personal data:
- Consent: Where processing is based on your consent, we will generally retain your personal data until you withdraw your consent or until the processing of your personal data is no longer necessary to fulfil the purpose for which you have provided us with your personal data, whichever is earlier.
- Legitimate interests: Where we are processing your personal data based on our legitimate interests, we will generally retain the personal data for a reasonable period of time based on the particular legitimate interest, taking into account your fundamental interests and your rights and freedoms.
- Performance of a contract: Where our processing of your personal data is necessary for the performance of a contract with you or in order to take steps before entering into a contract with you, we retain your information for the duration of the contract and two years thereafter.
- Compliance with legal obligations: Where we are processing your personal data for compliance with our legal obligations, we will generally retain the personal data for as long as required to comply with/ fulfil the legal obligation. For example, we will retain your personal data for as long as required for compliance with any statutory obligations we are subject to.
As an exception to the general retention periods specified above, we may store your personal data for longer where the processing/storage of the same is necessary to establish, exercise or defend our legal rights, including for the conduct of any legal proceedings or in preparation of anticipated legal proceedings. In such cases, we may store the personal data for as long as required to establish, exercise or defend our legal rights.
8. SECURITY OF YOUR PERSONAL DATA
We will implement appropriate technical and organisational measures to ensure your personal data is protected against any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction. Our Websites and Services are encrypted to ensure that the information collected therein is secure and all reasonable measures are taken to ensure such information is secure and to prevent any loss, alteration, theft or third party interference. All personal data we collect will be stored by our cloud hosting provider on secure servers.
9. THIRD PARTY WEBSITES AND SERVICES
Our Websites and Services may contain links to third party websites or services, including those of our service providers or partners. By interacting with these third parties, you are providing information directly to the third party and not RSPO. Please note that we are not responsible for the privacy practices of these third parties, and we encourage you to review the privacy notices and online terms of those third parties to learn more about how they handle your personal data.
10. CHANGES TO THIS PRIVACY POLICY
We reserve the right to amend the terms of this Policy and its addendums and annexures from time to time in our sole discretion. We will notify you about any material changes in the way we process personal data by placing a prominent notice on our Websites or via a notification on our Services. If you are located outside the EEA or the PRC, it is your responsibility to review this Policy periodically to take note of any changes. Insofar as allowed under applicable law, you hereby consent to any changes made to this Policy by continuing to use our Websites or Services. All changes shall be effective from the date of publication unless otherwise provided.
11. CONTACT US
If you have any inquiries, complaints or requests in connection with this Policy, our data protection practices or other privacy-related matters, you may contact us using the contact details provided in the “DATA CONTROLLER AND CONTACT DETAILS” section above.
12. LANGUAGE OF THIS POLICY
In the event of any discrepancies between the English version of this Policy and any applicable addendum or annexures, and versions provided in any other language, the English version shall prevail.
Additionally, the Websites and Services are originally published in English and contain information translated into other languages by third party translators. Translations are provided as a service to our website visitors and are provided “as is”. We make no warranty of any kind, either expressed or implied, as to the accuracy, reliability, or correctness of any translations from English into any other language.
ANNEXURE I – PEOPLE’S REPUBLIC OF CHINA
For the purposes of this Annexure I only, references to “personal data”, “sensitive personal data”, “process/processing”, “data controller”, and “data processor”, shall have the same meaning as those terms or similar terms as defined in the Personal Information Protection Law of the People’s Republic of China (the “PIPL”).
A. DATA CONTROLLER AND CONTACT DETAILS
For the purpose of the Policy and this Annexure I only, “China” herein excludes Hong Kong Special Administrative Region, Macau Special Administrative Region and Taiwan. If our processing activities of your personal data within the territory of China are subject to the PIPL, the data controller responsible for processing and protecting your personal data is:
Roundtable on Sustainable Palm Oil
Unit 13A-1, Level 13A, Menara Etiqa
No. 3, Jalan Bangsar Utama 1
59000 Kuala Lumpur
Malaysia
Email: [email protected]
Contact number: +603 7661 6200
B. SENSITIVE PERSONAL DATA WE PROCESS ABOUT YOU
We may collect your sensitive personal data such as your identity card/ passport number and your bank account details. We will only process your sensitive personal data if there is a specific purpose and sufficient necessity to do so, and if strict protection measures are taken.
C. LEGAL BASES FOR PROCESSING OF YOUR PERSONAL DATA
Depending on the circumstances, we will rely on one or more of the following legal bases for processing your personal data:
- You have given us your consent to process your personal data;
- The processing is necessary for the conclusion or performance of a contract to which you are a contracting party;
- The processing is necessary to fulfil statutory functions or statutory obligations;
- The processing is necessary to respond to public health emergencies or protect the life, health or property safety of natural persons under emergency circumstances;
- Personal data is processed within a reasonable scope to conduct news reporting, public opinion-based supervision, or other activities in the public interest;
- The personal data that has been disclosed by the individuals themselves or other personal data that has been legally disclosed is processed within a reasonable scope in accordance with the PIPL; or
- Under any other circumstances as provided by any applicable laws and regulations.
D. TO WHOM WE DISCLOSE PERSONAL DATA
As set out in the section of “HOW WE TRANSMIT AND DISCLOSE PERSONAL DATA”, we may share your personal data with third parties for achieving the purposes listed in the Policy. For third parties who we entrust to process your personal data, we will ask them to handle your personal data in accordance with our instructions, the Policy, this Annexure I, and applicable laws and regulations.
E. CROSS-BORDER TRANSFERS OF PERSONAL DATA
We may transfer your personal data to Malaysia where we are based. Where personal data is transferred outside China, your personal data will be secured by appropriate safeguards when required by the PIPL and applicable laws and regulations. To the extent required under PIPL and applicable laws and regulations, we will obtain separate consent from you before the transfer of your personal data.
F. RIGHTS IN RELATION TO YOUR PERSONAL DATA
You may e-mail us at [email protected] to exercise the following rights:
- The right to know and the right to decide on the processing of your personal data;
- The right to restrict or refuse the processing of your personal data by others;
- The right to access and duplicate your personal data;
- The right to request the transfer of personal data to your designated data controller;
- The right to request us to correct or supplement your personal data where you discover the data is incorrect or incomplete;
- The right to delete your personal data under specific circumstances;
- The right to consult this Policy;
- The right to withdraw your consent to the processing of personal data based on your consent (but please note that your withdrawal of consent does not affect the validity of the processing of personal data that has been carried out based on your consent before the withdrawal); and
- Any other rights under PIPL and applicable laws and regulations.
To protect the security of your personal data, we need to verify your identity in order to respond to your rights request(s), and we may not be able to respond to the request(s) for rights related to personal data that are not from you or authorised by you (for example, requests to consult personal data of someone else).
Additionally, the rights above are subject to limitations and exceptions under applicable laws and regulations. We will respond to and comply with your request(s) in accordance with the timeline required by the PIPL and relevant laws and regulations. If you have unresolved concerns, you also have the right to complain to the relevant supervisory authority or, where applicable, file a lawsuit with the court in accordance with applicable laws and regulations.
G. LANGUAGE OF THIS POLICY
We have prepared a Simplified Chinese version of the Policy and this Annexure I to make it easier for you to understand. In the event of any discrepancies between the English version and the Simplified Chinese version, the Simplified Chinese version shall prevail.
ANNEXURE II – UNITED KINGDOM
A. DATA CONTROLLER AND CONTACT DETAILS
The RSPO data controller responsible for and controlling the processing of your personal data is:
Roundtable on Sustainable Palm Oil
Unit 13A-1, Level 13A, Menara Etiqa
No. 3, Jalan Bangsar Utama 1
59000 Kuala Lumpur
Malaysia
Email: [email protected]
Contact number: +603 7661 6200
For the purposes of compliance with the UK GDPR, details of our local UK branch are set out below:
Roundtable on Sustainable Palm Oil
Regus Grosvenor Gardens
52 Grosvenor Gardens
London, SW1W 0AU
United Kingdom
Email: [email protected]
Contact number: +603 7661 6200
B. TRANSFERS OF PERSONAL DATA OUT OF THE UK
Such disclosures may involve the transfer of personal data which was collected in the United Kingdom to recipients outside the United Kingdom.
In such cases, we will conclude with these recipients appropriate safeguards such as the International Data Transfer Addendum to the EU standard contractual clauses, issued by the Information Commissioner and laid before Parliament in accordance with s.119A of the Data Protection Act 2018 on 2 February 2022 and in force since 21 March 2022 (“UK Addendum”), unless they are based in countries with an adequacy decision pursuant to Article 45 of the UK GDPR (a list of these countries is available at: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-transfers-a-guide/) or if the UK GDPR provides for an exception under Article 49.
To request a copy of the UK Addendum we have relied on (if any) you may contact us using the contact details provided in the “DATA CONTROLLER AND CONTACT DETAILS” section above. Please note that in the event we provide you with a copy of our UK Addendum it may be redacted to the extent necessary to ensure that our commercial secrets and other confidential information belonging to us or the third party remains protected.
C. RIGHTS IN RELATION TO YOUR PERSONAL DATA
If you are located in the UK, you are entitled to the same rights as outlined in Section 6 of the main Policy, subject to local regulations.
In addition, you also have the right to lodge a complaint with a supervisory authority concerning the processing of your personal data. If you are based in the UK, the relevant supervisory authority is the ICO who can be contacted via www.ico.org.uk.
ANNEXURE III
Specifics of Processing
Purpose of processing | Legal basis | Categories of data/personal data |
---|---|---|
Administrative purposes, including but not limited to billing and payment processing (including of membership fees), registration of new members, renewal of current memberships and to manage membership records |
|
|
Trade management purposes, such as to process payments, cancellations and refunds, manage members’ orders and transactions, manage members’ contracts and projects |
|
|
To respond to your inquiries or requests, handle complaints, and to provide you with support, where required. |
|
|
For the organisation of RSPO events and meetings, including to facilitate your participation in RSPO events, such as future or promotional events. |
|
|
To provide you with access to member-only resources and benefits. |
|
|
To communicate with you, including via email, text message, social media and/or telephone and video calls. This includes sending you emails on updates, RSPO activities, and on future RSPO events, as well as communications with you about your membership, membership-related inquiries or other requests. |
|
|
To administer, improve and personalise our Websites and Services, including by recognising an individual and remembering their information when they return to our Websites. |
|
|
To conduct research, surveys and statistical analyses, and to collect feedback from you. For example, we may use your personal data to conduct member satisfaction surveys. |
|
|
Direct marketing purposes. |
|
|
To test, enhance, update and monitor our Websites and Services, or diagnose or fix technical issues. |
|
|
To enforce our contractual rights and for the performance of contracts to which you are a party, including without limitation, and to the extent applicable, the prisma by RSPO Terms and Conditions of Use, any addenda thereto and any other applicable terms. |
|
|
Compliance with any legal obligation to which RSPO is subject. For example, we may have to retain your personal data for specific periods under tax or commercial laws, and may be required to disclose your personal data to law enforcement authorities on request. | Processing is necessary to comply with a legal obligation which we are subject to. | This will depend on the specific legal obligation/ request from law enforcement authorities but may include:
|
To prevent, investigate or report any cases of unlawful or criminal activity (e.g., fraud). |
|
This will depend on the specific circumstance but may include:
|
To establish, exercise or defend our rights, including for the conduct of any legal proceedings or in preparation of anticipated legal proceedings. | Our legitimate interests to establish, exercise, or defend our legal rights. | This will depend on the specific circumstance but may include:
|
PRISMA-SPECIFIC ADDENDUM TO THE GENERAL PRIVACY POLICY
The RSPO has issued the General Privacy Policy (“Policy”) (accessible here) which describes what personal data we process, why we process it, how we process it, and how you can manage your information with us. This prisma-specific addendum (“Addendum”) supplements the Policy with additional information as to how we process your personal data when you use our Palm Resource Information and Sustainability Management platform (the “Platform”). Capitalised terms which are used but not defined have the meanings set forth in the Policy.
1. SCOPE OF THIS ADDENDUM
A. APPLICABILITY OF THIS ADDENDUM
This Addendum applies to users of the Platform including without limitation, RSPO members, auditors, and customers who have provided personal data to us via the Platform.
By using the Platform and providing us with your personal data via the Platform, you are deemed to have read and understood the terms of this Addendum and the Policy. Where allowed under applicable law, and insofar as we rely on your consent as a legal basis, you are also deemed to consent to the processing of your personal data pursuant to the terms of this Addendum and the Policy.
This Addendum is to be read together with the Policy but in the event of any inconsistencies or conflicting terms between the terms set out in this Addendum and the Policy, the terms in this Addendum shall prevail.
If you live or are located in the EEA or the UK, please also refer to the table in Annexure I (further details about the personal data being processed and the purposes and legal bases of processing).
2. PERSONAL DATA WE PROCESS ABOUT YOU AND HOW WE COLLECT IT
When you sign up for and use the Platform, we collect and process personal data about you. Most of the personal data we collect via the Platform is collected directly from you in your interactions with us. We may also collect personal data automatically when you interact with the Platform (as described in the Policy) and at times, we may collect personal data about you from the classes of third parties listed below and in the Policy.
Some personal data, such as your name, email address and phone number may be necessary for certain purposes, such as to provide you with access to the Platform (e.g., to enable you to sign up for an account), for administrative purposes (e.g., to facilitate your account on the Platform), as a part of your or your organisation’s obligation as an RSPO member, and for the facilitation of your organisation’s certification/ licence status. Without providing this information, you might not be able to access the Platform, register for an account on the Platform, maintain your membership with RSPO, or apply for and maintain your organisation’s certification/ licence status.
A. PERSONAL DATA YOU PROVIDE
In addition to the types of information set out in the Policy, we may collect and process the following information which you voluntarily provide to us:
- Account data: If you or the organisation you represent are a registered user of the Platform or are applying for an account, we will collect and process personal data from you (such as your name, email address, phone number, and designation) in order to facilitate your or your organisation’s account on the Platform via the relevant application forms.
- Entity management information: We collect information about other entities in your organisation’s group of companies which you have provided to us as part of the Platform’s entity management functionalities. Such information includes some personal data such as location information, membership/ user ID numbers, name, contact details (email address, phone number), and address.
- Certification/ licence information: We collect a broad range of information required for members to apply for and maintain certification/ licences with certification bodies around the globe, including information required to audit your organisation for compliance with certain standards. Such information includes some personal data such as name, contact details (email address, phone number), and certification/ licence identification number.
- Trading/ transaction information: We collect and process any information you provide in connection with any payments (including payments for any administrative or membership fees) and trades (such as trades for RSPO credits) made via the Platform. We also collect and process information which is required to provide you with the Platform’s stock/ inventory management functionalities. Such information includes your or your organisation’s bank account details, billing records, invoicing and billing information, and transaction-related information (such as payment date, amount, billing address).
- Geospatial information: We collect and process information required to provide you with the Platform’s geospatial and risk assessment functionalities. Such information may include some personal data such as location information.
- Auditors’ profiles: If you are an auditor, we collect and process information from you as required for the purpose of preparing your auditor’s profile. Such information includes your name, country of residence, qualifications/experience, and designation.
- Training: If you sign up for any of our training programs, events, meetings, or seminars relating to the use of the Platform, we will collect and process information from you such as your name, contact details (email address, phone number), and designation as required to provide you with training.
- Feedback and helpdesk: The Platform offers users the opportunity to provide us with feedback and a helpdesk functionality for users who need assistance. We will collect and process information you have provided to us via these features to improve the Platform and deal with your request/ inquiry.
B. PERSONAL DATA FROM OTHER SOURCES AND THIRD PARTIES
We may also obtain personal data from third parties, which we may combine with personal data we collect and process either automatically or directly from an individual. In addition to the scenarios and third parties set out in the Policy, we may receive personal data from the following third parties in these scenarios:
- Your employer/ organisation: We may receive personal data about you (such as your name, phone number, email address, designation, nationality, residential address, and membership/ user ID numbers) from your employer/ organisation, such as where you are the person in charge of your company or where your employer has signed you up to receive training from us.
3. PURPOSES FOR PROCESSING YOUR PERSONAL DATA
In addition to the purposes set out in the Policy, we process your personal data for the following purposes in relation to the Platform:
- For the provision of the Platform’s services and functionalities, including among others:
  - Trading services and for trade management purposes such as to process payments, cancellations and refunds, manage members’ orders and transactions, manage members’ contracts and projects, generate reports on palm oil trade transactions, and facilitate the trade of RSPO credits/ palm oil products.
  - Entity management services which enable you to manage the entities within your organisation’s group of companies.
  - Certification and audit services which allow you to manage your organisation’s certification and licence statuses and allow for independent audits to be conducted on your organisation via the Platform.
  - Geospatial and risk assessment services which allow you to utilise the Platform’s built-in geospatial functionalities to monitor palm oil sourcing locations and assess risks within these locations.
- To administer and improve the Platform, including to test, enhance, update and monitor the Platform, or diagnose or fix technical issues.
- For auditing purposes, including audits to determine your organisation’s compliance with RSPO’s requirements for certification.
- To conduct research, surveys and statistical analyses, and to collect feedback from you. For example, we may use your personal data to conduct supply base analysis and due diligence.
For the avoidance of doubt, we do not process your personal data for the purposes of any automated individual decision-making, including profiling, within the meaning of the GDPR.
4. LEGAL BASES FOR PROCESSING OF YOUR PERSONAL DATA
The legal bases we rely on to process your personal data pursuant to the Platform are as set out in the Policy and in Annexure I below.
5. HOW WE TRANSMIT AND DISCLOSE PERSONAL DATA
A. TO WHOM WE DISCLOSE PERSONAL DATA
In addition to the third parties set out in the Policy, we may share, transmit, disclose, grant access to, make available, and provide your personal data with and to the following third parties for the following purposes:
- Users of the Platform/ disclosure to the public: Where you have voluntarily disclosed your or your organisation’s information on the Platform, note that some of this information (including your name, designation, phone number, and email address) will be made available to all other users of the Platform. Additionally, information you disclose as a part of your organisation’s Annual Communication of Progress reports, audit reports, and information on your organisation’s certification status will be made available to the public on our website. If you are an individual member of the RSPO, we will disclose your name, country of residence, designation, and brief information about yourself which you have provided to us on our website. If you are an auditor, we will disclose your name, country of residence, qualifications/experience, and designation which you have provided to us as a part of your auditor’s profile on audit reports published on our website.
- Disclosures to other third parties: In certain situations, we may disclose information you have voluntarily disclosed on the Platform to third parties who are seeking such information for their commercial interests. For example, we may disclose information regarding the sustainability of your organisation to banks who are seeking such information to determine if your organisation meets any required sustainability goals to provide you with certain types of financing.
ANNEXURE I
Specifics of Processing
Purpose of processing | Legal basis | Categories of data/personal data |
---|---|---|
Administrative purposes, including but not limited to billing and payment processing (including of administrative and membership fees), registration of new users, renewal of current user accounts and to manage membership records. |
|
|
For the provision of the Platform’s services and functionalities:
|
|
|
To administer and improve the Platform, including to test, enhance, update and monitor the Platform, or diagnose or fix technical issues. |
|
|
For auditing purposes, including audits to determine your organisation’s compliance with RSPO’s requirements for certification. |
|
|
To respond to your inquiries or requests and to provide you with support, where required. |
|
|
For the organisation of RSPO events and meetings, including to facilitate your participation in RSPO events, such as future or promotional events. |
|
|
To provide you with access to member-only resources and benefits. |
|
|
To communicate with you, including via email, text message, social media and/or telephone and video calls. This includes sending you emails on updates, RSPO activities, and on future RSPO events, as well as communications with you about your membership, membership-related inquiries or other requests. |
|
|
To administer and provide you with training. |
|
|
To conduct research, surveys and statistical analyses, and to collect feedback from you. For example, we may use your personal data to conduct member satisfaction surveys. |
|
|
Direct marketing purposes. |
|
|
To enforce our contractual rights and for the performance of contracts to which you are a party, including without limitation, and to the extent applicable, the prisma by RSPO Terms and Conditions of Use, any addenda thereto and any other applicable terms. |
|
|
Compliance with any legal obligation to which RSPO is subject. For example, we may have to retain your personal data for specific periods under tax or commercial laws, and may be required to disclose your personal data to law enforcement authorities on request. | Processing is necessary to comply with a legal obligation which we are subject to. | This will depend on the specific legal obligation/ request from law enforcement authorities but may include:
|
To prevent, investigate or report any cases of unlawful or criminal activity (e.g., fraud). |
|
This will depend on the specific circumstance but may include:
|
To establish, exercise or defend our rights, including for the conduct of any legal proceedings or in preparation of anticipated legal proceedings. | Our legitimate interests to establish, exercise, or defend our legal rights. | This will depend on the specific circumstance but may include:
|