Privacy Statement

1.Introduction

1.1.Privacy Statement

GEP is fully committed to maintaining the privacy and personal information collected through GEP’s public Website, non-public web sites and any GEP software platforms including web application(s) and mobile application (s) (“GEP’s Application(s) and Services”). All Privacy Information is protected by GEP in accordance with the terms set forth in this Privacy Statement. This Privacy Statement explains what Personal Information we collect from You, how GEP uses it and to whom it is passed or provided. [In the event of any conflict or substantive translation changes in a non-English language of this Privacy Statement, the English version of this Privacy Statement shall govern.]

2.Scope and Purpose

GEP is fully committed to maintaining the privacy and personal information collected through GEP’s public Website, non-public web sites and any GEP software platforms including web application(s) and mobile application (s) (“GEP’s Application(s) and Services”). All Privacy Information is protected by GEP in accordance with the terms set forth in this Privacy Statement. This Privacy Statement explains what Personal Information we collect from You, how GEP uses it and to whom it is passed or provided. [In the event of any conflict or substantive translation changes in a non-English language of this Privacy Statement, the English version of this Privacy Statement shall govern.]

GEP's collects information, inclusive of any Personal Information, to provide You with industry information regarding procurement and sourcing and to provide GEP clients and their suppliers with a secure, efficient and customized venue for electronic sourcing of products and services. The Application may also enable GEP clients to create custom fields or documents for the collection of business and Personal Information.

Personal Information, such as individual names and email addresses, is collected to provide You with information such as white papers and industry specific data where You have provided consent to receive such information.

Personal Information provided by You may also be used by other GEP clients, and suppliers of GEP clients, for some features within GEP’s Application(s) and Services and to provide procurement and sourcing services. GEP clients may submit Personal Information to create registered Users of the solutions, to store transaction documents, and to store contact information associated with other entities.

Any business information and Personal Information is stored in Microsoft® Azure® data centers in the U.S. & Europe where GEP’s technology platform solution is hosted. This web link to the Microsoft® web sites describes the privacy policy and practices that govern use of Azure® and Microsoft®’s other enterprise online services.

https://privacy.microsoft.com/en-ca/privacystatement

In addition, GEP may use your business information and Personal Information for its internal business operations, such as securing and updating the Application(s). If you are in the EU, GEP processes such Personal Information where it is in GEP’s or a third party’s legitimate interests to do so.

We may collect, use and disclose qualitative and quantitative data derived from Your use of the Application for analysis including but not limited to industry analysis, analytics, and other business purposes. We will use such qualitative and quantitative data and Information only as part of an aggregated and anonymized transaction information GEP publishes at its sole discretion on the website(s) or in any other medium. All data collected, used and disclosed will be in aggregated form and will not identify You as an individual User. We may aggregate and publish User business information relating to activity within GEP’s non-public websites and software platforms including mobile application(s), but such aggregated User business information shall not include any User business information that could be used to personally identify You. GEP does this to provide you with a subscription, research and analysis to optimize the Website and GEP’s Application(s) and Services inclusive of software platforms including GEP SMARTTM (aka “SMART by GEP®”) and GEP NEXXETM provided thereby, and better serve GEP clients and Users.

Access Provided by Your Organization-Notice to End Users

For Users, the Personal Information is generally related to Your role at Your respective organization and is not related to You as a private person or as an individual client or supplier.

For GEP client Users

When You access or use an Application(s) and Service, GEP’s processing of Your Personal Information in connection with that Application(s) and Service is governed by a contract between GEP and Your company. If you are in the EU or UK, Your company is the ‘controller’ and GEP is a ‘processor’ acting on behalf of Your company, each as defined in the EU General Data Protection Regulation or the UK Data Protection Act 2018. GEP processes Your Personal Information to provide the Application(s) and services (including improving, securing, and updating the service) to Your organization and You for GEP’s business operations related to providing the Application(s) and services. If You have questions about GEP’s processing of Your Personal Information in connection with providing services to Your company, please contact Your company.

For registered supplier Users

When You use an Application(s) and service on behalf of Your organization as a supplier User, GEP’s processing of Your Personal Information in connection with the specific Application(s) is governed by this Privacy Statement. GEP processes Your Personal Information to provide the Application(s) and Services (including improving, securing, and updating the service) to Your company and You, and for GEP’s legitimate business operations related to providing the Application(s) and Services. Certain features of Application(s) and Services may enable GEP’s clients to use or create custom fields or documents to gather various types of information about a supplier. If you object to the types of additional business or Personal Information being requested from a GEP client, please contact the GEP client directly.

Because GEP understands the importance of protecting the privacy of visitors to its Website, GEP clients and the suppliers to GEP clients, and maintaining the security of the business information and Personal Information, GEP pledges that no Personal Information will be disclosed, distributed, published, disseminated, sold, traded, or shared with any third party, including advertisers, business or governmental organizations, or other clients or members.

Provided, however, that GEP shall be entitled to disclose business information and/or Personal Information to third parties in the following situations:

  • When such disclosure is necessary to facilitate communications with Users or transactions between Users in accordance with the normal operation or services and transactions between Users and GEP clients;
  • When such disclosure is so ordered by any court, administrative body, governmental agency or regulatory agency, or when GEP in good faith determines that it is legally required to make such disclosure, or when such disclosure is requested by law enforcement authorities in connection with their investigations, or in the event of an emergency;
  • When enforcing the terms of the Agreement (including this Privacy Statement);
  • When communicating with a visitor user to the GEP Website, a GEP client or User outside of GEP’s non-public websites and software platforms including mobile application(s);
  • When GEP in good faith determines that such disclosure is necessary to correct what GEP believes to be false or misleading information or to address activities that GEP believes to be manipulative or deceptive;
  • When you designate your Personal Information to be publicly viewable within any Application(s) and services(s).
  • GEP may aggregate and publish User business information relating to activity within GEP’s non-public websites and software platforms including mobile application(s), but such aggregated User business information shall not include any User business information that could be used to personally identify you; and
  • GEP may share Personal Information with our global affiliates, parent, subsidiaries, agents and integrated service providers that cooperate to provide content to visitors of the Website, and/or to provide GEP’s Technology Solution (including GEP Application(s) and Services) to GEP clients. GEP affiliates follow practices no less protective as per practices described in this Privacy Statement and to the extent allowed by applicable law.

Tracking and other similar technologies

Depending on whether you visit the GEP Website, are a GEP client, or supplier User visiting a non-public website and/or any software platform including Application(s) and Services, web application(s) and/or mobile application(s), the information gathered through technologies like cookies, web beacons, web links and other such tools may include Your Internet Protocol (IP) address (or the proxy server You use to access the World Wide Web), device and application identification numbers, Your location, Your browser type, Your Internet service provider and/or mobile carrier, the pages and files You viewed, Your searches, Your operating system and system configuration information, and date/time stamps associated with Your usage. For example, due to Internet communications standards, when You visit or use the GEP Website and services, GEP automatically receives the URL of the website from which You came and the website to which you go when you leave our Website. Similar technologies may be part of your use of the GEP mobile application platforms. The business information gathered by such technologies is used to analyze overall trends, to help us improve our Website, Application(s) and services, software platform (s) including web application(s) and mobile application(s) and services, to track and aggregate non-personal information, and to provide the Website and Application services. The business information obtained through tracking tools may be subject to data analytics only for the purpose of enhancing the software features or services provided through the software without compromising confidentiality. The tracking technology for the Website and Application(s) and services including web application(s) and mobile application(s) is explained in the GEP Cookie Policy.

3.Privacy principles

GEP complies with the privacy requirements as set forth by data protection legislation in the United Kingdom and the European Union regarding the collection, use, and retention of Personal Information transferred from the United Kingdom, European Economic Area and/or Switzerland to a third country or an international organization outside the European Union. GEP adheres to the privacy principles relating to the processing of Personal Information:

  • Personal Information is processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’).
  • Personal Information is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘Purpose Limitation’).
  • Personal Information is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (‘Data Minimization’).
  • Information is accurate and, where necessary, kept up to date; every reasonable step is taken to provide that Personal Information which is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay (‘Accuracy’).
  • Information is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the Personal Information is processed (‘Storage Limitation’).
  • Information is processed in a manner that ensures appropriate security of the Personal Information, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).
  • When GEP collects Your Personal Information, GEP will give You timely and appropriate notice describing what Personal Information GEP is collecting, how GEP will use it, and the types of third parties with whom GEP may share it. GEP will give rights to access Your Personal Information and method to communicate for any change.
  • GEP will give You choices about the ways GEP uses, shares Your Personal Information, and GEP will respect the choices you make.
  • To transfer Personal Information to a third party, GEP will comply with the Notice and Choice Principles as set out in the EU-U.S./Swiss-U.S. Data Privacy Framework. GEP will enter into a contract with the third-party to provide the same level of protection as the Notice and Choice Principles.
  • In the context of an onward transfer GEP has responsibility for the processing of personal information it receives under the Data Privacy Framework and subsequently transfers to a third party acting as an agent on its behalf. GEP shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless GEP proves that it is not responsible for the event giving rise to the damage.
  • GEP will take reasonable and appropriate measures to protect Personal Information from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the Personal Information.
  • GEP will not process Personal Information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, GEP will take reasonable steps to ensure that Personal Information is reliable for its intended use, accurate, complete, and current.
  • GEP will provide ways for You to access Your Personal Information, as required by law, so You can correct inaccuracies.
  • GEP will provide independent recourse mechanism by which each individual’s complaints and dispute are investigated and expeditiously resolved at no cost to the individual.

Data Privacy Framework

GEP is certified to the EU-U.S. Data Privacy Framework and Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Information transferred from the European Union and Switzerland to the United States. GEP has certified to the Department of Commerce that it adheres to the Data Privacy Framework Principles. To learn more about the Data Privacy Framework program, and to view GEP’s certification, please visit https://www.dataprivacyframework.gov/s/.

On July 16, 2020, the European Court of Justice invalidated EU-U.S. Privacy Shield as a transfer mechanism between the European Union and United States. Therefore, GEP intends to use a legally compliant alternative transfer mechanism for transfers of Personal Information from the European Economic Area and the United Kingdom to GEP’s office(s) in the United States, such as data transfer agreements providing adequate safeguards equivalent to the protections afforded under the laws of the European Economic Area and the United Kingdom. GEP will continue to protect Personal Information and honor its commitments with respect to Personal Information transferred from the European Union to the United States pursuant to Privacy Shield before July 16, 2020, EU-US Data Privacy Framework effective 10th July 2023, and the Swiss-US Data Privacy Framework effective 17th July 2023.

4.Individual rights-User Rights

Please note the following rights which apply to an individual under the General Data Protection Regulation where GEP is acting in its capacity as a controller. In most circumstances, GEP is not considered a controller and is operating as a processor.

  • An individual has the right to receive the Personal Information concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit the data to another controller without hindrance from the controller to which the Personal Information has been provided.
  • An individual has the right to object, on grounds relating to his or her particular situation, at any time, to the processing of Personal Information concerning him or her, including profiling based on those provisions. The controller shall no longer process the Personal Information unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual or for the establishment, exercise or defense of legal claims.
  • An individual has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
  • An individual has the right to obtain from the controller confirmation as to whether or not Personal Information concerning him or her is being processed, and, where that is the case, access to the Personal Information and the following information:
    • The purposes of the processing.
    • The categories of Personal Information concerned.
    • The recipients or categories of recipient to whom the Personal Information has been or will be disclosed, in particular recipients in third countries or international organizations.
    • Where possible, the envisaged period for which the Personal Information will be stored, or, if not possible, the criteria used to determine that period.
    • The existence of the right to request from the controller rectification or erasure of Personal Information or restriction of processing of Personal Information concerning the data subject or to object to such processing.
    • The right to lodge a complaint with a supervisory authority.
    • Where the Personal Information is not collected from the data subject, any available information as to their source.
  • An individual has rights to deny or withdraw the consent anytime where relevant.
  • An individual has the right to obtain from the controller without undue delay the rectification of inaccurate Personal Information concerning him or her.
  • An individual has the right to obtain from the controller the erasure of Personal Information concerning him or her without undue delay in certain circumstances.
  • An individual has the right to obtain from the controller restriction of processing in a situation where accuracy of the Personal Information is contested by the data subject, the processing is unlawful, and the data subject opposes the erasure of the Personal Information and requests the restriction of their use instead.
  • An individual has the right to lodge a complaint with the relevant supervisory authority in your jurisdiction.

5. Security of Personal Information

GEP’s internal security policy governs the processing of data collected through the Application and Services and the Website. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, GEP has implemented appropriate technical and organizational measures to provide a level of security appropriate to the risk.

  • The pseudonymization and encryption of sensitive or special category sensitive data.
  • The ability to provide the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
  • The ability to restore the availability and access to Personal Information in a timely manner in the event of a physical or technical incident.
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
  • GEP has implemented technical controls to prevent unauthorized access to or unauthorized alteration, disclosure or destruction of information GEP holds.
    • GEP has encrypted many of GEP’s services using the latest strong encryption technologies.
    • GEP provides secure authentication to access non-public information.
    • GEP restricts access to Personal Information to employees, contractors and agents who need to know that information in order to process it for GEP, and who are subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations.

6. Compliance and cooperation with regulatory authorities

GEP regularly reviews our compliance with GEP’s Privacy Statement and applicable data protection and privacy law. GEP is subject to the investigatory and enforcement powers of the Federal Trade Commission (“FTC”). When GEP receives formal written complaints, GEP will contact the person who made the complaint to follow up. GEP will work with the appropriate regulatory authorities, including local data protection authorities, to resolve any complaints regarding the transfer of Personal Information that GEP cannot resolve with our users directly.

GEP Contact

Attn: privacy@gep.com

100 Walnut Ave
Clark, NJ 07066
https://www.gep.com
Office (732) 382-6565

To raise a request or complaint about how GEP has handled your Personal Information, please mail or email the above contact. Please be aware that if you complain to GEP directly and it is the processor of your Personal Information, it will promptly refer your enquiry to the Controller.

Please allow at least 10 business days for GEP to respond to Your request or complaint.

In compliance with the Data Privacy Framework Principles at https://www.dataprivacyframework.gov/s/, GEP commits to resolve complaints about GEP’s collection or use of Your Personal Information.

EU and Swiss individuals with inquiries or complaints regarding our Data Privacy Framework policy should first contact GEP at: Privacy@gep.com.

GEP has further committed to refer unresolved Data Privacy Framework complaints to ICDR-AAA, an alternative dispute resolution provider located in the United States. Subject to certain conditions, You may be able to invoke binding arbitration. If You do not receive timely acknowledgment of Your complaint from GEP, or if GEP has not addressed Your complaint to Your satisfaction, please visit ICDR-AAA site at https://www.icdr.org/dpf for more information or to file a complaint. The services of ICDR-AAA are provided at no cost to You.