Provided pursuant to Articles 13 and 14 of the European General Data Protection Regulation 2016/679 (“GDPR”)

1.    Who processes personal data?

The Data Controller is ECR Community a.s.b.l. (“ECR Community”), with registered office in Boluevard du Jublie 71, bte3, 1080 Brussels, Belgium.

ECR Community is the global association for all ECR National & Partner organisations in the Retail & Consumer Product Group sector (“ECR Members”). It is a not-for-profit that provides a neutral platform to develop and share best practices among our network of ECR Nationals and their members.

The purpose of the ECR Members is to bring together manufacturers, retailers, service providers and industry associations at a national level to share best practice information in areas that are mutually beneficial such as supply chain, category management, sustainability and digital transformation.

ECR members are located all over the world and shall be: – national ECR and/or GS1 Organizations; – Federations or trade associations of retailers and/or wholesalers, consumer goods manufacturers, or retailers and manufacturers, inasmuch as they do not duplicate the work of national ECR and/or GS1 organizations.

The updated list ECR Members is published on ECR Community website on the page

In carrying out its activities, ECR Community collects and processes your personal data as Data Controller, and, in this capacity, ensures the application of appropriate organisational and technical measures for the protection of personal data in compliance with the provisions of the applicable laws and regulations.

2.    Which personal data are collected?

ECR Community collects and processes personal data such as, by way of example but not limited to company name, first name, last name, fiscal code/VAT number, email address, professional landline and/or mobile phone number, company name where you work and covered role, IP address used in the possible navigation of the website managed by and referable to the Data Controller, as well as data related to the commercial and/or professional activity of said company and its contact details and bank details, other information relevant to customer surveys and/or offers such as interests and preferences.

Images, photos and/or videos of you may also be collected during events or conferences. With respect to the processing of such data, you may receive a supplement to this Privacy Policy and a specific waiver and request for the collection and processing of personal data.

ECR Community does not collect sensitive personal data such as political opinions, social or ethnic origins, religious beliefs, genetic, biometric and sexual orientation data.

In addition to the provisions of Article 3 of this Privacy Policy, the following data may also be collected and processed through: a) the website managed by and referable to the Data Controller, b) the use of the relevant functionalities, c) the filling in of electronic forms and the use of services provided therein:

  • browsing data: this data includes, by way of example, the data that the server automatically records each time the website is visited, such as the IP addresses of the computers used by the users who connect to the website, the URI (Uniform Resource Identifier) addresses of the resources requested, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the user’s operating system and IT environment;
  • personal data voluntarily provided by users/visitors: this is data that is provided by users by filling in electronic forms to send information or contact requests or, where applicable, for the purpose of creating an account on the website and/or for requesting, ordering and using the services made available therein. This category includes, by way of example, name and surname, company e-mail address and phone number, company name and covered role, further data and information that may be contained in messages sent to the addresses indicated on the website or by filling in any electronic forms published therein.

3.    How we use cookies ?

Cookie files are files or fragments of information that may be stored on your computer or other Internet-compatible end user devices (for example, smartphones and tablets) when you visit our websites or use our webservices. This information frequently consists of alphanumeric strings that uniquely identify your computer or end user device, but they may also contain other information.

Once you agree, the file is added and the cookie help us to analyse the web traffic or let us know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.

We use traffic log cookies to identify which pages are being used. This helps us to analyse data about web page traffic and to improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.

Overall, cookies help us to provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.

You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.

ECR Community’s website does not use advertising and profiling cookies while using only technical cookies that are absolutely essential for the website to function properly.

ECR Community’s website may also contain links to third parties websites that are not under the effective and direct control of ECR Community. ECR Community will not be held responsible for the truthfulness, respect for rights, including copyright, overall legality, morality, or any other aspect relating to the content of the third-party websites. The inclusion of a link referring to a third party on the ECR Community’s website does not imply the approval, even only implicit or potential, of any website or content contained therein.

ECR Community provide such links solely to facilitate the user and provide potential contents of interest. The inclusion on the website of links to third-party websites does not imply endorsement of such websites or any form of association, participation and/or cooperation with their owners and operators.

4.    On what legal bases and for what purposes are personal data processed?

Personal data is processed by virtue of a legitimate interest of the Data Controller or an express consent of the Data subject for the following purposes:

  • a) for the activities preparatory to the establishment of the relationship with ECR Community, b) for the subsequent execution and management of such relationship and for the activities related and functional to its performance, c) for the management of the website referable to the Data Controller and of the services rendered through it, d) to follow up on the request to receive information, as well as e) for the fulfilment of legal obligations;
  • to pursue a legitimate interest of the Data Controller: a) for the legal defence of a right or interest before any competent authority or body, expressly including for debt recovery purposes, b) for the purpose of carrying out the following promotional activities:

1) for the sending of invitations and the subsequent management of your possible interest events, meetings, working groups for confrontation and cooperation purposes, seminars, round tables, conventions and meetings (also aimed at training), organised and managed by the Data Controller and/or third parties, autonomously or in collaboration with third parties identified in the specific invitations (brochures and/or presentations) that shall be transmitted or delivered to collect your possible participation (hereinafter referred to as “Event”/”Events”);

2) for the invitation to participate in surveys of various kinds, the creation and sending of newsletters, publications, studies, survey results, market analyses or analyses of specific industrial or commercial sectors, as well as any other kind of informative material, of your possible interest, prepared, edited and/or published by the Data Controller, independently or in collaboration with third parties (hereinafter referred to as “Publications”);

3) to manage relations and interactions with the referents or “contact persons” of member companies and any other subjects with whom ECR Community has established relations, in order to better understand their needs and expectations, improve and develop new services. The above initiatives may be managed and implemented by email or by telephone.

With regard to said matters, we remind you that you may, at any time, object to the commercial communications received by e-mail and unsubscribe from marketing by clicking on the appropriate link in the e-mails received or by sending a communication in the manner set out in the paragraph below “What are the rights under the GDPR?” as well as withdraw any consent given, easily, freely and free of charge by sending a communication in the manner set out in the paragraph below “What are the rights under the GDPR?”

5.    What happens in case of failure to provide personal data?

The provision of personal data is not mandatory, but it is necessary to enable the management of the contractual relationship and the fulfilment of any legal obligations, with the consequence that failure to provide, partial or incorrect provision of the data will make impossible, as applicable, to fulfil the contractual relationship and to execute the related services and/or to implement and process specific requests made by the data subject. Failure to provide the data may affect the possibility of interacting with the Data Controller for contractual purposes.

6.    Who can access to personal data?

Personal data you provide may be made accessible to:

  • employees, outside staff and consultants of the Data Controller, as persons authorised to process data pursuant to Article 29 of the GDPR;
  • legal or supervisory authorities, general government and other authorities, public bodies and organisations (domestic and foreign) in fulfilment of regulatory obligations, which will process them as autonomous data controllers;
  • professionals and consultants, appointed by the Data Controller to carry out activities related to the management of the organisation and/or the management of professional assignments or the possible defence in court, including, by way of example, auditing and financial statement certification companies, quality surveying and certification companies, banking institutions for the management of payments supervisory and control bodies, accounting and tax consultants, legal consultants, credit recovery and consulting companies, IT assistance and data processing companies (e.g. web hosting, data entry, management and maintenance of IT infrastructures and services, etc.), postal service and mailing companies; all in their capacity, as applicable, as authorised persons, data processors or autonomous data controllers;
  • any partners or contractual party connected or related to the Events or Publications as well as partners in projects referable to ECR Community or participants in initiatives managed and coordinated by it as well as to third parties carrying out outsourcing activities in the interest of the Data Controller, for the performance of activities and services functional to the organisation and/or management of the Event or the sending of the Publications; all in their capacity as data processors;
  • ECR Members, which will process them as autonomous data controllers, at the conditions specified below.


Transfer of personal data outside the European Economic Area (“EEA”):

ECR Community does not transfer personal data of EU citizens outside the European Union.

Given the international presence of the ECR Members, with the purpose to optimize the quality of the services provided and to enable ECR Members to send you direct marketing emails, ECR Community may have to transfer non-EU citizens collected personal data to their national ECR Member located in countries outside the EEA, whose legal provisions on the protection of personal data are different from those of the European Union (GDPR).

In this cases, ECR Community: a) will request you a specific, freely given and informed consent to authorize this international transfer of personal data to your own ECR Member, b) expressly inform you that the international transfer of your personal data may be exposed to risks related to the peculiarities of local legislation regarding the processing of personal data in different countries.

To revoke your consent to the processing of your personal data, please send an email to

In absence of your consent, any international transfer of data to countries outside the EEA will only take place in compliance with the limits and conditions set forth in the GDPR and, therefore, only to countries that guarantee an adequate level of protection of personal data, where such adequacy is established by a decision of the European Commission or guaranteed on the basis of contractual instruments and specific clauses that ensure the implementation of technical and organisational security measures suitable for the protection of personal data. In any event, personal data will not be disclosed or disseminated, except where they are required and in accordance with the law, to law enforcement, legal authorities, information and security bodies or other public entities and for purposes of defence or State security or for the prevention, detection or prosecution of criminal offences.

7.    How personal data are processed?

Personal data is processed through electronic and paper-based means and tools made available to persons acting under the authority of the Data Controller who are authorised and trained for this purpose. The paper and electronic archives are protected by adequate security measures to counter the risk of violation.

8.    How long personal data are retained?

Personal data processed by the Data Controller is retained for the time necessary to carry out the activities connected to the management of the contractual relationship and for the related legal obligations and, for the period following its termination, for the fulfilment of any obligations necessary for the proper performance of the contractual or business relationship. Personal data processed on the basis of consent is retained until the consent is expressly revoked. For processing based on the legitimate interest of the Data Controller, personal data will be retained as long as this legitimate interest exists and, in any case, as long as there is an active relationship with the data subject, without prejudice to the data subject right to object to such processing.

When the purposes justifying the retention of personal data have been fulfilled, such data will be deleted.

9.    What are the rights under the GDPR?

In accordance with the provisions of GDPR, you has the right to:

  • access to personal data, e. to obtain confirmation of the existence of the processing of your personal data and to obtain specific information on the processing, such as, the purposes, the categories of data being processed and the existence of the other rights set out below;
  • obtain the correction of personal data, e. obtaining the rectification/integration of your personal data;
  • obtain the cancellation of personal data, i.e. obtaining the deletion of your data if (i) such data is no longer necessary for the purposes for which it was collected, (ii) you object to the processing of your personal data and there is no other overriding reasons for the processing, (iii) the personal data must be deleted due to legal obligation. This right does not apply if the processing is necessary for the fulfilment of a legal obligation or for the judicial ascertainment or exercise of a right;
  • obtain the restriction of processing of personal data, i.e. obtaining the restriction of the processing of your personal data, which means that data processing will be suspended for a certain period of time;
  • obtain the portability of personal data, i.e. the right to receive personal data in a structured, commonly used and machine-readable format and to transmit them to another data controller in the case of automatic processing based on consent or the performance of contractual obligations;
  • oppose to processing of personal data, i.e. objecting to the processing based on legitimate interest, unless the Data Controller demonstrate the existence of legitimate grounds for processing which prevail on the rights of the data subject;
  • lodge a complaint to the competent supervisory authority in the cases provided for in Article 77 of the GDPR.


The above-mentioned rights, together with any request for clarification regarding the assessment of the existence of legitimate interest or the details connected to the transfer of the personal data outside the EEA, may be exercised by making a request to the Data Controller by writing to the above addresses or by sending an email to . A reply will be reasonably provided within five working days.


The updated version of this Privacy Policy can be found on the web page:  Any amendments or updates will be brought to the user’s attention by publication on the mentioned web page of the site and will be applicable and binding from that moment on.


[Last update: 21/11/2023]