PRIVACY STATEMENT

Introduction

1.1. Privacy Statement

GEP is fully committed to maintaining the privacy and personal information collected through GEP’s mobile applications and software platforms (“GEP’s Technology Solution”). All privacy information is protected by GEP in accordance with the terms set forth in this Privacy Notice and GEP's terms of use (the Agreement). This Privacy Notice is incorporated by reference into and is fully subject to the terms of the Agreement. This Privacy Notice explains what personal data we collect from you, how we use it and to whom it is passed or provided.

2.Purpose

GEP's goals in collecting information, inclusive of any personal information, is to provide you with industry information regarding procurement and sourcing and to provide our clients and their suppliers with a secure, efficient and customized venue for electronic sourcing of products and services and communication and exchange of information. Personal Information, such as individual names, business address, business email, phone number, and non-Personal Information is retained for those providing consent to enable GEP to continue to provide information such as white papers and industry specific data to visitors of our Mobile application. Personal Information may also be required for use by our clients, and suppliers of our customers, of some features within GEP’s solution and to provide procurement services. Any Personal Information is stored in Microsoft® Azure® data centers in the U.S. & Europe where GEP’s technology platform solution is hosted. This web link to the Microsoft® web sites describes the privacy policy and practices that govern use of Azure® and Microsoft®’s other enterprise online services.

https://privacy.microsoft.com/en-ca/privacystatement

In addition to maintaining information, GEP may use your Personal Information for its internal business operations, to provide you with a subscription, including research and analysis in order to optimize the mobile application and the services provided thereby and better serve its client’s and members' needs.

Because GEP understands the importance of protecting the privacy of visitors to its mobile application, its clients and the suppliers to its clients (members) and maintaining the security of the Personal Information, GEP pledges that no Personal Information will be disclosed, distributed, published, disseminated, sold, traded, or shared with any third party, including advertisers, business or governmental organizations, or other clients or members.

Provided, however, that GEP shall be entitled to disclose Personal Information and/or member information to third parties in the following situations

When such disclosure is necessary to facilitate communications with members or transactions between members in accordance with the normal operation or services and transactions between members and clients;
When such disclosure is so ordered by any court, administrative body, governmental agency or regulatory agency, or when GEP in good faith determines that it is legally required to make such disclosure, or when such disclosure is requested by law enforcement authorities in connection with their investigations, or in the event of an emergency;
When enforcing the terms of the Agreement (including this privacy policy);
When communicating with a visitor to the Mobile application, a client or member outside of GEP’s mobile applications and software platforms;
When GEP in good faith determines that such disclosure is necessary to correct what GEP believes to be false or misleading information or to address activities that GEP believes to be manipulative or deceptive;
GEP may aggregate and publish member information relating to activity within GEP’s non-public mobile applications and software platforms, but such aggregated member information shall not include any member information that could be used to personally identify you; and
GEP may share Personal Information with our global affiliates, parent, subsidiaries, agents and integrated service providers that cooperate to provide content to visitors of the Mobile application, and/or to provide GEP’s technology platform to clients. GEP Affiliates follow practices no less protective as per practices described in this policy and to the extent allowed by applicable law.

2.1. Personal Information

GEP collects personal data to operate effectively and provide you the best experiences within GEP’s Mobile application, as well as within GEP’s products and services and non-public mobile applications and software platforms. Visitors, Clients, and members provide this data directly while registering on our mobile applications, through emails, by visiting our Mobile application and/or by updating their profile in the SMART by GEP® technology platform procurement tool and mobile application and through cookies.

IP address Information

Depending on whether you download and access the Mobile application, or are a client or member of the mobile application and/or software platform, the information gathered may include your Internet Protocol (IP) address, device and application identification numbers, your location, your browser type, your Internet service provider and/or mobile carrier, the pages and files you viewed, your searches, your operating system and system configuration information, and date/time stamps associated with your usage. Due to Internet communications standards, when you download or access the Mobile application and Services, we automatically receive information pertaining to your access. This information is used to analyze overall trends, to help us improve our Mobile application and Services, to track and aggregate non-personal information, and to provide the Mobile application and Services.

Cookies

Cookies are digital text files containing small amounts of mobile application visitor or member information. Cookies are stored to the computer or mobile device through an internet browser, mobile application and allow us to recognize and manager session of our mobile application users.

Why do we use cookies and similar technologies?

Cookies help in many ways, for example, letting you navigate in the mobile application easily, remembering your preferences and generally improving your experience of using the mobile application. They can also help make the advertisements you see online more relevant to you and your interests.

How does GEP use cookies for marketing and analytics?

We may use information collected from cookies through our mobile application to identify user behavior and to serve content and offers based on user profiles, and for other purposes listed below, to the extent that is legally permissible in certain jurisdictions.

Some cookies we use don't collect information that identifies an individual visitor. For example:

Performance cookies (see table below)
Targeting cookies (see table below)

In other cases, we may be able to associate cookie information (including information from cookies placed through our advertisements on third-party mobile applications) with an identifiable individual. For example:

When we send you an email which includes web beacons, cookies or similar tracking technologies. we can determine whether you’ve opened, read, or deleted the message.
When you click a link in a marketing e-mail you’ve received from GEP, we can use a cookie to log the pages viewed and content download from our mobile applications, even if you are not a registered member of — or signed into — our mobile application.
Combination and analysis of personal data – As described above, we may combine data from publicly available sources, and from our different e-mail, mobile application, and personal interactions with you (including information collected across our different mobile applications, such as our corporate sites and careers and information collected when you sign up or log on to our mobile application, or connect to our sites using your social media credentials (such as LinkedIn). We may combine this data to better assess your experience with GEP and to perform the other activities described in our privacy policy.

Do you use any cookies from third-party companies?

Some of the cookies we use are from third-party companies — such as Google Analytics, Pardot, Remarketing, and LinkedIn Analytics — to provide us with analytics and intelligence regarding our mobile applications. These companies use programming code to collect information about your interactions with our mobile applications, such as the pages you’ve visited, the links you’ve clicked on, and the time you’ve spent on our mobile applications. This code is only active while you are on our mobile application.

Does GEP use any non-cookie tracking technologies?

We may also use beacons (including conversion pixels) or other tracking technologies for similar purposes as above and we may include these on our mobile applications, in marketing e-mail messages, newsletters, and affiliated mobile applications, to determine whether you have opened the messages or have clicked on the links. Beacons do not place information on your device, but they may work in conjunction with cookies to monitor mobile application activity. The information provided below about cookies also applies to beacons and similar technologies. Conversion pixels are small codes located on a particular page which are triggered when someone visits a page resulting in an increase in the conversion count.

What if I don’t want to have cookies on my device?

By using our Mobile applications and/or our non-public mobile applications and software platforms, you agree that we can place cookies on your device as explained in our terms of use. If you want to remove existing cookies from your device, you can do this by using your browser options. If you want to block future cookies being placed on your device, you can do so by changing your browser settings. For more information on how to manage your cookies, see All About Cookies - Manage Cookies. Currently, our Mobile application, our non-public mobile applications and software platforms do not recognize "Do Not Track" initiatives.

Please note that blocking and deleting cookies will impact your user experience as parts of the specific mobile application may no longer work properly. Unless you have blocked cookies using your browser, our system will issue cookies as soon as you visit any of our mobile applications or click on a link in a targeted email that we have sent you, even if you have previously deleted our cookies.

What types of cookies are there, and which ones does the mobile application use?

The cookies used on GEP application have been categorized on the basis of the categories found in the ICC UK Cookie Guide issued in 2012. However, it is important to note that not all cookies may be used in all jurisdictions or mobile applications. A list of all the cookies used on this mobile application by category is set out below. Within these four categories below, cookies are classified as either session or persistent cookies.

“Session” cookies are temporary and once you close the browser window, they are deleted from your device.

“Persistent” cookies remain on your device for a longer period and are used by the mobile application to recognize your device when you return. You can find more information about cookies at: All About Cookies and Your Online Choices.

GEP uses both session and persistent cookies.

Category	Examples
Strictly Necessary cookies -- These cookies are essential in order to enable you to move around the mobile application and use its features, such as accessing secure areas of the mobile application. Without these cookies, services you have asked for cannot be provided.	We categorize the following as Strictly Necessary cookies: Registered User cookie – A unique identifier given to each registered user, used to recognize them through their access and when they return to the application. (See also Functionality cookies below.)
Performance cookies - These cookies collect information about your visit and use of this mobile application, for instance which pages you visit the most often, and if you get error messages from pages. All information these cookies collect is only used to improve how this mobile application works.	We categorize the following as Performance cookies: Referrer URL (internal page) – Used to store the URL of the previous page visited. Allows us to track how users navigate throughout our mobile application. URL history – Used to store the pages accessed by a user. Session Management cookies – These cookies allow us to follow the actions of a user on our mobile application during a browser session. A browser session starts when a user opens the application window, visits our application pages and finishes when they leave and close our application. Our Session Management cookies are created temporarily. Once you close your application, our Session Management cookies are deleted.
Functionality cookies These cookies allow a mobile application to remember choices you make (such as your user name, language or the region you are in) and provide more enhanced, personal features. These cookies cannot track your browsing activity on other mobile applications. They don’t gather any information about you that could be used for advertising or remembering where you’ve been on the Internet outside our mobile application.	We categorize the following as Functionality cookies: Registered User cookie – A unique identifier given to each registered user to our application, used to serve them content and offers based on their profiles. Also used for analysis and marketing purposes. (See also Strictly Necessary cookies above.)
Targeting cookies - These cookies are used to (1) deliver advertisements more relevant to you and your interests; (2) limit the number of times you see an advertisement; (3) help measure the effectiveness of the advertising campaign; and (4) understand people’s behavior after they view an advertisement. They are usually placed on behalf of advertising networks with the site operator’s permission. They remember that you have accessed the application and quite often they will be linked to application functionality provided by the other organization.	GEP does not use third-party advertising on our mobile application, so we do not use these Targeting cookies for advertising but we use them for gathering analytics and intelligence about the mobile application.

If you have any questions now or during your visit, please submit your request through our Contact Us form.

Contact Information

GEP provides cutting edge procurement technology, consulting and outsourcing services to its clients across the globe. To operate effectively and provide efficient services to our clients, GEP collects email address, phone numbers and designations of the client users accessing procurement applications. This information helps GEP to establish smooth and secure communication with GEP clients. GEP processes personal data, consisting primarily of individual names and individual’s email addresses, as it may relate to, or be included with, any data provided to GEP by its’ clients and their suppliers, solely for uses relative to providing procurement services.

3.Privacy principles

GEP complies with the Privacy requirements as set forth by the European Union’s data protection regulation regarding the collection, use, and retention of Personal Information transferred from the European Union and/or Switzerland to a third country or an international organization outside the European union. GEP adheres to the privacy principles relating to the processing of personal data.

Personal Information is processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’).
Personal Information is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’).
Personal Information is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (‘data minimization’).
Information is accurate and, where necessary, kept up to date; every reasonable step is taken to provide that personal data which is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay (‘accuracy’).
Information is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed (‘storage limitation’).
Information is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).
When we collect your personal data, we'll give you timely and appropriate notice describing what personal data we’re collecting, how we'll use it, and the types of third parties with whom we may share it. We’ll give rights to access your personal data and method to communicate for any change.
We’ll give you choices about the ways we use, share your personal data, and we'll respect the choices you make.
To transfer Personal Information to a third party acting as a controller, we will comply with the Notice and Choice Principles. We will enter into a contract with the third-party controller to provide the same level of protection as the Principles.
We will take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data.
We will not process Personal Information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, we will take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current.
We'll provide ways for you to access your personal data, as required by law, so you can correct inaccuracies.
We’ll provide independent recourse mechanism by which each individual’s complaints and dispute are investigated and expeditiously resolved at no cost to the individual.

Privacy Shield

GEP complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States. GEP has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this Privacy Notice and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/

4.Individual rights

Please note the following which apply to an individual, in reference to the GDPR and a controller. In most circumstances, GEP is not considered a controller and is operating as a processor.

An individual has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit the data to another controller without hindrance from the controller to which the personal data have been provided.
An Individual has the right to object, on grounds relating to his or her particular situation, at any time, to the processing of personal data concerning him or her, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual or for the establishment, exercise or defense of legal claims.
An Individual has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
An individual has right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed, and, where that is the case, access to the personal data and the following information is provided:

The purposes of the processing.
The categories of personal data concerned.
The recipients or categories of recipient to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organizations.
Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period.
The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing.
The right to lodge a complaint with a supervisory authority.
Where the personal data is not collected from the data subject, any available information as to their source.

An individual has rights to deny or withdraw the consent anytime where relevant.
An individual has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.
An individual has the right to obtain from the controller the erasure or forgotten of personal data concerning him or her without undue delay.
An individual has the right to obtain from the controller restriction of processing in a situation where accuracy of the personal data is contested by the data subject, the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead.
The notification of personal data breaches with serious impact on the individual privacy will be reported to supervisory authorities and the communication of such personal data breaches to data subjects.
GEP may be subject to liability in cases of onward transfers to third parties.

5.Security of personal data

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we have implemented appropriate technical and organizational measures to provide a level of security appropriate to the risk.

The pseudonymization and encryption of sensitive or special category sensitive data.
The ability to provide the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
We have implemented technical controls to prevent unauthorized access to or unauthorized alteration, disclosure or destruction of information we hold.

We have encrypted many of our services using the latest strong encryption technologies.
We provide secure authentication to access non-public information.
We restrict access to Personal Information to employees, contractors and agents who need to know that information in order to process it for us, and who are subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations.

6.Compliance and cooperation with regulatory authorities

We regularly review our compliance with our Privacy Notice. We also adhere to regulatory frameworks, including the EU-US and Swiss-US Privacy Shield Frameworks and GDPR (General Data Protection Regulations). GEP is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC), the Department of Transportation or any other U.S. authorized statutory body.

When we receive formal written complaints, we will contact the person who made the complaint to follow up. We will work with the appropriate regulatory authorities, including local data protection authorities, to resolve any complaints regarding the transfer of personal data that we cannot resolve with our users directly.