Privacy Policy
PRO Circularity Alliance – European Association of Producer Responsibility Organisations AISBL
Date: 09 January 2026
Website: https://procircularityalliance.eu/
1. Purpose and Regulatory Context
PRO Circularity Alliance – European Association of Producer Responsibility Organisations AISBL (the “Association”, “we”, “us”) considers the protection of personal data to be an essential component of institutional credibility, transparency and responsible governance. In light of the Association’s activities within the European circularity ecosystem and its interactions with professional, regulatory and public stakeholders, personal data is processed with particular care and restraint.
This Privacy Policy explains how and for which purposes the Association processes personal data through its website and electronic communication channels. It is adopted in accordance with Regulation (EU) 2016/679 (the “GDPR”), the Belgian Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data, and the relevant guidance issued by European data-protection authorities. It applies to all visitors of the website and to all individuals whose personal data is processed in the context of online interactions with the Association.
2. Controller
The controller of the processing activities described in this Privacy Policy is:
PRO Circularity Alliance – European Association of Producer Responsibility Organisations AISBL
Rond Point Schuman, Box 5,
1040 Brussels, Belgium
Enterprise number: 1028.579.288
All questions relating to this Privacy Policy or to the exercise of data-subject rights may be addressed to: info@procircularityalliance.eu or via contact form.
The Association acts through its governing bodies in accordance with its Articles of Association. Given the limited nature and scope of its processing activities, the Association is not required to appoint a Data Protection Officer within the meaning of Article 37 of the GDPR. This assessment is periodically reviewed as activities evolve.
3. Categories of Personal Data processed
The Association processes only personal data that is adequate, relevant and limited to what is strictly necessary for its website operations and institutional communications.
When individuals contact the Association via the website or electronic means, the data processed include professional identification and contact details (i.e., name, professional role, organisation and business email address), as well as the content of the message and basic communication metadata.
When the website is accessed, limited technical data may be processed automatically, including partial or truncated IP addresses, device and browser information, access timestamps, visited pages, referring URLs, and security or diagnostic logs generated in the context of hosting and cybersecurity.
Where applicable, the Association also processes cookie-consent choices in order to apply user preferences and demonstrate compliance with applicable rules.
The Association does not intentionally process special categories of personal data within the meaning of Article 9 of the GDPR, does not engage in behavioural advertising, profiling or automated decision-making, and does not use the website as a marketing or membership-administration platform.
4. Purposes of Processing
Personal data is processed exclusively for legitimate, explicit and proportionate purposes. These purposes include responding to enquiries and managing professional communications initiated via the website, ensuring the technical functionality, stability and security of the website, preventing and addressing misuse or cyber incidents, and recording cookie-consent choices.
Given the Association’s institutional nature, limited professional contact data may also be processed in the context of governance-related and administrative communications with members, authorities, technical partners or other stakeholders, insofar as this is necessary for transparency, accountability and the proper functioning of the Association. Such processing remains strictly professional and purpose-bound.
5. Legal Bases for Processing
Processing activities are carried out on the legal bases provided for in Article 6 of the GDPR. Personal data submitted via the contact form or other electronic communications is processed in order to take steps at the request of the data subject and to respond to such requests. Processing of technical and security-related data necessary for the operation and protection of the website is based on the Association’s legitimate interests. Where non-essential cookies or optional third-party services are used, processing is based on the data subject’s consent. Consent may be withdrawn at any time without affecting the lawfulness of processing carried out prior to the withdrawal.
6. Cookies and Similar Technologies
The website may use cookies or comparable technologies that are strictly necessary to ensure basic functionality, security and the preservation of user preferences. Any non-essential cookies or optional services are activated only after valid consent has been provided through the cookie banner, where applicable. Users may review, modify or withdraw their consent at any time through the cookie settings available on the website.
7. Recipients and Processors
Access to personal data is limited to authorised persons within the Association who require it for the purposes described in this Privacy Policy.
For the operation and security of the website and the handling of electronic communications, the Association relies on external service providers acting as processors within the meaning of Article 28 of the GDPR. These processors act exclusively on the Association’s documented instructions and are subject to appropriate contractual, technical and organisational safeguards.
In particular, the Association uses the following processor for website hosting and related technical services:
Mittwald CM Service GmbH & Co. KG.
Where applicable, the Association may use a customer relationship management (CRM) service provider to manage professional contacts and communications. In this context, limited professional identification and contact data may be processed through HubSpot, Inc., acting as a processor. HubSpot processes personal data exclusively on the Association’s documented instructions and provides appropriate safeguards in accordance with the GDPR.
The Association may also use an EU-based email service provider for the receipt and handling of contact form enquiries.
Personal data is not sold, rented or disclosed to advertisers or data brokers.
8. International Data Transfers
Where optional third-country services are enabled by the data subject and depending on their technical configuration, limited technical data may be transferred outside the European Economic Area, including to the United States. In such cases, the Association relies on transfer mechanisms recognised under Chapter V of the GDPR, such as an applicable adequacy decision or the European Commission’s Standard Contractual Clauses, supplemented where necessary by additional safeguards to ensure a level of protection essentially equivalent to that guaranteed within the European Union.
9. Data Retention
Personal data is retained only for as long as necessary for the purposes for which it was collected. As a general rule, communications submitted via the contact form are retained for up to twelve months, server logs for up to thirty days, diagnostic and security logs for up to ninety days, and cookie-consent records for up to six months, unless a longer retention period is required for legal compliance or for the establishment, exercise or defence of legal claims. The Association does not retain personal data indefinitely and periodically reviews its retention practices.
10. Security and Confidentiality
The Association implements appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or unauthorised access. These measures are proportionate to the limited scope and nature of the processing activities carried out through the website and reflect a risk-based approach consistent with the GDPR.
11. Rights of Data Subjects
In accordance with Articles 12 to 23 of the GDPR, data subjects have the right to request access to their personal data, rectification of inaccurate or incomplete data, erasure, restriction of processing, and, where applicable, data portability. Data subjects may also object to processing based on legitimate interests, and may withdraw consent at any time where processing is based on consent. Requests should be submitted to info@procircularityalliance.eu or submitted via contact form and will be handled within the statutory time limits, subject to identity verification where necessary.
12. Complaints and Supervisory Authority
Without prejudice to any other administrative or judicial remedy, any data subject who considers that the processing of personal data relating to him or her infringes the GDPR has the right to lodge a complaint with the competent supervisory authority.
In Belgium, the competent authority is:
Autorité de protection des données / Gegevensbeschermingsautoriteit
Rue de la Presse 35
1000 Brussels
Website: https://www.autoriteprotectiondonnees.be
Contact page: https://www.autoriteprotectiondonnees.be/contact
Data subjects are encouraged to contact the Association first at info@procircularityalliance.eu so that any concerns may be addressed promptly and constructively.
13. Updates to this Privacy Policy
This Privacy Policy may be updated to reflect legal developments, operational changes or technological evolution. The date indicated at the top of the document corresponds to the most recent revision.