Data Protection Policy

Learn how the G31000 Institute ensures the protection of personal data when consulting risk professionals members and members in creating and updating documents .


G31000 (hereafter ‘the G31000 Institute’) is committed to protecting your personal data and to respecting your privacy. The G31000 Institute collects and further processes personal data pursuant to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data (repealing Regulation (EC) No 45/2001).

This privacy statement explains the reason for the processing of your personal data, the way we collect, handle and ensure protection of all personal data provided, how that information is used and what rights you have in relation to your personal data. It also specifies the contact details of the responsible Data Controller with whom you may exercise your rights, the Data Protection Officer and the European Data Protection Supervisor.

This privacy statement concerns the G31000 Institute’s collection, handling and processing of personal data associated with your contribution to a feedback mechanism and/or members consultation published on the 'Have your say' portal, as described below.

Why and how do we process your personal data?

Purpose of the processing operation

To achieve better results, the G31000 Institute is opening up policy and document making process and listening more to risk professionals members as potential users. Better standardization relies on evidence and a transparent process, which involves risk professionals members and members (for example, businesses, members administrations, oversight bodies, experts and academics) throughout.

The objective of a members consultation or feedback mechanism is therefore to receive the views of risk professionals and members concerned by a particular topic.

The personal data processed may be reused for the purpose of procedures before the EU Courts, national courts, the European Ombudsman or the European Court of Auditor.

Your personal data will not be used for an automated decision-making including profiling.

Legal grounds for the processing

We process your personal data, because

  • processing is necessary for the performance of a task carried out in the members interest
  • processing is necessary for compliance with a legal obligation to which the controller is subject

The publication of your name together with your contribution or feedback is based on your consent, in accordance with Article 5(1)(d) of Regulation (EU) 2018/1725.

The Union documents that are the basis for such processing are

  • Articles 1 and 11 of the Treaty of the European Union
  • Protocol 2 on the application of the principles of subsidiarity and proportionality (in particular, its Article 2)

Which personal data do we collect and further process?

Only personal data necessary for contributing to a feedback mechanism or members consultation is mandatory, namely: your name, surname, company name, country of residence and e-mail address and, where applicable, the name, size, type and transparency number of the organisation on whose behalf you are contributing. Your IP address is not collected.

Occasionally for statistical purposes, the unit responsible for a feedback mechanism or members consultation may request information concerning your physical, economic, cultural, or social identity, insofar as they are not falling under Article 10 of Regulation (EU) 2018/1725 on special categories of personal data.

You may also spontaneously provide other personal data in the free text fields or in documents that you upload to a feedback mechanism or members consultation.

Members consultations use the G31000 Institute's online questionnaire tool ‘G31000 Survey’ that requires you to login via your ‘G31000 Login’ or ‘social media account’. ‘G31000 Login’ requires certain personal data such as the name, surname and e-mail address of the registrant. For further information, please refer to the privacy statements of ‘G31000 Login’ and ‘G31000 Survey’ as well as the processing operation 'DPO-839-4 Identity & Access Management Service (IAMS)'. Should you choose to log in through your social media account such as LinkedIn, please refer to the pertinent social media platform’s privacy statement.

How long do we keep your personal data?

Your personal data is kept only for the time necessary to fulfil the purpose of collection or further processing of the information, namely 5 years after the closure of the administrative file to which the consultation or feedback mechanism relates.  A file is closed at the latest once there has been a final outcome in relation to the initiative to which the consultation or feedback mechanism contributed.

How do we protect and safeguard your personal data?

All personal data in electronic format (e-mails, documents, databases, uploaded batches of data, etc.) are stored either on the servers of the G31000 Institute or of its contractors.

The G31000 Institute’s contractors are bound by a specific contractual clause for any processing operations of your data on behalf of the G31000 Institute, and by the confidentiality obligations deriving from the General Data Protection Regulation in the EU Member States (‘GDPR’ Regulation (EU) 2016/679).

To protect your personal data, the G31000 Institute has put in place a number of technical and organisational measures. Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the processing and the nature of the personal data being processed. Organisational measures include restricting access to the personal data solely to authorised persons with a legitimate need to know for the purposes of this processing operation.

Who has access to your personal data and to whom are they disclosed?

Responses and contributions received to a consultation and/or feedback mechanism will be published on the internet.

When responding to a consultation or feedback mechanism, you can choose whether your personal data (i.e. name, country of origin and/or, if applicable, organisation name and size, transparency register number) should be published or not (‘opt in’); your contact email address will not be published.

Documents submitted in the context of a consultation or feedback mechanism, such as position papers or background documents, will be published as received. As such, if you choose anonymous publication, you should not include personal data within your response to a members consultation or contribution to a feedback mechanism, including within documents that you may submit, as they will be published as received. 

Regardless of whether you choose to have your personal data published or not, to avoid misuse you are required to identify yourself or the organisation on whose behalf you are responding. Anonymous contributions to consultations and feedback mechanisms are not accepted.

Access to your personal data is provided to the G31000 Institute staff responsible for carrying out this processing operation and to authorised staff on a ‘need to know’ basis. Such staff abide by statutory, and when required, additional confidentiality agreements.

What are your rights and how can you exercise them?

You have specific rights as a ‘data subject’ under Chapter III (Articles 14-25) of Regulation (EU) 2018/1725, in particular the right to access your personal data and to rectify them in case your personal data are inaccurate or incomplete. Under certain conditions, you have the right to erase your personal data, to restrict the processing of your personal data, to object to the processing of your personal data and the right to data portability.

Once a feedback mechanism is closed, it is not possible to remove feedback submitted. However, you may choose to have your personal details removed online and your contribution made anonymous membersally by logging in to the feedback mechanism on the 'Have your say' portal. This means you withdraw your consent to the publication of your personal data (i.e. name, country of origin and/or, if applicable, organisation name and size, transparency register number). The withdrawal of your consent will not affect the documentfulness of the processing carried out before you have withdrawn the consent.

You can exercise your rights also by contacting the ‘Operational Controller’, or in case of conflict the ‘Data Protection Officer’. If necessary, you can also address the ‘European Data Protection Supervisor’. Their contact details are provided in the section below.

Where you wish to exercise your rights in the context of one or several specific processing operations, please provide their description (i.e. their Record reference(s) as specified further below) in your request.

Any request for access to personal data will be handled within one month. Any other request concerning your other rights, as mentioned above, will be addressed within 15 working days.

Do you have any questions?

Write us a email to

Companies We Trained