Data Confidentiality and Privacy Policy

Version: 1.0

Date: 28 August 2025

Introduction and Purpose

The Global Tuna Alliance (GTA) is committed to protecting the confidentiality of all supply chain data entrusted to us by our partners. This standalone policy outlines how GTA and its partners (retailers and their suppliers) handle confidential supply chain information – including volumes, fisheries, and supplier-specific data – in a secure and legally compliant manner. The purpose of this policy is to ensure all parties understand their obligations and rights regarding data confidentiality, and to foster trust that sensitive business information will be protected at all times. This policy is not tied to any specific contract; it applies broadly to GTA’s operations and collaborations with partners across multiple jurisdictions.

Scope and Applicability

Geographical Scope: This policy applies to GTA and all data-sharing partners in the United States, United Kingdom, European Union, and South Africa. We adhere to the data privacy and confidentiality laws and regulations of each of these jurisdictions, including but not limited to the EU’s General Data Protection Regulation (GDPR), the UK Data Protection Act (DPA) 2018 (and UK GDPR), the California Consumer Privacy Act (CCPA) in the US, and South Africa’s Protection of Personal Information Act (POPIA).

Parties Covered: All GTA employees, contractors, and authorized personnel who process partner data are bound by this policy. Likewise, all partner organizations (retailers and their downstream suppliers) that share data with GTA are expected to understand and respect the confidentiality provisions herein. Third-party service providers who handle the data on GTA’s behalf (such as our platform host) are also required to comply with equivalent confidentiality and data protection standards as described in this policy.

Information Covered: This policy covers all supply chain data submitted to GTA by partners or generated through GTA’s systems. This includes, for example, sourcing volumes, details of fisheries, supplier identities and performance data, and any associated personal information (such as contact details of partner personnel or suppliers, if provided). All such information is considered “Confidential Information” under this policy. It will be handled with strict confidentiality and in compliance with applicable privacy laws, regardless of whether it is business-sensitive data or personal data relating to identified individuals or entities.

Legal and Regulatory Compliance

EU and UK – GDPR / Data Protection Act: We comply with the GDPR (and the UK’s equivalent DPA 2018), which govern how personal data must be collected, processed, and protected. GTA ensures there is a lawful basis for any processing of personal information, such as consent or legitimate interests, and that only data necessary for specified purposes is collected. We uphold principles like transparency, purpose limitation, data minimization, accuracy, storage limitation, and integrity/confidentiality as set out in these laws. For example, in line with GDPR requirements, if a data breach involving personal data occurs, GTA will notify the appropriate supervisory authorities (and affected individuals when required) within 72 hours of becoming aware of the breach.

United States – CCPA (California): For partners or data subjects under the jurisdiction of CCPA, GTA’s practices ensure transparency in how personal information is collected, used, and shared. Although the supply chain data we handle is primarily business-related (and often not directly consumer personal data), if any personal information of California residents is included, we will honor CCPA rights such as the right to know, delete, or opt-out of sale (noting that GTA does not sell any personal data). We do not discriminate against any individual for exercising their privacy rights under CCPA. Clear mechanisms are in place for any data subject to contact GTA regarding their data, and our privacy notices will reflect the requirements of CCPA as applicable.

South Africa – POPIA: GTA complies with South Africa’s POPIA when handling personal information of South African partners or individuals. POPIA’s conditions for lawful processing (such as accountability, purpose specification, further processing limitation, information quality, openness, security safeguards, data subject participation, etc.) are embedded in our data management processes. Notably, POPIA extends protection to information about juristic persons (companies) as well as natural persons, meaning GTA treats even business supply chain data as confidential information. Any third-party operator processing data for GTA (e.g., our IT contractor) is legally bound to treat personal information as confidential and not disclose it without authorization, and must report data breaches to GTA immediately. GTA in turn will notify the South African Information Regulator and affected parties of breaches as required by POPIA.

GTA constantly monitors changes in privacy legislation and ensures ongoing compliance. All data processing agreements with partners or service providers reflect the requirements of these laws, and where necessary (for example, in cross-border data transfers from the EU), we implement appropriate safeguards such as Standard Contractual Clauses or rely on adequacy decisions to ensure data is protected in transit and storage.

Roles and Responsibilities

Global Tuna Alliance (GTA): GTA acts as the data custodian (and in many cases the “data controller” or “responsible party” under data protection law) for the supply chain data collected. GTA is responsible for implementing and enforcing this confidentiality policy across the organization. GTA will determine the purposes for which the data is used (limited to alliance objectives) and ensure compliance with all applicable laws. GTA staff are trained on confidentiality obligations and data protection best practices. All GTA personnel with access to partner data must adhere to strict non-disclosure obligations, using the information only for authorized purposes and protecting it with the utmost care. GTA also designates an Information Security/Data Protection Officer (or equivalent responsible official) to oversee compliance, handle any questions or requests regarding data, and manage incident response including breach notifications.

Data Partners (Retailers and Suppliers): Each partner providing data retains ownership of their own supply chain information. Partners serve as the source of data and are considered “data subjects” or even co-controllers for certain datasets (particularly where they determine what data to submit). Partners are expected to only share data that they have the right to disclose and that is accurate to the best of their knowledge. They should also comply with any obligations under privacy laws (for instance, providing any required notices to their own staff or suppliers if personal data is included in what they share). Partners have the right to expect that their data will be kept confidential and secure by GTA, and they may request access to or deletion of their data from GTA’s systems at any time, consistent with applicable law. Partners also agree not to attempt to access data of other partners and to respect the confidentiality of any aggregated results or reports provided to them through GTA.

Web Labs Ltd (Hosting and IT Service Provider): Web Labs Ltd is a UK-based contractor engaged by GTA to develop, host, and support the GTA Partner Dashboard platform. Web Labs acts as a data processor (or “operator” under POPIA) processing data on GTA’s behalf. Per our Master Services Agreement, Web Labs is bound by a comprehensive Non-Disclosure Agreement (NDA) and Service Level Agreement (SLA). Under these agreements, Web Labs must: hold all GTA and partner data in strict confidence, not disclose it to any unauthorized party, and use it solely for the purposes of providing the contracted services. Web Labs is required to implement robust security controls (aligned with ISO 27001 standards) including encryption in transit and at rest, access controls, and other measures to safeguard data. Web Labs personnel accessing the data are limited to those with a legitimate need and are themselves bound by confidentiality obligations equal to those of GTA staff. In the event of any security incident or breach on their side, Web Labs must promptly inform GTA so that we can take appropriate action. GTA’s contract with Web Labs also affirms that all data processed remains the property of GTA or our partners (as applicable), and Web Labs has no rights to such data beyond providing the service.

Other Third Parties: GTA does not routinely share partner confidential data with any third parties besides Web Labs. If in the future GTA engages any additional service providers or advisors who need access to partner data, such parties will only be engaged under strict confidentiality agreements and with obligations equivalent to those outlined in this policy. They would act only on GTA’s instructions and for the limited purposes defined, in line with applicable data protection laws. GTA will maintain a list of any such authorized processors and make it available to partners upon request.

Data Collection and Use Practices

Data Collection: GTA collects supply chain data from partners through secure means. The types of data we collect are limited to what is necessary for GTA’s mission of improving tuna sustainability and supply chain transparency. This may include data such as total tuna volumes, source fisheries and their locations, certifications or sustainability ratings, details of supply chain participants, and related compliance information. Whenever personal data might be incidentally collected, GTA will collect such data in compliance with consent requirements or other lawful bases and will clearly inform the partner of the purpose at the time of collection.

Purpose of Use: All collected data is used exclusively for the legitimate purposes of the Global Tuna Alliance, namely: to measure and report on progress towards sustainable tuna commitments, to provide partners with insights and benchmarking, and to facilitate collaborative efforts to improve supply chain practices. GTA will not use partner data for any other purpose outside of our stated mission. Each party’s confidential data will only be used for the benefit of that party and the broader alliance objectives in an aggregated, anonymized manner. In no event will GTA or its contractors use a partner’s data for any purpose that is incompatible with the purpose for which it was collected without obtaining the partner’s prior written consent.

Data Minimization: GTA follows the principle of data minimization – we request and retain only the minimum data necessary to achieve the intended outcomes. Partners will not be asked to provide irrelevant or excessive data. The data collection forms and templates are designed to avoid collection of sensitive personal data unless absolutely required. If any such sensitive data is ever collected, it will be handled with additional safeguards per legal requirements.

Confidentiality and Access Controls

Partner data is not accessible to GTA Board members or the Partner Advisory Group (PAG). Access is limited solely to assigned GTA employees and contracted technical service providers with a specific need-to-know basis. This is a deliberate design choice to preserve confidentiality and avoid any perception of competitive or political influence.

Internal Access: Access to confidential partner data within GTA is strictly limited to authorized personnel who need the information to perform their duties. GTA operates on a role-based access control model. All GTA employees and contractors with access sign confidentiality agreements and are obligated to handle information with care. Partner data is labeled and stored in restricted-access systems, and any misuse or unauthorized access is a serious disciplinary matter.

Partner Access: Each data partner will have access to their own data through the GTA portal or via reports. Partners will not be able to access other partners’ submissions or confidential details. The system is designed with tenant isolation and any comparative reports are anonymized and aggregated so that no individual company is identifiable without consent.

Third-Party Access: Aside from the partner and authorized GTA staff, the only other party with regular access to raw data is Web Labs Ltd as needed for maintenance and support. Any other third party that might handle the data is similarly bound by strong confidentiality and security terms. GTA does not grant access to any government or regulatory agency unless required by law, and will notify partners when permissible.

Non-Disclosure Assurance: Every person or entity with access to partner confidential data is required to hold it in strict confidence and not disclose it further. Obligations of confidentiality continue even after employment or partnership ends, until the information enters the public domain through no fault of GTA or disclosure is agreed.

Data Sharing and Disclosure Restrictions

No Sharing Between Partners: GTA guarantees that one partner’s supply chain data will never be shared with or disclosed to another partner without permission. Data is siloed and confidential. Even within GTA, data is handled on a need-to-know basis.

Aggregate Reporting: GTA may produce industry-wide reports or aggregate analyses that use anonymized and aggregated data only. No individual company or supplier will be identifiable without consent. Aggregation is done to prevent reverse engineering of any single partner’s data.

External Disclosure Prohibitions: GTA will not disclose partner-provided confidential data to any external entity except if required by law, if the partner consents, or to contracted processors bound to confidentiality. Any requests from external parties will be refused or satisfied only with sufficient anonymization or consent.

Data Processing by Web Labs: Web Labs will not share or sub-process data beyond what is needed to host the platform. They have no ownership or independent rights over the data and cannot subcontract handling without GTA’s approval and equivalent confidentiality commitments.

Data Security and Storage Measures

Secure Hosting: All partner data is stored on secure servers managed by Web Labs Ltd in the UK, protected in certified data centers aligned with ISO 27001. The environment includes access control, encryption, network security, high availability, and regular backups.

Encryption: Data is encrypted in transit (TLS/HTTPS) and at rest. Sensitive fields are encrypted within storage and keys are managed securely and rotated.

Access Controls: Role-based permissions protect user access. Strong authentication is enforced. Administrative access to servers or databases is limited and logged with audit trails.

Secure Development and Testing: Changes are developed and tested in secure environments. Live confidential data is not used in non-production without masking or anonymization. The platform is tested for vulnerabilities.

Monitoring and Prevention: Monitoring tools detect unusual activities. Firewalls, intrusion detection, and anti-malware protections are in place. Incidents are investigated immediately.

Employee and Contractor Training: Staff are trained on secure data handling and confidentiality. Access is granted on a need-to-know basis.

Compliance and Audits: Processes are reviewed periodically, including internal and independent audits. Partners may request summaries or certifications under appropriate confidentiality.

Data Ownership and Intellectual Property

Each partner retains ownership over the supply chain data they provide. GTA is a steward and custodian with a license to use data for alliance objectives. GTA claims no IP over raw partner data. Aggregated analyses produced by GTA are owned by GTA only in aggregated form and will not reveal a partner’s confidential information without consent. GTA owns the platform and methodologies but not partner-submitted content. Partners may request extraction of their data at any time.

Data Breach Notification and Incident Response

Immediate Containment: Upon detection of a potential breach, GTA and Web Labs will work to contain the incident by isolating systems, revoking credentials, or shutting off functions as needed.

Investigation: GTA will promptly investigate the scope and root cause, determine affected data and partners, and leverage logs and forensic tools with Web Labs’ assistance where relevant.

Partner Notification: GTA will inform affected partners without undue delay and, where required, notify authorities within regulatory timelines (e.g., GDPR’s 72-hour rule). Partners will receive information on the nature of the breach, affected data, mitigation steps, and recommended actions.

Authority Notification: GTA will notify relevant authorities as required by law in the applicable jurisdictions. Web Labs is required to promptly notify GTA of breaches on their side.

Remediation and Follow-up: GTA will remediate vulnerabilities, enhance monitoring, and provide support to affected partners. Incidents are reviewed to strengthen safeguards and partners are informed upon resolution.

Documentation: GTA documents all incidents, responses, and notifications in an internal breach register and can provide reports to affected partners.

Data Retention and Destruction

Retention Period: Data is retained as long as needed to fulfill alliance objectives, enabling year-on-year comparisons and trend analysis. Data no longer needed is deleted or anonymized.

End of Participation: When a partner exits, data is archived briefly and then securely deleted or returned upon request. GTA can export and then purge data, providing written confirmation of removal.

Ongoing Programs: For active partners, data is retained for longitudinal analysis with schedules per category. Personal data is deleted or anonymized when no longer necessary. Truly anonymized data may be retained for research or historical analysis.

Secure Destruction: Digital records are permanently erased from databases and backups within a reasonable timeframe. Physical records, if any, are securely destroyed. Destruction is documented.

Legal Holds: Where required by law, GTA retains data under legal hold and destroys it when permissible.

Accountability and Enforcement

GTA leadership and employees are accountable for following this policy. Implementation and compliance are overseen by the Executive Director or equivalent. Violations may result in disciplinary or legal action. Partners should report suspected misuse or incidents, which GTA will investigate promptly. The policy may be reflected in binding agreements and is updated as needed.

Policy Review and Updates

This policy is reviewed at least annually or when laws or GTA activities change. Material changes will be communicated to partners in advance. Partners may seek clarifications on new terms. GTA is committed to safeguarding sensitive information and maintaining trust through current legal, technical, and organizational measures.

Contact Information

For concerns or suspected breaches, contact GTA’s Data Protection Officer at privacy@globaltunaalliance.org. GTA commits to escalating legitimate concerns to its Executive Director within 24 hours and convening a response review if warranted.

Executive Director/DPO – Global Tuna Alliance

Email: privacy@globaltunaalliance.org

Address:
Transpolispark
Siriusdreef 17-27
Hoofddorp
2132 WT, Netherlands

Partners may contact the DPO for data access or deletion requests, copies of processing agreements, or to discuss confidentiality concerns. GTA will respond promptly to inquiries.

The Global Tuna Alliance Logo A stylised tuna fish logo used for branding

Transpolispark
Siriusdreef 17-27
Hoofddorp
2132 WT, Netherlands

Global Tuna Alliance on Facebook Global Tuna Alliance on Twitter Global Tuna Alliance on LinkedIn Global Tuna Alliance on Instagram Global Tuna Alliance on Youtube
  • Privacy Policy
  • Cookie Policy
  • Glossary

Portal by Web Labs LogoWeb labs Limited software logo

The Global Tuna Alliance Logo A stylised tuna fish logo used for branding

Data Confidentiality and Privacy Policy

Version: 1.0

Date: 28 August 2025

Introduction and Purpose

The Global Tuna Alliance (GTA) is committed to protecting the confidentiality of all supply chain data entrusted to us by our partners. This standalone policy outlines how GTA and its partners (retailers and their suppliers) handle confidential supply chain information – including volumes, fisheries, and supplier-specific data – in a secure and legally compliant manner. The purpose of this policy is to ensure all parties understand their obligations and rights regarding data confidentiality, and to foster trust that sensitive business information will be protected at all times. This policy is not tied to any specific contract; it applies broadly to GTA’s operations and collaborations with partners across multiple jurisdictions.

Scope and Applicability

Geographical Scope: This policy applies to GTA and all data-sharing partners in the United States, United Kingdom, European Union, and South Africa. We adhere to the data privacy and confidentiality laws and regulations of each of these jurisdictions, including but not limited to the EU’s General Data Protection Regulation (GDPR), the UK Data Protection Act (DPA) 2018 (and UK GDPR), the California Consumer Privacy Act (CCPA) in the US, and South Africa’s Protection of Personal Information Act (POPIA).

Parties Covered: All GTA employees, contractors, and authorized personnel who process partner data are bound by this policy. Likewise, all partner organizations (retailers and their downstream suppliers) that share data with GTA are expected to understand and respect the confidentiality provisions herein. Third-party service providers who handle the data on GTA’s behalf (such as our platform host) are also required to comply with equivalent confidentiality and data protection standards as described in this policy.

Information Covered: This policy covers all supply chain data submitted to GTA by partners or generated through GTA’s systems. This includes, for example, sourcing volumes, details of fisheries, supplier identities and performance data, and any associated personal information (such as contact details of partner personnel or suppliers, if provided). All such information is considered “Confidential Information” under this policy. It will be handled with strict confidentiality and in compliance with applicable privacy laws, regardless of whether it is business-sensitive data or personal data relating to identified individuals or entities.

Legal and Regulatory Compliance

EU and UK – GDPR / Data Protection Act: We comply with the GDPR (and the UK’s equivalent DPA 2018) which govern how personal data must be collected, processed, and protected. GTA ensures there is a lawful basis for any processing of personal information, such as consent or legitimate interests, and that only data necessary for specified purposes is collected. We uphold principles like transparency, purpose limitation, data minimization, accuracy, storage limitation, and integrity/confidentiality as set out in these laws. For example, in line with GDPR requirements, if a data breach involving personal data occurs, GTA will notify the appropriate supervisory authorities (and affected individuals when required) within 72 hours of becoming aware of the breach.

United States – CCPA (California): For partners or data subjects under the jurisdiction of CCPA, GTA’s practices ensure transparency in how personal information is collected, used, and shared. Although the supply chain data we handle is primarily business-related (and often not directly consumer personal data), if any personal information of California residents is included, we will honor CCPA rights such as the right to know, delete, or opt-out of sale (noting that GTA does not sell any personal data). We do not discriminate against any individual for exercising their privacy rights under CCPA. Clear mechanisms are in place for any data subject to contact GTA regarding their data, and our privacy notices will reflect the requirements of CCPA as applicable.

South Africa – POPIA: GTA complies with South Africa’s POPIA when handling personal information of South African partners or individuals. POPIA’s conditions for lawful processing (such as accountability, purpose specification, further processing limitation, information quality, openness, security safeguards, data subject participation, etc.) are embedded in our data management processes. Notably, POPIA extends protection to information about juristic persons (companies) as well as natural persons, meaning GTA treats even business supply chain data as confidential information. Any third-party operator processing data for GTA (e.g., our IT contractor) is legally bound to treat personal information as confidential and not disclose it without authorization, and must report data breaches to GTA immediately. GTA in turn will notify the South African Information Regulator and affected parties of breaches as required by POPIA.

GTA constantly monitors changes in privacy legislation and ensures ongoing compliance. All data processing agreements with partners or service providers reflect the requirements of these laws, and where necessary (for example, in cross-border data transfers from the EU), we implement appropriate safeguards such as Standard Contractual Clauses or rely on adequacy decisions to ensure data is protected in transit and storage.

Roles and Responsibilities

Global Tuna Alliance (GTA): GTA acts as the data custodian (and in many cases the “data controller” or “responsible party” under data protection law) for the supply chain data collected. GTA is responsible for implementing and enforcing this confidentiality policy across the organization. GTA will determine the purposes for which the data is used (limited to alliance objectives) and ensure compliance with all applicable laws. GTA staff are trained on confidentiality obligations and data protection best practices. All GTA personnel with access to partner data must adhere to strict non-disclosure obligations, using the information only for authorized purposes and protecting it with the utmost care. GTA also designates an Information Security/Data Protection Officer (or equivalent responsible official) to oversee compliance, handle any questions or requests regarding data, and manage incident response including breach notifications.

Data Partners (Retailers and Suppliers): Each partner providing data retains ownership of their own supply chain information. Partners serve as the source of data and are considered “data subjects” or even co-controllers for certain datasets (particularly where they determine what data to submit). Partners are expected to only share data that they have the right to disclose and that is accurate to the best of their knowledge. They should also comply with any obligations under privacy laws (for instance, providing any required notices to their own staff or suppliers if personal data is included in what they share). Partners have the right to expect that their data will be kept confidential and secure by GTA, and they may request access to or deletion of their data from GTA’s systems at any time, consistent with applicable law. Partners also agree not to attempt to access data of other partners and to respect the confidentiality of any aggregated results or reports provided to them through GTA.

Web Labs Ltd (Hosting and IT Service Provider): Web Labs Ltd is a UK-based contractor engaged by GTA to develop, host, and support the GTA Partner Dashboard platform. Web Labs acts as a data processor (or “operator” under POPIA) processing data on GTA’s behalf. Per our Master Services Agreement, Web Labs is bound by a comprehensive Non-Disclosure Agreement (NDA) and Service Level Agreement (SLA). Under these agreements, Web Labs must: hold all GTA and partner data in strict confidence, not disclose it to any unauthorized party, and use it solely for the purposes of providing the contracted services. Web Labs is required to implement robust security controls (aligned with ISO 27001 standards) including encryption in transit and at rest, access controls, and other measures to safeguard data. Web Labs personnel accessing the data are limited to those with a legitimate need and are themselves bound by confidentiality obligations equal to those of GTA staff. In the event of any security incident or breach on their side, Web Labs must promptly inform GTA so that we can take appropriate action. GTA’s contract with Web Labs also affirms that all data processed remains the property of GTA or our partners (as applicable), and Web Labs has no rights to such data beyond providing the service.

Other Third Parties: GTA does not routinely share partner confidential data with any third parties besides Web Labs. If in the future GTA engages any additional service providers or advisors who need access to partner data, such parties will only be engaged under strict confidentiality agreements and with obligations equivalent to those outlined in this policy. They would act only on GTA’s instructions and for the limited purposes defined, in line with applicable data protection laws. GTA will maintain a list of any such authorized processors and make it available to partners upon request.

Data Collection and Use Practices

Data Collection: GTA collects supply chain data from partners through secure means. The types of data we collect are limited to what is necessary for GTA’s mission of improving tuna sustainability and supply chain transparency. This may include data such as total tuna volumes, source fisheries and their locations, certifications or sustainability ratings, details of supply chain participants, and related compliance information. Whenever personal data might be incidentally collected, GTA will collect such data in compliance with consent requirements or other lawful bases and will clearly inform the partner of the purpose at the time of collection.

Purpose of Use: All collected data is used exclusively for the legitimate purposes of the Global Tuna Alliance, namely: to measure and report on progress towards sustainable tuna commitments, to provide partners with insights and benchmarking, and to facilitate collaborative efforts to improve supply chain practices. GTA will not use partner data for any other purpose outside of our stated mission. Each party’s confidential data will only be used for the benefit of that party and the broader alliance objectives in an aggregated, anonymized manner. In no event will GTA or its contractors use a partner’s data for any purpose that is incompatible with the purpose for which it was collected without obtaining the partner’s prior written consent.

Data Minimization: GTA follows the principle of data minimization – we request and retain only the minimum data necessary to achieve the intended outcomes. Partners will not be asked to provide irrelevant or excessive data. The data collection forms and templates are designed to avoid collection of sensitive personal data unless absolutely required. If any such sensitive data is ever collected, it will be handled with additional safeguards per legal requirements.

Confidentiality and Access Controls

Partner data is not accessible to GTA Board members or the Partner Advisory Group (PAG). Access is limited solely to assigned GTA employees and contracted technical service providers on a specific need-to-know basis. This is a deliberate design choice to preserve confidentiality and avoid any perception of competitive or political influence.

Internal Access: Access to confidential partner data within GTA is strictly limited to authorized personnel who need the information to perform their duties. GTA operates on a role-based access control model. All GTA employees and contractors with access sign confidentiality agreements and are obligated to handle information with care. Partner data is labeled and stored in restricted-access systems, and any misuse or unauthorized access is a serious disciplinary matter.

Partner Access: Each data partner will have access to their own data through the GTA portal or via reports. Partners will not be able to access other partners’ submissions or confidential details. The system is designed with tenant isolation and any comparative reports are anonymized and aggregated so that no individual company is identifiable without consent.

Third-Party Access: Aside from the partner and authorized GTA staff, the only other party with regular access to raw data is Web Labs Ltd as needed for maintenance and support. Any other third party that might handle the data is similarly bound by strong confidentiality and security terms. GTA does not grant access to any government or regulatory agency unless required by law, and will notify partners when permissible.

Non-Disclosure Assurance: Every person or entity with access to partner confidential data is required to hold it in strict confidence and not disclose it further. Obligations of confidentiality continue even after employment or partnership ends, until the information enters the public domain through no fault of GTA or disclosure is agreed.

Data Sharing and Disclosure Restrictions

No Sharing Between Partners: GTA guarantees that one partner’s supply chain data will never be shared with or disclosed to another partner without permission. Data is siloed and confidential. Even within GTA, data is handled on a need-to-know basis.

Aggregate Reporting: GTA may produce industry-wide reports or aggregate analyses that use anonymized and aggregated data only. No individual company or supplier will be identifiable without consent. Aggregation is done to prevent reverse engineering of any single partner’s data.

External Disclosure Prohibitions: GTA will not disclose partner-provided confidential data to any external entity except if required by law, if the partner consents, or to contracted processors bound to confidentiality. Any requests from external parties will be refused or satisfied only with sufficient anonymization or consent.

Data Processing by Web Labs: Web Labs will not share or sub-process data beyond what is needed to host the platform. They have no ownership or independent rights over the data and cannot subcontract handling without GTA’s approval and equivalent confidentiality commitments.

Data Security and Storage Measures

Secure Hosting: All partner data is stored on secure servers managed by Web Labs Ltd in the UK, protected in certified data centers aligned with ISO 27001. The environment includes access control, encryption, network security, high availability, and regular backups.

Encryption: Data is encrypted in transit (TLS/HTTPS) and at rest. Sensitive fields are encrypted within storage and keys are managed securely and rotated.

Access Controls: Role-based permissions protect user access. Strong authentication is enforced. Administrative access to servers or databases is limited and logged with audit trails.

Secure Development and Testing: Changes are developed and tested in secure environments. Live confidential data is not used in non-production without masking or anonymization. The platform is tested for vulnerabilities.

Monitoring and Prevention: Monitoring tools detect unusual activities. Firewalls, intrusion detection, and anti-malware protections are in place. Incidents are investigated immediately.

Employee and Contractor Training: Staff are trained on secure data handling and confidentiality. Access is granted on a need-to-know basis.

Compliance and Audits: Processes are reviewed periodically, including internal and independent audits. Partners may request summaries or certifications under appropriate confidentiality.

Data Ownership and Intellectual Property

Each partner retains ownership over the supply chain data they provide. GTA is a steward and custodian with a license to use data for alliance objectives. GTA claims no IP over raw partner data. Aggregated analyses produced by GTA are owned by GTA only in aggregated form and will not reveal a partner’s confidential information without consent. GTA owns the platform and methodologies but not partner-submitted content. Partners may request extraction of their data at any time.

Data Breach Notification and Incident Response

Immediate Containment: Upon detection of a potential breach, GTA and Web Labs will work to contain the incident by isolating systems, revoking credentials, or shutting off functions as needed.

Investigation: GTA will promptly investigate the scope and root cause, determine affected data and partners, and leverage logs and forensic tools with Web Labs’ assistance where relevant.

Partner Notification: GTA will inform affected partners without undue delay and, where required, notify authorities within regulatory timelines (e.g., GDPR’s 72-hour rule). Partners will receive information on the nature of the breach, affected data, mitigation steps, and recommended actions.

Authority Notification: GTA will notify relevant authorities as required by law in the applicable jurisdictions. Web Labs is required to promptly notify GTA of breaches on their side.

Remediation and Follow-up: GTA will remediate vulnerabilities, enhance monitoring, and provide support to affected partners. Incidents are reviewed to strengthen safeguards and partners are informed upon resolution.

Documentation: GTA documents all incidents, responses, and notifications in an internal breach register and can provide reports to affected partners.

Data Retention and Destruction

Retention Period: Data is retained as long as needed to fulfill alliance objectives, enabling year-on-year comparisons and trend analysis. Data no longer needed is deleted or anonymized.

End of Participation: When a partner exits, data is archived briefly and then securely deleted or returned upon request. GTA can export and then purge data, providing written confirmation of removal.

Ongoing Programs: For active partners, data is retained for longitudinal analysis with schedules per category. Personal data is deleted or anonymized when no longer necessary. Truly anonymized data may be retained for research or historical analysis.

Secure Destruction: Digital records are permanently erased from databases and backups within a reasonable timeframe. Physical records, if any, are securely destroyed. Destruction is documented.

Legal Holds: Where required by law, GTA retains data under legal hold and destroys it when permissible.

Accountability and Enforcement

GTA leadership and employees are accountable for following this policy. Implementation and compliance are overseen by the Executive Director or equivalent. Violations may result in disciplinary or legal action. Partners should report suspected misuse or incidents, which GTA will investigate promptly. The policy may be reflected in binding agreements and is updated as needed.

Policy Review and Updates

This policy is reviewed at least annually or when laws or GTA activities change. Material changes will be communicated to partners in advance. Partners may seek clarifications on new terms. GTA is committed to safeguarding sensitive information and maintaining trust through current legal, technical, and organizational measures.

Contact Information

For concerns or suspected breaches, contact GTA’s Data Protection Officer at privacy@globaltunaalliance.org. GTA commits to escalating legitimate concerns to its Executive Director within 24 hours and convening a response review if warranted.

Executive Director/DPO – Global Tuna Alliance

Email: privacy@globaltunaalliance.org

Address:
Transpolispark
Siriusdreef 17-27
Hoofddorp
2132 WT, Netherlands

Partners may contact the DPO for data access or deletion requests, copies of processing agreements, or to discuss confidentiality concerns. GTA will respond promptly to inquiries.