The Anti-Counterfeiting Network

Privacy Policy

De Cuserstraat 89
1081 CN Amsterdam The Netherlands

Data Subjects and Categories of Data 

REACT processes personal data of the following categories:  

  • Identified third party infringers of intellectual property rights of REACT’s members (hereafter: infringers), i.e. name, address, email address, company details. React does not process any special categories of personal data (9 GDPR)
  • Employees. This data contains names, addresses, email addresses, birth days, social security numbers, phone numbers, and bank accounts numbers. 
  • Partners (partner offices, associated law offices). This data contains names, addresses, phone numbers, and email addresses. 
  • Authorities (e.g. Police, Customs, Federal Public Service). This data contains names, phone numbers, addresses, and email addresses. 
  • Members of REACT. This data contains names, phone numbers, addresses and email addresses. 
  • Job applicants. This data contains names, phone numbers, addresses, email addresses and date of births. 

NB: Data which relates to a legal person (such as businesses and associations) instead of an identified or identifiable natural person is not ‘personal data’ covered by this policy / applicable Regulation. 

Lawful Processing Purposes: 

Processing the data of infringers is necessary to follow-up on infringement cases and register the recidivists/repeat offenders, in order to be able to protect and enforce the intellectual property rights of REACT members effectively. 

The applicable lawful ground of processing is Article 6, paragraph 1 under f GDPR: the protection of intellectual property rights, recognized by Article 17(1) of the EU Charter of Human Rights. Including the establishment, exercise or defense of legal claims. In case a data subject is/was a debtor of REACT (most infringement cases), the Dutch Tax Authority imposes adminstrative retention (52(4) AWR), making data processing legitimate for compliance with this legal obligation to which the controller is subject (6(1)(c) GDPR). 

With regard to data received from EU customs authorities, the lawfulness of processing follows from lex specialis article 21 of Reg. (EU) 608/2013. Customs authorities are data controllers and have informed data subjects of their rights in the seizure notifications. 

With regard to the processing of OSINT (open intelligence) data by REACT’s Intelligence team on behalf of Members, under the GDPR, the REACT staff is committed to take a restricted approach and such data is also manifestly made public. 

For the other data (on employees, partners, authorities, members of REACT, job applicants), the necessity for performance of a contract, including pre-contractual relationships, and/or free consent are acknowledged. The legal duties of REACT as an employer includes processing data about employees for social security and taxation reasons, and as a business it must process data about their customers for tax purposes (all in accordance with article 6(1)(c) GDPR). 


REACT obtains the infringers’ data through Customs notifications, police information, online research (e.g. Whois information, websites of infringers) and from the infringers themselves 

Access / international transfers: 

All employees of React can access the personal data of the infringers, including REACT’s offices outside the EU. Counterfeit trade is typically crossing borders, including those of the EU. In order to enable the protection of IP rights, disclosing international trade patterns of fake products is an important objective of React. REACT uses contractual clauses ensuring appropriate data protection safeguards according to EU standards, where no adequacy decision applies. 

Third parties:  

The infringers’ personal data will only be shared with a third party when used for the same purpose as those of REACT, namely to protect and enforce the intellectual property rights of REACT members, or when obliged to by law. React will not sell the infringers’ personal data to third parties. 

Storage period:  

In case a data subject is/was a debtor of REACT (most infringement cases), the Dutch Tax Authority imposes an administrative retention period of 7 years (52(4) AWR).  

In other cases the infringers’ personal data will be deleted after a process period of five years from the day following the one on which React has become aware of both the (damages caused by) the infringement in question, and the accurate identity of the responsible person (standard prescription term under article 3:310 of the Dutch Civil Code), and if the case is processed in Germany, at most six years (per article 50(1) of the Federal Lawyer’s Act (BRAO)) following the initial calendar year, unless there is a contractual relationship between React and the infringer or other particular circumstances that legitimise a longer period of processing.  

Data Subject's Rights and Complaints: 

Right not to be subject to a decision based solely on automated processing: REACT does not use wholly automated decision making (nor so-called 'profiling'). 

Right to data portability: does not apply since the processing is not carried out by automated means and not based on contractual/consent grounds.  

The right to withdraw consent only applies to data processing based on the consent ground (for employees, partners, authorities, members of REACT, job applicants)). 

Data subjects such as infringers (natural persons, not legal persons such as businesses and associations) have the following rights, within the limits of the applicable Regulation, with a response period of 1 month applying: 

-Right of access 

-Right to rectification 

-Right to erasure 

-Right to restrict processing 

-Right to object (on grounds relating to the data subject’s particular situation) 

Such requests or complaints can be made to 

REACT has its main establishment in The Netherlands, and the competent supervisory authority to follow up on any complaints under the GDPR is the Autoriteit Persoonsgegevens:  

Data security: 

REACT has taken requisite technical and organisational measures to ensure a level of security for personal data appropriate to the risk (32 GDPR). REACT’s computers and software are secured in accordance with business security standards, including protection of access. REACT employees are trained to use data in compliance with its Data Use Policy.  

REACT uses Microsoft software (Office 365) which is up to date to meet the highest security standards. 2-Factor authentication is required to access the REACT system. Other measures taken are not included in this public-facing Data Privacy Policy for security reasons.