PRIVACY NOTICE FOR INTERNATIONAL FORUM ON DIGITAL AND DEMOCRACY

General Data Protection Regulation 2016/679 (GDPR)

 

This Privacy Notice (Notice) explains how Associazione Politica “COPERNICANI”, with registered office at piazza della Repubblica, no. 1, Milan, Italy, processes your personal data when you attend its events (including forums, workshops, seminars, public lectures, demonstrations, and online events such as webinars (Event)) and your rights in relation to the personal data we hold.

 

For the purposes of any applicable data protection laws in Italy, including the EU General Data Protection Regulation 2016/679 (GDPR), the Company is the data controller of your personal data and may be reached at the following address:

 

Associazione Copernicani
Piazza Repubblica, 1 – 20121 Milano
CF 97803240155
assistenza@copernicani.it

 

How your personal data is collected

The Company collects your personal data from the following sources:

  1. from you, typically when you:
     • complete forms in relation to attending or participating in an Event, including buying or registering for tickets online;
     • attend and participate in an Event;
     • interact with one of our representatives or employees during an Event (for example when you sign up to a mailing list);
     • complete our surveys and feedback forms;
     • communicate with us by post, email, online chat, social media, telephone or another format;
     • visit the Company’s website, including when you search, register or use our online payment/ticketing portals or sign-up for an event.
  2. from third parties such as:
     • ticketing agencies who sell tickets or process ticket orders on our behalf;
     • a third party who may purchase tickets on your behalf or register your details with us;
     • our website, webinar, ticketing and sign-up platform providers;
     • our payment provider who will confirm details of your payment;
     • publicly available sources when researching and creating biographies of speakers and key attendees.

 

What categories of personal data are collected?

We collect the following categories of personal data:

 

Identification, background and contact details

  • biographical information such as your name, title, gender and date of birth;
  • your image, audio and likeness (as captured on a webinar, in photographs or on recordings we make of the Event, and on cable TV or the website where the Event is hosted);
  • your contact details including address, email address, online chat or social media account details and phone number;
  • your qualifications, professional experience and institution or employer (where this is relevant to an Event);

 

Online and transactional

  • details of your IP address, browser type and operating system when you visit our website;
  • events that you have attended in the past or for which you are registered to attend in the future;
  • payment details and your financial transactions in relation to Events;
  • records of communications sent to you by the Company or received from you;

 

The basis for processing your data, how we use that data and with whom we share it

 

We will process your personal data either in ways you have consented to, or because it is otherwise necessary for a lawful purpose or for the provision of services by the Company or in relation to the Events.

 

We set these out as follows:

 

As part of the contractual relationship between you and the Company (for example in relation to a ticket you have purchased)

 

In this respect we use your personal data for the following purposes:

  • to deliver the Event you have registered for;
  • to correspond with you about the Event, including sending you pre and post-event information.

 

As part of this process, we will expect to share your personal data with:

 

  • our agents, contractors and service providers (including providers of accommodation, catering, IT, webinar and other support services) where applicable and where it is necessary for them to receive the information;
  • our bank to whom payment details are provided in order to process a payment;
  • co-organisers or partners who are involved in the delivery of an Event;

 

Other legitimate interests

 

Your personal data will also be processed because it is necessary for the Company’s legitimate interests or the legitimate interests of a third party. This will always be weighed against your rights, interests and expectations. Examples of where we process data for purposes that fall under legitimate interests include:

 

  • creating biographies of attendees or a delegate or speaker list and distributing the biography/list to speakers and attendees (except in circumstances where it is appropriate to gain your consent);
  • sharing your information with sponsors of an event (except in circumstances where it is appropriate to gain your consent);
  • filming, photographing or otherwise recording Events and publishing such content on our website, social media accounts and other formats where it would not be necessary, appropriate or practicable to obtain your specific consent (for example, we may seek specific consent for prominent or impactful uses);
  • analysing and improving the use of our website;
  • analysing who is attending our Events, including so that we can monitor the success of our outreach programs and understand trends in participation;
  • processing feedback to improve the quality of our Events;
  • upon explicit consent, marketing the Company and its Events by post, telephone, social media and electronic mail (but without prejudice to your rights under the legislation that regulates the sending of marketing communications by electronic means);

 

In addition to those organisations named above, we will also share your personal data with:

 

  • our agents and contractors where they require your personal data to perform the services outlined above; and
  • direct mail agencies who assist the Company in the administration of marketing communications.

 

Legal obligations

 

Your personal data will be processed for compliance with the Company’s legal obligations. For example:

 

  • for the detection and prevention of crime and to assist the police and other competent authorities with investigations;
  • to comply with tax legislation, safeguarding duties and subject access requests of others.

 

In this respect, as well as the organisations mentioned above, we may in specific circumstances need to share your personal data with third parties who have made legitimate requests under data protection or freedom of information law, the police and other law enforcement agencies, and the Company’s external auditors.

 

Where you have consented

 

Your personal data will also be processed by the Company where we have your consent. Examples where consent would be sought include where the law or some other protocol requires that the Company obtains your consent (for certain marketing or fundraising communications) or where, having balanced the Company’s legitimate interests against your rights, interests and expectations, we feel it is appropriate to obtain your consent for our processing, rather than rely on the legitimate interests basis.

 

Where applicable, consent will always be specific and informed on your part, and the consequences of consenting or not, or of withdrawing consent, will be made clear.

 

Special categories of personal data

 

The Company does not process, and does not request from you, types of personal data that the law considers to fall into a special category (such as race, religion, health, sexual life or criminal record).

 

However, if in any case we receive from you data that may be considered to fall within the categories set out in Articles 9 and 10 of the GDPR, such data will be processed under the following circumstances:

 

  • where you have provided your explicit consent. Examples might include where you have provided information on your health, allergies or where you inform us of the requirement for wheelchair access;
  • where such processing is necessary for the establishment, exercise or defence of legal claims (including sharing with the Company’s insurers and legal advisers) or the prevention or detection of crime;
  • where it is in your vital interests to do so and you are incapable of giving consent, for example to inform your specified emergency contact, or emergency services in the event of your illness or other emergency.

 

International transfers of data

 

The Company will in limited circumstances disclose personal data to third parties, or allow personal data to be stored or handled, in countries outside the European Economic Area. For example, we will transfer data to IT and ticketing/sign-up platform providers based overseas (such as MailChimp, Google and EventBrite) and share information with international co-organisers of an Event.

 

In these circumstances, your personal data will only be transferred where the transfer is subject to one or more of the “appropriate safeguards” for international transfers prescribed by applicable law, such as:

 

  • an approved certification mechanism;
  • where the Company has entered into contractual clauses approved by the European Commission that provide appropriate safeguards; or
  • there exists another situation where the transfer is permitted under applicable law (for example, where we have your explicit consent).

 

Profiling

 

We don’t use personal characteristics such as age, role, your expressed interests, your previous interactions with the Company or geographical location to target our communications, advertising and promotions.

 

However, we may use your personal characteristics (such as those contained within your Facebook profile) to assist us in identifying and targeting new audiences for our Events (for example, through tools such as Facebook Lookalike Audiences).

 

Your rights under the Data Protection Legislation

 

The GDPR confers a series of rights on the Data Subject; according to the Guidelines on Transparency WP 260, it is mandatory to summarise their main contents within the disclosure paper. These rights are summarised below:

Right of access (to personal data only): the right to obtain confirmation from the Data Processor that personal data is being processed concerning the Data Subject and, in this case, to obtain access to personal data and to be informed about the purposes of the processing; on the categories of personal data in question; on the recipients or categories of recipients to whom the personal data have been or will be communicated, in particular if recipients are in other countries or belong to international organisations; whenever possible, on the retention period of the personal data provided or, if this is not possible, on the criteria used to determine such period; if the data has not been collected from the Data Subject, the right to receive all the information available on its origin; the right to receive information on the existence of an automated decision-making process, including profiling and significant information on the logic employed, as well as the importance and expected consequences of such processing for the Data Subject.

Right of rectification and integration: The Data Subject has the right to obtain the correction of any inaccurate personal data without undue delay from the Data Processor. Taking into account the purposes of the processing, the Data Subject has the right to obtain the integration of incomplete personal data, also by providing an additional declaration. The Data Processor shall inform each of the recipients to whom the personal data have been transmitted of any corrections, unless this proves impossible or involves a disproportionate effort. The Data Processor shall inform the Data Subject about those recipients upon request of the latter.

Right to cancel: the Data Subject has the right to obtain from the Data Processor the cancellation of their personal data without unjustified delay (provided that none of the specific reasons pursuant to Article 17, Paragraph 3 of the GDPR exist, since these relieve the Data Processor from the obligation of cancellation) if personal data is no longer necessary with respect to the purposes for which they were collected or otherwise processed; or if the Data Subject revokes the consent and there is no other legal basis for the processing; or if the Data Subject opposes the processing for marketing or profiling purposes, also by revoking their consent; or if the personal data has been processed unlawfully or concerns information collected from minors, in violation of Article 8 of the GDPR. The Data Processor shall inform each of the recipients to whom the personal data has been transmitted of any cancellations, unless this proves impossible or involves a disproportionate effort. The Data Processor shall inform the Data Subject about those recipients upon request of the latter.

Right to limitation of processing: the Data Subject has the right to obtain the limitation of the processing from the Data Processor (i.e., according to the definition of “processing limitation” provided by Article 4 of the GDPR: “the marking of personal data stored with the objective to limit processing in the future”) when one of the following hypotheses occurs: the Data Subject disputes the accuracy of personal data, for the period necessary for the Data Processor to verify the accuracy of such personal data; the processing is illegal and the interested party opposes the cancellation of personal data and asks instead that its use is limited; although the Data Processor no longer needs it for processing purposes, personal data is necessary for the Data Subject to ascertain, exercise or defend a right in court; the interested party opposed marketing processing, pending verification of the possible prevalence of the legitimate reasons of the Data Processor with respect to those of the Data Subject. If processing is limited, such personal data shall be processed, except for storage, only with the Data Subject’s consent or for the assessment, exercise or defence of a right in court or to protect the rights of another natural or legal person or for reasons of significant public interest. The party who has obtained the limitation of processing is informed by the Data Processor before such limitation is revoked. The Data Processor shall inform each of the recipients to whom the personal data have been transmitted of any limitations, unless this proves impossible or involves a disproportionate effort. The Data Processor shall inform the Data Subject about those recipients upon request of the latter.

The right to oppose: the Data Subject has the right at any time to oppose, for reasons related to their particular situation, the processing of personal data concerning them carried out by the Data Processor, whether for the performance of a task of public interest or connected to the exercise of public powers vested in the Data Processor, or for the pursuit of the legitimate interests of the Data Processor, including by third parties (including profiling). Furthermore, if personal data is processed for direct marketing or commercial profiling purposes, they have the right at any time to oppose the processing of personal data for such purposes.

Right not to be subjected to automated decisions, including profiling: the Data Subject has the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or which significantly affects them, except in cases where the automated decision is necessary for the conclusion or execution of a contract between the Data Subject and a Data Processor; is required by law, in compliance with measures and precautions; or is based on the explicit consent of the person concerned.

For any purpose, the link to the Articles from 15 to 23 of the Rules on the rights of the Data Subject.

Copyright 2020 IFDaD. All rights reserved