Privacy policy pursuant to Article 13/14 of Regulation (EU) 2016/679 (GDPR)
DATA CONTROLLER
INDICAM with registered office at Via Gabrio Serbelloni 5, Tax Code 97057580157 – VAT No. 11639900965, email: privacy@indicam.it, Tel: +39 02 46512116 (hereinafter the “Controller”)
Processed Data | Purposes of processing | Legal Basis | Nature of Provision | Data Retention Period |
Personal and contact details. | To manage the running and holding of the event in its entirety. To collect the personal data in order to allow the data subject to gain credits requested by his/her professional order. | Fulfilment of pre-contractual obligations to which the Data Subject is a party (Article 6, paragraph 1(b) of the GDPR). | Necessary for participation in the event or to certify that the data subject has attended the event in order to gain credits. In the absence of Data, it will not be possible to participate in the event. | The Data will be processed and stored for 10 years from the end of the event. |
Name, image and voice of Data Subjects in the case of recorded events and, in the case of online events, if the Data Subjects ask questions and have activated their webcam. | To maintain an internal archive of recordings of events at INDICAM. | The legitimate interest of the Data Controller (Article 6, paragraph 1(f) GDPR), fairly balanced with the rights and interests of the Data Subjects. | Optional. The Controller will notify the start of recording through the relevant function on the platform used. Data Subjects who do not wish to disclose their participation may refrain from entering their name in the list of participants through the relevant function on the platform or keep their webcam switched off. Any objection will not have any detrimental consequences for the Data Subject. | The Data will be processed and stored for 10 years from the end of the event. |
Name, image and voice of Data Subjects in the case of recorded events and, in the case of online events, if the Data Subjects ask questions and have activated their webcam. | To publish on INDICAM’s online channels for promotional purposes the recording of the event during which the Data Subject may be recognizable through his/her name or image or voice recorded during his/her participation or intervention. To post an image of the Data Subject recorded during the event on offline channels (e.g. press review) for promotional purposes. | Explicit consent of the Data Subject to the processing of Personal Data (Article 6, paragraph 1(a) GDPR). | Optional. In the event of failure to provide the Data, the Data Subject will not suffer any detrimental consequences and the Images will not be disseminated or transmitted. Consent may be withdrawn at any time by sending an email to privacy@indicam.it | The Data Controller will no longer use and will erase the Personal Data processed when consent is withdrawn or when they are no longer relevant for the promotion of its activities (maximum 5 years after publication). If the Images are disseminated on the Data Controller’s social media pages, the Data Controller shall only remove the Images from such platforms once they are deemed no longer relevant for the promotion of the Data Controller’s activities or in the event of withdrawal of the Data Subject’s consent, but their deletion by third parties that have disseminated them in the meantime cannot be required. |
Personal and contact details of Data Subjects not associated with INDICAM. | To carry out direct marketing activities, such as sending newsletters, information and communications, updates on activities and events organised or promoted by INDICAM. These activities will be carried out by e-mail or telephone, even by automated means (SMS, social media). | Express consent to the processing of Personal Data (Article 6, paragraph 1, letter a) of the GDPR). The Data Subject may withdraw consent to the processing at any time by sending an email to privacy@indicam.it or clicking, if present, on the link “You can unsubscribe from this list”. | Optional. In the event of failure to provide the Data, INDICAM will be unable to provide regular updates to the Data Subject on its activities and events. | The Controller will no longer use and will erase the Processed Data in the event of withdrawal of consent or 5 years after the date of the last contact with the Data Subject. This retention period is deemed adequate in relation to the purposes pursued by INDICAM as a non-profit association. |
In addition, and without prejudice to the above, the Controller undertakes to base the processing of Personal Data on the principles of minimization, verifying on an annual basis the need for their storage for a period not exceeding that required by the purposes for which the Data were collected and processed. The Controller may retain Personal Data in order to comply with the law or to exercise or defend any right or claim in judicial proceedings. Once the purposes for which the Personal Data have been collected and processed have been achieved, the Data Controller shall implement appropriate measures to make them anonymous, so that the Data Subject cannot be identified.
DATA RECIPIENTS/CATEGORIES OF RECIPIENTS
The Data will be processed by employees of the Data Controller expressly authorised to process the Data on the basis of specific instructions and by adopting appropriate measures to protect the Data in relation to all the purposes indicated above. The following entities may become aware of the Data in relation to the processing purposes provided for in this privacy notice and may process the Data both as autonomous data controllers and data processors duly appointed by the Data Controller (a list of such data processors and autonomous data controllers is available upon request via email to be forwarded to privacy@indicam.it):
- IT service providers for managing contact databases, digital service providers and IT consultants who provide technical support to the Data Controller;
- Persons performing activities related to the organization of the event (Eventbrite, Zoom Inc.);
- Service provider for sending newsletters (Mailchimp);
- Social platforms (LinkedIn, Twitter, Facebook).
Data may be disclosed to the Judicial, Public Security or other Public Authorities in order to fulfil instructions or requests received from them.
TRANSFER OF DATA TO A NON-EU COUNTRY
Personal data may be transferred to the United States where the supplier Mailchimp used by INDICAM for sending its newsletter, the supplier Zoom Inc. for the management of online events and the social platforms (LinkedIn, Twitter, Facebook) used for the promotion of INDICAM events are located. INDICAM confirms that the standard contractual clauses approved by the European Commission for the transfer of personal information outside the EEA have been adopted with these suppliers (these are clauses approved in accordance with Article 46 (2) GDPR). The Data Controller cannot, however, foresee a priori in which other third countries the images published on social networks will be visible, but will ensure use of platforms and channels that declare they comply with the requirements of the GDPR, to whose privacy policies reference should be made.
METHODS OF DATA PROCESSING
The Data will be processed in compliance with the principles of fairness, lawfulness and transparency, through manual and automated methods and using paper and electronic means, in any case within the limits of the purposes of the data processing(s) established by this privacy policy information sheet and, in any case, always guaranteeing the security and confidentiality of the Data.
RIGHTS OF DATA SUBJECTS
The Data Subject may at any time exercise the following rights under the conditions and within the limits established in Articles 12-22 of the GDPR by sending an email to privacy@indicam.it
- Right to rectification of inaccurate personal data and to have incomplete personal data completed (Article 16 GDPR);
- Right to erasure of personal data (Article 17 GDPR);
- Right to restrict processing (Article 18 GDPR);
- Right to object to processing pursuant to Article 6(1)(e) or (f) of the GDPR.
If the Data Subject believes that the processing of personal data by the Data Controller is in breach of the provisions of Regulation (EU) 2016/679, the Data Subject has the right to lodge a complaint with the Supervisory Authority, in particular in the Member State in which they normally reside or work or in the place where the alleged breach of the regulation occurred (in Italy, the Italian Data Protection Authority https://www.garanteprivacy.it/), or to take legal action.
This policy statement is updated on 10 April 2023.