Pursuant to the articles 13 and 14 of the EU Privacy Regulation 679/2016 ("GDPR") we inform you that the personal data provided by the interested party ("you"), for yourself or for the organization to which you belong, to Italian Exhibition Group S.p.A. ("IEG" or "we"), on the occasion of or in connection with events, exhibitions, events, conferences / congresses, championships / competitions and / or workshops, webinar and/or “business virtual meeting and/or face-to-face meeting” (the "Events"), organized by us, hosted or participated also in collaboration with third-party partners, they are treated in compliance with the principles of lawfulness, fairness, correctness, proportionality, necessity, accuracy, completeness and security and other legal obligations in force.
Categories of interested parties. Processing operations and collection methods
The processed data concerns customers (ie exhibitors, visitors, buyers, conference / congress participants, event speakers, participants in championships / races, workshops, webinar and/or “business virtual meeting and/or face-to-face meeting”, exhibition and / or advertising space dealers, organizers third parties and the sponsors who have played their respective roles over the last 10 years) and prospects (individuals who have expressed an interest in the Events over the last 10 years, including through the delivery of their own business card or request for information or quotes or by subscribing to newsletters, journalists, institutional guests / VIPs who have already taken part in the Events over the last 10 years), intended as natural persons over the age of 14 who act on their own and / or as internal contacts of legal entities, institutions or other organizations. The individual categories of data collected are indicated in our collection forms which supplements this information.
The processing takes place with electronic and paper instruments and with logics connected to the single purposes stated below.
We collect data i) through online forms or paper forms or via pre-registration or participation app you filled in and / or acquired by third parties authorized by us or ii) via mobile devices such as tablets, smartphones present in the place of the Events.
The data collected may be processed by the staff expressly authorized by us, within the limits strictly necessary for the performance of the respective activities assigned to it (eg legal, commercial, marketing, administrative, logistic, IT, management control, etc.).
Purpose of the processing
The processing has the following purposes:
1. Fulfillment of contractual and legal obligations deriving from participation or connected to the already contractual or potential participation of the interested party in the Events. (such as the participation in face-to-face and/or virtual business meetings through videocalls on specific online links or dedicated platforms, signing up for a webinar)
2. Planning and organizational management of events, eg issue and payment of securities, credits and entry passes (including check of payment termination by third-party services), management of the contracts we stipulate with third-party suppliers of goods and/or services used by you during the Events; publication of name and surname or company name and name, telephone number, e-mail, in the public online and paper catalog of the Event in which you participate; communication, by IEG, of information (eg programs, proposals, warnings and reminders, etc.) connected to the Events. For the best organization and the complete realization of the "virtual business meetings", IEG could foresee the sending of the e-mail address of the buyer to the customer, if a virtual meeting has already been planned and in case the same should jump due for major causes. Through the communication of the email address to the customer, the interested parties will be able to, autonomously, re-schedule the meeting according to their availability and in any case send communications of their interest.
3. Sending (via email, ordinary mail, SMS, MMS, push-up messages, instant messaging functions such as whatsapp, telefax, telephone calls with operator, social networks and other automated tools) of commercial communications, advertising and sales offers products / services related to those of your interest or relating to exhibition / congress and / or related products / services (eg sector publishing, championships / competitions, webinar, “business virtual meeting and/or face-to face meeting” etc.) (overall activities defined as "soft spam").
4. Profiling. The profiling detects for privacy purposes only if it concerns natural persons, that is individual companies or partnerships and relative partners / directors, or internal referents of corporations, institutions or organizations.
The profiling uses some data supplied by you and sometimes associates them with company data taken from public databases (eg the Business Register of the Chamber of Commerce). For example, we treat the following data, in the case of event / conference presenters / conference presenters / partecipants in webinar, partecipants in “business virtual meeting and/or face-to-face meeting”: name and surname, contact details, country of origin, sector to which they belong, professionalism / topics covered.
In some cases, if you are a customer or a prospect, we associate the data you provide to us with your personal data acquired during your browsing on our websites or during the use of the services provided by these sites (eg cookies relating to pages of our website that you have visited, to the country from which you connect) or through other communication channels (eg social media) or through mass mailing of commercial e-mail (eg which messages have arrived, such as e-mails you has opened, what proposals you have accepted through specific actions such as opening an attachment or adhering to our request to link to landing pages or attachments to the email message, etc.).
The profiling allows us, in particular, to limit the sending to you of promotional communications not pertinent to your probable expectations and needs or through unwanted channels.
The limited nature of profiling does not exclude you from specific advantages or from the possibility to freely exercise your privacy rights, nor has any particular legal effects; in particular it does not in any way prejudice your ability to participate in the Events and / or take advantage of our services (eg online pre-registration, purchase of services).
Legal basis of the processing. Mandatory or optional nature of providing data and consequences of failure to provide data
The processing for the purposes of sub 1 has its legal basis in our need to fulfill the obligations assumed through the stipulated contract or to stipulate with you (and to carry out all the actions necessary for the correct and complete execution of the commitments therein) and/or to the legal obligations connected to it. Therefore this treatment does not require your prior consent and you are also free not to give your data, however, in this case, we will not be able to stipulate the requested contract and / or regularly provide the service requested by you or by the organization to which you belong (eg make you participate in the Event of interest and provide you with related services for example for the webinar of interest and/or “business virtual meeting and/or face-to-face meeting” of interest) and / or we will not be able to fulfill the legal obligations connected with the contract.
The processing for the purposes of sub 2 has its legal basis in our legitimate interest to organize Events, plan and manage all organizational activities useful to allow you to participate efficiently and effectively in Events and to manage relations with third party suppliers of functional and event-related goods and services. (In particular, for example, by joining and perfecting the request to participate in a webinar you can receive, via e-mail, updates / notices and / or reminders relating to webinars of interest or similar to those of your interest; you wil be able to join the virtual business meeting through the IEG platform).
Therefore such treatment does not require your prior consent. You are free not to provide the data, but in this case you will not be able to participate in the Event.
In the event of an event such as the webinar and/or “business virtual meeting”, you may be asked to activate the PC cameras for a better and more profitable relationship and communication between the participants in the event and the speaker of the event. You will be free to decide not to activate the camera and even in this case you can participate in the webinar and/or “business virtual meeting”.
The treatment for the purposes of sub 3 (soft spam) has its legal basis in our legitimate interest in contacting our customers freely, as well as the prospects, in order to be able to offer them new opportunities relating to services through electronic / telephone / paper channels. products similar to those previously purchased / contracted (in the case of customers) or to those for which interest has been expressed (in the case of prospects), or relating to products / services for exhibitions / conferences and / or related to them (eg publishing of sector, championships / races, webinar, “business virtual meeting and/or face-to-face meeting”etc.). Therefore the cd. Soft spam, as described above, can lawfully take place even without your prior consent, which is therefore not necessary.
The treatment for the purposes of sub 4 (profiling) has a legal basis in our legitimate interest to maintain and analyze a limited set of information concerning you, in order to be able to more effectively recontact you if you are our client or prospect. Given the limited data perimeter used in profiling, it also occurs without his prior consent, which is therefore not necessary.
Communication and dissemination of data
For the purposes under 1 and 2 the data are communicated by us to: suppliers of the management and maintenance service of our IT systems, websites and databases, companies entrusted with services necessary for the organization and management of events (eg installation of fittings and equipment, publishers of paper and online catalogs, logistics, security, private security, first aid, hostesses, etc.), consultants, banks (for the execution or receipt of payments connected to the Events), to IEG personnel authorized to process data (Communication, Travel, Sales, Marketing, etc).
For the purposes under 3 and 4 the data are communicated to: companies charged with marketing analysis, advertising, communication and / or public relations agencies, digital and paper publishing companies that produce our advertising or promotional materials, production companies of websites or blogs, web marketing companies, subjects in charge of the design and / or maintenance of promotional materials, IT management and maintenance companies, websites and databases used to organize and manage events.
These third parties will process the data in the capacity of External Managers in accordance with our written guidelines and under our supervision.
For all the aforementioned purposes, we also communicate the data to third-party commercial partners who participate in the creation and / or promotion of the Events, which will treat the data as autonomous or co-titular or responsible owners. You can ask us for a list of co-owners, autonomous and responsible owners (see the "rights of the interested party" section of this information).
Data transfer abroad
In the case of Events in the U.S.A. we communicate the data to third party recipients who are based in the United States of America. In this case, the transfer will be based on the following legal basis:
a) the bilateral “Privacy Shield” agreement in force between the EU (European Union) and the U.S.A., which provides for the companies and other entities that import these data in the U.S.A. the obligation to apply a series of protections and measures to protect the personal data received;
b) in the event that the data importer in the U.S.A. has not adhered to the Privacy Shield mechanism, the communication of the data to the importer will take place only after stipulation by the U.S.A. importer of a contractual agreement with which he, for the treatments of his competence, undertakes to IEG to respect privacy obligations substantially equivalent to those provided for by the EU legislation on our charge, through the use of standard contractual clauses conforming to the text adopted by the EU Commission.
In the case of events taking place outside the EU in a country other than the U.S.A. (eg the People's Republic of China, United Arab Emirates, Colombia, Hong Kong), organized or participated by us, we can communicate the data to third-party recipients based in these countries. This data transfer takes place in the face of adequate guarantees, constituted by the prior stipulation by the third importer of a contractual agreement with us by which he, for the processing of his competence, undertakes to respect privacy obligations substantially equivalent to those provided from EU legislation to our load (through the use of standard contractual clauses conforming to the text adopted by the EU Commission).
In the event that the stipulation of such a transfer agreement with the third data importer is impossible or excessively burdensome, the transfer of data to the non-EU country takes place on the basis of the following reasons, even if disjointed: i) it is necessary for the execution of a contract concluded between the interested party and the co-owner of the processing or the execution of pre-contractual measures adopted at the request of the interested party; ii) it is necessary for the conclusion or execution of a contract stipulated between the data controller and another natural or legal person in favor of the data subject (such other natural or legal person is our subsidiary or partner having registered office) in the non-EU country). As an alternative to such cases of derogation, we reserve the right to request specific consent for the transfer of data to the non-EU country.
The list of third parties receiving the data is available on the site www.iegexpo.it/en/privacypolicy (“section importer of data”).
Duration of treatment
In the case of the purposes sub 1 e/o 2 we treat the data for 10 years from date of the contract and/or registration for the webinar of interest and/or “business virtual meeting and/or face-to-face meeting” (in the case of customers) or from the collection of the data of the interested party (in the case of prospects).
In the case of the purposes sub 3 and 4 we treat the data for 10 years from the collection of the data of the interested party (in the case of customers and prospects).
We treat the data contained in the promotional catalog (paper and / or digital) of the individual Events for a maximum of 2 editions of the catalog.
We treat the data necessary for the purposes of computer security (eg log-in registrations, failed logs and log-outs, when accessing restricted areas on the IEG websites related to the Events) for 1 year from collection. The recordings of the logs related to the reading of IEG online privacy information and the on-line actions (eg clicks, flags and the like) through which IEG is informed of the data subject's consent are kept for 10 years from collection .
In the event of a dispute between you and us or our third party suppliers process the data for the time necessary to exercise the protection of our rights or those of the third party suppliers, that is up to the issue and full execution of a provision having the value of a res judicata between the parties or of a transaction.
Once the aforementioned maximum duration has ceased, the personal data are definitively destroyed or made totally anonymous.
Rights of Data Subject
The GDPR confers to you specific rights in relation to your personal data:
- ask us to confirm whether or not a processing of personal data concerning you is in progress and, in this case, to obtain access to personal data and the following information: a) the purposes of the processing; b) the categories of personal data in question; c) the recipients or categories of recipients to whom the personal data have been or will be communicated, in particular if they are recipients of third countries or international organizations; d) when possible, the period of storage of personal data provided or, if this is not possible, the criteria used to determine this period; e) the existence of the data subject's right to request the data controller to rectify or delete personal data or limit the processing of personal data concerning him or to oppose their processing; f) the right to lodge a complaint with a supervisory authority; g) if the data is not collected from the interested party, all available information on their origin; h) the existence of an automated decision-making process, including profiling and, at least in such cases, significant information on the logic used, as well as the expected importance and consequences of such treatment for the data subject.
- if personal data is transferred to a third country or an international organization, the data subject has the right to be informed of the existence of adequate guarantees relating to the transfer;
- request, and obtain without undue delay, the correction of inaccurate data; taking into account the purposes of the processing, the integration of incomplete personal data, also providing a supplementary declaration;
- request deletion of data if: a) personal data are no longer necessary with respect to the purposes for which they were collected or otherwise processed; b) the data subject revokes the consent on which the processing is based and there is no other legal basis for the processing; c) the data subject opposes the processing, and there is no prevailing legitimate reason to proceed with the processing, or he opposes the processing carried out for direct marketing purposes (including the functional profiling of such direct marketing); d) personal data have been unlawfully processed; e) personal data must be deleted in order to fulfill a legal obligation established by Union law or the Member State to which the data controller is subject; f) personal data has been collected regarding the offer of information society services.
- request the limitation of the processing that concerns you, when one of the following hypotheses occurs: a) the data subject disputes the accuracy of the personal data, for the period necessary for the data controller to verify the accuracy of such personal data; b) the processing is unlawful and the data subject opposes the deletion of personal data and requests instead that its use be limited; c) although the data controller no longer needs it for the purposes of processing, personal data is necessary for the data subject to ascertain, exercise or defend a right in court; d) the person concerned has opposed the processing carried out for direct marketing purposes, pending verification regarding the possible prevalence of the legitimate reasons of the data controller with respect to those of the interested party;
- to obtain from the data controller, upon request, the communication of the third-party recipients to whom the personal data have been transmitted;
- revoke at any time the consent to the processing where previously communicated for one or more specific purposes of one's personal data, it being understood that this will not prejudice the lawfulness of the processing based on the consent given before the revocation.
- receive in a structured format, commonly used and readable by automatic device, the personal data concerning you provided by you and, if technically feasible, to have these data transmitted directly to another data controller without hindrance on our part, if necessary the following (cumulative) condition: a) the processing is based on the consent of the interested party for one or more specific purposes, or on a contract to which the interested party is a party and to whose execution the treatment is necessary; and b) the processing is carried out by automated means (software) - overall right to the c.d. "Portability." The exercise of the right c.d. portability is without prejudice to the right to cancellation provided above;
- not be subjected to a decision based solely on automated processing, including profiling, which produces legal effects that concern him or that significantly affects his person.
- lodge a complaint with the competent control authority based on the GDPR (that of its place of residence or domicile); in Italy it is the Data Protection Authority.
You can exercise your rights by writing to the Data Controller Italian Exhibition Group S.p.A., with registered office in Via Emilia, 155 - 47921 Rimini (Italy), e-mail address: firstname.lastname@example.org
In order to ensure compliance with the GDPR and the laws applicable to the processing of personal data, we have appointed Avv. Luca De Muri, domiciled for the position at Italian Exhibition Group S.p.A.
Having read the information communicated to me, I declare the following about the processing of data for autonomous direct marketing purposes by IEG third partners. (purpose 5 of the information)