PARTICIPANTS’ PRIVACY POLICY

March 2023

PREAMBLE

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals regarding the processing of personal data and on the free movement of such data, otherwise known as the General Data Protection Regulation (hereinafter referred to as the GDPR) sets out the legal framework for the processing of personal data.

The GDPR strengthens the rights and obligations of data controllers, data processors, data subjects and data recipients.

In the case of our activity, we must process personal data.

Article 12 of the GDPR requires that data subjects be informed of their rights in a concise, transparent, comprehensible, and easily accessible manner.

1. PURPOSE

The purpose of this policy is to meet the information obligation of clients and prospects participating in events organised by Europa Group.

This policy also applies to all participants in an event, including the staff of the organisers and partners as well as their possible contractors.

2. PURPOSES OF THE PROCESSING

Depending on the case, the purposes are as follows:

• Promotion of events and similar events.
• Commercial canvassing.
• Animation of communities.
• Creation and management of personal spaces on websites and applications related to events.
• Management of registration and participation in an event.
• Management of applications to an event participation fund.
• Management of contributions to the programme of events
• Management of contributions to books and journals published in connection with events or not.
• Management of access and traceability in the sites hosting the events and the various dedicated areas.
• Management of certificates of attendance and various certificates, invitation letters.
• Management of the purchase or subscription of other products and services online.
• Legal declarations to the authorities of the countries hosting the events or of the countries of origin of the participants in the events (as required).
• Service improvement and satisfaction surveys.
• Statistics.
• Rights and complaints management.
• Management of de-subscription requests.
• Management of payments and debt collection where necessary
• Communication of participants' data to third parties (event organisers, partners, service providers).
• Drawing up a list of participants in an event.

For the sake of clarity, the following are considered as:

• Event organisers: companies or other entities that initiate the event and for which Europa Group ensures the implementation of the event.
• Partners: companies or other entities, public or private, which participate in the event as exhibitors, stands, dedicated space, conferences, etc.
• Service provider: any company or other entity that provides services for the smooth running of an event (reception, security, logistics, etc.).

This list is intended to be as exhaustive as possible; any new purpose, modification or deletion of an existing processing operation will be brought to the attention of clients and prospects by an amendment to this policy.

3. LEGAL BASIS FOR PROCESSING

The data processed is based on the execution of the contract and the legitimate interest of having data concerning its customers and prospects.

Where necessary, the consent of the persons concerned is obtained.

4. TYPES OF DATA COLLECTED

Non-technical data (according to use cases)

• Identification (surname, first name, nickname, etc.).
• Contact details (email and/or postal address, landline and/or mobile phone number, etc.).
• Photo in cases where access to the event requires a photo, particularly for identification and security purposes.
• Professional life (profession, position, speciality, business numbers, etc.).
• Financial data (bank card, RIB, etc.).
• Video images (filmed conferences, video surveillance, etc.).

Technical data (depending on use cases)

• Identification data (IP).
• Connection data (logs in particular).
• Acceptance data (click).
• Location data.
• Traceability data (access to the places where the event takes place).
• Cookies

5. ORIGINS OF THE DATA

Data relating to customers or prospects (primary or otherwise) is generally collected directly from them.

It may also be collected indirectly, via third parties:

• via event organisers (membership files, prospects, participants, website users, etc.).
• via Europa Group's partners and suppliers involved in the organisation and holding of events.
• via the employers of the persons concerned.
• via sponsorship actions.
• via companies specialising in the sale or rental of databases.

In this case, Europa Group will ensure that the third parties, organisations or legal entities are following the GDPR and that the data subjects are informed of this personal data management policy.

6. DATA RECIPIENTS - EMPOWERMENT & TRACEABILITY

The data collected may be shared in whole or in part depending on the purpose.

Internal recipients

• authorised staff of the marketing department, the sales department, the departments responsible for handling customer relations and canvassing, the administrative departments, the logistics and IT departments and their line managers
• authorised staff of the departments responsible for internal control procedures.

The recipients of personal data of clients and prospects within Europa Group are subject to an obligation of confidentiality.

Europa Group decides which recipient may have access to which data according to an authorisation policy.

External recipients

• the organiser of the event.
• Europa Group's subcontractors and service providers.
• Europa Group's subsidiaries.
• exhibitors and event partners in certain cases (e.g., visit to their stand, participation in a promotional or sponsored session, etc.) where you have given your consent.
• all event participants in certain cases (e.g., publishing the list of participants)
• accreditation bodies, bodies awarding subsidies for participation fees.
• the authorities of the countries hosting the congress or of the participants' countries of origin, in the context of the application of legal provisions
• organisations, court officials and legal officers, in the context of their debt collection duties.
• the organisation in charge of managing the "Do not call" list.
• Authorised external staff of the supervisory authorities (e.g., auditors).

Europa Group is in no way responsible for damage of any kind that may result from unlawful access to personal data.

All accesses concerning the processing of personal data of clients and prospects are subject to a traceability measure.

Furthermore, personal data may be communicated to any authority legally entitled to know them. In this case, Europa Group is not responsible for the conditions under which the personnel of these authorities have access to and use the data.

7. RETENTION PERIOD

The duration of data retention is defined regarding legal and contractual constraints and, failing that, according to needs and according to the following principles:

Data relating to customers participating in the event
5 years from the end of the event or according to the authorisations obtained.

Data relating to the personal space on the websites and applications
Deletion of data upon unsubscription or, failing that, after 2 years of inactivity.

Data relating to prospects
3 years from the date of collection or from the last positive act of the prospect (request for documentation, click on a hypertext link, etc.).

Technical data
1 year.

Banking data
Deleted as soon as the transaction is completed, except with the customer's express agreement.
If the transaction is contested: stored for 13 months following the debit date.

Cookies
Cookies are kept for 13 months from the time they are deposited on your terminal, starting from the last time you use the website or the mobile application.

After the set deadlines, the data are either deleted or kept after being anonymised, notably for statistical purposes. They may be kept in the event of pre-litigation and litigation.

Customers and prospects are reminded that deletion or anonymisation are irreversible operations that do not allow data to be restored subsequently.

8. RIGHT TO OBJECT

Customers and prospects have the right to object to any commercial prospecting by post, telephone, or electronic means, including profiling insofar as it is linked to such prospecting.

In the case of electronic prospecting, it will be possible at any time for customers to object to such prospecting either by clicking on the link in the e-mail sent or by modifying the account preferences on our websites.

By SMS, it is possible to object to any prospecting by sending "stop" to the number appearing in the message received.

9. RIGHT OF CONFIRMATION AND RIGHT OF ACCESS

Customers and prospects have the right to request confirmation as to whether data relating to them is being processed.

Customers and prospects also have a right of access, the latter being subject to compliance with the following rules:

• the request comes from the person himself and may be subject to an identity check.
• the request is made to the e-mail address data.officer@europa-group.com or by using one of the forms available online.

Customers and prospects have the right to request a copy of their personal data. However, if additional copies are requested, customers and prospects may be required to pay for them.

If customers and prospects make their request for a copy of the data electronically, the information requested will be provided in a commonly used electronic form, unless otherwise requested.

Customers and prospects are informed that this right of access may not relate to confidential information or data or data which may not be disclosed by law.

The right of access must not be exercised in an abusive manner, i.e., on a regular basis with the sole aim of destabilising the service concerned.

10. UPDATING - UPDATING AND RECTIFICATION

Clients or prospects have the right to update:

• automatically for online changes to fields that technically or legally can be updated.
• upon written request by the person him/herself and may be subject to an identity check.

11. RIGHT TO ERASURE

The right to erasure of customers and prospects shall not apply in cases where the processing is carried out to meet a legal obligation.

Apart from this situation, customers and prospects may request the deletion of their data in the following limited cases:

• the personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
• when the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing.
• the data subject objects to processing which is necessary for the purposes of the legitimate interests pursued by the processing and there is no compelling legitimate reason for the processing.
• the data subject objects to the processing of his or her personal data for the purpose of marketing, including profiling.
• the personal data have been processed unlawfully.

In accordance with the legislation on the protection of personal data, customers and prospects are informed that this is an individual right that can only be exercised by the person concerned in relation to his or her own information: for security reasons, the department concerned will therefore have to verify your identity in order to avoid any communication of confidential information about you to anyone other than you.

12. RIGHT TO RESTRICTION

Customers and prospects are informed that this right is not intended to apply insofar as the processing is lawful and any personal data collected is necessary for the performance of the commercial contract.

13. RIGHT TO PORTABILITY

Customers and prospects have the right to the portability of their data in the case of data communicated by the customers or prospects themselves, on online services offered by the person from whom the request is made and for purposes based solely on the consent of the persons or the execution of the contract. In this case the data will be provided in a structured, commonly used, and machine-readable format.

14. AUTOMATED INDIVIDUAL DECISION

No processing is based on automated individual decisions.

15. POST-MORTEM RIGHTS

Customers and prospects are informed that they have the right to formulate directives concerning the conservation, deletion, and communication of their post-mortem data. The communication of specific post-mortem directives and the exercise of their rights can be made by e-mail to data.officer@europa-group.com

16. OPTIONAL OR MANDATORY NATURE OF RESPONSES

Customers and prospects are informed on each personal data collection form of the compulsory or optional nature of the answers by the presence of an asterisk.

17. RIGHT OF USE

Customers' and prospects' data are subject to a right of use and processing of their personal data for the purposes set out above.

However, the enriched data that is the result of processing and analysis, otherwise known as "enriched data", remains the exclusive property of Europa Group (analysis of usage, statistics, etc.).

18. SUBCONTRACTING

Europa Group informs clients and prospects that it may involve any subcontractor of its choice in the processing of their personal data.

In this case, Europa Group ensures that the subcontractor complies with its obligations under the GDPR.

Europa Group undertakes to sign a written contract with all its subcontractors and imposes the same data protection obligations on the subcontractors as on Europa Group. Furthermore, Europa Group reserves the right to audit its subcontractors to ensure compliance with the provisions of the GDPR.

19. SECURITY

Europa Group is responsible for defining and implementing the technical security measures, physical or logical, that it deems appropriate to combat the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of data.

These measures mainly include:

• management of authorisations to access data.
• the use of security protocol or solutions.
• encryption products.
• anti-virus.
• firewall.
• securing the Wi-Fi network and remote access.
• https security access.
• security patch policy.
• Conducting external audits.
• adoption of an information systems security policy.
• adoption of business continuity/disaster recovery plans.

20. DATA BREACH

Any data breach that we may suffer will be notified to the CNIL under the conditions prescribed by the regulations on personal data.

Customers and prospects are informed of any data breach that could pose a high risk to their privacy.

21. CROSS-BORDER FLOWS

Europa Group reserves the right to implement cross-border flows of the data it processes outside the EU.

In such a case, Europa Group will ensure that the rights of clients and prospects are respected and will, if necessary, sign one or more contracts to govern these flows with the recipient country or countries.

22. REGISTER OF PROCESSING OPERATIONS

Europa Group undertakes to keep an up-to-date register of all processing activities carried out.

This register is a document or application that makes it possible to identify all processing activities carried out by Europa Group.

Europa Group undertakes to provide the supervisory authority, on first request, with the information enabling the said authority to verify the compliance of the processing operations with the applicable data protection regulations.

23. DATA PROTECTION OFFICER

Europa Group has appointed a data protection officer.

The contact details of the data protection officer are as follows:

Name: Maître Éric Barbry, Cabinet Racine avocats
E-mail address: data.officer@europa-group.com
Phone: 01 44 82 43 00

In the event of new processing of personal data, Europa Group will first refer to the data protection officer.

If clients and prospects wish to obtain information or wish to ask a particular question, they will be able to contact the Data Protection Officer who will give them an answer within a reasonable timeframe regarding the question asked or the information required.

In the event of a problem with the processing of personal data, customers and prospects may refer the matter to the designated data protection Officer.

24. RIGHT TO LODGE A COMPLAINT WITH THE CNIL

Customers and prospects concerned by the processing of their personal data are informed of their right to lodge a complaint with a supervisory authority, namely the CNIL in France, if they consider that the processing of their personal data does not comply with the European data protection regulations, at the following address:

25. EVOLUTION

The present policy may be modified or amended at any time in the event of legal or jurisprudential developments, decisions, and recommendations of the CNIL (French Data Protection Authority) or practices.

Any new version of the present policy will be brought to the attention of clients and prospects by any means defined by Europa Group, including electronic means (distribution by e-mail or online, for example).

26. FOR FURTHER INFORMATION

For further information, you can contact the following department: data.officer@europa-group.com