PARTNERS’ PRIVACY POLICY

March 2023

1. GENERAL PROVISIONS

1.1. PREAMBLE

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals regarding the processing of personal data and on the free movement of such data, otherwise known as the General Data Protection Regulation (hereinafter referred to as the GDPR) sets out the legal framework applicable to the processing of personal data.

The GDPR strengthens the rights and obligations of data controllers, data processors, data subjects and data recipients.

Subsequently, and to implement the changes of the GDPR, the law n°78-17 of 6 January 1978 known as the Data Protection Act was amended by the law n°2018-493 of 20 June 2018 by the ordinance n°2018-1125 of 12 December 2018 on data protection.

The regulations applicable to the protection of personal data thus include the following texts:

• the GDPR
• the French Data Protection Act (Loi Informatique et Libertés), as updated by the aforementioned texts.
• the recommendations of the CNIL.

Article 12 of the GDPR requires that data subjects be informed of their rights in a concise, transparent, understandable, and easily accessible manner.

This privacy policy covers the personal data of event partners.

Partners are understood to be companies or other entities, public or private, which participate in the event as exhibitor, stand, dedicated space, conference, advertiser, etc.

1.2 PURPOSE

The purpose of this policy is to meet the obligation to provide information on the processing of personal data of partners.

If the staff of the partners and their possible service providers attend the event, their personal data will be processed in accordance with the online participant privacy policy.

1.3. GENERAL PRINCIPLES

No processing shall be carried out on your data if it does not relate to personal data collected by or for its services or processed in connection with its services and if it does not comply with the general principles of the GDPR.

Any new processing, modification or deletion of existing processing will be made known to the partners' contact persons by means of an amendment to this policy.

2. IDENTIFICATION OF TREATMENTS

2.1. CATEGORIES OF DATA COLLECTED AND ORIGIN OF THE DATA

The data collected are:

Non-technical data (depending on the use case)

• identity of the contact person(s) in charge of a file and/or present at the event, including the partner's representatives and collaborators and, if applicable, the partner's service providers who attend the event (e.g., title, surname, first name)
• professional details of the contact person(s) in charge of a file (e.g., email, postal address, fixed or mobile telephone number, fax number)
• professional information of the person(s) in charge of a file (e.g., position, grade, function)
• photo in cases where access to the event requires a photo, notably for identification or security purposes.

Technical data (depending on use cases)

• Identification data (IP)
• Connection data (logs in particular)
• Acceptance data (click)
• Location data
• Traceability data (access to the places where the event takes place)
• Cookies

2.2. PURPOSES OF THE PROCESSING

Pre-contractual exchanges
The data of the partners' contacts are processed for the purpose of participation in events organised by Europa Group, on its behalf or on behalf of third parties.

Contract and follow-up of the contract
The data of the partners' contact persons are processed for the purpose of follow-up of the contractual relations for the participation in events organised by Europa Group, on its behalf or on behalf of third parties.

Invoicing, payment, and accounting
The data of the partners' contact persons is used for invoicing and payment of the services provided.

Partner relationship management
The data of the partners' contact persons is processed to communicate with them in the context of questions that they may ask during the current or future execution of a contract with Europa Group.

Sending of canvassing, newsletters, or news feeds
The data of the partners ' contact persons is processed for the purposes of commercial canvassing, sending of newsletters or news feeds.

Management of access of third-party personnel to Europa Group's premises
The data of the partners ' contacts are processed to secure their access to Europa Group's premises (e.g.: keeping a register, access badges, etc.).

Video images (video surveillance)
Certain specific areas of our premises are subject to video surveillance, which results in the processing of data of third parties who may be filmed.

Statistical reporting
Data from partners may be used for statistical purposes.

2.3. RETENTION PERIODS

The duration of data retention is defined regarding legal and contractual constraints and, failing that, according to needs and according to the following principles:

Contracts concluded with partners
5 years from the end of the contractual relationship
10 years for contracts concluded by electronic means over 120 euros

Commercial correspondence (order forms, delivery notes, invoices, etc.)
10 years from the end of the accounting period

Data processed for canvassing purposes
3 years from the date of collection of the data or the last positive act (request for documentation, click on a hypertext link, etc.)

Images from video protection cameras
For a maximum of one month

Access to buildings
For up to one month

Technical data
1 year from collection

Cookies
Cookies are kept for 13 months from the time they are deposited on your terminal, starting from the last time you use the website or the mobile application.

The periods indicated are necessarily extended for the legal period of prescription as evidence in the event of litigation. In the latter case, the retention period is extended for the duration of the dispute.

Once the time limits have expired, the data are either deleted or kept after being anonymised, particularly for statistical purposes. They may be kept in the event of pre-litigation and litigation.

Customers and prospects are reminded that deletion or anonymisation are irreversible operations that do not allow data to be restored later.

2.4. LEGAL BASIS

The processing of the data of contact persons with the partners as presented above is based on pre-contractual or contractual execution.

2.5. RECIPIENTS OF THE DATA

The recipients of the data are the natural or legal persons who receive the personal data. Data recipients may therefore be employees of Europa Group as well as external organisations.

The data collected and processed in the context of relations with the partners are only accessible to authorised internal and external recipients, and to the following recipients:

• the staff of the competent departments authorised to manage relations with the partners' contacts and their line managers.
• the staff of the support services, i.e., the administrative services, the logistics and IT services and their line managers
• service providers or support services (e.g., IT service provider)
• the competent authorities if we are required to share certain data with judicial officers, departments responsible for internal control procedures, etc.

Regarding internal recipients, we decide which recipient may have access to which data according to an authorisation policy and we ensure that they are subject to an obligation of confidentiality.

Regarding external recipients, we inform you that the personal data of those who contact our partners may be communicated to some of our service providers, if necessary, to the company sponsoring the event or to any authority legally entitled to know about it (tax and social authorities in particular).

In this case, Europa Group is not responsible for the conditions under which the personnel of these authorities have access to and use the data.

3. MANAGEMENT OF PEOPLE'S RIGHTS

3.1. RIGHT OF ACCESS AND RIGHT TO COPY

Partners have the right to ask us whether we are processing data about their members (staff, managers, etc.).

They may also request a copy of their members' data being processed.

However, in the event of a request for additional copies, the partners may be required to bear the cost of the new copy.

If requests from partners are made electronically, the information requested will be provided in a commonly used electronic form, unless otherwise requested.

The partners are informed that this right of access may not relate to confidential information or data or to information which may not be disclosed by law.

The right of access must not be exercised in an abusive manner, i.e., on a regular basis with the sole aim of destabilising the proper performance of our services.

3.2. RIGHT OF RECTIFICATION

Partners have the right to request the rectification of certain data concerning their personnel that are obsolete or erroneous.

3.3. RIGHT TO ERASURE

Partners may only invoke the right to erasure of their staff data in the following cases:

• the contract has been terminated and is no longer in effect
• staff members whose data are processed and who are no longer employed by one of the partners and who therefore wish to be deleted from the partners' database.

3.4. RIGHT TO LIMITATION

The partners are informed that this right is not intended to apply to the extent that the conditions required by the applicable regulations are not fulfilled regarding the processing of the personal data of their staff members.

3.5. RIGHT TO PORTABILITY

The partners are informed that this right is not intended to apply insofar as the conditions required by the applicable regulations are not met regarding the processing of the personal data of their staff members.

3.6. EXERCISE OF INTERLOCUTORS' RIGHTS

To exercise their rights, partners should contact us at data.officer@europa-group.com.

4. SUPPLEMENTARY PROVISIONS

4.1. SUBCONTRACTING

We may use any subcontractor of our choice to process the personal data of contact persons with the partners.

In this case, we shall ensure that the subcontractor complies with its obligations under the GDPR.

We undertake to sign a written contract with all our subcontractors and impose the same data protection obligations on them as we impose on ourselves. In addition, we reserve the right to audit our processors to ensure compliance with the provisions of the GDPR.

4.2. REGISTER OF PROCESSING

We undertake to maintain a register of all processing activities carried out where required by law.

This register is a document or application allowing us to list all the processing activities carried out by Europa Group.

We undertake to provide the CNIL, on first request, with information enabling it to verify the compliance of the processing operations with the data protection regulations in force.

4.3. SECURITY MEASURES

We implement such physical or logical technical security measures as we consider appropriate to protect against accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of data.

These measures mainly include:

• management of authorisations to access data
• the use of security protocol or solutions.
• encryption products
• anti-virus software
• firewall
• securing the Wi-Fi network and remote access,
• https security access
• security patch policy
• Conducting external audits
• adoption of an information systems security policy
• adoption of continuity / disaster recovery plans.

In any event, we undertake, in the event of a change in the means of ensuring the security and confidentiality of personal data, to replace them with means of superior performance. No change may lead to a reduction in the level of security.

4.4. DATA BREACH

Any data breach that we may suffer will be notified to the CNIL under the conditions prescribed by the regulations on personal data.

Contact persons for the partners are informed of any data breach that could pose a high risk to their privacy.

4.5. CROSS-BORDER FLOWS

Europa Group reserves the right to implement cross-border flows outside the EU of the data it processes.

In such a case, Europa Group will ensure that the rights of the partners are respected and will, if necessary, sign one or more contracts allowing it to control these flows with the recipient country or countries.

5. CONTACTS

5.1. DATA PROTECTION OFFICER

Europa Group has appointed a Data Protection Officer.

The contact details of the data protection officer are as follows:

Name: Maître Eric Barbry, Cabinet Racine Avocats ;
E-mail address: data.officer@europa-group.com
Phone: 01 44 82 43 00

In the event of new processing of personal data, Europa Group will first refer the matter to the Data Protection Officer

If the partners wish to obtain specific information or wish to ask a specific question, they may refer the matter to the Data Protection Officer, who will give them an answer within a reasonable period regarding the question asked or the information required.

In the event of problems with the processing of personal data, the partners may refer the matter to the appointed Data Protection Officer.

5.2. RIGHT TO LODGE A COMPLAINT WITH THE CNIL

Partners have the right to lodge a complaint with a supervisory authority, namely the Cnil in France, if they consider that the processing of personal data concerning them does not comply with European data protection regulations, at the following address:

5.3. EVOLUTION

This policy may be modified or amended at any time in the event of legal or jurisprudential developments, decisions, and recommendations of the CNIL, or changes in usage.

Any new version of this policy will be brought to the attention of the partners by any means we choose, including electronically (e.g., distribution by e-mail or online).

5.4. FOR FURTHER INFORMATION

For further information, you can contact the following departments data.officer@europa-group.com.