Event Privacy Notice


Effective as of September 6, 2018

 

Overview:
 
1. Who we are
2. Personal data we process about you
3. How we share information
4. Provisions applicable for persons in the European Union 
5. Security
6. Changes to our Privacy policy
7. Contact information

 
1. WHO WE ARE

The Association of Corporate Travel Executives (hereinafter “ACTE”, “we, “us” or similar) is an organization with its main office at 526 King Street, Suite 215, Alexandria, VA, United States of America. We collect and process several categories of personal data from you as a user of the ACTE website (hereinafter the “Website”). Insofar as European Union data protection law applies, we are a controller with regard to the data we process.

We take your privacy extremely seriously and this privacy notice describes our practices regarding our collection and use of your personal data – such as what data we collect, why we collect it, and what we do with it, and sets forth your privacy rights.

Please read this Privacy Notice carefully to understand how we handle your personal information.

2. PERSONAL DATA WE PROCESS ABOUT YOU

2.1 Event registrations through our Website

We use our Website to collect personal data that you directly input into the registration forms, as well as in any other page we set up as an event organizer, such as your name, email address, payment information, and other information. This data, except for payment information, is collected by us and we process it in the performance of a contract with you (the purchase of an event registration) as well as in our legitimate interest to manage our events and contact you, as follows:

(a) Manage our event attendees;
(b) Contact you with regard to the event you have registered for;
(c) Contact you with regard to other events that we organize and think may be of interest to you, from which you can opt out at any time by using the unsubscribe link in the email, or by contacting us as indicated in section 7;
(d) Run statistics with regard to our event attendees;
(e) Improve our future events;

By completing the registration process you represent and warrant that you are the person making the registration or have the express authority from that person to make the registration on their behalf.

2.2 Event registration, participation and related matters

In order to participate in our events, you will be issued a name badge that identifies the level of access that your registration grants you. You will be asked to show this name badge at the entry in the various areas of our events, as this is in our legitimate interest to manage the access to our events.

Our badges typically contain a barcode or QR code. This provides additional personal information including your name, title, company, and email that you provided during the registration process. Sponsors may use handheld scanners to facilitate information collection and they may directly request to scan your badge. Allowing them to scan your badge is optional and the sponsor may use this information to contact you after the event or for other purposes that you agree with them. The sponsor’s use of your information in this situation is subject to your direct relationship with the sponsor and their own privacy policies. ACTE takes no responsibility for how that company uses your personal information.

Where we provide food in our events, you may provide information about food allergies or other conditions, so that we may adapt our menu accordingly.

We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
 
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

By law we may have to keep basic information about our members (including contact, identity, and transaction data) for up to seven years after they cease being members (for tax purposes.)
 
If you provided us with your data while you were located in the EEA, in some circumstances, you can ask us to delete your data: see Request erasure in section 4 below for further information.

2.3 Photos and videos

We may be taking pictures and record video footage of our events. Given that our events are public areas with controlled access, and that we do not intend to photograph you directly but rather groups (unless you are a speaker or a special guest), we do this based on our legitimate interest to document our events and market their success.)

The photos and videos are stored by ACTE for the entire period ACTE (or its legal successor) exists.

2.4 Speakers

If you are a speaker in our events, we will be processing your name, title, company, professional bio, education, as well as your presentation slides (if applicable), photos and videos of you at our events. The presentation slides (if applicable), photos and videos may be made public through the channels we consider appropriate (our website, third party websites, social media).

We do ask for your consent to take photos and videos of you and share them publicly, however given that our interest is to publicize our events, if you do not agree we may refuse to appoint you as a speaker.

This processing is made in our legitimate interest to promote our events and the data is stored by us
for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
 
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
 
By law we may have to keep basic information about our speakers (including contact, identity, and transaction data) for up to seven years after they cease being members (for tax purposes.)
 
If you provided us with your data while you were located in the EEA, in some circumstances, you can ask us to delete your data: see Request erasure in section 4 below for further information.

2.5 Related services

During the registration process or thereafter you may ask us to book a hotel room with one of our event partners. If you ask us to do this, we will legally conclude a contract with the hotel in your name. In the performance of this contract we will share your personal data, to the minimum extent necessary, with the hotel where we book your room. The data we provide to them includes your name, address, email address, and other identification information the hotel may require. The processing of your data by the hotel is made in their capacity of data controller, subject to their own privacy policy.

2.6 Partner marketing

When you attend our events you may receive promotional goods or a conference bag with various items, some provided by us and some provided by our event partners. This product placement is made without providing your personal data to our partners, therefore if you are interested in any of their products please contact them directly.
 
2.7 Use of the Website

The Website collects certain information about which you can read here.

3. HOW WE SHARE INFORMATION

We will disclose your personal data only for the purposes and to those third parties, as described below.

We will take appropriate steps to ensure that your personal data are processed, secured, and transferred according to applicable law.

3.1 Disclosure to third parties

We will share the strictly necessary parts of your personal data, on a need-to-know basis with the following categories of third parties:
 
(a) Payment processors that process payment of registrations you buy for our events. These platforms act as controllers with regard to your data, collect most data directly from you, and such personal data processing is subject to the third party’s own privacy policy.

(b) Hotels where we book accommodation in your name, if you request us to;

(c) Companies that provide products and services to us (processors), such as:

(i) Third parties involved in organizing our events, client support, or sales activities;
(ii) Information technology systems suppliers and support, including email archiving, telecommunication suppliers, back-up and disaster recovery and cyber security services.

(d) Other parties such as public authorities and institutions, accountants, auditors, lawyers and other outside professional advisors, where their activity requires such knowledge or where we are required by law to make such a disclosure.

We will also disclose your personal information to third parties:

(i) If you request or authorize so;
(iii) If you are not an individual located in the EEA, we share your registration information with the event sponsors;
(iv) To persons demonstrating legal authority to act on your behalf;
(v) If we are under a duty to disclose or share your personal information in order to comply with any legal obligation, any lawful request from government officials and as may be required to meet national security or law enforcement requirements or prevent illegal activity;
(vi) To respond to any claims, to protect our rights or the rights of a third party, to protect the safety of any person or to prevent any illegal activity; or
(vii) To protect the rights, property or safety of ACTE, our employees, customers, suppliers, visitors, or other persons.

We, as well as some of these recipients may use your data in countries which are outside of the European Economic Area. Please see Section 4 below for more detail on this aspect.

3.2 Restrictions on use of personal information by recipients

Any third party processors with whom we choose to share your personal information pursuant to the above are limited (by law and by contract) in their ability to use your personal information for the specific purposes identified by us. We will always ensure that any third parties with whom we choose to share your personal information are subject to privacy and security obligations consistent with this Privacy Notice and applicable laws. However, for the avoidance of doubt this cannot be applicable where the disclosure is not our decision, including where you request it.

Save as expressly detailed above, we will never share, sell or rent any of your personal information to any third party without notifying you and, if applicable, obtaining your consent.

4. PROVISIONS APPLICABLE FOR PERSONS IN THE EUROPEAN UNION

4.1 Transfers of information outside of the European Union

Since we are an organization with based in the USA, we process your personal data outside of the European Union. We do this in the performance of the contract you conclude with us by purchasing a registration to our events.

In the event that you are an individual located in the EEA, where your personal data is transferred to other entities as mentioned in Section 3 above, we will take appropriate measures to ensure that the recipient protects your personal information adequately in accordance with this Privacy Notice.  These measures include entering into European Commission approved standard contractual arrangements with them, or ensuring they have signed up to the EU-US Privacy Shield (see further https://www.privacyshield.gov/welcome).

Further details on the steps we take to protect your personal information in these cases is available from us on request by contacting our Privacy Officer at privacy@acte.org at any time.

4.2 Your rights (EEA Individuals)

In the event that you are an individual located in the EEA, as a data subject, under EU data protection law you have specific legal rights relating to the personal data we collect from you. We will respect your individual rights and will deal with your concerns adequately.

Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
 
Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
 
Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
 
Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
 
Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
 
Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
 
Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

Please note:

• Time period: We will try to fulfill your request within 30 days, which may be extended due to specific reasons relating to the specific legal right or the complexity of your request. In all cases, if this period is extended, we will inform you about the term of extension and the reasons that led to it.

• Restriction of access: In certain situations we may not be able to give you access to all or some of your personal data due to statutory provisions. If we deny your request for access, we will advise you of the reason for the refusal.

• No identification: In some cases, we may not be able to look up your personal data due to the identifiers you provide in your request. In such cases, where we cannot identify you as a data subject, we are not able to comply with your request to execute your legal rights as described in this section, unless you provide additional information enabling your identification. We will inform you and give you the opportunity to provide such additional details.

• Exercise your legal rights: In order to exercise your legal rights, please contact us in writing (including electronically) at the contact details provided in section 7 below.

Right to lodge a complaint: You can lodge a complaint to the data protection authority in your country.

5. SECURITY

We are committed to protecting personal information from loss, misuse, disclosure, alteration, unavailability, unauthorized access and destruction and take all reasonable precautions to safeguard the confidentiality of personal information, including through use of appropriate organizational and technical measures. Organizational measures include physical access controls to our premises, staff training, and locking physical files in filing cabinets.  Technical measures include use of encryption, passwords for access to our systems and use of anti-virus software.

In the course of provision of your personal data to us, your personal information may be transferred over the internet. Although we make every effort to protect the personal information which you provide to us, the transmission of information between you and us over the internet is not completely secure. As such, we cannot guarantee the security of your personal information transmitted to us over the internet and that any such transmission is at your own risk. Once we have received your personal information, we will use strict procedures and security features to prevent unauthorized access to it.

6. CHANGES TO OUR PRIVACY NOTICE

We reserve the right, at our discretion, to modify our privacy practices and update and make changes to this privacy policy at any time. For this reason, we encourage you to refer to this privacy policy on an ongoing basis. This privacy policy is current as of the date which appears at the top of the document. We will treat your personal data in a manner consistent with the privacy policy under which they were collected.

7. CONTACT INFORMATION

Please direct your questions regarding the subject matter of data protection and any requests in the exercise of your legal rights to the following contact details:

Privacy Officer
ACTE
526 King Street, Suite 215
Alexandria, VA 22314
800-228-3669 (800-ACTENOW)
privacy@acte.org

We will investigate and attempt to resolve any request or complaint regarding the use or disclosure of your personal information.

In the event that you are an individual located in the EEA, if you are not satisfied with our reply and you are from the European Union, you may also make a complaint to the data protection authority, as indicated in section 4.2 above.