PRIVACY POLICY ITALIAN EXHIBITION GROUP SPA
SUMMARY
INTRODUCTION
GENERAL PRINCIPLES OF TREATMENT
PURPOSE OF PROCESSING
LEGAL BASIS FOR PROCESSING. MANDATORY OR OPTIONAL PROVISION OF DATA AND CONSEQUENCES OF FAILURE TO PROVIDE DATA
OWNERSHIP OF TREATMENT
DATA PROTECTION OFFICER
COMMUNICATION AND DISCLOSURE OF DATA
TRANSFER OF DATA ABROAD
DURATION OF TREATMENT
TREATMENT MEANS
SECURITY MEASURES
RIGHTS OF THE INTERESTED PARTY
CHANGES TO THE PRIVACY POLICY
INTRODUCTION
This Privacy Policy (hereinafter referred to as the “Policy”) is provided in accordance with the applicable legislation on the protection of personal data, in relation to the personal data processed by the company ITALIAN EXHIBITION GROUP SpA (“IEG”) and/or by the other companies controlled by it listed in the table below (the “Controlled Companies”), which:
- organize, host, also together with third party partners, also on behalf of third parties, events, exhibitions, conferences/congresses, workshops, webinars and/or business meetings, physical and/or virtual (the “Events”), or
- provide services and products (by way of example, but not limited to: catering, setups, cleaning and baggage handling, training, publishing, event services, etc.) (the “Services”).
Personal data (the “data”) are data consisting of any information that is connected or connectable to (i) subjects qualified as “interested parties” according to EU Regulation 679/2016 (“GDPR”) (i.e. natural persons, sole proprietorships and/or partnerships or other organisations with a restricted subjective basis to which the personal data relate) and/or (ii) other subjects substantially equated to interested parties by EU or foreign data protection legislation applicable to the relevant processing.
Data processing includes, where applicable, the operations of recording, organisation, storage and processing on paper, magnetic, automated or telematic media, the processing, modification, selection, extraction, comparison, use, interconnection between data based on qualitative, quantitative and temporal criteria, recurring or periodically definable, temporary processing intended for rapid aggregation or transformation of the data itself, the communication, cancellation and destruction of data, or combinations of two or more of the aforementioned operations, based on what is necessary for the purposes mentioned below.
STAKEHOLDER CATEGORIES AND DATA COLLECTION
The data processed concern the following categories of interested parties, who provide the data for themselves or for the organizations to which they belong:
- customers (i.e. exhibitors, visitors/consumers, buyers, conference attendees, congress participants, event speakers, workshop, webinar and business meeting attendees, buyers of services and products),
- potential customers (i.e., subjects who have expressed interest in the Events, Services and/or Products through requests for contact, information or quotes or in any other way, including subscribing to IEG Group newsletters),
- other categories of interested parties (recipients of invitations to participate in the Events, for example, guests, journalists and representatives of media outlets, minors under 14 years of age, users of websites and/or applications provided by IEG and/or Controlled Companies).
Data collection takes place:
- through the interested party and/or,
- in public and/or private databases, limited to the identification, contact, corporate, tax, economic-patrimonial and financial, solvency and business suitability of the data subject,
- through the Controlled Companies, limited to identification, contact, corporate, tax, economic-patrimonial and financial data, and
- on social media platforms (e.g. LinkedIn, Facebook), limited to identification data (first and last name or first name/company name), contact data (city and region of residence and/or headquarters, email address, landline-mobile telephone number), economic and commodity sector to which it belongs and/or commercial interest.
GENERAL PRINCIPLES OF TREATMENT
Data is processed in compliance with the principles of lawfulness, fairness, correctness, transparency, proportionality, necessity, accuracy, integrity and security and other regulatory obligations under applicable regulations from time to time in relation to the processing of personal data.
PURPOSE OF PROCESSING
The processing has the following purposes:
1. Protection of intangible information assets of IEG and/or its Subsidiaries and Operational Continuity and IT Security.
2. a) Subscription to the newsletter service.
2. b) Satisfaction of pre-contractual needs (e.g. solvency checks and risk and fraud control, processing of interested party requests for quotations or other information) and/or fulfillment of contractual obligations (including, among other things, the planning and technical-organizational management of the Events and/or Services and Products) and/or obligations established by law, by a regulation or by Community or foreign legislation relating to the Events and/or Services and Products of IEG (including, for example, the preparation of the consolidated financial statements of the IEG Group, by the IEG Parent Company) and/or of the Subsidiary (for example, accounting, tax or administrative obligations).
3. Market research, carried out through nominative surveys (provided exclusively by IEG), with the objective of detecting perceived performance levels and/or degrees of satisfaction related to Events, Services and Products and the consequent expectations of customers and prospects of IEG and/or its Subsidiaries.
4. Basic profile carried out by IEG and/or its Subsidiaries.
Profiling means the automated processing of personal data consisting of the use of such data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning (…) the economic situation, (…) individual preferences, interests, reliability, behavior, location (…) of that subject.
Profiling is relevant for privacy purposes only if it concerns natural persons, i.e. individual companies or partnerships and their partners/directors, or internal representatives of public limited companies, bodies or organisations.
Basic profiling uses limited data sets, provided to us by the data subject and collected from the third party sources indicated above and/or communicated to IEG by the Controlled Companies.
The following data is mainly processed:
- exhibitors: first and last name, company name of the organization to which they belong, contact details, residence or headquarters, country of origin, website, sector of activity, brand, types of service or product offered by the exhibitor, annual promotional/advertising budget, type of distribution (store, department store, concept store), markets of interest (e.g. countries, type of B2B or B2C customers);
- other buyers of Services and Products: first and last name, company name of the organization to which they belong, contact details, residence or headquarters, country of origin, website, sector of activity, type of Service or Product purchased,
- buyers/visitors: first and last name, company name of the organization to which they belong, contact details, position and level of responsibility of the contact person, residence or registered office, country of origin, website, year of foundation of the company, turnover, number of employees, sector of activity, percentage of business linked to Italy and abroad, Italian and foreign regions of interest, main categories of Events, Services or Products of interest to the buyer, main categories of services and/or products marketed by the same (also in terms of percentage of sales by geographical area), categories of customers of the organization, purpose of visiting the Event;
- journalists: name and surname, contact details, sector and newspaper to which they belong, country of origin, language;
- event speakers, conference/meeting participants: name and surname, contact details, sector to which they belong, professionalism/topics covered, language;
- Other customer categories: name and surname, contact details, country of origin, product or economic sector of activity, turnover, number of employees, main categories of services or products of interest and/or marketed by the customer.
5. Advanced profiling performed exclusively by IEG
(NB: This purpose is limited to clients and potential clients of IEG and/or its Subsidiaries who are natural persons, individual companies or partnerships and related partners/directors and/or internal representatives of public limited companies, bodies or organizations. If, however, the same analysis relates to data of subjects other than the categories mentioned above, the legislation on the protection of personal data does not apply).
This purpose presupposes specific consent from the data subject.
The advanced profile aims to analyze the general interactions of the interested party with the various entities of the IEG Group (the so-called “customer centricity”) using and integrating with each other, comparing and reprocessing according to logics relevant to this objective, the data categories and/or the main criteria described below:
- product or economic sector of activity of the buyer/visitor/exhibitor/congress participant or other client of IEG and/or its Subsidiaries;
- categories of Events, Services and/or Products requested by interested parties and/or offered to them;
- transaction history with IEG and/or its Subsidiaries. For example: categories of Events and Services and/or Products purchased or of interest, trend in relative purchase prices within pre-defined time periods, trend in the annual promotional/advertising budget of the Events declared by the interested party;
- levels of perceived performance and degree of stakeholder satisfaction in relation to the Participated Events and Services and/or Products purchased, deduced from:
- nominative surveys provided by IEG to interested parties and relating only to IEG and/or from
- other statistical data reports, also nominative, processed by IEG from data relating to participation in Events or the purchase of Services and/or Products, relating to interested parties attributable to the Controlled Companies and shared by IEG with the Controlled Companies, processed to identify common operational marketing strategies, functional for:
- increasing, over time, the level of satisfaction of interested parties regarding Events, Services and Products, as well as
- the development of the turnover resulting from the IEG Group, both at the level of individual and consolidated Controlled Companies;
- commercial marginality, relating to the interested party and/or groups of interested parties, assessed at Group level (for individual Events, Services and/or Products and/or for aggregations thereof, e.g. based on product categories, relevant periods of time, applied price ranges, etc.) based on the commercial margins applied to the interested party, by IEG and/or by the Subsidiaries;
- (if the interested party is a customer or prospect) data on browsing behavior on the websites of IEG and/or its Controlled Companies or during the use of the Services and/or Products provided through such websites (for example, through cookies related to the pages of the websites that the interested party visits or the country from which the interested party connects), interactions with other communication channels (for example, through cookies related to pages and profiles on social networks) and/or with commercial email messaging services (for example, cookies related to the successful completion of messages sent, user reactions to emails through actions such as opening an attachment or accepting a request for a link to landing pages or message attachments, etc.);
The advanced profile allows, depending on the case, to send the interested party only promotional communications relevant to their most likely expectations and needs deduced from the aforementioned analysis, to limit the frequency of such messages within predefined time periods avoiding fatigue, to limit the sending of messages from ineffective channels, to ensure the best purchasing experience for Events, Services and/or Products, to identify the most effective actions for certain target audiences.
6. Submission by IEG and/or its Subsidiaries (via email, text message, app push notifications, instant messaging functions such as WhatsApp and Telegram, telephone calls with operator, social networks and other automated tools, regular mail) of commercial and advertising communications – including newsletters – and offers to sell Events and/or Services and/or Products of a similar nature to those previously purchased by the data subject (client) or to those who have been the subject of pre-contractual requests or other expression of interest by the data subject (prospect), even implicit (for example, expressed through the spontaneous delivery of a business card to IEG and/or a Controlled Company) (collectively referred to as “soft spam”).
In the case of processing by Controlled Companies based in BRAZIL, CHINA and SINGAPORE, the Data Controller may process for the purposes of sub 6 the data of the data subject (exclusively visitors to Events of a B2C nature) only based on the prior specific consent of the data subject.
7. Following, as a rule, but not limited to, the nominative surveys referred to in point 3 and/or the statistical reports referred to in point 5: Direct marketing actions (i.e. commercial and advertising communications – including newsletters – and/or sales offers for Events and/or Services and/or Products) exclusively by IEG (not also by the Controlled Companies) for
- (that is, interested parties who have never purchased Events, Services or Products) from IEG and/or its Subsidiaries
- customers and prospects of IEG and/or the Controlled Companies if the Direct Marketing concerns Events, Services and Products of a nature not similar to those already purchased or of expressed interest in them, or however, iii) for customers and prospects of the Controlled Companies whose data is transferred to IEG by them.
This purpose presupposes specific consent from the data subject.
8. Data transfer to
- from IEG to partner companies or to third parties subject of IEG and/or its Subsidiaries (for example, Event organizers, exhibitors, other operators active in the Events or Services/Products), for their autonomous direct marketing actions related to their respective services/products.
This purpose presupposes the specific consent of the data subject.
- from IEG to social media platforms with the aim of determining – from the analysis of the social profile(s) of the data subject – new groups of leads (i.e. other potential customers) with a similar profile to those communicated by IEG, and subsequent direct marketing actions aimed at these new groups of leads (so-called “lookalike” services) by social media platforms.
This purpose presupposes the specific consent of the data subject, in favor of IEG.
9. Online and physical security management, especially to protect IEG and its Controlled Companies, participants in Events and Services, websites and applications of the IEG Group against fraud, theft, misappropriation, damages or other violations of the law, determine related liabilities and protect the related rights of IEG and/or its Controlled Companies.
10. Management of other organizational and productive activities of IEG and/or its Subsidiaries:
- management of the quality system adopted by IEG and/or its Subsidiaries, improvement of the quality of Events, services and Products,
- management control,
- access management (for example, through spontaneous registration by the user) to the websites of IEG and/or its Subsidiaries and to the content and/or services accessible from them (if such activities are not already due by contract),
- management of VIP data (e.g. for the application of conditions for facilitated access to Events),
- production, printing and dissemination of printed and/or web-based editorial materials,
- management of accreditation and participation in Events and/or Services of communication organizations, media outlets and representatives of journalistic and communication services,
- extra-contractual management of the participation of interested parties in thematic initiatives of an extraordinary and/or temporary nature, collateral to the Events,
- video surveillance management in the Event venues.
Specific additional purposes related to individual processing may be identified in detail through supplementary disclosures by Data Controllers.
11. Credit data management by the Controlled Company IEG Events Arabia LLC: the processing concerns data relating to an individual’s economic and financial situation, data on payment capacity, data relating to past transactions and payment and debt-related behavior.
This purpose presupposes the specific consent of the data subject.
LEGAL BASIS FOR PROCESSING. MANDATORY OR OPTIONAL PROVISION OF DATA AND CONSEQUENCES OF NON-PROVISION OF DATA
The legal bases for processing are as follows:
- In relation to the purposes of sub 1 (protection of intangible information assets and Business Continuity and Information Security): the legitimate interest of IEG and/or its Subsidiaries in the adequate protection, managed centrally at IEG and/or also decentralized at the Subsidiaries, of the intangible information assets of IEG and its Subsidiaries and the related operational continuity and IT security.
- In relation to purposes sub 2a (newsletter service): the legitimate interest of IEG and/or the Controlled Companies in maintaining commercial contact with those who have already shown interest in the Events, Services or Products of the IEG Group by subscribing to the newsletter service (therefore, without the need for consent from the data subject);
- In relation to purposes sub 2b (satisfaction of pre-contractual requirements and/or fulfilment of contractual obligations and/or obligations under an EU or foreign law, regulation or legislation): the need for IEG and/or the Controlled Companies to fulfil pre-contractual requirements and/or contractual obligations (including diligent planning and organisation of the Events and/or Services/Products and verification of the reliability of the company applying for an entry visa for the Events) and/or requirements of law, regulation or other legislation (applicable only at local or cross-border level, e.g. provisions of Italian law obliging the Controlled Companies to cooperate with IEG in the preparation of the Group’s consolidated financial statements).
The data subject is free not to provide his/her data, but in this case his/her pre-contractual requests and/or the conclusion of the requested contract and/or the aforementioned legal or regulatory obligations cannot be fulfilled.
In the case of an Event or Service/Product delivered online, the data subject is free not to activate the PC’s cameras and/or microphone, but in this case, if your image or voice is necessary to take advantage of the Event or Service/Product, we will not be able to deliver it.
- Regarding the purposes of sub-3 (nominative market research): IEG’s legitimate interest in analyzing and protecting the reputation of IEG, its Subsidiaries, Events, Services and/or Products among interested parties, and the quality perceived by them, since maximizing their satisfaction is also a benefit for interested parties. The interested party is free not to provide their data, but in this case, the specified investigations cannot be carried out.
- In relation to purpose sub 4 (basic profile): the legitimate interest of IEG and/or its Subsidiaries in having a minimum commercial profile of the interested party useful for guiding actions to maintain the commercial relationship with the same over time and, in particular, to verify and optimize the effectiveness of promotional communications and/or sales offers for Events, Services and/or Products, avoiding content that is not relevant to them.
- In relation to purposes sub 5 (advanced profiling): prior specific consent. The interested party is free not to provide his/her data and not to give his/her consent. In this case, such advanced profiling cannot be carried out, but there will be no other legal effects (in particular, the possibility for the interested party to participate in the Events and/or use the Services and/or Products will remain intact).
- In relation to purposes sub 6 (soft spam, also in the USA and DUBAI): the legitimate interest of IEG and/or its Subsidiaries in maintaining active, with reasonable frequency over time, commercial contact with customers and prospects, done without prejudice to the right of the interested party to object to processing for this purpose at any time.
In the case of processing by Controlled Companies headquartered in BRAZIL, CHINA and SINGAPORE, the Data Controller may process for the purposes sub 6 the data of the data subject (exclusively visitors to Events of a B2C nature) only based on the specific prior consent of the data subject.
- Regarding purpose sub 7 (direct marketing by IEG other than soft spam): specific prior consent. The data subject is free not to provide his/her data and not to give his/her consent, but in this case it will not be possible to carry out such direct marketing activities other than soft spam.
- In relation to the purposes sub 8 ab (transfer of data to partner companies or to third parties other than the Controlled Companies; transfer of data to social media platforms for “similar” services): prior and specific consent. The data subject is free not to give his/her consent and, in this case, the transfer to third parties cannot be carried out.
- In relation to the purposes of sub 9 (security): the legitimate interest of IEG and/or its Subsidiaries in ensuring the security of the Events and Services.
- In relation to purposes sub 10 (various purposes): the legitimate interest of IEG and/or its Subsidiaries in diligently carrying out the activities related thereto, respectively.
- In relation to purposes sub 11 (management of credit data by the Controlled Company, IEG EVENTS ARABIA LLC): specific prior consent. The data subject is free not to give consent, in which case the management of credit data cannot take place.
OWNERSHIP OF TREATMENT
Based on the regulations applicable from time to time on the subject, the data controllers are:
- for all purposes established in this Policy: IEG, in relation to the personal data of stakeholders (e.g. customer or website user data) processed by:
- IEG and/or its Controlled Companies headquartered in the EEA area,
- Controlled Companies having their registered office outside the EEA area, when the abovementioned IEG Owner function derives from the rules of extraterritorial application contained in local legislation applicable from time to time in the country of the respective registered offices of the Controlled Companies outside the EEA;
- for the exclusive purposes sub 1, 2, 4, 6: each Controlled Company (whether headquartered in the EEA or outside the EEA), in relation to the data processed by it in accordance with the respective applicable local regulations; and
- for the sole purpose sub 11: the Controlled Company IEG Events Arabia LLC.
DATA PROTECTION OFFICER
The DPO – Data Protection Officer of ITALIAN EXHIBITION GROUP SPA is Luca De Muri, domiciled there.
The DPO – Data Protection Officer of the controlled company IEG ASIA PTE LTD. – 1, Seafront Plaza # 09-56, Harbourfront Centre – Singapore 099253, is Ilaria Cicero, domiciled there.
LEGAL REPRESENTATIVE WITHIN THE EU OF NON-EU COMPANIES
The companies IEG CHINA Co. Ltd (controlled company in CHINA), IEG Events Arabia LLC (controlled company in Saudi Arabia), IEG ASIA PTE. LIMITED (Controlled Company in SINGAPORE), IEG EVENTS MIDDLE EAST LLC (Controlled Company in DUBAI), ITALIAN EXHIBITION GROUP USA INC. (controlled in the USA) and ITALIAN EXHIBITION GROUP BRASIL EVENTOS LTDA (controlled in BRAZIL), in their capacity as data controllers of the non-occasional processing of personal data for purposes sub 1, 2, 4, 6 and 11 (the latter carried out solely by IEG Events Arabia LLC) in the context of the offer of Services (including Events organized by them) and/or Products to interested parties based or resident in the EU, have appointed ITALIAN EXHIBITION GROUP SPA as their respective representative in the EU, in accordance with and for the purposes of art. 27 of the GDPR. As such, ITALIAN EXHIBITION GROUP SPA, replacing or in addition to the aforementioned designators, but without prejudice to their liability, acts as interlocutor before the national Supervisory Authorities and before the interested parties for any matter relating to these processing activities, in order to ensure compliance with the GDPR and to facilitate the exercise of their rights under the GDPR.
EXTRA-EU LEGAL REPRESENTATIVE OF EU COMPANIES
ITALIAN EXHIBITION GROUP SPA, in its capacity as controller of personal data in the context of the provision of Services (including Events organized by it) and/or Products to interested parties based or resident in China, has appointed IEG CHINA Co. Ltd (Controlled Company in CHINA) as its representative in China, in accordance with and for the purposes of art. 53 of the Chinese Personal Data Protection Law (PIPL). In this capacity, IEG CHINA Co. Ltd acts as interlocutor with the Chinese national supervisory authorities and interested parties on any matter relating to the aforementioned processing activities.
COMMUNICATION AND DISCLOSURE OF DATA
The data is shared with IEG personnel and/or its Subsidiaries authorized to process the data (e.g. Financial, Communication, Travel, Sales, Marketing, Legal teams, etc.).
Your data is communicated for purposes sub 1, 2, 3 by IEG and for purposes sub 1, 2 and 7 by the Controlled Companies and for purposes sub 11 by the Controlled Company IEG Events Arabia LLC to:
- providers of hosting, development, management, maintenance, disaster recovery and cybersecurity services in relation to the IT systems (services, websites and databases) of IEG and/or its Subsidiaries; research service providers;
- other suppliers activated for the organization and management of the Events and/or Services and/or Products (e.g. suppliers of materials and products; service providers: design, technical planning and assembly, ticketing, organizational secretarial services, mailing and sending, design, printing and maintenance of editorial, advertising or promotional materials, logistics, security, first aid, electronic payment, banking, insurance and financial materials, information on reputation and corporate reputation, hotels, restaurants, passenger transportation, language translations, business platforms, hospitality, issuing of titles, accreditations, tickets and entry passes for Events and Services and/or Products, event help desk, courier, carrier and shipping services, advertising, media relations and communication, direct marketing, web marketing, marketing analysis, CRM – Customer Relationship Management, compliance management, electronic communication, e.g. telephone or telematics),
- third party partners that carry out functional or complementary activities to the promotion of Events and/or the purchase of Services and Products, for example, private and public bodies, other trade fair bodies and/or event organizers, trade associations, with which IEG and/or the Subsidiaries activate co-marketing actions for Events,
- journalists, newspapers and representatives of other media organizations,
- agents, regional advisors,
- law offices and notaries,
- control and supervisory bodies, in particular, for example, auditing firms and auditors, statutory auditors, accounting experts, DPO – Data Protection Officers, members of supervisory bodies on the organizational models of IEG and/or Group companies designed to prevent the commission of certain categories of crimes, auditors and members of audit committees,
- companies and debt collection companies,
- Forensic computing companies and professionals in the case of technical and legal investigations related to suspected crimes or other offenses committed to the detriment of IEG, other Subsidiaries and/or third parties,
- other consultants and professionals,
- Public authorities to which communication is required by law, regulation or other legislation (e.g. diplomatic and consular representations, Police Headquarters, City Hall, Police, other Public Security Authorities, Revenue Agency, Financial Police and similar),
- IEG (in this case, the data is communicated only by the Controlled Companies),
- Controlled Companies (in this case, the data is communicated only by IEG and at IEG’s discretion).
The identification and contact details and product details of visitors and buyers may be communicated to exhibitors (for example, through research and/or meeting requests and/or contact functions available on digital platforms or through QR Code or Barcode), and any spontaneous messages from interested parties themselves.
The identification, contact and product data of exhibitors and any spontaneous messages from them may be communicated to visitors/buyers (for example, through search and/or meeting request and/or contact features available on digital platforms, through QR Codes or Barcodes, or through event catalogues).
Data is communicated, as appropriate, by IEG for purposes sub 4 to 7 and/or by Controlled Companies for the exclusive purposes of sub 4 and 6 to:
- marketing analysis service providers, communications and/or public relations agencies,
- providers of services for purchasing advertising space on the Internet;
- suppliers of advertising or promotional materials (e.g. graphic and creative agencies in general),
- website or blog production and management companies, web marketing companies,
- landing page management service providers,
- large language model service providers that support data analysis for profiling and marketing purposes without publicly sharing the processed data.
If the aforementioned third party processes the data on behalf of and based on written directives from IEG and/or the sending Controlled Companies, they will be designated as External Data Processors in accordance with and for the purposes of Article 28 of the GDPR.
The Controlled Companies for the purposes of paragraphs 4 and 6 also communicate the data to the Controller IEG (see also the following chapter “TRANSFER OF DATA ABROAD”).
IEG and other subsidiaries refrain from disclosing any data.
Exhibitor data will be disclosed, upon request only, through the exhibition catalogue relating to the Events, both in paper and online.
TRANSFER OF DATA ABROAD
Data is transferred by IEG and/or its Controlled Companies based in the EU to the following categories of third-party recipients based outside the EU (hereinafter referred to as “importers”):
- Controlled Companies and/or their suppliers, based outside the EU (China, Singapore, USA, UAE, Brazil), to the extent necessary for the contractual, contractual and/or compliance with legal or regulatory obligations, for example, when IEG or other Controlled Companies, headquartered in the EU, transfer the data as agents in the interest of the foreign Controlled Company;
- online service providers for
- data collection through text forms which can be filled in by the interested party and contained in the landing pages provided by the Data Controller,
- social platforms (USA) on which the social pages and/or profiles of IEG and/or Group Companies are active (for more information on the co-ownership regime applicable in this specific case to the parties involved, please see the “joint ownership” section in the Privacy Policy on Cookies), and/or to which IEG communicates data in relation to “similar” services subscribed to with them,
- login management through the user’s LinkedIn social account,
- analysis of traffic generated by website users of IEG and/or other companies of the Group (USA),
- electronic payment services,
- CRM – Customer Relationship Management.
The Privacy Policies of Online Service Providers outside the EU can be found at the followinglink
This data transfer will take place against appropriate safeguards, such as:
- In the case of transfer to the USA: the Adequacy Decision of the EU Commission of 10 July 2023 concerning US legislation on the protection of personal data as amended by the EU-US bilateral convention “Transatlantic Data Protection Framework”;
- In case of transfer to Canada (active only for landing page management service providers): the EU Commission’s Adequacy Decision of January 15, 2024 concerning Canadian legislation on the protection of personal data, in particular the Personal Information Protection and Electronic Documents Act (PIPEDA);
- In the case of transfers to non-EU countries other than the USA and Canada: upon prior stipulation by IEG and/or its EU-based Subsidiaries for the third-party importer of standard contractual clauses – or so-called “SCCs” – in accordance with at least the text approved by the EU Commission (except for any additions and/or modifications more favourable to the data subject) by means of which, for the processing within its scope of competence, the data importer undertakes to comply with privacy obligations substantially equivalent to those provided for in the relevant EU legislation.
Data is also transferred by Controlled Companies based outside the EU, within the limits necessary for purposes sub 1, 2, 4, 6, 7 and 11, to IEG, as well as to the following third party recipients based outside the country of the same Controlled Companies (hereinafter the “importers”):
- agents;
- Product Suppliers and/or Functional Services for activities and/or Events related to foreign Controlled Companies;
- social media platform providers (USA) on which the social pages and/or profiles of Group companies based outside the EU are active (for more information on the joint ownership regime applicable in this specific case to the parties involved, please see the “joint ownership” section in our Cookies Policy).
This transfer of data, if carried out by Controlled Companies based outside the EU to IEG or to the non-EU recipient, will take place on the basis of appropriate guarantees, consisting of the stipulation, between the parties involved in the transfer, of standard contracts or standard contractual clauses, in compliance, as a minimum, with the texts approved by the competent Administrative Authorities of the country in which the foreign Controlled Company is headquartered (except for any additions and/or modifications more favourable to the interested party).
Through these contracts and/or clauses, IEG and/or the different data importers undertake to comply with obligations regarding the protection and processing of transferred personal data that are substantially equivalent to those provided for by applicable Community legislation.
Data is also transferred by the Controlled Companies, headquartered in the EU, for purposes sub 1, 2, 4, 6 and 7 to IEG without the need for particular and adequate guarantees, as the entire scope of processing appears to be adequately covered by the GDPR.
DURATION OF TREATMENT
Data is stored for maximum periods of time (retention) that depend on the purpose of the processing, after which the data is deleted or made anonymous, as follows:
- Purpose Sub 1 (Protection of Information Assets): for an indefinite period, except as provided herein:
- (data processed for business continuity and IT security logs, e.g. login data, failure and logout logs, suspicious anomaly logs, etc.): are retained for 1 year from the date of collection, except for any shorter period provided for by the Data Controller’s internal procedures.
- purpose sub 2 – pre-contractual needs (if the interested party is a lead, i.e. a potential customer who has not made any purchases and has not expressed interest in the Events, Services and/or Products): 2 years from the date of collection of the data (unless subsequent processing determines an expression of interest in the Events, Services and/or Products, in which case the processing will have the duration set out in the following paragraph);
- purpose sub 2 – pre-contractual needs (if the interested party is a prospect, i.e. a potential customer who has not made any purchase but has expressed interest in Events, Services and/or Products): 10 years from the collection of the interested party’s data (unless this activity does not imply the stipulation of a contract, in which case the processing will have the duration described in the following paragraph);
- purpose sub 2 – performance of the contract (if the interested party is a customer): for the entire duration of the business relationship and for 10 years from the date of termination of the contract; subject to the shorter time limits below in relation to specific categories of data:
- data related to the preparation of invitation letters for consular visa applications (e.g. copy of passport, etc.): 6 months from the end of the Event to which they refer.
- data on requests for assistance communicated at collection points (including insurance desk, information point and emergency room) by visitors and exhibitors during the Events: 60 days after the end of each Event; in the event of complaints filed by the interested party in relation to the Events (e.g. claims for compensation), the data may be processed further, as further provided for in the following chapter “In the event of a dispute”.
- data contained in the promotional catalog of Events: for 2 editions of the catalog.
- data related to the “Business Matching” service provided during the Events: 3 months from the end of the individual Event.
- editorial products: 5 years from publication (NB: after the sale of the Product containing the data, the Data Controller does not control its further circulation).
- Purpose Sub 2 – Compliance with legal and regulatory obligations: 10 years from the date of stipulation of the contract (in the case of clients) or collection of the interested party’s data (in the case of prospects);
The following shorter periods are reserved for specific categories of data:
- Event certification data: until the end of the certification and, therefore, until the certification is carried out;
- purpose sub 3 (nominative surveys): 2 years from the collection of the interested party’s data (in the case of customers and prospects);
- purpose sub 4 (basic profile): 2 years from the collection of the interested party’s data (in the case of customers and prospects);
- purpose sub 5 (advanced profile): 2 years from the collection of data from the interested party (in the case of customers and prospects);
- Purpose Sub 6 (soft spam): until the interested party objects.
- Purpose sub 7 (direct marketing) for leads, customers and prospects: 10 years from the date of data collection or until the date of revocation of consent by the interested party, if such revocation occurs before the deadline;
- purpose sub 11 (credit data management operated by IEG Events Arabia LLC): 2 years from the date of data collection;
- In the event of an extrajudicial or judicial dispute, in relation to the interested party and/or third parties (e.g. persons injured during the Events due to the activities of the Data Controller, the interested party and/or third parties), the data are processed for the time necessary to exercise the protection of the rights of the Data Controller (as a rule, until the 6th calendar year following the year of full execution of a final provision or amicable resolution between the parties to the dispute).
TREATMENT MEANS
IEG, also through its Subsidiaries and/or third-party suppliers delegated by them, collects data through:
- IEG Group Websites whose electronic pages the interested party browses;
- online or paper forms or pre-registration applications or participation completed by the interested party during or in relation to the Events and/or Services and/or Products,
- QR Code or Barcode displayed and scanned at Event entrances or during participation in them,
- business cards delivered spontaneously by the interested party,
- Applications (paper or online) for the interested party to participate in the Events, Services and/or Products,
- contracts stipulated with the interested party,
- budget requests and/or information submitted by the interested party (e.g. online forms),
- online platforms for the management of contact requests/business meetings and for the exchange of information between exhibitors, visitors and/or buyers (e.g. texts, videos, presentations, live sessions; insights and itineraries on trends and innovation, tourist visits, sharing and communication of events and/or other digital content; sharing of public comments relating to the content shared above, exchange of messages).
IEG also collects data from Controlled Companies as part of intra-group information exchanges.
Data is processed by personnel authorized and trained by IEG and/or its Controlled Companies, within the limits strictly necessary for the execution of their respective tasks (e.g. legal, commercial, marketing, administrative, logistical, IT, management control, etc.), using electronic and paper tools and with logic strictly connected to the individual purposes, as respectively provided above.
SECURITY MEASURES
Technical and organizational security measures are applied to the processing of the data subject’s personal data to ensure their integrity, security and availability. For security reasons, not all relevant information is made available here. The measures may vary depending on the Group company. The main types of measures applied are as follows:
- IT Asset Management Procedures
- Firewall
- Antivirus
- Antispam
- DMZ – Demilitarized Zone
- Redundant storage
- Identity and access management procedures:
- Unique authentication credentials for data access; 2FA and VPN for remote access
- Limitation of access to data only to internal personnel, previously designated in writing, authorized and trained by the Data Controller
- Authorization profiles managed through Active Directory and/or Azure Directory (Sign-in ID) limited according to the “need to use, need to know” principle.
- Written confidentiality obligations
- Staff training
- Appointment of external managers who carry out outsourced processing on behalf of Data Controllers
- VLAN – Virtual Local Area Network
- Daily backup
- Disaster Recovery
- Patch Management Procedures
- Incident Management Procedure and Data Breach Procedure
- IDS (Intrusion Detection System), IPS (Intrusion Prevention System), EDR (Endpoint Detection and Response), DLP (Data Loss Prevention) systems
- SIEM – Security Information and Event Management
- SOC – Security Operations Center
- Connections over HTTP Secure Protocol (HTTPS) with 2048-bit encryption and TLS v1.x protocol (PCI DSS compliance)
- Periodic vulnerability assessment and penetration testing
- Periodic audits.
The use of ‘bot’ (i.e. automated) software programs violates our Terms of Use for our websites. IEG and its Subsidiaries therefore reserve all rights to compensation for damages resulting from such behavior and the right to suspend access to the services of anyone who violates this prohibition.
We reserve the right to carry out security checks (e.g. log analysis) at any time to validate your identity, the registration data provided by you and to verify your correct use of our online services, as well as to check for possible violations of the Conditions of Use of our websites and/or the law applicable to them.
RIGHTS OF THE INTERESTED PARTY
Interested parties, using the Data Controller’s contact details (visible in the Table of IEG Group Companies), may exercise the following rights, provided for by the GDPR and/or by different local legislation applicable from time to time in the relevant non-EU country in relation to data processing:
- Access to your personal data processed by the Data Controller,
- Rectification or integration of inaccurate or incomplete data,
- Exclusion of obsolete data, where the Data Controller has not done so independently, in cases where (i) they are no longer necessary for the purposes of the data processing, (ii) the data subject has revoked his or her consent to data processing for the purpose where such consent is required by law, (iii) the data subject has objected to the processing of the data, (iv) the processing of personal data is unlawful, (v) the personal data must be erased to comply with a legal obligation incumbent on the Owner. Each Data Controller undertakes to take all reasonable steps to inform the other companies of the IEG Group about the cancellation.
- Limitation of the processing of personal data, if (i) the accuracy of the data subject’s personal data is contested, in order to allow the Data Controller to carry out the necessary checks, (ii) the data subject wishes to restrict his or her personal data rather than erase it, although the processing is unlawful, (iii) the data subject wishes the Data Controller to retain the personal data as deemed necessary to defend legal claims, (iv) the data subject has objected to the processing, but the Data Controller must carry out checks to verify the existence of legitimate grounds for the processing which override the rights of the data subject.
- Data portability (i.e. to obtain a copy in a machine-readable format of the data provided by the data subject to the Data Controller, or for this copy to be communicated to another data controller indicated by the data subject, when the data relate to an existing contract between the interested party and the first Data Controller and the same are processed using software) within the limits established by applicable legislation.
- Objection to processing carried out based on a legitimate interest of the Data Controller.
- The right not to be subject to an automated decision-making process that produces legal effects concerning or significantly affecting the data subject and to object to the outcome of any automated decision of the Data Controller relating to the processing of the data subject’s personal data. Automated decision-making occurs when decisions are taken using technological means without human involvement.
This right does not exist where the automated decision i) is necessary for entering into, or the performance of, a contract between the data subject and a data controller, or ii) is authorised by EU or EU Member State law to which the Data Controller is subject, which in that case also specifies suitable measures to safeguard the rights, freedoms and legitimate interests of the data subject, or iii) is based on the data subject’s explicit consent.
(Please note: Data Controllers, in any case, do not use automated decision-making processes).
- Revocation of consent when consent by law is the legal basis for the processing (without prejudice to the lawfulness of the processing carried out up until the time of revocation).
- (where GDPR applies) Right to complain to the competent Supervisory Authority; in Italy, this is the Italian Data Protection Authority (Garante per la protezione dei dati personali), Piazza Venezia 11 – IT-00187 – Roma, tel. (+39) 06.69677.1, e-mail: rpd@gpdp.it.
- (where personal data protection legislation other than the GDPR applies) Right to complain, take legal action and/or use alternative dispute resolution, as provided from time to time by applicable foreign legislation (for example, in the State of New Jersey, the right to appeal any denial of a request to exercise rights under the New Jersey Data Privacy Act within a reasonable time after notice of the denial and in a manner similar to the process for reporting the first request; the Owner’s response must be communicated within 60 days; if the Owner denies the appeal, the consumer may file a complaint with the New Jersey Division of Consumer Affairs in the Department of Law and Public Safety, see https://njconsumeraffairs.gov/).
- Right to request:
  - from IEG and/or Controlled Companies based in the EU, as well as from Controlled Companies based in DUBAI, SAUDI ARABIA, SINGAPORE and/or the USA, a list of names of third-party data recipients designated as external data controllers (see also the chapter “COMMUNICATION AND DISCLOSURE OF DATA” of this Policy), and
  - from Controlled Companies headquartered in CHINA and BRAZIL, a list of names of all third party recipients of the data (External Managers and Data Controllers).
Below are ways in which the interested party can obtain more information about their rights:
- if the interested party resides or is based in the EEA Area, or is in any case subject to processing of personal data regulated by the GDPR, they should consult for further details Articles 15 to 22 and 77 of the EU Privacy Regulation No. 679/2016 (“GDPR”), available at the link: https://eur-lex.europa.eu/legal-content/IT/TXT/HTML/?uri=CELEX:32016R0679#d1e2800-1-1;
- if the interested party resides or is based in China, or is in any case subject to processing regulated by Chinese legislation for the protection of personal data, for more details, please refer to Articles 44 to 50 of Chapter IV of the Personal Data Protection Law of the Republic of China (PIPL), available at the following link: http://en.npc.gov.cn.cdurl.cn/2021-12/29/c_694559.htm;
- if the interested party resides or is based in Dubai, or in any case is subject to processing regulated by Arab legislation for the protection of personal data, for further details he/she should consult, for the United Arab Emirates, ‘The Guide to Accessing Government Information’, Law No. 26 of 2015 on the Organization of Publication and Sharing of Data of Dubai (also known as Law No. 26 of 2015 Regulating the Dissemination and Exchange of Data) and the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data), at the following link: https://u.ae/en/about-the-uae/digital-uae/data/data-protection-laws;
- if the interested party resides or is based in Brazil, or in any case is subject to processing regulated by Brazilian personal data protection legislation, he/she should consult articles 17 to 22 of chapter III of the General Personal Data Protection Law (LGPD), available at the following link: https://lgpd-brazil.info;
- if the interested party resides or is based in Singapore or is in any case subject to processing regulated by Singapore legislation for the protection of personal data, he/she should refer to Articles 5.1 to 5.2 of Chapter V of the “Personal Data Protection Act 2012 (“PDPA”)” available at the following link: https://www.pdpc.gov.sg/overview-of-pdpa/the-legislation/personal-data-protection-act;
- if the data subject resides or is based in the USA, or is in any case subject to processing regulated by US legislation for the protection of personal data, he or she may consult the following table of rights, the information available at the following link: https://www.whitecase.com/insight-our-thinking/us-data-privacy-guide and, in relation to the processing of personal data relating to subjects qualified as consumers (i.e. acting in an individual or family context) carried out by our Controlled Company headquartered in the State of New Jersey (USA), the New Jersey Data Privacy Law visible at the following link: https://pub.njleg.state.nj.us/Bills/2022/S0500/332_R6.PDF;
- if the data subject resides or is based in Saudi Arabia, or is subject to processing governed by Saudi Arabian data protection legislation, please refer to the following link: https://sdaia.gov.sa/en/Research/Pages/DataProtection.aspx
CHANGES TO THE PRIVACY POLICY
The policy may be modified from time to time to reflect changes made to the processing of personal data and/or to adapt to any regulatory requirements that may arise.
Updated Information will be communicated to the interested party as required by law and using appropriate methods (for example, by publication on the Website(s) of IEG and/or its Controlled Companies, or an e-mail message or insertion in online areas reserved for users).
REV. 11/30/2024
The previous version of the Privacy Policy can be found at the following link.