×
It looks like you're using an obsolete version of internet explorer. Internet explorer is no longer supported by Microsoft since the end of 2015. We invite you to use a newer browser such as Firefox, Google Chrome or Microsoft Edge.



Personal Data and Privacy Protection: Confidentiality Policy

Foreword

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, also called the General Data Protection Regulation (GDPR), sets out the legal framework for processing personal data. The GDPR upholds the rights and obligations of controllers, processors, data subjects and recipients. We process personal data for the purposes of our business. To properly understand this policy:

  • the “controller” is Incathlab;
  • the “processor” is any physical person or legal entity who processes personal data on behalf of Incathlab;
  • “data subjects” are customers and/or prospects of the services provided by Incathlab on its own behalf or for third parties;
  • “services” are any event organised or sponsored by Incathlab, or which Incathlab contributes to; any service or product;
  • an “event" is any face-to-face or virtual tradeshow, conference, convention, training workshop, seminar, webinar, etc.;
  • “recipients” are physical persons or legal entities who receive personal data from Incathlab. The data recipients can be Incathlab employees or external organisations (third-party event organisers, partners, exhibitors, banking institutions, authorities, etc.).

Article 12 of the GDPR requires that data subjects be informed of their rights in a concise, transparent, intelligible and easily accessible form.

Purpose

The purpose of this policy is to meet Incathlab’s information obligation and formalise the rights and obligations of its customers and prospects regarding personal data processing for all of the services provided by Incathlab.

Scope

Incathlab makes every effort to ensure that data is processed according to clear internal governance. However, this policy only concerns processing for which Incathlab is responsible and therefore does not pertain to processing deployed or utilised outside Incathlab’s governance rules (stealth IT or shadow IT). Personal data processing can be managed directly by Incathlab or by a service provider specifically chosen by Incathlab. This policy is separate from any other documents which may apply between Incathlab and our customers and prospects.

Purpose of processing

Incathlab only processes the personal data of our customers and prospects collected by or for our services, or processed in connection with our services, in compliance with the general principles of the GDPR. Incathlab mainly processes your data to organise events and provide products and services. Data may be processed for the following purposes:

  • To promote our events and associated events;
  • Sales prospecting;
  • Community management (users, members, customers);
  • To create and manage personal spaces on websites and applications in connection with events;
  • To manage event registration and participation;
  • To manage applications for event participation funds;
  • To manage contributions to the events programme;
  • To manage access and tracking at event venues and in their dedicated spaces;
  • To manage attendance and other certificates, invitation letters;
  • To manage purchases or subscription to other products and services online;
  • Legal declarations to the authorities in countries hosting events or in the home countries of event participants (as required);
  • To improve services and satisfaction surveys;
  • Statistics;
  • To manage rights and claims;
  • To manage requests to disenroll and unsubscribe;
  • To manage payments and debt collection when necessary;
  • To manage and meet user requests on our websites;
  • To personalise our communication via our customer marketing programme in order to carry out marketing and promotional campaigns and gain a better understanding of your needs and wants;
  • To adapt our products and services to better meet your needs;
  • To personalise our sales offering;
  • To inform you of our companies’ special offers and new services;
  • To qualify our prospects and customer database, and segment customers based on web behaviour on our websites;
  • To manage requests to unsubscribe from newsletters, promotions and satisfaction surveys;
  • To manage the right to modify/rectify/erase data or process requests to unsubscribe.

This list is meant to be as exhaustive as possible. Customers and prospects will be informed of any new purpose, alteration or removal of existing processing by an amendment to this policy.

Basis for data processing

The processing purposes listed above are based on the following legal requirements:


Legal basis

Example

Precontractual or contractual implementation including via the general terms and conditions of sale

Registration for an event, purchase order, etc.

Legitimate interest

CCTV footage is kept for up to one month, etc.

Consent

Newsletter, cookie management, contact requests, satisfaction surveys, sales and news communication, etc.

Type of data collected

Non-technical data (depending on use)

  • Identity (surname, first name, username, etc.)
  • Contact information (email and/or postal address)
  • Photo
  • Career information (profession, position, specialty, etc.)
  • Banking information, if necessary (e.g. for refunds)
  • Video images (filmed conferences, CCTV footage)

Technical data (depending on use)

  • Identification data (IP)
  • Connection data (including logs)
  • Click data
  • Location data
  • Tracking data (cookies on our websites, access to conference rooms)

Data sources
Our (primary or other) customer or prospect data is generally collected directly from our customers and prospects.

  • data provided by the customer in files submitted to Incathlab (customer file);
  • business cards;
  • electronic sheets or forms filled out by the customer (attendance sheet, post-conference satisfaction survey);
  • registration or enrolment for our online services (website, social media networks, etc.);
  • registration for events organised by Incathlab;

Data can also be collected indirectly through third parties:

  • via event organisers (membership, prospects, participants, website user listings, etc.)
  • via Incathlab partners and suppliers involved in organising and hosting events;
  • via the employers of data subjects;
  • via sponsorship actions
  • via companies specialised in selling or leasing databases;
  • web session statistics via Google Analytics;
  • lists communicated by organisers of events or conferences in which we participate;

In this case, Incathlab will ensure that third parties, organisations or legal entities comply with the GDPR and that data subjects are informed of our personal data protection policy.

Data recipients – authorisation & tracking

Data collected by Incathlab may be shared in whole or in part, depending on the purpose.
Internal recipients

  • authorised staff from the marketing, communication, sales, customer service and prospecting departments, administrative departments, logistics and IT departments and their line management;
  • authorised staff from departments responsible for internal control procedures.

The recipients of customer and prospect personal data at Incathlab are required to respect data confidentiality. Incathlab decides who can have access to what data based on an authorisation policy.
External recipients

  • the event organiser;
  • Incathlab’s subcontractors;
  • Incathlab’s subsidiaries;
  • event exhibitors and partners in some cases (e.g. authorisation to scan badges at stands or during a session);
  • authorities in countries hosting conferences or in the home countries of participants, for legal purposes;
  • agencies, officers of the court and judicial officers, particularly as part of their debt collection duties;
  • authorised external staff responsible for internal control (e.g. statutory auditors).

Incathlab is not responsible for losses of any kind resulting from illegal access to personal data. Furthermore, personal data may be communicated to any authority legally entitled to receive it. In this case, Incathlab is not responsible for the conditions under which the employees of these authorities access and use the data.

Data storage period

Incathlab defines the data storage period based on applicable legal and contractual requirements or its needs, and based on the following principles:


Processing

Data storage period

Data related to customers participating or exhibiting at the event

The duration of contractual relationships and the event organised by Incathlab, plus 3 years for promotional and prospecting reasons, without prejudice to storage obligations or statutes of limitations

Data related to the website members and users

Until they have unsubscribed from the member space and for 1 year after the last session

Data related to prospects

3 years from when Incathlab collects their data or the last contact with the prospect

Technical data

1 year

Banking data

Data is deleted as soon as the transaction is completed, unless otherwise authorised by the customer. If the transaction is contested, data is archived for 13 months following the debit date

Prevention of money laundering

5 years

After expiry of these set periods, data is either erased or stored once it has been anonymised, particularly for statistical purposes. Data may be stored in the event of pre-litigation and litigation. Customers and prospects are advised that data erasure or anonymization is irreversible and that Incathlab will not be able to restore this data.

Right of confirmation and right of access

Customers and prospects have the right to ask Incathlab for confirmation as to whether or not their data is processed. Customers and prospects also have a right of access, provided the following rules are followed:

  • the request is issued by the person themselves, and is accompanied by a copy of a current piece of ID;
  • the request is made in writing and sent to the following address: Incathlab – Data Management – , 15 Bd Grawitz 13016 Marseille, France or to the email address pdo@comnco.com

Customers and prospects have the right to ask Incathlab for a copy of their processed personal data. However, if an additional copy is requested, Incathlab may require that customers and prospects bear the financial cost. If customers and prospects request a copy of their data via email, the information requested will be provided in standard electronic format, unless requested otherwise. Customers and prospects are also informed that their right of access does not apply to confidential information or data, or data which the law prohibits from being communicated. The right of access must not be exercised abusively, meaning on a regular basis for the sole purpose of disturbing the department in question.

Updating and rectification

Incathlab meets update requests:

  • automatically for online changes for fields which can be technically or legally updated;
  • on written request of the data subject, with proof of identity.

Right to erasure

The right to erasure of customers and prospects does not apply if data is processed to comply with legal obligations. Apart from this, customers and prospects may request that their data be erased within the following restrictive cases:

  • if personal data is no longer required for the purposes for which it was collected or otherwise processed;
  • if the data subject withdraws consent to the original purpose for processing and there is no other justified reason for processing;
  • if the data subject is opposed to Incathlab processing their data for legitimate purposes and there is no legitimate urgent reason for processing;
  • if the data subject is opposed to their personal data being processed for prospecting and profiling purposes;
  • if personal data was illegally processed.

In accordance with legislation on personal data protection, customers and prospects are advised that this is an individual right that can only be exercised by the data subject for their own data. For security reasons, the relevant department must therefore verify your identity to prevent your confidential information from being communicated to someone other than yourself.

Right to restriction

Customers and prospects are advised that this right is meant to be exercised if data is legally processed by Incathlab and if all the personal data collected is required for the performance of the sales agreement.

Right to data portability

Incathlab allows for data portability in the particular case of data communicated by the customers or prospects themselves, for online services provided by Incathlab itself and for purposes needing the sole consent of data subjects. In this case, data will be communicated in a standard structured machine-readable format.

Post-mortem right

Customers and prospects are advised that they have the right to give instructions on the storage, erasure and communication of their data after death. To exercise their rights and communicate specific post-mortem instructions, they must write to pdo@comnco.com or by post to Incathlab – Data Management, 15 Bd Grawitz, 13016 Marseille, France and include a signed copy of a piece of ID.

Optional or mandatory information

All forms used to collect personal data use asterisks to inform customers and prospects whether information is mandatory or optional. If answers are mandatory, Incathlab explains the consequences of not providing an answer to customers and prospects.

Right of use

Customers and prospects grant Incathlab the right to use and process their personal data for the purposes stated above. However, Incathlab maintains ownership of enriched data produced from Incathlab processing and analysis (usage analysis, statistics, etc.).

Subcontracting

Incathlab advises its customers and prospects that it may use any subcontractor of its choice to process their personal data. In this case, Incathlab will ensure that the subcontractor complies with its GDPR obligations. Incathlab will sign a written agreement with all its subcontractors and require that they comply with the same data protection obligations as Incathlab. Incathlab also reserves the right to audit its subcontractors in order to ensure that they comply with the GDPR.

Security

Incathlab is responsible for defining and implementing physical or logical security technical measures that it deems appropriate to prevent the unauthorised accidental or illegal destruction, loss, alteration or disclosure of data. These measures mainly include:

  • data access control;
  • use of an encryption protocol such as SSL for transferring data between user devices and the company’s servers.
  • data hosting in data centres located in France with maximum security.
  • access to infrastructure via VPN – only certain preselected people are authorised to create a tunnel
  • Regular and systematic application of security patches on infrastructure components.

Incathlab may hire any third party of its choice to do this. If all or part of personal data processing is subcontracted, Incathlab will contractually require that its subcontractors provide security guarantees through technical data protection measures and suitable human resources.

Data breaches

In the event of a personal data breach, Incathlab will notify the CNIL as required by the GDPR. If the breach entails a high risk for customers and prospects, and their data was not protected, Incathlab will:

  • notify the affected customers and prospects;
  • communicate all necessary information and recommendations to the affected customers and prospects

Processing record

As the controller, Incathlab will keep an updated record of all processing activities. This record is a document or application detailing all processing carried out by Incathlab as the controller. At first request, Incathlab will provide the supervisory authority with information enabling the authority to verify that processing complies with IT regulations and civil liberties in force.

Right to submit a complaint to the CNIL

Customers and prospects whose personal data is processed are advised of their right to submit a complaint to the supervisory authority, which is the CNIL in France, if they feel that their personal data is not being processed in compliance with European regulations on data protection, by writing to the following address: CNIL – Service des plaintes 3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07, FRANCE Tel: +33(0)1 53 73 22 22

Changes

This policy may be changed or amended at any time in the event of changes to legislation, case law, CNIL decisions and recommendation or uses. Customers and prospects will be informed of any new versions of this policy by any means chosen by Incathlab, including electronically (e.g. via email or online).

Applicable law

These Terms of Use are governed by French Law.  Any disputes relating to the interpretation and performance of these terms will be brought before the competent French courts.

Information technology and civil liberties


In accordance with French Act no. 78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties, you have the right to access and rectify your personal data. You may receive information about our business. If you do not wish to receive information, please contact us and include the name of your business, your name and address. You can also do this to stop receiving sales offers.

Find out more...

For more information, please contact pdo@comnco.com. For more general information on personal data protection, please consult the CNIL website at www.cnil.fr

Scroll Up