Event Privacy Notice
The Financial Services Information Sharing and Analysis Center (hereinafter “FS-ISAC,” “we, “us” or similar) is an organization with its headquarters office in the Commonwealth of Virginia, United States of America. We collect and process several categories of personal data from you as a user of the FS-ISAC website (hereinafter the “Website”) and to all products and services offered by FS-ISAC (collectively, “FS-ISAC”, “Platform”, "we", "us" or "our") when you register for a Summit, event, training, exercise or other activities (each, an “event”). Insofar as European Economic Area data protection law applies, we are a controller with regard to the personal data we process.
We take your privacy seriously and this Privacy Notice describes our practices regarding our collection and use of your personal data – such as what data we collect, why we collect it, what we do with it and sets forth your privacy rights.
1. PERSONAL DATA WE PROCESS ABOUT YOU
1.1 Event registration through our Platform
We use our Platform to collect personal data that you directly input into event registration forms as well as in any other page we set up as an event organizer, such as your name, title, email, company, and other transaction-related information. This data, except for cardholder information, is collected by us and we process it in the performance of a contract with you (the event registration) as well as in our legitimate interest to manage our events and contact you, as follows:
(a) Manage our event attendees;
(b) Contact you with regard to the event you have registered for;
(c) Run statistics with regard to our event attendees;
(d) Improve our future events; or
(e) Contact you with regard to other events, activities, products and services offered by FS-ISAC.
1.2 Event registration, photography, participation and related matters
By entering an event or program of FS-ISAC, you are entering an area where photography, audio, and video recording may occur and you consent to its/their release, publication, exhibition, or reproduction to be used or any purpose whatsoever in perpetuity in connection with FS-ISAC and its initiatives, including, by way of example only, use on websites, in social media, news and advertising. Images, photos and/or videos may be used to promote similar FS-ISAC events in the future, highlight the event, or any other promotional or educational purpose.
In order to participate in our in-person events, you may be issued a name tag that identifies the level of access that your registration grants you. You will be asked to show this name tag at the entry in the various areas of our events, as this is in our legitimate interest to manage access to our events.
When we provide food and beverage at our events, we may ask you about food allergies or other conditions, so that we adapt our menu accordingly. Providing this information is optional and we will only process it at your request.
The information above is stored by us in accordance with our retention policy.
If you are a speaker at our events, we may be processing your name, title, email, company, employment history, education, as well as your presentation slides (if applicable), photos and videos of you at our events. The presentation slides (if applicable), photos and videos may be shared with our members through the channels we consider appropriate.
Speaking at our event will constitute consent to take photos and videos of you and share them publicly, given that our interest is to publicize our events. This processing is made in our legitimate interest to promote our events and the data is stored in compliance with the FS-ISAC retention policy.
1.4 Related services
1.5 Partner marketing
When you attend our Events, you may receive promotional goods or a conference bag with various items, provided by FS-ISAC and some provided by our event partners. This product placement is made without providing your personal data to our partners, therefore if you are interested in any of their products, please contact them directly.
2. HOW WE SHARE INFORMATION
We will disclose your personal data only for the purposes and to those third-parties as described below. We will take appropriate steps to ensure that your personal data is processed, secured and transferred according to applicable law.
2.1 Disclosure to third-parties
We will share the strictly necessary parts of your personal data, on a need-to-know basis with the following categories of third-parties:
(b) Hotels where we book accommodation in your name if you request us to;
(c) Corporate affiliates of the FS-ISAC, such as Sheltered Harbor and FDX;
(d) Companies that provide products and services to us (processors) and are located in the United States or, in the event of in-person or hybrid events, in the countries where the events are held, such as:
(i) Third-parties involved in organizing our events, client support or sales activities; and
(ii) Information technology systems suppliers and support, including email archiving, telecommunication suppliers, back-up and disaster recovery and cybersecurity services.
(e) Other parties such as public authorities and institutions, accountants, auditors, lawyers and other outside professional advisors located in the United States, the United Kingdom, and any other country where our in-person or hybrid event is held, where their activity requires such knowledge or where we are required by law to make such a disclosure.
(f) We will also disclose your personal information to third-parties:
(i) If you request or authorize us to do so, such as by consenting to us sharing your contact information with FS-ISAC members in connection with an event or with sponsors/exhibitors of an event;
(ii) To persons demonstrating legal authority to act on your behalf;
(iii) If we are under a duty to disclose or share your personal information in order to comply with any legal obligation, any lawful request from government officials and as may be required to meet national security, law enforcement requirements, or prevent illegal activity;
(iv) To respond to any claims, to protect our rights or the rights of a third-party, to protect the safety of any person or to prevent any illegal activity; or
(v) To protect the rights, property or safety of FS-ISAC, our employees, customers, suppliers, visitors or other persons.
(g) We, as well as some of these recipients, may use your data in countries which are outside of the European Economic Area. Please see Section 2 below for more detail on this aspect.
2.2 Restrictions on use of personal information by recipients
Any third-party processors with whom we choose to share your personal information pursuant to the above are limited (by law and by contract) in their ability to use your personal information for the specific purposes identified by us. We will always ensure that any third parties with whom we choose to share your personal information are subject to privacy and security obligations consistent with this Privacy Notice and applicable laws. However, for the avoidance of doubt this cannot be applicable where the disclosure is not our decision, including where you request it.
Save as expressly detailed above, we will never share, sell or rent any of your personal information to any third party without notifying you and, if applicable, obtaining your consent.
3. PROVISIONS APPLICABLE FOR PERSONS IN THE EEA
3.1. Transfers of information outside of the European Union
Since we are an organization based in the United States, we process your personal data outside of the European Union.
Where your personal data is transferred to other entities as mentioned in Section 2, we will take appropriate measures to ensure that the recipient protects your personal information adequately in accordance with this Privacy Notice. These measures include entering into European Commission approved standard contractual arrangements with them or ensuring they have signed up to the EU-US Privacy Shield (see further https://www.privacyshield.gov/welcome).
Further details on the steps we take to protect your personal information in these cases is available from us on request by contacting our Chief Privacy Officer at firstname.lastname@example.org.
3.2 Your rights
We are committed to protecting personal information from loss, misuse, disclosure, alteration, unavailability, unauthorized access and destruction and take all reasonable precautions to safeguard the confidentiality of personal information, including through use of appropriate organizational and technical measures. Organizational measures include physical access controls to our premises, staff training and locking physical files in filing cabinets. Technical measures include use of encryption, passwords for access to our systems and use of anti-virus software.
In the course of provision of your personal data to us, your personal information may be transferred over the internet. Although we make every effort to protect the personal information which you provide to us, the transmission of information between you and us over the internet is not completely secure. As such, we cannot guarantee the security of your personal information transmitted to us over the internet and that any such transmission is at your own risk. Once we have received your personal information, we will use strict procedures and security features to prevent unauthorized access to it.
5. CHANGES TO OUR EVENT PRIVACY NOTICE
We reserve the right, at our discretion, to modify our privacy practices, update and make changes to this privacy notice at any time. For this reason, we encourage you to refer to this privacy notice on an ongoing basis. This privacy notice is current as of the date which appears at the bottom of the document. We will treat your personal data in a manner consistent with the privacy notice under which it is collected.
6. CONTACT INFORMATION
Please direct your questions regarding the subject matter of data protection and any requests in the exercise of your legal rights to our Chief Privacy Officer at email@example.com.
We will investigate and attempt to resolve any request or complaint regarding the use or disclosure of your personal information. If you are not satisfied with our reply and you are from the European Union, you may also make a complaint to the data protection authority in your country.
Effective 2023 Nov 29