Event Privacy Notice

The Financial Services Information Sharing and Analysis Center (hereinafter “FS-ISAC,” “we, “us” or similar) is an organization with its headquarters office in the Commonwealth of Virginia, United States of America. We collect and process several categories of personal data from you as a user of the FS-ISAC website (hereinafter the “Website”) and to all products and services offered by FS-ISAC (collectively, “FS-ISAC”, “Platform”, "we", "us" or "our") when you register for a Summit, event, training, exercise or other activities (each, an “event”). Insofar as European Economic Area data protection law applies, we are a controller with regard to the personal data we process.

We take your privacy seriously and this Privacy Notice describes our practices regarding our collection and use of your personal data – such as what data we collect, why we collect it, what we do with it and sets forth your privacy rights.

Please read this Event Privacy Notice to understand how we handle your personal information. In addition to the information you provide in connection with an Event registration, if you use our Website for such registration, the Website collects certain information about which you can read in our Privacy Policy and our Cookie Policy.

1. PERSONAL DATA WE PROCESS ABOUT YOU

1.1 Event registration through our Platform

We use our Platform to collect personal data that you directly input into event registration forms as well as in any other page we set up as an event organizer, such as your name, title, email, company, and other transaction-related information. This data, except for cardholder information, is collected by us and we process it in the performance of a contract with you (the event registration) as well as in our legitimate interest to manage our events and contact you, as follows:

(a) Manage our event attendees;

(b) Contact you with regard to the event you have registered for;

(d) Improve our future events; or

(e) Contact you with regard to other events, activities, products and services offered by FS-ISAC.

1.2 Event registration, photography, participation and related matters

By entering an event or program of FS-ISAC, you are entering an area where photography, audio, and video recording may occur and you consent to its/their release, publication, exhibition, or reproduction to be used or any purpose whatsoever in perpetuity in connection with FS-ISAC and its initiatives, including, by way of example only, use on websites, in social media, news and advertising. Images, photos and/or videos may be used to promote similar FS-ISAC events in the future, highlight the event, or any other promotional or educational purpose.

In order to participate in our in-person events, you may be issued a name tag that identifies the level of access that your registration grants you. You will be asked to show this name tag at the entry in the various areas of our events, as this is in our legitimate interest to manage access to our events.

When we provide food and beverage at our events, we may ask you about food allergies or other conditions, so that we adapt our menu accordingly. Providing this information is optional and we will only process it at your request.

The information above is stored by us in accordance with our retention policy.

1.3 Speakers

If you are a speaker at our events, we may be processing your name, title, email, company, employment history, education, as well as your presentation slides (if applicable), photos and videos of you at our events. The presentation slides (if applicable), photos and videos may be shared with our members through the channels we consider appropriate.

Speaking at our event will constitute consent to take photos and videos of you and share them publicly, given that our interest is to publicize our events. This processing is made in our legitimate interest to promote our events and the data is stored in compliance with the FS-ISAC retention policy.

1.4 Related services

During the registration process or thereafter you may ask us to book a hotel room with one of our event partners. If you ask us to do this, we will legally conclude a contract with the hotel in your name. In the performance of this contract, we will share your personal data, to the minimum extent necessary, with the hotel where we book your room. The data we provide to them includes your name, residence, email and other identification information the hotel may require. The processing of your data by the hotel is made in their capacity of data controller, subject to their own privacy policy.

1.5 Partner marketing

When you attend our Events, you may receive promotional goods or a conference bag with various items, provided by FS-ISAC and some provided by our event partners. This product placement is made without providing your personal data to our partners, therefore if you are interested in any of their products, please contact them directly.

2. HOW WE SHARE INFORMATION

We will disclose your personal data only for the purposes and to those third-parties as described below. We will take appropriate steps to ensure that your personal data is processed, secured and transferred according to applicable law.

2.1 Disclosure to third-parties

We will share the strictly necessary parts of your personal data, on a need-to-know basis with the following categories of third-parties:

(a) Payment processors that process payments for event registrations. These platforms act as controllers with regard to your data, collect most data directly from you and such personal data processing is subject to the third-party’s own privacy policy;

(b) Hotels where we book accommodation in your name if you request us to;

(d) Companies that provide products and services to us (processors) and are located in the United States or, in the event of in-person or hybrid events, in the countries where the events are held, such as:

(i) Third-parties involved in organizing our events, client support or sales activities; and

(ii) Information technology systems suppliers and support, including email archiving, telecommunication suppliers, back-up and disaster recovery and cybersecurity services.

(e) Other parties such as public authorities and institutions, accountants, auditors, lawyers and other outside professional advisors located in the United States, the United Kingdom, and any other country where our in-person or hybrid event is held, where their activity requires such knowledge or where we are required by law to make such a disclosure.

(f) We will also disclose your personal information to third-parties:

(i) If you request or authorize us to do so, such as by consenting to us sharing your contact information with FS-ISAC members in connection with an event or with sponsors/exhibitors of an event;

(ii) To persons demonstrating legal authority to act on your behalf;

(iii) If we are under a duty to disclose or share your personal information in order to comply with any legal obligation, any lawful request from government officials and as may be required to meet national security, law enforcement requirements, or prevent illegal activity;

(iv) To respond to any claims, to protect our rights or the rights of a third-party, to protect the safety of any person or to prevent any illegal activity; or

(v) To protect the rights, property or safety of FS-ISAC, our employees, customers, suppliers, visitors or other persons.

(g) We, as well as some of these recipients, may use your data in countries which are outside of the European Economic Area. Please see Section 2 below for more detail on this aspect.

2.2 Restrictions on use of personal information by recipients

Any third-party processors with whom we choose to share your personal information pursuant to the above are limited (by law and by contract) in their ability to use your personal information for the specific purposes identified by us. We will always ensure that any third parties with whom we choose to share your personal information are subject to privacy and security obligations consistent with this Privacy Notice and applicable laws. However, for the avoidance of doubt this cannot be applicable where the disclosure is not our decision, including where you request it.

Save as expressly detailed above, we will never share, sell or rent any of your personal information to any third party without notifying you and, if applicable, obtaining your consent.

3. PROVISIONS APPLICABLE FOR PERSONS IN THE EEA

3.1. Transfers of information outside of the European Union

Since we are an organization based in the United States, we process your personal data outside of the European Union.

Where your personal data is transferred to other entities as mentioned in Section 2, we will take appropriate measures to ensure that the recipient protects your personal information adequately in accordance with this Privacy Notice. These measures include entering into European Commission approved standard contractual arrangements with them or ensuring they have signed up to the EU-US Privacy Shield (see further https://www.privacyshield.gov/welcome).

Further details on the steps we take to protect your personal information in these cases is available from us on request by contacting our Chief Privacy Officer at privacy@fsisac.com.

3.2 Your rights

If you are an individual located in the EEA, under EEA data protection law you have specific legal rights relating to the personal data we collect from you (and may include the right to access your data, to ask for erasure, correction, restriction, porting, or to object to certain processing). We will respect your individual rights and will deal with your concerns adequately. For additional information, please see the section of our Privacy Policy addressing Access to Your Information and Other Rights (EEA Individuals Only).

4. SECURITY

We are committed to protecting personal information from loss, misuse, disclosure, alteration, unavailability, unauthorized access and destruction and take all reasonable precautions to safeguard the confidentiality of personal information, including through use of appropriate organizational and technical measures. Organizational measures include physical access controls to our premises, staff training and locking physical files in filing cabinets. Technical measures include use of encryption, passwords for access to our systems and use of anti-virus software.

In the course of provision of your personal data to us, your personal information may be transferred over the internet. Although we make every effort to protect the personal information which you provide to us, the transmission of information between you and us over the internet is not completely secure. As such, we cannot guarantee the security of your personal information transmitted to us over the internet and that any such transmission is at your own risk. Once we have received your personal information, we will use strict procedures and security features to prevent unauthorized access to it.

5. CHANGES TO OUR EVENT PRIVACY NOTICE

We reserve the right, at our discretion, to modify our privacy practices, update and make changes to this privacy notice at any time. For this reason, we encourage you to refer to this privacy notice on an ongoing basis. This privacy notice is current as of the date which appears at the bottom of the document. We will treat your personal data in a manner consistent with the privacy notice under which it is collected.

6. CONTACT INFORMATION

Please direct your questions regarding the subject matter of data protection and any requests in the exercise of your legal rights to our Chief Privacy Officer at privacy@fsisac.com.

We will investigate and attempt to resolve any request or complaint regarding the use or disclosure of your personal information. If you are not satisfied with our reply and you are from the European Union, you may also make a complaint to the data protection authority in your country.

Effective 2023 Nov 29