DATA CONTROLLER/ PROCESSOR – FORUM EVENTS LTD
DATA PROTECTION OFFICER – Charles Williams, firstname.lastname@example.org, 01992 374095
What information does Forum Events Ltd collect?
Email address (predominantly business email address but may occasionally be personal depending on client’s preference)
Telephone number (predominantly business telephone number but may occasionally be personal depending on client’s preference)
How we collect this information
Forum Events Ltd may collect this information in a variety of ways which may include retaining information from forms completed by you, from correspondence with you, sourcing information in the public domain, contacting potential clients through social media as well as acquiring information from third parties (providing they have consent to share this data with us and are able to provide proof of consent.)
How we store this information
After we have obtained consent to retain personal data, this data will be stored in our secure Customer Relationship Management system. From here we can pull information for marketing, administrative and operational purposes.
Why do we need this personal data?
We use the information you provide about yourself when booking onto an event only to complete that instruction, keep you up to date with information regarding the relevant events and ensure that we maintain high levels of customer service. In some cases, Forum Events Ltd may use legitimate interest to ensure performance of a contract i.e. sharing data with relevant suppliers attending an event.
Who has access to this data?
Your information may be accessed internally by any member of the sales, administrative or marketing teams in order to perform a range of tasks from updates regarding an event to confirmation of booking details.
From time to time, providing the correct consent has been obtained by ourselves, we may share information with relevant third parties whose services we believe may be of value to you.
How does Forum Events Ltd protect data?
We have internal policies and steps in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed by anyone outside of our organisation without lawful consent. If ever data is to be passed onto relevant third parties, we will ensure that they have the relevant policies in place to protect the data as well.
How long will Forum Events Ltd retain data?
As a general rule, we will retain contact information for 20 years however a data subject is able to withdraw consent at ANY time and Forum Events Ltd will comply.
Your rights as a data subject
- Right To Erasure – request the removal or deletion of their personal data.
- Right to be Informed – every consumer has the right to know if, when and how an organisation is using their personal information.
- Right to Access – any data subject has the right to access their information free of charge.
- Right to Rectification – the right to make alterations to the data is you discover that the information is incorrect or incomplete.
- Right to Restrict Processing – data subjects can ask for their information to no longer be processed.
- Right to Object – object to the use of personal data for marketing purposes.
- Right To Portability – allows individuals to obtain their personal data and reuse it elsewhere.
In the event that you would like to exercise any of these rights, please contact Charles Williams.
If you believe that Forum Events Ltd has not complied with your data protection rights, you can complain to the Information Commissioners Office.
DATA CONTROLLER/ PROCESSOR – FORUM EVENTS LTD
Why Consent is important to us
It is important that we get consent from customers to ensure that we are sending the correct and appropriate communications. By obtaining company and job title information, we are able to tailor communications so that contacts are able to receive information regarding relevant events and services we provide.
What we use consent for
We hold onto your consent so that we understand how much of our marketing materials and event information you would like to receive directly from us as well as specific consent regarding third parties. We don’t want to send you anything you don’t want, so should you just want to receive information solely from Forum Events and related brands and not third parties, we keep a detailed record of this and ensure that your information is never passed on to anyone else.
How we obtain consent
We will never automatically opt you in and rely on you telling us that you wish to opt out. All consent requires an affirmative action on the customer’s part and the question as to whether you would like to be opted in will be asked in a clear and direct manner and the response recorded accordingly.
How we retain consent
When we obtain consent we then record in detail the method, time and date that consent was given. We store this in our Customer Relationship Management system so that any member of our company is able to see and understand the consent choices a data subject makes. We will seek to refresh this consent unless we are told otherwise.
Consent for Third Party Communications
At the time that we request consent to send you correspondence from ourselves, we will also ask if you would like to receive information from carefully selected third parties. Any third parties we communicate with, will only be organisations that we believe would be of genuine interest to you as a data subject however, none of your information will be shared unless you as the subject, have given direct consent to be included in these communications. We will keep detailed records of this, so should you withdraw consent at any time, we will comply. Should you ever want to withdraw consent solely for third parties yet continue to receive information from Forum Events and its related brands, we can do this at any time.
Should you wish to withdraw consent
Under data protection legislation, you as a data subject have the right to withdraw consent at ANY time. In the event that you wish to do this, all you have to do is get in contact. We will then make a note of this on our system to ensure that any data is then dealt with according to the client’s wishes. Once consent is withdrawn, we retain the basic information for our reference however, we will make notes and adjust our system so that we are able to still see the client on the system but also will know that no further communication is to take place. By retaining this basic data, we can ensure that you will not be disturbed by any of our communications again. In the event that you decide that you would once again like to sign up to correspondence from Forum Events or any of our brands, we can easily re-adjust our system and reinstate consent. All that the subject will need to do is confirm their details and then once again, communications will be restored.
With the intention of full transparency, when consent has not been provided, Forum Events will continue to process the data for marketing on the premise of Legitimate Interest.
The legitimate interest is the processing of data for each contact (individual) records’ “Job Title” along with their Companys’ “activity/industry” (both requirements should always be met, but a job title may suffice in an event case basis). This is to ensure that email marketing will only reach potentially relevant individuals, based on their role in the industry, relevant to the events hosted by Forum Events.
Third party sharing of our marketing list falls under the application of legitimate interest.
This does not affect our attempts in obtaining a full consent for marketing. Nor does legitimate interest affect your rights to withdraw consent or your rights as defined by GDPR.
In line with the General Data Protection Regulations, we have a disposal policy in place so that, should we need to, any data we collect is disposed of in a safe and secure manner.
What We Collect
We collect personal information that includes:
- Job Title
- Address Information
- Telephone Number
- Email Address
We do not store or use any sensitive personal information such as credit card information or medical information and will never store information that isn’t relevant to what we do, for example, gender, religious or racial information and sexual preference.
What we store will only ever be used for the express purposes that the data subjects was originally obtained for and will not be passed on to any outside parties unless directly stated.
How It Is Stored
We primarily store personal information on our CRM system, where we can manage contact with any of the data subjects whose data we hold however, on some occasions, it may be necessary to keep information in hard copy. This can happen when attending events, when working outside of the office or for easier processing between departments in the office however we have policies in place to ensure that, should these be the cases, data is protected no matter what the circumstances.
How It Will Be Disposed Of
When dealing with data on the CRM system, should people invoke their right to erasure and request that their data in its entirety is removed, we will ensure that no member of the company is able to view the information so that it disappears from the overall view as well as ensuring that data is removed from anywhere it can be stored without it actually being seen. This will be performed by our CRM company so that it can be removed from back up servers, emails and any other places that the data could end up.
When dealing with hard copies of data, the handling of this data will be minimal however we want to ensure that any data that is kept in this manner is destroyed once it is no longer required and not left in an unsecure, unmonitored location. Within our office, we have shredders in place to ensure that any document containing personal data is removed, shredded and disposed of in a secure method.
We at Forum Events operate a retention policy when it comes to our data, this meaning that Forum Events can store any data collected for a limited time.
LENGTH OF TIME
Under the General Data Protection Regulations, Forum Events are able to decide how long exactly the period of data retention would be. We have determined that that will be a period of 40 years. After this period has passed, the data will be removed from all systems and locations that Forum Events occupy.
Any data subject has rights when it comes to their data and should they invoke these rights, Forum Events are bound by law to comply.
RIGHT TO ERASURE
The right to erasure surrounds a subjects’ rights to their data and their ability to request that data is deleted in its entirety, at any time. Please see the ‘Right to Erasure’ policy for details of this right in detail.
RIGHT TO BE INFORMED
Under GDPR, every consumer has the right to know if, when and how an organisation is using their personal information.
RIGHT TO ACCESS
Under the new legislation, any data subject has the right to access their information free of charge however organisations also have the right to charge for, or refuse, any requests that are considered to be excessive or irrelevant. The reasons behind any refusals must be fully and clearly explained, while outlining their right to appeal the decision to the appropriate authority within a month.
RIGHT TO RECTIFICATION
Anyone whose personal data is stored by an organisation, has the right to make alterations to the data if they discover that the information is incorrect or incomplete. While giving individuals greater quality control over their data, it also provides organisations with more accurate, and therefore, better quality data. If we have already disclosed that data in question to third parties, it is our responsibility to inform them of the changes.
RIGHT TO RESTRICT PROCESSING
Just as data subjects can ask for their data to be deleted, they can also ask for their information to no longer be processed. It is important to note that a request to stop processing an individuals’ data does not mean the information must be deleted. It can be stored, but no longer processed.
RIGHT TO OBJECT
Used in cases when someone gets in contact to object to the use of their data for marketing purposes. In the event that this happens, processing must cease immediately.
RIGHT TO PORTABILITY
Allows individuals to obtain their personal data and reuse it elsewhere if they wish. Organisations are obliged to comply with requests and must be provided in a commonly used and readable format.
DATA CONTROLLER/ PROCESSOR – FORUM EVENTS LTD
PLEASE READ THIS POLICY SHOULD YOU REQUEST TO INVOKE YOUR RIGHT TO ERASURE
The Right to Erasure
Under the new GDPR, data subjects have new rights that will enable greater control over the use of their personal data. One of these rights has the official title of ‘The Right to Erasure’. This means that any data subject has the right to request that their data be forgotten at any time and the data controller/ processor has to comply in accordance with Article 17 of the GDPR.
Art. 17 GDPR Right to Erasure (‘right to be forgotten’)
- The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
- the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
- the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
- Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
- Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise or defence of legal claims.
What the Right Means to Forum Events
Forum Events wants to ensure that all data subjects are comfortable with how their data is stored and handled so if, as a customer, you choose to withdraw your data in its entirety, we will comply.
When it comes to how we, Forum Events, operate, we rely a lot on making professional connections, both online and in person and whilst we will only retain information with the subjects’ express consent, in the event that you no longer wish to be contacted and want us to remove all information from our systems, there may be a risk that at a later date, another connection will be attempted.
What We Recommend
In the event that a data subject no longer wishes to be contacted by Forum Events, we keep a record on our system of this opt out and ensure that contact information is removed from any marketing and mailing lists that we possess.
Our current method of operation is, in order to ensure that once opted out a request to connect is not sent again at a later date or by a different manager in charge of a separate event, is store basic contact details in a separate area of our Customer Relationship Management system with a note to guarantee no contact will take place again and will never be used for any other reason.
What this Means for the Right to Erasure
In the event that a data subject would like to withdraw all information from our records in line with the Right to Erasure, we will comply and remove every trace of any data belonging to the subject from our system, however due to the way Forum Events operates, if we are unable to keep a record of those that no longer wish to be contacted, we cannot guarantee that at a later date another connection will not be attempted.
AFTER READING THIS POLICY, PLEASE CONFIRM TO A MEMBER OF STAFF, EITHER VERBALLY OR IN WRITING, THAT YOU ARE HAPPY WITH EVERYTHING OUTLINED IN THIS POLICY AND WHETHER YOU WISH TO CONTINUE TO INVOKE YOUR RIGHT TO ERASURE. THANK YOU.
DATA CONTROLLER/ PROCESSOR – FORUM EVENTS LTD
What is a Subject Access Request?
A subject access request is something that can be submitted by a data subject in order to request a copy of any and all information that the organisation possesses regarding the specific data subject.
How new Data Protection regulations will affect SAR’s
- Fees – Under the DPA there was a small fee when submitting a request to an organisation however, after 25th May 2018, organisations will not be able to charge for complying with a request.
- Electronic access – it must be possible to make requests electronically (e.g. by email). Where a request is made electronically, the information should be provided in the same format unless otherwise requested by the individual.
- Content of response – the request should allow the individual to know what information is held about them and what processing is being carried out. In responding to a request, data controllers may need to provide further information such as the relevant data retention period and the right to have inaccurate data corrected as well as verify the identity of the person requesting by using ‘reasonable means’.
- Time to respond – the data controller must respond to these requests within a month.
Exemptions and Refusals
- Fee – an organisation will not be able to charge for complying with a request UNLESS the request is ‘manifestly unfounded or excessive’. The data controller may also charge a reasonable administrative-cost fee if further copies are requested.
- Excessive requests – if a request is ‘manifestly unfounded or excessive’ data controllers can also refuse to respond but will need to be able to provide evidence of how the conclusion that the request is manifestly unfounded or excessive was reached.
- Time to respond – there is a possibility to extend the response period for particularly complex requests but again, it will be down to the data controller to argue the case.
- Right to withhold – data controllers can withhold personal data if disclosing it would ‘adversely affect the rights and freedoms of others’.
When a refusal is made
When we as an organisation choose to refuse to respond to a request, we must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.
DATA CONTROLLER/ PROCESSOR – FORUM EVENTS LTD
What we share/ sell
We at Forum Events will only ever share the contents of our ‘Marketing List’ which is made up of Name, Organisation, Job Title and Contact Information
What we class as ‘third parties’
Attending our Events
When attending our event as a Delegate, we detail on our booking form how contact details will be passed on to the relevant suppliers attending the event in order to ensure provision of services i.e. arrangement of networking meetings with the correct and pertinent companies.
Outside of our Events
We do associate with other data companies and do both obtain data from and sell our data to other companies providing we have the right approval and consent. In the event that we share our data only Name, Job Title, Organisation & Contact Information will be divulged.
Consent to ‘third party’ sharing
Attending our Events
The consent that we obtain by agreeing to the terms and conditions on our booking form is consent solely to share information with those suppliers attending the said event. Just by agreeing to these terms DOES NOT mean that your personal data will automatically be included in any other third-party use of data. We will not do this until this form of consent has been obtained and recorded.
Outside of our Events
In the event that we begin communicating with you, we will always ask whether you would like to give to your consent to future communications, both from Forum Events and relevant brands as well as third parties. We will then keep a record of this on our systems to ensure that you only receive the correct correspondence.
Our promise regarding Third Parties
- We will never discuss or divulge your information unless express consent has been obtained.
- In the event that you do not want to opt in to receiving information from third parties, we will keep a clear record on our systems
- Your information will never be sold to companies that aren’t relevant
When third parties enquire about our data, we will never send a sample of the data before selling post the introduction of GDPR, in order to make sure that data protection is maintained.
We will not de dupe data with a third-party company without said company completing the ‘Supplier GDPR Compliance Questionnaire’ whereby we request a guarantee that the company has permission to share data with a third party. In the event that this isn’t done, data will not be shared.