The Financial Services Information Sharing and Analysis Center (hereinafter “FS-ISAC”, “we”, “us” or similar) is an organization with its main office in the state of Virginia, United States of America. We collect and process several categories of personal data from you as a user of the FS-ISAC website (hereinafter the “Website”) and to all products and services offered by FS-ISAC (collectively, “FS-ISAC”, “Platform”, “we”, “us” or “our”) when you register for a Summit, an event, a training, an exercise or other activities (each, an “event”). Insofar as European Economic Area data protection law applies, we are a controller with regard to the personal data we process.
We take your privacy seriously. This privacy notice describes our practices regarding our collection and use of your personal data, such as what data we collect, why we collect it and what we do with it, and sets forth your privacy rights.
1.1 Event registration through our Platform
We use our Platform to collect personal data that you directly input into event registration forms as well as in any other page we set up as an event organizer, such as your name, title, email address, your employer’s name, and other transaction-related information. This data, except for cardholder information, is collected by us and we process it in the performance of a contract with you (the event registration) as well as in our legitimate interest to manage our events and contact you, as follows:
(a) Manage our event attendees;
(b) Contact you with regard to the event you have registered for;
(c) Contact you with regard to other events that we organize and think may be of interest to you, from which you can opt-out at any time by using the unsubscribe link in the email or by contacting us as indicated in section 6;
(d) Run statistics with regard to our event attendees;
(e) Improve our future events; or
(f) Contact you with regard to other events, activities, products and services offered by FS-ISAC.
1.2 Event registration, participation and related matters
In order to participate in certain of our in-person events, you may be issued a name tag that identifies the level of access that your registration grants you. You will be asked to show this name tag at the entry to the various areas of our events, as it is in our legitimate interest to manage access to our events.
Where we provide food in our events, we may ask you about food allergies or other conditions, so that we adapt our menu accordingly. Providing this information is optional and we will only process it with your consent and at your request.
The information above is stored by us for a period of three (3) years after the termination of the event.
If you are a speaker in our events, we may be processing your name, title, employer, employment history, education, as well as your presentation slides (if applicable), photos and videos of you at our events. The presentation slides (if applicable), photos and videos may be shared with our members through the channels we consider appropriate.
We do ask for your consent to take photos and videos of you and share them publicly; however, given that our interest is to publicize our events, if you do not agree we may refuse to appoint you as a speaker.
This processing is made in our legitimate interest to promote our events and the data is stored by us for three (3) years after the termination of the event.
1.4 Related services
1.5 Partner marketing
When you attend our events you may receive promotional goods or a conference bag with various items, some provided by us and some provided by our event partners. This product placement is made without providing your personal data to our partners; therefore, if you are interested in any of their products, please contact them directly.
We will disclose your personal data only for the purposes and to those third-parties as described below. We will take appropriate steps to ensure that your personal data are processed, secured and transferred according to applicable law.
2.1 Disclosure to third-parties
We will share the strictly necessary parts of your personal data, on a need-to-know basis with the following categories of third-parties:
(b) Hotels where we book accommodation in your name, if you request us to;
(c) Companies that provide products and services to us (processors) and are located in the United States or, in the event of in-person events, in the countries where the events are held, such as:
(i) Third-parties involved in organizing our events, client support or sales activities; and
(ii) Information technology systems suppliers and support, including email archiving, telecommunication suppliers, back-up and disaster recovery and cybersecurity services.
(e) Other parties such as public authorities and institutions, accountants, auditors, lawyers and other outside professional advisors located in the United States, the United Kingdom, and any other country where your in-person event is held, where their activity requires such knowledge or where we are required by law to make such a disclosure.
We will also disclose your personal information to third-parties:
(i) if you request or authorize us to do so, such as by consenting to us sharing your contact information with FS-ISAC members in connection with an event or with sponsors/exhibitors of an event;
(ii) to persons demonstrating legal authority to act on your behalf;
(iv) if we are under a duty to disclose or share your personal information in order to comply with any legal obligation, any lawful request from government officials and as may be required to meet national security or law enforcement requirements or prevent illegal activity;
(v) to respond to any claims, to protect our rights or the rights of a third-party, to protect the safety of any person or to prevent any illegal activity; or
(vi) to protect the rights, property or safety of FS-ISAC, our employees, customers, suppliers, visitors or other persons.
We, as well as some of these recipients, may use your data in countries which are outside of the European Economic Area. Please see Section 3 below for more detail on this aspect.
2.2 Restrictions on use of personal information by recipients
Any third-party processors with whom we choose to share your personal information pursuant to the above are limited (by law and by contract) in their ability to use your personal information for the specific purposes identified by us. We will always ensure that any third parties with whom we choose to share your personal information are subject to privacy and security obligations consistent with this Privacy Notice and applicable laws. However, for the avoidance of doubt this cannot be applicable where the disclosure is not our decision, including where you request it.
Save as expressly detailed above, we will never share, sell or rent any of your personal information to any third party without notifying you and, if applicable, obtaining your consent.
3.1 Transfers of information outside of the European Union
Since we are an organization based in the United States, we process your personal data outside of the European Union.
Where your personal data is transferred to other entities as mentioned in Section 2 above, we will take appropriate measures to ensure that the recipient protects your personal information adequately in accordance with this Privacy Notice. These measures include entering into European Commission approved standard contractual arrangements with them or ensuring they have signed up to the EU-US Privacy Shield (see further https://www.privacyshield.gov/welcome).
Further details on the steps we take to protect your personal information in these cases are available from us on request by contacting our Chief Privacy Officer, email@example.com, at any time.
3.2 Your rights
We are committed to protecting personal information from loss, misuse, disclosure, alteration, unavailability, unauthorized access and destruction and take all reasonable precautions to safeguard the confidentiality of personal information, including through use of appropriate organizational and technical measures. Organizational measures include physical access controls to our premises, staff training and locking physical files in filing cabinets. Technical measures include use of encryption, passwords for access to our systems and use of anti-virus software.
In the course of provision of your personal data to us, your personal information may be transferred over the internet. Although we make every effort to protect the personal information which you provide to us, the transmission of information between you and us over the internet is not completely secure. As such, we cannot guarantee the security of your personal information transmitted to us over the internet, and any such transmission is at your own risk. Once we have received your personal information, we will use strict procedures and security features to prevent unauthorized access to it.
We reserve the right, at our discretion, to modify our privacy practices and update and make changes to this privacy notice at any time. For this reason, we encourage you to refer to this privacy notice on an ongoing basis. This privacy notice is current as of the date which appears at the top of the document. We will treat your personal data in a manner consistent with the privacy notice under which they were collected.
Please direct your questions regarding the subject matter of data protection and any requests in the exercise of your legal rights to our Chief Privacy Officer at firstname.lastname@example.org.
We will investigate and attempt to resolve any request or complaint regarding the use or disclosure of your personal information. If you are not satisfied with our reply and you are from the European Union, you may also make a complaint to the data protection authority in your country.
Effective as of December 2018