IRION S.b.r.l. (hereinafter the “Data Controller”), acting as Data Controller, pursuant to Articles 13–14 of EU Regulation No. 679/2016 — General Data Protection Regulation (hereinafter the “GDPR”), as amended and supplemented, collects and subsequently processes the personal data of participants (hereinafter the “Data Subjects”) — including in their capacity as speakers, instructors, or attendees — at congresses and/or other events of a scientific, educational, or other nature (hereinafter the “Event”), including those held virtually.
Categories of Personal Data
The personal data processed by the Data Controller are collected directly from the Data Subjects and freely provided by them.
This information includes personal data (e.g., biographical data, contact details, telephone numbers, email addresses) and professional data (occupation, company role, membership of professional registers, associations, etc.). Photographic images and video recordings may also be collected and processed.
Purposes and Legal Bases for Processing
The personal data of the Data Subjects, provided through the completion of the Event registration form or otherwise collected in connection with participation in the Event, are processed for the following purposes, each accompanied by its legal basis:
a) Registration and participation in the Event; Legal basis: Art. 6(1)(b) GDPR — implementation of pre-contractual measures taken at the request of the Data Subject.
b) Fiscal, administrative, and accounting obligations strictly connected to participation in the Event; Legal basis: Art. 6(1)(b) GDPR — performance of the relationship connected to participation in the Event; and Art. 6(1)(c) GDPR — compliance with legal obligations.
c) Performance of specific tasks required by laws, regulations, or EU rules; Legal basis: Art. 6(1)(c) GDPR — compliance with legal obligations.
d) Free distribution of documentation relating to the Event; Legal basis: Art. 6(1)(b) GDPR — performance of the relationship connected to participation in the Event.
e) Network security (cybersecurity), and the establishment, exercise, or defence of a legal claim in judicial and extrajudicial proceedings, in pursuit of the Data Controller’s legitimate interest pursuant to Art. 6(1)(f) GDPR; Legal basis: Art. 6(1)(f) GDPR — legitimate interest of the Data Controller in system security, the prevention of abuse, and the protection of its rights.
f) Acquisition, recording, use, publication, and dissemination of photographic images, audio recordings, and audiovisual footage taken during the Event — including virtual events — for purposes of documentation, institutional communication, promotion, and enhancement of the Data Controller’s activities and of the Event, including via publication on websites, social networks, digital platforms, brochures, posters, and informational, educational, and promotional materials; Legal bases:
- For participants: Art. 6(1)(f) GDPR — legitimate interest of the Data Controller for documentation, institutional communication, and promotion of the Event and its activities, in compliance with Art. 10 of the Italian Civil Code and Arts. 96 and 97 of Law No. 633 of 22 April 1941; where individual interviews or content featuring a specific participant are produced and disseminated via the web, social networks, magazines, brochures, publications, or posters, the legal basis for processing will be the consent of the Data Subject pursuant to Art. 6(1)(a) GDPR;
- For speakers, where images, voice recordings, or audiovisual footage are strictly necessary for the management, recording, dissemination, and enjoyment of their contribution to the Event: Art. 6(1)(b) GDPR — performance of a contractual relationship or pre-contractual measures.
g) Sending of communications and/or documentation by IRION S.b.r.l. to keep the Data Subject informed about future projects, initiatives, and events promoted within the same area of interest, both through automated means (e.g., newsletters, email, SMS, MMS, automated calls, etc.) and through traditional contact methods (post and/or direct calls with an operator); Legal basis: Art. 6(1)(a) GDPR — consent of the Data Subject.
h) Sharing of contact details with other participants, in order to facilitate the establishment of direct communication channels and the initiation of new collaborations; Legal basis: Art. 6(1)(a) GDPR — consent of the Data Subject.
i) Communication of personal and contact data to third parties, such as partner companies and sponsors, for promotional and marketing purposes; Legal basis: Art. 6(1)(a) GDPR — consent of the Data Subject.
The processing of personal data is carried out, under the authority of the Data Controller, by specifically designated, authorised, and instructed persons pursuant to Art. 2-quaterdecies of Legislative Decree No. 196 of 30 June 2003, as amended by Legislative Decree No. 101 of 10 August 2018 (hereinafter the “Privacy Law”), and pursuant to Art. 29 of the GDPR, using manual, automated, or electronic means, in accordance with logic strictly connected to the purposes of processing and in any case in a manner that guarantees the confidentiality and security of personal data.
Consequences of Refusing to Provide Data
The provision of personal data for the purposes referred to in points a), b), c), d) and, to the extent strictly necessary, e) and f), is optional but necessary to enable registration, organisation, management, and proper participation in the Event, as well as compliance with regulatory obligations and protection of the Data Controller’s legitimate interests in relation to the security and management of the Event.
Accordingly, any refusal to provide the data necessary for these purposes may result in the inability to complete registration, participate in the Event, benefit from related services, or enable the Data Controller to properly fulfil its legal obligations and organisational, administrative, and security requirements.
The provision of data for the purposes referred to in points g), h), and i) is, however, optional. Failure to provide data or to give consent for these purposes will not in any way affect the possibility of participating in the Event; however, it will result in the inability to involve the Data Subject in future projects, initiatives, and events in the same area of interest.
With regard to the purpose referred to in point f), it is understood that the Data Subject may object, in the cases provided for by applicable legislation, to processing based on the Data Controller’s legitimate interest.
Retention Period
Personal data will generally be retained for the time necessary to pursue the purposes of processing for which they were collected. In particular, data will be retained for the entire duration of the Event and, following its conclusion, for the time necessary to pursue related purposes, including on the basis of any consent given by the Data Subject. Data processed for marketing purposes will be retained for a maximum period of 24 months from collection, unless the Data Subject renews their consent; in the absence of such renewal, the data will be deleted or otherwise removed.
It is understood that the Data Controller may retain data for a further period, even after processing has ceased, where necessary to comply with legal obligations, to give effect to orders or requests of the competent Authority, or for the purpose of defending or protecting its rights, within the limitation periods provided for by applicable legislation.
Transfers Outside the EU
Processing will take place primarily in Italy and within the European Union. However, where necessary for the pursuit of the processing purposes, it may also take place outside the European Union, in compliance with the guarantees provided by applicable legislation for the protection of Data Subjects.
Recipients and Categories of Recipients to Whom Personal Data May Be Disclosed
In connection with the processing purposes described above, and strictly within the limits of relevance to those purposes, the Data Subject’s personal data may be disclosed to the following parties for the purposes of registration and subsequent participation in the Event:
- Tax authorities and other public authorities, where required by law or upon their request;
- Financial institutions for the execution of payments related to participation or associated services;
- External structures and/or companies engaged by the Data Controller to carry out activities connected, instrumental, or consequential to registration and participation in the Event (such as printing services, data processing and IT consultancy, promotional activities of companies participating in the Event, distribution of the Event programme, hotel reservations, etc.);
- Internally authorised persons and external consultants acting as Data Processors, performing specific tasks and operations (e.g., management of Event registrations or tax compliance);
- The client and parties participating in the Event as sponsors or partner companies, where present and where permitted.
The parties referred to above, to whom the Data Subject’s personal data will or may be disclosed (where not designated as Data Processors), will process personal data as independent Data Controllers pursuant to the GDPR, in full autonomy and entirely separately from the original processing carried out by the Data Controller.
Without consent to the disclosure of personal data and the related processing, where required by the GDPR, the operations requiring such disclosure may not be carried out, with consequences known to the Data Subject.
A detailed and up-to-date list of such parties is always available upon request at the Data Controller’s registered office.
Rights of Data Subjects
Articles 15 et seq. of the GDPR confer upon the Data Subject the right to obtain:
- Confirmation or denial of the existence of personal data relating to the Data Subject, even if not yet recorded, and their communication in an intelligible format;
- Information on the origin of personal data, their purposes and methods of processing, the logic applied in the case of processing carried out with the aid of electronic tools, and the identifying details of the Data Controller;
- Updating, rectification, supplementation, deletion, anonymisation, or blocking of data processed in violation of the law, including data whose retention is no longer necessary in relation to the purposes for which they were collected and subsequently processed. Documentation of such operations, including their content, will be brought to the attention of the Data Subjects whose data have been communicated or published, unless this task is impossible to perform or would require the use of means manifestly disproportionate to the right being exercised.
In addition, the Data Subject has the right to:
- Object, in whole or in part, on legitimate grounds, to the processing of their personal data, even where such processing is consistent with the purpose of collection;
- Lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) as provided for by the GDPR.
To obtain the detailed and continuously updated list of parties to whom the Data Subject’s personal data may be disclosed, and to exercise the rights conferred by Articles 15 et seq. of the GDPR, pursuant to Article 12 of the GDPR and within the limits of Section 2-undecies of the Privacy Code, the Data Subject may contact the Data Controller at the following details:
IRION S.b.r.l., registered office at Via Livorno, 60 – 10144, Turin (TO) Tel.: 0113818311 — Email: [email protected]