Are you a Virtual Services customer?
Privacy Notice regarding the processing of personal data included in ICE Virtual Services
Dear Partner, dear Operator,
Below we provide you with some information that is important to communicate not only in order to comply with legal obligations, but also because transparency and fairness towards data subjects are a fundamental part of this Public Administration.
ICE Agency, in compliance with the principles established by EU Regulation 2016/679 concerning the protection of individuals with regard to the processing and free movement of personal data, offers users the opportunity to consult or use Virtual Services (as defined below) by interacting with their own Virtual Platform (as defined below).
In order to ensure that processing is carried out in accordance with European Data Protection Law, ICE Agency, as data controller, provides data subjects with the following notice pursuant to Article 13 of the General Data Protection Regulation (GDPR), highlighting the information regarding the processing of personal data carried out by ICE Agency.
This notice only concerns data processing carried out on or through the Virtual Platform (which can be accessed at www.ice.it, the homepage of ICE Agency’s official website), as better defined below, and on websites created by the Virtual Platform. According to the circumstances, data may be processed by one or more of the following parties (as better defined below):
∙ ICE – Agency;
∙ Managers of Virtual Exhibition Centers, Virtual Meeting Rooms, or E-learning Platforms; ∙ Virtual Trade Fair Organizers;
∙ Organizers of Events/Meetings/Virtual Missions;
∙ E-learning Service Organizers;
∙ Visitors of Virtual Fair Events.
Joining the Virtual Platform does not in itself ensure compliance with the GDPR, national legislation, the provisions of the Italian Data Protection Authority, or European Data Protection Board guidelines, which the members of the Virtual Platform are nevertheless required to respect autonomously whenever they process data in the capacity of data controllers.
In the event that ICE Agency acts as data controller in processing data related to Virtual Services, ICE is responsible for the privacy notice. In the event that ICE acts as data processor—that is, on behalf of third parties—for data relating to Virtual Services, the third party controller bears sole responsibility for communicating the information in this notice to data subjects, and ICE Agency therefore assumes no responsibility in this regard, unless otherwise agreed in writing with the controller case by case. In particular, in the case of any agreement with the third-party data controller, ICE undertakes only to post a privacy notice online, which is to be prepared and provided by the third-party controller and under their sole responsibility.
Without prejudice to the foregoing, the Virtual Platform allows each Third-Party Organizer as defined below to independently submit the necessary privacy policies provided for by the GDPR, including one for each Virtual Trade Fair or other Virtual Service.
Further information on the Virtual Platform’s functions and the processing of personal data connected to it can be found in the document called Utenze e dati Piattaforma ICE ver. 1.0 21.07.2020 (ICE Platform Users and Data ver. 1.0 21.07.2020).
Without prejudice to the definitions contained in Article 4 of the GDPR, to which reference is expressly made, nor to the definitions contained in Legislative Decree 196/2003, as amended by Legislative Decree 101/2018, we use the following terms and definitions for the purposes of Virtual Services:
∙ Trade fair activities: the collective parties and activities that promote or contribute to promoting the products and services of Exhibitors through the organization of Trade Fairs. These exhibition events can also assume the characteristics of a conference or convention; in this case, the event is aimed at building, spreading, and refining knowledge in specific professional and cultural spheres (the Conference).
∙ Marketing activities: marketing or monitoring activities for marketing purposes (e.g., integration with direct email marketing services (DEM), tracking systems such as Google Analytics, etc.), as well as the consequent personal data processing that can be configured independently from the Virtual Platform and on the basis of dedicated configurations from time to time on the site of the Virtual Trade Fair or in relation to another Virtual Service by the Third-Party Organizer.
∙ Exhibitor: someone who is granted exhibition space on the Virtual Platform (and related technical services) or advertising space to promote/exhibit products or services during the Virtual Trade Fair.
∙ Virtual Trade Fair: a periodic event and/or exhibition delivered through the Virtual Platform, in which products/services are presented to the public in order to sell or advertise them.
In addition to its own back-end administration, the Virtual Platform provides a website for each Virtual Trade Fair via a dedicated URL (e.g., eventname.ice.it or www.eventname.it).
∙ Virtual Conference: a conference or convention delivered through the Virtual Platform.
∙ Supplier: an entity other than ICE that provides products or services needed to realize the Virtual Trade Fair (for example, setting up virtual stands and virtual reception services, hiring various virtual services and IT services in general).
∙ Virtual Exhibition Center Manager: the party—ICE—that manages a Virtual Exhibition Center owned by ICE, ensuring its ordinary and extraordinary maintenance and seeing to its promotion, improvement, and economic optimization. The Virtual Exhibition Center Manager can also assume the role of Virtual Fair Organizer or host of Virtual Trade Fairs organized by third parties.
∙ Virtual Meeting/Mission Manager: the party—ICE—that manages the Virtual Meeting Rooms owned by ICE, ensuring their ordinary and extraordinary maintenance and seeing to their promotion, improvement, and economic optimization. The Virtual Meeting/Mission Manager can also assume the role of Virtual Meeting/Mission Organizer or host of Virtual Meetings/Missions organized by third parties.
∙ E-learning Platform Manager: the party—ICE—that manages the E-learning Platform, ensuring its ordinary and extraordinary maintenance and seeing to its promotion, improvement, and economic optimization. The E-learning Platform Manager can also assume the role of E-learning Service Organizer or host of E-learning Services organized by third parties.
∙ Virtual Meetings: B2B and B2C meetings initiated and conducted on or through the Virtual Platform.
∙ Operators: parties, other than Users and Partners, who use Virtual Services.
∙ Virtual Trade Fair Organizer: someone who owns a trademark associated with a Virtual Trade Fair, which is prepared by the Virtual Trade Fair Organizer, including through third parties, within or outside the EU.
∙ Virtual Meeting/Mission Organizer: someone who receives Virtual Services on the ICE Virtual Platform and/or through ICE to organize their own Virtual Meetings/Missions.
∙ E-learning Service Organizer: someone who receives Virtual Services on the ICE Virtual Platform and/or through ICE to organize their own E-learning Services.
∙ Third-Party Organizer: someone who is granted space and/or Virtual Services on the ICE Virtual Platform and/or through ICE to organize their own Virtual Trade Fairs, Virtual Meetings/Missions, or E-learning Services.
∙ Virtual Missions: foreign B2B and B2C missions initiated and conducted on or through the Virtual Platform.
∙ Partners: parties, other than Operators, who have an agreement with ICE to use Virtual Services through the Virtual Platform or manage them on their own.
∙ Virtual Platform: the set of technical features made available as SaaS-IaaS from or through the ICE website (www.ice.it) for the provision of individual Virtual Services.
∙ Prospects: parties–including potential Users, Operators, and Partners–who have expressed a concrete interest in a Virtual Service (e.g., a Virtual Trade Fair) or in another service or product from ICE and/or its Partners by requesting commercial contact or
information, registering for a Virtual Event, or sending their business card, without then subscribing to the Virtual Service or purchasing the service or product; journalists.
∙ Virtual Exhibition Center: a permanent digital structure (Virtual Platform) owned by ICE and/or its suppliers used mainly to host Virtual Trade Fairs managed by ICE or by third party Trade Fair Organizers. The Virtual Exhibition Center may also include virtual spaces for conferences and conventions (Virtual Conference Venues).
∙ Virtual Services: services provided by or through the Virtual Platform.
∙ E-learning Service: the e-learning service provided from time to time by or through the Virtual Platform.
∙ Users: natural persons who use Virtual Services provided by the Managers of Virtual Exhibition Centers, and/or Virtual Meetings, or E-learning Services, or by the Organizers.
∙ Visitors: natural persons who visit the Virtual Trade Fair with the aim of acquiring information, making purchases, participating in side events (e.g., competitions, championships), or getting in touch with Exhibitors. They include those who access the Virtual Trade Fair for professional purposes (Trade Visitors), as well as speakers and
conference participants (commonly understood as those taking part in a conference, convention, workshop, or seminar).
Virtual Services refer to the following services made available by ICE Agency and/or its subcontractors on or through the Virtual Platform:
∙ Virtual Fairs/Conferences
∙ Virtual Meetings/Missions (B2B, B2C)
as better described respectively in the General Conditions for the Provision of Virtual Services, which can be viewed at the following link: https://ice.it/servizivirtuali/condizionigenerali/ and/or in the ICE Service Catalogue.
Videoconferencing and collaboration services
Some Virtual Services use high definition videoconferencing tools (e.g., for the purposes of virtual B2B or B2C meetings) moderated by ICE staff and/or third-party Partners (e.g., trade fair organizations, consortia, training companies, etc.) and/or video collaboration (e.g., chat) by third-party Suppliers. Please, refer to the section entitled ‘Will you transfer data to non
EU countries’ below for further information.
Virtual Services legal and economic conditions
Virtual Services are provided in accordance with the General Conditions for the Provision of ICE Virtual Services, which can be viewed at the following link: https://ice.it/servizivirtuali/condizionigenerali/
Purpose and lawful basis for processing
ICE Agency processes personal data for the purposes of performing its institutional and public tasks and consequently fulfilling its obligations (including providing, supporting, and
updating Virtual Services) as set out by contract, law, regulation, or any other legislation applicable to ICE.
Data may also be processed to implement pre-contractual measures (usually in response to the data subject’s request for information, documents, advice, or support). The potential purposes mentioned above include, from a technical perspective:
(i) managing the website www.ice.it and the security features of Virtual Services; (ii) generating reports on operations carried out and sharing these reports with ICE’s third-party partners (e.g., suppliers offering products or services through this Site) for information purposes;
(iii) implementing measures to prevent digital fraud relating to ongoing transactions between ICE and users and/or third parties, or between an Organizer and users, operators, and/or third parties.
Data will not be used for any purposes other than those described in this notice without prior notification and, where necessary, your consent.
Processing is carried out under the following lawful bases:
1. Processing is necessary for the performance of tasks which ICE Agency carries out in the public interest (Article 6(1)(e), GDPR).
2. Processing is necessary for the conclusion and/or performance of a contract or the implementation of pre-contractual measures taken at the data subject’s request (Article 6(1)(b), GDPR).
3. Processing is necessary for compliance with legal obligations to which the data controller is subject, e.g., obligations of a legal (accounting, tax) or regulatory nature, implementation of measures adopted by judicial or administrative authorities (Article 6(1)(c), GDPR).
Personal data which is collected in ICE Agency’s Centralized Database (CDB) may also be used as part of its institutional activity and therefore to promote and develop trade of your product and/or service abroad, as provided for in Article 14, Paragraph 20 in the Italian Legislative Decree 98/11, converted into Law 111/11, as replaced by Article 22, Paragraph
6 of Legislative Decree 201/11, converted into Law 214/11. Your data may, therefore, be used to send proposals for participation in other initiatives organized by ICE Agency such as fairs, workshops, seminars, training courses, etc., and used to evaluate customer satisfaction and carry out other surveys relating to ICE Agency’s institutional and public tasks.
In the case of commercial proposals sent to parties who have not already used the services provided by ICE Agency, the lawful basis for any processing is the institutional task of public interest, which ICE Agency carries out as data controller.
You reserve the right to object to the sending of such communications at any time, but your objection will not affect the lawfulness of any processing previously carried out.
Categories of data subjects
The provisions of the GDPR apply only to the processing of data relating to identified or identifiable natural persons (‘you’ or the ‘data subject’). Virtual trade fair activities involve processing the personal information of data subjects encompassing:
∙ Exhibitors (meaning those who have already had a contractual relationship in the past for any reason with an Organizer of Trade Fairs, either physical or virtual) and their staff; ∙ Prospects and their staff;
∙ Third-Party Managers and Organizers of Virtual Trade Fairs, Virtual Meetings (B2B and B2C), and E-learning Services, and their staff;
∙ Visitors, including trade visitors;
∙ Media professionals;
∙ Institutional representatives;
What types of data are processed?
As a rule, it is possible to visit the Virtual Services webpage without providing any personal data. In some circumstances, the Virtual Platform may require users to provide personal information. In the context of the purposes and methods described in this notice, processing operations concern:
1) navigation data;
2) data relating to subscriptions/registrations to the Virtual Platform or Virtual Services, necessary for managing relations with ICE, including fulfilling requests for information or contact, orders with payment, or the provision of a Virtual Service;
3) data necessary or useful for effective corporate communications on ICE’s part; 4) data necessary or useful for fulfilling legal, regulatory, or contractual obligations.
In the case of journalists: name and surname, contact details, sector and newspaper, country of origin, language.
The categories of data processed under 2, 3 and 4 include:
a) personal data, inter alia, identifiers and personal details (e.g., name, surname, place and date of birth), name of the personally-managed company or partnership, names of shareholders and directors, business role (e.g., professional title, job description, responsibility level), telephone/fax/email contact details, geographical position (e.g.,
residence, domicile, registered office, country of origin), education and culture (e.g., academic qualifications, professional certifications), contact language, tax data (tax identification number, VAT number), addresses and shipping and/or billing data; b) data of various kinds, inter alia: company name, company details (e.g., registered office, AER), data on economic activity (e.g., the type of goods and services offered by an Operator using Virtual Services, their ATECO code, turnover, number of employees, target countries of their business activities, countries in which the Operator is present, goods and services of current and/or potential interest to the Operator, channels of distribution, project budgets, data on participation in initiatives promoted by ICE, data on public funding). In the event that Virtual Services entail Virtual Events organized and/or managed by third party Partners, the latter can independently request further information from data subjects (e.g., Operators, Visitors); if the data collection requires a privacy notice other than ICE’s, the third-party Partners will communicate this additional privacy notice independently via the Virtual Platform or through separate means which they manage independently.
In some cases, if you are a customer or a prospect, we merge the data you provide us with additional personal information obtained during your navigation on our websites, through the use of services provided by these sites (e.g., cookies relating to pages of our website that you have visited or the country from which you connect), via other communication channels (e.g., social media), or through mass email marketing services (e.g., which messages you have received, which emails you have opened, which offers you accepted through specific actions such as opening an attachment or responding to our request to link to landing pages or email attachments, etc.).
As a rule, the performance of Virtual Services does not involve processing special categories of data as per Article 9(1) of the GDPR, except for data necessary or important for the provision of Virtual Services specifically dedicated to people with disabilities, or for managing the participation of institutional representatives occupying political, trade union, or religious offices in Virtual Events.
The information of data subjects, which is processed in the context of Virtual Services, can be drawn from one or more of the following three general types of databases at any one time:
a) the ICE database (e.g., national operators database, foreign operators database, CRM cloud)
b) the database of a third-party Partner affiliated with ICE, Virtual Service user; c) the database of an Operator, either Italian or foreign, when using the Virtual Services for various reasons.
We collect your personal data: i) through online or paper forms, or pre-registration or participation applications completed by you and/or acquired by third parties authorized by us; ii) through mobile devices like tablets and smartphones present at events organized by ICE Agency and/or its Partners, or iii) by a business card you have given us.
For Virtual Events/Meetings/Missions which require the creation of your virtual photo identification card for security for safety or user identification purposes, a photo of you can be collected through the online registration forms or a remote photo session (via the webcam on your PC, laptop, tablet, or smartphone) held by the Videoconferencing Service Providers associated with the Virtual Platform.
Data may also be collected from publicly accessible sources (e.g., personal, fiscal, economic, and contact details can be found on the internet, the business register at the Chamber of Commerce, or websites of foreign trade fairs), pursuant to Article 14 of the GDPR. In the case of Virtual Events organized or hosted on the Virtual Platform by third
party Partners who act as independent data controllers, the data may also be collected through third-party Partners.
Obligation/Option to provide data and consequences of failure to provide such data
The provision of information, personal or otherwise, marked as mandatory on the ICE Service Order Form or on other ICE forms for joining Virtual Services is essential for using Virtual Services; any refusal to provide such information precludes the possibility of using them.
The provision of information, personal or otherwise, marked as optional on the ICE Service Order Form or the other aforementioned ICE forms is aimed exclusively at the possibility of offering you a personalized service tailored to context, preferences, or interests identified based on your economic activity (this usually does not constitute personal information—e.g., turnover, company type, ATECO code, export data, etc.).
In the case of data processing for direct marketing purposes carried out by ICE Agency’s third-party Partners, the data subject must freely consent to the processing, and failure to provide consent will preclude the possibility of processing the data for this purpose, without prejudice to the data subject’s right to obtain any services or products that may have been ordered from ICE. ‘Direct marketing’ here refers to marketing to Customers and Prospects by ICE Agency’s Partners: i) through communication channels other than email and text and/or instant messages; ii) otherwise in relation to services or products unlike those you have already purchased from the aforementioned Partners; or, iii) in relation to services or products which the aforementioned third-party Partners have never previously proposed to you nor discussed with you (in which case you would be viewed as a ‘lead’ by the Partners).
Who are the Data Controller and the Data Protection Officer?
The Data Controller is the ICE Agency for the Promotion and Internationalization of Italian Companies Abroad, based at Via Liszt, 21, 00144, Rome, Tel. 06 59921 (‘ICE Agency’). The ICE Data Protection Officer can be contacted at the email address firstname.lastname@example.org.
Further information on the privacy responsibilities of the parties involved in various capacities in data processing through the Virtual Platform can be found in the chapter ‘Determination of privacy roles’ below.
What privacy responsibilities are envisaged in the context of processing operations?
Each of the participating parties can take on a different role in processing personal data, depending on the tasks undertaken in the context of Virtual Services, as follows.
The Organizer of Virtual Trade Fairs, Virtual Meetings/Missions, or E-learning Services is the data controller for all personal information necessary to realize the Events themselves.
The Manager of the Virtual Exhibition Center, the Virtual Meeting Room, and/or the E learning Platform is, in any case, the data controller for all personal information necessary to:
∙ ensure the ordinary and extraordinary maintenance of the Virtual Exhibition Center, Virtual Meeting Room, or E-learning Platform;
∙ protect the security and integrity of the Virtual Service as well as the associated Virtual Platform;
∙ ensure the technical progress of the Virtual Services’ supporting infrastructure; ∙ promote the use of Virtual Services among Customers and/or Prospects;
∙ ensure compliance with the regulations applicable to the Virtual Platform, where they are not the sole responsibility of third parties.
The Manager of the Virtual Exhibition Center, Virtual Meetings/Missions, or E-Learning Platform is data processor if processing operations are carried out on behalf of the Organizer of Virtual Trade Fairs, Virtual Meetings, or E-Learning Services. Where the Organizer of Virtual Trade Fairs, Virtual Meetings/Missions, or E-learning Services coincides with the Manager, he or she is usually the data controller for all processing operations described above. Where Managers of Virtual Exhibition Centers, Virtual Halls, or E-Learning Platform, on the one hand, and Organizers of Virtual Trade Fairs, Virtual Meetings/Missions, or E-learning Services, on the other hand, both contribute, in differing forms, to the performance of the activity covered by the Virtual Service by jointly determining, in whole or in part, the purpose and means of consequent processing operations, they will enter into a joint controllership agreement that duly reflects their respective roles and responsibilities in the protection of personal data, as well as their relationships vis-à-vis the data subjects, in accordance with the provisions of Article 26 of the GDPR.
Suppliers offering services that involve data processing on behalf of the Organizer of Virtual Trade Fairs, Virtual Meetings/Missions, or E-learning Services or the Manager of the Virtual Exhibition Center, Virtual Meeting Room, or E-learning Platform (Data Controllers) are the data processors for such operations, pursuant to and for the purposes of Article 28 of the GDPR.
Means of Providing Virtual Services
Virtual Services can be provided in two different ways:
a) directly, by ICE Agency and/or an Agency Supplier;
b) by a third-party Partner of ICE Agency (e.g., a fair, export consortium, etc.) or by a Supplier authorized by the Partner.
In case a), ICE Agency acts as data controller, unless it is otherwise agreed between the parties in writing that ICE will assume the role of data processor on behalf of a third-party controller (particularly when data subjects’ personal, contact, and economic information originally comes from a database belonging to an affiliated third-party partner).
In case b), ICE Agency assumes the role of data processor on behalf of the third-party Partner, unless it is otherwise agreed in writing between the parties that ICE Agency will assume the role of joint controller (particularly when data subjects’ personal, contact, and economic information originally comes from a database belonging to an affiliated third-party partner who intends to act jointly with ICE Agency in making certain decisions regarding the purpose and/or means of processing the relevant personal data).
In the case of joint controllership, ICE Agency and the affiliated third-party Partner formalize the terms and conditions of the arrangement in a specific agreement and provide data subjects with a summary thereof.
Your personal data may be processed using paper and electronic means and cloud services, for purposes strictly related to the purposes stated above, in compliance with the rights and safeguards provided for by the General Data Protection Regulation (EU) 2016/679 (GDPR).
In particular, ICE Agency processes personal data in compliance with the provisions of the GDPR, holding all processing operations to the principles of lawfulness, fairness, and transparency, purpose limitation, and data minimization in relation to the purpose for which data is collected and subsequently processed, for explicit and legitimate purposes.
Data processing is carried out by suitably qualified Agency personnel who act as personnel authorized to process the data, or by any persons authorized for occasional maintenance of the systems, applications, and data necessary for Virtual Services.
Assumptions of lawfulness of processing for the purposes of marketing and legitimate interests pursued by third parties
The data subjects’ personal information is processed by ICE Agency’s Partners for marketing purposes (e.g., by Organizers of Trade Fairs, Virtual Meetings/Missions, or E learning Services and by Managers of Exhibition Centers, Virtual Meeting Rooms, or the E learning Platform, in their respective capacities as Controllers) on the basis of the data subjects’ consent, pursuant to Article 6(1)(a) of the GDPR, or on the basis of the legitimate interest of ICE Agency’s third-party Partners as independent data controllers, deemed from time to time to override the data subjects’ right to privacy.
Data subjects are however protected by the ability to exercise their right to object to ICE Agency’s Partners pursuant to Article 21(2) of the GDPR, which allows them to object at any time to the processing of their personal data for marketing purposes, including any profiling of data that is connected to such direct marketing, that is, to withdraw consent as per Article
7(3) of the Regulation.
How long will you keep my data?
a) Data retention periods for institutional purposes
Personal data and related metadata will be kept for a period of time not exceeding what is necessary to achieve the respective purposes, according to the time limits provided for by the applicable legislation on the subject (e.g., Articles 43–44 of the Italian Digital Administration Code (Codice dell’amministrazione digitale, CAD), Legislative Decree no. 82,
dated 7 March 2005, as amended by Legislative Decree 217/2017; the Agency for Digital Italy (AgID) Guidelines of December 2015 on the retention of electronic documents; Technical rules for the formation, transmission, copying, duplication, reproduction, and timestamping of electronic documents, as well as the formation and retention of PA electronic documents pursuant to Articles 20, 22, 23-bis, 23-ter, 40(1), 41, and 71(1) of the CAD).
Data may be kept for longer periods (including long-term or indefinitely) than those indicated above when processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to the implementation of appropriate technical and organizational measures required by this regulation in order to safeguard the rights and freedoms of the data subject.
b) Data retention periods for marketing and market analysis purposes
The data retention period for the purposes of marketing and profiling or market analysis of data subjects (Visitors, Exhibitors, Third-Party Organizers, and Prospects) by third-party Partners should they process the data in the capacity as independent data controllers is finite, taking into consideration the specificities of Trade Fair Activities which entail holding Trade Fairs on an annual, biennial, triennial, or four-year basis. For these reasons and considering the technical requirements of data management, the retention period is ten
years (proportionate to the purpose of providing information on subsequent editions to the above-mentioned parties who have expressed interest in the Virtual Trade Fair by registering for and/or participating in a previous edition and/or by requesting information or contact).
c) Notice and consent logs
ICE Agency keeps records of logs relating to i) the reading of ICE’s online privacy notices and the online actions (e.g., clicks, flags, and the like) through which Virtual Service users communicate to the Virtual Platform or with ICE Agency’s third-party Partners through the Platform (e.g., the data subject can give consent with a click where such third-party Partners are required by the current legislation to obtain consent) for an indefinite period of time, without prejudice to any differing terms of retention independently applied by ICE Agency’s third-party Partners.
d) Logs of electronic monitoring activities (cybersecurity, proper functioning)
ICE Agency provides its cyber security monitoring service for the purpose of protecting, inter alia, Exhibitors, Suppliers, and Visitors during Virtual Trade Fairs or Virtual Meetings. The retention period ranges from a minimum of 90 days to a maximum of 180 days from the date of collection.
In the event of a dispute between you and ICE or our third-party suppliers, we will process data for the time necessary to exercise the protection of our rights or those of third-party suppliers and that is, as a rule, until the issuance and full execution of a provision constituting a final decision between the parties or a dispute settlement.
Will you share my data with other parties?
Data relating to Virtual Services is not intended for third parties nor is it subject to communication or dissemination, unless otherwise provided for by legal or regulatory provisions or other applicable legislation.
In carrying out our Public Administration activities, ICE may communicate your data to parties that perform inspection activities or to public bodies or administrations, including tax authorities, as well as to parties legally entitled to such information, Italian and foreign judicial authorities, and other public authorities (e.g., the Italian National Anti-Corruption Authority, the Guardia di Finanza), for the purposes of fulfilling obligations established by law, regulations, or other applicable legislation, or fulfilling obligations arising from the contractual relationship with the data subject, including the need for defense in court.
To the extent necessary for pursuing the aforementioned purposes or implementing pre contractual measures, data will be disclosed to third parties, including suppliers, partners (e.g., trade fairs, trade associations), consultants and professional firms (e.g., chartered accountants, lawyers), other customers who subscribe to Virtual Services, which collectively involve more customers, business networks, industrial districts, consortia, and inspection bodies (e.g., auditors, statutory auditors, Supervisory Board).
For the purposes of ICE’s corporate communication (e.g., marketing activities connected to individual Virtual Events), data may be disclosed to: companies in charge of marketing analysis, advertising, communications, and/or public relations agencies, the electronic and physical publishing companies that print our advertising and promotional materials, website and blog hosting providers, digital marketing agencies, parties responsible for designing and/or maintaining promotional materials, managed IT system service providers, websites and databases used to organize and manage Events, and photography agencies.
For the purpose of maintaining the Virtual Platform and its associated technical services, data may be disclosed to third-party hosting and maintenance service providers.
A complete, up-to-date list of parties who process data in the capacity of Data Processors is available upon request, which can be made by emailing email@example.com.
As part of the services called ‘Virtual Fairs’ or ‘Virtual B2B Meetings’, ICE can disclose your data.
Will you transfer data to non-EU countries?
Personal data collected in the CDB (e.g., data concerning Exhibitors, natural persons, Exhibitors’ employees or collaborators, or the Organizer of Virtual Trade Fairs and/or Virtual Meetings or E-learning Services) may be transferred by the Organizer of Virtual Trade Fairs and/or Virtual Meetings or E-learning Services to non-EU countries in which one of the following is based: (i) the ICE offices1; and/or, (ii) ICE Suppliers and/or Partners; or, ( iii) the Managers or Organizers of Virtual Trade Fairs, Virtual Meetings, or E-learning Services, or the respective suppliers of such parties other than ICE.
This transfer by ICE or the Trade Fair Organizer takes place in accordance with the provisions of Chapter V in the RGPD and that is on the basis of EU Commission adequacy decisions pursuant to Article 45 of the GDPR, or in full compliance with the appropriate safeguards and provisions set out in Articles 46, 47, and 49 of the Regulation.
The aforementioned safeguards are usually constituted, where reasonably possible, by the third-party data importer’s prior drafting of a contractual agreement with ICE in which the data importer undertakes to respect privacy obligations for the contracted data processing which are substantially equivalent to those provided for by the GDPR and upheld by ICE (through the use of standard contractual clauses in accordance with the text adopted by the EU Commission without prejudice to any possible integrations and amendments, which were more favorable for the data subject).
Should drafting such a transfer agreement with the data importer prove impossible or excessively burdensome, transferring data to the non-EU country may be considered lawful on the basis of any one of the following reasons: i) it is necessary for the performance of a contract concluded between the data subject, on the one hand, and ICE Agency or a ‘Third
Party Organizer’, on the other hand, or for the implementation of pre-contractual measures adopted at the data subject’s request; ii) it is necessary for the conclusion or execution of a contract between the data controller or joint controller and another natural or legal person in favor of the data subject (this other natural or legal person is one of our branches or Partners based in a non-EU country).
As an alternative to such derogation, we reserve the right to ask you for specific consent to transfer your data to the non-EU country, which would in this case constitute the lawful basis for the data transfer.
ICE’s videoconferencing and/or video collaboration services use SaaS-IaaS features that are mainly provided by ICE’s third-party suppliers based outside the EU. In addition, ICE uses cloud-based database and productivity services provided by third-party suppliers based outside the EU.
In the event that any data is transferred to suppliers with HQ or datacenter in the U.S.A., the US supplier will be subject to the regulations issued by the US Federal Trade Commission. In some cases, the US supplier may be obliged to communicate personal data at the lawful request of any public authorities, also to meet any national security or law enforcement requirements. In the light of the US regulations, which the EU Court of Justice refers to in the Schrmes II ruling of 16 July 2020, ICE AGENCY may not theoretically and absolutely exclude the risk that the US public authorities access such data on special, occasional situations connected to national security purposes (i.e. for anti-terror purposes). However, if the following applies:
i) limited scope of the service provided by ICE Agency (exporter) to the benefit of the data subjects, whose data is processed by the importer (the US supplier), and of the related data processing consequences,
ii) limited types of processed personal data and limited categories of data subjects, who data refer to (exhibitors, virtual trade-fair visitors, other Virtual Service attendants), the risk that the US public authorities may concretely access the data (which the importer may not report to the exporter based on the local national regulations) appears objectively negligible.
Therefore, with the exception of the single case of an access by the US public authorities in the special, limited situations above – which is exceptional by nature and thus quite improbable – the Data Controller believes that the standard contractual clauses applied in the relationship between the parties reasonably guarantee the protection of the data subjects’ rights in a way that is substantially identical to that provided for by the GDPR.
ICE Agency, thus, does not currently believe it necessary to agree any additional provisions with the importer (this possibility being envisaged in the ruling by the EU Court of Justice above). Future additional measures may be adopted in view of the indications provided by the EDPB.
Each and every non-EU supplier of ICE Agency is a data processor concerning the data that the same receives, and later transfers it to a third party acting as agent on the latter’s behalf.
If the first transfer of personal data from the EU to the U.S.A. is made by ICE Agency as the first data processor (and hence on behalf of third-party independent controllers or joint controllers), the supplier is a sub-processor of such data.
Is data processed for profiling purposes?
Some of the information on the data subjects in the databases used by ICE as controller or joint controller in managing Virtual Services may be processed for the purposes of limited market analysis. For the purposes of the GDPR, profiling is relevant only if it concerns natural persons (including individual owners of sole proprietorships and partnerships, shareholders and directors of partnerships, and internal contact persons for companies, associations, organizations, and other collective bodies other than partnerships). In particular, the data processed for this profiling purpose includes, for example: the type of goods and services offered by the Operator using Virtual Services, the Operator’s ATECO code, contact language, target countries of their business activities, countries in which the Operator is present, and goods and services of interest to the Operator.
Profiling allows us, in particular, to avoid sending you promotional communications that are not likely to be relevant to your expectations and needs or through unwanted channels.
The restricted nature of this profiling does not preclude specific advantages or the possibility of freely exercising your privacy rights, nor does it have particular legal effects; in particular, it does not in any way affect your ability to participate in Events and/or use our Virtual Services (e.g., online pre-registration, purchase of services).
Considering the limited data set used for the purposes of such analysis, profiling finds its lawful basis in ICE Agency’s institutional obligation to have some basic information to guide/focus promotional communications and service or product offers from ICE and/or ICE’s affiliated third-party Partners on whose behalf ICE sometimes carries out marketing activities to develop the trade of its product and/or service abroad, as established by the legal reference standards cited in the paragraph ‘Purpose and lawful basis’.
How do you handle personal data breaches?
ICE Agency implements appropriate technical and organizational measures to promptly detect any personal data breaches and, if necessary, notify the competent authorities and inform the data subject in accordance with the provisions of Articles 33 and 34 of the GDPR. ICE keeps one or more logs of the security events related to the functioning of Virtual Services on its internal systems and/or those of its assignors. ICE records incidents and personal data breaches together with the details of the event and the subsequent mitigation and recovery actions taken. In the event of incidents that seriously impact the security of Virtual Services, these logs can be shared with third-party partners affiliated with ICE and/or with the Operators using Virtual Services, based on the data breach procedure adopted by ICE and in compliance with up-to-date written agreements with the aforementioned third parties.
What are my rights?
The data subject may at any time exercise his or her rights and, in particular, request access to personal information and ask that it be corrected or limited, updated if incomplete or incorrect, or erased if collected in violation of the law, as well as object to its processing, subject to the existence of legitimate reasons on the part of the Data Controller. The data
subject also has the right to portability, i.e., to receive – or have a third-party controller receive – the personal information provided by the data subject to the Controller in a structured, commonly used, and machine-readable format. For a more complete description of your rights, see this link.
It is possible to contact the Data Controller or the Data Protection Officer for this purpose. Any further information may be requested at the following email address: firstname.lastname@example.org.
Lastly, we inform you of the possibility of lodging a complaint with the Italian Supervisory Authority – Data Protection Authority (Garante per la protezione dei dati personali), Piazza Venezia 11, 00187, Rome.
Who responds to requests to exercise rights?
In the event that ICE acts as data processor on behalf of third party data controller affiliated with ICE or a third-party Operator Controller, responding to the data subject’s request to exercise his or her rights will be the sole responsibility of the aforementioned third party. To this end, the third party will indicate their contact details in their privacy notice.
This privacy notice may be supplemented with further information, including the integration of regulatory changes and/or the provisions of the EDPB and the Italian Privacy Authority.