With this document, the publisher Blue Financial Communication S.p.A. (hereinafter also referred to as "BFC" or "Organizer") provides you with information regarding the processing of your personal data in relation to the event “Artificial Intelligence & The Ethics Mandate” (hereinafter also referred to as "Event"), partnerd by SAS Institute Inc. (hereinafter also referred to as the “Partner”), according to privacy law (in particular EU Regulation 2016/679, the "General Data Protection Regulation" - hereinafter referred to as "GDPR", as per English acronym), pursuant to Article 13 of the GDPR.
The "Personal data processing" is, in simple terms, any operation concerning any "information relating to an identified or identifiable natural person". For example, your first and last name, or an email address with a "user name" that identifies you (e.g. mariorossi@....), is considered "personal data". "Processing" operations include actions such as collecting, registering and using personal data to send you a communication, as well communication of such personal data to other organisations and archiving.
We, as Organizer, are also referred to as a "data controller" because we determine how and for what purposes we process information about natural persons; persons under our direct authority (e.g. our employees) must comply with the privacy laws.
You, as the "natural person to whom the personal data relates", are defined as a "data subject", and are entitled to receive the following information about who we are, what personal data we process, why, how and for how long we process it, and what obligations and rights you have in this respect.
Who are we?
Blue Financial Communication S.p.A., with registered office and operational headquarters at Via Melchiorre Gioia 55, 20124 Milan (MI) - Tax Code and VAT no. 11673170152 (hereinafter also referred to as "Organizer" or "data controller")
Why do we process personal data (purpose), what is the basis of the processing (legal basis) and what is the data retention period?
Purpose 1: To fulfil your request concerning the Event.
Legal basis: the need to fulfil pre-contractual measures taken at your request (the need to handle your request regarding the Event).
Retention period: two years from the last contact.
Purpose 2: To enable you to participate in the Event and to send you information about it.
Legal basis: the need to perform the contract entered into with you (the participation in the Event).
Retention period: two years following the Event, unless applicable laws require us to retain them for a longer period (or allows us to do so to protect our rights and/or legitimate interests).
Purpose 3: The Organiser's direct marketing (for the purposes of sending advertising material, commercial communications, direct sales and carrying out market research).
Legal basis: the Organiser's legitimate interest in carrying out marketing activities with a qualified contact (you as a participant to the Event).
Retention period: until you object to the processing for reasons related to your particular situation.
Purpose 4: share your contact information (e-mail address) with SAS Institute Inc. and its affiliates to allow them to inform you about SAS’ products and services.
Legal basis: your explicit consent, freely given and subject to withdrawal at any time (by clicking the opt-out link in the emails or by contacting SAS directly).
Retention period: until the Partner objects to the processing for reasons related to its particular situation.
Purpose 5: to comply with obligations under applicable laws(e.g. accounting and tax, security, etc.) and/or to execute orders issued by Authorities.
Legal basis: need to fulfil legal obligations to which the data controller is subject.
Retention period: ten years from the Event, unless the law requires us to store the data for a longer period (or allows us to do so to protect our rights).
Purpose 6: to ascertain, exercise and/or defend a right.
Legal basis: need to pursue this purpose before courts of law or alternative dispute resolution bodies.
Retention period: not determinable.
To whom do we disclose the data (categories of recipients)?
To the minimum extent necessary to achieve each of the purposes, on one of the legitimate grounds described above and on the basis of applicable legislation and/or a contractual agreement with the data controller, we will or may disclose data to:
SAS Institute Inc. and its affiliates, which will process your data in accordance to SAS Privacy Statement;
organizations necessary for the execution of activities connected with and consequent to the realisation of the Event (e.g. providers of IT services, such Star Chestnut s.r.l. with "Virtual Event Solution” https://www.starchestnut.com/virtual-event-solution), who act as data processors duly appointed by the Organizer;
subjects authorised by us, committed to confidentiality or recipients of a legal obligation to confidentiality;
public organisations and Authorities, if and to the extent that this is required by applicable law or by their orders, or for the exercise, verification and/or defence of a right in a court of law.
The data controller may disseminate the images (still and/or moving) and any voice recordings by any means (in print, by cable, over the air, via the web, via social networks, etc.: e.g. YouTube, Vimeo, Facebook, LinkedIn, BFC websites). In the event of the data subject exercising his/her right to rectification, erasure or restriction of processing, the data controller will, as far as possible and where this does not entail a disproportionate effort, inform the recipients of this fact.
Further dissemination of data may be requested, in accordance with the law, by authorities or other public entities for purposes of defence or State security or prevention, detection or repression of crimes, or by press organisations for information purposes.
Do we transfer personal data outside the European Union?
This may be the case, in particular, depending on the platform used to collect registrations for the Event or to manage its online operation, or for ancillary activities (e.g. sending communications).
In any case, we ensure that the transfer of personal data outside the European Union takes place only to countries that guarantee an adequate level of protection, for which there is an adequacy decision by the European Commission, or on the basis of one of the other guarantees provided for in Chapter V of the GDPR.
Are you obliged to provide us with personal data?
For purposes 1, 2, and 5, you must provide the data because they are necessary for the performance of the contract or of a legal obligation.
For purpose n. 3 you cannot refuse to provide the data, but you can object to processing directly to the Organizer.
For purpose n. 4 you are absolutely not obliged to consent to the processing.
You may not object to processing for purpose no. 6 (establishment, exercise or defence of a right).
What happens if you do not provide us with your data?
If your refusal relates to purposes set out in nn. 1 and 2, we will not be able to comply with your requests concerning the Event, nor will we be able to process your application to participate in the Event.
You may not refuse to provide us with data for the purposes set out in n. 3 (unless you exercise your right to object to the Organiser). In the case of MailChimp, if you do not wish to make it known that you have clicked on the links in the Organiser's e-mails, you must copy the links and open them directly in your browser.
There is no consequence if you do not consent to the processing for purpose n. 4.
Finally, you cannot refuse to provide the data for purposes 5 and 6.
What rights do you have?
You have the right to:
access to your data in our possession, and to request a copy thereof, except where the exercise of the right affects the rights and freedoms of other natural persons;
request the rectification of any incomplete or inaccurate data;
request the erasure of data, subject to the exclusions or limitations established by the applicable legislation (e.g. Article 17 § 3 GDPR);
request the restriction of processing, where the conditions are met and subject to the exclusions set out in Article 18 § 2 GDPR;
request the portability of the data (i.e. to receive them in a structured, commonly used and machine-readable format, in order to be able to transmit them to another data controller without hindrance), to the extent that the processing is based on consent or on the need to perform a contract, where technically possible and except where the exercise of the right affects the rights and freedoms of other natural persons;
lodge a complaint with the Italian Data Protection Authority (in Italy, www.garanteprivacy.it), or with the national Data Protection Authority of the EU country in which he/she normally resides or works, or of the place where the alleged infringement occurred.
Right to object
You may object to processing based:
on your consent (purpose n. 4), by not giving consent initially or by withdrawing it in a second time by clicking the opt-out link in the emails or by contacting SAS directly (with the caveat that any subsequent revocation of consent shall not affect the lawfulness of the data processing carried out in the period prior to such revocation);
on the legitimate interest of the Organizer, and specifically for the Purpose n. 3, upon simple request, either initially (by writing to the email address below) or in a second time in each communication;
on the legitimate interest of the Organizer, at any time, for reasons related to your particular situation (e.g. harm to your honour, reputation, decorum), unless the data controller demonstrates a compelling and overriding legitimate interest pursuant to Article 21.1 GDPR, and unless the processing is necessary for the establishment, exercise or defence of legal claims.
The exercise of the above rights may also be delayed, limited or excluded in the cases provided for in Article 2-undecies of Italian Legislative Decree 196/2003.
If you have any doubts or questions about the processing of your data, what can you do?
You can contact us at the following e-mail address: email@example.com.
the Organizer does not knowingly collect personal information about individuals who, according to their national legislation, lack the legal capacity to act for the purpose of entering into contracts. In the event that information about such individuals is recorded, the Organizer will delete it in a timely manner, at the request of the data subject or of the person exercising parental authority over them.