Personal data processing

Definitions
In the Terms and Conditions of Use (TCU), the terms and expressions identified by a capital letter have the following meaning, whether they are used in the singular or plural.

“Events”: refers to any gathering with a professional purpose (conferences, evenings, forums, symposia, conventions, trade shows, etc.) organized by the Organizer and in which guests participate;

“Guest”: refers to any person invited by the Organizer to register and participate in the Event using the Service;

“Organizer”: refers to the legal entity organizing the event which invites guests using the Service;

“Service”: refers to the online software of EVENTMAKER SAS and associated Apps;

“Data”: refers to the personal data of the guests collected online, transferred by client to the EVENTMAKER SAS software thanks to automated means of importation or using the API;

“API”: refers to the machine-to-machine programming interface offered by EVENTMAKER to use its software and documented on http://developers.eventmaker.io/;

“Presentation”: refers to the overall service ordered by the Organizer to EVENTMAKER and covered by the TCU;

“Processing”: the overall collection and usage process of the guests’ personal data on the EVENTMAKER platform for the organization of the event by the organizer. For information purposes, here is the list:
- To invite “guests”
  - Importation of invitation lists
  - Sending of invitation emails
- To register “guests”
  - Registration forms
  - Importation of the attendance list
  - Registration via API
  - To collect online payments
- To confirm “guests”
  - To send confirmation of registration emails
  - To publish confirmation of registration documents
  - To publish accreditation documents (badges) with identification codes
- To control “guests”
  - To scan the guests’ identification codes for identification purposes
  - To verify access authorizations
- To notify the organizer
  - For every guest registration
  - For every guest passage
- To publish the personal data of the guests
  - To publish on the event website the data of the guests
  - To open user areas for guests
  - To modify the published data
- To make guests participate
  - To save and publish the comments of the guests
  - To save and publish the votes of the guests
  - To save and publish online the pictures of the guests
- To discuss with guests
  - To collect the messages of the DoYouBot chatbot
  - To respond to messages
  - To store messages


Information about data processing

a) Respect of French and European principles on personal data protection
The Parties agree to collect and process personal data in compliance with the regulations currently in force regarding data processing, in particular the modified version of Law No 78-17 of 6 January 1978.

In accordance with such law, the Organizer is responsible for the Data Processing undertaken within the framework of the contract.

b) Existence of a system to report security breaches and complaints
The Provider shall communicate with the Client in case of security breaches having direct or indirect consequences for Data Processing. Furthermore, the Provider ought to report to the Client any complaint filed by any person concerned about data processing undertaken within the framework of the contract. If a security breach is discovered or a complaint is filed, the Provider must inform the Client as soon as possible and within a maximum of 48 hours.

c) Data Processing Means
In order to follow the terms of the contract, the Provider will process data using the following means of processing:
• The online software Eventmaker.io (invitation, registration, badges, access control)
• The online software Voxevent (publishing, personal spaces, the participation of guests)
• The online software invitations (partnership invitations)
• The online software doyoubot

The different software products are web apps developed in Ruby on Rails with MongoDB databases:
• Eventmaker Checkin iOS App (attendance list and access control)
• MobilNetwork iOS and Android App (contact management for partners)

d) Outsourcing
Subject to the Client’s acceptance, the Provider shall inform the Client of the outsourcing of the Contract execution to the following subcontractors:
• Amazon Web Services (Infrastructure as a Service, cloud)
• Mailjet (emailing)
• Zoho (invoicing, CRM)
• Ingenico (payment)
• Stripe (payment)
• Twilio (SMS)
• Intercom (Live Chat)
• Esendex (SMS)

The Provider remains solely responsible to the Client for the execution of the contractual obligations resulting from this document.

e) Existence of simple procedures to allow the respect of the rights on personal data protection
The Provider ought to cooperate with the Client to help him meet his legal obligations on personal data protection in order to respect the rights of people in compliance with articles 38 to 43 of the modified Law No 78-17 of 6 January 1978.

Safeguards and guarantees implemented by the provider

a) The duration of data retention is limited and reasonable in respect of the purpose for which they have been collected
The Provider gives the Client the possibility to delete, at all times, the data stored on its interface.
The Provider shall not retain data more than 30 months after the end of the event, or sooner if the Organizer requests so.

b) Data destruction and data recovery
At all times during the period of the contract and for a duration of 3 months following the termination of the contract, the Provider gives the Organizer the possibility to collect its data using the API and export formats available in the EVENTMAKER software.

c) Duty of cooperation with competent data protection authorities
The Parties shall cooperate with data protection legal bodies, especially in case of control where information requests can be addressed to them.

d) Audits
The Client is entitled to carry out any verification he deems useful to assess the Provider’s compliance with its contractual obligations, including by conducting an audit. The Provider ought to respond to the Client’s audit questions, whether asked by the Client himself or by a third party. The third party shall be selected by the Client himself, who acknowledges his independence from the Provider and his adequate qualification. Thus, the third party shall be free to provide the Client with the details of his remarks and the conclusion of his audit. The audit shall allow an analysis of the said Contract and of compliance with the Law on Computing and Liberties, especially by verifying the overall security measures implemented by the Provider; by verifying the logs for data location, copy, and deletion; by verifying measures implemented for data deletion to prevent illegal data transmission to unauthorized jurisdictions or to prevent data transmission to a country which was not authorized by the Client. The audit shall verify that the confidentiality and security measures that are implemented cannot be bypassed without being detected and notified.

The amount of time spent by the Provider on monitoring the audit will be counted by Eventmaker and charged to the Organizer at 800€ a day excl. taxes.

Location and transfers

a) Recipients
The Provider shall give the Client all useful information on Data recipients so that he can inform those concerned by data processing and answer their access requests in compliance with articles 32 and 39 of the modified version of Law No 78-17 of 6 January 1978.

b) Clear and comprehensive indications of countries hosting the Provider’s servers
The Provider shall inform the Client that their data will be hosted on servers located in the following countries:
Ireland.

Formalities with the CNIL

The Client shall fulfill the declarative formalities about data Processing with the competent authorities in charge of data protection. The Provider shall give any useful information to proceed with these formalities.

Security and confidentiality

a) Indications on the Provider’s obligations regarding data safety and indication that he can only act upon the Client’s request
Within the framework of the Contract, the Provider will act solely on the Client’s request. Thus, the Provider shall not use Data for his personal benefit or for the benefit of a third person. In compliance with article 34 of the modified version of the Law on Computing and Liberties, the Provider shall take any necessary measures to ensure data security, especially to protect them against any illegal or accidental destruction; accidental loss, alteration, dissemination, or unauthorized access, especially when the processing entails data transmission in a network; and against any other form of illegal processing or communication to unauthorized persons.

b) Security policy and measures
The Provider supplies the Client with the security policy on information systems that he implemented. The Provider also informs the Client on the evolution of his security policy. The Provider supplies the Client with all the data security-related documents, especially the technical documentation and the detailed list of implemented security measures. The computing media along with other documents supplied by the Provider to the Client remain the Client’s property. Data contained in those media and documents lie under the principle of professional confidentiality (article 226-13 Criminal Code) along with all the data the Provider is aware of due to the execution of the Contract. The Provider and his staff shall respect the following obligations:
• Do not make any copies of documents or information supports in its possession except those necessary for the execution of the contractual service conditioned to the preliminary consent of the Client;
• Do not use documents or information supports for other purposes than those defined in the contract;
• Do not share these documents or information supports with other persons, whether they are private or public, natural or legal persons;
• Take any necessary measures to avoid any misuse or illegal use of computing files during the validity period of the contract.