Privacy policy

Foreword

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, also called the General Data Protection Regulation (GDPR), sets out the legal framework for processing personal data. The GDPR upholds the rights and obligations of controllers, processors, data subjects and recipients. We process personal data for the purposes of our business. To properly understand this policy:

  • the “controller” is Com&Co Group;
  • the “processor” is any physical person or legal entity who processes personal data on behalf of Com&Co Group;
  • “data subjects” are customers and/or prospects of the services provided by Com&Co Group on its own behalf or for third parties;
  • “services” are any event organised or sponsored by Com&Co Group, or which Com&Co Group contributes to; any service or product;
  • an “event” is any face-to-face or virtual tradeshow, conference, convention, training workshop, seminar, webinar, etc.;
  • “recipients” are physical persons or legal entities who receive personal data from Com&Co Group. The data recipients can be Com&Co Group employees or external organisations (third-party event organisers, partners, exhibitors, banking institutions, authorities, etc.).

Article 12 of the GDPR requires that data subjects be informed of their rights in a concise, transparent, intelligible and easily accessible form.

 

Purpose

The purpose of this policy is to meet Com&Co Group’s information obligation and formalise the rights and obligations of its customers and prospects regarding personal data processing for all of the services provided by Com&Co Group.

 

Scope

Com&Co Group makes every effort to ensure that data is processed according to clear internal governance. However, this policy only concerns processing for which Com&Co Group is responsible and therefore does not pertain to processing deployed or utilised outside Com&Co Group’s governance rules (stealth IT or shadow IT). Personal data processing can be managed directly by Com&Co Group or by a service provider specifically chosen by Com&Co Group. This policy is separate from any other documents which may apply between Com&Co Group and our customers and prospects.

 

Purpose of processing

Com&Co Group only processes the personal data of our customers and prospects collected by or for our services, or processed in connection with our services, in compliance with the general principles of the GDPR. Com&Co Group mainly processes your data to organise events and provide products and services. Data may be processed for the following purposes:

  • To promote our events and associated events;
  • Sales prospecting;
  • Community management (users, members, customers);
  • To create and manage personal spaces on websites and applications in connection with events;
  • To manage event registration and participation;
  • To manage applications for event participation funds;
  • To manage contributions to the events programme;
  • To manage access and tracking at event venues and in their dedicated spaces;
  • To manage attendance and other certificates, invitation letters;
  • To manage purchases or subscription to other products and services online;
  • Legal declarations to the authorities in countries hosting events or in the home countries of event participants (as required);
  • To improve services and satisfaction surveys;
  • Statistics;
  • To manage rights and claims;
  • To manage requests to disenroll and unsubscribe;
  • To manage payments and debt collection when necessary;
  • To manage and meet user requests on our websites;
  • To personalise our communication via our customer marketing programme in order to carry out marketing and promotional campaigns and gain a better understanding of your needs and wants;
  • To adapt our products and services to better meet your needs;
  • To personalise our sales offering;
  • To inform you of our companies’ special offers and new services;
  • To qualify our prospects and customer database, and segment customers based on web behaviour on our websites;
  • To manage requests to unsubscribe from newsletters, promotions and satisfaction surveys;
  • To manage the right to modify/rectify/erase data or process requests to unsubscribe.

This list is meant to be as exhaustive as possible. Customers and prospects will be informed of any new purpose, alteration or removal of existing processing by an amendment to this policy.

 

Basis for data processing

The processing purposes listed above are based on the following legal requirements:

 

Legal basis Example
Precontractual or contractual implementation including via the general terms and conditions of sale Registration for an event, purchase order, etc.
Legitimate interest CCTV footage is kept for up to one month, etc.
Consent Newsletter, cookie management, contact requests, satisfaction surveys, sales and news communication, etc.

 

Type of data collected

Non-technical data (depending on use)

  • Identity (surname, first name, username, etc.)
  • Contact information (email and/or postal address)
  • Photo
  • Career information (profession, position, specialty, etc.)
  • Banking information, if necessary (e.g. for refunds)
  • Video images (filmed conferences, CCTV footage)

Technical data (depending on use)

  • Identification data (IP)
  • Connection data (including logs)
  • Click data
  • Location data
  • Tracking data (cookies on our websites, access to conference rooms)

 

What are cookies?

Cookies allow to keep, for as long as they last (367 days maximum), information about a user when he/she goes through different pages of a website, or when that user goes back on said website. Only the user emitting cookies can read or modify the information contained in it.

There are different types of cookies:

  • Session cookies, that disappear as soon as you exit a website or browser;
  • Persistent cookies, that remain on your device until their expiration date or until you delete them thanks to your browser’s functionalities.

The installation of certain cookies is subject to your approval. During your first visit on Com&Co Group’s website requiring cookies usage, an information banner will appear at the bottom of the screen, inviting you to give your consent towards our cookies or other trackers usage.

If you do consent, in accordance with the General Data Protection Regulation (GDPR), you can still reconsider your initial choice.

More precisely, here are the cookies we use:

Number Type Name Company What are they for ? Lifespan
1. Third party session cookies _ga Google Inc Internet audience analysis for statistics purposes and to measure traffic, allowing websites and applications’ owners to understand users’ behavior better 13 months
2. Persistent cookies _utma Google Inc This cookie is used to distinguish unique visitors on the website. It is updated for each viewed page. 13 months
3. Statistical and monitoring third party persistent cookies __utmb Google Inc This cookie is used to follow the user’s visit. The usage of this cookie paired with the utmc cookie allows to follow sessions on a given website. 30 minutes
4. Third party session cookies __utmc Google Inc This cookie is complementary to the _utmb cookie to identify if there was a new visit from the current user. Expires at the end of your session
5. Third party session cookies __utmt Google Inc It’s a cookie used as part of the Google Analytics services. Its purpose is to limit the number of requests sent to the server. 10 minutes
6. Statistical and monitoring third party persistent cookies __utmz Google Inc This cookie stores all information useful to the identification of a traffic source. 6 months
7. Preference cookie variable Com&Co Group This cookie allows to save your preferences, in order to automatically re-connect, or simplify your navigation. 13 months

 

How to disable cookies?

There are several options available in order to disable or delete cookies and other trackers.

 

Browser settings

A cookie’s record in your terminal is essentially subservient to your will, which you can express and change anytime, for free, through choices offered by your web browser.

If most web browser use default settings, you have the possibility, if you wish, to choose to systematically accept or reject all cookies, or even pick which particular ones you accept according to their issuers. You can also set your web browser to accept or refuse cookies on a case-by-case basis prior to their installation. Don’t forget to set the entirety of the web browsers you use on different devices (tablets, smartphones, computers, etc.).

Each web browser’s automatic setting about the handling of your cookies and choices about is different. It is described in the “help” menu of your browser, which will let you know how you can modify your decisions regarding cookies.

As an example:

For Internet Explorer™ or Edge™: http://windows.microsoft.com/fr-FR/windows-vista/Block-or-allow-cookies

For Safari™: http://www.apple.com/fr/privacy/use-of-cookies

For Chrome™: http://support.google.com/chrome/bin/answer.py?hl=fr&hlrm=en&answer=95647

For Firefox™: http://support.mozilla.org/fr/kb/Activer%20et%20d%C3%A9sactiver%20les%20cookies.

To fully take advantage of the website’s functionalities, cookies activation is required. If your browser is set up to refuse all cookies, this could prevent you from using some of our services, which Com&Co Group is not responsible for. In order to manage cookies as close to your expectations as possible, we suggest you set your browser by taking into account cookies’ purposes.

 

Publishers’ opposition modules

You can choose to deactivate Google Analytics’ cookies directly by visiting this page: https://tools.google.com/dlpage/gaoptout?hl=fr. For more practical information on cookie management, we suggest you visit the Commission Nationale Informatique et Libertés website: https://www.cnil.fr/en/home

Com&Co Group does not process sensitive data, except when “processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.” [article 9 of GDPR].

 

Data sources
Our (primary or other) customer or prospect data is generally collected directly from our customers and prospects.

  • data provided by the customer in files submitted to Com&Co Group (customer file);
  • business cards;
  • electronic sheets or forms filled out by the customer (attendance sheet, post-conference satisfaction survey);
  • registration or enrolment for our online services (website, social media networks, etc.);
  • registration for events organised by Com&Co Group;

Data can also be collected indirectly through third parties:

  • via event organisers (membership, prospects, participants, website user listings, etc.)
  • via Com&Co Group partners and suppliers involved in organising and hosting events;
  • via the employers of data subjects;
  • via sponsorship actions
  • via companies specialised in selling or leasing databases;
  • web session statistics via Google Analytics;
  • lists communicated by organisers of events or conferences in which we participate;

In this case, Com&Co Group will ensure that third parties, organisations or legal entities comply with the GDPR and that data subjects are informed of our personal data protection policy.

 

Data recipients – authorization & tracking

Data collected by Com&Co Group may be shared in whole or in part, depending on the purpose.
Internal recipients

  • authorised staff from the marketing, communication, sales, customer service and prospecting departments, administrative departments, logistics and IT departments and their line management;
  • authorised staff from departments responsible for internal control procedures.

The recipients of customer and prospect personal data at Com&Co Group are required to respect data confidentiality. Com&Co Group decides who can have access to what data based on an authorisation policy.
External recipients

  • the event organiser;
  • Com&Co Group’s subcontractors;
  • Com&Co Group’s subsidiaries;
  • event exhibitors and partners in some cases (e.g. authorisation to scan badges at stands or during a session);
  • authorities in countries hosting conferences or in the home countries of participants, for legal purposes;
  • agencies, officers of the court and judicial officers, particularly as part of their debt collection duties;
  • authorised external staff responsible for internal control (e.g. statutory auditors).

Com&Co Group is not responsible for losses of any kind resulting from illegal access to personal data. Furthermore, personal data may be communicated to any authority legally entitled to receive it. In this case, Com&Co Group is not responsible for the conditions under which the employees of these authorities access and use the data.

 

Data storage period

Com&Co Group defines the data storage period based on applicable legal and contractual requirements or its needs, and based on the following principles:

 

Processing Data storage period
Data related to customers participating or exhibiting at the event The duration of contractual relationships and the event organised by Com&Co Group, plus 3 years for promotional and prospecting reasons, without prejudice to storage obligations or statutes of limitations
Data related to the website members and users Until they have unsubscribed from the member space and for 1 year after the last session
Data related to prospects 3 years from when Com&Co Group collects their data or the last contact with the prospect
Technical data 1 year
Banking data Data is deleted as soon as the transaction is completed, unless otherwise authorised by the customer. If the transaction is contested, data is archived for 13 months following the debit date
Prevention of money laundering 5 years

 

After expiry of these set periods, data is either erased or stored once it has been anonymised, particularly for statistical purposes. Data may be stored in the event of pre-litigation and litigation. Customers and prospects are advised that data erasure or anonymization is irreversible, and that Com&Co Group will not be able to restore this data.

 

Right of confirmation and right of access

Customers and prospects have the right to ask Com&Co Group for confirmation as to whether or not their data is processed. Customers and prospects also have a right of access, provided the following rules are followed:

  • the request is issued by the person themselves, and is accompanied by a copy of a current piece of ID;
  • the request is made in writing and sent to the following address: Com&Co Group – Data Management – , 15 Bd Grawitz 13016 Marseille, France or to the email address pdo@comnco.com

Customers and prospects have the right to ask Com&Co Group for a copy of their processed personal data. However, if an additional copy is requested, Com&Co Group may require that customers and prospects bear the financial cost. If customers and prospects request a copy of their data via email, the information requested will be provided in standard electronic format, unless requested otherwise. Customers and prospects are also informed that their right of access does not apply to confidential information or data, or data which the law prohibits from being communicated. The right of access must not be exercised abusively, meaning on a regular basis for the sole purpose of disturbing the department in question.

 

Updating and rectification

Com&Co Group meets update requests:

  • automatically for online changes for fields which can be technically or legally updated;
  • on written request of the data subject, with proof of identity.

 

Right to erasure

The right to erasure of customers and prospects does not apply if data is processed to comply with legal obligations. Apart from this, customers and prospects may request that their data be erased within the following restrictive cases:

  • if personal data is no longer required for the purposes for which it was collected or otherwise processed;
  • if the data subject withdraws consent to the original purpose for processing and there is no other justified reason for processing;
  • if the data subject is opposed to Com&Co Group processing their data for legitimate purposes and there is no legitimate urgent reason for processing;
  • if the data subject is opposed to their personal data being processed for prospecting and profiling purposes;
  • if personal data was illegally processed.

In accordance with legislation on personal data protection, customers and prospects are advised that this is an individual right that can only be exercised by the data subject for their own data. For security reasons, the relevant department must therefore verify your identity to prevent your confidential information from being communicated to someone other than yourself.

 

Right to restriction

Customers and prospects are advised that this right is meant to be exercised if data is legally processed by Com&Co Group and if all the personal data collected is required for the performance of the sales agreement.

 

Right to data portability

Com&Co Group allows for data portability in the particular case of data communicated by the customers or prospects themselves, for online services provided by Com&Co Group itself and for purposes needing the sole consent of data subjects. In this case, data will be communicated in a standard structured machine-readable format.

 

Post-mortem right

Customers and prospects are advised that they have the right to give instructions on the storage, erasure and communication of their data after death. To exercise their rights and communicate specific post-mortem instructions, they must write to pdo@comnco.com or by post to Com&Co Group – Data Management, 15 Bd Grawitz, 13016 Marseille, France and include a signed copy of a piece of ID.

 

Optional or mandatory information

All forms used to collect personal data use asterisks to inform customers and prospects whether information is mandatory or optional. If answers are mandatory, Com&Co Group explains the consequences of not providing an answer to customers and prospects.

 

Right of use

Customers and prospects grant Com&Co Group the right to use and process their personal data for the purposes stated above. However, Com&Co Group maintains ownership of enriched data produced from Com&Co Group processing and analysis (usage analysis, statistics, etc.).

 

Subcontracting

Com&Co Group advises its customers and prospects that it may use any subcontractor of its choice to process their personal data. In this case, Com&Co Group will ensure that the subcontractor complies with its GDPR obligations. Com&Co Group will sign a written agreement with all its subcontractors and require that they comply with the same data protection obligations as Com&Co Group. Com&Co Group also reserves the right to audit its subcontractors in order to ensure that they comply with the GDPR.

 

Security

Com&Co Group is responsible for defining and implementing physical or logical security technical measures that it deems appropriate to prevent the unauthorised accidental or illegal destruction, loss, alteration or disclosure of data. These measures mainly include:

  • data access control;
  • use of an encryption protocol such as SSL for transferring data between user devices and the company’s servers.
  • data hosting in data centres located in France with maximum security.
  • access to infrastructure via VPN – only certain preselected people are authorised to create a tunnel
  • Regular and systematic application of security patches on infrastructure components.

Com&Co Group may hire any third party of its choice to do this. If all or part of personal data processing is subcontracted, Com&Co Group will contractually require that its subcontractors provide security guarantees through technical data protection measures and suitable human resources.

 

Data breaches

In the event of a personal data breach, Com&Co Group will notify the CNIL as required by the GDPR. If the breach entails a high risk for customers and prospects, and their data was not protected, Com&Co Group will:

  • notify the affected customers and prospects;
  • communicate all necessary information and recommendations to the affected customers and prospects

 

Processing record

As the controller, Com&Co Group will keep an updated record of all processing activities. This record is a document or application detailing all processing carried out by Com&Co Group as the controller. At first request, Com&Co Group will provide the supervisory authority with information enabling the authority to verify that processing complies with IT regulations and civil liberties in force.

 

Right to submit a complaint to the CNIL

Customers and prospects whose personal data is processed are advised of their right to submit a complaint to the supervisory authority, which is the CNIL in France, if they feel that their personal data is not being processed in compliance with European regulations on data protection, by writing to the following address: CNIL – Service des plaintes 3 Place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07, FRANCE Tel: +33(0)1 53 73 22 22

 

Changes

This policy may be changed or amended at any time in the event of changes to legislation, case law, CNIL decisions and recommendation or uses. Customers and prospects will be informed of any new versions of this policy by any means chosen by Com&Co Group, including electronically (e.g. via email or online).

 

Applicable law

These Terms of Use are governed by French Law.  Any disputes relating to the interpretation and performance of these terms will be brought before the competent French courts.

 

Information technology and civil liberties

In accordance with French Act no. 78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties, you have the right to access and rectify your personal data. You may receive information about our business. If you do not wish to receive information, please contact us and include the name of your business, your name and address. You can also do this to stop receiving sales offers.

 

Find out more…

For more information, please contact pdo@comnco.com. For more general information on personal data protection, please consult the CNIL website at www.cnil.fr