Políticas de Privacidad

SUMMARY

• INTRODUCTION
• CATEGORIES OF INTERESTED PARTIES AND DATA COLLECTION
• GENERAL PRINCIPLES OF THE PROCESSING
• PURPOSE OF THE PROCESSING
• LEGAL BASIS OF THE PROCESSING. MANDATORY OR OPTIONAL PROVISION OF DATA AND CONSEQUENCES OF FAILURE TO PROVIDE DATA
• OWNERSHIP OF THE PROCESSING
• DATA PROTECTION OFFICER
• LEGAL REPRESENTATIVE WITHIN THE EU OF EXTRA-EU COMPANIES
• EXTRA-EU LEGAL REPRESENTATIVE OF EU COMPANIES
• COMMUNICATION AND DISSEMINATION OF DATA
• TRANSFER OF DATA ABROAD
• DURATION OF TREATMENT
• MEANS OF PROCESSING
• SECURITY MEASURES
• RIGHTS OF THE INTERESTED PARTY
• CHANGES TO THE PRIVACY POLICY

INTRODUCTION

This Privacy Policy (hereinafter the "Policy") is provided pursuant to the applicable personal data protection legislation, in relation to the personal data processed by the company ITALIAN EXHIBITION GROUP S.p.A. ("IEG") and/or by the other companies controlled by the same listed in the below table (the "Controlled Companies"), that:

• organize, host, also together with third-party partners, also in favor of third parties, events, exhibitions, conferences/congresses, workshops, webinars and/or business meetings, physical and/or virtual (the "Events"), or
• provide services and products (by way of example but not limited to: catering, set-ups, cleaning and porterage, training, publishing, event services, etc.) (the "Services").

Personal data (the "data") are data consisting of any information that is connected or connectable to i) subjects qualifying as "interested parties" pursuant to EU Regulation 679/2016 ("GDPR") (i.e., natural persons, individual companies and /or partnerships or other organizations with a restricted subjective basis to which the personal data refer) and/or ii) other subjects substantially assimilated to the

Data processing includes, as appropriate, recording, organization, storage and processing operations on paper, magnetic, automated or telematic media, processing, modification, selection, extraction, comparison, use, interconnection between data based on qualitative criteria, quantitative and temporal, recurring or definable from time to time, temporary processing aimed at rapid aggregation or transformation of the data itself, communication, cancellation and destruction of data, or combinations of two or more of the aforementioned operations, based on what is necessary by the purposes referred to below.

CATEGORIES OF INTERESTED PARTIES AND DATA COLLECTION

The data processed concerns the following categories of interested parties, who provide the data for themselves or for the organizations to which they belong:

• customers (i.e., exhibitors, visitors/consumers, buyers, conference attendees, congress participants, event speakers, participants in workshops, webinars and business meetings, buyers of services and products),
• prospects (i.e. subjects who have expressed interest in the Events, Services and/or Products through requests for contact, information or quotes or in any other form, including subscribing to IEG Group newsletters),
• other categories of interested parties (recipients of invitations to attend the Events, for example guests, journalists and representatives of communication bodies, minors over the age of 14, users of the websites and/or apps provided by IEG and/or the Controlled Companies).

Gathering of data happens:

• through the interested party and/or,
• in public and/or private databases, limited to identification, contact, corporate, tax, economic - asset and financial, solvency and business reputation of the data subject,
• through the Controlled Companies, limited to identification, contact, corporate, tax, economic - asset and financial data, and
• at social networking platforms (e.g. LinkedIn, Facebook), limited to identification data (name and surname or name/company name), contact data (city and region of residence and/or headquarters, e-mail address, landline-mobile telephone number), economic and commodity sector to which it belongs and/or of commercial interest.

GENERAL PRINCIPLES OF THE PROCESSING

The data are processed in compliance with the principles of lawfulness, fairness, correctness, transparency, proportionality, necessity, accuracy, completeness and security and other regulatory obligations under the regulations applicable from time to time regarding the processing of personal data.

PURPOSE OF THE PROCESSING

Processing has the following purposes:

1. Protection of the intangible information assets of IEG and/or its Controlled Companies and Operational Continuity and IT security.

2.a) Subscription of newsletter service.

2.b) Satisfaction of pre-contractual needs (e.g. solvency checks and risk and fraud control, processing of requests from the interested party for quotes or other informations, and/or fulfillment of contractual obligations (including, among other things, the planning and technical-organizational management of the Events and/or Services and Products and/or obligations established by a law, by a regulation or by a related community or foreign legislation to the Events and/or Services and Products of IEG (including for example the preparation of the consolidated financial statements of the IEG Group, by the Parent Company IEG) and/or the Controlled (e.g. accounting, tax or administrative obligations).

3. Market surveys, carried out through nominative surveys (provided exclusively by IEG), aimed at detecting perceived performance levels and/or degrees of satisfaction related to Events, Services and Products and the consequent expectations of customers and prospects of IEG and/or its Controlled Companies.

4. Basic profiling carried out by IEG and/or its Controlled Companies. Profiling means automated processing of personal data consisting of the use of such data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning (…) the economic situation, (…) individual preferences, the interests, reliability, behaviour, location (…) of that subject. Profiling is relevant, for privacy purposes, only if it concerns natural persons, i.e. sole proprietorships or partnerships and their partners/administrators, or internal representatives of joint-stock companies, bodies or organizations. Basic profiling uses limited data sets, provided to us by the data subject and collected from the third-party sources indicated above and/or communicated to IEG by the Controlled Companies.

• exhibitors: name and surname, company name of the organization to which they belong, contact details, residence or headquarters, country of origin, website, sector of activity, brand, types of service or product offered by the exhibitor, annual promotional/advertising budget, type of distribution (store, department store, concept store), markets of interest (e.g., countries, type of B2B or B2C customers);
• other buyers of Services and Products: name and surname, company name of the organization to which they belong, contact details, residence or headquarters, country of origin, website, sector of activity, type of Service or Product purchased;
• buyers/visitors: name and surname, company name of the organization to which they belong, contact details, job position and level of responsibility of the contact person, residence or headquarters, country of origin, website, year of foundation of the company, turnover, number of employees, sector of activity, percentage of business connected to Italy and abroad, Italian and foreign regions of interest, main categories of Events, Services or Products of interest to the buyer, main categories of services and/or products marketed by the same (also in percentage terms of sales by area geographical), categories of the organization's customers, purpose of visiting the Event;
• journalists: name and surname, contact details, sector and newspaper to which they belong, country of origin, language;
• event speakers, conference/meeting attendees: name and surname, contact details, sector to which they belong, professionalism/topics covered, language;
• other categories of customers: name and surname, contact details, country of origin, product or economic sector of activity, turnover, number of employees, main categories of services or products of interest and/or marketed by the customer.

5. Advanced profiling carried out exclusively by IEG (NB: This purpose is limited to customers and prospects of IEG and/or its Controlled Companies who are natural persons, sole proprietorships or partnerships and related partners/directors and/or internal representatives of joint-stock companies, bodies or organizations. Same analysis, if however, relating to data of subjects other than the categories mentioned above, the legislation on the protection of personal data does not apply). This purpose presupposes a specific consent from the data subject. Advanced profiling aims to analyze the overall interactions of the interested party with the various entities of the IEG Group (so-called "customer centricity") using and integrating with each other, comparing and reprocessing according to logics relevant to this objective, the categories of data and/or the main criteria described below:

• product or economic sector of activity of the buyer/visitor/exhibitor/congressor or conventioneer or other customer of IEG and/or its Controlled Companies;
• categories of Events, Services and/or Products requested by the interested parties and/or offered to them;
• history of transactions with IEG and/or its Controlled Companies. For example: categories of Events and Services and/or Products purchased or of interest, trend of the relative purchase prices within predefined periods of time, trend of the annual promotional/advertising budget of the Events declared by the interested party;
• levels of perceived performance and degree of satisfaction of the interested party with respect to the Participated Events and Services and/or Products purchased, deduced from:

• nominative surveys provided by IEG to interested parties and referable only to IEG and/or from
• other statistical data reports, also nominative, processed by IEG starting from data relating to participation in Events or the purchase of Services and/or Products, relating to interested parties attributable to the Controlled and shared by IEG with the Controlled Companies, processed to identify common operational marketing strategies, functional to:

• increase, over time, in the level of satisfaction of interested parties with respect to the Events, Services and Products and as well as
• the development of the IEG Group's resulting turnover both at the level of individual Controlled Companies and consolidated;

• trade marginality, referable to the interested party and/or to clusters of interested parties, assessed at Group level (for individual Events, Services and/or Products and/or for aggregations of the same, for example based on product categories, relevant periods of time, price ranges applied, etc.) based on the commercial margins applied to the interested party, by IEG and/or by the Controlled Companies;
• (if the interested party is a customer or prospect) data on browsing behavior on the websites of IEG and/or its Controlled Companies or during the use of the Services and/or Products provided through such websites (e.g. through cookies relating to the pages of the websites that the interested party visits, or to the country from which the interested party connects), interactions with other communication channels (e.g. through cookies relating to pages and profiles on social media networks) and/or with services for sending messages commercial emails (e.g. cookies relating to the successful completion of messages sent, to user reactions to emails through actions such as opening an attachment or accepting a request to link to landing pages or attachments to the message, etc.);

Advanced profiling allows, depending on the case, to send to the interested party only promotional communications relevant to his most probable expectations and needs deduced from the aforementioned analysis, limit the frequency of such messages within predefined periods of time avoiding fatigue, limit the sending of messages from ineffective channels, guarantee the best purchasing experience of Events, Services and/or Products, identify the most effective actions for certain target audiences.

6. Sending by IEG and/or its Controlled Companies (via e-mail, text message, push notifications from apps, instant messaging functions such as WhatsApp and Telegram, telephone calls with an operator, social networks and other automated tools, ordinary mail) of commercial and advertising communications - including newsletters - and offers for the sale of Events and/or Services and/or Products of a similar nature to those previously purchased by the data subject (customer) or to those that have been made the subject of pre-contractual requests or another manifestation of interest by the data subject (prospect), even implicit (e.g., expressed through spontaneous delivery of a business card to IEG and/or to a Controlled Companies (collectively referred to as "soft spam").

In the case of processing by Controlled Companies based in BRAZIL, CHINA and SINGAPORE, the Data Controller may process for the purpose sub 6 the data of the data subject (exclusively visitor of Events of B2C nature) only on the basis of prior specific consent from the data subject.

7. Following, as a rule but not only, the nominative surveys referred to in point 3 and/or the statistical reports referred to in point 5:

Direct marketing actions (i.e. commercial and advertising communications - including newsletter - and/or sales offers of Events and/or Services and/or Products) exclusively by IEG (not also by the Controlled Companies) towards

• i) lead (i.e. interested parties who have never purchased Events, Services or Products)
• ii) customers and prospects of IEG and/or of the Controlled Companies if the Direct marketing concerns Events, Services and Products of a nature not similar to those already purchased or of expressed interest of the same, or however,
• iii) towards customers and prospects of the Controlled Companies whose data are transferred to IEG by them.

This purpose presupposes a specific consent from the data subject.

8. Transfer of data to

a) from IEG to partner companies or to third-party subjects of IEG and/or its Controlled Companies (e.g. Event organizers, exhibitors, other operators active in the Events or Services/Products), for their autonomous direct marketing actions relating to their respective services/products.

This purpose presupposes specific consent from the data subject.

b) from IEG to social network platforms for the purpose of determining - starting from the analysis of the data subject's social profile(s) - new groups of leads (i.e. potential other customers) with a profile similar to those communicated by IEG, and subsequent direct marketing actions aimed at such new groups of leads (so-called "lookalike" services) by social network platforms.

This purpose presupposes specific consent from the data subject, in favour of IEG.

9. Online and physical security management, especially to protect IEG and Controlled Companies, participants in Events and Services, IEG Group websites and apps from fraud, theft, misappropriation, damage or other violations of law, ascertain related liabilities and protect the related rights of IEG and/or its Controlled Companies.

10. Management of other organizational and production activities of IEG and/or its Controlled Companies:

• management of the quality system adopted by IEG and/or its Controlled Companies, improvement of the quality of Events, services and Products,
• management control,
• management of access (e.g., through spontaneous registration by the user) to the websites of IEG and/or its Controlled Companies and to contents and/or the services accessible from them (if such activities are not already due by contract),
• management of VIPs data (e.g. for the application of facilitated access conditions to Events),
• production, printing and dissemination of print and/or web-based editorial materials,
• management of accreditation and participation in the Events and/or Services of communication bodies, media and representatives of journalistic and communication services,
• extra-contractual management of the participation of interested parties in thematic initiatives of an extraordinary and/or temporary nature, collateral to the Events,
• management of video surveillance at Event venues.

Specific additional purposes related to individual processing may be identified in detail through supplementary disclosures by Data Controllers.

11. Credit data management by the Controlled Company IEG Events Arabia LLC: the processing concerns data related to an individual's economic - financial situation, data on repayment capacity, data concerning past transactions and behavior related to payments and debts.

This purpose presupposes specific consent from the data subject.

LEGAL BASIS OF THE PROCESSING. MANDATORY OR OPTIONAL PROVISION OF DATA AND CONSEQUENCES OF FAILURE TO PROVIDE DATA

The legal bases of the processing are as follows:

• In relation to the purposes sub 1 (protection of intangible information assets and Business Continuity and Information Security): the legitimate interest of IEG and/or the Controlled Companies in adequate protection, managed centrally at IEG and/or decentralized also at the Controlled Companies, of the intangible information assets of IEG and the Controlled Companies and related operational continuity and IT security.
• In relation to the purposes sub 2a (newsletter service): the legitimate interest of IEG and/or Controlled Companies to remain in business contact with those who have already demonstrated an interest in IEG Group Events, Services or Products by subscribing to the newsletter service (thus without the need for consent from the data subject);
• In relation to the purposes sub 2b (satisfaction of pre-contractual requirements and/or fulfillment of contractual obligations and/or obligations under a law, regulation or EU or foreign legislation): the need for IEG and/or Controlled Companies to fulfill pre-contractual requirements and/or contractual obligations (including that of diligent planning and organization of the Events and/or Services/Products and ascertaining the reliability of the company applying for an entry visa to the Events) and/or requirements of law, regulation or other legislation (applicable at local or at a transnational level only, e.g. provisions of Italian law obliging Controlled Companies to cooperate with IEG in the preparation of the Group's consolidated financial statements).

The data subject is free not to provide his or her data, but in this case his or her pre contractual requests and/or entering the requested contract and/or the above-mentioned legal or regulatory obligations cannot be fulfilled. In the case of an Event or Service/Product delivered online, the data subject is free not to activate the cameras and/or microphone of the PC, but in that case, if his/her image or voice is required to take advantage of the Event or Service/Product, we will not be able to deliver the same.

• In relation to the purposes sub 3 (nominative market surveys): IEG's legitimate interest in analyzing and protecting the reputation of IEG, its Controlled Companies, Events, Services and/or Products among interested parties, and the perceived quality by them, since maximizing their satisfaction is also a benefit to the interested parties. The interested party is free not to provide their data but, in this case, the specified investigations cannot be carried out.
• In relation to the purpose sub 4 (basic profiling): the legitimate interest of IEG and/or its Controlled Companies in having a minimal commercial profile of the interested party useful for guiding actions to maintain the commercial relationship with the same over time and in particular to verify and optimize the effectiveness of promotional communications and/or sales offers of Events, Services and/or Products, avoiding content that is not relevant to the same.
• In relation to the purposes sub 5 (advanced profiling): prior specific consent. The interested party is free not to provide their data and not to give their consent. In this case, such advanced profiling cannot be carried out, but there will be no other legal effects (in particular, the possibility of the interested party participating in the Events and/or use the Services and/or Products will remain intact).
• In relation to the purposes sub 6 (soft spam, also in the USA and DUBAI): the legitimate interest of IEG and/or its Controlled Companies in maintaining active, with reasonable frequency over time, commercial contact with customers and prospects, done without prejudice to the right of the interested party to object to processing for this purpose at any time. In the case of processing by Controlled Companies based in BRAZIL, CHINA and SINGAPORE, the Data Controller may process for the purpose sub 6 the data of the data subject (exclusively visitor of Events of B2C nature) only based on prior specific consent of the data subject.
• In relation to the purpose sub 7 (direct marketing by IEG other than soft spam): prior specific consent. The data subject is free not to provide their data and not to give their consent, but in this case, it will not be possible to carry out such direct marketing activities other than soft spam.
• In relation to the purposes sub 8 a-b (transfer of data to partner companies or to third-party subjects other than the Controlled Companies; transfer of data to social network platforms for "lookalike" services): prior specific respective consent. The data subject party is free not to give their consent and in this case the transfer to third parties cannot take place.
• In relation to the purposes sub 9 (security): the legitimate interest of IEG and/or its Controlled Companies in ensuring the security of Events and Services.
• In relation to the purposes sub 10 (various purposes): the legitimate interest of IEG and/or its Controlled Companies to diligently carry out the activities related to them, respectively.
• In relation to the purposes sub 11 (management of credit data by the Controlled Company, IEG EVENTS ARABIA LLC): the prior specific consent. The data subject is free not to give consent, in which case the management of credit data cannot take place.

The consent given, where required by law, for the purposes 5, 6 (operated by the Controlled Company, exclusively visitor of Events of a B2C nature based in BRAZIL, CHINA and SINGAPORE), 7, 8 and 11 (operated by the Controlled Company IEG Events Arabia LLC) referred to in the Privacy Policy, by the legal representative of a company or organization, is understood to be extended to the other interested parties belonging to the same company or organization whose data the same provides. Anyone who provides the Data Controller with personal data from another data subject declares and guarantees, as of now, that he or she has a regular right to lawfully make such communication.

OWNERSHIP OF THE PROCESSING

Based on the regulations applicable from time to time on the matter, data controllers are:

• for all the purposes set out in this Policy: IEG, in relation to the personal data of interested parties (e.g. data of customers or users of websites) processed by:
  • IEG and/or its Controlled Companies based in the EEA area,
  • Controlled Companies with headquarters outside the EEA area, when the aforementioned role of IEG Owner derives from the rules of extra-territorial application contained in the local legislation applicable from time to time in the country of respective headquarters of the Controlled Companies outside the EEA;
• for the sole purposes sub 1, 2, 4, 6: each Controlled Company (with registered office in the EEA or outside the EEA), in relation to the data processed by it in accordance with the respective applicable local regulations; and
• for the sole purpose sub 11: the Controlled Company IEG Events Arabia LLC.

DATA PROTECTION OFFICER

The DPO – Data Protection Officer of ITALIAN EXHIBITION GROUP SPA is Luca De Muri, domiciled at the same.

The DPO - Data Protection Officer of the Controlled Company IEG ASIA PTE LTD. – 1, Maritime Square # 09-56, Harbourfront Center – Singapore 099253, is Ilaria Cicero, domiciled at the same.

LEGAL REPRESENTATIVE WITHIN THE EU OF EXTRA-EU COMPANIES

The companies IEG CHINA Co. Ltd (Controlled Company in CHINA), IEG Events Arabia LLC (Controlled Company in Saudi Arabia) IEG ASIA PTE. LIMITED (Controlled Company in SINGAPORE), IEG EVENTS MIDDLE EAST LLC (Controlled Company in DUBAI), ITALIAN EXHIBITION GROUP USA INC. (Controlled company in the U.S.A.) and ITALIAN EXHIBITION GROUP BRASIL EVENTOS LTDA (Controlled company in BRAZIL), in their capacity as data controllers of the non-occasional processing of personal data for the purposes sub 1, 2, 4, 6 and 11 (the latter carry out only by IEG Events Arabia LLC) in the context of the offer of Services (including Events organized by them) and/or Products to interested parties with headquarters or residence in the EU, have designated ITALIAN EXHIBITION GROUP SPA as their respective representative in the EU, pursuant to and for the purposes of art. 27 of the GDPR. As such, ITALIAN EXHIBITION GROUP SPA, in replacement or in addition to the aforementioned designators but without prejudice to their liability, acts as an interlocutor towards the national Supervisory Authorities and towards the interested parties for any issue concerning these processing activities, in order to ensure compliance with the GDPR and facilitate the exercise of your rights under the GDPR.

EXTRA-EU LEGAL REPRESENTATIVE OF EU COMPANIES

ITALIAN EXHIBITION GROUP SPA, in its capacity as data controller of personal data in the context of the offer of Services (including Events organized by the same) and/or Products to interested parties based or resident in China, has designated IEG CHINA Co. Ltd (Controlled Company in CHINA) as its representative in China, pursuant to and for the purposes of art. 53 of ChinÀs Personal Data Protection Law (PIPL). In this capacity, IEG CHINA Co. Ltd acts as an interlocutor towards the Chinese national supervisory authorities and the interested parties for any issue concerning the aforementioned processing activities.

COMMUNICATION AND DISSEMINATION OF DATA

The data is shared with the personnel of IEG and/or its Controlled Companies authorized to process the data (example of Financial, Communication, Travel, Sales, Marketing, Legal teams, etc.).

The data is communicated for purposes sub 1, 2, 3 by IEG and for purposes sub 1, 2 and 7 by the Controlled Companies and for the purpose sub 11 by the Controlled Company IEG Events Arabia LLC., to:

• providers of hosting, development, management, maintenance, disaster recovery and cybersecurity services in relation to IT systems (services, websites and databases) of IEG and/or its Controlled Companies; survey service providers;
• other suppliers activated for the organization and management of the Events and/or Services and/or Products (e.g. suppliers of materials and products; suppliers of services: design, technical planning and set-up, ticketing, organizational secretariat, enveloping and forwarding of correspondence, design, printing and maintenance of editorial, advertising or promotional materials, logistics, security, first aid, electronic payment, banking, insurance and financial materials, information on corporate standing and reputation, hospitality/hotel, catering, passenger transport, linguistic translations, business platforms, hospitality, issuing of titles, accreditations, tickets and entry passes to Events and Services and/or Products, help desk event, courier, carrier and shipping services, advertising, media relations and communication, direct e-mail marketing, web marketing, marketing analysis, CRM - Customer Relationship Management, compliance management, electronic communication, for example telephone or telematics),
• third party partners who carry out functional or complementary activities to the promotion of the Events and/or the purchase of Services and Products, for example private and public bodies, other trade fair bodies and/or event organizers, trade associations, with which IEG and/or the Controlled Companies activate co-marketing actions for Events,
• journalists, newspapers and representatives of other communication bodies,
• agents, regional advisors,
• law firms and notaries,
• control and supervisory bodies, in particular, for example, auditing firms and auditors, chartered accountants, accounting experts, DPO - Data Protection Officers, members of supervisory bodies on the organizational models of IEG and/or the Group companies aimed at preventing the commission of certain categories of crimes, auditors and members of boards of auditors,
• debt collection firms and companies,
• Computer forensics companies and professionals in the case of technical and legal investigations relating to suspected crimes or other offenses committed to the detriment of IEG, the other Controlled Companies and/or third parties,
• other consultants and professionals,
• Public authorities to which communication is necessary by law, regulation or other legislation (e.g. diplomatic and consular representations, Police Headquarters, Prefecture, Police, other Public Security Authorities, Revenue Agency, Financial Police, and similar),
• IEG (in this case the data are communicated only by the Controlled Companies),
• Controlled Companies (in this case the data is communicated only by IEG and at IEG's discretion).

The identification and contact data and product data of visitors and buyers may be communicated to exhibitors (e.g. through search and/or request for meetings and/or contact functions available on digital platforms or via QR Code or Bar Code), and any spontaneous messages from the interested parties themselves.

Identification data, contact and product data of exhibitors and any spontaneous messages from them may be communicated to visitors/buyers (e.g. through search and/or meeting request and/or contact features available on digital platforms, through QR Codes or Bar Codes, or through Event catalogs) the identifying and contact and product data of exhibitors and any spontaneous messages from them.

The data are communicated, as appropriate, by IEG for purposes sub 4 to 7 and/or by the Controlled Companies for the sole purposes sub 4 and 6 to:

• providers of marketing analysis services, communication and/or public relations agencies,
• providers of internet advertising space purchase services;
• suppliers of advertising or promotional materials (e.g. graphic and creative agencies in general),
• website or blog production and management companies, web marketing companies,
• landing page management service providers,
• providers of large language model services that support data analysis for profiling and marketing purposes without public sharing of the processed data.

If the aforementioned third-party process the data on behalf of and based on written directives from IEG and/or the sending Controlled Companies, they are designated as External Data Processors pursuant to and for the purposes of article 28 of the GDPR.

The Controlled Companies for the purposes sub 4 and 6 also communicate the data to the Parent Company IEG (see also the following chapter "TRANSFER OF DATA ABROAD").

IEG and the other Controlled Companies refrain from any dissemination of data.

Exhibitors’ data will be disclosed, only upon request, through the exhibition catalog relating to the Events, both in paper and online format.

TRANSFER OF DATA ABROAD

The data is transferred by IEG and/or its Controlled Companies based in the EU to the following categories of third-party recipients based outside the EU (hereinafter the "importers"):

• Controlled Companies and/or their suppliers, with headquarters outside the EU (China, Singapore, USA, United Arab Emirates, Brazil), to the extent necessary for pre-contractual, contractual and/or fulfillment of legal or regulatory obligations, for example, when IEG or the other Controlled Companies, based in the EU, transfer the data as agents in the interest of the foreign Controlled;
• providers of online services for
  • i) data collection through text forms that can be filled in by the interested party and contained in landing pages provided by the Data Controller,
  • ii) social platforms (U.S.A.) in which social pages and/or profiles of IEG and/or are active of the Group Companies (for more information on the joint ownership regime applicable in this specific case to the parties involved, see the "joint ownership" section in Cookie Policy), and/or to which IEG communicates data in relation to the "lookalike" services subscribed with them,
  • iii) log-in management via the user's LinkedIn social account,
  • iv) analysis of the traffic generated by users of the websites of IEG and/or other Group companies (U.S.A.),
  • v) E-payment services,
  • vi) CRM – Customer Relation Ship Management. The Privacy Policies of non-EU Providers of online services can be found at the following link

This data transfer will take place against adequate guarantees, such as:

• In the case of transfer to the USA: the Adequacy Decision of the EU Commission of 10 July 2023 relating to the American legislation on the protection of personal data as amended by the EU – USA bilateral convention. "Trans-Atlantic Data Protection Framework".
• In the case of transfer to Canada (active only to landing page management service providers): the Adequacy Decision of the EU Commission of 15 January 2024 relating to Canadian legislation on the protection of personal data, in particular the Personal Information Protection and Electronic Documents Act (PIPEDA);
• In the case of transfer to non-EU countries other than USA and Canada: from the prior stipulation by IEG and/or its Controlled Companies based in the EU, towards the third-party importer, of standard contractual clauses - or so-called "CCS" - compliant at least with the text approved by the EU Commission (except for any additions and/or modifications more favorable to the interested party) through which, for the processing within its competence, the data importer undertakes to comply with privacy obligations substantially equivalent to those provided for by the relevant EU legislation.

The data is also transferred by the Controlled Companies based outside the EU, within the limits necessary for the purposes sub 1, 2, 4, 6, 7 and 11, to IEG as well as to the following third-party recipients based outside the country of the same Controlled Companies (hereinafter the "importers"):

• agents;
• suppliers of Products and/or Services functional to the activities and/or Events relating to the foreign Controlled Companies;
• providers of social network platforms (U.S.A.) in which social pages and/or profiles of Group companies with headquarters outside the EU are active (for more information on the joint ownership regime applicable in this specific case to the parties involved, see the "joint ownership" section in our Cookie Policy).

This data transfer, in the event that it is carried out by non-EU Controlled Companies to IEG or non-EU subject, will take place against adequate guarantees, consisting of the stipulation, between the parties involved in the transfer, of standard contracts or standard contractual clauses, compliant at least with the texts approved by the competent Administrative Authorities of the country in which the individual Foreign Controlled Company is based (except for any additions and/or modifications more favorable to the interested party).

Through these contracts and/or clauses IEG and/or the different importers of the data undertake to comply with obligations of protection and processing of personal data transferred substantially equivalent to those provided for by the relevant EU legislation. The data are also transferred by the Controlled Companies, based in the EU, for the purposes sub 1, 2, 4, 6 and 7 to IEG without the need for particular, adequate guarantees, as the entire scope of processing, appears to be adequately covered by the GDPR.

DURATION OF TREATMENT

The data are stored for maximum periods of time (retention) which depend on the purpose of the processing, after which the data are deleted or made anonymous, as follows:

• purpose sub 1 (protection of information assets): for an indefinite period, except as further provided herein:
  • data processed for Business Continuity and IT security logs, for example log-in data, failed and log-out logs, logs of suspected anomalies, etc.: are retained 1 year from the date of collection, except for any shorter term provided for by the internal procedures of the Data Controller.
• purpose sub 2 - pre-contractual needs (if the interested party is a lead), i.e. a potential customer who has not made any purchases and has not expressed an interest in the Events, Services and/or Products): 2 years from the date of collection of the data (unless subsequent processing determines an expression of interest in the Events, Services and/or Products, in which case the processing will have the duration set out in the following paragraph);
• purpose sub 2 - pre-contractual needs (if the interested party is a prospect, i.e. a potential customer who has not made any purchase, but has expressed interest in Events, Services and/or Products): 10 years from the collection of the interested party's data (unless this activity does not lead to the stipulation of a contract, in which case the processing will have the duration described in the following paragraph);
• purpose sub 2 - contract execution (if the interested party is a customer): for the entire duration of the commercial relationship and for 10 years from the date of termination of the contract; subject to the shorter terms below in relation to specific categories of data:
  • data related to the drafting of invitation letters for the request for consular visas (e.g. copy of passport, etc.): 6 months from the end of the Event to which they refer.
  • data of requests for assistance communicated at collection points (including insurance desk, Info point and Emergency Room) by visitors and exhibitors during the Events: 60 days after the end of each Event; in the case of complaints presented by the interested party in relation to the Events (e.g. requests for compensation) the data may be further processed as better provided for in the following chapter "In case of dispute".
  • data contained in the promotional catalog of the Events: for 2 editions of the catalogue.
  • data connected to the "Business Matching" service provided during the Events: 3 months from the end of the individual Event.
  • editorial products: 5 years from publication (NB: after the sale of the Product containing the data, the Data Controller does not control its further circulation).
• purpose sub 2 - fulfillment of legal and regulatory obligations: 10 years from the date of stipulation of the contract (in the case of customers) or from the collection of the interested party's data (in the case of prospects); the following shorter terms in relation to specific categories of data are reserved:
  • Event certification data: until the end of the certification and therefore until certification has taken place;
• purpose sub 3 (nominative surveys): 2 years from the collection of the interested party's data (in the case of customers and prospects);
• purpose sub 4 (basic profiling): 2 years from the collection of the interested party's data (in the case of customers and prospects);
• purpose sub 5 (advanced profiling): 2 years from the collection of the interested party's data (in the case of customers and prospects);
• purpose sub 6 (soft spam): until any opposition by the interested party.
• purpose sub 7 (direct marketing) towards leads, customers and prospects: 10 years from the date of data collection or until the date of revocation of consent by the interested party, if such revocation occurs before the deadline;
• purpose sub 11 (credit data management operated by IEG Events Arabia LLC): 2 years from the date of data collection;
• In the event of extrajudicial or judicial litigation, towards the interested party and/or third parties (e.g. people injured during the Events due to the activities of the Data Controller, the interested party and/or third parties), the data are processed, for the time necessary to exercise the protection of the Data Controller's rights (as a rule, up to the 6th calendar year following the year of full execution of a provision having the force of res judicata or a settlement between the parties in dispute).

MEANS OF PROCESSING

IEG, also through its Controlled Companies and/or third-party suppliers delegated by them, collects data through:

• IEG Group websites whose electronic pages the interested party browses;
• online or paper forms or pre-registration or participation apps filled in by the interested party during or in relation to the Events and/or Services and/or Products;
• QR Code or BAR Code displayed and scanned at the entrances to the Events or during participation in the same;
• business cards spontaneously delivered by the interested party;
• applications (paper or online) for the interested party to participate in the Events, Services and/or Products;
• contracts stipulated with the interested party;
• requests for quotes and/or information sent by the interested party (e.g. online forms);
• online platforms for the management of contact requests / business meetings and for the exchange of information between exhibitors, visitors and/or buyers (e.g. texts, videos, presentations, live sections; insights and itineraries on trends and innovation, visit tours, sharing and communication of events and/or other digital content; sharing of public comments relating to contents as shared above, exchange of messages).

IEG also collects data from Controlled Companies as part of intragroup information exchanges.

The data is processed by personnel authorized and trained by IEG and/or its Controlled Companies, within the limits strictly necessary for the execution of their respective tasks (e.g. legal, commercial, marketing, administrative, logistics, IT, management control, etc.), using electronic and paper tools and with logic strictly connected to the individual purposes as respectively envisaged above.

SECURITY MEASURES

Technical and organizational security measures are applied to the processing of the interested party's personal data to guarantee their integrity, security and availability. For security reasons, not all relevant information is made available here. The measures may vary depending on the Group company. The main types of measures applied are the following:

• IT Asset Management procedures
• Firewall
• Antivirus
• Antispam
• DMZ - De-Militarized Zone
• Redundant Storage
• Identity and Access Management procedures:
  • Unique authentication credentials for data access; 2FA and VPN for remote access
  • Limitation of access to data to internal personnel only, previously designated in writing authorized and trained by the Data Controller
  • Authorization profiles managed via Active Directory and/or Azure Directory (Enter ID) limited in accordance with the "need-to-use, need-to-know" principle.
• Written confidentiality obligations
• Staff Training
• Appointment of external managers who carry out outsourced processing on behalf of the Data Controllers
• VLAN - Virtual Local Area Network
• Daily Back-up
• Disaster Recovery
• Patch Management procedures
• Incident Management Procedure and Data Breach Procedure
• IDS (Intrusion Detection System), IPS (Intrusion Prevention System), EDR (Endpoint Detection and Response), DLP (Data Loss Prevention) systems
• SIEM – Security Information and Event Management
• SOC – Security Operation Center
• Connections over secure HTTP protocol (HTTPS) with 2048-bit encryption and TLS v1.x protocol (PCI DSS Compliance)
• Periodic Vulnerability Assessment and Penetration Test
• Periodic Audits

The use of 'bot' (i.e. automated) software programs violates our Terms of Use of our websites. IEG and its Controlled Companies therefore reserve all rights to compensation for damages resulting from such behavior and the right to suspend access to the services of anyone who violates this ban.

We reserve the right to conduct security checks (e.g. log analysis) at any time to validate your identity, the registration data provided by you and to verify your correct use of our online services as well as to ascertain possible violations of the Conditions of Use of our websites and/or the law applicable to them.

RIGHTS OF THE INTERESTED PARTY

Interested parties, using the contact details of the Data Controller (viewable in the Table of IEG Group Companies), can exercise the following rights, provided for by the GDPR and/or by the different local legislation applicable from time to time in the country non-EU relevant in relation to data processing:

• Access to your personal data processed by the Data Controller
• Rectification or integration of inaccurate or incomplete data
• Deletion of obsolete data, where the Data Controller has not done so independently, in cases where:
  • they are no longer necessary for the purposes of data processing,
  • the interested party has revoked their consent to the processing of data where such consent is required by law,
  • the interested party has objected to the processing of the data,
  • the processing of personal data is unlawful,
  • the personal data must be erased to comply with a legal obligation in headed by the Owner. Each Data Controller undertakes to take all reasonable measures to inform the other companies in the IEG Group of the cancellation.
• Limitation of the processing of personal data, if:
  • the accuracy of the personal data of the interested party is contested, to allow the Data Controller to carry out the necessary checks,
  • the interested party intends to limit their personal data rather than delete them, although the processing is unlawful,
  • the interested party wishes the Data Controller to retain the personal data as deemed necessary to defend themselves in legal actions,
  • the interested party has opposed the processing but the Data Controller must carry out checks to ascertain the existence of legitimate reasons for the processing which prevail over rights of data subject.
• Data portability (i.e., to obtain a copy in machine-readable format of the data provided by the interested party to the Data Controller, or to have this copy communicated to another data controller indicated by the interested party, when the data refers to a contract existing between the interested party and the first Data Controller and the same are processed using software) within the limits established by the applicable legislation.
• Opposition to processing carried out based on a legitimate interest of the Data Controller.
• Right not to be subject to an automated decision-making process that produces legal effects that concern or similarly significantly affect the interested party and object to the outcome of any automated decision of the Data Controller relating to the processing of the interested party's personal data. Automated decision making occurs when decisions are made using technological means without human involvement. This right does not exist when the automated decision:
  • is necessary for the conclusion or execution of a contract between the interested party and a data controller,
  • is authorized by the law of the EU or the EU Member State to which the Data Controller is subject, which in that case also specifies appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, or
  • is based on the explicit consent of the interested party.
• Revocation of consent when consent by law is the legal basis of the processing (without prejudice to the lawfulness of the processing carried out up to the time of revocation).
• (when the GDPR is applicable) Right to Complain to the competent Supervisory Authority; in Italy it is The Italian Data Protection Authority (Garante per la protezione dei dati personali) – Piazza Venezia 11 - IT-00187 - Rome), tel. (+39) 06.69677.1, e-mail: rpd@gpdp.it.
• (when applicable legislation on the protection of personal data other than the GDPR) Right to Complain, take legal action and/or alternative dispute resolution, provided from time to time by the applicable foreign legislation (e.g. in the State of New Jersey, right to appeal against any rejection of a request to exercise the rights provided by the New Jersey Data Privacy Act, within a reasonable time after communication of the rejection and in a manner similar to that of the communication process of the first request; the Owner's response must be communicated within 60 days; in the event that the Owner rejects the appeal, the consumer can file a complaint with the New Jersey Division of Consumer Affairs in the Department of Law and Public Safety (see https://www.njconsumeraffairs.gov/).
• Right to request:
  • to IEG and/or to the Controlled Companies based in the EU space, as well as to the Controlled Companies based in DUBAI, SAUDI ARABIA, SINGAPORE and/or the USA, a list of names of the third-party recipients of the data designated as external data controllers (see also chapter "COMMUNICATION AND DISCLOSURE OF DATA" of this Policy), and
  • to the Controlled Companies based in CHINA and BRAZIL, a list of names of all third-party recipients of the data (both External Managers and Data Controllers).

If the interested party has a reserved area/online account to manage the options (e.g. relating to consent) that can be exercised in relation to the above rights towards IEG and/or its Controlled Companies, please view and use this account.

Below are the ways in which the interested party can obtain further information about their rights:

• if the interested party resides or is based in the EEA area, or in any case is subject to personal data processing regulated by the GDPR, they must consult for further details articles 15 to 22 and 77 of the EU Privacy Regulation 679/2016 ("GDPR"), available at the link: https://eur-lex.europa.eu/legal-content/IT/TXT/HTML/?uri=CELEX:32016R0679#d1e2800-1-1
• if the interested party resides or is based in China, or is in any case subject to processing regulated by Chinese legislation for the protection of personal data, they must consult for further details articles 44 to 50 of chapter IV of the Data Protection Law of the People's Republic of China (PIPL), available at the following link: http://en.npc.gov.cn.cdurl.cn/2021-12/29/c_694559.htm
• if the interested party resides or is based in Dubai, or in any case is subject to processing regulated by the Arab legislation for the protection of personal data, for further details they must consult - the UAE - 'The Guide to Access Government Information' and Law No. 26 of 2015 on the Organization of Dubai Data Publication and Sharing, also known as Law No. 26 of 2015 Regulating Data Dissemination and Exchange; and the Personal Data Protection Law, Federal Decree Law No. 45 of 2021 regarding the Protection of Personal Data at the following link: https://u.ae/en/about-the-uae/digital-uae/data/data-protection-laws
• if the interested party resides or is based in Brazil, or in any case is subject to processing regulated by Brazilian legislation for the protection of personal data, they must consult articles 17 to 22 of chapter III of the General Personal Data Protection Act (LGPD), at the following link: https://lgpd-brazil.info
• if the interested party resides or is based in Singapore or is in any case subject to processing regulated by Singapore legislation for the protection of personal data, they must consult articles 5.1 to 5.2 of chapter V of the "The Personal Data Protection Act 2012 ("PDPA")" available at the following link: https://www.pdpc.gov.sg/overview-of-pdpa/the-legislation/personal-data-protection-act
• if the data subject resides or is based in the U.S.A., or is in any case subject to processing regulated by American legislation for the protection of personal data, they can consult the following table of rights, the information available at the following link: https://www.whitecase.com/insight-our-thinking/us-data-privacy-guide and, in relation to the processing of personal data relating to subjects qualified as consumers (i.e., acting in an individual or family context) carried out by our Controlled Company based in the State of New Jersey (U.S.A.), the New Jersey Data Privacy Law viewable at the following link: https://pub.njleg.state.nj.us/Bills/2022/S0500/332_R6.PDF
• if the data subject resides or is based in Saudi Arabia, or is otherwise subject to processing governed by Saudi Arabian data protection legislation, should consult the following link: https://sdaia.gov.sa/en/Research/Pages/DataProtection.aspx

CHANGES TO THE PRIVACY POLICY

The policy may be modified over time to reflect changes made to the processing of personal data and/or to adapt to any regulatory requirements that may arise.

The updated Information will be communicated to the interested party as required by law and with suitable methods (e.g. by publication on the Site(s) of IEG and/or its Controlled Companies, or an e-mail message or insertion in online areas reserved for users).

REV. 30.11.2024

The previous version of the Privacy Policy can be found at the following link.