ICEF provides business to business services to student recruitment agents and to schools and institutions worldwide. These include our ICEF Networking Events, Market Intelligence and Consulting and Training. As such ICEF has a legitimate interest, as defined in the GDPR legislation1 in retaining the personal data of individuals associated with its customers and prospects so as to propose relevant services and deliver contracted services.
ICEF treats all your personal information as private and confidential, except where we are required by law, to disclose it and except when it is with a 3rd party software provider that we have engaged to deliver or propose our services to you (see Data Processors below). We never provide your information to 3rd parties for their own use unless they are also participants at ICEF events.
You may request to see copies of the records we hold for you, or to be removed from our database or mailing lists, at any time you choose.
We seek to fully comply with the General Data Protection Regulation (GDPR).
For further information please contact ICEF at email@example.com
You can get in touch with us:
to access, amend or take back the personal data that you have given to us
if you suspect any misuse or loss of or unauthorised access to your personal information
to withdraw your consent to the processing of your personal data (where consent is the legal basis on which we process your personal data)
The company responsible for your personal data (“ICEF” or “us”) is:
Am Hofgarten 9
You can send an email to: firstname.lastname@example.org
Alternatively, you can click the unsubscribe link in any marketing e-mail we send to you. Where your company has contracted ICEF services then we do not provide an unsubscribe link to emails related to delivering the service as any unsubscribe would stop ICEF from being able to deliver the service.
Legal basis for processing your data
Under the GDPR there are six bases upon which to justify collecting and using personal data.
the individual has given their Consent to the processing of their Personal Data.
processing of Personal Data is necessary for the performance of a contract to which the individual is a party or for the Controller to take pre-contractual steps at the request of the individual.
C) LEGAL OBLIGATION
processing of Personal Data is necessary for compliance with a legal obligation to which the Controller is subject.
D) VITAL INTERESTS
processing of Personal Data is necessary to protect the vital interest of the individual or of another individual.
E) PUBLIC TASK
processing of Personal Data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
F) LEGITIMATE INTERESTS
processing is necessary under the Legitimate Interests of the Controller or Third Party, unless these interests are overridden by the individual’s interests or fundamental rights.
ICEF relies primarily on the following three justifications for processing your data:
Article 6(1)(f) of the GDPR says that we can process your data where it “is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by the interests or fundamental rights or freedoms of [you] which require protection of personal data.” You have the right to object to us processing your personal data on this basis.
To ensure that we provide you with the best service possible, we store your personal data and/or the personal data of individual contacts at your organisation as well as keeping records of our conversations, meetings, registered jobs and placements. We may also ask you to undertake a post mandate feedback survey to gain valuable insight into our key performance indicators as a business.
We think this is reasonable use of your data for our legitimate interests as an organisation providing various recruitment services to you. NOTE – We will never share your details with any 3rd parties, without your permission.
We use and store the personal data of individuals within your organisation in order to facilitate the receipt of services from you as one of our Suppliers. We also hold your financial details, so that we can pay you for your services. We deem all such activities to be necessary within the range of our legitimate interests as a recipient of your services.
In certain circumstances, we are required to obtain your consent to the processing of your personal data in relation to certain activities. Depending on exactly what we are doing with your information, this consent will be opt-in consent.
Article 4(11) of the GDPR states that (opt-in) consent is “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” This means that:
• you have to give us your consent freely, without us putting you under any type of pressure;
• you have to know what you are consenting to – so we’ll make sure we give you enough information;
• you should have control over which processing activities you consent to and which you don’t. We provide these finer controls within our privacy preference centre; and
• you need to take positive and affirmative action in giving us your consent.
We will keep records of the consents that you have given in this way. We will be able to rely on soft opt-in consent to market products or services to you which are related to the recruitment services we provide as long as you do not actively opt-out from these communications. You have the right to withdraw your consent to these activities. You can do so at any time, by sending an email with your details to email@example.com.
Establishing, exercising or defending legal claims
Sometimes it may be necessary for us to process personal data and, where appropriate and in accordance with local laws and requirements, sensitive personal data in connection with exercising or defending legal claims. Article 9(2)(f) of the GDPR allows this where the processing “is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity”. This may arise for example where we need to take legal advice in relation to legal proceedings or are required by law to preserve or disclose certain information as part of the legal process.
How do we collect personal data?
In order to propose and provide the best possible service to our customers and prospects, ICEF asks for details about the people that represent these companies and also for data about the companies themselves. We only ask for personal data that will genuinely help us to help you.
There are three main ways in which we collect your personal data:
• Directly from you via forms on our website or paper forms;
• Cookies and IP addresses and other data that is captured from website visits;
• From third parties (event participant lists) and other limited sources (e.g. online and offline research).
What kind of personal data do we collect?
We may collect some or all of the information listed below to enable us to provide you, in the context of the services that we provide to your company or institution, with the best possible service:
• Contact details;
• In the case of visa support, birthdate and passport number
• IP address;
• The dates, times and frequency with which you access our services;
• Information relating to emails sent and opened and links clicked
This data is used so that we can communicate with you, either to propose our services or to deliver those services that your company has already contracted.
How do we use your personal data?
The main reason for using your personal data is to help us communicate with you as a prospective or current customer of ICEF either to propose relevant services or to deliver services that your company or institution has contracted.
Who do we share your personal data with?
In the context of ICEF Events, business to business networking events, we share your information with other participants of that event and other ICEF events. You give us your specific consent for this when you sign in to our scheduling platform.
All participants of our events attend for the specific purpose of building business relationships and as such, all our participants have a legitimate interest justification for continuing to contact each other after the events.
Otherwise, we do not share your personal data without your specific consent, except with third parties service providers that ICEF has contractually engaged to assist us in providing our service or; where we are legally obliged to do so. The full list of 3rd parties (Data Processors) is listed below.
ICEF does not store any personal data relating to people under 16.
SUPPLIER DATA (including prospect Suppliers)
We collect your personal data during the course of our work with you. We need a small amount of information from our Suppliers to ensure that things run smoothly. We need contact details of relevant individuals at your organisation so that we can communicate with you. We also need other information such as your bank details so that we can pay for the services you provide (if this is part of the contractual arrangements between us).
What kind of personal information do we collect?
We don’t collect much data about Suppliers – we simply need to make sure that our relationship runs smoothly. We’ll collect the details for our contacts within your organisation, such as names, telephone numbers and email addresses. We’ll also collect bank details, so that we can pay you. We may also hold extra information that someone in your organisation has chosen to tell us.
How do we use your personal data?
The main reasons for using your personal data are to ensure that the contractual arrangements between us can properly be implemented so that the relationship can run smoothly, and to comply with legal requirements.
We realise that you’re probably busy, and don’t want us to be contacting you about all sorts of things. To find the right balance, we will only use your information:
• To store (and update when necessary) your details on our database, so that we can contact you in relation to our agreements;
• To offer services to you or to obtain support and services from you;
• To perform certain legal obligations;
• In more unusual circumstances, to help us to establish, exercise or defend legal claims.
We may use your personal data for these purposes if we deem this to be necessary for our legitimate interests.
Who do we share your personal data with?
We share your information with associated third parties such as our service providers such as Salesforce and FinancialForce in order that we can manage our supply chain and pay our invoices on time.
ICEF STAFF DATA
ICEF also holds personal data on its employees, past and present. Any member of staff, current or past, may at any time request details of all the personal data that ICEF holds. This data is retained whilst the person is working for ICEF and for a reasonable amount of time thereafter, namely 5 years.
YOUR RIGHTS UNDER GDPR
How do we safeguard your personal data?
We are committed to taking all reasonable and appropriate steps to protect the personal information that we hold from misuse, loss, or unauthorised access. We do this by having in place a range of appropriate technical and organisational measures. These include measures to deal with any suspected data breach. If you suspect any misuse or loss of or unauthorised access to your personal information please let us know immediately by sending an email to firstname.lastname@example.org.
How long do we keep your personal data for?
We will delete your personal data from our systems if we have not had any meaningful contact with you for some time as it is likely your data will no longer be relevant for the purposes for which it was collected.
When we refer to “meaningful contact”, we mean, for example, communication between us (either verbal or written), or where you are actively engaging with our online services. We will also consider it meaningful contact if you communicate with us, either by verbal or written communication or click through from any of our marketing communications. Your receipt, opening or reading of an email or other digital message from us will count as meaningful contact.
How can you access, amend or take back the personal data that you have given to us?
One of the GDPR’s main objectives is to protect and clarify the rights of EU citizens and individuals in the EU with regards to data privacy. This means that you retain various rights in respect to your data, even once you have given it to us.
To get in touch about these rights, please contact us at email@example.com. We will seek to process with your request without undue delay, and in any event within 30 days (subject to any extensions to which we are lawfully entitled). Please note that we may keep a record of your communications to help us resolve any issues which you raise.
Right to object
This right enables you to object to us processing your personal data where we do so for one of the following four reasons:
• our legitimate interests;
• to enable us to perform a task in the public interest or exercise official authority;
• to send you direct marketing materials; and
• for scientific, historical, research, or statistical purposes.
The “legitimate interests” and “direct marketing” categories above are the ones most likely to apply to our website users, customers and suppliers. If your objection relates to us processing your personal data because we deem it necessary for our legitimate interests, we must act on your objection by ceasing the activity in question unless we can show that we have compelling legitimate grounds for processing which overrides your interests; or we are processing your data for the establishment, exercise or defence of a legal claim.
If your objection relates to direct marketing, we must act on your objection by ceasing this activity.
Right to withdraw consent
Where we have obtained your consent to process your personal data for certain activities (for example, for our marketing), you may withdraw this consent at any time and we will cease to carry out the particular activity that you previously consented to unless we consider that there is an alternative reason to justify our continued processing of your data for this purpose in which case we will inform you of this condition.
Data Subject Access Requests (DSAR)
You may ask us to confirm what information we hold about you at any time, and request us to modify, update or delete such information. We may ask you to verify your identity and for more information about your request. If we provide you with access to the information we hold about you, we will not charge you for this unless your request is “manifestly unfounded or excessive”. If you request further copies of this information from us, we may charge you a reasonable administrative cost where legally permissible. Where we are legally permitted to do so, we may refuse your request. If we refuse your request we will always tell you the reasons for doing so.
Right to erasure
You have the right to request that we erase your personal data in certain circumstances. Normally, the information must meet one of the following criteria:
• the data is no longer necessary for the purpose for which we originally collected and/or processed it;
• where previously given, you have withdrawn your consent to us processing your data, and there is no other valid reason for us to continue processing;
• the data has been processed unlawfully (i.e. in a manner which does not comply with the GDPR);
• it is necessary for the data to be erased in order for us to comply with our legal obligations as a data controller; or
• if we process the data because we believe it necessary to do so for our legitimate interests, you object to the processing and we are unable to demonstrate overriding legitimate grounds for our continued processing.
We would only be entitled to refuse to comply with your request for one of the following reasons:
• to exercise the right of freedom of expression and information;
• to comply with legal obligations or for the performance of a public interest task or exercise of official authority;
• for public health reasons in the public interest;
• for archival, research or statistical purposes; or
• to exercise or defend a legal claim.
When complying with a valid request for the erasure of data we will take all reasonably practicable steps to delete the relevant data.
Right to restrict processing
You have the right to request that we restrict our processing of your personal data in certain circumstances. This means that we can only continue to store your data and will not be able to carry out any further processing activities with it until either:
One of the circumstances listed below is resolved;
• you consent; or
• further processing is necessary for either the establishment, exercise or defence of legal claims, the protection of the rights of another individual, or reasons of important EU or Member State public interest.
The circumstances in which you are entitled to request that we restrict the processing of your personal data are:
• where you dispute the accuracy of the personal data that we are processing about you. In this case, our processing of your personal data will be restricted for the period during which the accuracy of the data is verified;
• where you object to our processing of your personal data for our legitimate interests. Here, you can request that the data be restricted while we verify our grounds for processing your personal data;
• where our processing of your data is unlawful, but you would prefer us to restrict our processing of it rather than erasing it; and
• where we have no further need to process your personal data but you require the data to establish, exercise, or defend legal claims.
If we have shared your personal data with third parties, we will notify them about the restricted processing unless this is impossible or involves disproportionate effort. We will, of course, notify you before lifting any restriction on processing your personal data.
Right to rectification
You also have the right to request that we rectify any inaccurate or incomplete personal data that we hold about you. If we have shared this personal data with third parties, we will notify them about the rectification unless this is impossible or involves disproportionate effort. Where appropriate, we will also tell you which third parties we have disclosed the inaccurate or incomplete personal data to. Where we think that it is reasonable for us not to comply with your request, we will explain our reasons for this decision.
Right to lodge a complaint with a supervisory authority
You also have the right to lodge a complaint with your local supervisory authority. If you would like to exercise any of these rights, or withdraw your consent to the processing of your personal data (where consent is our legal basis for processing your personal data), please contact us by email at firstname.lastname@example.org.
You may withdraw your consent to receive marketing communications only or all consent to receiving any communication from ICEF. Please note that we may keep a record of your communications to help us resolve any issues which you raise.
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during the period for which we hold your data.
ICEF’S DATA PROCESSORS
In most cases, ICEF is the “data controller” in that we are the entity that has collected your personal data. In some specific instances, we use third-party software providers to store and manage your data. They do this on our behalf and do not share this information under any circumstances unless required to by Law.
ICEF is committed to ensuring all our suppliers are fully GDPR compliant. Please refer to their individual Data Protection Policies:
1. Under Recital 47
‘The legitimate interests of a controller, including those of a controller to which the Personal Data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.’