1. APPLICATION OF THIS PPA
If any data submitted by or for Registrant to IT Revolution includes personal data, then this PPA governs the processing of the personal data that is subject to the GDPR. Certain terms used in this PPA have the meanings given to them in the “Definitions” section of this PPA.
2. DATA PROCESSING
2.1 Details of Data Processing.
(a) Subject matter. The subject matter of the processing under this PPA is data provided by Registrant (“Registrant Data”) to IT Revolution in connection with the Event.
(b) Duration. The duration of the processing under this PPA is the duration of the event and for so long as IT Revolution has reason to keep it, such as post-event communications.
(c) Nature and purpose. The nature and purpose of the data processing under this PPA is the participation of Registrant in the Event.
(d) Type of personal data. The type of personal data that will be processed under this PPA is Registrant Data provided by Registrant to IT Revolution for the Event, such as name, address, and email.
(e) Categories of data subjects. The categories of data subjects whose data will be processed under this PPA may include (i) Registrant, (ii) if Registrant is a company, shareholders, partners, limited partners, directors, officers, employees and other individuals connected with corporations and other entities, the records of which are managed by Registrant, and (ii) Registrant’s attendees, employees, and end-users.
2.2 Compliance with Laws. Each party will comply with all Applicable Laws in the performance of this PPA, including the GDPR.
3. IT Revolution and Third Party Cookies
3.1 Cookies. Cookies are small text files which are transferred to Registrant’s computer or mobile device when Registrant visits a website or app.
3.3 Types of Cookies. Some cookies are always on when you visit IT Revolution, and Registrant is unable to turn them off unless Registrant changes his or her browser settings (“strictly necessary cookies”). IT Revolution uses these cookies to make sure IT Revolution’s digital services work correctly and are meeting Registrant’s needs and interests. IT Revolution also uses functional, performance, and advertising cookies to make Registrant’s experience more enjoyable. Registrant can turn these cookies on and off at any time with Registrant’s browser settings. Please be aware that there are third party cookies, such as Google or Facebook, which might track how Registrant uses IT Revolution’s website. For example, Registrant might get a social media company’s cookie when Registrant sees the option to share something. Registrant can turn off third party cookies through the third party company, not IT Revolution.
3.4 Duration of Cookies. Some cookies are erased when Registrant closes his or her browser or app. Other cookies stay longer, sometimes forever, and are saved on Registrant’s device so that the cookies are present when Registrant returns to IT Revolution’s website. If Registrant does not want cookies remaining on his or her computer, he or she must take affirmative steps to remove the cookies.
4. REGISTRANT INSTRUCTIONS
4.1 Documented Instructions . The parties agree that this PPA, any agreements between IT Revolution and Registrant, and the procedures disclosed in this PPA by IT Revolution for the Event constitute Registrant’s documented instructions regarding IT Revolution’s processing of Registrant Data (“ Documented Instructions”), including with respect to transfers of personal data to a third country or an international organization. IT Revolution will process Registrant Data only in accordance with Documented Instructions. Registrant agrees that the Documented Instructions are Registrant’s complete and final instructions to IT Revolution in relation to processing of Registrant Data. Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between IT Revolution and Registrant, including agreement on any additional fees payable by Registrant to IT Revolution for carrying out such instructions. Registrant will ensure that the Documented Instructions comply with all Applicable Laws, and that the processing of Registrant Data in accordance with the Documented Instructions will not cause IT Revolution to be in breach of any Applicable Laws. Registrant has sole responsibility for the legality, reliability, integrity, accuracy and quality of Registrant Data and of the means by which Registrant acquires Registrant Data, and will establish the legal basis for processing under Applicable Laws. IT Revolution will immediately inform Registrant if IT Revolution is of the opinion that a Documented Instruction infringes the GDPR or other Applicable Laws of the EEA or of a member state of the European Union.
5. USE AND DISCLOSURE OF REGISTRANT DATA
Use and Disclosure of Registrant Data.
IT Revolution will only use Registrant Data to provide Registrant access to Event, including to select Event sponsors, and associated products or services except with the prior written consent of Registrant or as otherwise expressly permitted under the Agreement. With the exception of the above, IT Revolution will not disclose Registrant Data outside of IT Revolution except (a) as Registrant directs or as required to provide the Services, (b) to Registrant’s third party service providers as directed by Registrant, (c) as otherwise described in any other applicable agreements between IT Revolution and Registrant, or (d) as required by Applicable Laws of the United States, Registrant’s country, or of a member state of the European Union to which IT Revolution is subject.
Disclosure of Registrant Data under Applicable Laws of the United States, Registrant’s Country, or a member of the European Union.
If IT Revolution is required to disclose Registrant Data by Applicable Laws of the United States, Registrant’s country, or of a member state of the European Union to which IT Revolution is subject, then IT Revolution will promptly notify Registrant unless prohibited by law. Upon receipt of any other third party request for Registrant Data, IT Revolution will promptly notify Registrant unless prohibited by law. IT Revolution will reject the request unless required by law to comply. If the request is valid, IT Revolution will attempt to redirect the third party to request the Registrant Data directly from Registrant.
6. IT REVOLUTION PERSONNEL
IT Revolution will ensure that its personnel authorized to process Registrant Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. IT Revolution will take steps to ensure that its personnel authorized to process Registrant Data do not process Registrant Data except pursuant to the Documented Instructions.
IT Revolution Security Measures.
IT Revolution will implement and maintain appropriate technical and organizational measures to protect Registrant Data, including measures to protect Registrant Data from unauthorized access, use, modification, deletion, loss or disclosure. IT Revolution uses and stores Registrant Data in United States and takes the following security measures to protect Registrant Data: data encryption, secured servers, password protection, limited access to sensitive data, storage of data in a secure database. IT Revolution will make available other information reasonably requested by Registrant regarding IT Revolution security practices and policies.
Registrant is solely responsible for making an independent determination as to whether IT Revolution’s technical and organizational measures for the Services meet Registrant’s requirements, including any of its security obligations under the GDPR or other Applicable Laws. Registrant agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risks to individuals) IT Revolution’s technical and organizational measures for the Services provide a level of security appropriate to the risk.
Registrant agrees that IT Revolution may use sub-processors to provide the Services to Registrant, to fulfill its contractual obligations under this PPA, or to provide certain services on its behalf. Registrant consents to IT Revolution’s use of sub-processors as described in this section.
Agreements with Sub-processors.
IT Revolution will enter into a written agreement with the sub-processor (a) permitting the sub-processor to access and use Registrant Data only to deliver the services IT Revolution has retained the sub-processor to provide and for no other purpose, and (b) requiring the sub-processor to provide at least the level of data protection required of IT Revolution under this PPA.
A list of the sub-processors that are currently engaged by IT Revolution to carry out processing activities on Registrant Data on behalf of Registrant is available upon request.
Controller Objection to New Sub-Processor.
Registrant may object to IT Revolution’s use of a new sub-processor where there are reasonable grounds to believe that the new sub-processor will be unable to comply with the terms of this PPA. If Registrant objects to IT Revolution’s use of a new sub-processor, Registrant will notify IT Revolution promptly in writing within ten days after notification regarding such sub-processor. Registrant’s failure to object in writing within such time period will constitute approval to use the new sub-processor. Registrant acknowledges that IT Revolution’s inability to use a particular new sub-processor may result in delay or inability to register for the Event or increased fees. IT Revolution will notify Registrant in writing of any change to fees that would result from IT Revolution’s inability to use a new sub-processor to which Registrant has objected.
9. DATA SUBJECT RIGHTS
IT Revolution will, to the extent legally permitted, promptly notify Registrant if (a) IT Revolution receives a request from a data subject for access to his or her own personal data, or for the rectification or erasure of such personal data, (b) IT Revolution receives any other request or query from a data subject relating to his or her own personal data, or (c) a data subject exercises any rights under the GDPR, such as rights of objection, restriction of processing, data portability or the right not to be subject to automated decision making (each, a “ Data Subject Request”). Taking into account the nature of the processing, IT Revolution will assist Registrant by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Registrant’s obligations to respond to Data Subject Requests. Registrant will pay for assistance performed by IT Revolution at reasonable market rates.
10. PERSONAL DATA BREACHES
IT Revolution will notify Registrant without undue delay after becoming aware of a personal data breach, and will provide Registrant with detailed information about the personal data breach to the extent reasonably possible and to the extent known. IT Revolution will use commercially reasonable efforts to provide to Registrant the information required by Registrant to fulfil any obligations under Applicable Laws to notify Registrant regulators and data subjects of the personal data breach.
Demonstration of Compliance.
At Registrant’s reasonable written request, IT Revolution will provide Registrant with information to demonstrate IT Revolution’s compliance with its obligations under this PPA. Registrant will pay for work performed by IT Revolution in response to the request at reasonable market rates.
12. PRIVACY IMPACT ASSESSMENTS AND PRIOR CONSULTATIONS
IT Revolution will assist Registrant in complying with Registrant’s obligations in respect of data protection impact assessments and prior consultation pursuant to Articles 35 and 36 of the GDPR, to the extent Registrant does not otherwise have access to the relevant information and to the extent such information is available to IT Revolution. Registrant will pay for assistance performed by IT Revolution at reasonable market rates.
13. TRANSFERS OF PERSONAL DATA
Registrant Data will be stored in the United States, unless otherwise specified by Registrant
(the “Region”). Registrant consents to the storage of Registrant Data in, and the transfer of Registrant Data into and out of, the Region, including the transfer of Registrant Data across international borders. IT Revolution will not move Registrant Data from the Region, except (i) as provided below, (ii) with the consent of Registrant, or (iii) as necessary to comply with Applicable Laws or a binding order of a Governmental Authority (such as a subpoena or court order). If Registrant provides Registrant Data as part of a request for assistance, IT Revolution may store and process that Registrant Data in the locations from which IT Revolution provides that assistance. To investigate fraud, abuse or violations of the Agreement, IT Revolution may process Registrant Data where IT Revolution maintains its support and investigation personnel. IT Revolution does not control or limit the locations from which Registrant or Registrant’s end-users may access Registrant Data or to which they may move Registrant Data.
Application of Standard Contractual Clauses.
The Standard Contractual Clauses will not apply to Registrant Data that is transferred, either directly or by onward transfer, to (a) any country that is a member of the EEA, (b) an organization in the United States that is a participant in the Privacy Shield Framework (or any successor recognized by the European Commission), (c) Canada or any other country recognised by the European Commission as providing an adequate level of protection for personal data (as described in the GDPR), (d) any organization within the
IT Revolution group of companies that is subject to binding corporate rules under the GDPR, or (e) any country or organization where the transfer is otherwise permitted under the GDPR. The Standard Contractual Clauses will apply to all other transfers of Personal Data to a country that is not a member of the European Union.
14. TERMINATION OF THIS PPA
This PPA will continue in force for a period of three years after last contact Registrant has made with IT Revolution. (the “ Termination Date”).
15. RETURN OR DELETION OF REGISTRANT DATA
For a period of three years, IT Revolution will make any Registrant Data in IT Revolution’s possession or control available to Registrant for export or download as reasonably agreed between the parties. Three years after last contact by Registrant with IT Revolution, IT Revolution will have no obligation to maintain or provide any Registrant Data, and will delete or destroy all copies of Registrant Data in its systems or otherwise in its possession or control, unless legally prohibited by Applicable Laws of the United States, Registrant’s country, or a member state of the European Union to which IT Revolution is subject. If Registrant would like his or her Registrant Data deleted prior to the three year retention period, Registrant may contact IT Revolution directly at firstname.lastname@example.org.
16. RECORDS OF PROCESSING ACTIVITIES
IT Revolution will maintain all records required by Article 30(2) of the GDPR and, to the extent applicable to the processing of Registrant Data on behalf of Registrant, will make those records available to Registrant upon request.
Order of Precedence.
In the event of any inconsistency between a term of this PPA and a term of the Agreement, the term of this PPA will take precedence over any separate agreements between IT Revolution and Registrant.
Changes to Applicable Data Protection Laws.
If either party seeks changes to this PPA to comply with a change in Applicable Laws or a binding and final decision of a regulator with jurisdiction over the party’s processing of personal data, then the parties will discuss in good faith how to address any necessary changes. IT Revolution may update this policy periodically. This policy was last updated April 21, 2020.
18.1 Contact Us. If you have any questions about this PPA, the Registrant Data, or you would like to exercise one of your data protection rights, please do not hesitate to contact us at email@example.com or firstname.lastname@example.org
17.2 Contact the Appropriate Authority. Should you wish to report a complaint or if you feel IT Revolution has not addressed your concern in an appropriate manner, you may contact the Information Commissioner’s Office through its website: https://ico.org.uk/global/contact-us/ .
“Agreement” means any separate agreements entered into between IT Revolution and Registrant.
“Applicable Laws” has the meaning specified in the Agreement and, for the purpose of this PPA, includes the GDPR.
“Registrant Data” means personal data that is part of the data submitted by or for Registrant to the IT Revolution Services and that is subject to the GDPR.
“data subject” has the meaning given to it in the GDPR.
“Documentation” has the meaning specified in the Agreement.
“GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“personal data” has the meaning given to it in the GDPR.
“personal data breach” has the meaning given to it in the GDPR.
“processing” has the meaning given to it in the GDPR, and “process”, “processes” and “ processed” will be interpreted accordingly.
“Standard Contractual Clauses” means the Standard Contractual Clauses (Processor) attached as an annex to the European Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC, or any successors to those clauses approved by the European Commission.