Declaration on the protection of Personal data General Data Protection Regulation – GDPR
1. Preliminary Provisions
The General Data Protection Regulation — GDPR (Regulation EU 2016/679 of 27 April 2016) – contains provisions for managing, Processing and more effectively securing the Personal data of European citizens. When performing Contracts entrusted to it by its clients, Co-mana processes the Personal data communicated to it by its clients and/or by Participants in the Events which it organises. Most of the Processing is carried out by Co-mana as a Processor since it processes Personal data under instructions it receives from the client who is the Controller. Co-mana may also act as Controller where it has itself defined the purposes of the Processing operations.
The purpose of this Declaration is to define the terms and conditions applicable to the Processing by Co-mana of the Personal data entrusted to it by Participants and/or its clients.
In this Declaration, the terms below have the following meanings assigned to them:
- Contract: the formal or informal request received by Co-mana from its client to organise an Event;
- GDPR: Regulation 2016/679 of 27/04/2016 by the European Parliament and the Council;
- Event: any Event organised by the client who subcontracts all or part of it to Co-mana on the basis of a Contract, and bringing together Participants who have voluntarily manifested their desire to take part in it;
- Participant: any natural person who has expressed his interest in participating in or in being informed of the existence of an Event organised by the client and who agrees to supply Personal data for the purpose of having it processed in order to facilitate the communication of information regarding the Event and/or his presence at it;
- Registration website: a website dedicated to the collection of data on Participants for a given Event;
- Processing: any operation or set of operations which is performed on Personal data or on sets of Personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- Personal data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data,an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal data; where the purposes and means of such Processing are determined by Union or Member State law, the Controller or the specific criteria for its nomination may be provided for by Union or Member State law;
- Processor: a natural or legal person, public authority, agency or other body which processes Personal data on behalf of the Controller.
4. The categories of Personal data processed by Co-mana
The Personal data processed by Co-mana is only that of Participants as supplied by them through the Registration website or by the client. The categories of data are as follows:
- Identification data: name, forename, address, passport number, date of birth, nationality, telephone number, mobile phone number, email address, …
- Job data: company, position, …
- Travel data: departure and arrival airports, airline company, flight schedule, name of the hotel, number of nights, …
- Accounting and financial data: bank account numbers, VAT number, credit card details, participation fees, reimbursement class, …
- Private life data: diet, shared accommodation, relevant medical data (allergies, …), contacts in case of emergency, dependent children, …
5. Nature and purpose of Processing
The nature and purpose of the Processing carried out by Co-mana are solely to enable it to organise the Event for which the data has been collected. Co-mana undertakes to process the Personal data of Participants only, and insofar as is necessary, for the purpose of carrying out the services described in the Contract with its client. Unless expressly agreed otherwise beforehand and in writing by the Participant and the client, Co-mana shall refrain from Processing the data for any other purpose. Where Co-mana carries out the Processing in pursuit of legitimate interests, it shall satisfy itself that the interests or basic rights and freedoms of the data subject do not prevail over the legitimate interests it seeks to pursue.
6. Duration of the Processing
The Processing of the data shall be carried out throughout the duration of the Contract.
7. Storage and erasure of Personal data
Co-mana will store Personal data throughout the duration of the Contract. At the end of the Contract, Co-mana will erase all Personal data or render it anonymous after the expiry of storage periods imposed by law and relevant periods of limitation.
8. Data Protection Officer
The Data Protection Officer of Co-mana is:
Eric VANDEN BORRE
Rue Ortelius, 22
9. Security of Personal data
Co-mana carries out all necessary technical and organisational measures to ensure the security of any Personal data entrusted to it, and in particular:
- Ensuring user awareness
- Authentication and authorisation of users
- Access management and incident management
- Rendering workstations secure
- Protection of the internal data network
- Security of servers
- Security of the websites
- Ongoing updates of infrastructure security
- Maintenance and planning for the continuation of the business
- Secure and validated archiving
- Secure physical access to data
- Control of data storage and erasure
- Management of subcontractors
- Secure exchanges with other bodies
- Protection of premises
- Control of data Processing developments
- Use of encryption.
10. The rights of data subjects
Data subjects have the following rights:
- right to access
- right to rectification
- right to erasure or to be forgotten
- right to restriction of Processing
- right to objection
- right to data portability.
Data subjects also have the right to lodge a complaint with the Data Protection Authority regarding
the application of the provisions contained in the GDPR.
11. Obligations of Co-mana as a Processor
11.1 As a Processor, Co-mana will process data only according to documented instructions from the Controller. The Contract constitutes the documented instructions which the client hands Co-mana concerning the Processing of Personal data. If Co-mana considers that such an instruction infringes the European Regulation or other Union or Member State data protection provisions, he will immediately inform the Controller.
11.2 Co-mana undertakes to process Personal data in total secrecy. To that end it informs the members of its staff of their obligations regarding Personal data and guarantees that the persons authorised to process such data are bound by an obligation of secrecy.
11.3 At the request of the client and, given the nature of the Processing and the information to which Co-mana is privy, Co-mana will assist the client to:
- implement appropriate technical and organisational measures to guarantee a level of security
that is appropriate to the risk,
- notify, if necessary, any violations of Personal data to the Supervisory Authority and/or the
- carry out, where necessary, an assessment of the impact of Processing Personal data and to
consult the supervisory authority in advance.
11.4 Co-mana will notify the client and the Participant concerned of any violation of Personal data occurring in the Processing procedure covered by the Contract and will do so as soon as possible once the violation has come to its attention.
11.5 Co-mana will make available all information necessary to demonstrate its compliance with the obligations laid down in Article 28 of the GDPR.
11.6 Where it is informed by the client, Co-mana will, given the nature of the Processing and the information to which it is privy, assist the client insofar as is possible to meet its obligation to respond to requests it receives from data subjects exercising their rights.