Introduction

The International Association of Privacy Professionals is a membership association for professionals who work in the field of information privacy and data protection. We do not knowingly attempt to solicit or receive information from children.

We know you care about your privacy, and we take that seriously. This Privacy Notice describes the IAPP’s policies and practices regarding its collection and use of your personal data and sets forth your privacy rights. We recognize that information privacy is an ongoing responsibility, and so we will from time to time update this Privacy Notice as we undertake new personal data practices or adopt new privacy policies.


Data Protection Officer

The IAPP is headquartered in New Hampshire, in the United States. The IAPP has appointed an internal data protection officer for you to contact if you have any questions or concerns about the IAPP’s personal data policies or practices. If you would like to exercise your privacy rights, please direct your query to the IAPP’s data protection officer. The IAPP’s data protection officer’s name and contact information are as follows:

Rita Heimes
IAPP
75 Rochester Avenue
Portsmouth, New Hampshire, 03801, USA
dpo@iapp.org
+1 603-427-9200


How we collect and use (process) your personal information

The IAPP collects personal information about its members and other customers. This information is generally limited to the kinds of information that can be found on a business card: first name, last name, job title, employer name, work address, work email, and work phone number. We use this information to provide members and customers with goods and services they purchase from us. We do not sell personal information to anyone and only share it with third parties who are facilitating the delivery of IAPP services.


Most IAPP customers provide their personal information directly to the IAPP. In some cases, the IAPP receives personal information about individuals from third parties. This may happen, for example, if your employer is a corporate member of the IAPP and signs you up for training, certification, or membership. One of our third-party training partners may also share your personal information with the IAPP when you purchase IAPP products from them. Your name may be given to the IAPP if you accept an invitation to speak at one of our meetings or events. We may also collect your personal data from a third party website (e.g. LinkedIn) if you fill out a form on that site requesting content from or registering for an event with the IAPP. You may always access and update your data with IAPP if you have an IAPP account and you may always contact us at dpo@iapp.org.

  1. Personal information IAPP collects:

    1. Membership

      When you become an IAPP member, we collect information about you including but not limited to your name, your employer’s name, your work address (including your country location), and your email address.

      We may also collect your personal email address, a personal mailing address, and a mobile phone number. We allow members to voluntarily provide additional information in their membership profile, such as information about their educational background, number of years in privacy, and related personal data. Members may opt-in to publish their membership status and information to the Member Directory, which is available to other IAPP members on the IAPP website.

      We process your personal information for membership administration, to deliver member benefits to you, and to inform you of IAPP-related events, content, and other benefits or opportunities associated with your IAPP membership. The IAPP may also use this information to help the IAPP understand our members’ needs and interests to better tailor our products and services to meet your needs.

      Members often participate in local KnowledgeNet chapter meetings. These meetings are organized by volunteers (KnowledgeNet chapter chairs) and take place at various locations that donate their space for the meetings. The IAPP collects registration information from IAPP members and their guests, which it shares with the KnowledgeNet chapter chairs and location hosts for purposes of verifying registration and to ensure only registered guests are allowed attendance.

      | Personal data categories | Purpose | GDPR Lawful Basis |
      | --- | --- | --- |
      | Name and contact information; payment information | Provide membership services, including access to website and other content and discounts on purchases; fulfill customer subscriptions | Contractual necessity (Article 6(1)(b)) |
      | Employment and other professional biographical information; professional activities | Provide customer service support; inform customer of membership benefits and professional opportunities; assist customer with professional networking and self-promotion, and participation in IAPP community; programming events; understanding members’ needs and interests to better tailor products and services to meet member needs; verifying registration and ensuring only registered guests are allowed attendance; supplement member profile; enhance Member Directory for improved networking; business intelligence | IAPP’s legitimate interest (Article 6(1)(f)) |

    2. Live events

      The IAPP hosts many live, in-person events throughout the year. These include conferences such as the Global Privacy Summit and the Data Protection Congress. If you register for one of our events and you are a member, we will access the information in your member account to provide you with information and services associated with the event. You may be asked to provide more information when signing up for an event than is found in your IAPP profile (e.g. whether it’s your first IAPP event, your meal preferences, and some information about your title and industry).

      If you are not a member and you sign up for one of our events, we will collect the following information: name, email, company, title, industry, address, phone number, whether it’s your first IAPP event, and your meal preferences.

      IAPP uses the information provided by event attendees to provide them with event services, including badge printing, tracking your Continuing Privacy Education (CPE) credits, tailoring sessions to meet the audience profile and to determine the sessions likely to require the biggest rooms, and related purposes connected with the event. We also use the information for billing purposes, as some attendees do not pay at the time of registration. After the event, IAPP de-identifies the information collected from attendees and uses de-identified information to review outcomes of past events and plan for future events.

      If you are a presenter at one of our events, we will collect information about you including your name, employer and contact information, and photograph, and we may also collect information provided by event attendees who evaluated your performance as a presenter. We may also make and store a recording of your voice and likeness in certain instances.

      We keep a record of your participation in IAPP events as an attendee or presenter. This information may be used to provide you with membership and certification services (such as, for example, keeping track of your Continuing Privacy Education (CPE) credits, or to tell you about other events and publications). It may also be used to help the IAPP understand our members’ needs and interests to better tailor our products and services to meet your needs.

      In association with attending one or more of our conferences, you will have the option to download the “IAPP Events App” to help you navigate the conference and plan your schedule. The IAPP Events App’s sole purpose is to act as a mobile interface for IAPP conferences, not to collect your data. The IAPP does not collect any personal information from your device, nor will the application ask for personal information to use the app. We do not access any other applications on your device. We do not monitor app data or analytics, nor do we use any tracking or analytics tools on this app. Although we may send “push notifications” to update your app, IAPP does not otherwise use it to communicate with you.

      When you register for a live event, you will have an opportunity to opt-in to be listed in an attendee list. This list is shared with event sponsors/exhibitors as well as other attendees. You will also have the opportunity to opt-in to receive advertising by mail from our event sponsors/exhibitors. In that case, the IAPP would engage a third-party mailing house and would not share your mailing address directly with the sponsor/exhibitor.

      Exhibitors at IAPP events may wish to scan your badge so they can contact you with more information. The IAPP uses Cvent to provide badge scanning services to exhibitors who request it. By allowing an exhibitor to scan your badge you are consenting to have Cvent provide the exhibitor with your contact information, and thereafter you may be contacted by the exhibitor post-event. If you do not wish the exhibitor to contact you, please communicate this directly with the exhibitor at the event or thereafter.

      | Personal data categories | Purpose | GDPR Lawful Basis |
      | --- | --- | --- |
      | Name, contact information, payment information | Event registration; event app validation | Contractual necessity (Article 6(1)(b)) |
      | Professional biographical information; professional activities information; meal preference | Ensure event subject matter and content is relevant to attendee needs; ensure adequate food and dietary provisions; badge printing; tracking Continuing Privacy Education (CPE) credits; determining which sessions require larger rooms; providing attendees with information and services associated with the event | IAPP’s legitimate interest (Article 6(1)(f)) |

    3. Web conferences

      The IAPP offers several web conferences throughout the year. Many of them are free to IAPP members, while non-members are charged a fee. IAPP also offers web conferences that are co-sponsored by the IAPP and its corporate partners and these conferences are free to everyone because of the co-sponsor’s underwriting. This means that when you register for a co-sponsored, live web conference, you will be providing your registration information to both the IAPP and the applicable co-sponsor. All IAPP web conference co-sponsors must agree to follow applicable privacy and data protection laws. Recorded web conferences may be accessed without providing information to the co-sponsor.

      | Personal data categories | Purpose | GDPR Lawful Basis |
      | --- | --- | --- |
      | Name and contact information | Access to web conference | Contractual necessity (Article 6(1)(b)) |
      | Name and contact information | Direct marketing | IAPP’s legitimate interest (Article 6(1)(f)) |

    4. Publications & Newsletters

      In addition to producing original content, the IAPP also subscribes to news feeds and blogs produced by others, which we often link to from our website and within our newsletters. This means you may find yourself on the IAPP website or reading an email from the IAPP publications team and we will offer you a link to another organization’s website where you will find content on privacy or data protection that we find relevant and useful to you. At these times, you will be leaving the IAPP website. The IAPP is not responsible or liable for content provided by these third-party websites or personal information they may happen to gather from you.

      To receive IAPP newsletters by email, you will need to create a “profile” with us which involves providing the IAPP with at least your first name and last name, an email address, and the country in which you live. The purpose of processing this data is to have the necessary information to deliver the IAPP’s newsletters by email. You may at your own option choose to subscribe to IAPP News and Updates which may be considered direct marketing. You may unsubscribe at any time to newsletter subscriptions as well as marketing messages.

      The IAPP from time to time sends research surveys to subscribers of the IAPP Daily Dashboard. By subscribing to the Daily Dashboard, you agree to receive these survey requests occasionally. You are under no obligation to take the surveys.

      The IAPP uses a third-party email service provider (Marketo) to manage our subscriptions. Services like this are necessary because email hosts like Marketo are able to send bulk emails, manage subscribe/unsubscribe features, and keep track of open rates and invalid email addresses. When you click on a hyperlink in the email, the URL will include a tracking code. If (and only if) you have accepted Marketo’s cookie (Munchkin) through the IAPP’s cookie tool, then that information will be recorded in IAPP’s account with Marketo and associated with you. The IAPP uses this information to better understand what information is of interest to its subscribers so it can produce more of that information for them. Marketo does not use or sell this information.

      As noted above, you may manage your IAPP subscriptions by subscribing or unsubscribing at any time. Please note that if you have set your browser to block cookies, this may have an impact on your ability to unsubscribe. If you have any difficulties managing your email or other communication preferences with the IAPP, please contact us at dpo@iapp.org.

      | Personal data categories | Purpose | GDPR Lawful Basis |
      | --- | --- | --- |
      | Name and contact information | Access to email newsletters; direct marketing | IAPP’s legitimate interest (Article 6(1)(f)) |

    5. Web and digital analytics

      The IAPP uses Google Analytics (GA4) to track how often people gain access to or read our content. Provided you have opted-in to analytics cookies, we use this information in the aggregate to understand what content our members find useful or interesting, so we can produce the most valuable content to meet your needs.

      | Personal data categories | Purpose | GDPR Lawful Basis |
      | --- | --- | --- |
      | Anonymous website usage intelligence | Improve products and services | IAPP’s legitimate interest (Article 6(1)(f)) |
      | Cookies data | Business intelligence | Consent (Article 6(1)(a)) |

    6. Training

      If you participate in IAPP training, you may sign up directly through the IAPP, in which case we collect your name and contact information directly from you. You may, alternatively, sign up for training – or be signed up for training – by or through a third party such as one of our training partners, or your own employer. We may also use independent contractors to conduct the training and third parties to provide the training venue. Your personal information will be stored in our database (hosted by a cloud service provider) and may also be shared with our training partners, trainers, and/or the venue hosting the event (to verify your identity when you arrive). The IAPP’s training partners, trainers, and data transfer hosts have agreed not to share your information with others and not to use your personal information other than to provide you with IAPP products and services.

      | Personal data categories | Purpose | GDPR Lawful Basis |
      | --- | --- | --- |
      | Name and contact information | Provide access to purchased training | Contractual necessity (Article 6(1)(b)) |
      | Professional details | Tailor content to customers | IAPP’s legitimate interest (Article 6(1)(f)) |

    7. Certification

      When you sign up to take one of the IAPP’s certification exams, we will collect your name and contact information. We will also collect and store information you provide to us about your need for special accommodations. IAPP shares your personal information as necessary with our exam hosting service, Pearson Vue.

      Pearson Vue uses third-party testing centers in a variety of locations throughout the world. These testing centers collect personally identifying information from anyone who arrives at the center to take any exam. This information may include your name, your photograph, and a government-issued identification. The testing centers use this information to verify your identity should you return to re-take the same exam and eliminate examination by proxy (someone else taking your exam). The testing centers act as data controllers with this information and this information is not shared with the IAPP.

      IAPP engages Pearson VUE’s “OnVue” program for test candidates electing to take exams online. This process requires taking the exam in a location in which no other people are present during the exam and also requires the disclosure of certain personal information to Pearson VUE. For more information about IAPP’s online certification data processing practices, please visit Certification Privacy FAQ.

      The IAPP will collect your exam results and, in conjunction with maintaining your certification(s), your record of participation in continuing privacy education. Only authorized employees within the IAPP have access to your certification exam scores and personal information pertaining to any special accommodations you may request. Information submitted to support special accommodation requests is maintained for no more than one year after submission.

      | Personal data categories | Purpose | GDPR Lawful Basis |
      | --- | --- | --- |
      | Name and contact information; special accommodation requirements; testing information | Provide certification exam services (in-person or online) | Contractual necessity (Article 6(1)(b)) |

    8. Your correspondence with the IAPP

      If you correspond with us by email, the postal service, or other form of communication, we may retain such correspondence and the information contained in it and use it to respond to your inquiry or to keep a record of your complaint, accommodation request, or similar concern. As always, if you wish to have the IAPP “erase” your personal information or otherwise refrain from communicating with you, please contact us at dpo@iapp.org.

      Note: if you ask the IAPP not to contact you by email at a certain email address, the IAPP will retain a copy of that email address on its “master do not send” list in order to comply with your no-contact request.

      | Personal data categories | Purpose | GDPR Lawful Basis |
      | --- | --- | --- |
      | Name, contact information, communication content | Customer service and support | IAPP’s legitimate interest (Article 6(1)(f)) |

    9. Payment and purchase information

      You may choose to purchase goods or services from the IAPP using a payment card. Typically, payment card information is provided directly by users, via the IAPP website, into the PCI/DSS-compliant payment processing service to which the IAPP subscribes, and the IAPP does not, itself, process or store the card information. Occasionally, members or customers ask IAPP employees to, on their behalf, enter payment card information into the PCI/DSS-compliant payment processing service to which the IAPP subscribes. We strongly encourage you not to submit this information by email. When IAPP employees receive payment card information from customers or members by email, fax, phone, or mail, it is entered as instructed and then deleted or destroyed.

      IAPP’s ecommerce system collects shipping and billing information to fulfill customer orders. IAPP relies on the legitimate interest basis for processing this personal data.

      | Personal data categories | Purpose | GDPR Lawful Basis |
      | --- | --- | --- |
      | Name; payment information; billing address; shipping address | Fulfilling customer orders | IAPP’s legitimate interest (Article 6(1)(f)) |

  2. What happens if you don’t give us your data

    You can enjoy many of the IAPP’s services without giving us your personal data because a great deal of information on our website is available even to those who are not IAPP members. You can also enjoy subscriptions to our newsletters without becoming an IAPP member, but you will need to create a profile with us which involves providing your name, email, country and postal code. Some personal information is necessary so that the IAPP can supply you with the services you have purchased or requested, and to authenticate you so that we know it is you and not someone else.


Use of the iapp.org Website

As is true of most other websites, the IAPP’s website collects certain information automatically and stores it in log files. The information may include internet protocol (IP) addresses, the region or general location where your computer or device is accessing the internet, browser type, operating system and other usage information about the use of the IAPP’s website, including a history of the pages you view. We use this information to help us design our site to better suit our users’ needs. We may also use your IP address to help diagnose problems with our server and to administer our website, analyze trends, track visitor movements, and gather broad demographic information that assists us in identifying visitor preferences.


The IAPP has a legitimate interest in understanding how members, customers and potential customers use its website. This assists the IAPP with providing more relevant products and services, with communicating value to our sponsors and corporate members, and with providing appropriate staffing to meet member and customer needs.

  • Cookies and web beacons

    The IAPP makes available a comprehensive Cookie Notice that describes the cookies used on the IAPP website and provides information on how users can accept or reject them. Click here to view the notice.

  • Do not track

    The IAPP tracks users when they cross from our primary public website (iapp.org) to our “IAPP community” portion of the site (my.iapp.org) by logging in with their user name and password, as well as when visitors to our website enter through a marketing landing page (pages.iapp.org). The IAPP also keeps a record of third party websites accessed when a user is on the IAPP site and clicks on a hyperlink. But the IAPP does not track users to subsequent sites and does not serve targeted advertising to them. The IAPP does not, therefore, respond to Do Not Track (DNT) signals.


When and how we share information with others

Information about your IAPP purchases and certification status is maintained in association with your membership or profile account. The personal information the IAPP collects from you is stored in one or more databases hosted by third parties located in the United States. These third parties do not use or have access to your personal information for any purpose other than cloud storage and retrieval. On occasion, the IAPP engages third parties to mail information to you, including items like books you may have purchased, or material from an event sponsor.


We do not otherwise reveal your personal data to non-IAPP persons or businesses for their independent use unless: (1) you request or authorize it; (2) it’s in connection with IAPP-hosted and IAPP co-sponsored conferences as described above; (3) it is to assist your employer with confirming receipt or consumption of a purchase they made on your behalf; (4) the information is provided to comply with the law (for example, to comply with a search warrant, subpoena, or court order), enforce an agreement we have with you, or to protect our rights, property or safety, or the rights, property or safety of our employees or others; (5) the information is provided to our agents, vendors or service providers who perform functions on our behalf; (6) to address emergencies or acts of God; or (7) to address disputes, claims, or to persons demonstrating legal authority to act on your behalf; and (8) through the IAPP Member Directory as described below. We may also gather aggregated data about our members and Site visitors and disclose the results of such aggregated (but not personally identifiable) information to our partners, service providers, advertisers, and/or other third parties for marketing or promotional purposes.

The IAPP website uses interfaces with social media sites such as Facebook, LinkedIn, Twitter and others. If you choose to "like" or share information from the IAPP website through these services, you should review the privacy policy of that service. If you are a member of a social media site, the interfaces may allow the social media site to connect your site visit to your personal data.


Transferring personal data to the U.S.

The IAPP has its headquarters in the United States. Information we collect about you will be processed in the United States. By using the IAPP’s services, you acknowledge that your personal information will be processed in the United States and, depending on the circumstances, that may involve a transfer of your information to the United States. The IAPP provides safeguards by entering binding, standard data protection clauses where appropriate for the data subjects’ location. The IAPP also enters into data processing agreements and model clauses with its suppliers whenever feasible and appropriate. Since it was founded in 2000, the IAPP has received zero government requests for information.

For more information or if you have any questions, please contact us at dpo@iapp.org.


Data subject rights

The European Union’s General Data Protection Regulation and other countries’ privacy laws provide certain rights for data subjects. A good explanation of them (in English) is available on the website of the Irish Data Protection Commission.


This Privacy Notice is intended to provide you with information about what personal data the IAPP collects about you and how it is used. If you have any questions, please contact us at dpo@iapp.org.

If you wish to confirm that the IAPP is processing your personal data, or to have access to the personal data the IAPP may have about you, please contact us at dpo@iapp.org.

You may also request information about: the purpose of the processing; the categories of personal data concerned; who else outside the IAPP might have received the data from the IAPP; what the source of the information was (if you didn’t provide it directly to the IAPP); and how long it will be stored. You have a right to correct (rectify) the record of your personal data maintained by the IAPP if it is inaccurate. You may request that the IAPP erase that data or cease processing it, subject to certain exceptions. You may also request that the IAPP cease using your data for direct marketing purposes. In many countries, you have a right to lodge a complaint with the appropriate data protection authority if you have concerns about how the IAPP processes your personal data. When technically feasible, the IAPP will—at your request—provide your personal data to you or transmit it directly to another controller.

You may, at no cost to you, generate a report of most of the personal data the IAPP has regarding you by visiting our data access request portal: https://iapp.org/about/data-access-request/. Using this portal also authenticates you and supports your submission of a more comprehensive access request. If access cannot be provided within a reasonable time frame, the IAPP will provide you with a date when the information will be provided. If for some reason access is denied, the IAPP will provide an explanation as to why access has been denied.

For questions or complaints concerning the processing of your personal data, you can email the IAPP’s data protection officer at dpo@iapp.org.

In many jurisdictions, including but not limited to in the European Union, you have recourse with your nation’s data protection authority. To find your DPA, visit the IAPP’s global privacy directory.


Security of your information

To help protect the privacy of data and personally identifiable information you transmit through use of this Site, we maintain physical, technical and administrative safeguards. We update and test our security technology on an ongoing basis. We restrict access to your personal data to those employees who need to know that information to provide benefits or services to you. In addition, we train our employees about the importance of confidentiality and maintaining the privacy and security of your information. We commit to taking appropriate disciplinary measures to enforce our employees' privacy responsibilities.


Data storage and retention

Your personal data is stored by the IAPP on its servers, and on the servers of third party cloud-based database management services the IAPP engages, located in the United States. The IAPP retains data for the duration of the customer’s or member’s business relationship with the IAPP and for a period of time thereafter to allow members to recover accounts if they decide to renew, to analyze the data for IAPP’s own operations, and for historical and archiving purposes associated with IAPP’s history as a membership association. For more information on where and how long your personal data is stored, and for more information on your rights of erasure and portability, please contact the IAPP’s data protection officer at dpo@iapp.org.


Questions, concerns or complaints

If you have questions, concerns, complaints, or would like to exercise your rights, please contact the IAPP’s data protection officer:

Rita Heimes
IAPP
75 Rochester Avenue
Portsmouth, New Hampshire, 03801, USA
dpo@iapp.org
+1 603-427-9200