Introduction

The International Association of Privacy Professionals is a professional membership association for people who work in the field of information privacy and data protection. We do not knowingly attempt to solicit or receive information from children.

We understand that you are aware of and care about your own personal privacy interests, and we take that seriously. This Privacy Notice describes the IAPP’s policies and practices regarding its collection and use of your personal data, and sets forth your privacy rights. We recognize that information privacy is an ongoing responsibility, and so we will from time to time update this Privacy Notice as we undertake new personal data practices or adopt new privacy policies.

Data Protection Officer

The IAPP is headquartered in New Hampshire, in the United States. The IAPP has appointed an internal data protection officer for you to contact if you have any questions or concerns about the IAPP’s personal data policies or practices. The IAPP’s data protection officer’s name and contact information are as follows:

Rita Heimes
IAPP
75 Rochester Avenue
Portsmouth, New Hampshire, USA
dpo@iapp.org
+1 603-427-9200

How we collect and use (process) your personal information

The IAPP collects personal information about its members and other customers. With a few exceptions, this information is limited to the kinds of information that can be found on a business card: first name, last name, job title, employer name, work address, work email, and work phone number. We use this information to provide members and customers with goods and services, including membership services, privacy and data protection content, certification, training, and the like. We do not sell personal information to anyone and only share it with third parties who are facilitating the delivery of IAPP services.

  1. Personal information you give to us:

    1. Membership

      When you become an IAPP member, we collect information about you including but not limited to your name, your employer’s name, your work address (including your country location), and your email address. We may also collect your personal email address, a personal mailing address, and a mobile phone number. We ask members to voluntarily provide additional information in their membership profile, such as information about their educational background, number of years in privacy, and related personal data.

      When people sign up for an IAPP event, we ask for information to help us program our events to match audience interests. You may be asked to update your IAPP membership profile when you sign up for an event; this is optional, but we find the information provided at event registration is often more accurate and up-to-date than information provided at membership registration. Members may edit their profile at any time to change, add, or remove personal information.

      We process your personal information for membership administration, to deliver member benefits to you, and to inform you of IAPP-related events, content, and other benefits or opportunities associated with your IAPP membership. The IAPP may also use this information to help the IAPP understand our members’ needs and interests to better tailor our products and services to meet your needs.

      Members often participate in local KnowledgeNet chapter meetings. These meetings are organized by volunteers (KnowledgeNet chapter chairs) and take place at various locations that donate their space for the meetings. The IAPP collects registration information from IAPP members and their guests, which it shares with the KnowledgeNet chapter chairs and location hosts for purposes of verifying registration and to ensure only registered guests are allowed attendance.

      The IAPP relies on fulfillment of contract as the lawful basis under GDPR Article 6 for processing members’ personal information.

    2. Live events

      The IAPP hosts many live, in-person events throughout the year. These include conferences like the Global Privacy Summit and the Data Protection Congress, for example. If you register for one of our events and you are a member, we will access the information in your member account to provide you with information and services associated with the event. You may be asked to provide more information when signing up for an event than is found in your IAPP profile (e.g. whether it’s your first IAPP event, your meal preferences, and some information about your title and industry).

      If you are not a member and you sign up for one of our events, we will collect the following information: name, email, company, title, industry, address, phone number, whether it’s your first IAPP event, meal preferences, and the like.

      IAPP uses the information provided by event attendees to provide them with event services, including badge printing, tracking your Continuing Privacy Education (CPE) credits, tailoring sessions to meet the audience profile and to determine the sessions likely to require the biggest rooms, and related purposes connected with the event. We also use the information for billing purposes, as some attendees do not pay at the time of registration. After the event, IAPP de-identifies the information collected from attendees and uses de-identified information to review outcomes of past events and plan for future events.

      If you are a presenter at one of our events, we will collect information about you including your name, employer and contact information, and photograph, and we may also collect information provided by event attendees who evaluated your performance as a presenter. We may also make and store a recording of your voice and likeness in certain instances. The IAPP relies on a legitimate interest basis for collecting, storing and processing this information.

      We keep a record of your participation in IAPP events as an attendee or presenter. This information may be used to provide you with membership and certification services (such as, for example, keeping track of your Continuing Privacy Education (CPE) credits, or to tell you about other events and publications). It may also be used to help the IAPP understand our members’ needs and interests to better tailor our products and services to meet your needs.

      In association with attending one or more of our conferences, you will have the option to download the “IAPP Events App” to help you navigate the conference and plan your schedule. The IAPP Events app’s sole purpose is to act as a mobile interface for IAPP conferences, not to collect your data. The IAPP does not collect any personal information from your device, nor will the application ask for personal information to use the app. We do not access any other applications on your device. We do not monitor app data or analytics, nor do we use any tracking or analytics tools on this app. Although we may send “push notifications” to update your app, IAPP does not otherwise use it to communicate with you.

      Some of our events are sponsored. The IAPP provides an attendee list to sponsors, co-sponsors and exhibitors of our events. The IAPP may also allow sponsors, co-sponsors and/or exhibitors to send you material by mail once per sponsored event, in which case the IAPP engages a third-party mailing house and does not share your mailing address directly with the sponsor/exhibitor. If you do not wish to have your information included in an attendee list or to receive information from sponsors, co-sponsors and/or exhibitors, you can express your preferences when you register for events or you may contact the IAPP directly at dpo@iapp.org. Sharing your personal information with a sponsor allows you to receive the content for free. We do give attendees a choice not to receive marketing messages from the sponsor or from the IAPP.

      Exhibitors at IAPP events may wish to scan your badge so they can contact you with more information. The IAPP uses Expo Logic to provide badge scanning services to exhibitors who request it. By allowing an exhibitor to scan your badge you are consenting to have Expo Logic provide the exhibitor with your contact information, and thereafter you may be contacted by the exhibitor post-event. If you do not wish the exhibitor to contact you, please communicate this directly with the exhibitor at the event or thereafter.

    3. Web conferences

      The IAPP offers several web conferences throughout the year. Many of them are free to IAPP members, while non-members are charged a fee. IAPP also offers web conferences that are co-sponsored by the IAPP and its corporate partners and these conferences are often free to everyone because of the co-sponsor’s underwriting. This means that when you register for a co-sponsored web conference, you will be providing your registration information to both the IAPP and the applicable co-sponsor. All IAPP web conference co-sponsors must agree to follow applicable privacy and data protection laws.

    4. Publications

      The IAPP offers a great deal of content for our members (and non-members). In addition to producing original content, the IAPP also subscribes to news feeds and blogs produced by others, which we often link to from our website. This means you may find yourself on the IAPP website or reading an email from the IAPP publications team and we will offer you a link to another organization’s website where you will find content on privacy or data protection that we find relevant and useful to you. At these times, you will be leaving the IAPP website. The IAPP is not responsible or liable for content provided by these third-party websites or personal information they may happen to gather from you.

      You may wish to subscribe to the IAPP’s publications without becoming a member of the IAPP. For example, many people sign up to receive the IAPP’s Daily Dashboard even though they are not IAPP members. To receive IAPP newsletters by email, you will need to create a “profile” with us which involves providing the IAPP with at least your first name and last name, an email address, and the country in which you live. The IAPP does not share this information with any third party other than to store the information in our cloud-hosted databases. We rely on a contract basis to process your personal information for purposes of fulfilling your request to receive our publications. You may at your own option choose to subscribe to IAPP News and updates which may be considered direct marketing.

      The IAPP from time to time sends research surveys to subscribers of the IAPP Daily Dashboard. By subscribing to the Daily Dashboard, you agree to receive these survey requests occasionally. You are under no obligation to take the surveys.

      The IAPP uses a third-party email service provider (Marketo) to manage our subscriptions. Services like this are necessary because email hosts like Marketo are able to send bulk emails, manage subscribe/unsubscribe features, keep track of open rates and invalid email addresses, and related functions. When you click on a hyperlink in the email, the URL will include a tracking code. If (and only if) you have accepted Marketo’s cookie (Munchkin) through the IAPP’s cookie tool, then that information will be recorded in IAPP’s account with Marketo and associated with you. The IAPP uses this information to better understand what information is of interest to its subscribers so it can produce more of that information for them. Marketo does not use or sell this information.

      You may manage your IAPP subscriptions by subscribing or unsubscribing at any time. Please note that if you have set your browser to block cookies, this may have an impact on your ability to unsubscribe. If you have any difficulties managing your email or other communication preferences with the IAPP, please contact us at dpo@iapp.org.

      The IAPP uses Google Analytics to track how often people gain access to or read our content. Provided you have opted-in to analytics cookies, we use this information in the aggregate to understand what content our members find useful or interesting, so we can produce the most valuable content to meet your needs.

    5. Training

      If you participate in IAPP training, you may sign up directly through the IAPP, in which case we collect your name and contact information directly from you. You may, alternatively, sign up for training – or be signed up for training – by or through a third party such as one of our training partners, or your own employer. We may also use independent contractors to conduct the training and third parties to provide the training venue. Your personal information will be stored in our database (hosted by a cloud service provider) and may also be shared with our training partners, trainers, and/or the venue hosting the event (to verify your identity when you arrive). The IAPP’s training partners, trainers, and data transfer hosts have agreed not to share your information with others and not to use your personal information other than to provide you with IAPP products and services. The IAPP relies on fulfillment of a contract to process personal data associated with providing training services.

    6. Certification

      When you sign up to take one of the IAPP’s certification exams, we will collect your name and contact information. We will also collect and store information you provide to us about your need for special accommodations. IAPP shares your personal information as necessary with our computer-based exam hosting service, Pearson Vue. The computer-based exam hosting service may also share with us information you provide to them to verify your identity in taking the exam.

      Pearson Vue uses third-party testing centers in a variety of locations throughout the world. These testing centers collect personally identifying information from anyone who arrives at the center to take any exam. This information may include your name, your photograph, a government-issued identification, and the like. The testing centers use this information to verify your identity should you return to re-take the same exam and eliminate examination by proxy (someone else taking your exam). The testing centers act as data controllers with this information and this information is not shared with the IAPP.

      As of May 2020, IAPP has engaged Pearson VUE’s “OnVue” online proctoring program for test candidates electing to take exams online. This process requires taking the exam in a location in which no other people are present during the exam and also requires the disclosure of certain personal information to Pearson VUE. Specifically, Pearson VUE will collect test candidates’ photographs and photo identifications and use artificial intelligence to confirm that they are the same person for the purpose of preventing exam fraud. In addition, test candidates must take pictures of their environment to demonstrate that they do not have materials at hand that could assist them in answering the questions (e.g. cheating). The candidates’ testing experience will be recorded as well, and Pearson will collect a phone number in case the candidates’ online connection is disrupted. Pearson VUE maintains this data for 30 days after which, if there is no appeal of the exam experience by the candidate, it is deleted.

      The IAPP will collect your exam results and, in conjunction with maintaining your certification(s), your record of participation in continuing privacy education. Only authorized employees within the IAPP have access to your certification exam scores and personal information pertaining to any special accommodations you may request. Information submitted to support special accommodation requests is maintained for no more than one year after submission. The IAPP relies upon a contract fulfillment basis to process personal data associated with providing certification services.

    7. Your correspondence with the IAPP

      If you correspond with us by email, the postal service, or other form of communication, we may retain such correspondence and the information contained in it and use it to respond to your inquiry; to notify you of IAPP conferences, publications, or other services; or to keep a record of your complaint, accommodation request, or similar concern. As always, if you wish to have the IAPP “erase” your personal information or otherwise refrain from communicating with you, please contact us at dpo@iapp.org.

      Note: if you ask the IAPP not to contact you by email at a certain email address, the IAPP will retain a copy of that email address on its “master do not send” list in order to comply with your no-contact request.

      The IAPP has a legitimate interest in maintaining personal information of those who communicate voluntarily with the IAPP.

    8. Purposes for processing your data

      As explained above, the IAPP processes your data to provide you with the goods or services you have requested or purchased from us, including membership services, events, publications and other content, certification, and training. We use this information to refine our goods and services to better tailor them to your needs and to communicate with you about other services the IAPP offers that may assist you in your career or otherwise help you do your job as a privacy professional. Most of the time, the IAPP needs to process your personal data to fulfill an order for goods or services – including membership services, with all the attendant benefits and professional opportunities the IAPP provides. Sometimes the IAPP has a legitimate interest in processing data to better understand the needs, concerns, and interests of IAPP members and customers so the IAPP can operate optimally as an association and as a business. And sometimes, the IAPP relies upon your consent, in which case we will keep a record of it and honor your choices.

    9. Payment card information

      You may choose to purchase goods or services from the IAPP using a payment card. Typically, payment card information is provided directly by users, via the IAPP website, into the PCI/DSS-compliant payment processing service to which the IAPP subscribes, and the IAPP does not, itself, process or store the card information. Occasionally, members or customers ask IAPP employees to, on their behalf, enter payment card information into the PCI/DSS-compliant payment processing service to which the IAPP subscribes. We strongly encourage you not to submit this information by email. When IAPP employees receive payment card information from customers or members by email, fax, phone, or mail, it is entered as instructed and then deleted or destroyed.

  2. Personal information we get from third parties

    From time to time, the IAPP receives personal information about individuals from third parties. This may happen if your employer is a corporate member of the IAPP and signs you up for training, certification, or membership. One of our third-party training partners may also share your personal information with the IAPP when you sign up for training, certification or membership through that training partner.

  3. What happens if you don’t give us your data

    You can enjoy many of the IAPP’s services without giving us your personal data. For our Daily Dashboard, for example, we need only a valid email address. Much of the information on our website is available even to those who are not IAPP members. Some personal information is necessary so that the IAPP can supply you with the services you have purchased or requested, and to authenticate you so that we know it is you and not someone else. You may manage your IAPP subscriptions and you may opt-in or opt-out of receiving marketing communication at any time.

Use of the iapp.org website

As is true of most other websites, the IAPP’s website collects certain information automatically and stores it in log files. The information may include internet protocol (IP) addresses, the region or general location where your computer or device is accessing the internet, browser type, operating system and other usage information about the use of the IAPP’s website, including a history of the pages you view. We use this information to help us design our site to better suit our users’ needs. We may also use your IP address to help diagnose problems with our server and to administer our website, analyze trends, track visitor movements, and gather broad demographic information that assists us in identifying visitor preferences.

The IAPP has a legitimate interest in understanding how members, customers and potential customers use its website. This assists the IAPP with providing more relevant products and services, with communicating value to our sponsors and corporate members, and with providing appropriate staffing to meet member and customer needs.

  • Cookies and web beacons

    The IAPP makes available a comprehensive Cookie Notice that describes the cookies used on the IAPP website and provides information on how users can accept or reject them. To view the notice, just click here.

  • Do not track

    The IAPP tracks users when they cross from our primary public website (iapp.org) to our “IAPP community” portion of the site (my.iapp.org) by logging in with their user name and password, as well as when visitors to our website enter through a marketing landing page (pages.iapp.org). The IAPP also keeps a record of third party websites accessed when a user is on the IAPP site and clicks on a hyperlink. But the IAPP does not track users to subsequent sites and does not serve targeted advertising to them. The IAPP does not, therefore, respond to Do Not Track (DNT) signals.

When and how we share information with others

Information about your IAPP purchases and certification status is maintained in association with your membership or profile account. The personal information the IAPP collects from you is stored in one or more databases hosted by third parties located in the United States. These third parties do not use or have access to your personal information for any purpose other than cloud storage and retrieval. On occasion, the IAPP engages third parties to mail information to you, including items like books you may have purchased, or material from an event sponsor.

We do not otherwise reveal your personal data to non-IAPP persons or businesses for their independent use unless: (1) you request or authorize it; (2) it’s in connection with IAPP-hosted and IAPP co-sponsored conferences as described above; (3) the information is provided to comply with the law (for example, to comply with a search warrant, subpoena, or court order), enforce an agreement we have with you, or to protect our rights, property or safety, or the rights, property or safety of our employees or others; (4) the information is provided to our agents, vendors or service providers who perform functions on our behalf; (5) to address emergencies or acts of God; or (6) to address disputes, claims, or to persons demonstrating legal authority to act on your behalf; and (7) through the IAPP Member Directory as described below. We may also gather aggregated data about our members and Site visitors and disclose the results of such aggregated (but not personally identifiable) information to our partners, service providers, advertisers, and/or other third parties for marketing or promotional purposes.

The IAPP website uses interfaces with social media sites such as Facebook, LinkedIn, Twitter and others. If you choose to "like" or share information from the IAPP website through these services, you should review the privacy policy of that service. If you are a member of a social media site, the interfaces may allow the social media site to connect your site visit to your personal data.

  • Member Directory

    The IAPP makes member information available through the IAPP Member Directory to other IAPP members using this Site. Members are invited to opt-in to having their information shared in the Member Directory.

Transferring personal data from the EU to the US

The IAPP has its headquarters in the United States. Information we collect from you will be processed in the United States, and by using the IAPP’s services you acknowledge and consent to the processing of your data in the United States. The United States has not sought nor received a finding of “adequacy” from the European Union under Article 41 of the GDPR. The IAPP relies on derogations for specific situations as set forth in Article 44 of the GDPR. In particular, the IAPP collects and transfers to the U.S. personal data only: with your consent; to perform a contract with you; or to fulfill a compelling legitimate interest of the IAPP in a manner that does not outweigh your rights and freedoms. The IAPP endeavors to apply suitable safeguards to protect the privacy and security of your personal data and to use it only consistent with your relationship with the IAPP and the practices described in this Privacy Statement. The IAPP also enters into data processing agreements and model clauses with its vendors whenever feasible and appropriate.

Data subject rights

This Privacy Notice is intended to provide you with information about what personal data the IAPP collects about you and how it is used. If you have any questions, please contact us at dpo@iapp.org.

If you wish to confirm that the IAPP is processing your personal data, or to have access to the personal data the IAPP may have about you, please contact us at dpo@iapp.org.

The European Union’s General Data Protection Regulation and other countries’ privacy laws provide certain rights for data subjects. A good explanation of them (in English) is available on the website of the United Kingdom’s Information Commissioner’s Office.

You may also request information about: the purpose of the processing; the categories of personal data concerned; who else outside the IAPP might have received the data from the IAPP; what the source of the information was (if you didn’t provide it directly to the IAPP); and how long it will be stored. You have a right to correct (rectify) the record of your personal data maintained by the IAPP if it is inaccurate. You may request that the IAPP erase that data or cease processing it, subject to certain exceptions. You may also request that the IAPP cease using your data for direct marketing purposes. In many countries, you have a right to lodge a complaint with the appropriate data protection authority if you have concerns about how the IAPP processes your personal data. When technically feasible, the IAPP will—at your request—provide your personal data to you or transmit it directly to another controller.

Reasonable access to your personal data will be provided at no cost to IAPP members, conference attendees and others upon request made to the IAPP at dpo@iapp.org. If access cannot be provided within a reasonable time frame, the IAPP will provide you with a date when the information will be provided. If for some reason access is denied, the IAPP will provide an explanation as to why access has been denied.

Security of your information

To help protect the privacy of data and personally identifiable information you transmit through use of this Site, we maintain physical, technical and administrative safeguards. We update and test our security technology on an ongoing basis. We restrict access to your personal data to those employees who need to know that information to provide benefits or services to you. In addition, we train our employees about the importance of confidentiality and maintaining the privacy and security of your information. We commit to taking appropriate disciplinary measures to enforce our employees' privacy responsibilities.

Data storage and retention

Your personal data is stored by the IAPP on its servers, and on the servers of the cloud-based database management services the IAPP engages, located in the United States. The IAPP retains data for the duration of the customer’s or member’s business relationship with the IAPP and for a period of time thereafter to allow members to recover accounts if they decide to renew, to analyze the data for IAPP’s own operations, and for historical and archiving purposes associated with IAPP’s history as a membership association. For more information on where and how long your personal data is stored, and for more information on your rights of erasure and portability, please contact the IAPP’s data protection officer at dpo@iapp.org.

Questions, concerns or complaints

Please contact the IAPP’s data protection officer:

Rita Heimes
IAPP
75 Rochester Avenue
Portsmouth, New Hampshire, USA
dpo@iapp.org
+1 603-427-9200