Privacy statement

PRIVACYSTATEMENT – PCO / ESVD

1. PCO / ESVD
We are Partners in Congress Organisation B.V. (‘PCO’), a Dutch company that organizes and advises on conferences. We operate in the European Economic Area (EEA) and we store our data on servers located in the EEA, unless otherwise specified.
We process your personal data if you use our services, visit a conference organized by us or if you use our applications, websites and software. In this privacy statement we summarize when and how we collect, use and protect your personal data.

2. General
We may change provisions of this privacy statement from time to time. If we do that, we will inform you of the changes beforehand. However, we also advise you to check for yourself from time to time whether the privacy statement has been changed.

3. Which personal data do collect and for which purposes?
There are a number of ways in which we can collect and process your personal, which depend on your role towards us. For example, you can be a visitor to our website (section 3.1), a conference visitor (section 3.2) or work for a conference sponsor or customer (section 3.3). In this paragraph we explain to you per role which personal data we can collect from you. The personal data are sorted according to the various processing purposes.

3.1 Website visitors (including job applicants)
A. Improving our website
In order to improve our website and resolve error messages, we process the personal data listed below for up to 2 years after collection. Our ground for processing the data is our legitimate interest to be able to keep our website running and to improve it. The invasion of your privacy is limited as much as possible by only processing limited data and linking data to an identification number, instead of a name.
• online/cookie identification number
• IP-address
• your use of our website
• information regarding the device from which you visit and use our website

B. Securing our website
To secure our website, we process the personal data listed below for up to 6 months after collection. Our ground for processing the data is our legitimate interest to be able to adequately secure our website. The invasion of your privacy is limited as much as possible by only processing limited data and linking data as much as possible to an identification number, instead of a name.
• username and password
• IP-address
• device-ID
• user-ID
• operating system
• time, date and place of login

C. Job applications
If you apply for a job with us, we will process the personal data listed below up to 4 weeks after completing the application or up to 1 year if you request it. Our basis for processing the data is our legitimate interest to be able to process your application.

• Name
• e-mail address
• telephone number
• CV (including a photo)
• motivation letter
• communication
• your social media profilers and the statements made on them
• an assessment of your capabilities (if this is reasonable in view of your intended position)

D. Communication
If you contact us, for example by asking us a question, we process your name, the name of your employer, your e-mail address, your telephone number and all other information that you share with us in your communication. Our processing ground is our legitimate interest to be able to respond to your requests and communications. We store your personal data for up to 2 months after your request or question has been resolved. We receive this information from you.
You are not obliged to provide us with the personal data mentioned here. If you do not provide us with the personal data, this will not have any negative consequences for your use of our website or services.

E. Newsletters
If you sign up for the newsletter, we will process your e-mail address in order to send you the newsletter until you unsubscribe from the newsletter. You can unsubscribe by using the unsubscribe button at the bottom of each newsletter. Our processing ground is the consent you give us if you request us to send you our newsletter. We receive your email address from you.

You are not obliged to provide us with the personal data mentioned here. If you do not provide us with the personal data, this will not have any negative consequences for your use of our website or services.

3.2 Conference visitors
F. Administration obligations
If you visit one of our conferences, you may be conducting financial transactions with us (e.g. the purchase of an admission ticket). In such cases, we are legally obliged to keep our financial records. Our processing ground is therefore our legal obligation. We process invoices and the personal data contained therein up to 7 years after the year in which the transaction took place. The data is provided by you. If you make the payment in another way, we will process from you:

• customer-ID
• payment cluster-ID
• payment method
• paid amount
• date of payment

We share this personal data with our accountant to comply with our legal obligations.

G. Visiting conferences and events
If you visit one of our conferences, we will process your personal data to make this possible and to communicate with you. Our ground for processing is the performance of an agreement that you have concluded with us or that you have concluded with your employer. We process the following personal data up to 2 years after the conference or event has taken place. Exactly which personal data are processed depends on the conference you are attending (for example, at a medical specialist conference, more information about your work history may be requested or that you can share your BIG number to obtain accreditation points). For each conference we indicate which information we need from you. The data is provided by you.
• name
• address
• private and/or business e-mail address (including for contacting and communicating about the service)
• telephone number (work and/or private)
• title
• function
• company Name
• department
• country where you work
• gender
• age category (if you want to participate in age-related contests)
• dietary requirements
• registration number
• BIG registration number
• customer ID
• membership number of your association (for discount schemes)
• amounts and dates of payments made
• payment method
• bank account number (when using a bank account instead of a payment provider)
• educational level
• work history
• area of interest
• communication
• registrations for courses and events at the congress
• all other personal data provided to us in the context of our services
• other personal data that you provide when contacting PCO

Your name may be stored in Dropbox. Dropbox stores its data in the United States.

In order to provide our services, we may share the above data with the following parties who act independently as controllers if you use the relevant services and only insofar as this is necessary for an adequate service:
- hotels and booking offices: name and address, email address
- caterers: name and any dietary requirements
- publishers of (scientific) journals: name and address if you wish to receive the journal physically or name and email address if you wish to receive the journal digitally
- our client, the party organizing the congress, in order to tailor the program to the visitors: name and address, position, employer, country where you work, work history, title, area of interest
- conference sponsors if you participate in their workshops, in order to guarantee the quality of the workshop: name, e-mail address of employer, country where you work, work history, title, function, area of interest
- PE-online: BIG registration number

H. Improving our services
To improve our services, we process the personal data listed below for up to 2 years after collection if you participate in our evaluation. Our basis for processing the data is our legitimate interest to be able to improve the service. The invasion of your privacy is limited as much as possible by only processing limited data and because participation in the evaluation is voluntary.
• name
• e-mail address
• (other) information provided with the evaluation form

I. Event photos and videos
Photos and/or videos can be taken at conferences. These photos/videos can be used on public websites of us or our customers as an illustration or in news items, reports, newsletters, guides, brochures, advertisements and/or social media of us or our customers. Photos and videos can be processed in the United States (e.g. by Google's YouTube).
Our basis for being allowed to process the data is our legitimate interest to be able to share photos/videos for journalistic purposes and to increase our brand awareness and/or the reputation of the conference or the customer. The infringement of your privacy is limited as much as possible by informing you in advance and giving you the opportunity to object to the processing. If you object to the processing, we will remove the photos/videos online where possible and we will stop using them offline.

J. Newsletters
If you register for a conference, we will process your e-mail address in order to send you updates about the next edition of the conference in question. You can unsubscribe by using the unsubscribe button at the bottom of each update. Our processing ground is our legitimate interest to be able to inform you about the next edition of the conference you are attending. We receive your email address from you. If you use the opt-out option, we can still send you communications that are necessary for the edition of the conference for which you have registered.

3.3 Employees or contact persons of conference sponsors and customers
K. Administration obligations
If you or your employer use our services, you may conduct financial transactions with us. In such cases, we are legally obliged to keep invoices and our financial records. Our processing ground is therefore our legal obligation. We process the following personal data up to 7 years after the year in which the transaction took place. The data is provided by you.
• name (employer)
• address (employer)
• VAT identification number
• invoice data

Wij delen deze persoonsgegevens met onze accountant om aan onze wettelijke verplichtingen te voldoen.

L. Visiting conferences and events
If you visit one of our conferences, we will process your personal data to make this possible and to communicate with you. Our ground for processing is the performance of an agreement that you have concluded with us or that you have concluded with your employer. We process the following personal data up to 2 years after the conference or event has taken place. Exactly which personal data are processed depends on the conference you are attending. For each conference we indicate which information we need from you. The data is provided by you.
• name
• address
• private and/or business e-mail address (including for contacting and communicating about the service)
• telephone number (work and/or private)
• company name
• dietary requirements
• registration number
• membership number of your association (for discount schemes)
• all other personal data provided to us in the context of our services
• other personal data that you provide when contacting PCO

Your name may be stored in Dropbox. Dropbox stores its data in the United States.

In order to provide our services, we may share the above data with the following parties who act independently as controllers if you use the relevant services and only insofar as this is necessary for an adequate service:
- hotels and booking offices: name and address, email address
- caterers: name and any dietary requirements
- our client, the party organizing the congress, in order to tailor the program to the visitors: name and address, e-mail address, registration number, membership number of your association
- stand construction companies (only if you are the contact person of a conference sponsor): name and address, email address, telephone number and VAT number

M. Improving our services
To improve our services, we process the personal data listed below for up to 2 years after collection if you participate in our evaluation. Our basis for processing the data is our legitimate interest to be able to improve the service. The invasion of your privacy is limited as much as possible by only processing limited data and because participation in the evaluation is voluntary.
• name
• e-mail address
• (other) information provided with the evaluation form


N. Event photos and videos
Photos and/or videos can be taken at conferences. These photos/videos can be used on public websites of us or our customers as an illustration or in news items, reports, newsletters, guides, brochures, advertisements and/or social media of us or our customers. Photos and videos can be processed in the United States (e.g. by Google's YouTube).
Our basis for being allowed to process the data is our legitimate interest to be able to share photos/videos for journalistic purposes and to increase our brand awareness and/or the reputation of the conference or the customer. The infringement of your privacy is limited as much as possible by informing you in advance and giving you the opportunity to object to the processing. If you object to the processing, we will remove the photos/videos online where possible and we will stop using them offline.

4. Sharing of personal data
4.1 Processing by processor
We may ask others to assist in providing our services. It is possible that these third parties process your personal data as a result. These third parties are referred to as “processors” in this privacy statement. We conclude processing agreements with these processors, in which we agree that they may only process your personal data for the benefit of our services.

We use the following types of processors:
• storage of (personal) data and database management and maintenance (Dropbox);
• research agencies and analytical software to improve our services (including privacy-friendly configured Google Analytics, so that no personal data is shared with Google);
• administrators of evaluation forms;
• file transfer software (WeTransfer);
• app developers;
• hosting provider(s), and;
• administrators of videos and their storage (YouTube).

In some cases, the processor may collect your personal data on our behalf.

If you yourself provide additional information to these processors outside of our services, we are not responsible for this. Please inform yourself about the processor and his company before you provide your personal data.

4.2 Sharing with your permission
We may also share personal data with others if you give us permission to do so. For example, we may work with other parties to provide you with specific services or offerings. If you sign up for these services or marketing offers, we may provide your name or contact details as necessary to provide that service or to contact you.

4.3 Our legal responsibilities
We may also share personal data with third parties if this:
1. is reasonably necessary or appropriate to comply with legal obligations;
2. is necessary to comply with legal requests from authorities;
3. is necessary to respond to any (legal) claims;
4. is necessary to protect the rights, property, or safety of us, our users, our employees, or the public;
5. is necessary to protect ourselves or our users against fraudulent, abusive, inappropriate or unlawful use of the services.

We will notify you immediately if a government agency makes a request related to your personal data, unless prohibited by law.

4.4 Merger or sale of (parts) of our company
We may disclose, share or transfer your personal data if we transfer (parts of) our business. Examples of this are (negotiations about) a merger, sale of parts of the company or obtaining financing. We will of course try to limit the impact for you as much as possible by transferring personal data only if necessary and anonymizing or pseudonymizing it where possible.

5. Protection of personal data
We think it is important to handle your personal data carefully and to protect it. We have therefore taken appropriate technical and organizational security measures to protect your personal data. In any case, we have taken the following measures:
- We have put in place physical and electronic measures designed to minimize unauthorized access, loss or misuse of personal data.
- Transmission of sensitive information or personal data to and from us is encrypted.
- Where reasonably possible, back-ups of personal data are made.
- Sensitive information is stored encrypted where possible and the database cannot be accessed externally.
- Vulnerabilities in the software are addressed as soon as reasonably possible and servers and software are frequently provided with security updates.

However, we would like to point out that absolute security for the transmission of personal data via the internet or the storage of personal data cannot always be guaranteed.

6. Links to websites of third parties
Our websites and applications may contain links to other websites and services. Third-party websites and services may track information about you. We have no control over these sites or their activities. If you provide your personal data to third parties, we are not involved. In that case, the privacy policy of this third party applies. We are not responsible for the content of the privacy policies of these parties and the way in which these parties handle personal data. We encourage you to review their privacy and security practices and policies before providing them with any personal information.

7. Your rights
As a data subject, you have certain rights in relation to your personal data. The rights we describe below are not absolute rights. We will always check whether we can reasonably comply with your request. If we cannot comply with your request, if you submit excessive or manifestly unfounded requests or if this would be at the expense of the privacy of others, we may refuse your request. If we decline a request, we will let you know and explain the reasons.

Right of access
You have the right to request which personal data we process about you. You can also ask us to provide insight into the processing grounds, relevant categories of personal data, the (categories of) recipients of personal data, the retention period, the source of the data and whether or not we use automated decision making.
You may also request a copy of your personal data that we process. Do you want additional copies? Then we can charge a reasonable fee for this.

Right to rectification
If the personal data processed by us about you is incorrect or incomplete, you can request us to adjust or supplement the personal data.
If we grant your request, we will, to the extent reasonably possible, inform the parties to whom we provide information.

Right to erasure
Do you no longer want us to process certain personal data about you? Then you can request us to delete certain (or all) personal data about you. Whether we will delete data depends on the processing ground. We only delete data that we process on the basis of a legal obligation or for the performance of the agreement if the personal data is no longer necessary. If we process data based on our legitimate interest, we will only delete data if your interest outweighs ours. We will make this assessment. If we process the data on the basis of consent, we will only delete the data if you withdraw your consent. Have we accidentally processed data or does a specific law require that we delete data? Then we will delete the data. If the data is necessary for the settlement of a legal proceeding or a (legal) dispute, we will only delete the personal data after the end of the proceedings or the dispute.
If we grant your request, we will, to the extent reasonably possible, inform the parties to whom we provide information.

Restriction of processing
If you dispute the accuracy of personal data processed by us, if you believe that we have processed your personal data unlawfully, if we no longer need the data or if you have objected to the processing, you can also request us to restrict the processing of that personal data. For example, during the time that we need to assess your dispute or objection, or if it is already clear that there is no longer any legal ground for further processing of those personal data, but you still have an interest in us not deleting the personal data. If we limit the processing of your personal data at your request, we may still use that data for the settlement of legal proceedings or a (legal) dispute.

Right to data portability
At your request, we may transfer the data that we automatically process to execute the agreement or based on your consent, to you or another party designated by you. You can make such a request at reasonable intervals.

Automated individual decision making
We do not make decisions solely on the basis of automated processing that has legal consequences for you or that otherwise significantly affects you.
Right of restriction of processing and withdrawal of permission
If we process data on the grounds of a legitimate interest, you may object to the processing. If we process data on the basis of your consent, you may withdraw that consent. For more information, please refer to the relevant processing purposes above.

Exercising your rights
You can send a request for access, correction, deletion, data transfer of your personal data or request for withdrawal of your consent or objection to the processing of your personal data to the e-mail address as mentioned under ‘contact’ below.
To prevent abuse, we may ask you to identify yourself adequately in the case of a written request for access, rectification or erasure.
We strive to process your request, complaint or objection within a month. If it is not possible to make a decision within a month, we will inform you of the reasons for the delay and the time when the decision is expected to be made (no longer than 3 months after receipt).

Dutch Data Protection Authority
Do you have a complaint about our processing of your personal data? Please contact us first. We will try to find a solution that works for the both of us. If we cannot come to a solution, you are entitled to submit a complaint to the national privacy authority, in this case the Dutch Data Protection Authority. For this you can contact the Dutch Data Protection Authority via https://autoriteitpersoonsgegevens.nl

8. Contact
If you have questions, concerns or comments about this privacy statement or our data processing, please contact us via e-mail on info@pcopartners.nl