1. PERSONS RESPONSIBLE (CONTROLLER)
1.1 Controllers within the meaning of the EU General Data Protection Regulation (hereinafter “GDPR”) are: Parenteral Drug Association, Inc. (hereinafter: “PDA”), 4350 East-West-Highway, Suite 600, Bethesda, MD 20814, USA, Phone: +1 301 656-5900, Fax: +1 301 986-0296, Email: registration@pda.org and PDA Europe gGmbH (hereinafter “PDA EU”), Am Borsigturm 60, 13507 Berlin, Germany, Phone: +49 30 436 55 08-0, Fax: +49 30 436 55 08-66, Email: registration-europe@pda.org as joint controllers pursuant to Article 26 GDPR (hereinafter: “joint controllers”, “we” or “us”).
1.2 With regard to processing of Personal Data concerning persons within the European Union, PDA has designated PDA Europe gGmbH, Am Borsigturm 60, 13507 Berlin, Germany, Phone: +49 30 436 55 08-0, Fax: +49 30 436 55 08-66, Email: registration-europe@pda.org as its representative in the European Union. PDA Europe is mandated by PDA to be the recipient on behalf of the Company of all issues related to processing of personal data concerning persons within the European Union.
1.3 With respect to the joint processes, we jointly determine the purposes and means of processing. In an agreement on joint controllership pursuant to Article 26 GDPR, we have determined how the respective tasks and responsibilities in the processing of personal data are structured and who fulfills which data protection obligations. In particular, it was determined how an appropriate level of security and the attendee's rights as a data subject can be ensured, how the information duties under data protection law can be fulfilled jointly and how potential data protection incidents can be monitored. This also includes ensuring that reporting and notification obligations are fulfilled.
2. PERSONAL DATA PROCESSED
We only process personal data if the attendee provides this, e.g. as part of a registration, a contact form, a survey, or for the execution of a contract, and even in these cases only insofar as this is permitted to us on the basis of a consent given by the attendee or in accordance with the applicable legal provisions. The provision of this information is voluntary. However, if the attendee does not provide the information requested, we might be unable to process the registration or respond to the inquiry.
2.1 PROCESSING FOR INITIATING OR FULFILLING A CONTRACT, ART. 6 (1) (B) GDPR
2.1.1 We process personal data of attendees for the purposes of initiating or fulfilling a contract (e.g. offer preparation, execution or termination of a contract). For this purpose we process personal information (e.g. name, title, job title, billing address, phone and fax number, email, company, department); contract data (e.g. status of PDA membership, membership number; duration of the membership), payment information (e.g. bank data, payment behavior and history).
2.1.2 If we ask to book a hotel room with one of our event partners for attendees, we will legally conclude a contract with the hotel in the attendee's name. In the performance of this contract, we will share personal data of the attendee, to the minimum extent necessary, with the hotel where we book the room. The data we provide to them includes name, residence, email address, and other identification information the hotel may require. The processing of the personal data by the hotel is made in their capacity of data controller and subject to their own privacy policy.
2.1.3 In case we are providing food at our events, we may ask attendees about food allergies or other conditions, so that we can adapt the menu accordingly. Providing this information is optional, and we will only process it if the attendee updates their profile with such information.
2.2 PROCESSING ON CONSENT, ART. 6 (1) (A) GDPR
If the attendee has consented to the processing of their personal data by us for certain purposes (e.g. data transmission to us initiating a contract, SEPA Direct Debit Scheme, surveys or promotional purposes, transmission of data within the PDA-Group, taking and using photos and film recordings for promotional purposes, printing contact information on attendee lists, sharing the personal information with our event sponsors/exhibitors), that consent is the legal basis for the processing.
2.3 PROCESSING FOR FULFILLMENT OF OUR LEGAL DUTIES, ART. 6 (1) (C) GDPR
We process the attendee's personal data if this is necessary for the fulfilment of our legal obligations (e.g. for the retention of data according to commercial or tax law).
2.4 PROCESSING ON LEGITIMATE INTERESTS, ART. 6 (1) (F) GDPR
2.4.1 JOINT MEMBER AND REGISTRATION DATABASE / MARKETING
Since PDA EU and PDA are both parties of the PDA-Group, the attendee's personal data (mentioned under Section 2.1 and 2.2) is processed in a joint member and registration database, and we process personal data for administrative purposes and also for joint marketing, market and opinion research, to run statistics about our event attendees, e.g. to improve our future events, for personalized offers and to contact attendees about other events that we organize and think may be of interest to the attendee.
2.4.2 PICTURES AND VIDEO FOOTAGE
We may take pictures and record video footage of the events. Given that the events are public areas with controlled access, and that we do not intend to photograph attendees directly but rather groups (unless the attendee is a speaker or a special guest), we do this based on our legitimate interest to document the events and market their success, etc. We will not use photos or videos for marketing purposes if they identify attendees unless we obtain their prior consent.
2.4.3 PROTECTION OF LEGAL INTERESTS
Furthermore, we use the attendee's personal data in the case that we must assert or defend against legal claims.
3. DISCLOSURE OF PERSONAL DATA
3.1 We will share the strictly necessary parts of the attendee's personal data, on a need-to-know basis, with hotels where we book accommodation in the attendee's name, if they request us to; third parties involved in organizing the events, client support, or sales activities; financial institutions, payment processors and collection agencies for payment services; external processors (e.g. IT service providers) in accordance with the legal requirements of Art. 28 GDPR; other parties such as public authorities and institutions, accountants, auditors, lawyers and other outside professional advisors, to protect our rights or the rights of a third party or where we are required by law to make such a disclosure; persons demonstrating legal authority to act on the attendee's behalf; and, if attendees consented, with other event attendees solely for networking purposes by placing their contact information on the event attendee list, or with exhibitors or sponsors to contact them about their offerings of goods and services.
3.2 Any third-party processors with whom we choose to share the attendee's personal information under the above are limited (by law and by contract) in their ability to use the attendee's personal information for the specific purposes identified by us. We will always ensure that any third parties with whom we choose to share the attendee's personal information are subject to privacy and security obligations consistent with this Privacy Notice and applicable laws.
4. TRANSFERS OF INFORMATION OUTSIDE THE EEA
4.1 Since our joint member and registration database is located in the USA, we process the attendee's personal data outside of the European Economic Area (hereinafter “EEA”) within the PDA-Group on the basis of the most current European Commission approved standard contractual clauses.
4.2 Where the attendee's personal data is transferred to other entities as mentioned in Section 3 above, we will take appropriate measures to ensure that the recipient protects the attendee's personal information adequately in accordance with this Privacy Notice. These measures include entering into the most current European Commission approved standard contractual clauses with them.
5. SECURITY
We use technical and organizational security measures to protect the attendee's data managed by us against manipulation, loss, destruction and against access by unauthorized persons.
6. DURATION OF STORAGE AND DELETION OF PERSONAL DATA
The duration of the storage of personal data depends on the existing legal archival requirements (such as retention periods relating to commercial or tax law). After expiry of the various statutory retention periods all personal data will be deleted immediately if the data is no longer necessary for contract processing, contract initiation and/or there is no other legitimate interest for continued storage or in the case that the attendee has expressly consented to further use of their data beyond this.
7. ATTENDEE'S RIGHTS
As data subjects under EU data protection law, attendees have the following rights:
7.1 The attendee has the right of access (Art. 15 GDPR), the right to rectification (Art. 16 GDPR), the right to erasure (Art. 17 GDPR), the right to restriction of processing (Art. 18 GDPR), the right to be informed about each recipient to whom their personal data has been disclosed (Art. 19 GDPR) and the right to data portability (Art. 20 GDPR).
7.2 To the extent that data processing is based on a consent, the attendee has the right to withdraw consent for data processing under such consent at any time free of charge with future effect (Art. 7 para. 3 GDPR).
7.3 Right to object (Art. 21 GDPR)
The attendee has the right to object at any time to the processing of their personal data pursuant to Art. 6 para. 1 letter e GDPR (data processing in the public interest) or Art. 6 para. 1 letter f GDPR (data processing based on a balance of interests) on grounds relating to their particular situation. If the attendee objects, we will only process the attendee's personal data if we can prove compelling legitimate reasons that outweigh the attendee's interests, rights and freedoms, or for the establishment, exercise or defense of legal claims. If the attendee objects to processing for direct marketing purposes, the attendee's personal data will no longer be processed for such purposes.
7.4 To exercise their legal rights, attendees can contact us in writing (including electronically) at the contact details provided in Sections 1.1 and 1.2 above.
7.5 Furthermore, the attendee has the right to lodge a complaint about the processing of their data by us with a data protection supervisory authority in Europe (Art. 77 GDPR). For us, the State Commissioner for Data Protection (“Berliner Beauftragte für Datenschutz und Informationsfreiheit”), Friedrichstraße 219, 10969 Berlin, Germany, Phone: +49 30 138890, is responsible. Alternatively, the attendee may also contact the data protection supervisory authority at their usual place of residence or workplace within the European Union.
8. USE OF THE WEBSITE WWW.PDA.ORG
The attendee may use the Website www.pda.org for registration. In this case the Website collects certain information about the user, which is processed as stated in more detail in the Website's Privacy Policy and Cookie Policy.
9. CHANGES TO OUR PRIVACY NOTICE
We reserve the right, at our discretion, to modify our privacy practices and update and make changes to this privacy notice at any time.