This website uses technical cookies, Analytics cookies and third-party cookies for the operation of the site and to improve the user experience. By clicking on Accept, you consent to the use of cookies.

Privacy | Cookie Policy

Privacy 

Are you a Virtual Services customer? 

(…) 

Privacy Notice regarding the processing of personal data included in ICE Virtual  Services 

Dear Partner, dear Operator, 

Below we provide you with some information that is important to communicate not only in  order to comply with legal obligations, but also because transparency and fairness towards  data subjects are a fundamental part of this Public Administration. 

Scope 

ICE Agency, in compliance with the principles established by EU Regulation 2016/679  concerning the protection of individuals with regard to the processing and free movement of  personal data, offers users the opportunity to consult or use Virtual Services (as defined  below) by interacting with their own Virtual Platform (as defined below). 

In order to ensure that processing is carried out in accordance with European Data  Protection Law, ICE Agency, as data controller, provides data subjects with the following  notice pursuant to Article 13 of the General Data Protection Regulation (GDPR), highlighting  the information regarding the processing of personal data carried out by ICE Agency. 

This notice only concerns data processing carried out on or through the Virtual Platform (which can be accessed at www.ice.it, the homepage of ICE Agency’s official website), as  better defined below, and on websites created by the Virtual Platform.  According to the circumstances, data may be processed by one or more of the following  parties (as better defined below):  

ICE – Agency; 

Managers of Virtual Exhibition Centers, Virtual Meeting Rooms, or E-learning Platforms; Virtual Trade Fair Organizers; 

Organizers of Events/Meetings/Virtual Missions; 

E-learning Service Organizers; 

Operators; 

Visitors of Virtual Fair Events. 

The contents of this privacy notice constitute, as far as compatible, an integration of the  general privacy notice/privacy policy, which ICE Agency sends to customers and suppliers.  In case of conflict between the notice’s respective provisions with regard to Virtual Services  (as defined below), this privacy notice shall prevail.

Joining the Virtual Platform does not in itself ensure compliance with the GDPR, national  legislation, the provisions of the Italian Data Protection Authority, or European Data  Protection Board guidelines, which the members of the Virtual Platform are nevertheless  required to respect autonomously whenever they process data in the capacity of data  controllers. 

Privacy Notice 

In the event that ICE Agency acts as data controller in processing data related to Virtual  Services, ICE is responsible for the privacy notice. In the event that ICE acts as data  processor—that is, on behalf of third parties—for data relating to Virtual Services, the third party controller bears sole responsibility for communicating the information in this notice to  data subjects, and ICE Agency therefore assumes no responsibility in this regard, unless  otherwise agreed in writing with the controller case by case. In particular, in the case of any  agreement with the third-party data controller, ICE undertakes only to post a privacy notice online, which is to be prepared and provided by the third-party controller and under their sole responsibility. 

Without prejudice to the foregoing, the Virtual Platform allows each Third-Party Organizer  as defined below to independently submit the necessary privacy policies provided for by the  GDPR, including one for each Virtual Trade Fair or other Virtual Service. 

Further information on the Virtual Platform’s functions and the processing of personal data  connected to it can be found in the document called Utenze e dati Piattaforma ICE ver. 1.0  21.07.2020 (ICE Platform Users and Data ver. 1.0 21.07.2020). 

Definitions 

Without prejudice to the definitions contained in Article 4 of the GDPR, to which reference  is expressly made, nor to the definitions contained in Legislative Decree 196/2003, as  amended by Legislative Decree 101/2018, we use the following terms and definitions for the  purposes of Virtual Services: 

Trade fair activities: the collective parties and activities that promote or contribute to  promoting the products and services of Exhibitors through the organization of Trade  Fairs. These exhibition events can also assume the characteristics of a conference or  convention; in this case, the event is aimed at building, spreading, and refining  knowledge in specific professional and cultural spheres (the Conference). 

Marketing activities: marketing or monitoring activities for marketing purposes (e.g., integration with direct email marketing services (DEM), tracking systems such as Google  Analytics, etc.), as well as the consequent personal data processing that can be  configured independently from the Virtual Platform and on the basis of dedicated  configurations from time to time on the site of the Virtual Trade Fair or in relation to  another Virtual Service by the Third-Party Organizer. 

Exhibitor: someone who is granted exhibition space on the Virtual Platform (and related  technical services) or advertising space to promote/exhibit products or services during  the Virtual Trade Fair. 

Virtual Trade Fair: a periodic event and/or exhibition delivered through the Virtual  Platform, in which products/services are presented to the public in order to sell or  advertise them.

In addition to its own back-end administration, the Virtual Platform provides a website  for each Virtual Trade Fair via a dedicated URL (e.g., eventname.ice.it or  www.eventname.it).  

Virtual Conference: a conference or convention delivered through the Virtual Platform. 

Supplier: an entity other than ICE that provides products or services needed to realize the Virtual Trade Fair (for example, setting up virtual stands and virtual reception  services, hiring various virtual services and IT services in general). 

Virtual Exhibition Center Manager: the party—ICE—that manages a Virtual Exhibition  Center owned by ICE, ensuring its ordinary and extraordinary maintenance and seeing  to its promotion, improvement, and economic optimization. The Virtual Exhibition Center  Manager can also assume the role of Virtual Fair Organizer or host of Virtual Trade Fairs  organized by third parties. 

Virtual Meeting/Mission Manager: the party—ICE—that manages the Virtual Meeting  Rooms owned by ICE, ensuring their ordinary and extraordinary maintenance and seeing to their promotion, improvement, and economic optimization. The Virtual  Meeting/Mission Manager can also assume the role of Virtual Meeting/Mission  Organizer or host of Virtual Meetings/Missions organized by third parties. 

E-learning Platform Manager: the party—ICE—that manages the E-learning Platform,  ensuring its ordinary and extraordinary maintenance and seeing to its promotion,  improvement, and economic optimization. The E-learning Platform Manager can also  assume the role of E-learning Service Organizer or host of E-learning Services  organized by third parties. 

Virtual Meetings: B2B and B2C meetings initiated and conducted on or through the  Virtual Platform. 

Operators: parties, other than Users and Partners, who use Virtual Services. 

Virtual Trade Fair Organizer: someone who owns a trademark associated with a  Virtual Trade Fair, which is prepared by the Virtual Trade Fair Organizer, including  through third parties, within or outside the EU.  

Virtual Meeting/Mission Organizer: someone who receives Virtual Services on the  ICE Virtual Platform and/or through ICE to organize their own Virtual Meetings/Missions. 

E-learning Service Organizer: someone who receives Virtual Services on the ICE  Virtual Platform and/or through ICE to organize their own E-learning Services. 

Third-Party Organizer: someone who is granted space and/or Virtual Services on the  ICE Virtual Platform and/or through ICE to organize their own Virtual Trade Fairs, Virtual  Meetings/Missions, or E-learning Services. 

Virtual Missions: foreign B2B and B2C missions initiated and conducted on or through  the Virtual Platform. 

Partners: parties, other than Operators, who have an agreement with ICE to use Virtual  Services through the Virtual Platform or manage them on their own. 

Virtual Platform: the set of technical features made available as SaaS-IaaS from or  through the ICE website (www.ice.it) for the provision of individual Virtual Services. 

Prospects: parties–including potential Users, Operators, and Partners–who have  expressed a concrete interest in a Virtual Service (e.g., a Virtual Trade Fair) or in another  service or product from ICE and/or its Partners by requesting commercial contact or 

information, registering for a Virtual Event, or sending their business card, without then  subscribing to the Virtual Service or purchasing the service or product; journalists. 

Virtual Exhibition Center: a permanent digital structure (Virtual Platform) owned by  ICE and/or its suppliers used mainly to host Virtual Trade Fairs managed by ICE or by  third party Trade Fair Organizers. The Virtual Exhibition Center may also include virtual  spaces for conferences and conventions (Virtual Conference Venues). 

Virtual Services: services provided by or through the Virtual Platform. 

E-learning Service: the e-learning service provided from time to time by or through the  Virtual Platform. 

Users: natural persons who use Virtual Services provided by the Managers of Virtual  Exhibition Centers, and/or Virtual Meetings, or E-learning Services, or by the  Organizers. 

Visitors: natural persons who visit the Virtual Trade Fair with the aim of acquiring  information, making purchases, participating in side events (e.g., competitions,  championships), or getting in touch with Exhibitors. They include those who access the  Virtual Trade Fair for professional purposes (Trade Visitors), as well as speakers and 

conference participants (commonly understood as those taking part in a conference,  convention, workshop, or seminar). 

Virtual Services 

Virtual Services refer to the following services made available by ICE Agency and/or its subcontractors on or through the Virtual Platform: 

Virtual Fairs/Conferences  

Virtual Meetings/Missions (B2B, B2C) 

E-learning 

as better described respectively in the General Conditions for the Provision of Virtual  Services, which can be viewed at the following link:  https://ice.it/servizivirtuali/condizionigenerali/ and/or in the ICE Service Catalogue. 

Videoconferencing and collaboration services 

Some Virtual Services use high definition videoconferencing tools (e.g., for the purposes of  virtual B2B or B2C meetings) moderated by ICE staff and/or third-party Partners (e.g., trade  fair organizations, consortia, training companies, etc.) and/or video collaboration (e.g., chat)  by third-party Suppliers. Please, refer to the section entitled ‘Will you transfer data to non 

EU countries?’ below for further information. 

Virtual Services legal and economic conditions  

Virtual Services are provided in accordance with the General Conditions for the Provision of  ICE Virtual Services, which can be viewed at the following link:  https://ice.it/servizivirtuali/condizionigenerali/ 

Purpose and lawful basis for processing 

ICE Agency processes personal data for the purposes of performing its institutional and  public tasks and consequently fulfilling its obligations (including providing, supporting, and 

updating Virtual Services) as set out by contract, law, regulation, or any other legislation  applicable to ICE.  

Data may also be processed to implement pre-contractual measures (usually in response  to the data subject’s request for information, documents, advice, or support). The potential purposes mentioned above include, from a technical perspective: 

(i) managing the website www.ice.it and the security features of Virtual Services; (ii) generating reports on operations carried out and sharing these reports with ICE’s  third-party partners (e.g., suppliers offering products or services through this Site) for information purposes; 

(iii) implementing measures to prevent digital fraud relating to ongoing transactions  between ICE and users and/or third parties, or between an Organizer and users,  operators, and/or third parties. 

Data will not be used for any purposes other than those described in this notice without prior  notification and, where necessary, your consent. 

Processing is carried out under the following lawful bases: 

  1. Processing is necessary for the performance of tasks which ICE Agency carries out in the public interest (Article 6(1)(e), GDPR).
  2. Processing is necessary for the conclusion and/or performance of a contract or the implementation of pre-contractual measures taken at the data subject’s request (Article 6(1)(b), GDPR).  
  3. Processing is necessary for compliance with legal obligations to which the data controller is subject, e.g., obligations of a legal (accounting, tax) or regulatory nature, implementation of measures adopted by judicial or administrative authorities (Article  6(1)(c), GDPR). 

Personal data which is collected in ICE Agency’s Centralized Database (CDB) may also be  used as part of its institutional activity and therefore to promote and develop trade of your  product and/or service abroad, as provided for in Article 14, Paragraph 20 in the Italian  Legislative Decree 98/11, converted into Law 111/11, as replaced by Article 22, Paragraph 

6 of Legislative Decree 201/11, converted into Law 214/11. Your data may, therefore, be  used to send proposals for participation in other initiatives organized by ICE Agency such  as fairs, workshops, seminars, training courses, etc., and used to evaluate customer  satisfaction and carry out other surveys relating to ICE Agency’s institutional and public  tasks. 

In the case of commercial proposals sent to parties who have not already used the services  provided by ICE Agency, the lawful basis for any processing is the institutional task of public  interest, which ICE Agency carries out as data controller. 

You reserve the right to object to the sending of such communications at any time, but your objection will not affect the lawfulness of any processing previously carried out. 

Categories of data subjects 

The provisions of the GDPR apply only to the processing of data relating to identified or  identifiable natural persons (‘you’ or the ‘data subject’). Virtual trade fair activities involve  processing the personal information of data subjects encompassing:

Exhibitors (meaning those who have already had a contractual relationship in the past  for any reason with an Organizer of Trade Fairs, either physical or virtual) and their staff; Prospects and their staff; 

Third-Party Managers and Organizers of Virtual Trade Fairs, Virtual Meetings (B2B and  B2C), and E-learning Services, and their staff; 

Visitors, including trade visitors; 

Users; 

Media professionals; 

Institutional representatives; 

Suppliers. 

What types of data are processed? 

As a rule, it is possible to visit the Virtual Services webpage without providing any personal  data.  

In some circumstances, the Virtual Platform may require users to provide personal  information.  

In the context of the purposes and methods described in this notice, processing operations concern:  

1) navigation data; 

2) data relating to subscriptions/registrations to the Virtual Platform or Virtual  Services, necessary for managing relations with ICE, including fulfilling requests for information or contact, orders with payment, or the provision of a Virtual  Service; 

3) data necessary or useful for effective corporate communications on ICE’s part; 4) data necessary or useful for fulfilling legal, regulatory, or contractual obligations. 

In the case of journalists: name and surname, contact details, sector and newspaper,  country of origin, language.  

The categories of data processed under 2, 3 and 4 include: 

  1. a) personal data, inter alia, identifiers and personal details (e.g., name, surname, place and date of birth), name of the personally-managed company or partnership, names of shareholders and directors, business role (e.g., professional title, job description,  responsibility level), telephone/fax/email contact details, geographical position (e.g., 

residence, domicile, registered office, country of origin), education and culture (e.g., academic qualifications, professional certifications), contact language, tax data (tax  identification number, VAT number), addresses and shipping and/or billing data; b) data of various kinds, inter alia: company name, company details (e.g., registered office,  AER), data on economic activity (e.g., the type of goods and services offered by an Operator  using Virtual Services, their ATECO code, turnover, number of employees, target countries  of their business activities, countries in which the Operator is present, goods and services  of current and/or potential interest to the Operator, channels of distribution, project budgets,  data on participation in initiatives promoted by ICE, data on public funding). In the event that Virtual Services entail Virtual Events organized and/or managed by third party Partners, the latter can independently request further information from data subjects  (e.g., Operators, Visitors); if the data collection requires a privacy notice other than ICE’s,  the third-party Partners will communicate this additional privacy notice independently via the  Virtual Platform or through separate means which they manage independently.

In some cases, if you are a customer or a prospect, we merge the data you provide us with  additional personal information obtained during your navigation on our websites, through the  use of services provided by these sites (e.g., cookies relating to pages of our website that  you have visited or the country from which you connect), via other communication channels  (e.g., social media), or through mass email marketing services (e.g., which messages you  have received, which emails you have opened, which offers you accepted through specific  actions such as opening an attachment or responding to our request to link to landing pages  or email attachments, etc.).  

As a rule, the performance of Virtual Services does not involve processing special categories  of data as per Article 9(1) of the GDPR, except for data necessary or important for the  provision of Virtual Services specifically dedicated to people with disabilities, or for managing  the participation of institutional representatives occupying political, trade union, or religious  offices in Virtual Events. 

Databases 

The information of data subjects, which is processed in the context of Virtual Services, can  be drawn from one or more of the following three general types of databases at any one  time: 

  1. a) the ICE database (e.g., national operators database, foreign operators database, CRM cloud)
  2. b) the database of a third-party Partner affiliated with ICE, Virtual Service user; c) the database of an Operator, either Italian or foreign, when using the Virtual Services for various reasons.

Data collection 

We collect your personal data: i) through online or paper forms, or pre-registration or  participation applications completed by you and/or acquired by third parties authorized by  us; ii) through mobile devices like tablets and smartphones present at events organized by  ICE Agency and/or its Partners, or iii) by a business card you have given us.  

For Virtual Events/Meetings/Missions which require the creation of your virtual photo identification card for security for safety or user identification purposes, a photo of you can  be collected through the online registration forms or a remote photo session (via the webcam  on your PC, laptop, tablet, or smartphone) held by the Videoconferencing Service Providers  associated with the Virtual Platform. 

Data may also be collected from publicly accessible sources (e.g., personal, fiscal,  economic, and contact details can be found on the internet, the business register at the  Chamber of Commerce, or websites of foreign trade fairs), pursuant to Article 14 of the  GDPR. In the case of Virtual Events organized or hosted on the Virtual Platform by third 

party Partners who act as independent data controllers, the data may also be collected  through third-party Partners.  

Obligation/Option to provide data and consequences of failure to provide such data  

The provision of information, personal or otherwise, marked as mandatory on the ICE  Service Order Form or on other ICE forms for joining Virtual Services is essential for using  Virtual Services; any refusal to provide such information precludes the possibility of using  them. 

The provision of information, personal or otherwise, marked as optional on the ICE Service  Order Form or the other aforementioned ICE forms is aimed exclusively at the possibility of  offering you a personalized service tailored to context, preferences, or interests identified  based on your economic activity (this usually does not constitute personal information—e.g.,  turnover, company type, ATECO code, export data, etc.). 

In the case of data processing for direct marketing purposes carried out by ICE Agency’s third-party Partners, the data subject must freely consent to the processing, and failure to provide consent will preclude the possibility of processing the data for this purpose, without  prejudice to the data subject’s right to obtain any services or products that may have been  ordered from ICE. ‘Direct marketing’ here refers to marketing to Customers and Prospects  by ICE Agency’s Partners: i) through communication channels other than email and text  and/or instant messages; ii) otherwise in relation to services or products unlike those you  have already purchased from the aforementioned Partners; or, iii) in relation to services or  products which the aforementioned third-party Partners have never previously proposed to  you nor discussed with you (in which case you would be viewed as a ‘lead’ by the Partners). 

Who are the Data Controller and the Data Protection Officer? 

The Data Controller is the ICE Agency for the Promotion and Internationalization of Italian  Companies Abroad, based at Via Liszt, 21, 00144, Rome, Tel. 06 59921 (‘ICE Agency’). The ICE Data Protection Officer can be contacted at the email address privacy@ice.it

Further information on the privacy responsibilities of the parties involved in various  capacities in data processing through the Virtual Platform can be found in the chapter  ‘Determination of privacy roles’ below. 

What privacy responsibilities are envisaged in the context of processing operations

Each of the participating parties can take on a different role in processing personal data,  depending on the tasks undertaken in the context of Virtual Services, as follows. 

The Organizer of Virtual Trade Fairs, Virtual Meetings/Missions, or E-learning Services is  the data controller for all personal information necessary to realize the Events themselves.  

The Manager of the Virtual Exhibition Center, the Virtual Meeting Room, and/or the E learning Platform is, in any case, the data controller for all personal information necessary to: 

ensure the ordinary and extraordinary maintenance of the Virtual Exhibition Center, Virtual Meeting Room, or E-learning Platform;  

protect the security and integrity of the Virtual Service as well as the associated Virtual  Platform; 

ensure the technical progress of the Virtual Services’ supporting infrastructure; promote the use of Virtual Services among Customers and/or Prospects;  

ensure compliance with the regulations applicable to the Virtual Platform, where they  are not the sole responsibility of third parties.

The Manager of the Virtual Exhibition Center, Virtual Meetings/Missions, or E-Learning  Platform is data processor if processing operations are carried out on behalf of the Organizer  of Virtual Trade Fairs, Virtual Meetings, or E-Learning Services.  

Where the Organizer of Virtual Trade Fairs, Virtual Meetings/Missions, or E-learning  Services coincides with the Manager, he or she is usually the data controller for all  processing operations described above. 

Where Managers of Virtual Exhibition Centers, Virtual Halls, or E-Learning Platform, on the  one hand, and Organizers of Virtual Trade Fairs, Virtual Meetings/Missions, or E-learning  Services, on the other hand, both contribute, in differing forms, to the performance of the  activity covered by the Virtual Service by jointly determining, in whole or in part, the purpose  and means of consequent processing operations, they will enter into a joint controllership agreement that duly reflects their respective roles and responsibilities in the protection of  personal data, as well as their relationships vis-à-vis the data subjects, in accordance with  the provisions of Article 26 of the GDPR. 

Suppliers offering services that involve data processing on behalf of the Organizer of Virtual  Trade Fairs, Virtual Meetings/Missions, or E-learning Services or the Manager of the Virtual  Exhibition Center, Virtual Meeting Room, or E-learning Platform (Data Controllers) are the  data processors for such operations, pursuant to and for the purposes of Article 28 of the  GDPR. 

Means of Providing Virtual Services 

Virtual Services can be provided in two different ways:  

  1. a) directly, by ICE Agency and/or an Agency Supplier;
  2. b) by a third-party Partner of ICE Agency (e.g., a fair, export consortium, etc.) or by a Supplier authorized by the Partner.

In case a), ICE Agency acts as data controller, unless it is otherwise agreed between the  parties in writing that ICE will assume the role of data processor on behalf of a third-party  controller (particularly when data subjects’ personal, contact, and economic information  originally comes from a database belonging to an affiliated third-party partner).  

In case b), ICE Agency assumes the role of data processor on behalf of the third-party Partner, unless it is otherwise agreed in writing between the parties that ICE Agency will  assume the role of joint controller (particularly when data subjects’ personal, contact, and  economic information originally comes from a database belonging to an affiliated third-party  partner who intends to act jointly with ICE Agency in making certain decisions regarding the  purpose and/or means of processing the relevant personal data). 

In the case of joint controllership, ICE Agency and the affiliated third-party Partner formalize  the terms and conditions of the arrangement in a specific agreement and provide data  subjects with a summary thereof. 

Processing methods 

Your personal data may be processed using paper and electronic means and cloud services, for purposes strictly related to the purposes stated above, in compliance with the rights and  safeguards provided for by the General Data Protection Regulation (EU) 2016/679 (GDPR).

In particular, ICE Agency processes personal data in compliance with the provisions of the  GDPR, holding all processing operations to the principles of lawfulness, fairness, and  transparency, purpose limitation, and data minimization in relation to the purpose for which  data is collected and subsequently processed, for explicit and legitimate purposes.  

Data processing is carried out by suitably qualified Agency personnel who act as personnel  authorized to process the data, or by any persons authorized for occasional maintenance of  the systems, applications, and data necessary for Virtual Services. 

Assumptions of lawfulness of processing for the purposes of marketing and  legitimate interests pursued by third parties 

The data subjects’ personal information is processed by ICE Agency’s Partners for  marketing purposes (e.g., by Organizers of Trade Fairs, Virtual Meetings/Missions, or E learning Services and by Managers of Exhibition Centers, Virtual Meeting Rooms, or the E learning Platform, in their respective capacities as Controllers) on the basis of the data  subjects’ consent, pursuant to Article 6(1)(a) of the GDPR, or on the basis of the legitimate interest of ICE Agency’s third-party Partners as independent data controllers, deemed from  time to time to override the data subjects’ right to privacy. 

Data subjects are however protected by the ability to exercise their right to object to ICE  Agency’s Partners pursuant to Article 21(2) of the GDPR, which allows them to object at any  time to the processing of their personal data for marketing purposes, including any profiling  of data that is connected to such direct marketing, that is, to withdraw consent as per Article 

7(3) of the Regulation. 

How long will you keep my data? 

  1. a) Data retention periods for institutional purposes 

Personal data and related metadata will be kept for a period of time not exceeding what is  necessary to achieve the respective purposes, according to the time limits provided for by  the applicable legislation on the subject (e.g., Articles 43–44 of the Italian Digital  Administration Code (Codice dell’amministrazione digitale, CAD), Legislative Decree no. 82, 

dated 7 March 2005, as amended by Legislative Decree 217/2017; the Agency for Digital  Italy (AgID) Guidelines of December 2015 on the retention of electronic documents;  Technical rules for the formation, transmission, copying, duplication, reproduction, and  timestamping of electronic documents, as well as the formation and retention of PA  electronic documents pursuant to Articles 20, 22, 23-bis, 23-ter, 40(1), 41, and 71(1) of the  CAD). 

Data may be kept for longer periods (including long-term or indefinitely) than those indicated  above when processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to the implementation of  appropriate technical and organizational measures required by this regulation in order to  safeguard the rights and freedoms of the data subject. 

  1. b) Data retention periods for marketing and market analysis purposes 

The data retention period for the purposes of marketing and profiling or market analysis of  data subjects (Visitors, Exhibitors, Third-Party Organizers, and Prospects) by third-party Partners should they process the data in the capacity as independent data controllers is  finite, taking into consideration the specificities of Trade Fair Activities which entail holding  Trade Fairs on an annual, biennial, triennial, or four-year basis. For these reasons and  considering the technical requirements of data management, the retention period is ten

years (proportionate to the purpose of providing information on subsequent editions to the  above-mentioned parties who have expressed interest in the Virtual Trade Fair by  registering for and/or participating in a previous edition and/or by requesting information or  contact).  

  1. c) Notice and consent logs 

ICE Agency keeps records of logs relating to i) the reading of ICE’s online privacy notices  and the online actions (e.g., clicks, flags, and the like) through which Virtual Service users communicate to the Virtual Platform or with ICE Agency’s third-party Partners through the  Platform (e.g., the data subject can give consent with a click where such third-party Partners  are required by the current legislation to obtain consent) for an indefinite period of time,  without prejudice to any differing terms of retention independently applied by ICE Agency’s  third-party Partners. 

  1. d) Logs of electronic monitoring activities (cybersecurity, proper functioning)  

ICE Agency provides its cyber security monitoring service for the purpose of protecting, inter  alia, Exhibitors, Suppliers, and Visitors during Virtual Trade Fairs or Virtual Meetings. The  retention period ranges from a minimum of 90 days to a maximum of 180 days from the date  of collection.  

  1. e) Litigations 

In the event of a dispute between you and ICE or our third-party suppliers, we will process  data for the time necessary to exercise the protection of our rights or those of third-party  suppliers and that is, as a rule, until the issuance and full execution of a provision constituting  a final decision between the parties or a dispute settlement.  

Will you share my data with other parties? 

Data relating to Virtual Services is not intended for third parties nor is it subject to  communication or dissemination, unless otherwise provided for by legal or regulatory  provisions or other applicable legislation. 

In carrying out our Public Administration activities, ICE may communicate your data to  parties that perform inspection activities or to public bodies or administrations, including tax  authorities, as well as to parties legally entitled to such information, Italian and foreign judicial  authorities, and other public authorities (e.g., the Italian National Anti-Corruption Authority, 

the Guardia di Finanza), for the purposes of fulfilling obligations established by law,  regulations, or other applicable legislation, or fulfilling obligations arising from the contractual  relationship with the data subject, including the need for defense in court. 

To the extent necessary for pursuing the aforementioned purposes or implementing pre contractual measures, data will be disclosed to third parties, including suppliers, partners  (e.g., trade fairs, trade associations), consultants and professional firms (e.g., chartered  accountants, lawyers), other customers who subscribe to Virtual Services, which collectively  involve more customers, business networks, industrial districts, consortia, and inspection bodies (e.g., auditors, statutory auditors, Supervisory Board). 

For the purposes of ICE’s corporate communication (e.g., marketing activities connected to  individual Virtual Events), data may be disclosed to: companies in charge of marketing  analysis, advertising, communications, and/or public relations agencies, the electronic and  physical publishing companies that print our advertising and promotional materials, website  and blog hosting providers, digital marketing agencies, parties responsible for designing

and/or maintaining promotional materials, managed IT system service providers, websites  and databases used to organize and manage Events, and photography agencies. 

For the purpose of maintaining the Virtual Platform and its associated technical services,  data may be disclosed to third-party hosting and maintenance service providers. 

A complete, up-to-date list of parties who process data in the capacity of Data Processors is available upon request, which can be made by emailing privacy@ice.it

As part of the services called ‘Virtual Fairs’ or ‘Virtual B2B Meetings’, ICE can disclose your  data 

Will you transfer data to non-EU countries? 

Personal data collected in the CDB (e.g., data concerning Exhibitors, natural persons,  Exhibitors’ employees or collaborators, or the Organizer of Virtual Trade Fairs and/or Virtual  Meetings or E-learning Services) may be transferred by the Organizer of Virtual Trade Fairs  and/or Virtual Meetings or E-learning Services to non-EU countries in which one of the  following is based: (i) the ICE offices1; and/or, (ii) ICE Suppliers and/or Partners; or, ( iii) the  Managers or Organizers of Virtual Trade Fairs, Virtual Meetings, or E-learning Services, or  the respective suppliers of such parties other than ICE.  

This transfer by ICE or the Trade Fair Organizer takes place in accordance with the  provisions of Chapter V in the RGPD and that is on the basis of EU Commission adequacy  decisions pursuant to Article 45 of the GDPR, or in full compliance with the appropriate safeguards and provisions set out in Articles 46, 47, and 49 of the Regulation. 

The aforementioned safeguards are usually constituted, where reasonably possible, by the  third-party data importer’s prior drafting of a contractual agreement with ICE in which the data  importer undertakes to respect privacy obligations for the contracted data processing which  are substantially equivalent to those provided for by the GDPR and upheld by ICE (through  the use of standard contractual clauses in accordance with the text adopted by the EU  Commission without prejudice to any possible integrations and amendments, which were  more favorable for the data subject).  

Should drafting such a transfer agreement with the data importer prove impossible or  excessively burdensome, transferring data to the non-EU country may be considered lawful  on the basis of any one of the following reasons: i) it is necessary for the performance of a  contract concluded between the data subject, on the one hand, and ICE Agency or a ‘Third 

Party Organizer’, on the other hand, or for the implementation of pre-contractual measures  adopted at the data subject’s request; ii) it is necessary for the conclusion or execution of a  contract between the data controller or joint controller and another natural or legal person in  favor of the data subject (this other natural or legal person is one of our branches or Partners  based in a non-EU country).  

As an alternative to such derogation, we reserve the right to ask you for specific consent to  transfer your data to the non-EU country, which would in this case constitute the lawful basis  for the data transfer. 

ICE’s videoconferencing and/or video collaboration services use SaaS-IaaS features that  are mainly provided by ICE’s third-party suppliers based outside the EU. In addition, ICE  

  

1 A list of ICE offices can be found at www.ice.it.

uses cloud-based database and productivity services provided by third-party suppliers  based outside the EU. 

In the event that any data is transferred to suppliers with HQ or datacenter in the U.S.A., the  US supplier will be subject to the regulations issued by the US Federal Trade Commission.  In some cases, the US supplier may be obliged to communicate personal data at the lawful  request of any public authorities, also to meet any national security or law enforcement  requirements. In the light of the US regulations, which the EU Court of Justice refers to in  the Schrmes II ruling of 16 July 2020, ICE AGENCY may not theoretically and absolutely  exclude the risk that the US public authorities access such data on special, occasional  situations connected to national security purposes (i.e. for anti-terror purposes). However, if the following applies: 

  1. i) limited scope of the service provided by ICE Agency (exporter) to the benefit of the data  subjects, whose data is processed by the importer (the US supplier), and of the related data  processing consequences, 
  2. ii) limited types of processed personal data and limited categories of data subjects, who data  refer to (exhibitors, virtual trade-fair visitors, other Virtual Service attendants), the risk that the US public authorities may concretely access the data (which the importer  may not report to the exporter based on the local national regulations) appears objectively  negligible. 

Therefore, with the exception of the single case of an access by the US public authorities in  the special, limited situations above – which is exceptional by nature and thus quite  improbable – the Data Controller believes that the standard contractual clauses applied in  the relationship between the parties reasonably guarantee the protection of the data  subjects’ rights in a way that is substantially identical to that provided for by the GDPR. 

ICE Agency, thus, does not currently believe it necessary to agree any additional provisions  with the importer (this possibility being envisaged in the ruling by the EU Court of Justice  above). Future additional measures may be adopted in view of the indications provided by  the EDPB. 

Each and every non-EU supplier of ICE Agency is a data processor concerning the data that the same receives, and later transfers it to a third party acting as agent on the latter’s behalf. 

If the first transfer of personal data from the EU to the U.S.A. is made by ICE Agency as the  first data processor (and hence on behalf of third-party independent controllers or joint  controllers), the supplier is a sub-processor of such data. 

Is data processed for profiling purposes? 

Some of the information on the data subjects in the databases used by ICE as controller or  joint controller in managing Virtual Services may be processed for the purposes of limited  market analysis. For the purposes of the GDPR, profiling is relevant only if it concerns  natural persons (including individual owners of sole proprietorships and partnerships,  shareholders and directors of partnerships, and internal contact persons for companies,  associations, organizations, and other collective bodies other than partnerships). In  particular, the data processed for this profiling purpose includes, for example: the type of  goods and services offered by the Operator using Virtual Services, the Operator’s ATECO  code, contact language, target countries of their business activities, countries in which the  Operator is present, and goods and services of interest to the Operator. 

Profiling allows us, in particular, to avoid sending you promotional communications that are  not likely to be relevant to your expectations and needs or through unwanted channels.

The restricted nature of this profiling does not preclude specific advantages or the possibility  of freely exercising your privacy rights, nor does it have particular legal effects; in particular,  it does not in any way affect your ability to participate in Events and/or use our Virtual  Services (e.g., online pre-registration, purchase of services). 

Considering the limited data set used for the purposes of such analysis, profiling finds its  lawful basis in ICE Agency’s institutional obligation to have some basic information to  guide/focus promotional communications and service or product offers from ICE and/or  ICE’s affiliated third-party Partners on whose behalf ICE sometimes carries out marketing  activities to develop the trade of its product and/or service abroad, as established by the  legal reference standards cited in the paragraph ‘Purpose and lawful basis’. 

How do you handle personal data breaches? 

ICE Agency implements appropriate technical and organizational measures to promptly  detect any personal data breaches and, if necessary, notify the competent authorities and inform the data subject in accordance with the provisions of Articles 33 and 34 of the GDPR.  ICE keeps one or more logs of the security events related to the functioning of Virtual  Services on its internal systems and/or those of its assignors. ICE records incidents and  personal data breaches together with the details of the event and the subsequent mitigation  and recovery actions taken. In the event of incidents that seriously impact the security of  Virtual Services, these logs can be shared with third-party partners affiliated with ICE and/or  with the Operators using Virtual Services, based on the data breach procedure adopted by  ICE and in compliance with up-to-date written agreements with the aforementioned third  parties. 

What are my rights? 

The data subject may at any time exercise his or her rights and, in particular, request access  to personal information and ask that it be corrected or limited, updated if incomplete or  incorrect, or erased if collected in violation of the law, as well as object to its processing,  subject to the existence of legitimate reasons on the part of the Data Controller. The data 

subject also has the right to portability, i.e., to receive – or have a third-party controller  receive – the personal information provided by the data subject to the Controller in a  structured, commonly used, and machine-readable format. For a more complete description  of your rights, see this link. 

It is possible to contact the Data Controller or the Data Protection Officer for this purpose.  Any further information may be requested at the following email address: privacy@ice.it. 

Lastly, we inform you of the possibility of lodging a complaint with the Italian Supervisory  Authority – Data Protection Authority (Garante per la protezione dei dati personali), Piazza  Venezia 11, 00187, Rome. 

Who responds to requests to exercise rights? 

In the event that ICE acts as data processor on behalf of third party data controller affiliated  with ICE or a third-party Operator Controller, responding to the data subject’s request to  exercise his or her rights will be the sole responsibility of the aforementioned third party. To  this end, the third party will indicate their contact details in their privacy notice.

This privacy notice may be supplemented with further information, including the  integration of regulatory changes and/or the provisions of the EDPB and the Italian  Privacy Authority.