In every area related to IT and Data Security, we have well-established procedures in place that safeguard your data – and we are very proud of that!
An international management standard for information security. The standard is a management tool that helps businesses protect valuable information, including personal data, in a secure and trustworthy manner. ISO 27001 sets requirements for risk management, documentation of processes, and the allocation of roles and responsibilities for information security, among other things.
The privacy protection standard is a management tool that provides insights into the processes and measures organizations should establish to achieve appropriate protection of personal information. This is an extension of the management standard ISO/IEC 27001 for information security.
Above all, it is crucial that our customers feel completely secure entrusting their data to us. They should be able to focus on their business without worrying about how their data is handled. Often, the information we deal with is sensitive, and by nature, this gives us a high-risk profile in terms of data security management.
Therefore, it is essential that we have standards in place to support our process of continuously maintaining and improving our security. We have evidence of this through our ISO certifications.
You could say that standards are a common language that allows us to understand things in the same way. This means that we can be confident that what we collaborate on or buy from each other meets expectations – whether it’s between businesses, authorities, or consumers.
Standards can, for example, set requirements for a product’s performance or describe technical terminology in a specific field. In our case, it’s a management tool that helps protect valuable information – including personal data – in a secure and trustworthy manner.
We will undergo annual audits, and every three years, we must be re-certified to maintain our ISO 27001 security certification. The evaluation and certification have been carried out by DNV, which is one of the leading global providers of accredited certification of management systems.
All participant activities are automatically logged, ensuring a comprehensive overview down to the smallest detail. We are always available for your organization’s data security expert to ensure compliance with security policies.
Conference Manager is encrypted using TLS (https). Encryption certificates are regularly updated, and keys are changed according to established standards. Whether it’s setting up and administering events or participants’ registration processes, data is completely secure when using Conference Manager.
As a default, we store data for 6 months after your event has been held, in compliance with typical legislation. If different needs arise, our standard packages include data storage for 24 months. All data is stored in Conference Manager’s own data center, and we do not use external parties for operations or hosting. Therefore, we have no data located outside the EU/EEA.
Everyone must have a data processing agreement that complies with the legal requirements, and in practice, it’s impossible to meet the legislative requirements without satisfactory IT support. This means, among other things, that you must be able to:
Conference Manager enables you to easily comply with the regulation’s rules. Without the use of an IT system for this, it becomes an almost impossible task.
When you buy a license from Conference Manager, you also get our mandatory data protection package, which supports our ISO certification. You are assured that your company both complies with applicable legislation and at the same time can document how your and your participants’ data is handled.
Conference Manager’s data protection package contains the following documents:
Geared towards your company’s use of Conference Manager and the evaluation of 12 points, assessing compliance with the law, recommended security measures, etc. The report is based on a specific assessment of your particular events, a review of registration pages, the fields used, agreements, security features, and more. The report also includes management’s confirmation that personal data during the latest reporting period has only been processed within the EU, and that we never use subprocessors or cloud services.
Issued by DNV-GL
Overview of all the security measures that Conference Manager has implemented according to ISO 27001, as indicated in the ISO 27001 certificate. The document consists of more than 15 pages with descriptions and references to international standards, enabling direct verification of compliance with security requirements for authorities and companies that also operate based on international security standards.
Issued by DNV-GL
Conference Manager does not have any independent rights to your data. You, as the customer, are the data controller for the content you input into Conference Manager, and therefore, it is your responsibility to ensure that we fulfill our obligations.
For this reason, we enter into a data processing agreement with all our customers. It is an integral part of our contractual basis. The data processing agreement ensures that:
A complete system for handling registrations and administration of conferences, courses, exhibitions, and workshops. We offer support on all weekdays, and you are always welcome to contact us for advice and collaboration.
Be on track with new releases and related news by signing up to our newsletters.
© Conference Manager A/S. All rights reserved · Cookiepolicy · Privacy policy
Version 1.2 of December 12, 2018
1 | SCOPE OF THE AGREEMENT |
2 | PROCESSING OF PERSONAL INFORMATION |
3 | REQUIREMENTS FOR CONFERENCE MANAGER A/S |
4 | REQUIREMENTS FOR CONFERENCE ORGANIZERS |
5 | SUB-DATA PROCESSORS |
6 | CONFIDENTIALITY |
7 | AMENDMENTS AND ASSIGNMENTS |
8 | DURATION AND TERMINATION OF AGREEMENT |
9 | PRIORITY |
10 | APPENDIX 1 |
11 | APPENDIX 2 |
1.1 | The conditions in this Annex A to “Conditions for the use of Conference Manager™” version 1.8 of 25 September 2018 (“the Conditions”) constitute the data processing agreement that applies to Conference Manager A/S” processing of personal data when using Conference Manager ™ |
1.2 | Conference Manager A/S is a data processor for Conference Organizer, as Conference Organizer has purchased a license for the Conference Manager™ system from Conference Manager A/S and Conference Manager A/S in connection with this takes care of the data processing tasks described in Appendix 1 for Conference Organizer. |
1.3 | The personal data processed by Conference Manager A/S includes the purposes of the processing, the categories of personal data and the categories of registered persons listed in Appendix 1. |
1.4 | “Personal data” means any type of information about an identified or identifiable natural person, cf. Article 4(1) of Regulation (EU) 2016/679 of 27 April 2016 (“the personal data regulation”). If, as part of the fulfillment of the Agreement, confidential information other than personal data is processed, e.g. information which pursuant to the Financial Business Act is considered confidential, any reference to “personal information” also includes the other confidential information. |
1.5 | Definitions used in the Agreement must be understood in the same way as in the Conditions. |
2.1 | Instructions: Conference Manager A/S is instructed to only process the personal data for the purpose of carrying out the data processing tasks set out in Appendix 1. Conference Manager A/S may not process or use the personal data for purposes other than those specified in the instructions, including transferring the personal data to a third country or an international organization, unless Conference Manager A/S is obliged to do so under EU law or the legislation of a member state which Conference Manager A/S is subject. If applicable, Conference Manager A/S must notify the Conference Organizer in writing of this legal obligation before the processing begins, unless relevant legislation prohibits such notification based on important societal interests. |
2.2 | If the Conference Organizer in the instructions in Appendix 1 or specifically has given permission for a transfer of personal data to a third country or to international organisations, it is the responsibility of Conference Manager A/S to ensure that there is a legal basis for the transfer, e.g. The EU Commission’s standard contracts for the transfer of personal data to third countries. |
2.3 | If Conference Manager A/S deems that an instruction from the Conference Organizer is in violation of the Personal Data Regulation or data protection provisions in other EU law or in the legislation of a Member State, Conference Manager A/S must immediately, in writing, inform the Conference Organizer of this. |
3.1 | Conference Manager A/S must ensure that the persons who are authorized to process the personal data are subject to unconditional silence regarding the information that they may come into contact with in their work for the Conference Organizer.
|
3.3 | Conference Manager A/S must also comply with the special requirements for security measures that apply to Conference Organizers, cf. Appendix 1, as well as comply with the requirements for security measures that directly obligate Conference Manager A/S, including the requirements for security measures in the country where the Conference Manager A/S is established, or in the country where the data processing takes place. |
3.4 | The determination of the necessary technical and organizational security measures must take into account
|
3.6 | In addition, the conference organizer has the right, at its own expense, to appoint an independent expert who must have access to Conference Manager A/S” physical facilities for processing personal data and receive the necessary information to carry out the investigation of whether Conference Manager A/S complies its obligations under the Agreement. The independent expert cannot gain access to information relating to other Conference Manager A/S” Customers. The expert must, at Conference Manager A/S’s request, sign a customary confidentiality declaration and treat any information obtained from or received directly from Conference Manager A/S as confidential, and may only share the information with the Conference Organizer. The conference organizer may not pass on the information or use the information for purposes other than assessing the extent to which Conference Manager A/S has taken the necessary technical and organizational security measures. |
3.7 | Conference Manager A/S must provide the authorities and the Conference Organiser’s external advisers, including auditors, with all requested information in relation to the performance of the data processing task, to the extent that the information is necessary for their performance of the task pursuant to EU law or the legislation of a Member State. |
3.8 | Conference Manager A/S must grant authorities who, according to EU law or the legislation of a Member State, have access to the facilities of the Conference Organizer and the Conference Organizer’s suppliers, or representatives acting on behalf of the authorities, access to Conference Manager A/S” physical facilities on presentation of proper identification.
|
3.10 | Conference Manager A/S must assist the Conference Organizer with the handling of any request from a person registered under Chapter III of the Personal Data Regulation, including requests for insight, correction, blocking or deletion. Conference Manager A/S must also implement appropriate technical and organizational measures to assist the Conference Organizer in fulfilling the Conference Organizer’s obligation to respond to such requests. |
3.11 | Conference Manager A/S must assist the Conference Organizer in complying with the other obligations that may fall on the Conference Organizer under EU law or the legislation of a member state where Conference Manager A/S’ assistance is required, as well as where Conference Manager A/S” assistance is necessary for the Conference Organizer to comply with its obligations. This includes, among other things, but is not limited to, upon request, providing the Conference Organizer with all necessary information about an incident. This includes, among other things, but is not limited to, upon request, providing the Conference Organizer with all necessary information about an incident covered by point 3.9 (ii) as well as all necessary information for use in an impact analysis pursuant to Articles 35-36 of the Personal Data Regulation. |
3.12 | In Appendix 1, Conference Manager A/S has provided the physical location of servers, service centers, etc., which are included in the execution of the data processing. Conference Manager A/S undertakes to inform the Conference Organizer in writing prior to changes to the physical location. This does not require a formal amendment to Appendix 1; prior written notice via post or email is sufficient. |
3.13 | Point is empty. |
3.14 | At Conference Manager A/S” or its sub-processors, assistance with audits, handling of requests from registered users, provision of information to authorities, etc. after this point 3, Conference Manager A/S is entitled to demand payment for time spent according to the hourly rate applicable at any time. |
4.1 | The conference organizer is obliged to ensure that prior to each disclosure/transfer of information about a conference participant, speaker or other person, including when entering or otherwise publishing such information in Conference Manager™, the necessary authority for the collection, disclosure and processing is secured of the information, if such information is referred to in the Personal Data Regulation. |
4.2 | This duty also applies in relation to information that a Conference Participant, Lecturer or other person gets access to enter or otherwise make available in Conference Manager™ via a login provided by the Conference Organiser. |
4.3 | Conference Manager™ stores the information/data that is entered or otherwise made available in Conference Manager™ in relation to the conference/event, in the period leading up to the holding of the conference/event and in the period agreed upon, cf. Clause 11 of the Terms and Conditions . |
4.4 | At the end of the agreed retention period after the conference/event has been held, access to Conference Manager™ in relation to this conference/event will be automatically and immediately deleted without further notice, and the information/data that may have been entered or otherwise made available in Conference Manager™ by the Conference Organizer himself or by others in relation to the conference/event will be lost, as they will be automatically deleted without the possibility of re-establishment. It is the Conference Organizer’s own responsibility to remove information that it does not want to lose from Conference Manager™ before the end of the storage period. |
4.5 | If the event is cancelled, all stored information/data relating to the event will be deleted without further notice. Information/data can only be read from Conference Manager™, to the extent that reports and the like are made available in the Conference Manager™ application. |
5.1 | Conference Manager A/S must use a sub-data processor. At the time of entering into the Agreement, Conference Manager A/S uses the sub-processors listed in Appendix 2. Conference Manager A/S must notify the Conference Organizer in writing of any planned changes regarding the addition or replacement of sub-processors before use begins. The conference organizer has the right to refuse the use of a sub-data processor without reason. Upon termination of the use of a sub-data processor, Conference Manager A/S must notify the Conference Organizer in writing. |
5.2 | Before using a sub-data processor, Conference Manager A/S must enter into a written agreement with the sub-data processor, in which the sub-data processor is at least imposed the same obligations that Conference Manager A/S has assumed in the Agreement, including the duty to implement appropriate technical and organizational measures to ensuring that the processing meets the requirements of the Personal Data Regulation. |
5.3 | The conference organizer has the right to be provided with a copy of Conference Manager A/S” agreement with a sub-data processor, as far as provisions in said agreement which relate to data protection obligations are concerned. Conference Manager A/S is liable to the Conference Organizer for the sub-processor’s fulfillment of its data protection obligations. The fact that the Conference Organizer has given consent to Conference Manager A/S’ entering into an agreement with a sub-data processor is without prejudice to Conference Manager A/S’ obligation to comply with the Agreement. |
6.2 | If Conference Manager A/S is a legal person, the provisions of the Agreement apply to any of Conference Manager A/S” employees, and Conference Manager A/S guarantees that the employees comply with the Agreement. |
6.3 | Conference Manager A/S may not convey the personal data to anyone or take a copy of the personal data, unless this is absolutely necessary for the performance of Conference Manager A/S” obligations towards the Conference Organizer pursuant to the Agreement and provided that the person to whom the personal data is entrusted , is aware of the confidential nature of the information and has agreed to keep the personal data confidential in accordance with the Agreement. |
6.4 | Conference Manager A/S must limit access to the personal data to those employees for whom it is necessary to have access to personal data in order to fulfill Conference Manager A/S” obligations towards the Conference Organizer. |
6.5 | Conference Manager A/S” obligations according to this point 6 remain without time limit, and regardless of whether the cooperation of the Parties may otherwise have ended. |
6.6 | The conference organizer must treat confidential information received from Conference Manager A/S confidentially and must not unjustifiably use or pass on the confidential information. |
7.1 | The parties can agree to change the Agreement at any time. Changes must be in writing. To the extent that changes to the Agreement result in additional obligations for Conference Manager A/S, Conference Manager A/S is entitled to demand payment for this in accordance with the hourly rate applicable at any time. |
7.2 | Conference Manager A/S may not assign its rights and obligations under the Agreement without the Conference Organizer’s prior written consent. |
8 DURATION AND TERMINATION OF THE AGREEMENT
8.1 | The agreement enters into force upon the Conference Organizer’s online approval of the Terms and Conditions and is valid until it is terminated in accordance with point 16 of the Terms and Conditions. |
8.2 | Regardless of the Agreement’s formal agreement period, the Agreement must continue to apply as long as Conference Manager A/S processes the personal data for which the Conference Organizer is the data controller. |
8.3 | In the event of termination of the Agreement, regardless of the legal basis for this, Conference Manager A/S must provide the necessary transition services to the Conference Organizer. Conference Manager A/S is obliged to cooperate loyally and as soon as possible so that the data processing is transferred to another supplier or returned to the Conference Organiser. Conference Manager A/S is entitled to demand payment for time spent in connection with this in accordance with the hourly rate applicable at any time. |
8.4 | Conference Manager A/S must immediately transfer or delete personal data that Conference Manager A/S processes on behalf of the Conference Organizer at the request of the Conference Organizer, unless EU law or the legislation of a Member State prescribes the storage of the personal data. Conference Manager A/S is entitled to demand payment for time spent in connection with this in accordance with the hourly rate applicable at any time. |
9.1 | In the event of a discrepancy between the provisions of the Agreement and the provisions of other written or oral agreements entered into between the Parties, the provisions of the Agreement shall take precedence. However, the provisions in point 3 do not apply to the extent that stricter obligations have been set for Conference Manager A/S in another agreement between the Partners. In addition, the Agreement does not apply to the extent that stricter obligations are set for Conference Manager A/S and/or sub-data processors when using the Commission’s standard contracts for the transfer of personal data to third countries. |
This Appendix constitutes the Conference Organizer’s instructions to Conference Manager A/S in connection with Conference Manager A/S” data processing for the Conference Organizer and is an integral part of the Agreement.
The processing of personal data
a) | Purpose and nature of the data processing Conference Manager A/S makes the Conference Manager™ system available to Conference Organizers. The conference organizer’s use of the system constitutes the conference organizer’s instructions to Conference Manager A/S in relation to the processing of the personal data that the conference organizer registers and uses.
|
c) | Categories of personal data Name, email address, telephone number, address and other general personal data The conference organizer or the conference participant chooses to upload |
d) | Special categories of personal data None, unless the Conference Organizer or the Conference Participant themselves choose to upload these |
e) | Location(s), including indication of country of processing Conference Manager A/S – DTU |
f) | Special requirements for security measures that apply to Conference organizers None |
No sub-processors
You can expect to receive one or more emails per month with relevant content about our systems and services. You can unsubscribe at any time by clicking the link at the bottom of our emails.
Best regards,
Conference Manager