Privacy Notice

The IAPP collects personal information about its members and other customers. This information is generally limited to the kinds of information that can be found on a business card: first name, last name, job title, employer name, work address, work email, and work phone number. We use this information to provide members and customers with goods and services they purchase from us. We do not sell personal information to anyone and only share it with third parties who are facilitating the delivery of IAPP services.

Most IAPP customers provide their personal information directly to the IAPP. In some cases, the IAPP receives personal information about individuals from third parties. This may happen, for example, if your employer is a corporate member of the IAPP and signs you up for training, certification, or membership. One of our third-party training partners may also share your personal information with the IAPP when you purchase IAPP products from them. Your name may be given to the IAPP if you accept an invitation to speak at one of our meetings or events. We may also collect your personal data from a third party website (e.g. LinkedIn) if you fill out a form on that site requesting content from or registering for an event with the IAPP. You may always access and update your data with IAPP if you have an IAPP account and you may always contact us at privacy@iapp.org.

1. Personal information IAPP collects:

   1. Membership

      When you become an IAPP member, we collect information about you including but not limited to your name, your employer’s name, your work address (including your country location), and your email address.

      We may also collect your personal email address, a personal mailing address, and a mobile phone number. We allow members to voluntarily provide additional information in their membership profile, such as information about their educational background, number of years in privacy, and related personal data. Members may opt-in to publish their membership status and information to the Member Directory, which is available to other IAPP members on the IAPP website.

      We process your personal information for membership administration, to deliver member benefits to you, and to inform you of IAPP-related events, content, and other benefits or opportunities associated with your IAPP membership. The IAPP may also use this information to help the IAPP understand our members’ needs and interests to better tailor our products and services to meet your needs.

      Members often participate in local KnowledgeNet chapter meetings. These meetings are organized by volunteers (KnowledgeNet chapter chairs) and take place at various locations that donate their space for the meetings. The IAPP collects registration information from IAPP members and their guests, which it shares with the KnowledgeNet chapter chairs and location hosts for purposes of verifying registration and to ensure only registered guests are allowed attendance.

      Personal data categories	Purpose	GDPR Lawful Basis
      Name and contact information; payment information	Provide membership services, including access to website and other content and discounts on purchases; fulfill customer subscriptions	Contractual necessity (Article 6(1)(b))
      Employment and other professional biographical information; professional activities	Provide customer service support; inform customer of membership benefits and professional opportunities; assist customer with professional networking and self-promotion, and participation in IAPP community; programming events; understanding members’ needs and interests to better tailor products and services to meet member needs; verifying registration and ensuring only registered guests are allowed attendance; supplement member profile; enhance Member Directory for improved networking; business intelligence	IAPP’s legitimate interest (Article 6(1)(f))

   2. Live events

      The IAPP hosts many live, in-person events throughout the year. These include conferences such as the Global Privacy Summit and the Data Protection Congress. If you register for one of our events and you are a member, we will access the information in your member account to provide you with information and services associated with the event. You may be asked to provide more information when signing up for an event than is found in your IAPP profile (e.g. whether it’s your first IAPP event, your meal preferences, and some information about your title and industry).

      If you are not a member and you sign up for one of our events, we will collect the following information: name, email, company, title, industry, address, phone number, whether it’s your first IAPP event, and your meal preferences.

      IAPP uses the information provided by event attendees to provide them with event services, including badge printing, tracking your Continuing Privacy Education (CPE) credits, tailoring sessions to meet the audience profile and to determine the sessions likely to require the biggest rooms, and related purposes connected with the event. We also use the information for billing purposes, as some attendees do not pay at the time of registration. After the event, IAPP de-identifies the information collected from attendees and uses de-identified information to review outcomes of past events and plan for future events.

      If you are a presenter at one of our events, we will collect information about you including your name, employer and contact information, and photograph, and we may also collect information provided by event attendees who evaluated your performance as a presenter. We may also make and store a recording of your voice and likeness in certain instances.

      We keep a record of your participation in IAPP events as an attendee or presenter. This information may be used to provide you with membership and certification services (such as, for example, keeping track of your Continuing Privacy Education (CPE) credits, or to tell you about other events and publications). It may also be used to help the IAPP understand our members’ needs and interests to better tailor our products and services to meet your needs.

      In association with attending one or more of our conferences, you will have the option to download the “IAPP Events App” to help you navigate the conference and plan your schedule. The IAPP Events App’s sole purpose is to act as a mobile interface for IAPP conferences, not to collect your data. The IAPP does not collect any personal information from your device, nor will the application ask for personal information to use the app. We do not access any other applications on your device. We do not monitor app data or analytics, nor do we use any tracking or analytics tools on this app. Although we may send “push notifications” to update your app, IAPP does not otherwise use it to communicate with you.

      When you register for a live event, you will have an opportunity to opt-in to be listed in an attendee list. This list is shared with event sponsors/exhibitors as well as other attendees. You will also have the opportunity to opt-in to receive advertising by mail from our event sponsors/exhibitors. In that case, the IAPP would engage a third-party mailing house and would not share your mailing address directly with the sponsor/exhibitor.

      Exhibitors at IAPP events may wish to scan your badge so they can contact you with more information. The IAPP uses Cvent to provide badge scanning services to exhibitors who request it. By allowing an exhibitor to scan your badge you are consenting to have Cvent provide the exhibitor with your contact information, and thereafter you may be contacted by the exhibitor post-event. If you do not wish the exhibitor to contact you, please communicate this directly with the exhibitor at the event or thereafter.

      Personal data categories	Purpose	GDPR Lawful Basis
      Name, contact information, payment information	Event registration; event app validation	Contractual necessity (Article 6(1)(b))
      Professional biographical information; professional activities information; meal preference	Ensure event subject matter and content is relevant to attendee needs; ensure adequate food and dietary provisions; badge printing; tracking Continuing Privacy Education (CPE credits); determining which sessions require larger rooms; providing attendees with information and services associated with the event	IAPP’s legitimate interest (Article 6(1)(f))

   3. Web conferences

      The IAPP offers several web conferences throughout the year. Many of them are free to IAPP members, while non-members are charged a fee. IAPP also offers web conferences that are co-sponsored by the IAPP and its corporate partners and these conferences are free to everyone because of the co-sponsor’s underwriting. This means that when you register for a co-sponsored, live web conference, you will be providing your registration information to both the IAPP and the applicable co-sponsor. All IAPP web conference co-sponsors must agree to follow applicable privacy and data protection laws. Recorded web conferences may be accessed without providing information to the co-sponsor.

      Personal data categories	Purpose	GDPR Lawful Basis
      Name and contact information	Access to web conference	Contractual necessity (Article 6(1)(b))
      Name and contract information	Direct marketing	IAPP’s legitimate interest (Article 6(1)(f))

   4. Publications & Newsletters

      In addition to producing original content, the IAPP also subscribes to news feeds and blogs produced by others, which we often link to from our website and within our newsletters. This means you may find yourself on the IAPP website or reading an email from the IAPP publications team and we will offer you a link to another organization’s website where you will find content on privacy or data protection that we find relevant and useful to you. At these times, you will be leaving the IAPP website. The IAPP is not responsible or liable for content provided by these third-party websites or personal information they may happen to gather from you.

      To receive IAPP newsletters by email, you will need to create a “profile” with us which involves providing the IAPP with at least your first name and last name, an email address, and the country in which you live. The purpose of processing this data is to have the necessary information to deliver the IAPP’s newsletters by email. You may at your own option choose to subscribe to IAPP News and Updates which may be considered direct marketing. You may unsubscribe at any time to newsletter subscriptions as well as marketing messages.

      The IAPP from time to time sends research surveys to subscribers of the IAPP Daily Dashboard. By subscribing to the Daily Dashboard, you agree to receive these survey requests occasionally. You are under no obligation to take the surveys.

      The IAPP uses third-party service providers to manage our subscriptions. Services like this are necessary because it helps us send emails, manage subscribe/unsubscribe features, and improve the effectiveness of our emailing services. Emails contains a unique link to a transparent image which is loaded when the email is opened. We track the requests to download this hosted image. When you click on a hyperlink in the email, the unique redirect URL will reach our service for tracking and then immediately forward you to the target destination. The IAPP uses this information to better understand what information is of interest to its subscribers so it can produce more of that information for them. These third-party services do not use or sell this information.

      As noted above, you may manage your IAPP subscriptions by subscribing or unsubscribing at any time. Please note that if you have set your browser to block cookies, this may have an impact on your ability to unsubscribe. If you have any difficulties managing your email or other communication preferences with the IAPP, please contact us at privacy@iapp.org.

      Personal data categories	Purpose	GDPR Lawful Basis
      Name and contact information	Access to email newsletters; direct marketing	IAPP’s legitimate interest (Article 6(1)(f))

   5. Web and digital analytics

      The IAPP uses Google Analytics (GA4) to track how often people gain access to or read our content. Provided you have opted-in to analytics cookies, we use this information in the aggregate to understand what content our members find useful or interesting, so we can produce the most valuable content to meet your needs.

      Personal data categories	Purpose	GDPR Lawful Basis
      Anonymous website usage intelligence	Improve products and services	IAPP’s legitimate interest (Article 6(1)(f))
      Cookies data	Business intelligence	Consent (Article 6(1)(a))

   6. Training

      If you participate in IAPP training, you may sign up directly through the IAPP, in which case we collect your name and contact information directly from you. You may, alternatively, sign up for training – or be signed up for training – by or through a third party such as one of our training partners, or your own employer. We may also use independent contractors to conduct the training and third parties to provide the training venue. Your personal information will be stored in our database (hosted by a cloud service provider) and may also be shared with our training partners, trainers, and/or the venue hosting the event (to verify your identity when you arrive). The IAPP’s training partners, trainers, and data transfer hosts have agreed not to share your information with others and not to use your personal information other than to provide you with IAPP products and services.

      Personal data categories	Purpose	GDPR Lawful Basis
      Name and contact information	Provide access to purchased training	Contractual necessity (Article 6(1)(b))
      Professional details	Tailor content to customers	IAPP’s legitimate interest (Article 6(1)(f))

   7. Certification

      When you sign up to take one of the IAPP’s certification exams, we will collect your name and contact information. We will also collect and store information you provide to us about your need for special accommodations. IAPP shares your personal information as necessary with our exam hosting service, Pearson Vue.

      Pearson Vue uses third-party testing centers in a variety of locations throughout the world. These testing centers collect personally identifying information from anyone who arrives at the center to take any exam. This information may include your name, your photograph, and a government-issued identification. The testing centers use this information to verify your identity should you return to re-take the same exam and eliminate examination by proxy (someone else taking your exam). The testing centers act as data controllers with this information and this information is not shared with the IAPP.

      IAPP engages Pearson VUE’s “OnVue” program for test candidates electing to take exams online. This process requires taking the exam in a location in which no other people are present during the exam and also requires the disclosure of certain personal information to Pearson VUE. For more information about IAPP’s online certification data processing practices, please visit Certification Privacy FAQ.

      The IAPP will collect your exam results and, in conjunction with maintaining your certification(s), your record of participation in continuing privacy education. Only authorized employees within the IAPP have access to your certification exam scores and personal information pertaining to any special accommodations you may request. Information submitted to support special accommodation requests is maintained for no more than one year after submission.

      Personal data categories	Purpose	GDPR Lawful Basis
      Name and contact information; special accomodation requirements; testing information	Provide certification exam services (in-person or online)	Contractual necessity (Article 6(1)(b))

   8. Your correspondence with the IAPP

      If you correspond with us by email, the postal service, or other form of communication, we may retain such correspondence and the information contained in it and use it to respond to your inquiry or to keep a record of your complaint, accommodation request, or similar concern. As always, if you wish to have the IAPP “erase” your personal information or otherwise refrain from communicating with you, please contact us at privacy@iapp.org.

      Note: if you ask the IAPP not to contact you by email at a certain email address, the IAPP will retain a copy of that email address on its “master do not send” list in order to comply with your no-contact request.

      Personal data categories	Purpose	GDPR Lawful Basis
      Name, contact information, communication content	Customer service and support	IAPP’s legitimate interest (Article 6(1)(f))

   9. Payment and purchase information

      You may choose to purchase goods or services from the IAPP using a payment card. Typically, payment card information is provided directly by users, via the IAPP website, into the PCI/DSS-compliant payment processing service to which the IAPP subscribes, and the IAPP does not, itself, process or store the card information. Occasionally, members or customers ask IAPP employees to, on their behalf, enter payment card information into the PCI/DSS-compliant payment processing service to which the IAPP subscribes. We strongly encourage you not to submit this information by email. When IAPP employees receive payment card information from customers or members by email, fax, phone, or mail, it is entered as instructed and then deleted or destroyed.

      IAPP’s ecommerce system collects shipping and billing information to fulfill customer orders. IAPP relies on the legitimate interest basis for processing this personal data.

      Personal data categories	Purpose	GDPR Lawful Basis
      Name; payment information; billing address; shipping address	Fulfilling customer orders	IAPP’s legitimate interest (Article 6(1)(f))

2. What happens if you don’t give us your data

   You can enjoy many of the IAPP’s services without giving us your personal data because a great deal of information on our website is available even to those who are not IAPP members. You can also enjoy subscriptions to our newsletters without becoming an IAPP member, but you will need to create a profile with us which involves providing your name, email, country and postal code. Some personal information is necessary so that the IAPP can supply you with the services you have purchased or requested, and to authenticate you so that we know it is you and not someone else.

As is true of most other websites, the IAPP’s website collects certain information automatically and stores it in log files. The information may include internet protocol (IP) addresses, the region or general location where your computer or device is accessing the internet, browser type, operating system and other usage information about the use of the IAPP’s website, including a history of the pages you view. We use this information to help us design our site to better suit our users’ needs. We may also use your IP address to help diagnose problems with our server and to administer our website, analyze trends, track visitor movements, and gather broad demographic information that assists us in identifying visitor preferences.

The IAPP has a legitimate interest in understanding how members, customers and potential customers use its website. This assists the IAPP with providing more relevant products and services, with communicating value to our sponsors and corporate members, and with providing appropriate staffing to meet member and customer needs.

• Cookies and web beacons

  The IAPP makes available a comprehensive Cookie Notice that describes the cookies used on the IAPP website and provides information on how users can accept or reject them. Click here to view the notice.

• Do not track

  The IAPP tracks users when they cross from our primary public website (iapp.org) to our “IAPP community” portion of the site (my.iapp.org) by logging in with their user name and password, as well as when visitors to our website enter through a marketing landing page (pages.iapp.org). The IAPP also keeps a record of third party websites accessed when a user is on the IAPP site and clicks on a hyperlink. But the IAPP does not track users to subsequent sites and does not serve targeted advertising to them. The IAPP does not, therefore, respond to Do Not Track (DNT) signals.

Information about your IAPP purchases and certification status are maintained in association with your membership or profile account. The personal information the IAPP collects from you is stored in one or more databases hosted by third parties located in the United States. These third parties do not use or have access to your personal information for any purpose other than cloud storage and retrieval. On occasion, the IAPP engages third parties to mail information to you, including items like books you may have purchased, or material from an event sponsor.

We do not otherwise reveal your personal data to non-IAPP persons or businesses for their independent use unless: (1) you request or authorize it; (2) it’s in connection with IAPP-hosted and IAPP co-sponsored conferences as described above; (3) it is to assist your employer with confirming receipt or consumption of a purchase they made on your behalf; (4) the information is provided to comply with the law (for example, to comply with a search warrant, subpoena, or court order), enforce an agreement we have with you, or to protect our rights, property or safety, or the rights, property or safety of our employees or others; (5) the information is provided to our agents, vendors or service providers who perform functions on our behalf; (6) to address emergencies or acts of God; or (7) to address disputes, claims, or to persons demonstrating legal authority to act on your behalf; and (8) through the IAPP Member Directory as described below. We may also gather aggregated data about our members and Site visitors and disclose the results of such aggregated (but not personally identifiable) information to our partners, service providers, advertisers, and/or other third parties for marketing or promotional purposes.

The IAPP website uses interfaces with social media sites such as Facebook, LinkedIn, Twitter and others. If you choose to "like" or share information from the IAPP website through these services, you should review the privacy policy of that service. If you are a member of a social media site, the interfaces may allow the social media site to connect your site visit to your personal data.

The European Union’s General Data Protection Regulation and other countries’ privacy laws provide certain rights for data subjects. A good explanation of them (in English) is available on the website of the Irish Data Protection Commission.

This Privacy Notice is intended to provide you with information about what personal data the IAPP collects about you and how it is used. If you have any questions, please contact us at privacy@iapp.org.

If you wish to confirm that the IAPP is processing your personal data, or to have access to the personal data the IAPP may have about you, please contact us at privacy@iapp.org.

You may also request information about: the purpose of the processing; the categories of personal data concerned; who else outside the IAPP might have received the data from the IAPP; what the source of the information was (if you didn’t provide it directly to the IAPP); and how long it will be stored. You have a right to correct (rectify) the record of your personal data maintained by the IAPP if it is inaccurate. You may request that the IAPP erase that data or cease processing it, subject to certain exceptions. You may also request that the IAPP cease using your data for direct marketing purposes. In many countries, you have a right to lodge a complaint with the appropriate data protection authority if you have concerns about how the IAPP processes your personal data. When technically feasible, the IAPP will—at your request—provide your personal data to you or transmit it directly to another controller.

You may, at no cost to you, generate a report of most of the personal data the IAPP has regarding you by visiting our data access request portal: https://iapp.org/about/data-access-request/. Using this portal also authenticates you and supports your submission of a more comprehensive access request. If access cannot be provided within a reasonable time frame, the IAPP will provide you with a date when the information will be provided. If for some reason access is denied, the IAPP will provide an explanation as to why access has been denied.

For questions or complaints concerning the processing of your personal data, you can email the IAPP’s data protection officer at privacy@iapp.org.

In many jurisdictions, including but not limited to in the European Union, you have recourse with your nation’s data protection authority. To find your DPA, visit the IAPP’s global privacy directory.