EuRA has completed a full data audit under legal guidance to ensure we are fully GDPR compliant. GDPR is probably the biggest update to privacy regulations of the last 20 years and comes into effect as of May 25th, 2018. Its goal is to ensure all data is handled correctly and fairly.
The main principles of the GDPR regulation are that data shall be:
processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’);
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, are erased or rectified without delay (‘accuracy’);
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
The data we process comes from EuRA Members, non-member conference delegates, non-member networking events delegates, employees and supplier data. We obtain this data directly from members, initially upon application for membership and then on renewal of membership. Similarly, we obtain data from event delegates upon application to join an event, either online or in person.
Processing this data is a necessary part of delivery association services and ensures the smooth running of the EuRA organisation. It allows us to fulfil our contractual obligations in terms of membership and in terms of event management and training delivery for members and non-members.
Certain non-sensitive member data, such as company details and contact person, are published online and in print through our annual member directory. This information is freely accessible to persons and organisations in and outside of Europe. Members are able to amend and update their public records at any time by logging in to their secure company profile. Members have the right to opt out of publication of a public company profile, simply send us an email if you do not wish your company to be featured on the EuRA website.
Sensitive member data is never published by EuRA, although certain special categories may be shared with third parties under limited and specific circumstances. Special categories of sensitive member data that we process can for example include delegate dietary requirements (which may indicate religious affiliation), or delegates bringing a guest for events (which may indicate a same sex couple/marriage). This data will be shared with suppliers on a need to know basis; i.e. names of delegates and guests booking into a hotel, or information on allergens with catering companies. This data will not be held beyond the duration of the event and will be removed from our records following the event. Please note that these details may be given to a supplier outside the EU such as a EuRA Global conference venue or US reception venue.
Registered event delegates will be featured in the EuRA delegate list and enjoy a profile on the event app. The delegate list and profiles are not publicly accessible and are only distributed to other registered attendees of the same event, including attendees from outside the EU. Member and non-member delegates are able to update their personal profile by logging in to the event app or can request updates to the printed delegate list by contacting the EuRA office.
Training records of individual employees are held and processed by the EuRA office. Individual trainees can view their training records and personal accreditations by logging in to their personal profile on the EuRA website. Trainees cannot amend these records themselves, but can ask EuRA to make any necessary changes at any time by simple email request. Training progress and accreditation is a personal achievement, and as such is linked to the individual trainee, not the employing company. Training data is kept indefinitely and will only be deleted upon request of the individual trainee.
Member company data is held for the duration of the membership. If membership is discontinued then this data will be kept in our system for 366 days, after which it will be removed from our records.
All contemporary and much of EuRA's archive and legacy data is stored securely by EuRA in legacy servers and secure encrypted cloud/online storage facilities to ensure sufficient backup and continuity of operations at all times. Folders are shared across all team members for all day to day activities. Sensitive data such as HR records and payroll are held separately and are accessible only by the parties needing such data.
The data held on this website and its CMS is secured in compliance with GDPR by Open Up Media bvba, based in Belgium, with whom EuRA has a Data Processing Agreement (DPA).
In case of a breach likely to harm individuals occurring within any EuRA storage areas and systems, they will be reported to the ICO within 72 hours and whether or not the breach will result in high risk to affected individuals and the individuals informed without delay, i.e. within the same 72 hour window. EuRA will maintain records of all data breaches whether internal or reported by a member or non member in its data breach log.
Members and delegates of EuRA have the right to request a copy of all data held on their company and to request rectification or deletion of these files. A simple request to the EuRA office is enough to set this in process. Should you feel EuRA is not meeting your rights as set out under GDPR regulation, then you have the right to complain to a national data protection authority. For the UK this is The Information Commissioner's Office.
GDPR regulations apply to any organisation or individual residing in Europe, or any global company that handles data by or on behalf of an organisation or individual located in Europe. Find out more about GDPR by requesting your copy of EuRA's Guide to GDPR.