PRIVACY POLICY
Pursuant to articles 13 and 14 of Regulation (EU) 2016/679 - General Data Protection Regulation (“GDPR”), we inform you that the personal data provided by the data subject (“you”), for yourself or for the organisation to which you belong, to the company Cesena Fiera S.p.A. (“hereinafter referred to as “we”), on the occasion of or in connection with trade fairs, exhibitions, events, conferences/congresses, championships/competitions and/or workshops (the ““Events”) organised, hosted or attended by us, also in collaboration with third-party partners, are processed in compliance with the principles of lawfulness, fairness, transparency, proportionality, necessity, accuracy, completeness and security and with the other regulatory obligations in force.
Categories of data subjects. Processing operations and collection procedures
The data processed concern customers (i.e. exhibitors, visitors, buyers, conference/congress participants, speakers at Events, participants in championships/competitions and/or workshops, concessionaires of exhibition and/or advertising spaces, third-party organisers and sponsors who have held their respective role during the last 10 years) and prospects (individuals who have expressed an interest in Events, over the last 10 years – for example, also by providing their business card or requesting information or quotes –journalists), understood as natural persons over 14 years of age acting on their own account and/or as internal contact persons of legal persons, entities or other organisations. The individual categories of data collected are listed in our collection forms, which supplement this privacy policy.
Data is processed electronically or on paper and in a manner that is compatible with the purposes specified below.
We collect data i) through online forms or paper forms or via pre-registration or participation apps filled out by you and/or acquired by third-party operators authorised by us or ii) via mobile devices such as tablets and smartphones present at the venue of the Events or iii) through a business card provided by you.
The collected data will be recorded and retained on the servers managed by Cesena Fiera S.p.A. and on those managed by Italian Exhibition Group S.p.A. The data collected may be processed by authorised personnel for the activities for which they are responsible, within the limits strictly necessary for the performance of the respective activities assigned to them (e.g. legal, commercial, marketing, administrative, logistics, IT and management control departments, etc.).
Purposes of processing
Data processing has the following purposes:
1. Fulfilment of contractual and legal obligations arising out of or in connection with the participation –
already contractually agreed upon or potential – of the data subject in the Events.
2. Planning and organisational management of the Events, for example issuing and paying for tickets, accreditation and entrance passes (including checking whether payment has been made successfully via third-party services), management of personal identification tags (with passport photo) for security reasons, planning and managing specific services requested by you (e.g. set-up services, hotel booking and hospitality services, ticketing, translations, hostesses, catering, escorting), managing the contracts we enter into with third-party suppliers of goods and/or services used by you during or on the occasion of the Events; publishing your name and surname or business/company name, phone number, fax number, e-mail, website, in the public online and printed catalogue of the Event in which you are participating; communication, at your request, of pre-contractual information (e.g. programmes, proposals, etc.) related to the Events, drafting invitation letters for consular visa applications.
3. Sending (via e-mail, phone calls, social networks and other automated means) commercial messages, advertising and sale offers for products/services that are similar to those of your interest or relating to trade fair/congress products/services, i.e. relating to the fresh fruit and vegetable supply chain, agricultural sector and/or related to them (e.g. sector publishing, championships/competitions, etc.) - activities collectively defined as “soft spam”.
4. Profiling. Profiling is only relevant for privacy purposes if it concerns natural persons, that is, sole proprietorships or partnerships and their partners/directors, or internal contacts of corporations, institutions or organisations.
Profiling uses some of the data you provide us with and, in some cases, combines it with company data from public databases (e.g. Business Register, CCIAA - Chamber of Commerce, Industry, Agriculture and Crafts). For example, we process the following data:
i) in the case of exhibitors: name and surname, company name of the organisation to which they belong, contact details, domicile or registered office, country of origin, business/product sector;
ii) in the case of buyers/visitors: name and surname, business name of the organisation to which they belong, contact details, job position and level of responsibility of the contact person, domicile or registered office, country of origin, website, year of foundation of the company, turnover, number of employees, business sector, percentage of business related to Italy and abroad, Italian and foreign regions of interest, main categories of products or services of interest to the buyer and/or marketed;
iii) in the case of journalists: name and surname, contact details, sector and newspaper to which they belong, country of origin, language,
iv) in the case of speakers at the Events/congresses/conferences: name and surname, contact details, sector, skills/topics covered.
In some cases, if you are a customer or prospect, we will associate the data provided by you with additional personal data acquired while you are visiting our websites or when using the services provided by these sites (e.g. cookies relating to the pages of our website that you have visited, the country you are browsing from) or through other communication channels (e.g. social media) or through services for sending bulk commercial e-mails (e.g. what messages you have received, which e-mails you have opened, what proposals you have accepted by performing specific actions such as opening an attachment or following our request to click on a link to landing pages or attachments to the e-mail message, etc.).
In particular, profiling allows us to minimise the number of promotional messages that are sent to you, which are not relevant to your likely expectations and needs, or that are sent to you through unwanted channels.
The limited nature of profiling does not exclude you from specific advantages or from the possibility of freely exercising your privacy rights, nor does it have any specific legal effects; in particular, it does not in any way affect your ability to participate in the Events and/or to use our services (e.g. online pre-registration, purchase of services).
5. Only with your separate consent: communication of data to our third-party partners (e.g., Italian Exhibition Group S.p.A., Cesena Fiera S.p.A., exhibitors or other operators active in the Events), for independent direct marketing activities relating to goods/services concerning such third-party partners.
Legal basis for processing. Compulsory or optional provision of data and consequences of failure to provide data
Data processing for the purposes set out in sub 1 has its legal basis in our need to fulfil the obligations arising from the contract stipulated or to be stipulated with you (and to carry out all the activities necessary to ensure that the commitments undertaken therein are correctly and completely fulfilled) and/or the legal obligations connected therewith. Therefore, such processing does not require your prior consent and you are also free not to provide your data. However, in this case, we will not be able to conclude the requested contract and/or regularly provide the service requested by you or by the organisation to which you belong (e.g. allowing you to participate in the Event of interest and providing you with related services) and/or we will not be able to fulfil our legal obligations arising from the contract.
The legal basis for processing for the purposes set out in sub 2 is our legitimate interest to organise the Events, plan and manage all organisational activities that will allow you to participate efficiently and effectively in the Events and to handle relationships with third-party suppliers of goods and services that are functional and/or connected to the Events.
In particular, the request for personal data and documents, especially for foreign guests, will make it possible to understand such data correctly and, above all, to verify that the company applying for a travel visa is reliable.
Therefore, such processing does not require your prior consent. You are not obliged to provide data, but in this case you will not be able to participate in the Event.
During the Events, videos (including voice) are shot and/or photographs are taken by us and/or photographers and/or videographers authorised by us. Such generic images concern trade fair Events that can be considered public events and are therefore processed, without requiring your consent, so that we can publish them on our websites/landing pages and social profiles (e.g. Twitter, Facebook, WhatsApp, YouTube, Instagram, etc.) as well as on brochures, catalogues, flyers and other printed material promoting the Events. If, however, the above-mentioned images portray you in a recognisable way, Cesena Fiera S.p.A. may publish them for the same promotional purposes on our printed materials, as mentioned above, or electronic/digital channels intended for the public (e.g. catalogues, brochures, flyers, websites/landing pages, blogs, social networks), only after having received your specific consent (which is the legal basis for processing), given on site to our official photographer and/or videographer.
In the latter case, you may withhold your consent and thus prevent us from processing your image; however, by giving us your consent, you expressly waive any financial compensation for the use of your image. You may subsequently request, at any time, that the face shown in the images published online be blacked out, without prejudice to the lawfulness of the processing carried out up to the date on which the images were blacked out. Cesena Fiera S.p.A. does not guarantee that images will be blacked out on the online channels of third- party independent data controllers.
The legal basis for processing for the purposes set out in sub 3 (soft spam) is our legitimate interest to freely contact our customers, as well as prospects, in order to be able to offer them – through electronic/phone/paper channels – new opportunities relating to services or products similar to those previously purchased/contracted (in the case of customers) or to those for which interest has been expressed (in the case of prospects), or relating to trade fair/congress products/services and/or those related to them (e.g. sector publishing, championships/competitions, etc.). Consequently, the so-called “soft spam” described above may lawfully take place even without your prior consent, which is therefore not necessary.
The legal basis for processing for the purposes set out in sub 4 (profiling) is our legitimate interest in maintaining and analysing a limited set of information about you so that we can contact you more effectively if you are one of our customers or prospects. Given the limited scope of data used in profiling, it also takes place without your prior consent, which is therefore not necessary.
Processing for the purposes set out in sub 5 (transfer of data to third parties) takes place only with your explicit consent (thus constituting the legal basis for the lawfulness of processing).
You are free to refuse to give your consent, but this will not affect your right to participate in the Events and/or to receive the services you requested from us.
Communication and disclosure of data
For the purposes set out in sub 1 and 2, we disclose such data to: service providers in charge of managing and maintaining our computer systems, websites and databases, photographers and/or videographers who produce video and audio material or related post-production, journalists and newspapers, companies providing services necessary for the organisation and management of the Events (e.g. installation of fittings and equipment, publishers of printed and online catalogues, logistics, security, private surveillance, first aid, hostesses, etc.), diplomatic representatives, consultants, banks (for making or receiving payments related to the Events), personnel authorised by Cesena Fiera S.p.A. to process such data (Communication, Travel, Sales, Marketing departments, etc).
For purposes under 3 and 4, the data are communicated to: companies appointed to carry out marketing analysis, advertising, communication and/or public relations agencies, digital and print publishing companies that produce our advertising or promotional materials, companies producing websites or blogs, web marketing companies, persons in charge of designing and/or maintaining promotional materials, companies managing and maintaining the computer systems, websites and databases used to organise and manage the Events, image agencies.
Such third parties will process the data as External Data Processors in accordance with our written guidelines and under our supervision.
As for all the purposes mentioned above, we also communicate data to third-party business partners (including, for example, Italian Exhibition Group S.p.A. and Cesena Fiera S.p.A.), which are involved in the implementation and/or promotion of the Events, who will process the data as independent data controllers, joint data controllers or data processors.
You may request that we provide you with a list of our joint data controllers, independent data controllers and data processors (see the “rights of the data subject” section of this privacy policy).
Transferring data abroad
If data is communicated to any third-party recipients with registered offices outside the EU, such data will be transferred provided that adequate assurances are in place, namely that the third-party importer has entered into a contractual agreement with us whereby the importer undertakes, with regard to the processing of its personal data, to comply with privacy obligations that are substantially equivalent to those provided for by the EU legislation that we are required to comply with (through the use of standard contractual clauses, i.e. “SCC”, which are at least compliant with the text adopted by the European Commission, unless supplemented and/or amended in a way that is more favourable to the data subject).
In some cases of data transfer to cloud providers with registered office or having data centres outside the EU, such providers are subject to the regulatory powers of local public authorities and, in some situations, under foreign law, (in the USA: the Federal Trade Commission, Art. 702 of FISA - Foreign Intelligence Surveillance Act and the Executive Order EO 12333) the data importer may be required to communicate the transferred personal data in response to requests from public authorities in order to meet national security requirements (e.g. counterterrorism) or local law enforcement requirements (which may result in access to such data, of which the importer, under local law, may not have to give notice to the exporter and the data subject, who will therefore not be able to exercise the relevant rights that are normally recognised by the GDPR).
Therefore, in abstracto, we cannot exclude the risk that, in certain exceptional situations linked to the above-mentioned specific requirements, the foreign public authority may process such data without applying safeguards for the data subject that are substantially equivalent to those provided for by the GDPR.
However, in practice, the risk of the US public authority actually having an interest in applying local legislation to the data transferred appears to be reasonably negligible on the basis of the following circumstances:
i) the service of the exporter (Cesena Fiera S.p.A.) in favour of the data subjects whose data are processed by the importer and the consequent data processing have a limited object (the provision of trade fair services) and a limited purpose (the management of technical and organisational processes that are instrumental to the above-mentioned services and the fulfilment of legal obligations); the service does not involve publishing personal opinions, comments or similar information, nor does it involve making services or products available that could be used for activities against national security;
ii) the types of personal data transferred are limited (e.g. personal data, contact data, contractual data, administrative data); special categories of data are not transferred (e.g. data concerning political and religious opinions, biometric data); the categories of data subjects to which the data refer are limited (exhibitors, visitors, participants in the Events, buyers, journalists and speakers) and they concern operators belonging to product or economic categories that are not reasonably relevant with regard to national security purposes (e.g. tourism, wellness, machinery handling, sports activities, and so on).
As a result, Cesena Fiera S.p.A. believes that the SCC applied in the relationship with importers (especially in the USA) actually ensure that the rights of the data subjects are protected in a way that is substantially similar to that provided for by the GDPR, regardless of the application of any additional measures to the processing under consideration.
The adoption of additional contractual measures by Cesena Fiera S.p.A. towards the importers (e.g. obligations to communicate public access, the right to suspend or terminate the transfer and to terminate the contract with the importer, and similar measures), may be introduced at any time by the exporter as a result of any information that the EDPB – European Data Protection Board may provide to the operators following the ruling of the European Court of Justice (ECJ) of 17 July 2020, which declared the bilateral convention called “Privacy Shield” invalid in EU relations.
However, the transfer of data to the non-EU country takes place also because it is necessary to fulfil (i) a contract concluded between the data subject and Cesena Fiera S.p.A. and/or pre-contractual measures taken at the request of the data subject, or (ii) a contract stipulated between Cesena Fiera S.p.A. and another natural or legal person (e.g. our subsidiary, supplier, with registered office outside the EU, etc. in favour of the data subject.
Duration of processing
In the case of purposes sub 1 and/or 2, we process the data for 10 years from the date on which the contract is concluded (in the case of customers) or from the date on which the data subject’s data is collected (in the case of prospects).
In the case of purposes sub 3 and 4, we process the data for 10 years from the collection of the data subject’s data (in the case of customers and prospects).
We process the data for a period of 60 days, after each Event has ended, in the case of data made available at collection points for requests of assistance that visitors and exhibitors have made to us (including any insurance desk, Info points and First Aid).
We process the data contained in the promotional catalogue (printed and/or digital) of the individual Events for a maximum of 2 editions of the catalogue.
We process certification data concerning the Exhibitions/Events until the end of the certification process, and then until certification is complete.
Should a dispute arise between you and us, or between you and our third-party suppliers, we will only process the data for as long as it is necessary to safeguard our rights or those of the third-party suppliers, that is, until a final judgement has been issued and fully executed or an agreement has been made between the parties.
Data related to the drafting of invitation letters for consular visa applications (e.g. copy of passport, etc.) are processed for 3 months from the end of the individual Event to which they relate.
At the end of this maximum period, the personal data will either be destroyed or rendered completely anonymous.
Rights of the data subject
You have the right to:
- ask us to confirm whether or not personal data concerning the data subject is being processed and, in this case, to obtain access to such personal data and the following information: a) the purposes of processing; b) the categories of personal data concerned; c) the recipients or categories of recipients to whom the personal data have been or will be communicated, especially if they are recipients based in non-EU countries or international organisations; d) where possible, the retention period of the personal data or, if that is not possible, the criteria used to determine that period; e) the existence of the right of the data subject to request that the data controller rectify or erase the personal data concerning the data subject or restrict their processing, or to object to their processing; f) the right to lodge a complaint with a supervisory authority; g) if the data are not collected from the data subject, all available information as to their source; h) whether any automated decision-making, including profiling, takes place and, at least in such cases, meaningful information about the logic used as well as on the importance and expected consequences of such processing for the data subject.
- if personal data are transferred to a non-EU country or to an international organisation, the data subject has the right to be informed as to whether adequate safeguards are in place for the transfer of such data;
- request, and obtain without undue delay, to rectify inaccurate data; taking into account the purposes of processing, the integration of incomplete personal data, also by providing a supplementary statement;
- request the erasure of data if a) the personal data are no longer necessary with regard to the purposes for which they were collected or otherwise processed; b) the data subject withdraws the consent on which the processing is based and there is no other legal basis for processing the data; c) the data subject objects to the processing, and there is no overriding legitimate ground to proceed with the processing, or objects to processing carried out for direct marketing purposes (including profiling for the purpose of such direct marketing); d) the personal data have been unlawfully processed; e) the personal data must be erased in order to comply with a legal obligation under EU or Member State law to which the data controller is subject; f) the personal data have been collected in connection with the offer of the IT company to provide services.
- request that limitation of processing concerning you be applied in any of the following cases: a) the data subject questions the accuracy of the personal data, for the period necessary for the data controller to check whether the personal data are accurate; b) the processing is unlawful and the data subject objects to the erasure of such personal data and, instead, requests that their use be restricted; c) although the data controller no longer needs the personal data for processing purposes, they are necessary for the data subject
to verify, exercise or defend a right in court; d) the data subject has objected to data processing carried out for direct marketing purposes, while awaiting verification as to whether the legitimate reasons of the data controller prevail over those of the data subject:
- obtain from the data controller, upon request,
information on third-party recipients to whom the personal data have been transmitted;
-
at any time, withdraw consent to the processing of personal data, if previously given for one or more
specific purposes; it is also understood that this will not affect the lawfulness of the processing based on the consent given before it was withdrawn.
- receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and, if technically feasible, to have such data transmitted directly to another data controller without hindrance on our part, if the following (cumulative) conditions are met: a) data processing is based on the consent of the data subject for one or more specific purposes, or on a contract to which the data subject is a party and for the performance of which processing is necessary; and b) data is processed automatically (through software) – the overall right to so-called “
portability”. The exercise of the so-called right to data portability will not affect the above-mentioned right to erasure;
-
not be subject to a
decision that is based solely on automated processing, including profiling,
which produces legal effects that concern the data subject or significantly affect the latter in a similar way.
- lodge a
complaint with the competent supervisory authority under the GDPR (that of its place of residence
or domicile); in Italy, it is the Garante della protezione dei dati personali (Italian Personal Data Protection Authority).
You can exercise your rights by writing to the Data Controller, which is Cesena Fiera S.p.A., with registered office in Via Dismano, 3845 — 47522 Pievesestina di Cesena (Italy), e-mail address: privacy@macfrut.com.
(The company’s Legal Representative or the organisation’s Representative undertakes to make this Privacy Policy available also to other data subjects belonging to the company or the organisation itself and whose data he/she declares to provide legitimately. Likewise, the consent given for the purposes set out in point 5 by the company’s Legal Representative or by the organisation’s Representative, is understood
to be extended also to other data subjects belonging to the company or the organisation itself for whom the Representative declares to legitimately provide the relevant data.
Macfrut Customer-Prospect privacy policy - Rev.1 - 30.03.2021