Occasionally, legitimate interests mentioned in this policy may take precedence over the routine protection of your personal data. If you have any question about how or when such an interest affects how your personal information is treated, you may contact our Data Protection Office. Our websites and online services are normally designed for individuals who are at least 18 years of age.
2. WHEN WE DISCLOSE YOUR INFORMATION
IIR does not regularly provide your PII to third parties. We do not “sell” or “rent” your PII
as provided to us. We may disclose your PII to third parties as follows:
- To process the data for the purposes disclosed in this policy
- When we have your specific consent or authorization to do so
- To third parties who work on our behalf to provide technical services or operations (e.g., printing materials for an event or seminar)
- To third parties providing services to us who have a need to access your information, such as professional service providers (e.g., auditors and lawyers) or those providing venues for our events
- To comply with applicable laws; protect rights, safety, and property; and respond to lawful requests from public authorities (such as disclosing data in appropriate situations for national security or law enforcement purposes)
We may share information with our organizational participants about how their employees use the sites and the resources available to them through the sites (e.g., how employees used certain features of the sites, utilization trends, which features were most popular with the member’s employees). If any information is shared, IIR will require the third party to provide the same or equal protection of your information, as is required by this policy.
3. RETENTION PERIODS
We will retain your PII for as long as required to perform the purposes for which the data was
collected, depending on the legal basis for which that data was obtained and/or whether additional
legal/regulatory obligations mandate that we retain your personal information. We also may retain
personal information for the period during which a claim may be made in relation to our dealings
In general terms, this will mean that your personal data will be kept for the duration of our relationship with you or a time period required by our clients and:
- The period required by laws, regulations, or audit requirements.
- As long as is necessary for you to be able to bring a claim against us and for us to be able to defend ourselves against any legal claims. This will generally be the length of the relationship plus the length of any applicable statutory limitation period under applicable laws.
Any information that has been anonymized or aggregated, as well as raw data, also may be kept for such time as the information is of value to IIR.
4. CHOICES ABOUT YOUR INFORMATION
We believe it is important to give you choices about the use of your PII. We will use your PII as
described in this Notice (or any other event- or service-specific privacy notice). If we want to use
your information for a purpose not described in this Notice and not previously consented to, we
will first get your consent to do so. As previously noted, anonymized or aggregated information
does not constitute PII.
We will respect your wishes not to receive marketing communications from us. (“Marketing communications,” as used by IIR, means advising you of upcoming events, webinars, new apps related to our ongoing operations, and similar communications.) Marketing communications are done primarily through email.
If you have previously given us your email address to receive marketing communications, you can withdraw your permission at any time by using the “unsubscribe” links or instructions included at the bottom of our emails. If you receive marketing communications through a method other than email, you can withdraw your permission by following the instructions provided with that method.
Please note that as long as you continue to use our managed apps, access our managed websites or social media pages, or otherwise utilize our IIR services, we will continue to send you service-related communications regardless of any withdraw request.
As a nonprofit company, we will not sell your personal information. We will not share your personal information with third parties (other than our clients or subcontractors working on our behalf) unless you give us specific consent to do so and where sharing is permitted by applicable law or we are otherwise required to do so by law or regulation.
5. DATA SUBJECT RIGHTS
You have certain rights, in certain circumstances, in relation to your PII. A summary of each right
and how an individual can take steps to exercise it is set out further in this section. If you wish to exercise any of
these rights, please contact us using the contact details specified in the “How to Contact Us” section of this Notice for the Data
Protection Office. Such requests should include appropriate identity verification information
(such as your name, address, email address, or other information reasonably required).
Where we receive a request to exercise one of these rights, we shall provide information on the action we take on the request without undue delay and usually within one month of receipt of the request. This may be extended in certain circumstances, e.g., where requests are complex or numerous.
The information may be provided free of charge, except where requests are manifestly unfounded or excessive, in particular, because of their repetitive character. In these circumstances, we may charge a reasonable fee or refuse to act on the request. We will advise you of any fees prior to proceeding with a request.
We may ask for additional information to verify your identity before carrying out a request.
Where we do not carry out a request, we shall inform you without delay and within one month of receipt of the request and provide our reasons for not taking the action requested.
You have the right to access PII that we hold about you, as well as to be provided with a copy of the PII (in most circumstances). You also have the right to correct any information that we may hold about you that is inaccurate.
You have the right to ask us to restrict the processing of your personal data where one of the following applies:
- Your data could be destroyed, but you may ask us to restrict use of the data instead of deleting it and provide specifics supporting the reason for your request.
- You are contesting the accuracy of your personal data. Where you contest the accuracy of your personal data, the restriction will apply until we have verified the accuracy or corrected your personal data or have anonymized the data.
- We no longer require the personal data for the purposes of processing, but you have requested in writing that we keep it in connection with a specified legal claim.
- You maintain that we have no basis to process your data, and you object to the processing of your data by providing us with a legitimate specific basis for your objection. The restriction will apply until we have taken steps to verify whether we have legitimate grounds to continue processing.
You have the right to ask us to delete your personal information. However, in certain circumstances, there are certain exceptions where we may refuse your request for deletion (e.g., where the personal data is required to comply with an active legal obligation or for the establishment, exercise, or defense of legal claims).
You may object to the processing of your personal data in cases where we have used legitimate interests as the basis for processing. In such cases, we will stop processing your personal data until we verify that we have legitimate grounds for processing that outweigh your interests, rights, and freedoms in asking us to stop processing the data or, in limited cases, where we need to continue processing the data for the establishment, exercise, or defense of legal claims.
In most cases, you have the right to receive all personal data that you have provided to us in a structured, commonly used, and machine-readable format and to transmit this data to another data controller, where technically feasible.
In some jurisdictions, if you object to our processing of your personal data, you have a right to complain to the data protection authority in the jurisdiction where you reside and/or work or where an alleged infringement of data protection laws has taken place. We request that you first attempt to resolve your issue with us if at all possible.
We have implemented administrative, technical, and physical security measures to help prevent unauthorized access or attempts to harm the information system(s). IIR complies with generally accepted industry or other applicable standards for security. IIR operates in a secure facility protected from external intrusion and utilizes secure internal and external safeguards against network intrusions. IIR has in place privacy and security safeguards/controls to protect the security and confidentiality of PII and records. Despite these measures, no data transmission over the Internet can be entirely secure, and we cannot and do not guarantee or warrant the security of any information you transmit via our websites or apps. Please note that you are responsible for maintaining the security of your credentials used to access any IIR service or account, and we request that you immediately report to us any suspected or confirmed unauthorized activity involving IIR services or accounts. We make efforts to restrict access to information to only those employees, contractors, and agents who need such access to operate, develop, improve, or deliver our programs, products, and services.
7. COOKIES AND SIMILAR TECHNOLOGIES
A cookie is a small text file that includes a unique identifier that is sent by a Web server to the browser on your computer, mobile phone, or any other Internet-enabled device when you visit an online site. Cookies and similar technologies are widely used to make websites work efficiently and to collect information about your online preferences. For simplicity, we refer to all of these technologies as “cookies.” IIR collects session-related cookies. By collecting this information, we learn how to best tailor our sites for our users and to analyze how our managed sites are being used. We will advise you should we utilize cookies at IIR-managed sites for any purpose not related to improving services provided to our users or otherwise in a manner not discussed in this Notice.