1Index Communications Meeting Services Ltd’s Privacy Policy,
updated for the GDPR May 2018
Background as provided by the Information Commissioner’s Office (ICO)


The European Union’s GDPR is a new set of regulations intended to give the power back into the hands of EU citizens over how their data is processed and used. EU citizens will be able to request that businesses delete their personal data if required.

The new regulations come into force from 25th May 2018.

Under the GDPR, the data protection principles set out the main responsibilities for organisations.
Article 5 of the GDPR requires that personal data shall be:
a) processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.” 


Article 5(2) requires that:
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
Index Communications Meeting Services Ltd and GDPR
Index is an established data controller, registered with the Information Commissioner reference
Z7263558.
The protection of individuals’ privacy has always been key to our principles, our office systems and our data management.
2) This Privacy Policy sets out how we receive, collect and store contact data and how individuals can
control that information. In the name of good governance, we will be handling data relating to all
citizens with the same rights as those from the EU.
To ensure continued compliance with data protection and privacy laws, we may update this Privacy
Policy from time to time. The latest version will always be available on our company website at
www.indexcommunications.com

Meeting the Requirements of Article 5 (as set out above):
Article 5 of the GDPR requires that personal data shall be Index confirmation: 

a) processed lawfully, fairly and in a transparent manner in relation to individuals; All data is processed lawfully, fairly and in a transparent manner

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; All data is collected for specific purposes relating to individuals’ interest in attending (or attendance at) events with which we are involved; contact data is never released to third parties

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
The data that we hold for data subjects is provided by them for the purposes of informing them about events or booking them into an event. It is limited in nature to name, address, contact telephone numbers, dietary preferences, choices relating to programmes and payment information. We hold no other personal data
d) accurate and, where necessary, kept up to date; Where we are notified of a death, retirement or change of interest area, contacts are removed from our forward-looking systems (ie for future events) to avoid them or their families receiving future contact; we do not delete financial records less than 6 years old which are required
for archived accounts purposes; these may reflect bookings and transactions from an individual who has been removed from our contact databases

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; By way of good practice, we enable attendees to opt out of hearing about future events at the booking stage and at any time. Our storage and publicity methodology enables us to pinpoint and manage details of 3 a data subject quickly, to make any required change promptly

f) processed in a manner that ensures appropriate security of the personal data Booking data (including financial
aspects) is encrypted and held securely. Contact databases for future events are held on a secure server which is professionally managed Our lawful basis for processing data:

Index works on the basis of this lawful basis:
1   Consent: the individual has given clear consent for you to process their personal data for
a specific purpose.” This is because we are receiving data from data subjects who wish to express an interest in an event or who book to attend. By providing their data they are requiring us to process it in order to provide
them with the information – or the booking – that they require.

2  What type of information is collected?
We collect name, organisation, contact information, dietary requirements and preferences of
activities on offer. This does not include an individuals’ IP address or details of their pathway through our websites. If this kind of data collection becomes important in the future and we implement software to capture this information, we will revise this Policy.
We do not store/have any requirement for personal information about family members, criminal convictions, vehicle or travel patterns. All information that we receive, store, process and manage has been received from the individuals.

3  How is contact data used?
To inform relevant potential delegates (who have expressed an interest or attended before) about a
forthcoming event.
To process and manage their booking to attend an event.
To collect feedback after an event about their experience.
Who has access to the data subjects’ data?
We never sell or rent data subjects’ contact data to third parties for any reason whatsoever.
At events, simple outline delegate lists are produced by way of summarising who is present. This
does not contain any contact information: simply names. Delegates can opt out of being listed,
when they make their booking.
When using our booking software, the purchase is processed by a specialist third party payment
processor, which specialises in global events. The system is totally encrypted such that staff do not
have sight of the financial details.
Internally, all Index staff have been trained and are aware of our strict data protocols.

4   How do data subjects opt out?
There is always a choice about whether or not to receive information from us. Only those who have
opted in receive information which is targeted and relevant to them.
All contact from Index includes instructions on how to Unsubscribe at any time.

5  Accuracy
The accuracy of contact information is important to us, to reduce wastage in what we do. We
therefore urge all contacts to keep us informed of changes to E-Mail addresses (our main channel of
communication).
6  Links to other websites
Many of our websites contain links to other website run by other organisations. This Privacy Policy
applies only to Index’s operation and protocols, so we urge all data subjects to read the privacy statements/policies on the other sites that you visit. We cannot be responsible for the privacy
policies and practices of other sites even if you access them using links from our websites.
Checklist of compliance with GDPR
We have reviewed the purposes of our processing activities, and selected the most appropriate lawful basis for each activity.
 We have checked that the processing is necessary for the relevant purpose, and are satisfied that there is no other reasonable way to achieve that purpose.
We have documented our decision on which lawful basis applies to help us demonstrate compliance.
We have included information about both the purposes of the processing and the lawful basis for the processing in our privacy notice.
 We do not process special category data
 We do not process criminal offence data
We keep this Privacy Policy under review. This Privacy Policy was last updated in May 2018 to check compliance with the forthcoming implementation of new GDPR rules.