Lux Events Privacy & Data Policy

March 2024

The type of personal information we collect

We ask participants to register for an event via an online system in order to process their registration effectively. We will need to collect and use certain aspects of your personal information to progress your registration.

When registering for an event we may collect and process personal identifiers such as your name, your email address, the name of your organisation, work address, your job title, your phone number, dietary requirements and access requirements.

How we get the personal information and why we have it

Event-related

The personal information we process is provided to us directly by you when you register for an event.

We also receive personal information indirectly, e.g. from our client when we are marketing the event on their behalf, from a friend/colleague who recommends you attend the event, from social media or from partner events.

We use the information that you have given us in order to communicate with you regarding the event, and we also pass it on to the relevant third-party suppliers who require certain information to plan your attendance at the event.

We may share your information (name, special dietary requirements) with venues and/or catering who require these specific details.

Under the UK General Data Protection Regulation (UK GDPR), the lawful bases we rely on for processing this information are:

(a) Your consent. You are able to remove your consent at any time. You can do this by contacting hello@luxevents.co.uk

(b) We have a contractual obligation.

(c) We have a legal obligation.

(d) We have a vital interest.

(e) We need it to perform a public task.

(f) We have a legitimate interest.

Website-related

When you visit our website, we automatically collect certain information about your device, including information about your web browser, IP address, time zone, and some of the cookies that are installed on your device. Additionally, as you browse the site, we collect information about the individual web pages or products that you view, what websites or search terms referred you to the site, and information about how you interact with the Site.

We collect Device Information using the following technologies:

- “Cookies” are data files that are placed on your device or computer and often include an anonymous unique identifier. For more information about cookies, and how to disable cookies, visit http://www.allaboutcookies.org.

- “Log files” track actions occurring on the Site, and collect data including your IP address, browser type, Internet service provider, referring/exit pages, and date/time stamps.

- “Web beacons”, “tags”, and “pixels” are electronic files used to record information about how you browse the Site.

How we store your personal information

Your information is securely stored in Dropbox for Business.

Dropbox for Business is owned by an organisation called Dropbox Inc., which is based in the USA, so your personal data may be transferred outwith the EEA. Such transfers of personal data to the USA will be made pursuant to the EU-US and Swiss-US Privacy Shield Frameworks under which Dropbox for Business is certified.

We will keep your personal information for as long as we hold the event management contract. Data may then be passed on to our client. If not, it will be destroyed securely by us within 6 months.

Data protection principles

The security and management of data is important to ensure that we can function effectively and successfully for the benefit of our clients and customers.

We are committed to upholding the GDPR data protection principles and all personal data under our control will be processed in accordance with these principles.

Data collection processes will be regularly reviewed to ensure that personal data collected and processed is kept to a minimum. We will keep the personal data that we collect, use and share to the minimum amount required to be adequate for its purpose.

We will retain personal data only for as long as it is necessary to meet its purpose. Our approach to retaining and erasing data no longer required will be specified in the retention policy and schedule – as agreed with each client.

All personal data will be:

  1. processed in a lawful, fair and transparent manner.

  2. collected only for specific, explicit and limited purposes (‘purpose limitation’).

  3. adequate, relevant and not excessive (‘data minimisation’).

  4. accurate and kept up-to-date where necessary.

  5. kept for no longer than necessary (‘retention’).

  6. handled with appropriate security and confidentiality.

Lawful processing

All processing of personal data must meet one of the six lawful bases defined in Article 6(2) of the GDPR:

  1. Where we have the consent of the data subject

  2. Where it is in our legitimate interests and this is not overridden by the rights and freedoms of the data subject.

  3. Where necessary to meet a legal obligation.

  4. Where necessary to fulfil a contract, or pre-contractual obligations.

  5. Where we are protecting someone’s vital interests.

  6. Where we are fulfilling a public task, or acting under official authority.

Any special category data (sensitive types of personal data as defined in Article 9(1) of the GDPR) must further be processed only in line with one of the conditions specified in Article 9(2).

Where processing is based on consent, the data subject has the option to easily withdraw their consent. Where electronic direct marketing communications are being sent, the recipient should have the option to opt-out in each communication sent, and this choice should be recognised and adhered to by us.

Data minimisation and control

Data collection processes will be regularly reviewed to ensure that personal data collected and processed is kept to a minimum. We will keep the personal data that we collect, use and share to the minimum amount required to be adequate for its purpose. Where we do not have a legal obligation to retain some personal data, we will consider whether there is a business need to hold it.

We will retain personal data only for as long as it is necessary to meet its purpose. Our approach to retaining and erasing data no longer required will be specified in the retention policy and schedule. This schedule will be reviewed annually. In the case of sharing personal data with any third party, only the data that is necessary to fulfil the purpose of sharing will be disclosed.

Security

We shall ensure:

  • Personal data is stored securely using modern software that is kept up-to-date.

  • Access to personal data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorised sharing of information.

  • When personal data is deleted, this should be done safely such that the data is irrecoverable.

  • Appropriate back-up and disaster recovery solutions shall be in place.

Breach

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, we shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the ICO. Lux are members of the ICO.

Main points

To help protect people’s personal data we:

  • Always treat people’s personal information with integrity and confidentiality

  • Know what the data protection principles are and apply them

  • Stay alert to cyberattacks and report suspicious emails or calls

  • Report losses of data or devices as soon as possible

  • Take care to use the ‘bcc’ option for bulk emailing

  • Ensure personal devices have appropriate security measures if using them for work-related activity

Your data protection rights

Under data protection law, you have rights including:

Your right of access - You have the right to ask us for copies of your personal information.

Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.

Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances.

Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Please contact us at hello@luxevents.co.uk or 41 Craighouse Gardens Edinburgh EH10 5LR if you wish to make a request.

Photography/Videography at Events

Photographs and/or video recordings including images of you may be used both internally and externally to showcase the event online and also promote forthcoming events. These images could be used in print and digital media formats including print publications, websites, email communication and social media. If you do not want your images to be used you must contact us ahead of the event at hello@luxevents.co.uk

Networking at Events

To help facilitate networking at events we may share a delegate list with all attendees - this will include your name and organisation, no other personal information. When using an event app you will have the opportunity to upload personal information directly should you wish to be contacted by other delegates.

Registration processing platforms

Depending on the event, we use the following platforms for registration, networking, event apps etc.

B2Match Privacy Policy | Data

Formsite Privacy Policy | Terms of Service

Eventbrite Privacy Policy | Terms and Policies

Cvent Privacy Policy | Security

How to complain

If you have any concerns about our use of your personal information, you can make a complaint to us at hello@luxevents.co.uk

You can also complain to the ICO if you are unhappy with how we have used your data.

The ICO’s address:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk

Our contact details

Name: Lux Events

Registered Address: 41 Craighouse Gardens, Edinburgh EH10 5LR

E-mail: hello@luxevents.co.uk