Privacy Notice regarding the processing of personal data included in ICE Virtual
Dear Partner, dear Operator,
Below we provide you with some information that is important to communicate not only in
order to comply with legal obligations, but also because transparency and fairness towards
data subjects are a fundamental part of this Public Administration.
ICE Agency, in compliance with the principles established by EU Regulation 2016/679
concerning the protection of individuals with regard to the processing and free movement of
personal data, offers users the opportunity to consult or use Virtual Services (as defined
below) by interacting with their own Virtual Platform (as defined below).
In order to ensure that processing is carried out in accordance with European Data
Protection Law, ICE Agency, as data controller, provides data subjects with the following
notice pursuant to Article 13 of the General Data Protection Regulation (GDPR), highlighting
the information regarding the processing of personal data carried out by ICE Agency.
This notice only concerns data processing carried out on or through the Virtual Platform
(which can be accessed at www.ice.it, the homepage of ICE Agency’s official website), as
better defined below, and on websites created by the Virtual Platform.
According to the circumstances, data may be processed by one or more of the following
parties (as better defined below):
ICE – Agency;
Managers of Virtual Exhibition Centers, Virtual Meeting Rooms, or E-learning Platforms;
Virtual Trade Fair Organizers;
Organizers of Events/Meetings/Virtual Missions;
E-learning Service Organizers;
Visitors of Virtual Fair Events.
The contents of this privacy notice constitute, as far as compatible, an integration of the
In case of conflict between the notice’s respective provisions with regard to Virtual Services
(as defined below), this privacy notice shall prevail.
Joining the Virtual Platform does not in itself ensure compliance with the GDPR, national
legislation, the provisions of the Italian Data Protection Authority, or European Data
Protection Board guidelines, which the members of the Virtual Platform are nevertheless
required to respect autonomously whenever they process data in the capacity of data
In the event that ICE Agency acts as data controller in processing data related to Virtual
Services, ICE is responsible for the privacy notice. In the event that ICE acts as data
processor—that is, on behalf of third parties—for data relating to Virtual Services, the third-
party controller bears sole responsibility for communicating the information in this notice to
data subjects, and ICE Agency therefore assumes no responsibility in this regard, unless
otherwise agreed in writing with the controller case by case. In particular, in the case of any
agreement with the third-party data controller, ICE undertakes only to post a privacy notice
online, which is to be prepared and provided by the third-party controller and under their
Without prejudice to the foregoing, the Virtual Platform allows each Third-Party Organizer
as defined below to independently submit the necessary privacy policies provided for by the
GDPR, including one for each Virtual Trade Fair or other Virtual Service.
Further information on the Virtual Platform’s functions and the processing of personal data
connected to it can be found in the document called Utenze e dati Piattaforma ICE ver. 1.0
21.07.2020 (ICE Platform Users and Data ver. 1.0 21.07.2020).
Without prejudice to the definitions contained in Article 4 of the GDPR, to which reference
is expressly made, nor to the definitions contained in Legislative Decree 196/2003, as
amended by Legislative Decree 101/2018, we use the following terms and definitions for the
purposes of Virtual Services:
Trade fair activities: the collective parties and activities that promote or contribute to
promoting the products and services of Exhibitors through the organization of Trade
Fairs. These exhibition events can also assume the characteristics of a conference or
convention; in this case, the event is aimed at building, spreading, and refining
knowledge in specific professional and cultural spheres (the Conference).
Marketing activities: marketing or monitoring activities for marketing purposes (e.g.,
integration with direct email marketing services (DEM), tracking systems such as Google
Analytics, etc.), as well as the consequent personal data processing that can be
configured independently from the Virtual Platform and on the basis of dedicated
configurations from time to time on the site of the Virtual Trade Fair or in relation to
another Virtual Service by the Third-Party Organizer.
Exhibitor: someone who is granted exhibition space on the Virtual Platform (and related
technical services) or advertising space to promote/exhibit products or services during
the Virtual Trade Fair.
Virtual Trade Fair: a periodic event and/or exhibition delivered through the Virtual
Platform, in which products/services are presented to the public in order to sell or
In addition to its own back-end administration, the Virtual Platform provides a website
for each Virtual Trade Fair via a dedicated URL (e.g., eventname.ice.it or
Virtual Conference: a conference or convention delivered through the Virtual Platform.
Supplier: an entity other than ICE that provides products or services needed to realize
the Virtual Trade Fair (for example, setting up virtual stands and virtual reception
services, hiring various virtual services and IT services in general).
Virtual Exhibition Center Manager: the party—ICE—that manages a Virtual Exhibition
Center owned by ICE, ensuring its ordinary and extraordinary maintenance and seeing
to its promotion, improvement, and economic optimization. The Virtual Exhibition Center
Manager can also assume the role of Virtual Fair Organizer or host of Virtual Trade Fairs
organized by third parties.
Virtual Meeting/Mission Manager: the party—ICE—that manages the Virtual Meeting
Rooms owned by ICE, ensuring their ordinary and extraordinary maintenance and
seeing to their promotion, improvement, and economic optimization. The Virtual
Meeting/Mission Manager can also assume the role of Virtual Meeting/Mission
Organizer or host of Virtual Meetings/Missions organized by third parties.
E-learning Platform Manager: the party—ICE—that manages the E-learning Platform,
ensuring its ordinary and extraordinary maintenance and seeing to its promotion,
improvement, and economic optimization. The E-learning Platform Manager can also
assume the role of E-learning Service Organizer or host of E-learning Services
organized by third parties.
Virtual Meetings: B2B and B2C meetings initiated and conducted on or through the
Operators: parties, other than Users and Partners, who use Virtual Services.
Virtual Trade Fair Organizer: someone who owns a trademark associated with a
Virtual Trade Fair, which is prepared by the Virtual Trade Fair Organizer, including
through third parties, within or outside the EU.
Virtual Meeting/Mission Organizer: someone who receives Virtual Services on the
ICE Virtual Platform and/or through ICE to organize their own Virtual Meetings/Missions.
E-learning Service Organizer: someone who receives Virtual Services on the ICE
Virtual Platform and/or through ICE to organize their own E-learning Services.
Third-Party Organizer: someone who is granted space and/or Virtual Services on the
ICE Virtual Platform and/or through ICE to organize their own Virtual Trade Fairs, Virtual
Meetings/Missions, or E-learning Services.
Virtual Missions: foreign B2B and B2C missions initiated and conducted on or through
the Virtual Platform.
Partners: parties, other than Operators, who have an agreement with ICE to use Virtual
Services through the Virtual Platform or manage them on their own.
Virtual Platform: the set of technical features made available as SaaS-IaaS from or
through the ICE website (www.ice.it) for the provision of individual Virtual Services.
Prospects: parties–including potential Users, Operators, and Partners–who have
expressed a concrete interest in a Virtual Service (e.g., a Virtual Trade Fair) or in another
service or product from ICE and/or its Partners by requesting commercial contact or
information, registering for a Virtual Event, or sending their business card, without then
subscribing to the Virtual Service or purchasing the service or product; journalists.
Virtual Exhibition Center: a permanent digital structure (Virtual Platform) owned by
ICE and/or its suppliers used mainly to host Virtual Trade Fairs managed by ICE or by
third party Trade Fair Organizers. The Virtual Exhibition Center may also include virtual
spaces for conferences and conventions (Virtual Conference Venues).
Virtual Services: services provided by or through the Virtual Platform.
E-learning Service: the e-learning service provided from time to time by or through the
Users: natural persons who use Virtual Services provided by the Managers of Virtual
Exhibition Centers, and/or Virtual Meetings, or E-learning Services, or by the
Visitors: natural persons who visit the Virtual Trade Fair with the aim of acquiring
information, making purchases, participating in side events (e.g., competitions,
championships), or getting in touch with Exhibitors. They include those who access the
Virtual Trade Fair for professional purposes (Trade Visitors), as well as speakers and
conference participants (commonly understood as those taking part in a conference,
convention, workshop, or seminar).
Virtual Services refer to the following services made available by ICE Agency and/or its
subcontractors on or through the Virtual Platform:
Virtual Meetings/Missions (B2B, B2C)
as better described respectively in the General Conditions for the Provision of Virtual
Services, which can be viewed at the following link:
https://ice.it/servizivirtuali/condizionigenerali/ and/or in the ICE Service Catalogue.
Videoconferencing and collaboration services
Some Virtual Services use high definition videoconferencing tools (e.g., for the purposes of
virtual B2B or B2C meetings) moderated by ICE staff and/or third-party Partners (e.g., trade
fair organizations, consortia, training companies, etc.) and/or video collaboration (e.g., chat)
by third-party Suppliers. Please, refer to the section entitled ‘Will you transfer data to non-
EU countries?’ below for further information.
Virtual Services legal and economic conditions
Virtual Services are provided in accordance with the General Conditions for the Provision of
ICE Virtual Services, which can be viewed at the following link:
Purpose and lawful basis for processing
ICE Agency processes personal data for the purposes of performing its institutional and
public tasks and consequently fulfilling its obligations (including providing, supporting, and
updating Virtual Services) as set out by contract, law, regulation, or any other legislation
applicable to ICE.
Data may also be processed to implement pre-contractual measures (usually in response
to the data subject’s request for information, documents, advice, or support).
The potential purposes mentioned above include, from a technical perspective:
(i) managing the website www.ice.it and the security features of Virtual Services;
(ii) generating reports on operations carried out and sharing these reports with ICE’s
third-party partners (e.g., suppliers offering products or services through this Site)
for information purposes;
(iii) implementing measures to prevent digital fraud relating to ongoing transactions
between ICE and users and/or third parties, or between an Organizer and users,
operators, and/or third parties.
Data will not be used for any purposes other than those described in this notice without prior
notification and, where necessary, your consent.
Processing is carried out under the following lawful bases:
1. Processing is necessary for the performance of tasks which ICE Agency carries out in
the public interest (Article 6(1)(e), GDPR).
2. Processing is necessary for the conclusion and/or performance of a contract or the
implementation of pre-contractual measures taken at the data subject’s request (Article
3. Processing is necessary for compliance with legal obligations to which the data controller
is subject, e.g., obligations of a legal (accounting, tax) or regulatory nature,
implementation of measures adopted by judicial or administrative authorities (Article
Personal data which is collected in ICE Agency’s Centralized Database (CDB) may also be
used as part of its institutional activity and therefore to promote and develop trade of your
product and/or service abroad, as provided for in Article 14, Paragraph 20 in the Italian
Legislative Decree 98/11, converted into Law 111/11, as replaced by Article 22, Paragraph
6 of Legislative Decree 201/11, converted into Law 214/11. Your data may, therefore, be
used to send proposals for participation in other initiatives organized by ICE Agency such
as fairs, workshops, seminars, training courses, etc., and used to evaluate customer
satisfaction and carry out other surveys relating to ICE Agency’s institutional and public
In the case of commercial proposals sent to parties who have not already used the services
provided by ICE Agency, the lawful basis for any processing is the institutional task of public
interest, which ICE Agency carries out as data controller.
You reserve the right to object to the sending of such communications at any time, but your
objection will not affect the lawfulness of any processing previously carried out.
Categories of data subjects
The provisions of the GDPR apply only to the processing of data relating to identified or
identifiable natural persons (‘you’ or the ‘data subject’). Virtual trade fair activities involve
processing the personal information of data subjects encompassing:
Exhibitors (meaning those who have already had a contractual relationship in the past
for any reason with an Organizer of Trade Fairs, either physical or virtual) and their staff;
Prospects and their staff;
Third-Party Managers and Organizers of Virtual Trade Fairs, Virtual Meetings (B2B and
B2C), and E-learning Services, and their staff;
Visitors, including trade visitors;
What types of data are processed?
As a rule, it is possible to visit the Virtual Services webpage without providing any personal
In some circumstances, the Virtual Platform may require users to provide personal
In the context of the purposes and methods described in this notice, processing operations
1) navigation data;
2) data relating to subscriptions/registrations to the Virtual Platform or Virtual
Services, necessary for managing relations with ICE, including fulfilling requests
for information or contact, orders with payment, or the provision of a Virtual
3) data necessary or useful for effective corporate communications on ICE’s part;
4) data necessary or useful for fulfilling legal, regulatory, or contractual obligations.
In the case of journalists: name and surname, contact details, sector and newspaper,
country of origin, language.
The categories of data processed under 2, 3 and 4 include:
a) personal data, inter alia, identifiers and personal details (e.g., name, surname, place and
date of birth), name of the personally-managed company or partnership, names of
shareholders and directors, business role (e.g., professional title, job description,
responsibility level), telephone/fax/email contact details, geographical position (e.g.,
residence, domicile, registered office, country of origin), education and culture (e.g.,
academic qualifications, professional certifications), contact language, tax data (tax
identification number, VAT number), addresses and shipping and/or billing data;
b) data of various kinds, inter alia: company name, company details (e.g., registered office,
AER), data on economic activity (e.g., the type of goods and services offered by an Operator
using Virtual Services, their ATECO code, turnover, number of employees, target countries
of their business activities, countries in which the Operator is present, goods and services
of current and/or potential interest to the Operator, channels of distribution, project budgets,
data on participation in initiatives promoted by ICE, data on public funding).
In the event that Virtual Services entail Virtual Events organized and/or managed by third-
party Partners, the latter can independently request further information from data subjects
(e.g., Operators, Visitors); if the data collection requires a privacy notice other than ICE’s,
the third-party Partners will communicate this additional privacy notice independently via the
Virtual Platform or through separate means which they manage independently.
In some cases, if you are a customer or a prospect, we merge the data you provide us with
additional personal information obtained during your navigation on our websites, through the
use of services provided by these sites (e.g., cookies relating to pages of our website that
you have visited or the country from which you connect), via other communication channels
(e.g., social media), or through mass email marketing services (e.g., which messages you
have received, which emails you have opened, which offers you accepted through specific
actions such as opening an attachment or responding to our request to link to landing pages
or email attachments, etc.).
As a rule, the performance of Virtual Services does not involve processing special categories
of data as per Article 9(1) of the GDPR, except for data necessary or important for the
provision of Virtual Services specifically dedicated to people with disabilities, or for managing
the participation of institutional representatives occupying political, trade union, or religious
offices in Virtual Events.
The information of data subjects, which is processed in the context of Virtual Services, can
be drawn from one or more of the following three general types of databases at any one
a) the ICE database (e.g., national operators database, foreign operators database,
b) the database of a third-party Partner affiliated with ICE, Virtual Service user;
c) the database of an Operator, either Italian or foreign, when using the Virtual Services
for various reasons.
We collect your personal data: i) through online or paper forms, or pre-registration or
participation applications completed by you and/or acquired by third parties authorized by
us; ii) through mobile devices like tablets and smartphones present at events organized by
ICE Agency and/or its Partners, or iii) by a business card you have given us.
For Virtual Events/Meetings/Missions which require the creation of your virtual photo
identification card for security for safety or user identification purposes, a photo of you can
be collected through the online registration forms or a remote photo session (via the webcam
on your PC, laptop, tablet, or smartphone) held by the Videoconferencing Service Providers
associated with the Virtual Platform.
Data may also be collected from publicly accessible sources (e.g., personal, fiscal,
economic, and contact details can be found on the internet, the business register at the
Chamber of Commerce, or websites of foreign trade fairs), pursuant to Article 14 of the
GDPR. In the case of Virtual Events organized or hosted on the Virtual Platform by third-
party Partners who act as independent data controllers, the data may also be collected
through third-party Partners.
Obligation/Option to provide data and consequences of failure to provide such data
The provision of information, personal or otherwise, marked as mandatory on the ICE
Service Order Form or on other ICE forms for joining Virtual Services is essential for using
Virtual Services; any refusal to provide such information precludes the possibility of using
The provision of information, personal or otherwise, marked as optional on the ICE Service
Order Form or the other aforementioned ICE forms is aimed exclusively at the possibility of
offering you a personalized service tailored to context, preferences, or interests identified
based on your economic activity (this usually does not constitute personal information—e.g.,
turnover, company type, ATECO code, export data, etc.).
In the case of data processing for direct marketing purposes carried out by ICE Agency’s
third-party Partners, the data subject must freely consent to the processing, and failure to
provide consent will preclude the possibility of processing the data for this purpose, without
prejudice to the data subject’s right to obtain any services or products that may have been
ordered from ICE. ‘Direct marketing’ here refers to marketing to Customers and Prospects
by ICE Agency’s Partners: i) through communication channels other than email and text
and/or instant messages; ii) otherwise in relation to services or products unlike those you
have already purchased from the aforementioned Partners; or, iii) in relation to services or
products which the aforementioned third-party Partners have never previously proposed to
you nor discussed with you (in which case you would be viewed as a ‘lead’ by the Partners).
Who are the Data Controller and the Data Protection Officer?
The Data Controller is the ICE Agency for the Promotion and Internationalization of Italian
Companies Abroad, based at Via Liszt, 21, 00144, Rome, Tel. 06 59921 (‘ICE Agency’).
The ICE Data Protection Officer can be contacted at the email address firstname.lastname@example.org.
Further information on the privacy responsibilities of the parties involved in various
capacities in data processing through the Virtual Platform can be found in the chapter
‘Determination of privacy roles’ below.
What privacy responsibilities are envisaged in the context of processing operations?
Each of the participating parties can take on a different role in processing personal data,
depending on the tasks undertaken in the context of Virtual Services, as follows.
The Organizer of Virtual Trade Fairs, Virtual Meetings/Missions, or E-learning Services is
the data controller for all personal information necessary to realize the Events themselves.
The Manager of the Virtual Exhibition Center, the Virtual Meeting Room, and/or the E-
learning Platform is, in any case, the data controller for all personal information necessary
ensure the ordinary and extraordinary maintenance of the Virtual Exhibition Center,
Virtual Meeting Room, or E-learning Platform;
protect the security and integrity of the Virtual Service as well as the associated Virtual
ensure the technical progress of the Virtual Services’ supporting infrastructure;
promote the use of Virtual Services among Customers and/or Prospects;
ensure compliance with the regulations applicable to the Virtual Platform, where they
are not the sole responsibility of third parties.
The Manager of the Virtual Exhibition Center, Virtual Meetings/Missions, or E-Learning
Platform is data processor if processing operations are carried out on behalf of the Organizer
of Virtual Trade Fairs, Virtual Meetings, or E-Learning Services.
Where the Organizer of Virtual Trade Fairs, Virtual Meetings/Missions, or E-learning
Services coincides with the Manager, he or she is usually the data controller for all
processing operations described above.
Where Managers of Virtual Exhibition Centers, Virtual Halls, or E-Learning Platform, on the
one hand, and Organizers of Virtual Trade Fairs, Virtual Meetings/Missions, or E-learning
Services, on the other hand, both contribute, in differing forms, to the performance of the
activity covered by the Virtual Service by jointly determining, in whole or in part, the purpose
and means of consequent processing operations, they will enter into a joint controllership
agreement that duly reflects their respective roles and responsibilities in the protection of
personal data, as well as their relationships vis-à-vis the data subjects, in accordance with
the provisions of Article 26 of the GDPR.
Suppliers offering services that involve data processing on behalf of the Organizer of Virtual
Trade Fairs, Virtual Meetings/Missions, or E-learning Services or the Manager of the Virtual
Exhibition Center, Virtual Meeting Room, or E-learning Platform (Data Controllers) are the
data processors for such operations, pursuant to and for the purposes of Article 28 of the
Means of Providing Virtual Services
Virtual Services can be provided in two different ways:
a) directly, by ICE Agency and/or an Agency Supplier;
b) by a third-party Partner of ICE Agency (e.g., a fair, export consortium, etc.) or by a
Supplier authorized by the Partner.
In case a), ICE Agency acts as data controller, unless it is otherwise agreed between the
parties in writing that ICE will assume the role of data processor on behalf of a third-party
controller (particularly when data subjects’ personal, contact, and economic information
originally comes from a database belonging to an affiliated third-party partner).
In case b), ICE Agency assumes the role of data processor on behalf of the third-party
Partner, unless it is otherwise agreed in writing between the parties that ICE Agency will
assume the role of joint controller (particularly when data subjects’ personal, contact, and
economic information originally comes from a database belonging to an affiliated third-party
partner who intends to act jointly with ICE Agency in making certain decisions regarding the
purpose and/or means of processing the relevant personal data).
In the case of joint controllership, ICE Agency and the affiliated third-party Partner formalize
the terms and conditions of the arrangement in a specific agreement and provide data
subjects with a summary thereof.
Your personal data may be processed using paper and electronic means and cloud services,
for purposes strictly related to the purposes stated above, in compliance with the rights and
safeguards provided for by the General Data Protection Regulation (EU) 2016/679 (GDPR).
In particular, ICE Agency processes personal data in compliance with the provisions of the
GDPR, holding all processing operations to the principles of lawfulness, fairness, and
transparency, purpose limitation, and data minimization in relation to the purpose for which
data is collected and subsequently processed, for explicit and legitimate purposes.
Data processing is carried out by suitably qualified Agency personnel who act as personnel
authorized to process the data, or by any persons authorized for occasional maintenance of
the systems, applications, and data necessary for Virtual Services.
Assumptions of lawfulness of processing for the purposes of marketing and
legitimate interests pursued by third parties
The data subjects’ personal information is processed by ICE Agency’s Partners for
marketing purposes (e.g., by Organizers of Trade Fairs, Virtual Meetings/Missions, or E-
learning Services and by Managers of Exhibition Centers, Virtual Meeting Rooms, or the E-
learning Platform, in their respective capacities as Controllers) on the basis of the data
subjects’ consent, pursuant to Article 6(1)(a) of the GDPR, or on the basis of the legitimate
interest of ICE Agency’s third-party Partners as independent data controllers, deemed from
time to time to override the data subjects’ right to privacy.
Data subjects are however protected by the ability to exercise their right to object to ICE
Agency’s Partners pursuant to Article 21(2) of the GDPR, which allows them to object at any
time to the processing of their personal data for marketing purposes, including any profiling
of data that is connected to such direct marketing, that is, to withdraw consent as per Article
7(3) of the Regulation.
How long will you keep my data?
a) Data retention periods for institutional purposes
Personal data and related metadata will be kept for a period of time not exceeding what is
necessary to achieve the respective purposes, according to the time limits provided for by
the applicable legislation on the subject (e.g., Articles 43–44 of the Italian Digital
Administration Code (Codice dell’amministrazione digitale, CAD), Legislative Decree no. 82,
dated 7 March 2005, as amended by Legislative Decree 217/2017; the Agency for Digital
Italy (AgID) Guidelines of December 2015 on the retention of electronic documents;
Technical rules for the formation, transmission, copying, duplication, reproduction, and
timestamping of electronic documents, as well as the formation and retention of PA
electronic documents pursuant to Articles 20, 22, 23-bis, 23-ter, 40(1), 41, and 71(1) of the
Data may be kept for longer periods (including long-term or indefinitely) than those indicated
above when processed solely for archiving purposes in the public interest, scientific or
historical research purposes, or statistical purposes, subject to the implementation of
appropriate technical and organizational measures required by this regulation in order to
safeguard the rights and freedoms of the data subject.
b) Data retention periods for marketing and market analysis purposes
The data retention period for the purposes of marketing and profiling or market analysis of
data subjects (Visitors, Exhibitors, Third-Party Organizers, and Prospects) by third-party
Partners should they process the data in the capacity as independent data controllers is
finite, taking into consideration the specificities of Trade Fair Activities which entail holding
Trade Fairs on an annual, biennial, triennial, or four-year basis. For these reasons and
considering the technical requirements of data management, the retention period is ten
years (proportionate to the purpose of providing information on subsequent editions to the
above-mentioned parties who have expressed interest in the Virtual Trade Fair by
registering for and/or participating in a previous edition and/or by requesting information or
c) Notice and consent logs
ICE Agency keeps records of logs relating to i) the reading of ICE’s online privacy notices
and the online actions (e.g., clicks, flags, and the like) through which Virtual Service users
communicate to the Virtual Platform or with ICE Agency’s third-party Partners through the
Platform (e.g., the data subject can give consent with a click where such third-party Partners
are required by the current legislation to obtain consent) for an indefinite period of time,
without prejudice to any differing terms of retention independently applied by ICE Agency’s
d) Logs of electronic monitoring activities (cybersecurity, proper functioning)
ICE Agency provides its cyber security monitoring service for the purpose of protecting, inter
alia, Exhibitors, Suppliers, and Visitors during Virtual Trade Fairs or Virtual Meetings. The
retention period ranges from a minimum of 90 days to a maximum of 180 days from the date
In the event of a dispute between you and ICE or our third-party suppliers, we will process
data for the time necessary to exercise the protection of our rights or those of third-party
suppliers and that is, as a rule, until the issuance and full execution of a provision constituting
a final decision between the parties or a dispute settlement.
Will you share my data with other parties?
Data relating to Virtual Services is not intended for third parties nor is it subject to
communication or dissemination, unless otherwise provided for by legal or regulatory
provisions or other applicable legislation.
In carrying out our Public Administration activities, ICE may communicate your data to
parties that perform inspection activities or to public bodies or administrations, including tax
authorities, as well as to parties legally entitled to such information, Italian and foreign judicial
authorities, and other public authorities (e.g., the Italian National Anti-Corruption Authority,
the Guardia di Finanza), for the purposes of fulfilling obligations established by law,
regulations, or other applicable legislation, or fulfilling obligations arising from the contractual
relationship with the data subject, including the need for defense in court.
To the extent necessary for pursuing the aforementioned purposes or implementing pre-
contractual measures, data will be disclosed to third parties, including suppliers, partners
(e.g., trade fairs, trade associations), consultants and professional firms (e.g., chartered
accountants, lawyers), other customers who subscribe to Virtual Services, which collectively
involve more customers, business networks, industrial districts, consortia, and inspection
bodies (e.g., auditors, statutory auditors, Supervisory Board).
For the purposes of ICE’s corporate communication (e.g., marketing activities connected to
individual Virtual Events), data may be disclosed to: companies in charge of marketing
analysis, advertising, communications, and/or public relations agencies, the electronic and
physical publishing companies that print our advertising and promotional materials, website
and blog hosting providers, digital marketing agencies, parties responsible for designing
and/or maintaining promotional materials, managed IT system service providers, websites
and databases used to organize and manage Events, and photography agencies.
For the purpose of maintaining the Virtual Platform and its associated technical services,
data may be disclosed to third-party hosting and maintenance service providers.
A complete, up-to-date list of parties who process data in the capacity of Data Processors
is available upon request, which can be made by emailing email@example.com.
As part of the services called ‘Virtual Fairs’ or ‘Virtual B2B Meetings’, ICE can disclose your
Will you transfer data to non-EU countries?
Personal data collected in the CDB (e.g., data concerning Exhibitors, natural persons,
Exhibitors’ employees or collaborators, or the Organizer of Virtual Trade Fairs and/or Virtual
Meetings or E-learning Services) may be transferred by the Organizer of Virtual Trade Fairs
and/or Virtual Meetings or E-learning Services to non-EU countries in which one of the
following is based: (i) the ICE offices1
; and/or, (ii) ICE Suppliers and/or Partners; or, ( iii) the
Managers or Organizers of Virtual Trade Fairs, Virtual Meetings, or E-learning Services, or
the respective suppliers of such parties other than ICE.
This transfer by ICE or the Trade Fair Organizer takes place in accordance with the
provisions of Chapter V in the RGPD and that is on the basis of EU Commission adequacy
decisions pursuant to Article 45 of the GDPR, or in full compliance with the appropriate
safeguards and provisions set out in Articles 46, 47, and 49 of the Regulation.
The aforementioned safeguards are usually constituted, where reasonably possible, by the
third-party data importer’s prior drafting of a contractual agreement with ICE in which the data
importer undertakes to respect privacy obligations for the contracted data processing which
are substantially equivalent to those provided for by the GDPR and upheld by ICE (through
the use of standard contractual clauses in accordance with the text adopted by the EU
Commission without prejudice to any possible integrations and amendments, which were
more favorable for the data subject).
Should drafting such a transfer agreement with the data importer prove impossible or
excessively burdensome, transferring data to the non-EU country may be considered lawful
on the basis of any one of the following reasons: i) it is necessary for the performance of a
contract concluded between the data subject, on the one hand, and ICE Agency or a ‘Third-
Party Organizer’, on the other hand, or for the implementation of pre-contractual measures
adopted at the data subject’s request; ii) it is necessary for the conclusion or execution of a
contract between the data controller or joint controller and another natural or legal person in
favor of the data subject (this other natural or legal person is one of our branches or Partners
based in a non-EU country).
As an alternative to such derogation, we reserve the right to ask you for specific consent to
transfer your data to the non-EU country, which would in this case constitute the lawful basis
for the data transfer.
ICE’s videoconferencing and/or video collaboration services use SaaS-IaaS features that
are mainly provided by ICE’s third-party suppliers based outside the EU. In addition, ICE
1 A list of ICE offices can be found at www.ice.it.
uses cloud-based database and productivity services provided by third-party suppliers
based outside the EU.
In the event that any data is transferred to suppliers with HQ or datacenter in the U.S.A., the
US supplier will be subject to the regulations issued by the US Federal Trade Commission.
In some cases, the US supplier may be obliged to communicate personal data at the lawful
request of any public authorities, also to meet any national security or law enforcement
requirements. In the light of the US regulations, which the EU Court of Justice refers to in
the Schrmes II ruling of 16 July 2020, ICE AGENCY may not theoretically and absolutely
exclude the risk that the US public authorities access such data on special, occasional
situations connected to national security purposes (i.e. for anti-terror purposes). However, if
the following applies:
i) limited scope of the service provided by ICE Agency (exporter) to the benefit of the data
subjects, whose data is processed by the importer (the US supplier), and of the related data
ii) limited types of processed personal data and limited categories of data subjects, who data
refer to (exhibitors, virtual trade-fair visitors, other Virtual Service attendants),
the risk that the US public authorities may concretely access the data (which the importer
may not report to the exporter based on the local national regulations) appears objectively
Therefore, with the exception of the single case of an access by the US public authorities in
the special, limited situations above – which is exceptional by nature and thus quite
improbable – the Data Controller believes that the standard contractual clauses applied in
the relationship between the parties reasonably guarantee the protection of the data
subjects’ rights in a way that is substantially identical to that provided for by the GDPR.
ICE Agency, thus, does not currently believe it necessary to agree any additional provisions
with the importer (this possibility being envisaged in the ruling by the EU Court of Justice
above). Future additional measures may be adopted in view of the indications provided by
Each and every non-EU supplier of ICE Agency is a data processor concerning the data that
the same receives, and later transfers it to a third party acting as agent on the latter’s behalf.
If the first transfer of personal data from the EU to the U.S.A. is made by ICE Agency as the
first data processor (and hence on behalf of third-party independent controllers or joint
controllers), the supplier is a sub-processor of such data.
Is data processed for profiling purposes?
Some of the information on the data subjects in the databases used by ICE as controller or
joint controller in managing Virtual Services may be processed for the purposes of limited
market analysis. For the purposes of the GDPR, profiling is relevant only if it concerns
natural persons (including individual owners of sole proprietorships and partnerships,
shareholders and directors of partnerships, and internal contact persons for companies,
associations, organizations, and other collective bodies other than partnerships). In
particular, the data processed for this profiling purpose includes, for example: the type of
goods and services offered by the Operator using Virtual Services, the Operator’s ATECO
code, contact language, target countries of their business activities, countries in which the
Operator is present, and goods and services of interest to the Operator.
Profiling allows us, in particular, to avoid sending you promotional communications that are
not likely to be relevant to your expectations and needs or through unwanted channels.
The restricted nature of this profiling does not preclude specific advantages or the possibility
of freely exercising your privacy rights, nor does it have particular legal effects; in particular,
it does not in any way affect your ability to participate in Events and/or use our Virtual
Services (e.g., online pre-registration, purchase of services).
Considering the limited data set used for the purposes of such analysis, profiling finds its
lawful basis in ICE Agency’s institutional obligation to have some basic information to
guide/focus promotional communications and service or product offers from ICE and/or
ICE’s affiliated third-party Partners on whose behalf ICE sometimes carries out marketing
activities to develop the trade of its product and/or service abroad, as established by the
legal reference standards cited in the paragraph ‘Purpose and lawful basis’.
How do you handle personal data breaches?
ICE Agency implements appropriate technical and organizational measures to promptly
detect any personal data breaches and, if necessary, notify the competent authorities and
inform the data subject in accordance with the provisions of Articles 33 and 34 of the GDPR.
ICE keeps one or more logs of the security events related to the functioning of Virtual
Services on its internal systems and/or those of its assignors. ICE records incidents and
personal data breaches together with the details of the event and the subsequent mitigation
and recovery actions taken. In the event of incidents that seriously impact the security of
Virtual Services, these logs can be shared with third-party partners affiliated with ICE and/or
with the Operators using Virtual Services, based on the data breach procedure adopted by
ICE and in compliance with up-to-date written agreements with the aforementioned third
What are my rights?
The data subject may at any time exercise his or her rights and, in particular, request access
to personal information and ask that it be corrected or limited, updated if incomplete or
incorrect, or erased if collected in violation of the law, as well as object to its processing,
subject to the existence of legitimate reasons on the part of the Data Controller. The data
subject also has the right to portability, i.e., to receive – or have a third-party controller
receive – the personal information provided by the data subject to the Controller in a
structured, commonly used, and machine-readable format. For a more complete description
of your rights, see this link.
It is possible to contact the Data Controller or the Data Protection Officer for this purpose.
Any further information may be requested at the following email address: firstname.lastname@example.org.
Lastly, we inform you of the possibility of lodging a complaint with the Italian Supervisory
Authority – Data Protection Authority (Garante per la protezione dei dati personali), Piazza
Venezia 11, 00187, Rome.
Who responds to requests to exercise rights?
In the event that ICE acts as data processor on behalf of third party data controller affiliated
with ICE or a third-party Operator Controller, responding to the data subject’s request to
exercise his or her rights will be the sole responsibility of the aforementioned third party. To
this end, the third party will indicate their contact details in their privacy notice.
This privacy notice may be supplemented with further information, including the
integration of regulatory changes and/or the provisions of the EDPB and the Italian