Privacy policy & data subject rights
This policy aims to support your right to be informed. The document covers how we process the data of individuals who are members, customers or prospects of the Meetings & Events Support Association (referred to as MESA from now on), or suppliers to MESA.
Identity and contact details
Please click here to find out more about MESA. Our postal address is C/O Skytax, 37th floor Canada Square 1, London, E14 5AA, United Kingdom. You can contact us by email using sandie@themesa.community.
Our supervisory authority under the UK's General Data Protection Regulation (GDPR) is the Information Commissioner’s Office (ICO). We are based in the United Kingdom.
To contact the individual responsible for Data Protection in our company please use the details above.
What data we process
MESA gathers and processes data on:
- Members and customers.
- Prospects (including ex-customers).
- Staff.
- Suppliers.
Members and customers
MESA gathers and processes information on individuals in member, customer and prospective customer organisations who have engaged with us either directly or through our website or contacted us using email or telephone. We use a reason of ‘Contract’ to process this data as we are taking steps towards providing services to these individuals when we gather and process this data.
MESA gathers and processes information on individuals in customer organisations that we are in the process of providing services for so that we can effectively manage and communicate with them as we deliver our services. We use Contract to process this data.
The data we gather and process on individuals in our customers and prospective customer organisations includes contact name, email address, physical address, job title and telephone numbers.
We may gather and process special category information (click here for more information on what special category information is) on individuals in customer organisations if they come to physical events, where we may gather information on specific dietary or access needs. We use this information only in relation to the physical event and securely delete the data within 6 months of the event taking place. We use a legal basis of explicit “Employment, social security and social protection law” to gather and process this special category information.
Prospects
MESA gathers and processes information on individuals who we believe could have a need for our services: our prospects. We can either gather this data directly from the individuals in the process of selling to them, through referrals that we solicit from existing members or customers, or we can licence this data from reputable data providers.
We use the data on prospects for the purposes of direct marketing to the individuals who are corporate employees of the organisations that we target. We process this data because it is in our business interests to do so and use the legal basis of legitimate interests for direct marketing to these prospects (click here for some background information on Legitimate Interests as a basis for processing personal data). We have conducted our gating and balancing tests to determine whether our legitimate interests do not outweigh the rights and freedoms of the individuals we are targeting.
Where regulations mandate that we must obtain consent from individuals, for example if the prospect is a consumer and not an employee of a business (a 'corporate subscriber') and we intend to use email to communicate, then we will use the lawful basis of Consent to process data to promote our services. This lawful basis of consent can include the use of a 'soft opt-in' where the individuals we are targeting have bought from us within the past 2 years.
The data we gather and process on our prospects includes contact name, email address, physical address, job title and telephone numbers.
We do not gather special category data on prospects.
Staff
We gather and process data on staff in several ways.
We use the lawful basis of Contract to gather and process data for the purposes of managing their work within MESA. For example, if the individual enters into a contract of employment or other work for MESA, or if individuals are taking steps to enter into a contract (for example for recruitment). We can gather and process special category information on staff when managing their work, as this is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection.
We gather and process data on staff and can pass data on to specific parties because we are acting as an intermediary to a contract between the member of staff and the third party. For example, where we organise pension payments for staff. We use a lawful basis of Contract to process this data. We do not gather special category information on staff where we are acting as an intermediary to specific parties.
We gather and process data on staff and their next of kin where it is in MESA's interest to do so for operational purposes. For example, to keep staff up to date with MESA news, to maintain a list of the staff's next of kin for communication in the event of an emergency, or to create business cards for staff. We use the lawful basis of legitimate interests to process this data. We have completed the specification, gate analysis and balancing tests specified under GDPR for this data. We do not gather special category information on staff and next of kin where we are gathering it for operational purposes.
The data we gather and process on our staff includes name, email address, physical address, job title and telephone numbers, as well as other identifiers such as national insurance numbers.
Suppliers and partners
We gather and process information on suppliers and partners so that we can purchase goods and services from them. We use a lawful basis of Contract to process this data.
The data we gather and process on our suppliers includes contact name, email address, physical address, job title and telephone numbers.
We do not gather special category information on suppliers or partners.
Any recipient or categories of recipients of the personal data
MESA pass data on to other data controllers for the following purposes:
- For data relating to those applying to be members of staff or for staff who have found other employment after the end of a contract, we share data with third parties to obtain and provide references.
- As the data controller of data, we may provide access to data processors that process data on our behalf, who will only process the data according to the written instructions in the Data Processing Agreements in place with them.
- We share data with organisations with which we have a legal obligation to share data (for example the tax authorities).
- We share data on staff with organisations where we are acting as an intermediary between the staff and an organisation providing benefits to the staff member (for example pension providers).
Details of transfers to third country and safeguards
We will not transfer your data to countries outside the UK to destinations that are not considered 'adequate' by relevant legislation without additional safeguards or where we have the explicit consent of the individuals concerned.
Retention period or criteria used to determine the retention period
- We will retain the information described in the members and customers section for 7 years after the latest engagement as we will need to retain this information for financial purposes.
- We will retain information that we outlined in the section on prospects for the purposes of direct marketing for 3 years after the latest interaction with the individual where we use legitimate interests as a lawful basis for processing the data.
- We will retain information that we outlined in the section on prospects for the purposes of direct marketing for 3 years after the latest interaction with the individual where we use consent as a lawful basis for processing the data.
- We will retain information on staff members for 7 years after their employment with us ends, as we need to retain information on staff members for legal reasons.
- We will retain information on individuals who we have details on for recruitment purposes, but who have not gone on to be employees, for 3 months after the job role that they were being considered for has been filled. If we believe that their details may be suitable for future roles, we will obtain their consent to retain their CVs for longer periods.
- We will retain the details of the suppliers or partners for as long as we might have a need for the services that the supplier or partner offers.
If these data retention timescales clash with legal or contractual obligations then these other obligations will override the retention timescales outlined. All records are disposed of securely when deleted.
How we look after data
We take reasonable technical and procedural precautions to prevent the loss, misuse or unauthorised alteration of personal data.
We store the personal data that we collect securely. We do not publish the details of the safeguards we use to protect the personal data that we control as this could reduce the effectiveness of those safeguards.
Cookies
Cookies are text files placed on your computer to collect information about which pages you visit, and how long for. This information is used to track use of the website and to compile statistical reports on website activity.
When you visit our website you will be presented with a choice which will allow you to decide whether cookies are used or not. In a few cases some of our website features may not function if you choose not to allow cookies on our website.
Anonymised data derived from the cookies may be shared with third parties to enable us to conduct web analytics to monitor use of our website. We use Google Analytics and you can opt out of Google Analytics by using this link: https://tools.google.com/dlpage/gaoptout?hl+en=GB.
Other websites
This privacy policy only applies to data under our control. The policy does not cover data controlled by other organisations, even if we publish the link to their websites on our web pages. Please view the privacy policy of the organisation’s website concerned to see how they manage your data if you are providing your data to them.
Your rights
MESA recognises the rights of individuals as defined in the UK and EU’s GDPR.
We will always seek to uphold those rights and the links provided will enable you to communicate with us to exercise those rights, where relevant.
- Your right to be informed (this page and further information in communications we might send to you); for more information, please click here.
- Your right of access; for more information, please click here.
- Your right to rectification; for more information, please click here.
- Your right of erasure; for more information, please click here.
- Your right of restriction of processing; for more information, please click here.
- Your right to data portability; for more information, please click here.
- Your right to object; for more information, please click here.
We do not carry out automated decision making and profiling; for more information, please click here.
MESA recognises your right to lodge a complaint with a supervisory authority. You can access the ICO's website from this link.
You can access a list of contact details for the EEA’s supervisory authorities using this link.