Effective Date: September 23, 2022
The Institute of International Finance (“IIF” or “we”) is an association of financial institutions from around the world which promotes international financial cooperation.
The Institute of International Finance is the controller for the purposes of applicable privacy law, including the EU General Data Protection Regulation 2016/679 (the “GDPR”), and is responsible for the personal data collected and used as described in this Policy. We are headquartered at 1333 H Street NW, Suite 800E, Washington, D.C. 20005, USA.
1 How to contact us
We have appointed a data privacy officer who is responsible for overseeing questions concerning this Policy. If you have any questions regarding this Policy, including any requests to exercise your legal rights, please contact our data privacy officer in the following ways:
- By email: [email protected]
- By phone: +1 202 857-3600 (and follow prompts to Communications Department)
- By post: 1333 H St NW, Suite 800E, Washington, DC 20005-4770, USA
2 Changes to this Policy
We may change this Policy from time to time, so please review this page periodically for changes. If we make any material changes to this Policy, we will notify you either by placing a notice on our website, or by contacting you through the email address you have provided to us. The “Effective Date” provided at the top of this page will indicate when the Policy was most recently updated.
3 Information collection and use
3.1 What personal data does IIF collect?
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We collect personal data that is provided to us by our members, event attendees, event sponsors, website users and others, which may include:
• Contact data, such as your name, employer, job title, department, username or similar identifier, postal address, email address and telephone numbers. Contact data is provided when you create a new user account on our website, provide your business card at a meeting or one of our events, when you communicate with us and when organizations complete our membership or subscription forms.
• Credentials, such as passwords, your secret question and answer, or similar security information used for authentication and account access.
• Marketing and subscription data, such as your preferences in receiving our marketing from us and our third parties, and your interests when you subscribe to email subscriptions on our website.
• Event data, such as the contact data you provide when you register for an event, a record of your participation in our events as an attendee, presenter or a member of the press and photographs taken at events that may include your image.
• Survey information, such as the contact data and content you provide when you respond to surveys or our requests for public comments, and a record of your participation in groups, forums or task forces that we organise or sponsor.
• Invoicing information, such as invoice data and bank account details to process payments.
• Candidate data, such as employment history, qualifications, academic qualifications and education records, and any other information that you provide to us when applying for a role, for example in your curriculum vitae, a covering letter, on an application form or during an interview, or that we have received from a recruitment agency or background check provider.
In addition, we collect personal data from publicly available sources, such as corporate and industry websites, social media platforms (such as LinkedIn), press releases and other news outlets. When new staff members join IIF, they may also have contacts from their previous employment. Personal data relating to these contacts will be processed in line with this Policy.
At this time, our website does not support “do not track” signals (“DNT”) that may be available in your browser for letting websites know that you do not want them collecting certain kinds of information. If you turn on the DNT setting on your browser, our website is not currently capable of following whatever DNT preferences you set. For more information about DNT, visit www.donottrack.us.
3.2 How does IIF process personal data?
We process your personal data for the purposes set out in this Policy only where we have a valid legal ground for doing so under applicable data protection law. The legal ground will depend on the purpose for which we process your personal data.
We use your personal data in the following ways as necessary in our legitimate business interests, including to meet our membership and subscription obligations:
• to administer or otherwise carry out our obligations in relation to any agreement to which we are a party;
• to provide our products and services, and contact you regarding your use of our products and services;
• to provide you with copies of our educational research and other membership content that you have requested;
• to manage registration, payments and your attendance to our events; and
• to respond to requests or inquiries.
We may use your sensitive information, such as health data, to provide you with specialized services, such as disabled access to our events, where you have given your explicit consent to the extent required by applicable law (such consent can be withdrawn at any time).
We use your personal data in the following ways as necessary for certain legitimate interests, or where you have given your consent to such processing to the extent required by applicable law (such consent can be withdrawn at any time):
• to invite you to events;
• where you attend one of our events, to share your contact data with sponsors and other attendees through our event app and to publish photographs taken at events to promote the event after it has taken place;
• to contact you after you have attended one of our events;
• to deal with any enquiries or complaints you or others make;
• to confirm, update and improve our records;
• to analyze and develop our relationship with you;
• to conduct other marketing and commercial activities;
• to send you email content in line with your interests;
• to identify and inform you of services that may be of interest;
• to gather statistical information to make our research products more relevant to you;
• to administer surveys or public consultations and to review, analyse and report on the responses/comments received;
• to offer our products and services to you in a personalized way;
• to administer our website;
• for internal administrative and technical operations to keep our website, network and information systems secure; and
• to (i) comply with legal obligations, (ii) respond to requests from competent authorities; (iii) protect our interests; (iv) protect our rights, safety or property, and/or that of our partners, you or others; and (v) enforce or defend our legal rights.
If you apply to work for IIF on a permanent or temporary basis, including as a consultant or intern, we will use your personal data in the following ways as necessary in our legitimate interests, and to decide whether to enter into a contract with you:
• to assess your skills, qualifications, and suitability for the role you have applied for;
• to carry out background and reference checks, where applicable;
• to communicate with you about the recruitment process;
• to keep records related to our hiring processes; and
• to comply with legal or regulatory requirements.
3.3 When and how does IIF share personal data with others?
There are circumstances where we wish to disclose or are compelled to disclose your personal data to third parties. This will only take place in accordance with the applicable law and for the purposes listed in this Policy.
We publish attendee lists ahead of our events which contain each attendee’s name, job title, country and employer/company. Attendee lists are available to sponsors and attendees through our event apps. From time to time, we share contact data between our members on an ad hoc basis so that they can connect and collaborate. For example, where we invite you to attend an event we may do so using an application which allows you to see who else has been invited to the event so you can connect with other attendees/potential attendees in advance of or after the event. We also may publish photographs in various media, including social media, taken at events to promote the event after it has taken place.
We will share your personal data with:
• Our associated offices.
• Third-party vendors, consultants and other service providers who we employ to perform tasks on our behalf. These companies include our payment processing providers, website analytics companies, CRM service providers, email service providers, IT service providers, conference call providers, events management, website developer and others.
• Travel agents, hotels, airlines, car rental companies and others where we are arranging travel and accommodation for our members, event attendees and speakers, etc.
• Our data center providers (based in the United States).
• Advertising partners who enable us to deliver personalized ads to your devices or similar advertising where you have given your consent if required under the applicable law.
• Our marketing partners and event sponsors, who may contact you by post, email, telephone, SMS or by other means, subject to your consent to the extent required by applicable law (such consent can be withdrawn at any time).
• Another legal entity, on a temporary or permanent basis, for the purposes of a joint venture, collaboration, financing, sale, merger, reorganization, change of legal form, dissolution or similar event.
• A successor organization or other legal entity, in the case of a merger, financing, acquisition or dissolution, transition, or proceeding involving the sale, transfer, divestiture, or disclosure of all or a portion of our business or assets. We do not guarantee that any entity receiving your information in connection with one of these transactions will comply with all of the terms of this Policy following such transaction.
• Public authorities and other third parties, to comply with the law, applicable regulations, governmental and quasi-governmental requests, court orders or subpoenas, to enforce other agreements you may have with IIF, or to protect our rights, property or safety or the rights, property or safety of our members, event attendees, website users or others (e.g. to a reporting agency for fraud protection). We reserve the right to release information that we collect to law enforcement or other government officials, as we, in our sole and absolute discretion, deem necessary or appropriate.
• Any other third party where you have provided your consent.
We may also share aggregated or anonymous information that cannot identify you with third parties. For example, we may disclose the number of visitors to our website, attendees to our events, or the number of people who have downloaded content from our website.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
4 Storage and security
4.1 Where does IIF store personal data?
IIF is based in the United States. Where personal data is provided to our international offices or during our events around the world, it will be stored on our computers and other devices in those locations and may be transferred and stored on our servers in the United States.
We employ third-party vendors, consultants and other service providers to store and process personal data on our behalf. These companies may be based in the United States or around the world.
4.2 How long does IIF retain personal data?
We will store your personal data, in a form which permits us to identify you, for no longer than is necessary for the purpose for which the personal data is processed. We may retain and use your personal data as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements and rights, or if it is not technically reasonably feasible to remove it.
4.3 Is personal data secure?
The security of your personal data is important to us, and we strive to implement and maintain reasonable, commercially acceptable security procedures and practices appropriate to the nature of the information we store, to protect it from unauthorized access, destruction, use, modification, or disclosure. However, please be aware that no method of transmission over the internet, or method of electronic storage is 100% secure and we are unable to guarantee the absolute security of the personal data we have collected from you.
5 Communications and marketing
5.1 When will IIF contact me?
We use your contact, marketing and subscription data to send you educational research, email subscriptions, event invitations, or other information.
5.2 How can I opt-out of receiving IIF emails?
You may opt-out of receiving any, or all, of these communications from us by clicking the unsubscribe link in the email communications we send to you, or by visiting our website and changing your subscription preferences.
6 Rights under the General Data Protection Regulation 2016/679 (the “GDPR”)
6.1 What are my rights?
If you are a resident of the EEA or the United Kingdom, in certain circumstances you have the right to access, correct, restrict the processing of, delete or transfer the personal data we hold about you.
Where you believe that we have not complied with our obligations under this Policy or applicable data protection law, we ask that you contact us first to see if we can resolve the issue. However, you have the right to make a complaint to an EU Data Protection Authority (if you are based in the EEA), or the UK Information Commissioner’s Office (if you are based in the United Kingdom).
7. Rights under the Brazilian General Personal Data Protection Law (“LGPD”)
7.1 What are my rights?
If you are a resident of Brazil, in certain circumstances you have the right to receive confirmation that we are processing your data, as well as the right to access, correct, anonymize, block the processing of, delete or transfer the personal data we hold about you. Where we rely on your consent to process your personal data, such consent can be withdrawn at any time.
Where you believe that we have not complied with our obligations under this Policy or applicable data protection law, we ask that you contact us first to see if we can resolve the issue. However, you have the right to make a complaint before the national authority in Brazil.
8. Rights under the Dubai International Financial Centre (DIFC) Data Protection Law
8.1 What are my rights?
If you are a resident of the DIFC or otherwise attend one of our events in the DIFC, in certain circumstances you have the right to receive confirmation that we are processing your data, as well as the right to access, correct, anonymize, object to or restrict the processing of, delete or transfer the personal data we hold about you. Where we rely on your consent to process your personal data, such consent can be withdrawn at any time.
Where you believe that we have not complied with our obligations under this Policy or applicable data protection law, we ask that you contact us first to see if we can resolve the issue. However, you have the right to make a complaint before the DIFC Commissioner of Data Protection.
If you would like to exercise any of your rights under this section, please contact us using the contact details set out in the “How to contact us” section of this Policy.
9. Rights under the Personal Information Protection Law (PIPL) of the People’s Republic of China (PRC)
9.1 What are my rights?
If you are located within the territory of the PRC, in certain circumstances you have the right to access, correct, restrict the processing of, delete or transfer the personal data we hold about you. Where we rely on your consent to process your personal data, such consent can be withdrawn at any time.
Where you believe that we have not complied with our obligations under this Policy or applicable data protection law, we ask that you contact us first to see if we can resolve the issue. However, you have the right to make a complaint to the Cyberspace Administration of China and other competent regulatory authorities of the PRC if you feel we have not handled your concern appropriately (or without contacting us first).
If you would like to exercise any of your rights under this section, please contact us using the contact details set out in the “How to contact us” section of this Policy.
10.1 Children’s privacy
Only persons age 16 or older have permission to access our website and services. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and you learn that your children have provided us with personal data, please contact us. If we become aware that we have collected personal data from a child under age 16 without verification of parental consent, we will take steps to remove that information from our servers.
10.2 Links to third party websites
Our website contains links to and from the websites of our partners, sponsors, advertisers, affiliates and other third parties. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
© 2022 The Institute of International Finance. All rights reserved.