Edinburgh Aortic Summit (EAS) customer privacy notice
Registered name: Edinburgh Aortic Summit Limited
We are the controller of your personal data. For more information on controllers and their responsibilities please see our guidance on data protection principles, definitions, and key terms.
This privacy notice tells you what to expect us to do with your personal information.
Contact details
admin@easummit.org.uk
What information we collect, use, and why
We collect or use the following information to provide services and goods, including delivery:
Names and contact details
Addresses
Purchase or account history
Payment details (including card or bank information for transfers and direct debits)
Health information (including dietary requirements, allergies and health conditions)
Health and safety information
Account information
Website user information (including user journeys and cookie tracking)
Photographs or video recordings
Records of meetings and decisions
Information relating to compliments or complaints
Information relating to sponsorship
Professional and event participation information, including job title, organisation, clinical speciality, professional biography, speaker and faculty details, abstracts, presentation materials, programme participation, attendance and CPD records, emergency contacts, and travel and accommodation arrangements.
We also collect or use the following special category information to provide services and goods, including delivery. This information is subject to additional protection due to its sensitive nature:
Health information
We collect or use the following information for the operation of customer accounts and guarantees:
Names and contact details
Purchase history
Account information, including registration details
Information used for security purposes
Marketing preferences
We collect or use the following information to prevent, detect, investigate or prosecute crimes:
Names and contact information
Customer or client accounts and records
Financial transaction information
We collect or use the following information for service updates or marketing purposes:
Names and contact details
Marketing preferences
Recorded images, such as photos or videos
Purchase or viewing history
Website and app user journey information
Information relating to sponsorship
Records of consent, where appropriate
Professional information, including job title, organisation, clinical speciality, professional interests and delegate, speaker, sponsor or exhibitor status, where used to tailor relevant event communications.
We collect or use the following information to comply with legal requirements:
Name
Contact information
Financial transaction information
Any other personal information required to comply with legal obligations
Health and safety information
We also collect or use the following special category information to comply with legal requirements. This information is subject to additional protection due to its sensitive nature:
Health information
We collect or use the following personal information for dealing with queries, complaints or claims:
Names and contact details
Address
Payment details
Account information
Purchase or service history
Witness statements and contact details
Relevant information from previous investigations
Customer or client accounts and records
Financial transaction information
Information relating to health and safety
Correspondence
Registration, attendance and event-access records; speaker, faculty, abstract, programme, sponsor and exhibitor information; travel and accommodation records; and insurance or legal information relevant to the query, complaint or claim.
We also collect the following special category information for dealing with queries, complaints or claims. This information is subject to additional protection due to its sensitive nature:
Health information
We collect or use the following information to To organise and run the Edinburgh Aortic Summit, including registration, cpd certificates, speakers, programme, payments, access, travel, media, and post-event feedback.:
Names and contact details
Purchase or account history
Payment details (including card or bank information for transfers and direct debits)
Health information (including dietary requirements, allergies and health conditions)
Photographs or video recordings
Records of meetings and decisions
Customer or client accounts and records
Financial transaction information
Purchase or viewing history
Records of consent, where appropriate
Professional and event participation information, including job title, organisation, clinical speciality, biography, abstract submissions, presentation materials, programme participation, attendance and CPD records, speaker travel and accommodation arrangements, accessibility requirements, emergency contact details, and sponsor or exhibitor participation information.
We also collect or use the following special category information to To organise and run the Edinburgh Aortic Summit, including registration, cpd certificates, speakers, programme, payments, access, travel, media, and post-event feedback.. This information is subject to additional protection due to its sensitive nature:
Health information
Lawful bases and data protection rights
Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.
Which lawful basis we rely on may affect your data protection rights which are set out in brief below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:
Your right of access - You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for. Read more about the right of access.
Your right to rectification - You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete. Read more about the right to rectification.
Your right to erasure - You have the right to ask us to delete your personal information. Read more about the right to erasure.
Your right to restriction of processing - You have the right to ask us to limit how we can use your personal information. Read more about the right to restriction of processing.
Your right to object to processing - You have the right to object to the processing of your personal data. Read more about the right to object to processing.
Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you. Read more about the right to data portability.
Your right to withdraw consent – When we use consent as our lawful basis you have the right to withdraw your consent at any time. Read more about the right to withdraw consent.
If you make a request, we must respond to you without undue delay and in any event within one month.
To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.
Our lawful bases for the collection and use of your data
Our lawful bases for collecting or using personal information to provide services and goods are:
Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:
reasonable operational administration that is not strictly necessary to perform a contract, such as organising faculty, maintaining attendance records and coordinating suppliers.
For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.
Our lawful bases for collecting or using personal information for the operation of customer accounts and guarantees are:
Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:
EAS has a legitimate interest in efficiently organising, administering and improving the Edinburgh Aortic Summit. This includes coordinating delegates, speakers, sponsors, exhibitors and suppliers; managing the scientific programme; maintaining appropriate attendance and participation records; securing event systems and accounts; responding to enquiries and complaints; and protecting EAS against misuse or legal claims. We only rely on legitimate interests where the processing is necessary, reasonably expected and does not override the individual’s rights and interests.
For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.
Our lawful bases for collecting or using personal information to prevent, detect, investigate or prosecute crimes are:
Recognised legitimate interests - our pre-approved purpose for collecting or using personal information to prevent, detect, investigate or prosecute crimes are:
We need to prevent, detect, or investigate a crime, including the apprehension and prosecution of offenders (the ‘crime condition’).
Our lawful bases for collecting or using personal information for service updates or marketing purposes are:
Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:
We have a legitimate interest in sending relevant information about the Edinburgh Aortic Summit and related educational, sponsorship and exhibition opportunities to appropriate professional and business contacts; understanding engagement with our communications; and maintaining accurate marketing and suppression records, where this is necessary, proportionate and does not override individuals’ rights and freedoms. Recipients can object or unsubscribe at any time.
For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.
Our lawful bases for collecting or using personal information for legal requirements are:
Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:
We have a legitimate interest in maintaining accurate business, financial, governance and compliance records; demonstrating accountability; responding to legal or regulatory enquiries; and protecting Edinburgh Aortic Summit Limited and others in connection with legal and regulatory matters, where the processing is not strictly required by law and does not override individuals’ rights and freedoms.
For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.
Our lawful bases for collecting or using personal information for dealing with queries, complaints or claims are:
Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.
Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:
We have a legitimate interest in responding to and investigating enquiries and complaints, resolving disputes, maintaining relevant records and evidence, protecting the rights and interests of Edinburgh Aortic Summit Limited and others, and establishing, exercising or defending legal claims, provided that this processing does not override the rights and freedoms of the individuals concerned.
For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.
Our lawful bases for collecting or using personal information for To organise and run the Edinburgh Aortic Summit, including registration, cpd certificates, speakers, programme, payments, access, travel, media, and post-event feedback. are:
Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.
Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:
We have a legitimate interest in efficiently organising, administering and documenting the Edinburgh Aortic Summit and its related educational activities, including coordinating delegates, speakers, faculty, sponsors, exhibitors, partners and suppliers; managing the scientific programme; maintaining appropriate attendance, participation and CPD records; protecting event systems; and evaluating and improving the summit, where this processing is necessary, proportionate and does not override individuals’ rights and freedoms.
For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.
Where we get personal information from
Directly from you
CCTV footage or other recordings
Schools, colleges, universities or other education organisations
Publicly available sources
Suppliers and service providers
Third parties:
Employers and professional organisations registering or nominating delegates, speakers or faculty; sponsors and exhibitors providing details of their representatives; group-booking coordinators; abstract submitters and co-authors; educational and event partners; charities and patient organisations; and authorised representatives acting on an individual’s behalf.
Information generated through a person’s participation in or interaction with the Edinburgh Aortic Summit, including registration and attendance records, portal activity, abstract and programme participation, CPD records, event-access records, feedback, correspondence, and event photographs or recordings.
How long we keep information
We retain personal information only for as long as reasonably necessary for the purposes for which it was collected, including satisfying legal, accounting, tax, contractual and reporting requirements. We regularly review the information we hold and securely delete or anonymise it when it is no longer required.
Our usual retention periods are:
General enquiries and contact-form submissions: up to two years after the last meaningful contact.
Delegate registration, booking, attendance and event-access records: up to three years after the relevant summit, unless the information must be retained for financial, legal or contractual purposes.
Marketing contact details and communication preferences: until the person unsubscribes, objects or their details are no longer valid. We review inactive marketing records at least every two years.
Unsubscribe and suppression records: retained for as long as necessary to ensure that we respect the person’s marketing preferences.
Speaker, faculty, moderator and committee contact details: up to five years after the person’s last involvement with EAS, subject to periodic review.
Speaker biographies, programme information, published abstracts, author details and other material forming part of the summit’s scientific or historical record: may be retained indefinitely as part of the EAS programme and educational archive.
Presentation files and event recordings: retained for the agreed publication, educational or on-demand availability period, normally up to three years after the event, unless a longer period has been agreed with the contributor.
Sponsor, exhibitor, supplier and contractual records: normally six years after the end of the relevant agreement or financial year.
Invoices, payments, reimbursements, accounting and tax records: normally six years from the end of the relevant company financial year, or longer where required by law or an ongoing HMRC enquiry.
Bank details supplied for reimbursements: deleted or access-restricted once payment and reconciliation are complete, except where information must remain within legally required financial records.
Dietary, allergy, accessibility and other health-related information: normally deleted within three months after the event, unless required in connection with an incident, complaint or legal claim.
Speaker and delegate portal accounts and uploaded administrative documents: normally deleted or anonymised within twelve months after the relevant event, unless the information is required for another stated purpose.
Complaints, disputes, accident reports and legal claims: retained for the duration of the matter and for up to six years after it is closed, or longer where legal proceedings or another legal requirement applies.
Event photographs and promotional recordings: retained while they remain relevant to EAS’s educational, historical or promotional activities and reviewed at least every three years.
Website analytics and cookie information: retained in accordance with our cookie notice and the settings of the relevant analytics provider, normally for no longer than twenty-four months.
Where more than one retention period applies, we use the longer period where reasonably necessary. We may retain information for longer if required by law, a regulator, a court, an insurer or an ongoing legal claim. When information is no longer needed, we securely delete it or anonymise it so that it can no longer identify an individual.
Who we share information with
Data processors
Squarespace, Inc.
This data processor does the following activities for us: Hosts and operates the EAS website and processes information submitted through website forms, mailing-list functions and website administration tools.
Noloco Limited, a cloud-based no-code portal and application platform provider based in Ireland.
This data processor does the following activities for us: Provides, hosts and operates the secure EAS speaker and sponsor portals, including user accounts, role-based access, forms, records, document uploads, communications and event administration workflows.
Google LLC and relevant Google Workspace subprocessors, Cloud email, file storage, spreadsheet, document-management and collaboration provider, United States of America.
Zimma Ltd, trading as Ticket Tailor, and its hosting subprocessors, Online event-registration, ticketing and cloud-hosting provider, Ireland and France.
Others we share personal information with
Insurance companies
Professional or legal advisors
Financial or fraud investigation authorities
Relevant regulatory authorities
External auditors or inspectors
Professional consultants
Organisations we’re legally obliged to share personal information with
Emergency services
Publicly on our website, social media or other marketing and information media
Suppliers and service providers
Other relevant third parties:
Event venues, abstract reviewers, travel and accommodation providers, caterers, partners, employers and others supporting the Edinburgh Aortic Summit., We share only the personal information reasonably necessary for their specific role, such as registration, attendance, professional, dietary, accessibility, travel or programme information.
Sharing information outside the UK
Where necessary, our data processors may share personal information outside of the UK. When doing so, they comply with the UK GDPR, making sure appropriate safeguards are in place.
Organisation name: Google LLC and relevant Google Workspace subprocessors
Category of recipient: Cloud email, file storage, spreadsheet, document-management and collaboration provider
Country the personal information is sent to: United States of America
How the transfer complies with UK data protection law: Addendum to the EU Standard Contractual Clauses (SCCs)
Organisation name: Zimma Ltd, trading as Ticket Tailor, and its hosting subprocessors
Category of recipient: Online event-registration, ticketing and cloud-hosting provider
Country the personal information is sent to: Ireland and France
How the transfer complies with UK data protection law: The country or sector has been assessed as providing adequate protection to data subjects (also known as Adequacy Regulations or UK data bridge)
Organisation name: Noloco Limited
Category of recipient: Cloud-based no-code portal and application platform provider
Country the personal information is sent to: Ireland
How the transfer complies with UK data protection law: The country or sector has been assessed as providing adequate protection to data subjects (also known as Adequacy Regulations or UK data bridge)
Organisation name: Squarespace, Inc.
Category of recipient: Website hosting, website forms and digital platform provider
Country the personal information is sent to: United States of America
How the transfer complies with UK data protection law: The country or sector has been assessed as providing adequate protection to data subjects — UK Extension to the EU–US Data Privacy Framework.
How to complain
If you have any concerns about our use of your personal information, you can make a data protection complaint to us:
Email: admin@easummit.org.uk
If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO.
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
Website: https://www.ico.org.uk/make-a-complaint