The Data Controller, ETSI (European Telecommunications Standard Institute) is a not-for-profit organization established under the French law of 1st July 1901 and recognized as a European Standards Organization dealing with telecommunication, broadcasting and other electronic communication networks and services.
“Personal data” has the meaning ascribed to it in the French Data Protection Act n°78-17 dated 6 January 1978 modified in 2018 and means any information relating to an identified or identifiable person; an identifiable person being one who can be identified, directly or indirectly by reference to an identification number or to one or more elements specific to the person.
What kind of personal data we collect and why
When using ETSI website, services, and when participating to ETSI activities, we undertake to collect and process only the personal data necessary to achieve the purposes for which your personal data are collected. As far as ETSI members and EC (European Commission) counsellors are concerned, their delegates and representatives can access to most ETSI services and participate to ETSI activities subject to the creation of an EOL (ETSI Online) account on the ETSI portal.
ETSI needs to collect, process and store some of your personal data, namely name and surname, title, phone number (fix and/or mobile), e-mail and professional postal address, function, and eventually signature in the context of following activities:
Administrative management of Membership, ISG/SDG Participants and Partnerships:
- To manage any administrative task in relation with your ETSI membership or engagement as an ISG/SDG Participant or in a context of a Partnership (for example with other Standardization Development Organisations, National Standard organizations…), such as processing your application or ISG/SDG agreement, partnership agreement, invoicing, sending you any relevant communication in relation with the aforementioned…
This processing is justified by the contract legal basis of the GDPR, to prepare, execute and follow-up the contract ETSI has with you and keep records of them.
- To maintain an updated list of official and voting contacts of the National Standardization Bodies of the European Union.
This processing is justified by the legal obligation basis of GDPR, for ETSI to comply with European Regulation 1025/12.
Organization of Corporate meetings (General Assemblies, Boards, special committees…) and meetings of the Technical Organization (technical committees…) and management of corresponding work:
- For the preparation and implementation, in terms of logistic, of the meetings to which you are entitled or invited to participate to send you invitations, allow you to register, submit written contributions, edit your badge for check-in, calculate the quorum, manage the voting process or the remote consensus process, manage the process specific to elaboration of European Standards, and communicate to you any relevant information in relation with the aforementioned.
This processing is justified by:
- The contract legal basis of GDPR in the case of ETSI members, ISG/SDG Participants and representatives entitled to attend a meeting in the context of a partnership (including NSO - National Standards Organizations - agreements).
- The legitimate interest basis of GDPR for EC Counsellors and other guests.
- The legal obligation basis of GDPR as far as elaboration of European Standards are concerned, to comply with regulation 1025/12.
- For the management of written contributions, of ETSI deliverables such as standards, technical reports, and any other documents presented during those meetings or produced in the context of ETSI activities, and keep records of them, as well as keeping track of participants in the minutes.
This processing is justified by:
- The legal obligation basis as far as identification of persons with an official role (General Assembly Chair, Secretary of General Assembly...) in corporate meetings are concerned.
- The legitimate interest basis of GDPR for other participants.
- For organization of elections either for roles at corporate level (General Assembly Chair or Vice, Chair, Board…) or at Technical Level (TC Chair, TC Vice Chair…), to receive and process applications, organize the voting process, communicate the results...
This processing is based on the contract legal basis of GDPR, to comply with our Bylaws and operating rules.
In addition, when applying to a role at corporate level, we ask you to enclose a CV with your application. We only ask you to provide us only with the necessary professional information to enable the ETSI membership to appreciate your application, excluding any sensitive information such as religious faith or political affiliation.
This processing of additional information is justified by the legitimate interest basis of GDPR.
- For the declaration of Elected Officials before relevant French authorities when required by Law.
This Processing is justified by the legal obligation basis of GDPR.
ETSI IPR Database:
- For the creation of your account to submit declarations of Standard Essential Patents (SEPs) and licensing commitments, as well as allowing us to process your declaration.
- To make your declarations publicly available in accordance with the ETSI IPR policy, with the provided contact person to address requests in relation with your SEPs.
These processing are justified by the contract legal basis of GDPR.
Events (conferences, Plugtests, webinars…):
- For the preparation and implementation of the events to which you participate, in terms of logistic, to send you invitations, allow you to register, edit your badge for check-in, manage confidentiality issues with NDAs (Non-Disclosure Agreements) when applicable, and communicate to you any relevant information in relation with the aforementioned.
- For the management of presentations for conferences, display for information the names of speakers on the programme, event’s website and other medias used to communicate on the event.
These processing are justified by:
- The legitimate interest legal basis of GDPR or the contract legal basis when you are bound by a contract with us.
- The legal obligation basis of GDPR, as far as acknowledgement of authors is concerned, in accordance with copyright law.
Online Store (algorithms, codes, ISG – Industry Specification Groups - Meetings…):
- For the creation of your account to purchase items, licenses or services sold on the ETSI online store, and allow us to process your purchase, the corresponding invoicing, and ensure the follow-up of your contract with us, keep records of the latter.
This processing is based on the contract legal basis of GDPR.
- To fulfil export control obligations before relevant French Authorities.
This processing is justified by the legal obligation basis of GDPR.
Marketing Communication (Newsletters, magazines…)
- To send you marketing communication in relation with ETSI activities and standardization, either:
- Including you, when becoming an ETSI member, in some of dedicated the mailing list.
- Giving you the possibility to subscribe to dedicated mailing list to receive such communications.
This processing is justified by the legitimate interest basis of GPDR in the first case and on the consent legal basis of GDPR in the second case.
Management of ETSI IT system
- For the management of your accounts of the ETSI tools you use or of the e-mail lists to which you subscribed, when participating to ETSI activities. For the management of requests made to the Helpdesk in relation with our IT environment, the management of the information systems, of security issues, and communicate to you any relevant information in relation with your use of the ETSI IT environment.
This processing is justified by the legitimate interest basis of GDPR.
Statistics and reporting
- For compiling statistics and producing reporting for ETSI’s own needs, to evaluate ETSI’s activities and their impact, or in the context of funding/grant agreements such as grant agreements with the European Commission.
This processing is justified by the legitimate basis of GDPR.
- statistical or survey purposes to improve ETSI websites and services for you or evaluate the impact of ETSI’s activities.
- to administer and provide you with the content of ETSI websites and services
Reasons we communicate personal data to Third Parties
We never sell, lease, or rent your personal data.
We communicate your personal data to third parties only with your consent or when it is necessary in the context of activities described above in section “What Kind of Personal Data We Collect And Why”, or otherwise when required by law or to respond to a legal proceeding, to protect our users, to protect lives, to maintain the security of our products, and to protect the rights or property of ETSI.
We may hence share your personal data with:
- suppliers and service providers working on our behalf, partners operating on a contractual basis with us,
- Public or Legal Authorities, when required by law or to respond to legal proceedings,
- Public Agencies or Public Entities (such as European Commission) funding and/or collaborating with ETSI.
Besides, activities within ETSI are based on collaborative work between ETSI members, the Secretariat, Counsellors, and other partners involved in ETSI’s activities. When participating to such activities within ETSI, you agree that your personal data as you provide it to us (Title, name, surname, e-mail and postal address, function, organization, phone number), will be accessible to other ETSI members, the Secretariat, EC Counsellors, and other partners to enable you collaborate with them and vice versa. Such personal data may also be available on contributions and other ETSI documents that are shared with other ETSI members, Counsellors and when entitled, to other partners in the context of such collaborative work. However, your personal data, as accessible to other ETSI members, may not be used for another purpose than collaborating with you in the context of ETSI’s activities, may it be in ETSI’s technical activities or ETSI’s corporate activities.
Transfer of Personal Data Outside of the European Economic Area (EEA)
In certain situations, ETSI transfer your personal data outside the EEA (EUROPEAN ECONOMIC AREA). Such Transfer is made on the following basis:
- The countries have been deemed by the Commission of the European Union to have an adequate level of protection of personal data (so called safe third countries).
- Otherwise, we will request on a contractual basis that adequate protection for your personal data is provided by our service providers and partners.
- In particular, when you participate to ETSI's activities, and given that ETSI’s membership is global, this implies that ETSI members located outside the EEA have access to your personal data, in the conditions indicated in the section “Reason We Communicate Personal Data to Third Parties” hereabove.
Unless expressly invited or requested to do so, for specific purpose and needs, we ask you not to communicate to us confidential or sensitive personal data such as passport or ID card number, health insurance number, date of birth, driving license number. In case of a request from us involving confidential or sensitive data, you shall be informed of the purpose and method used.
In this instance, you are informed that there are two specific purposes for which you may provide us, on a voluntary basis, your sensitive personal data:
- we may need your passport number and data indicating on it, when you wish us to assist you in obtaining your visa to travel to some ETSI events or meetings, as required by the hosting country’s immigration law.
- When registering to an event or a meeting, for which ETSI offers a meal, we may invite you, on a voluntary basis, to inform us of any special dietary requirements to consider.
For both the above cases, the sensitive personal data you communicate to us shall be processed for these sole purposes as indicated hereabove, in accordance with regulations in force. Also, you are informed that we do not store such sensitive personal data once visa formalities have been accomplished or once the corresponding event or meeting has ended
Accuracy of your personal data
We take all reasonable measures to keep the personal data we process accurate and to delete incorrect or unnecessary personal data.
Part of ETSI websites and services are open to a general audience and are designed to allow visitors to browse through the websites without providing any personal data.
However, ETSI’s website and more generally, ETSI activities are not intended for minors. We do not knowingly collect personal data from anyone under the age of 13 and will immediately destroy such information from our records if we discover it.
Links to other websites
We may provide links to other websites for your convenience and information, but these websites may operate independently from ETSI and have their own privacy notice or policy which we strongly recommend that you review those organizations’ policies insofar as they apply to your visit to those websites. We are not responsible for the content of those websites and their privacy practices.
The security of your personal data
Wherever your personal data may be held by ETSI, we will take reasonable and appropriate measures to protect the personal data that you share with us from unauthorized access or disclosure.
You are responsible to safeguard your credentials, IDs, and passwords. If you suspect that your credentials, IDs and/or passwords have been compromised, please inform us immediately, using the contact methods detailed below.
You have rights of access, rectification, objection, and erasure related to the personal data we hold about you. You may exercise your rights by contacting us by e-mail or regular mail (see section Contact Us below) or by managing your account and choices through available profile management tools available through our services. When updating your personal data, we may ask you to prove your identity before acting on your request. We may also reject requests that are repetitive, require disproportionate technical effort, conflict with legal requirements, harm the privacy rights of others or would be extremely impracticable.
Privacy and Legal department
650 Route des Lucioles
06921 Sophia-Antipolis CEDEX
Right to lodge a complaint
If you consider, after contacting us, that your data protection rights have not been respected, you have the possibility of lodging a complaint before the CNIL online or by regular mail at:
Commission Nationale de l’Informatique et des Libertés
Service des Plaintes
3 places Fontenoy
75334 Paris Cedex 07