FIG PRIVACY POLICY

The International Federation of Surveyors – FIG is the premier international organisation representing the interests of surveyors worldwide. FIG’s vision is of a modern and sustainable surveying profession in support of society, environment and economy by providing innovative, reliable and best practice solutions to our rapidly changing and complex world, acting with integrity and confidence about the usefulness of surveying, and translating these words into action. FIG’s Vision and Mission critically depend on the provision of accurate, relevant data and on building valuable personal connections between members of our community (FIG members and non-members).

The Council and office of FIG play a crucial role in guaranteeing the privacy of those involved. With this policy FIG gives a clear direction to privacy and shows that it guarantees, protects and maintains privacy. This policy applies to the entire organisation, all processes, all parts, objects and data collections.

This privacy policy is in line with the general policy of FIG and the relevant national and European laws and regulations. The policy will be evaluated every year and revised if necessary. Changes to this policy will be announced via FIG communication channels/website. The latest version of the policy can be found on the FIG website.

Legal framework for dealing with data

 FIG collects and works with personal data of staff, FIG member organisations (associations, affiliates, academics and corporates) and non-FIG members, such as but not limited to sister associations, partners, press and other stakeholders in the international surveying and geospatial industry.

This privacy policy has been set up for FIG as to act in accordance with and be in line with the regulations as described in the ‘‘Act on processing of personal data from 2001’ (persondatalov)persondataloven jf. lov nr. 429 af 31. maj 2000’, which as of May 25th 2018 to has beenbe replaced by the ‘General Data Protection Regulation (GDPR)’.

Principles

FIG will treat personal data in a safe manner and respects the privacy of those involved. FIG commits to the following principles:

FIG ensures that personal data are collected and processed only for specific, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

Data minimisation

FIG processes only data that is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Storage period

Personal data will be kept no longer than is necessary. Keeping of personal data can be necessary for FIG to perform its core duties or to comply with legal obligations.

Integrity and confidentiality

Personal data are processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Sharing with third parties

Whenever FIG cooperates with external parties that involves the processing of personal data, FIG will make an agreement that clearly states the requirements that must be met for the transfer of this data. These agreements comply with privacy legislation.

Subsidiarity

While achieving the purpose for which the personal data are processed, the infringement of privacy will be limited as much as possible.

Proportionality

The breach of the interest of the data subject may not be disproportionate in relation to the purpose to be served.

The rights of data subjects

FIG honors all rights of those involved.

For more practical details regarding the implementation of our privacy policy, please also see our privacy regulations.

Contact us

If you have any questions about this privacy policy, please contact us.

Changes to provacy policy

We reserve the right to add to or amend this privacy policy at our sole discretion, without prior notice to you. Please review our privacy policy on a regular basis to make sure you have read the latest version and you understand what we do with your personal information. Your continued use of our services or our web sites following the posting of changes to these terms means that you consent to those changes.

This version of the privacy policy is effective as of 24 May 2018.

PRIVACY REGULATIONS FIG

May 2018

Data, including personal data plays an important role in the strategic Mission and day to day operations of FIG. As FIG is regarded as the global community for the international surveying and geospatial profession, and the long established recorder of data regarding the surveying profession, we strive to collect and provide meaningful data to our membership and build valuable personal connections between members of the surveying community. This community consists of FIG member organisations (associations, affiliates, academics and corporations) and non-FIG member organisations, such as sister associations, partners, press and other stakeholders in the international surveying and geospatial industry.

Our community relies on FIG’s careful and safe handling of data about surveying and the surveying industry, and particularly personal data. New technological developments, innovative facilities and globalisation impose different demands on the protection of data and privacy. Protecting privacy is complex, and is becoming more and more complex due to technological developments and new European legislation. That is why we think it is important to be transparent about the way in which we deal with personal data and to ensure that privacy policies protect the interests of all those whose data we process.

1.Legislation and important definitions

At present, each member state of the European Union has its own privacy legislation, based on the European directive of 1995. The ‘Act on processing of personal data from 2001’ (persondatalov) - regulates the legal framework for handling personal data in Denmark. The persondataloven will expire on 25 May 2018 and its successor, the European Regulation, the General Data Protection Regulation (GDPR) will come into effect; The GDPR builds on the persondatalov and, among other things, reinforces and extends the privacy rights with more responsibilities for organisations.

The following terms are used in the GDPR:

Person concerned: The person to whom the personal data relates. The person concerned is the person whose data is processed. The person concerned is also called ‘Data subject’.

Personal data: All data that concerns people and by which people can be identified as individuals. This not only concerns confidential data, such as a person's health, but any information that can be traced back to a specific person (for example, name, address, date of birth, etcetera). In addition to ordinary personal data, the law also defines special categories of personal data. These categories of data deal with sensitive topics, such as ethnic background, political preferences, religious or philosophical beliefs, genetic or biometric data, but also a natural person’s sexual orientation or his or her ID Number are regarded as special categories of personal data.

Controller: A natural or legal person, public authority, agency, organisation or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Processor: A natural or legal person, public authority, agency, organisation or other body which processes personal data on behalf of the controller.

 Processing: Processing is everything you do with personal data, such as: recording, storing, collecting, joining, providing to another, and destroying.

Data Protection Impact Assessment (DPIA): With a data protection impact assessment, the effects and risks of new or existing processing operations are assessed in view of safeguarding privacy. This is often the case when new technologies are introduced for the processing of (personal) data.

2. Scope

These regulations apply to all processing of personal data insofar as this is done by or on behalf of FIG and its staff and deal with all processes, all parts, objects and data collections. However, whenever FIG member organisations themselves process (personal) data, provided to them by FIG, the member organisations themselves become responsible for the processing of this data and should be regarded as ‘Controller’ under the privacy legislation.

FIG clearly communicates to its members that they are responsible for setting and managing their own privacy policies, including with regard to the processing of personal data, whatever the source.

3. Controller

FIG’s Council and Office are responsible for the processing carried out by or on behalf of FIG. FIG Office is responsible for setting and communicating policies and regulations.

4. Processing

According to GDPR, article 4, the processing of personal data is any action or set of actions with personal data, whether or not carried out via automated processes. FIG processes information for the following categories of data subjects:

FIG Members:
ordinary personal data, i.e name, business address details, business phone number, email address + job title of contact persons;
special category of data: photo

FIG non Members:
ordinary personal data, i.e. name, address details, phone number, email address + job title of contact persons

Registration Data FIG events:
ordinary personal data: i.e name, address details, phone number, email address + job title of persons; special category of data: photo, diets + special medical needs, events attended, papers presented

FIG elected, nominated or appointed Officials records:
ordinary personal data: Name, address, phone number, email, age, educational background, previous employment history
special category of data: photo, nominator (member)

FIG Staff records:
ordinary personal data: Name, address, phone number, email.
special category of personal data: date of birth, social security number, salary, pension, copy passport, appraisal records

In general, for FIG’s relationship with members, the primary rationale is “contract”. For non-members, the primary rationale is “legitimate interest”.

5. Transparency and Communication

5.1. Obligation to provide Information (Article 13, 14 GDPR):

FIG informs data subjects about the processing of their personal data whenever the data is directly obtained from the data subject itself (ref Article 13 GDPR). As an example, whenever people fill in a form on our website/-database a privacy statement will inform them as to what data is processed and with what purpose. The data subject is responsible for the accuracy of the data provided.

Where a member organisation provides FIG with personal data on their staff, delegates, representatives, this is governed by the contract between FIG and the member, and the member is responsible for informing their contact that their personal data has been provided to FIG.

When the personal data has been obtained indirectly from public records or other sources, contacts will normally be contacted during the regular data verification processes that FIG undertakes.

5.2. Deletion of data:

FIG only holds personal data for as long as is needed for the execution of its activities and tasks, and has clear policies for each category of personal data. If personal data is no longer needed for the appropriate function for which it is collected, it will be deleted in accordance with the relevant published timeframe.

5.3 Rights of Data Subjects

FIG ensures that the rights of data subjects are fully respected. These rights are the following:

5.3.1. Right to information: Data subjects have the right to ask FIG if their personal data are processed.

5.3.2. Right to request access to their personal data: The possibility to check if, and in what way, their personal data are processed.

5.3.3. Right to request rectification/correction: If it becomes clear that the data of the data subject is not correct, the person concerned can submit a request to FIG to correct this.

5.3 4. Right to request erasure of personal data (‘right to be forgotten’): -if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; -the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;

5.3.5. Right to restriction of processing: There may be certain situations where the data subject can ask to temporarily not process (but ‘lock’) his or her personal data until a certain problem or objection has been resolved. FIG is not aware of any type of processing/situations to which this restriction would be applicable.

5.3.6. Right to data portability: Personnel data will be provided to staff on leaving FIG, on request. Other data is a copy of publicly available data, and portability is not normally relevant. Electronic versions of a person’s records will be made available upon request.

5.3.7. Right to object: The data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), GDPR including profiling based on those provisions. The controller/FIG shall no longer process the personal data unless the controller/FIG demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

Additional rights

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
(Article 21.3, GDPR): Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

Data subjects have the right for their contact details to be suppressed within the FIG database, but the data on the event itself cannot be deleted.

Data subjects have the right to request that FIG provides detailed information on the data held on them. FIG will provide detailed data in response to any such request no later than 30 days after the request is made. FIG will correct any inaccurate personal data no later than 14 days after being notified of the inaccuracy.

6. Automated Processing

FIG does not currently carry out any automated processing of personal data.

6.1 Profiling

FIG does not currently conduct automated profiling of data subjects.

6.2. Big Data and Tracking

FIG does not conduct Big Data tracking at the current time with relation to the personal contacts in its membership or on its databases.

Data minimisation
FIG processes personal data that are minimally required for reaching the predetermined goal. FIG aims at keeping the processing of personal data to a minimum.

Email-, website- and application tracking
Tracking Technologies such as: cookies, tags and scripts are used by FIG and our analytics and server providers to track usage of our emails, websites and applications. We may receive reports based on the use of these technologies on an individual as well as aggregated basis.

7. Duties

7.1. Registry of Activities

FIG maintains a record of processing activities which are undertaken under FIG’s responsibility. FIG keeps this record for the event that the Danish Authorities wishes to check our activities.

7.2 Data breach

FIG will report to the Danish Authority whenever it becomes aware of a breach that involves personal data, in accordance with the statutory timing of such reports. In addition, FIG will take any other action that it deems necessary to resolve the issue and fulfil its legal obligations.

8. Social Media Protocol

FIG uses social media to engage and interact with its target groups. Consent and data use of personal information shared on social media is covered by the terms and conditions and privacy notices of the social media software tools.
FIG does not store social media-derived personal data out of the tools in its CRM system. FIG does store social media accounts of FIG members in the CRM, if submitted by the FIG member and/or if this account information is publicly available. Social media accounts of FIG members are published in FIG’s membership directory with the consent of FIG members.

8.1 How to deal with personal data

FIG does not process personal data derived from social media profiles; only links to profiles are processed, where these are shared by contacts.

8.2. Photography and video material

Pictures taken at FIG Events (including FIG activities at tradeshows) are published on social media and could be reproduced in FIG Annual Review, publications, news or promotional material, whether in print, electronic or other media, including the FIG websites.
 FIG reserves the right to crop, splice, treat and edit any imagery or photographs taken at FIG events. The Participant waives the right to inspect or approve the finished product, including written or electronic copy. Additionally, all rights to royalties or other compensation arising or related to use of the name, photograph or biography are waived by the Participant, Participant’s agents or employees. All photographs and video materials taken at FIG events become the property of FIG. FIG related material may not be photographed, drawn, copied or reproduced without FIG’s written permission.

8.3. Separation of business and private data

FIG only processes business-related personal data. There is no private data collected, so no requirement for separation of the two categories.

9. Intranet protocol

FIG’s internal communication processes are subject to guidelines set out in the House Rules, which are in compliance with GDPR requirements.

If you want to know more about our privacy and security policy, or have any complaints about it, please contact
FIG@fig.net.