Privacy Policy

This Policy applies to all processing of personal data carried out in connection with registration for, payment for, admission to, and the general operation of the Event.

For the purposes of this Policy, the “controller” determining the purposes and means of the processing (Article 4(7) GDPR) is the Organiser, whose point of contact is contact@jsc-amsterdam.nl.

Through the registration form, the Organiser collects the Data Subject’s name, email address, number of attendees, student or non-student status, the name of the higher-education institution at which the Data Subject is enrolled (only where the Data Subject indicates that they are a student), confirmation that the Data Subject is 18 years of age or older, and information concerning how the Data Subject came to learn of the Event.

In connection with use of the Site, the Organiser may automatically collect technical information such as access logs, IP address, date and time of access, and information relating to the browser and device, by means of the Site’s hosting provider.

Payment information (including card number, expiry date and security code) is processed by the payment service provider referred to in Article 7; the Organiser does not collect or retain such information.

The Organiser collects personal data by means of the Data Subject’s own entry and submission of the registration form on the Site, or by means automatically generated through use of the Site.

The Organiser shall not collect personal data by unlawful means or without the Data Subject’s consent.

The Organiser uses the personal data collected for the purposes of: (1) receiving and managing registrations for the Event; (2) issuing and dispatching the QR-code entry ticket; (3) communicating in relation to the Event (including notices of any change, postponement or cancellation); (4) managing admission and headcount on the day; (5) accounting and responding to enquiries; (6) producing statistical information and improving the planning and operation of future events; and (7) complying with legal obligations.

The Organiser shall not process personal data beyond the extent necessary to achieve the purposes set out in the preceding paragraph. Where the Organiser changes the purposes of processing, it shall do so only to the extent that the changed purposes bear a reasonable connection to the original purposes, and shall, where necessary, notify the Data Subject or publish such change on the Site.

The Organiser processes personal data on one or more of the following legal bases: (1) performance of a contract with the Data Subject (the provision of the ticket) (Article 6(1)(b) GDPR); (2) the consent of the Data Subject (Article 6(1)(a)); (3) compliance with a legal obligation (Article 6(1)(c)); and (4) the legitimate interests of the Organiser in operating the Event safely and smoothly (Article 6(1)(f)).

Personal data collected by the Organiser is recorded in, and stored on a continuing basis within, a database managed by the Organiser or by a cloud provider engaged by the Organiser. Such personal data is not automatically erased following the conclusion of the Event but shall continue to be stored in that database until one of the events described below occurs.

The Organiser retains personal data for: (1) the period necessary to achieve the purposes of processing; (2) the period for which retention of records is required under accounting, tax or other applicable law; and (3) the period necessary for the Organiser’s legitimate interests, including communications relating to the Organiser’s future events.

Notwithstanding the foregoing, where a Data Subject requests erasure pursuant to Article 11 and the Organiser is obliged to comply, the Organiser shall, save for information which it is required by law to retain, erase or irreversibly anonymise the relevant personal data without undue delay.

To the extent necessary to achieve the purposes of processing, the Organiser may entrust all or part of the handling of personal data to, or provide personal data to, a payment service provider (Stripe), an email delivery provider, and providers of hosting and database services (including Google LLC and Firebase). Such recipients shall process personal data as processors within the meaning of Article 28 GDPR, in accordance with the Organiser’s instructions.

Save where required by law or where necessary to protect the life, body or property of a Data Subject, the Organiser shall not provide personal data to any third party other than as set out in the preceding paragraph without the prior consent of the Data Subject. The Organiser shall not, under any circumstances, sell personal data.

In connection with processing by the recipients referred to in the preceding Article, personal data may be transferred to a country or territory outside the European Economic Area (EEA). The Organiser shall endeavour to ensure that any such transfer is subject to appropriate safeguards as provided in Chapter V of the GDPR, such as an adequacy decision or Standard Contractual Clauses.

The Organiser shall implement reasonable technical and organisational measures, including access controls and encryption of communications, in order to prevent the leakage, loss or damage of personal data and otherwise to ensure its security.

Where the Organiser entrusts all or part of the handling of personal data to a processor, it shall require that processor to implement security measures equivalent to those set out in this Policy.

The Organiser does not make decisions based solely on automated processing (including profiling) that produce legal effects concerning the Data Subject or that similarly significantly affect the Data Subject.

In accordance with the GDPR, the Data Subject has the right, in respect of their own personal data, to: (1) access (Article 15); (2) rectification (Article 16); (3) erasure (Article 17, the so-called “right to be forgotten”); (4) restriction of processing (Article 18); (5) object to processing (Article 21); (6) data portability (Article 20); and (7) withdraw consent in respect of processing based on consent (Article 7(3)).

Where a Data Subject wishes to exercise any of the foregoing rights, they shall submit a request to contact@jsc-amsterdam.nl. The Organiser shall, having verified the identity of the requester, respond without undue delay in accordance with applicable law. The withdrawal of consent shall not affect the lawfulness of processing carried out prior to such withdrawal.

The Data Subject has the right to lodge a complaint concerning the handling of personal data with the supervisory authority having jurisdiction over their location (in the Netherlands, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens)).

The Event is intended for persons aged 18 or older. The Organiser requires confirmation, upon registration, that the registrant is 18 years of age or older, and does not knowingly collect the personal data of persons under 18.

The Site uses cookies and similar technologies only to the minimum extent necessary for the provision of the Site, such as remembering the display language. The Site does not engage in tracking for advertising purposes.

The Organiser may amend this Policy in response to changes in law or operational requirements. The amended Policy shall take effect from the time it is posted on the Site, and where material changes are made, the Organiser shall endeavour to notify Data Subjects by reasonable means.

Any enquiries concerning this Policy or the handling of personal data, and any request to exercise the rights set out in Article 11, should be addressed to contact@jsc-amsterdam.nl.