Effective June 5, 2018
In general, any information and data that you provide to the CSA over the Website, or which is otherwise gathered via the Website by the CSA, in the context of the use of the CSA’s services, or that is gathered from email correspondence, from or about registrants or attendees at events, or through interactions with CSA representatives (“Services”) as better defined in Section 3 below, will be processed by the CSA in a lawful, fair and transparent manner. To this end, and as further described below, the CSA takes into consideration internationally recognised principles governing the processing of personal data, such as purpose limitation, storage limitation, data minimisation, data quality and confidentiality.
1. Data controller and Office of Data Protection
To get in touch with CSA’s Office of Data Protection, please contact [email protected].
2. Personal Data processed
When you use the Website or the Services, the CSA will collect and process information regarding you (as an individual) which allows you to be identified either by itself, or together with other information that has been collected. The CSA may also be able to collect and process information regarding other persons in this same manner, if you choose to provide it to the CSA.
This information may be classified as “Personal Data” and can be collected by the CSA both when you choose to provide it (e.g., when you fill out a form to download a research working paper, or request other Services provided by the CSA over the Website or otherwise) or simply by analysing your behavior on the Website or the Services that you request.
Personal Data that can be processed by the CSA through the Website or in connection with the Services are as follows:
a. Name, contact details and other Personal Data
In various sections of the Website – including, in particular, if you request to join one of the CSA’s research working groups, download certain research reports or create an account on the Website (where available) – you will be asked to submit information about yourself, such as your name, e-mail address, phone number, billing address and organisation.
When requesting Services for which payment is required (such as the purchasing of tokens for the CCSK exam or a license to use the STARWatch application), you will be asked to provide information on the payment card and bank account used – this information will be collected and processed by an external payment processor and will not be accessed or stored by the CSA.
In addition, whenever you communicate with the CSA via forms available on the Website (such as the “Contact Us” form provided for Membership inquiries), or by means of the contact details displayed in the “Contact” section of the Website, or when you visit with us at events, the CSA may collect additional information on you which you choose to provide.
b. Special categories of Personal Data
Certain areas of the Website include free text fields, where you can write messages to the CSA, or otherwise allow you to post various types of content on the Website, which may contain Personal Data.
Where these fields are completely free, you may use them to disclose (inadvertently or not) more sensitive categories of Personal Data, such as data revealing your racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. The content you upload in these fields may also (inadvertently or not) include other types of sensitive information relating to you, such as your genetic data, biometric data or data concerning your health, sex life or sexual orientation.
The CSA asks that you do not disclose any sensitive Personal Data on the Website, unless you consider this to be strictly necessary. The CSA requires your explicit consent to process this sort of Personal Data (which can be provided, e.g., by declaring that you “explicitly consent to the processing of special categories of personal data, as necessary to comply with my request” in messages you send to the CSA).
c. Other persons’ Personal Data
As mentioned in the previous section, certain areas of the Website include free text fields where you can write messages to the CSA or otherwise allow you to post various types of content on the Website. These messages and content may (inadvertently or not) include Personal Data related to other persons.
In any situation where you decide to share Personal Data related to other persons, you will be considered as an independent data controller regarding that Personal Data and must assume all inherent legal obligations and responsibilities. This means, among other things, that you must fully indemnify the CSA against any complaints, claims or demands for compensation for damages that may arise from the processing of this Personal Data, brought by the third parties whose information you provide through the Website.
As the CSA does not collect this information directly from these third parties (but rather collects it, indirectly, from you), you must make sure that you have these third parties’ consent before providing any information regarding them to the CSA; if not, then you must make sure there are some other appropriate grounds on which you can rely to lawfully give the CSA this information.
d. Browsing data
The Website’s operation, as is standard with any websites on the Internet, involves the use of computer systems and software procedures, which collect information about the Website’s users as part of their routine operation. While the CSA does not collect this information in order to link it to specific users, it is still possible to identify those users either directly via that information, or by using other information collected – as such, this information must also be considered Personal Data.
This information includes several parameters related to your operating system and IT environment, including your IP address, location (country), the domain names of your computer, the URI (Uniform Resource Identifier) addresses of resources you request on the Website, the time of requests made, the method used to submit requests to the server, the dimensions of the file obtained in response to a request, the numerical code indicating the status of the response sent by the server (successful, error, etc.), and so on.
These data are used to compile statistical information on the use of the Website, as well as to ensure its correct operation and identify any faults and/or abuse of the Website. Save for this last purpose, these data are not kept for more than 7 business days.
- Definitions, characteristics, and application of standards
Cookies are small text files that may be sent to and registered on your computer by the websites you visit, to then be re-sent to those same sites when you visit them again. It is thanks to these cookies that those websites can “remember” your actions and preferences (e.g., login data, language, font size, other display settings, etc.), so that you do not need to configure them again when you next visit the website, or when you change pages within a website.
When browsing a website, you may also receive cookies from websites or web servers other than the website being visited (i.e., “third-party cookies”).
There are various types of cookies, depending on their characteristics and functions, that may be stored on your computer for different periods of time: “session cookies”, which are automatically deleted when you close your browser, and “persistent cookies”, which will remain on your device until their pre-set expiration period passes.
According to the law that may be applicable to you, your consent may not always be necessary for cookies to be used on a website. In particular, “technical cookies” – i.e. cookies that are only used to send messages through an electronic communications network, or that are needed to provide services you request – typically do not require this consent. This includes browsing or session cookies (used to allow users to login) and function cookies (used to remember choices made by a user when accessing the website, such as language or products selected for purchase).
On the other hand, “profiling cookies” – i.e., cookies used to create profiles on users and to send advertising messages in line with the preferences revealed by users while browsing websites – typically require specific consent from users, although this may vary according to the applicable law.
- Types of cookies used by the Website
The Website uses the following types of cookies:
- Browsing or session cookies, which are strictly necessary for the Website’s operation, and/or to allow you to use the Website’s content and Services.
- Analytics cookies, which allow the CSA to understand how users make use of the Website, and to track traffic to and from the Website.
- Function cookies, which are used to activate specific Website functions and to configure the Website according to your choices (e.g., language), in order to improve your experience.
- Profiling cookies, which are used to observe the preferences you reveal through your use of the Website and to send you advertising messages in line with those preferences.
The CSA also uses third-party cookies – i.e. cookies from websites / web servers other than the Website, owned by third parties. These third parties will either act as independent data controllers from the CSA regarding their own cookies (using the data they collect for their own purposes and under terms defined by them) or as data processors for the CSA (processing personal data on the CSA’s behalf). For further information on how these third parties may use your information, please refer to their privacy policies:
- Cookies present on the Website
In detail, the first-party cookies present on the Website are as follows:
|Technical Name||Cookie Type, Function and Purpose||Duration|
|CSA||https://cloudsecurityalliance.org and https://csacongress.org. Function cookies: Identifying information saved from form fields when user:|| |
|csa_cn_hide||Function cookie: Used to hide the cookie consent notification once the user has accepted cookies, so that the user is not asked again for 30 days.||30 days|
|_csa||https://star.watch and https://ccsk.cloudsecurityalliance.org. Function cookies: Temporary session identifier.||Same as the session.|
| ||Function cookies: Temporary session identifier.||Same as the session.|
You can block or delete cookies used on the Website via your browser options. Your cookie preferences will be reset if different browsers are used to access the Website. For more information on how to set the preferences for cookies via your browser, please refer to the following instructions:
You may also set your preferences on third-party cookies by using online platforms such as AdChoice and the Network Advertising Initiative http://www.networkadvertising.org/choices/.
CAUTION: If you block or delete technical and/or function cookies used by the Website, the Website may become impossible to browse, certain services or functions of the Website may become unavailable or other malfunctions may occur. In this case, you may have to modify or manually enter some information or preferences every time you visit the Website.
The CSA uses Google Analytics on the Website. This is a tool developed by Google and used to collect information that permits evaluation of the use of the Website, analysis of your behaviour and improvement of your experience with the Website. You can obtain more information about how to opt out of Google Analytics at: https://tools.google.com/dlpage/gaoptout.
3. Purposes of processing
The CSA intends to use your Personal Data, collected through the Website, for the following purposes:
- To allow you to create and maintain a registered user account, verify your identity and assist you in case you lose or forget your login / password details, respond to your inquiries, submit entries to the STAR Registry, acquire a STARWatch license (or request a trial), allow you to sign up in order to contribute to CSA research working groups and download CSA research artefacts, to finalise purchase orders and deliver any other Services that you may request (“Service Provision”);
- For future marketing, promotional and publicity purposes, including to carry out direct marketing, market research and surveys, via e-mail, SMS, over the phone, through push notifications / pop-up banners, instant messaging, through an operator, through the CSA’s official social media pages, regarding the CSA’s products and services, as well as those of selected third parties (sponsors and CSA corporate members) (“Marketing”);
- For future marketing, promotional and publicity purposes, by sending you direct e-mail marketing communications regarding products and services provided by the CSA and which are identical or similar to those you have previously purchased or requested via the Website (“Soft Opt-In Marketing”);
- To create a profile of you as a Website user, through the use of profiling cookies and by collecting and analysing information on the preferences you select and choices you make in the Website, as well as your general activities on the Website. This profile will be used to give you information about other websites / Services that the CSA believes you may be interested in, and to show you information and advertisements that may be relevant to you and your interests. All algorithms involved in this processing are regularly tested, to ensure the processing’s fairness and control for bias (“Profiling”);
- For compliance with laws that impose upon the CSA the collection and/or further processing of certain kinds of Personal Data (“Compliance”);
- For development and administration of the Website or our Services, in particular by use of data analytics regarding how you and other users make use of the Website, as well as the information and feedback you provide, in order to improve the CSA’s offerings and troubleshoot any technical issues which may arise in connection with the use of the Website or Services (“Analytics”);
- To prevent and detect any misuse of the Website or Services, or any fraudulent activities carried out through the Website or Services (“Misuse/Fraud”).
4. Grounds for processing and mandatory / discretionary nature of processing
The grounds on which the CSA relies to process your Personal Data, according to the purposes identified in Section 3, are as follows:
- Service Provision: processing for these purposes is necessary to provide the Services and, therefore, is necessary to address a request made by you, to perform a contract entered into with you or to take steps prior to entering into a contract with you. It is not mandatory for you to give the CSA your Personal Data for these purposes; however, if you do not, the CSA will not be able to provide certain Services to you over the Website or otherwise.
- Marketing: processing for these purposes is based on your consent. It is not mandatory for you to give consent to the CSA for use of your Personal Data for these purposes, and you will suffer no consequence if you choose not to give it (aside from not being able to receive further marketing communications from the CSA). Any consent given may also be withdrawn at a later stage (please see Section 8 for more information).
- Soft Opt-In Marketing: processing for these purposes is based on the CSA’s interest in sending you direct e-mail marketing communications regarding products and services provided by the CSA and which are identical or similar to those you have previously purchased or requested through the Website or otherwise. You can opt-out of these communications when you provide your information to the CSA, as well as block these communications subsequently, and you will suffer no consequence if you do so (aside from not being able to receive further communications from the CSA) (please see Section 8 for more information).
- Profiling: processing for this purpose is based on your consent, collected by means of the cookie pop-up banner and/or a specific tick box. It is not mandatory for you to give consent to the CSA for use of your Personal Data for this purpose, and you will suffer no consequence if you choose not to (aside from not being able to benefit from greater personalisation of your user experience regarding the Website). Any consent given may also be withdrawn at a later stage (please see Section 8 for more information).
- Compliance: processing for this purpose is necessary for the CSA to comply with its legal obligations. When you provide any Personal Data to the CSA, the CSA must process it in accordance with the laws applicable to it, which may include retaining and reporting your Personal Data to official authorities for compliance with tax, customs or other legal obligations.
- Analytics: processing for this purpose is based on the CSA’s interest in understanding the performance of Services provided over the Website and improving the Website accordingly, with the aim to provide a better user experience, as well as to troubleshoot any technical issues which users may encounter on the Website.
- Misuse/Fraud: processing for this purpose is based on the CSA’s interest in preventing and detecting fraudulent activities or misuse of the Website (for potentially criminal purposes).
5. Recipients of Personal Data
Your Personal Data may be shared with the following list of persons / entities (“Recipients”):
- Sponsors and selected CSA Corporate Members, where you provide consent for your Personal Data to be used for third-party marketing purposes;
- Persons, companies or professional firms providing the CSA with advice and consultancy regarding accounting, administrative, legal, tax, financial and debt collection matters related to the provision of the Services and which act typically as data processors on behalf of the CSA;
- Entities engaged in order to provide the Services (e.g., hosting providers or e-mail platform providers, event organizers);
- Persons authorised to perform technical maintenance (including maintenance of network equipment and electronic communications networks);
- Persons authorised by the CSA to process Personal Data needed to carry out activities strictly related to the provision of the Services, who have undertaken an obligation of confidentiality or are subject to an appropriate legal obligation of confidentiality (e.g., employees or contractors working for the CSA);
- Other entities within the CSA for internal administrative purposes, including the processing of Personal Data on users making inquiries, customers and Working Group volunteers; and
- Public entities, bodies or authorities to whom your Personal Data may be disclosed, in accordance with the applicable law or binding orders of those entities, bodies or authorities;
- Our payment processing service provider (“BrainTree Payments,” a PayPal service). All credit card information and other customer details that are required to process credit card payments are collected directly by our payment processing service provider, in accordance with its data handling practices (see https://www.paypal.com/us/webapps/mpp/ua/privacy-full).
6. Transfers of Personal Data
Considering the CSA’s worldwide presence and business operations, your Personal Data may be transferred to Recipients located in several different countries. The CSA implements appropriate safeguards to ensure the lawfulness and security of these Personal Data transfers, such as by relying on adequacy decisions from the European Commission, standard data protection clauses adopted by the European Commission, or other safeguards or conditions considered adequate to the transfer at hand.
More information on these transfers is available upon written request to the CSA at the following address: [email protected].
7. Retention of Personal Data
Personal Data processed for Service Provision will be kept by the CSA for the period deemed strictly necessary to fulfil such purposes – in any case, as this Personal Data is processed for the provision of the Services, the CSA may continue to store this Personal Data for a longer period, as may be necessary to protect the CSA’s interests related to potential liability related to the provision of the Services.
Personal Data processed for Marketing and Profiling will be kept by the CSA from the moment you give consent (if any) until it is withdrawn. Where it is not withdrawn. Once consent is withdrawn (or not given, following a renewal), Personal Data will no longer be used for these purposes, although it may still be kept by the CSA, in particular as may be necessary to protect the CSA’s interests related to potential liability related to this processing.
Personal Data processed for Soft Opt-In Marketing will be kept by the CSA from the moment where you provide it to the CSA (in the context of purchases or requests made via the Website or otherwise) until you object to this processing. Once you have objected, Personal Data will no longer be used for these purposes, although it may still be kept by the CSA, in particular, as may be necessary to protect the CSA’s interests related to potential liability related to this processing.
Personal Data processed for Compliance will be kept by the CSA for the period required by the specific legal obligation or by the applicable law.
Personal Data processed for preventing Misuse/Fraud, as well as for Analytics, will be kept by the CSA for as long as deemed strictly necessary to fulfil the purposes for which it was collected, unless you validly object to the processing of your Personal Data for these purposes (please see Section 8 for further information).
8. Data subjects’ rights
As a data subject, you are entitled to exercise the following rights before the CSA, at any time:
- Access your Personal Data being processed by the CSA (and/or a copy of that Personal Data), as well as information on the processing of your Personal Data;
- Correct or update your Personal Data processed by the CSA, where it may be inaccurate or incomplete;
- Request erasure of your Personal Data being processed by the CSA, where you feel that the processing is unnecessary or otherwise unlawful;
- Request the restriction of the processing of your Personal Data, where you feel that the Personal Data processed is inaccurate, unnecessary or unlawfully processed, or where you have objected to the processing;
- Exercise your right to portability: the right to obtain a copy of your Personal Data provided to the CSA, in a structured, commonly used and machine-readable format, as well as the transmission of that Personal Data to another data controller;
- Object to the processing of your Personal Data, based on relevant grounds related to your particular situation, which you believe must prevent the CSA from processing your Personal Data (for Misuse/Fraud or Analytics);
- Object to the processing of your Personal Data for Soft Opt-In Marketing; or
- Withdraw your consent to processing (for Marketing and Profiling).
Please note that most of the Personal Data you provide to the CSA can be changed at any time, including your e-mail preferences, by accessing, where applicable, your user profile created on the Website.
When requesting Services via the Website, you may have selected one or more means of communication through which Personal Data processing for Marketing purposes may be carried out (e.g., phone, SMS, email, mail, social media). You may withdraw your consent to this processing for all selected means of communication, or you can choose to block specific means only (e.g., if you only withdraw consent for SMS marketing communications, you will not receive further communications via SMS, but may continue to receive them via e-mail), by means of your user profile created on the Website, where applicable.
You can also withdraw consent for Marketing (for communications received via e-mail) or object to Soft Opt-In Marketing by selecting the appropriate link included at the bottom of every marketing e-mail message received. The same applies to communications you may receive by subscribing to the CSA Announcements Mailing List.
Consent for Profiling carried out by cookies may be withdrawn as described in Section 2(f). Where consent for Profiling was given via a specific tick box, you may withdraw this consent by changing your preferences, at any time, within your user profile created on the Website, where applicable.
Aside from the above means, you can always exercise your rights described above by sending a written request to the CSA at the following address: [email protected].
In any case, please note that, as a data subject, you are entitled to file a complaint with the competent supervisory authorities for the protection of Personal Data, if you believe that the processing of your Personal Data carried out through the Website is unlawful.
9. Rights of California Residents
California requires operators of websites or similar services to make certain disclosures to users who reside in California regarding their rights, specifically:
Shine the Light
Under California law, a business that has an established business relationship with an individual, and has, within the immediately preceding calendar year, disclosed personal data that is primarily used for personal, family or household purposes to a third party for the third party’s direct marketing purposes, must disclose to its California users, upon request, the identity of any such third party, along with the type of personal data disclosed.
You can contact us as provided in the “How to Contact Us” section. Please note that under California law, businesses are only required to respond to a user’s request once during any calendar year.
Some browsers give individuals the ability to communicate that they wish not to be tracked while browsing on the Internet. California law requires that we disclose to users how we treat do-not-track requests. The Internet industry has not yet agreed on a definition of what “Do Not Track” means, how compliance with “Do Not Track” would be measured or evaluated, or a common approach to responding to a “Do Not Track” signal. Due to the lack of guidance, we have not yet developed features that would recognize or respond to browser-initiated Do Not Track signals in response to California law.
In the meantime, there are technical means to prevent some of the tracking, if any. See Section “Your Advertising Choices.”