The compliance date for GDPR is May 25, 2018. As ASTA learns more about the intentions and requirements of this legislation, we may adjust our positions in this statement. We will keep all posted versions of this statement current on the ASTA website.
ASTA has four processor systems which contain and utilize the personal contact information of ASTA members, event participants, colleagues doing business with ASTA, and prospects for any of these three groups. One system, called NetForum Pro, is the ASTA membership database, provided by the company Community Brands; the second, a2z, is the exhibitor database, where exhibit and appointment table registration is handled; the third, iContact, is the digital marketing software utilized for the ASTA newsletter, ASTA event promotions and other member/event participant alerts, such as trade leads; and the fourth, BadgeOnDemand, is a service provided by the company Expo Logic to print badges on-site at ASTA events and provide a bar code that is scanned on participants’ badges to track session attendance. For AST’s CSS & Seed Expo event in Chicago, a fifth service called eventBit, offered by the company Experient, uses beacon technology, by virtue of a transmitter tile on the back of participants’ badges, to track the locations where registrants are engaged in event activity areas only during the event and how long they stay, including the demographics of that registrant. This data is utilized by ASTA show management, and shared with exhibitors for “hub” readers near their own exhibit space, to measure the interest levels of attendees and plan for future events. Additionally, ASTA on rare occasions uses a technology provider called Survey Monkey to ask for basic contact information within online surveys for the purpose of data consent forms or for identification of survey respondents for prize giveaways, within evaluation surveys on ASTA events and services (however most survey responses are collected anonymously and can be kept anonymous at the respondent’s discretion). Each processor, Community Brands, a2z, iContact, ExpoLogic, Experient and Survey Monkey have provided their privacy policy and GDPR compliance documentation to ASTA to ensure the full protection of privacy, and voluntary opt-in/opt-out processes, for thie member and event participant data. The ASTA staff has access to these applications via a secure and unique login for each ASTA staff member. These services are brower-based applications, accessible via the internet. The general public who would like to consume event data presented by ASTA via these tools can access the data via their own secure login, in the case of NetForum Pro; by viewing the posted exhibitor information on ASTA exhibit and conference programs, or by secure login for exhibitor company contacts, in the case of a2z; and by receiving the marketing and promotional emails, in the case of iContact, which each individual has requested a subscription to and can be unsubscribed from at any time. Event participants who are either scanned, using ExpoLogic, or tracked, using eventBit, at ASTA events have voluntarily provided their data in each instance. Additionally, event participants have the option to opt out of such tracking technology if they so choose, at each ASTA event site.
The list of stored data fields includes, but are not limited to: name, email, title, employer, address, phone number, business role, crop focus area, years in the seed industry, event supplier categories that most interest them, ASTA strategic issues that most interest them, event participation history, and user ID. ASTA does not collect not store sensitive information, such as social security number, date of birth, driver’s license number, race/ethnicity, religious or philosophical beliefs, health/medical information, political beliefs, sexual orientation, genetic data, biometric data, nor trade union membership for any individual.
GDPR Chapter II states 7 major principles of the requirement. ASTA’s response to these principles are as follows:
According to GDPR, ASTA is a data controller. As such, ASTA provides required and transparent “opt-in” language and check boxes requiring manual action on the forms an individual completes when applying to become a registered attendee, exhibitor or speaker; or for the general public who would like to log in to access the ASTA website’s members-only information. If at any time the individual would like a report on how or when their data was accessed, that can be provided by ASTA. If an individual requests to be deleted from the data set, that individual can request ASTA take anonymization procedures, or be removed entirely. ASTA has a standard practice for anonymization of user data by request and specifically related to GDPR, so that historical data on event participation and years of membership can still be maintained.
ASTA collects data only to improve the member or event participant experience in near and long-term future and to serve and support its membership, registration and marketing operations. ASTA has no reason to believe that anyone would object to any of its data practices.
The data that ASTA members, exhibitors, speakers, event participants and members of the general public who have voluntary interactions with ASTA will only be available to the ASTA staff and visitors to their websites in accordance with the purpose limitations decided on in Principle 2.
ASTA staff have complete control over the accuracy of the data. When the user edits their information on the ASTA processor online forms, they have complete control over the accuracy of their data. If inaccuracies are found, in many cases, the user can update this information themselves. If, for any reason, they are unable to do so, ASTA will be able to access their record and make the edits.
For historical purposes and comparison of year over year participation in ASTA membership and events, ASTA can store personal data as long as an individual would like to keep it. Keeping several years’ data is important for business comparisons. Printable registration forms containing credit card information for conference registrants are destroyed within one month of the close of the event. Event websites will only be available to the public for approximately one month after the event.
ASTA’s data processors are secured and accessed with TLS 1.2 and all financial transactions are PCI Compliant. ASTA also limits availability of event registration data to other registrants, behind a secure login. These measures were already enhanced in 2017 with individual privacy in mind, as GDPR now requires. ASTA does not sell or provide unauthorized access to any data that it has.
The nature of the association and events business doesn’t naturally lend itself to anonymity. Attendees and exhibitors are participating because they want to be seen, and speakers are participating because they want to be heard. With security in mind, ASTA only exposes the data that is pertinent to member and participant business concerns, to foster education and networking.
According to Article 37 of the act, ASTA does not feel that our processing operations are large enough to require a Data Protection Officer. In accordance with Article 35, ASTA will notify clients of any data breach without undue delay.
ASTA does not collect nor store information on minors as a general rule. In the case of a conference registration, a minor will have only their first and last name stored in the ASTA registration data history, as minors are registered only as sub-registrants of a primary delegate registration. Only the primary delegate registration includes the full contact information for said delegate. Likewise, spouse registrations for ASTA events are also sub-records under the primary delegate’s registration record.
ASTA will notify individuals affected by any known data breach within 72 hours of its awareness of such a breach.
Any individual who wishes to have their data deleted may email your request to info@firsttheseedfoundation.org to request your profile to be forgotten. All personally identifiable information (PII) data will be removed from your profile in 30 business days following the request.
If you have questions about this document, please contact us at 703-837-8140.