Privacy Notice
Introduction
At IPFA, we are committed to safeguarding the privacy of our website visitors and service users. This policy applies where we are acting as a data controller with respect to the personal data of our website visitors and service users; in other words, where we determine the purposes and means of the processing of that personal data. Further details about how we process personal data can be found throughout this statement. The IPFA is referred to as “we”, “us”, “our” / “I” throughout this privacy statement.
Our company contact details
IPFA is the trading name of The Project Finance Association.
Company registration: IPFA is registered in England and Wales under registration number 3592310
Address: our registered office and principle place of business is at 38 Chancery Lane, London WC2A 1EN
Phone number: on +44 (0)207 427 0900 from 9 am – 6 pm GMT
Email: [email protected]
Amendments
We may update this policy from time to time by publishing a new version on our website. You should check this page occasionally to ensure you are happy with any changes to this policy. Where we make changes to this policy, we will take reasonable steps to notify you, including by email.
This policy was last updated in December 2023.
How we use Personal Data
The following section outlines how we process personal data – including members, employees etc. A high-level overview of how we use personal data is outlined here. Full details – including our lawful basis and how long we keep your information can be found in the ‘Your Personal Data’ section below.
We use cookies on our website. Insofar as those cookies are not strictly necessary for the provision of our website and services, we will ask you to consent to our use of cookies when you first visit our website. This website is owned and operated by Plug and Play Design Ltd.
Our website incorporates privacy controls which affect how we will process your personal data. By using the privacy controls, you can specify whether you would like to receive updates about IPFA activities via direct marketing communications. You can access the privacy controls via the My IPFA Dashboard (navigate to ‘Edit Mailing Preferences’ when website user is logged in).
We may process data about your use of our website and services (“usage data“). The usage data may include your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your service use. The source of the usage data is our analytics tracking system. This usage data may be processed for the purposes of analysing the use of the website and services. The legal basis for this processing is our legitimate interests, namely monitoring and improving our website and services.
We may process your personal data that are provided in the course of the use of our services (“service data“). The service data may include your name, job title or role, employment details, email address, telephone number, address, and information contained in communications between us. The service data may be processed for the purposes of:
- providing our services and operating our website
- communicating with you
- notify you of changes to our services
- sending you communications which you have requested and that may be of interest
- ensuring the security of our website and services
- maintaining back-ups of our databases
The legal basis for this processing is outlined in the ‘Your Personal Data’ section of this policy and is namely carried out for the proper administration of our website and IPFA business.
We may process information relating to transactions, including purchases of services, that you enter into with us or through our website or over the phone. Your card information is not held by us, it is collected by our third-party payment processors, who specialise in the secure online capture and processing of credit/debit card transactions etc.
In addition to the specific purposes for which we may process your personal data set out in this section, we may also process any of your personal data where such processing is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
Your Personal Data
Under the GDPR, the IPFA must be transparent about the data we collect, about whom and why we need it. Details of what personal data we collect, about whom, why we collect it, how we use it, the lawful basis, and where appropriate, the condition for processing can be found in the following section. Where we rely on consent as a lawful basis, you have the right to withdraw your consent at any time and can do this by contacting us at [email protected] or by clicking the unsubscribe link in email communications.
Full details about how we process your data can be found in the section below.
Members – Private Sector, Honorary/Affiliate and complementary
Data captured: Name, organisation name, telephone number, email address, organisation/billing address, Username, password, Region (e.g. location/country information), payment details (card details), Signature, date of signature
Data sharing: Branch Councils, Chairs & FLN Committees so that they can understand the membership. Full details can be found in the ‘Who we share your data with section’ of this policy.
| Purpose for processing | Lawful Basis | How long is the data kept for? |
| Main contact, admin contact, and billing contacts | ||
| To administer corporate membership of IPFA | Legitimate Interest | 10 years after inactivity |
| To confirm eligibility for membership (Honorary only) | Legitimate Interest | 10 years after inactivity |
| To identify the main contact for the corporate membership. | Legitimate Interest | 10 years after inactivity |
| To identify role and department in organisation and seniority | Legitimate Interest | 10 years after inactivity |
| To administer payments for membership – including to issue, administer and take payments for invoices, for credit control and, to chase outstanding payments. | Legitimate Interest | 7 years |
| To receive a declaration of authorisation to set up / continue membership on behalf of the organisation. | Legitimate Interest | 10 years after inactivity |
| To contact members about their membership (e.g. welcome email, renewal reminder), and member opportunities. | Legitimate Interest | 10 years after inactivity |
| Communications with key contacts about benefits – e.g. membership opportunities | Legitimate Interest | 10 years after inactivity |
| To share regional/location and country information with Branch Councils and FLN Committees. | Legitimate Interest | 10 years after inactivity |
| All other contacts at a member organisation | ||
| To facilitate access to MyIPFA dashboard.
To facilitate access to the Knowledge Hub platform. |
Legitimate Interest | 5 years after inactivity |
| To manage member communication preferences | Legitimate Interest | 5 years after inactivity |
| For the individual/users to access all our website and platforms; used in membership to measure engagement. | Legitimate Interest | 5 years after inactivity |
| To liaise with members about their membership and joining networks. | Legitimate Interest | 5 years after inactivity |
| To follow up on enquiries and liaise with members regarding membership services and where business cards are collected at events. | Legitimate Interest | 5 years after inactivity |
| Business Development contacts | ||
| Business development contact that IPFA can liaise with regarding marketing opportunities. | Legitimate Interest | 5 years after inactivity |
| Future Leaders Network contacts | ||
| To be the main point of contact for FLN.
To be notified about upcoming FLN activities. |
Legitimate Interest | 5 years after inactivity |
| Training contacts | ||
| For IPFA to liaise with about training needs. | Legitimate Interest | 5 years after inactivity |
| Regional Representative | ||
| To be the main point of contact in the region. | Legitimate Interest | 5 years after inactivity |
| Potential Speakers | ||
| Legitimate Interest | 5 years after inactivity | |
| Taskforce volunteers | ||
| For IPFA to liaise with regarding assistance with strategic direction for different initiatives. | Legitimate Interest | 5 years after inactivity |
Mailing list subscribers – members and non-members
Data captured: Name, organisation name, telephone number, email address, country
| Purpose for processing | Lawful Basis | How long is the data kept for? |
| To send IPFA mailing alerts to subscribers | Consent | 5 years after inactivity |
| To send invitations for IPFA events to sponsors’ clients | Consent | 1 year |
| To send IPFA mailing alerts to members | Legitimate Interest | 5 years after inactivity |
How we collect your information
We collect your personal via the following methods:
- Directly from you – we collect your personal data directly from you for the purposes outlined in ‘Your Personal Data’ above. We collect personal data via a number of methods – e.g. email, telephone, online via our website, paper forms, and business cards.
- Indirectly – from partner organisations and third parties – e.g. recruitment agents, your employer who may be a member etc. Where we do not collect data directly from you, where possible we will notify you that we have your data and how it will be used.
How we store personal data
IPFA store your personal data on our internal, paper and digital systems as well as on our Data Processor systems – e.g. Global Payments Inc., Microsoft365, Microsoft Dynamics, WordPress, Smart Portal, Mailchimp, WebEx, Zoom, our customer relationship management database, Active Campaign, WordPress, Siteground and Google Analytics, Zoom, Wufoo, Survey Monkey, Hootsuite and social media platforms e.g. LinkedIn etc. for the purposes of displaying relevant content to you. The providers of these platforms are the IPFA’s Data Processors who have access to your data for the purposes of enabling us to process it using their platforms.
Who we share personal data with
IPFA will not sell or rent your information to third parties. We will not share your information with third parties for marketing purposes unless you have specifically consented to us doing so – e.g. for an external initiative that we are endorsing and you have requested to get involved in. Should you provide your consent for these purposes, you can withdraw your consent at any point by contacting the organiser directly.
We may disclose your personal data to any of our employees, board members, council members, chairs or subcontractors insofar as reasonably necessary for the purposes, and on the legal bases, set out in this privacy notice.
Financial transactions relating to our website and services are handled by our payment services providers, Global Payments Inc. We will share transaction data with our payment services providers only to the extent necessary for the purposes of processing your payments, refunding such payments and dealing with complaints and queries relating to such payments and refunds. You can find information about the payment services providers’ privacy policies and practices at https://resourcecentre.globaliris.com/privacypolicy.
We may disclose your enquiry data, at your request, to a selected third party supplier of services identified on our website for the purpose of enabling them to contact you so that they can offer, market and sell to you relevant goods and/or services. In some cases, they will be acting as a data controller of your information and therefore we advise you to read their Privacy Notice. These third party product providers will share your information with us which we will use in accordance with this Privacy Notice.
In addition to the specific disclosures of personal data set out in this, we may disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person. We may also disclose your personal data where such disclosure is necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
How we keep personal data secure
IPFA have appropriate physical and technical security measures in place to protect your personal information. We ensure that we have provisions in place to ensure that only authorised parties have access, that your data is kept secure, and that we have processes and procedures in place to prevent accidental loss, destruction, alteration, unauthorised access or disclosure of your personal data. We have incident and breach processes and procedures in place to deal with a respond to any suspected breaches of your personal data and will notify you and any relevant regulators where we are required to do so.
How long we keep personal data
IPFA has a Data Retention Policy and Retention Schedule in place to ensure that your data is only kept for a long a necessary, and in line with the purposes that it was collected. We will only hold Personal Information for as long as there is a business purpose to do so. Retention timescales are outlined in the ‘Your Personal Data’ table above.
We may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
How we use personal data for marketing, profiling and automated decision making
IPFA will use your information to market relevant products and services to you where you have given your consent for us to do so. You have the right to withdraw your consent at any time by contacting us on [email protected]
Transferring data internationally (outside the EEA)
IPFA operates a global service. European Economic Area (“EEA”) Member States and other countries all have different laws. When your information is moved from your home country to another country, the laws and rules that protect your personal information in the country to which your information is transferred may be different from those in the country in which you live. For example, the circumstances in which law enforcement can access personal information may vary from country to country.
The GDPR places obligations on Data Controllers to ensure that provisions are put in place when data is being transferred outside of the EEA. When tendering for new suppliers and systems, the IPFA will carry out due diligence to ensure that, where possible, data is not transferred outside of the EEA. In the event that data will be transferred outside of the EEA, we will ensure that appropriate safeguards and provisions – as outlined under the GDPR – are in place prior to transferring the data.
Our website provides a voluntary service; you can choose whether or not you want to use the Services. However, if you want to use the Services, you need to agree to our Terms of Use, which set out the contract between IPFA and its users. As we operate in countries worldwide (including in the US, Japan, South Korea), in accordance with the contract between us, we may need to transfer your personal information to other jurisdictions as necessary to provide the Services.
You acknowledge that personal data that you submit for publication through our website or services may be available, via the internet, around the world. We cannot prevent the use (or misuse) of such personal data by others.
Our use of cookies
Like many other websites, the IPFA website uses cookies. ‘Cookies’ are small pieces of information sent by an organisation to your computer and stored on your hard drive to allow that website to recognise you when you visit. They collect statistical data about your browsing actions and patterns, for example, we use cookies to store your country preference. Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies. This helps us to improve our website and deliver a better more personalised service.
It is possible to switch off cookies by setting your browser preferences. For more information on how to switch off cookies on your computer, visit our full cookies policy. Turning cookies of may result in a loss of functionality when using our website.
Links to other websites
IPFA’s website may contain links to other websites run by other organisations. This privacy notice applies only to our website‚ so we encourage you to read the privacy statements on the other websites you visit. We cannot be responsible for the privacy policies and practices of other sites even if you access them using links from our website.
In addition, if you linked to our website from a third party site, we cannot be responsible for the privacy policies and practices of the owners and operators of that third party site and recommend that you check the policy of that third party site.
Your rights
We have summarised the rights that you have under data protection law. Some of the rights are complex, and not all of the details have been included in our summaries. Accordingly, you should read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights.
Your principal rights under data protection law are:
- the right to access;
You have the right to confirmation as to whether or not we process your personal data and, where we do, access to the personal data, together with certain additional information. That additional information includes details of the purposes of the processing, the categories of personal data concerned and the recipients of the personal data. Providing the rights and freedoms of others are not affected, we will supply to you a copy of your personal data. The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee. To request a copy of your personal data, please email us at [email protected]
- the right to rectification;
You have the right to have any inaccurate personal data about you rectified and, taking into account the purposes of the processing, to have any incomplete personal data about you completed.
- the right to erasure;
In some circumstances, you have the right to the erasure of your personal data without undue delay. Those circumstances include: the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; you withdraw consent to consent-based processing; you object to the processing under certain rules of applicable data protection law; the processing is for direct marketing purposes; and the personal data have been unlawfully processed. However, there are exclusions of the right to erasure. The general exclusions include where processing is necessary: for exercising the right of freedom of expression and information; for compliance with a legal obligation; or for the establishment, exercise or defence of legal claims.
- the right to restrict processing;
In some circumstances, you have the right to restrict the processing of your personal data. Those circumstances are: you contest the accuracy of the personal data; processing is unlawful but you oppose erasure; we no longer need the personal data for the purposes of our processing, but you require personal data for the establishment, exercise or defence of legal claims; and you have objected to processing, pending the verification of that objection. Where processing has been restricted on this basis, we may continue to store your personal data. However, we will only otherwise process it: with your consent; for the establishment, exercise or defence of legal claims; for the protection of the rights of another natural or legal person; or for reasons of important public interest.
- the right to object to processing;
You have the right to object to our processing of your personal data on grounds relating to your particular situation, but only to the extent that the legal basis for the processing is that the processing is necessary for: the performance of a task carried out in the public interest or in the exercise of any official authority vested in us; or the purposes of the legitimate interests pursued by us or by a third party. If you make such an objection, we will cease to process the personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.
You have the right to object to our processing of your personal data for direct marketing purposes (including profiling for direct marketing purposes). If you make such an objection, we will cease to process your personal data for this purpose.
To the extent that the legal basis for our processing of your personal data is:
consent; or
that the processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract, and such processing is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others.
- the right to data portability;
- the right to complain to a supervisory authority; and
If you consider that our processing of your personal information infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement.
- the right to withdraw consent.
To the extent that the legal basis for our processing of your personal information is consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.
You may exercise any of your rights in relation to your personal data by written notice to us at our address written below, or by emailing us at [email protected]
Your right to complain
If you are unhappy with how IPFA use your personal data you have the right to complain the ICO:
Information Commissioners Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
