The compliance of VirtualExpo Group’s marketplaces with the european laws on personal data collection and tracking

Regulations concerning the use of personal data are generally divided into two areas:

• the collection, storage and processing of service users’ personal data
• the tracking and identification of individuals as they browse websites

You will find an explanation below of the legal compliance of VirtualExpo Group’s marketplaces in these two areas and how sellers can also ensure that they process the data provided to them by VirtualExpo Group in full legal compliance.

Table of Contents

• 1. COMPLIANCE WITH THE ePRIVACY DIRECTIVE CONCERNING COOKIES (TRACKERS)
  • 1.1 WHAT ARE THE NEW OBLIGATIONS IMPOSED BY THE ePRIVACY DIRECTIVE ON THE USE OF COOKIES?
  • 1.2 HOW DOES VIRTUALEXPO GROUP’S USE OF COOKIES RESPECT THE DIRECTIVE?
  • 1.3 HOW DOES THE COOKIES POP-IN WORK?
  • 1.4 WHAT IS THE IMPACT OF THIS POP-IN ON THE VOLUME OF DATA COLLECTED AND TRANSMITTED BY VIRTUALEXPO GROUP TO SELLERS?
  • 1.5 HOW TO GET MORE PROSPECTS ON YOUR STAND?
• 2. COMPLIANCE WITH THE GDPR REGULATION REGARDING THE PROTECTION OF PERSONAL DATA
  • 2.1 WHAT ARE THE PROTECTION MESURES FOR PERSONAL DATA IMPOSED BY THE GDPR?
  • 2.2 IN CONCRETE TERMS, WHAT TYPE OF DATA IS IMPACTED BY THE GDPR?
  • 2.3 WHERE IS THE VIRTUALEXPO GROUP SERVER LOCATED AND WHAT DATA IS STORED THERE?
  • 2.4 HOW IS VIRTUALEXPO GROUP’S COLLECTION AND TRANSMISSION OF PERSONAL DATA COMPLIANT WITH THE GDPR?
  • 2.5 WHAT IS THE PROCEDURE FOR AN INDIVIDUAL TO REQUEST THAT THEIR PERSONAL DATA BE DELETED?
  • 2.6 HOW IS VIRTUALEXPO GROUP COMPLIANT WITH THE GDPR CONCERNING THE STORAGE OF PERSONAL DATA?
  • 2.7 HOW IS VIRTUALEXPO GROUP COMPLIANT WITH THE GDPR CONCERNING THE AUTOMATIC PURGING OF PERSONAL DATA?
  • 2.8 WHAT MEASURES WOULD VIRTUALEXPO GROUP TAKE IN THE EVENT OF A BREACH OF CERTAIN PERSONAL DATA?
• 3. RIGHTS AND OBLIGATIONS OF SELLERS ON VIRTUALEXPO GROUP MARKETPLACES
  • 3.1 WHAT IS THE LEGAL STATUS OF VIRTUALEXPO GROUP?
  • 3.2 WHAT IS THE LEGAL STATUS OF SELLERS?
  • 3.3 CAN THE SELLER TRANSFER THE LEGAL RESPONSIBILITY FOR PROCESSING PERSONAL DATA TO VIRTUALEXPO GROUP?
  • 3.4 HOW CAN THE SELLER PROCESS PERSONAL DATA TRANSFERRED TO THEM THROUGH THE MARKETPLACE IN ACCORDANCE WITH THE GDPR?
  • VIRTUALEXPO GROUP BY YOUR SIDE

---

1. COMPLIANCE WITH THE ePRIVACY DIRECTIVE CONCERNING COOKIES (TRACKERS)

On March 31, 2021, a strengthening of the ePrivacy Directive on cookies (trackers) came into force. A cookie is a computer script deposited on the device (computer, tablet, smartphone) of the visitor to a website that allows the visitor to be identified when they return to the same website. Cookies facilitate the visitor’s navigation. Depending on the type of cookies:

• they reduce the number of forms to be filled in to access features
• they allow the display of relevant content and advertisements based on the visitor’s browsing history

For the website, cookies allow, among other things:

• to compile data concerning visitor attendance and origin
• to identify visitors and to use this data for commercial/marketing purposes

1.1 WHAT ARE THE NEW OBLIGATIONS IMPOSED BY THE ePRIVACY DIRECTIVE ON THE USE OF COOKIES?

Since March 31, 2021, the ePrivacy Directive imposes the following new measures for the use of cookies by websites:

• visitors to a website must be informed, upon arrival on a website, of the possible deposit of cookies concerning:
  • the essential functioning of the website for navigation purposes
  • content personalization (geo-targeted ads and content, etc.)
  • sharing information with partners (social networks, search engines, etc.)
  • performance (reduction in the number of forms to be filled out, speed of page loading, etc.)
• the website must offer visitors the option of agreeing or disagreeing to the use of cookies, as soon as they arrive on the site (it must be as easy to disagree as it is to agree)
• the website must ask visitors to renew their consent every 6 months
• visitors must be able to withdraw their consent at any time
• visitors must be able to browse the website even if they refuse cookies

1.2 HOW DOES VIRTUALEXPO GROUP’S USE OF COOKIES RESPECT THE DIRECTIVE?

VirtualExpo Group fully complies with the new requirements of the ePrivacy Directive. When a visitor accesses one of our marketplaces, we display a pop-in that contains:

• a short explanation of the cookies offered by VirtualExpo Group
• buttons “Agree to all” or “Disagree to all”
• a “Learn More” link to the details of each cookie and the ability to consent to the use of each one individually

When a visitor arrives on one of our marketplaces:

When the visitor clicks on “Learn more” and makes their selection:

When the visitor clicks on “By all our partners” and makes their selection:

1.3 HOW DOES THE COOKIES POP-IN WORK?

• When the visitor agrees or disagrees to the use of cookies, their consent is saved and they are asked again every 6 months or if:
  • we add a new cookie to the website
  • the visitor accesses the marketplace with a new device
• As the visitor can change their consent at any time, they can redisplay the pop-in by clicking on a link in the footer of any page on the website
• If the visitor disagrees to the use of cookies, the tracking of the visitor stops immediately but the previously collected data is preserved.
• If the visitor closes the pop-in, this is considered a temporary refusal of all cookies except those necessary for navigation of the website (the pop-in will be displayed again on each visit until the visitor agrees or disagrees to the cookies.)

1.4 WHAT IS THE IMPACT OF THIS POP-IN ON THE VOLUME OF DATA COLLECTED AND TRANSMITTED BY VIRTUALEXPO GROUP TO SELLERS?

Cookie consent pop-ins have become standard on the web and are visible on all websites, including those of marketplaces and their sellers. As these pop-ins are everywhere, they do not have a direct impact on the overall volume of visitors accessing websites. They only act on the ability to identify and track visitors once they arrive on a website. This means:

• There will be little to no impact on visitor volume and request volume
• There will likely be a decline in the volume of prospects* and ad displays

*These are mainly visitors who have already been identified before visiting the sellers’ stands. These contacts have always required sellers to obtain their consent before they can be exploited.

Our consent management provider sees an average refusal rate of cookies via the pop-in of between 10% and 35%.

1.5 HOW TO GET MORE PROSPECTS ON YOUR STAND?

To respond to a possible drop in “Stand Prospects” due to the cookies pop-in, VirtualExpo Group advises sellers to make price documents available on their stands. This service is free of charge. Adding a price document activates the “See price options” button. By clicking on it, the visitor is presented with a form so they can transmit their personal data to the seller in order to consult the price options on the stand. For more information, we invite you to read this guide.

If you have any questions regarding the protection of personal data on the VirtualExpo Group marketplaces, please send an email to dpo@virtual-expo.com.

---

2. COMPLIANCE WITH THE GDPR REGULATION REGARDING THE PROTECTION OF PERSONAL DATA

2.1 WHAT ARE THE PROTECTION MESURES FOR PERSONAL DATA IMPOSED BY THE GDPR?

The GDPR, “The General Data Protection Regulation,” sets the guidelines for the treatment of personal data within the European Union. The reglement came into effect in May 2018 and strengthened the control of European citizens over the use of their personal data, including the right to object, the right to transparent information and the right to erasure.

The GDPR requires websites to inform their visitors, before their personal data is collected and transferred:

• of the potential use of their personal data
• of the procedures in place to request their data be deleted or rectified

It also requires that personal data be stored securely and for a specified period of time.

2.2 IN CONCRETE TERMS, WHAT TYPE OF DATA IS IMPACTED BY THE GDPR?

The GDPR concerns:

• nominative data allowing the identification of a private person.
  • example firstname.lastname@guzzini.com, a mobile phone number or the address of a private residence.

The GDPR does not concern:

• non-nominative data that does not allow the identification of a private person.
  • example info@guzzini.com, the number of a switchboard or reception or the address of a company.

2.3 WHERE IS THE VIRTUALEXPO GROUP SERVER LOCATED AND WHAT DATA IS STORED THERE?

VirtualExpo Group’s six marketplaces enable buyers to be put in contact with sellers through forms and secure messaging. The data collected is stored on our server located in France in a building controlled by a secure operator (ISO 27001). The data stored on this server includes:

• the contact details of the staff working for the sellers in charge of administering the stands as well as those of the members of their sales network present on our marketplaces
• the personal data of potential buyers who have filled in a form to send a request, consult information or sign up for our various mailings
• the history of messages posted via the negotiation interface by sellers and potential buyers including attachments and quotes.

Because this data is stored in Europe, its use must comply with the General Data Protection Regulation (GDPR) regardless of the geographical location of the data subjects.

For example:

If a Japanese potential buyer who is in Tokyo views the product of a Chinese seller domiciled in Beijing, the GDPR must be applied to the exploitation of that Japanese potential buyer by the Chinese seller if the user data is all stored in Europe.

2.4 HOW IS VIRTUALEXPO GROUP’S COLLECTION AND TRANSMISSION OF PERSONAL DATA COMPLIANT WITH THE GDPR?

i) Forms on sellers’ stands

When a visitor to a seller’s stand clicks on a button to connect with the seller, we display a text informing them:

• that their data will be transferred to a member of the seller in question’s sales force who will then be able to contact them concerning their request
• of the privacy policy which explains how to request that personal data be rectified or deleted

“The VirtualExpo Group protects your privacy: when you request a quote, documentation or price options, when you ask a question or consult a Seller’s price options or contact details, your Personal Data will be transferred to the Seller or, if applicable, to one of their area managers or distributors who will be able to respond to you directly. See our Privacy Policy for details on the method used to process your data, the purpose and your rights concerning this data. By continuing to use our website you agree to our general terms of use.“

ii) Subscription to the product newsletter, the news site newsletter or to information emails from our partners

When a visitor enters their email address to sign up for one of our newsletters or partner information emails, we display this text:

By clicking on “CONFIRM”, you confirm that you accept our General Terms of Use and our Privacy Policy which inform you of the methods of processing your personal data as well as your rights over this data. We use your email address exclusively to send you newsletters that interest you. In accordance with the law, you have a right of access, rectifications and opposition. These rights can be exercised by sending an email to the email address dpo@virtual-expo.com or by post by writing to the address of the Editor’s headquarters.

iii) The Privacy Policy

Visitors can also find out about the use of their personal data and their rights to have their data deleted or rectified at any time by consulting our privacy policy. This page is accessible via the footer of the marketplaces.

IV) The General Sales Conditions

The acceptance of our General Sales Conditions is compulsory when subscribing to services linked to the VIRTUALEXPO offer. Article 9.1 of the General Sales Conditions informs the seller that acceptance implies knowledge of our privacy policy concerning the protection of their personal data.

2.5 WHAT IS THE PROCEDURE FOR AN INDIVIDUAL TO REQUEST THAT THEIR PERSONAL DATA BE DELETED?

Visitors and sellers may request that their personal data be deleted by sending a letter to our headquarters located at 17 avenue André Roussin, 13016 Marseilles (with a copy of a piece of identification of the person whose profile is the subject of the deletion request). A visitor can also make a request by sending an email to dpo@virtual-expo.com. In order for this request to be admissible, the email must be sent from the email address entered in the visitor’s profile on the marketplace.

Upon receipt of the request, the data subject’s data will be deleted:

• from the VirtualExpo Group newsletter and mailing database
• from the seller’s request archive, including the conversation history

If the visitor is the originator of the request:

• from the archive of prospects for sellers whose stands the visitor visited while a cookie was placed on their device
• from the visitor’s “MySpace” account

If the seller is the originator of the request:

• from the VirtualExpo Group’s internal CRM tool
• from the sales network(s) in which the seller appeared on the marketplaces
• from the sales network(s) in which the seller appeared in the back offices

The data subject will receive an email confirming that their data has been deleted within 30 days.

2.6 HOW IS VIRTUALEXPO GROUP COMPLIANT WITH THE GDPR CONCERNING THE STORAGE OF PERSONAL DATA?

The personal data collected on VirtualExpo Group’s marketplaces is stored by an ISO 27001 certified host in a secure building with access controls. Only authorized employees have access to this data, equipment and hardware and only upon authentication.

2.7 HOW IS VIRTUALEXPO GROUP COMPLIANT WITH THE GDPR CONCERNING THE AUTOMATIC PURGING OF PERSONAL DATA?

The GDPR allows the retention of personal data for marketing and communication purposes (e.g. sending a newsletter) as long as the data subjects’ consent is not withdrawn and they continue to use the services. If data subjects do not use the services for a period of two years, their data is automatically deleted.

The following profiles are deleted:

• visitors who do not open a single email from VirtualExpo Group AND do not visit one of our marketplaces for a period of 2 years
• people who work for a seller with no commercial activity on our marketplaces for 2 years

This data purging mechanism is explicitly mentioned in our privacy policy, (Article I, Section B) “Retention and Purge”

2.8 WHAT MEASURES WOULD VIRTUALEXPO GROUP TAKE IN THE EVENT OF A BREACH OF CERTAIN PERSONAL DATA?

In 20 years of existence, thanks to continuous improvement to personal data protection measures, VirtualExpo Group has never experienced a security breach with regard to the information stored on its server. Our security unit (security@virtual-expo.com) raises awareness within our workforce of security best practices and regularly disseminates information about new risks. In the event of a security breach, the following cybersecurity management process will be applied:

• our security unit will be mobilized to identify the danger
• appropriate communication will be made to potentially affected individuals and/or organizations as soon as possible
• as a precautionary measure, VirtualExpo Group could change the passwords of accounts of people suspected of having been victims of a cyber attack

---

3. RIGHTS AND OBLIGATIONS OF SELLERS ON VIRTUALEXPO GROUP MARKETPLACES

In order to understand the legal obligations of sellers with regard to processing personal data transferred to them by VirtualExpo Group, it is necessary to understand the legal status of VirtualExpo Group and the sellers on its marketplaces with respect to the GDPR.

The GDPR recognizes two statuses determining the obligations of actors in the processing of personal data: “Data controller” and “Data processor.”

Data controller

The data controller is the actor who determines the means and purposes of processing personal data: how and for what purpose it is collected and used. Sometimes the data controller subcontracts the processing of personal data to a third party company: the data processor.

Data processor

The data processor is only responsible for the operational processing of the data. They only act under the instructions of the data controller. The data processor is neither the owner of the personal data, nor the one who determines the purposes of the data processing. A typical activity of a data processor is to offer IT solutions, including cloud storage or services for sending advertising emails. The obligations of the data processor to the data controller must be specified in a contract or other legal act.

3.1 WHAT IS THE LEGAL STATUS OF VIRTUALEXPO GROUP?

VirtualExpo Group has the status of data controller as it determines the means and purposes of the use of the personal data that is transmitted to sellers.

The personal data of visitors that is transferred to sellers is collected by VirtualExpo Group via online forms. The visitor accesses these forms when they click on a button corresponding to their requirement. The buttons and forms have been defined by VirtualExpo Group and are identical for all sellers on our marketplaces:

• Request a personalized quote
• Request price options
• See price options
• Request documentation
• Question
• See contact information

In each form, VirtualExpo Group informs the visitor that their personal data will be transferred to a member of the seller in question’s sales force (internal or external) who will then be able to contact them concerning their request in compliance with VirtualExpo Group’s .

3.2 WHAT IS THE LEGAL STATUS OF SELLERS?

Sellers on VirtualExpo Group’s marketplaces have the status of data controllers, not as joint controllers but as successive independent controllers with regards to VirtualExpo Group:

• Successive independent controllers:

The personal data collected on the marketplaces by VirtualExpo Group is transferred to the sellers who can then copy it on their own server and use it for their own purposes (after obtaining the required consent).

• Not joint controllers:

The sellers and VirtualExpo Group are independent controllers. The sellers do not define the purposes of the collection and use of personal data on VirtualExpo Group’s marketplaces. Conversely, VirtualExpo Group does not define the purposes of the use of personal data transferred to the seller’s server.

3.3 CAN THE SELLER TRANSFER THE LEGAL RESPONSIBILITY FOR PROCESSING PERSONAL DATA TO VIRTUALEXPO GROUP?

Given its independent role with regard to the seller, VirtualExpo Group does not legally act as a data processor in the name and on behalf of the seller. The seller cannot therefore transfer the legal responsibility for the processing of personal data to VirtualExpo Group by asking it to sign a processor mandate. This is explained in article 9.2 of the General Terms and Condition of Sale and in section B of the privacy policy which are accepted by the seller when contracting the services of VirtualExpo Group.

3.4 HOW CAN THE SELLER PROCESS PERSONAL DATA TRANSFERRED TO THEM THROUGH THE MARKETPLACE IN ACCORDANCE WITH THE GDPR?

The GDPR obliges successive data controllers to collect the consent of the visitors to our marketplaces concerning the use of their personal data. In the case of “See price options” requests and prospects, VirtualExpo Group collects the consent and the seller and their sales network do not need to collect it again.

VirtualExpo Group does not collect consent for the “Stand” Prospects. We inform visitors via the privacy policy that their personal data will be transferred to sellers whose stand they have simply visited. It is then up to the seller to obtain the consent of these visitors in the first communication made to them. The following is a description of the three types of sales contacts and the rights and obligations of sellers with regard to the exploitation of these contacts:

A. “STAND PROSPECTS”

Action taken by the prospect
The potential buyer visited the seller’s stand. Thanks to the prior acceptance of a cookie, the buyer’s personal profile could be identified and transferred to the seller via the seller’s secure search results page.

Obligations of the seller for the use of the personal data of a “Stand” Prospect
According to Articles 13, 14, 21 and 22 of the GDPR, the seller must obtain the consent of the “Stand” prospect in order to communicate with them by sending an initial email explaining the source by which the seller obtained the prospect’s contact details (the VirtualExpo Group marketplace), as well as the subject matter and the frequency of the future communications. This email must also contain:

• For professional buyers (company name provided): a link allowing the prospect to unsubscribe from future communications. If unclicked, the seller may send the proposed communications (“Opt-out”).
• For private buyers (no company name provided): a button allowing the prospect to consent to receive communications from the seller. Only if clicked may the seller send the proposed communications (“Opt-in”).

In either case, the seller must ensure that future communications respect the agreed purpose and frequency and contain a link allowing the prospect to unsubscribe at any time.

B. “SEE PRICE OPTIONS” AND “SEE CONTACT INFORMATION” PROSPECTS

Action taken by the prospect
After visiting the seller’s stand, the potential buyer clicked on the “See price options” or “See contact information” button and filled in their information (last name, first name, email address) in a form to access the desired information. When filling in the form, the potential buyer is informed that they agree that the seller, or a member of the seller’s sales network, may contact them using their personal data, without having to obtain prior consent.

The seller’s rights for the use of personal data for “See price options” and “See contact information” prospects
By clicking on a button on the stand to access specific information, the potential buyer has agreed to be contacted by a member of the seller’s sales force. The seller can therefore contact the potential buyer a few days after they have completed this action on the seller’s stand.

C. REQUESTS FOR “A PERSONALIZED QUOTE”, “PRICE OPTIONS”, “DOCUMENTATION” OR A “QUESTION”

The buyer initiated the request
After visiting the seller’s stand, the potential buyer clicked on the “Request a personalized quote,” “Request price options,” “Request documentation” or “Question” button and filled in their information (last name, first name, email address, telephone number) in a form in order to send the request to the seller. The potential buyer has thus consented to these details being used so they can be contacted by a seller (parent company, regional manager, distributors or brand agent).

Rights of the seller for the use of the personal data related to requests
Buyers who send requests wish to be contacted quickly. Sellers are advised to respond directly to the request by telephone or email.

---

VIRTUALEXPO GROUP BY YOUR SIDE

To enable sellers to verify their rights and obligations regarding the processing of visitors’ personal data at any time, VirtualExpo Group provides a summary in the “My Results” page of the back office. In addition, to avoid unintentional misuse of personal data, VirtualExpo Group requires sellers to check a box acknowledging their obligations under the GDPR to access this data (see image)

If you have any questions regarding the protection of personal data on the VirtualExpo Group marketplaces, please send an email to dpo@virtual-expo.com.