Conference Privacy Notice — ICC Annual Conference 2026

This Conference Privacy Notice ("Notice") is issued by ISACA Chennai Chapter ("Chapter", "we", "us", or "our") in connection with the ICC Annual Conference 2026 ("Conference"). It sets out how we collect, use, store, share, transfer, and retain personal data about delegates, speakers, sponsors, exhibitors, and other individuals who interact with us in relation to the Conference.

Where any provision of this Notice applies only to residents of a specific jurisdiction, this is clearly indicated. All other provisions apply universally to all individuals whose personal data we process in connection with the Conference.

By registering for, attending, or otherwise participating in the Conference, you acknowledge that you have read and understood this Notice. Where we rely on your consent as the lawful basis for processing, such consent is sought separately, explicitly, and in a manner that is specific, informed, and freely given.

For the purposes of applicable data protection law, the entity responsible for your personal data is:

Under the DPDPA, ISACA Chennai Chapter acts as the Data Fiduciary. Under the GDPR and UK GDPR, the Chapter acts as the Data Controller. Under PIPEDA, ISACA Chennai Chapter is the responsible organization for personal information under its control.

We collect only such personal data as is reasonably necessary for the purposes described in Section 5 of this Notice. The categories of personal data we may collect include:

• Identity and contact information: Full name, designation, organisation name, professional email address, postal / delivery address, and telephone number.
• Registration and participation data: Registration tier selected, session preferences, attendance records, CPE credit data, and workshop participation records.
• Payment information: Transaction references and payment confirmation details. We do not store full payment card details; all payment processing is conducted through PCI-DSS compliant third-party payment gateways.
• Delegate preferences: Dietary requirements and T-shirt size, where provided voluntarily.
• Media and communications data: Photographs, video recordings, and audio-visual content captured during Conference sessions, workshops, networking events, and related activities.
• Correspondence: Communications you send to us before, during, or after the Conference.

We do not knowingly collect or process sensitive personal data (as defined under the DPDPA), special categories of personal data (as defined under Article 9 of the GDPR), or sensitive information (as defined under applicable provincial law in Canada) unless strictly necessary and with your explicit consent obtained separately.

We process your personal data only where a lawful basis exists. The applicable bases, by jurisdiction, are as follows:

We process personal data for the following specific and identified purposes:

• Conference administration and registration: Processing registrations, issuing confirmation communications, generating delegate badges, Lanyards, managing attendance records, and coordinating front-desk and on-site operations.
• Contractual fulfilment: Processing payments, managing cancellations and refunds, and delivering delegate kit items and other entitlements arising from registration.
• CPE credit management: Recording session attendance and issuing CPE certificates in compliance with ISACA's Continuing Professional Education reporting requirements.
• Event logistics and operational support: Coordinating venue, hospitality, catering, and related operational activities; managing security and safety at the Conference venue.
• Communications: Sending you information about the Conference, including pre-event updates, session changes, logistical instructions, and post-event materials.
• Post-event administration: Conducting post-event reconciliation, archiving records, and producing internal and published Conference reports and summaries.
• Legal and regulatory compliance: Meeting applicable statutory, regulatory, audit, accounting, and contractual obligations.
• Sponsor communication (consent-dependent): Where you have provided explicit, separate consent during registration, sharing your name, organization, designation, and email address with Conference sponsors for professional networking. This sharing is conditional and not a prerequisite for registration.
• Photography and media (consent-dependent): Using photographs, videos, and audio-visual content in which you appear for pre-event, during and post-event communications, Chapter promotional and educational materials, social media, and archival records.

We do not use your personal data for automated decision-making or profiling with legal or similarly significant effects.

Where we rely on consent as our lawful basis:

• Consent is sought at the point of registration through a clear, affirmative opt-in mechanism, separately from the registration terms.
• Consent requests are specific to each purpose; we do not use a single bundled consent for multiple distinct purposes.
• Providing or withholding consent for sponsor communication or media use does not affect your ability to register for or attend the Conference.
• You may withdraw consent at any time by contacting us at isacachennai@isaca-chennai.org.

We share personal data only to the extent necessary and only with the following categories of recipients:

• Authorized service providers and operational partners: Event management companies, logistics providers, catering and hospitality suppliers, badge-printing vendors, technology service providers, and payment gateway operators engaged by us solely for purposes connected with the Conference. Such parties are bound by contractual data processing obligations.
• Conference sponsors and commercial partners: Only where you have provided explicit consent during registration. Once your data has been transmitted to a sponsor or partner on the basis of your consent, we are unable to retrieve or delete that data from the recipient's systems. Any request to withdraw from further sponsor communications must be directed to the relevant sponsor or partner.
• ISACA Global and affiliated entities: Chapter administration records, CPE data, and event statistics may be shared with ISACA ("ISACA Global") for the purposes of chapter governance, CPE reporting, and programme benchmarking.
• Regulatory, legal, and governmental authorities: Where required by applicable law, court order, regulatory direction, or to protect the rights, property, or safety of the Chapter, its members, or the public.

Photography, videography, and audio-visual recordings will be conducted at Conference sessions, workshops, networking events, and associated activities.

• For delegates resident in India: By attending the Conference, you acknowledge that your image, voice, and likeness may be captured in the course of Conference activities and used by the Chapter. Where we use your image in identifiable promotional materials beyond incidental appearance, we will seek your separate consent.
• For delegates resident in the EEA, UK, or Canada: We rely on our legitimate interests in documenting and promoting the Conference as the lawful basis for incidental photography and video in public areas of the Conference. Where your image is used in a manner that singles you out, we will seek your explicit consent separately.

Where you have concerns about specific media use, please contact us at isacachennai@isaca-chennai.org. We will make reasonable efforts to address your request, subject to editorial discretion and the practical limitations of managing third-party attendee photography in a public conference environment.

Please be aware that delegates, speakers, sponsors, and media personnel attending the Conference may independently photograph or record video in public areas. The Chapter cannot control or prevent the sharing of such independently captured content.

The Conference is organized and administered primarily in India. Where personal data is transferred outside India to countries that have not been notified as providing adequate data protection under the DPDPA, such transfers will be made subject to appropriate safeguards as prescribed under the DPDPA.

We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required or permitted by applicable law.

• Operational records: Contact and registration data is retained for the duration required to administer the Conference and for a reasonable post-event period to resolve queries, process refunds, and address complaints.
• CPE and participation records: In accordance with ISACA CPE reporting requirements, records of Conference attendance and session participation are retained for a period of up to three (3) years from the date of the Conference.
• Financial and accounting records: Payment transaction records and related financial data are retained for the period required under applicable Indian taxation and accounting law, which is currently a minimum of eight (8) years.
• Marketing and consent records: Records of consent obtained and withdrawn are retained for the period necessary to demonstrate compliance with applicable law.

Following expiry of the applicable retention period, personal data will be securely deleted or anonymized, subject to our obligations under applicable law and any legitimate archival or backup requirements.

Depending on your jurisdiction of residence, you may be entitled to exercise the following rights with respect to your personal data. We will respond to all verified requests within the timeframes prescribed under applicable law.

We implement appropriate technical and organizational measures to protect personal data against accidental loss, unauthorized access, disclosure, alteration, or destruction, commensurate with the nature of the data and the risks involved. Our service providers and operational partners are required to maintain equivalent standards of data security.

Notwithstanding the foregoing, no method of electronic transmission or storage is completely secure. Where a personal data breach occurs that is likely to result in a risk to your rights, we will notify you and the relevant supervisory authority as required by applicable law.

For any privacy-related query, concern, request to exercise your rights, or grievance in connection with this Notice or our data processing practices, please contact:

We will acknowledge receipt of your request promptly and endeavor to respond substantively within the period prescribed under applicable law, being 72 hours for breach notifications after being aware of the incident, 30 days for data subject requests under the GDPR, and a comparable reasonable period under the DPDPA and PIPEDA.

We may update or revise this Notice from time to time to reflect changes in applicable law, regulatory guidance, or our processing activities. Material changes will be communicated to registered delegates by email prior to taking effect. The version of this Notice that is current at the time of the Conference will govern our processing of personal data in connection with that Conference.

The current version of this Notice is available at isaca-chennai.org/privacy-notice. The effective date and version number are stated at the top of this Notice.