Conference Privacy Notice — ICC Annual Conference 2026

This Conference Privacy Notice ("Notice") is issued by ISACA Chennai Chapter ("Chapter", "we", "us", or "our") in connection with the ICC Annual Conference 2026 ("Conference"). It sets out how we collect, use, store, share, transfer, and retain personal data about delegates, speakers, sponsors, exhibitors, and other individuals who interact with us in relation to the Conference.

By registering for, attending, or otherwise participating in the Conference, you acknowledge that you have read and understood this Privacy Notice. Where we rely on your consent as the lawful basis for processing, such consent is sought separately, explicitly, and in a manner that is specific, informed, and freely given.

For the purposes of applicable data protection law, the entity responsible for your personal data is:

Under the DPDPA, ISACA Chennai Chapter acts as the Data Fiduciary is responsible for personal information under its control.

We collect only such personal data as is reasonably necessary for the purposes described in Section 5 of this Notice. The categories of personal data we may collect include:

• Identity and contact information: Full name, designation, organisation name, professional email address, postal / delivery address, and telephone number.
• Registration and participation data: Registration tier selected, session preferences, attendance records, CPE credit data, and workshop participation records.
• Payment information: Transaction references and payment confirmation details. We do not store full payment card details; all payment processing is conducted through PCI-DSS compliant third-party payment gateways.
• Delegate preferences: T-shirt size
• Media and communications data: Photographs, video recordings, and audio-visual content captured during Conference sessions, workshops, networking events, and related activities.
• Correspondence: Communications you send to us before, during, or after the Conference.

We do not knowingly collect or process sensitive personal data (as defined under the DPDPA), unless strictly necessary and with your explicit consent obtained separately.

We process your personal data only where a lawful basis exists. The applicable bases, by jurisdiction, are as follows:

• Under the DPDPA:
  We process personal data primarily on the basis of consent, which is obtained in a manner that is free, specific, informed, unconditional, and unambiguous, through a clear affirmative action as required under Section 6 of the DPDPA. Where processing is necessary to perform or prepare to perform a contract to which you are a party (such as Conference registration), we may rely on that contractual necessity. Where personal data is processed to comply with legal obligations, we rely on that legal obligation as our basis.

We process personal data for the following specific and identified purposes:

• Conference administration and registration: Processing registrations, issuing confirmation communications, generating delegate badges, Lanyards, managing attendance records, and coordinating front-desk and on-site operations.
• Contractual fulfilment: Processing payments, managing cancellations and refunds, and delivering delegate kit items and other entitlements arising from registration.
• CPE credit management: Recording session attendance and issuing CPE certificates in compliance with ISACA's Continuing Professional Education reporting requirements.
• Event logistics and operational support: Coordinating venue, hospitality, catering, and related operational activities; managing security and safety at the Conference venue.
• Communications: Sending you information about the Conference, including pre-event updates, session changes, logistical instructions, and post-event materials.
• Post-event administration: Conducting post-event reconciliation, archiving records, and producing internal and published Conference reports and summaries.
• Legal and regulatory compliance: Meeting applicable statutory, regulatory, audit, accounting, and contractual obligations.
• Sponsor communication (consent-dependent): Where you have provided explicit, separate consent during registration, sharing your name, organisation, designation, and email address with Conference sponsors and commercial partners for professional networking and relevant engagement communications. This sharing is conditional on your consent and is not a prerequisite for Conference registration.
• Photography and media (consent-dependent): Using photographs, videos, and audio-visual content in which you appear for pre-event, during and post-event communications, the Chapter's promotional and educational materials, social media, and archival records. Further details are set out in Section 8 of this Notice.

We do not use your personal data for automated decision-making or profiling with legal or similar significant effects.

Where we rely on consent as our lawful basis:

• Consent is sought at the point of registration through a clear, affirmative opt-in mechanism, separately from the registration terms.
• Consent requests are specific to each purpose; we do not use a single bundled consent for multiple distinct purposes.
• Providing or withholding consent for sponsor communication or media use does not affect your ability to register for or attend the Conference.
• You may withdraw consent at any time by contacting us at privacy@isaca-chennai.org. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.
• Under the DPDPA, you have the right to withdraw consent and to have your personal data erased, subject to applicable exceptions, including our legal retention obligations.

We share personal data only to the extent necessary and only with the following categories of recipients:

• Authorized service providers and operational partners: Event management companies, logistics providers, catering and hospitality suppliers, badge-printing vendors, technology service providers, and payment gateway operators engaged by us solely for purposes connected with the Conference. Such parties are bound by contractual data processing obligations consistent with applicable law.
• Conference sponsors and commercial partners: Only where you have provided explicit consent during registration, as described in Section 5. Once your data has been transmitted to a sponsor or partner on the basis of your consent, we are unable to retrieve or delete that data from the recipient's systems. Any request to withdraw from further sponsor communications must be directed to the relevant sponsor or partner.
• ISACA Global and affiliated entities: Chapter administration records, CPE data, and event statistics may be shared with ISACA ("ISACA Global") for the purposes of chapter governance, CPE reporting, and programme benchmarking, in accordance with ISACA Global's applicable privacy framework.
• Regulatory, legal, and governmental authorities: Where required by applicable law, court order, regulatory direction, or to protect the rights, property, or safety of the Chapter, its members, or the public.

We do not sell, rent, or trade personal data to any third party.

Photography, videography, and audio-visual recordings will be conducted at Conference sessions, workshops, networking events, and associated activities.

• For delegates resident in India: By attending the Conference, you acknowledge that your image, voice, and likeness may be captured in the course of Conference activities and used by the Chapter for the purposes described in Section 5. Where we use your image in identifiable promotional materials beyond incidental appearance, we will seek your separate consent.

Where you have concerns about specific media use, please contact us at privacy@isaca-chennai.org. We will make reasonable efforts to address your request, subject to editorial discretion and the practical limitations of managing third-party attendee photography in a public conference environment.

Please be aware that delegates, speakers, sponsors, and media personnel attending the Conference may independently photograph or record video in public conference areas. The Chapter cannot control or prevent the sharing of such independently captured content on social media or other platforms.

We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required or permitted by applicable law.

• Operational records: Contact and registration data is retained for the duration required to administer the Conference and for a reasonable post-event period to resolve queries, process refunds, and address complaints.
• CPE and participation records:In accordance with ISACA CPE reporting requirements, records of Conference attendance and session participation are retained for a period of up to three (3) years from the date of the Conference.
• Financial and accounting records:Payment transaction records and related financial data are retained for the period required under applicable Indian taxation and accounting law, which is currently a minimum of eight (8) years.
• Marketing and consent records:Records of consent obtained and withdrawn are retained for the period necessary to demonstrate compliance with applicable law.

Following expiry of the applicable retention period, personal data will be securely deleted or anonymized, subject to our obligations under applicable law and any legitimate archival or backup requirements. Certain data may continue to exist in backup systems, statutory records, or audit logs for legally permissible periods.

Depending on your jurisdiction of residence, you may be entitled to exercise the following rights with respect to your personal data. We will respond to all verified requests within the timeframes prescribed under applicable law.

Under the DPDPA (India — Data Principals):

You have the right to:

• Obtain a summary of the personal data we hold about you and the purposes for which it is being processed;
• Correction of inaccurate or misleading personal data and completion of incomplete personal data;
• Erasure of personal data that is no longer necessary for the purpose for which it was collected, subject to our legal retention obligations;
• Request nomination of another individual to exercise these rights in the event of your death or incapacity;
• Grievance redressal through our designated grievance contact (see Section 12);

We implement appropriate technical and organisational measures to protect personal data against accidental loss, unauthorized access, disclosure, alteration, or destruction, commensurate with the nature of the data and the risks involved. Our service providers and operational partners are required to maintain equivalent standards of data security.

Notwithstanding the foregoing, no method of electronic transmission or storage is completely secure. Where a personal data breach occurs that is likely to result in a risk to your rights, we will notify you and the relevant authority as required by applicable law.

For any privacy-related query, concern, request to exercise your rights, or grievance in connection with this Notice or our data processing practices, please contact:

We will acknowledge receipt of your request promptly and endeavor to respond substantively within the period prescribed under applicable law for breach notifications after being aware of the incident.

We may update or revise this Notice from time to time to reflect changes in applicable law, regulatory guidance, or our processing activities. Material changes will be communicated to registered delegates by email prior to taking effect. The version of this Notice that is current at the time of the Conference will govern our processing of personal data in connection with that Conference.

The current version of this Notice is available at isaca-chennai.org/privacy-notice. The effective date and version number are stated at the top of this Notice.

ISACA Chennai Chapter · ICC Annual Conference 2026 · Conference Privacy Notice · Version 1.0 [31-May-2026]