GLOBAL PRIVACY NOTICE

Last Updated: 1 October 2024

This ISACA® Privacy Notice describes the types of personal data that the Information System Audit and Control Association, Inc., and its respective subsidiaries and affiliated companies (“ISACA”, “we” or “us”) collect, how we use it, how and when it may be shared, and the rights and choices you have with respect to your data. We provide this Privacy Notice to help you understand how we process your data as part of our commitment to maintaining your trust. Thank you for taking the time to read and understand our data and privacy related practices.

Please note, our privacy practices are subject to the applicable laws of the places in which we operate. You will see additional region-specific terms that only apply to customers located in those geographic regions, or as required by applicable laws.

You can click on the following links to go directly to the corresponding sections of this Privacy Notice.

TABLE OF CONTENTS

1. WHAT OUR PRIVACY NOTICE COVERS
2. CHANGES TO THIS NOTICE
3. PERSONAL DATA WE COLLECT AND HOW WE USE IT
4. WHY WE COLLECT YOUR PERSONAL DATA
5. HOW WE DISCLOSE YOUR PERSONAL DATA
6. HOW WE PROTECT YOUR PERSONAL DATA
7.  DATA RETENTION
8.  YOUR CHOICES
9.  YOUR RIGHTS
10. INTERNATIONAL TRANSFERS
11.  ADDITIONAL NOTICE FOR INDIVIDUALS LOCATED IN THE EEA, UNITED KINGDOM AND SWITZERLAND
12. ADDITIONAL NOTICE TO INDIVIDUALS IN CANADA
13. ADDITIONAL NOTICE TO INDIVIDUALS IN AUSTRALIA
14. ADDITIONAL NOTICE TO INDIVIDUAL IN BRAZIL
15. CHILDREN’S PRIVACY
16.  CONTACT INFORMATION

1. WHAT OUR PRIVACY NOTICE COVERS

This Privacy Notice applies to all personal data that we collect about you when you do any of the following (collectively “Services”):

  • use the ISACA websites located at sz-xinda.net, cmmiinstitute.com, and other websites owned or controlled by ISACA or related mobile applications that link to this Privacy Notice (collectively “Sites”);
  • use ISACA products or services and complete related forms, participate in ISACA events, or communicate with one of our customer service representatives; or
  • interact with CMMI or other ISACA affiliated companies.

This Privacy Notice does not cover the privacy practices of local ISACA chapters, which are separate legal entities. You should contact them directly or review the privacy notice located on their websites to understand how they process your personal data.  

Our Sites may contain links to third-party websites. These third-party websites and services are not related to us and may have separate privacy policies and data collection practices. We have no responsibility for these websites or their privacy practices and encourage you to read the privacy policies of all websites you visit.

By accessing and using our Services, subject to applicable law, you acknowledge you understand the terms of this Privacy Notice and agree to our Terms of Use. If you are not comfortable with any aspect of this Privacy Notice or our Terms of Use, you should immediately discontinue access to and use of our Services.

2. CHANGES TO THIS NOTICE

We may need to update this Privacy Notice from time to time to reflect changes in our business practices, data collection practices or changes in the applicable law. If we make a change that we believe materially affects how we process your personal data, we will provide notice of such change on this Site or via email, at the email address we have on file for you. After such notice, your continued use of our Services will be subject to the then-current Privacy Notice. We encourage you to look for updates and changes to this Privacy Notice by checking the “Last Updated” date located at the top of the new Privacy Notice.

3. PERSONAL DATA WE COLLECT AND HOW WE USE IT

We collect personal data when you interact with our Services. Personal data is typically data that can be used to identify you directly or indirectly. The definition of personal data depends on the applicable law based on your physical location. Only the definition that applies to your physical location will apply to you under this Privacy Notice. This Notice does not apply to anonymized information as it cannot be used to identify you.

The types of personal data that we may collect about you include, but are not limited to, information you provide to us, information from third parties, and information collected automatically about your use of our Services.

A. Data You Directly and Voluntarily Provide to Us

  • Membership or Registered User

    If you sign up to become a registered user or an ISACA Member, you will be required to provide certain personal data as part of the registration process. This information may include your first and last name, email address, and business or home address. We use this information to communicate with you, to design content and activities that we believe would be of interest to you, and to ensure that we will not violate any applicable U.S. sanctions in providing you access to our Services.
    We rely on fulfillment of contract as the lawful basis for processing your personal data.
    We may also request that you voluntarily provide other information, such as your phone number, date of birth, demographic information, educational background, work experience, information about your non-ISACA certifications, courses or areas of study in which you may be interested and information about your company as it relates to our Services and your membership.
    We rely on our legitimate interests as the lawful basis for processing your personal data in this way.


  • Events and Conferences

    We may host events that include in-person and virtual conferences, training, knowledge sharing and webinars.
    • Registrants. If you register for an event, and you already have an account, we will access the personal data in your account to provide you with information and services associated with the event. We may also ask for additional demographic information during the registration process. We may also collect dietary restrictions and disabilities information that you voluntarily provide to ensure appropriate accommodations are provided during events and conferences.
      If you register for one of our events and you do not have an account or are not a member, we will collect certain personal data such as your first and last name, email address, business or home address, information about the type of business you work for or with, and your role in that business. We use this personal data to provide event attendees with event services, including badge printing, tracking your Continuing Professional Education (CPE) credits, tailoring sessions to meet the audience profile and to determine the sessions likely to require the biggest rooms, and related purposes connected with the event. We rely on fulfillment of contract as the lawful basis for processing your personal data in relation to events and conferences.
    • Presenters. If you are a presenter at one of our events, we will collect information about you such as your name, employer, contact information and photograph, and we may also collect information provided by event attendees who evaluated your performance as a presenter. We may also make and store a recording of your voice and likeness in certain instances, subject to applicable law. We rely on a legitimate interest as the lawful basis for collecting, storing and processing your personal data in this way.

  • Publications

    We offer various publications and materials through our Sites. Some of these publications and materials are publicly accessible, and others require that you be a member, or that you create an account and subscribe to receive these publications and materials. If you are not a member and you create an account for this purpose, you will be required to provide certain information as part of your account registration, which may include your first and last name, email address, business or home address and professional information. We rely on our contract with you as the lawful basis to process your personal data for purposes of fulfilling your request to receive our publications.

  • Exams and Certification

     When you register to take an ISACA exam, we will collect certain personal data such as your first and last name, email address, phone number, business address, home address, demographic information and professional and education history. We may also collect and store information you provide to us about special accommodations that you may request. Only authorized employees within ISACA have access to your exam scores and personal data pertaining to any special accommodations you may request. ISACA will collect your exam results and, in conjunction with maintaining your certification(s), if applicable, your record of participation in continuing professional education. We rely on a contract fulfillment basis to process personal data associated with providing certification services.

  • Certification Status

    If you hold an ISACA certification, we will only share your certification status with a third party to the extent we have received your prior consent to share such information, or to the extent you have provided the third party with the necessary information to access your certification status on our Site. We rely on your consent as the legal basis for processing your personal data in this way.

  • Communications

    If you communicate or correspond with us by email, through postal mail, via telephone or through other forms of communication, including our customer service center, we may collect the personal data you provide as part of those communications.  For example, if you correspond with us through email, we may collect and store the email address you use to send the applicable correspondence and use it to respond to your inquiry; to notify you of ISACA conferences, publications, or other services; or to keep a record of your complaint, accommodation request, and similar purposes. We have a legitimate interest in processing the personal data of those who communicate voluntarily with us seeking our Services.

  • CMMI Services

    If you contact CMMI about its services, we may collect the personal data you provide in order to communicate with you about our services. If you retain CMMI to provide you with their services, we will process certain personal data of your employees who interact with us in finalizing the contract and in providing the services, including their first and last name, email address, business address and telephone number. We rely on fulfillment of contract as the lawful basis for processing your personal data in such situations.

B. Information We Automatically Collect

As you navigate through and interact with our Sites, we may use automatic data collection technologies to collect certain information about your device (computer, tablet, smart phone) and your activities, including:

  • If you access the Services through a computer, we will automatically collect certain information such as your browser type and version, computer and connection information, IP address, mobile device advertising identifier, Media Access Control (MAC) address pages you have visited, type of device, operating system name and version, device manufacturer, browser information (type, version), screen resolution, Internet service provider or mobile carrier’s name, connection speed and connection type, date stamp, URL of the last webpage visited before visiting our Platform, and URL of the first page visited after leaving our Platform, pages viewed, time spent on a page, click through, clickstream data, queries made, search results selected, comments made, search history, type of service requested, purchases made, and information collected through cookies, pixel tags, and other technologies. For more information on the tracking technology we use, please see our Cookie Notice, which describes the cookies used on our Sites and provides information on how you can control the personal data processed.
  • If you access the Services through a mobile device, we may also be able to identify the location of your mobile device. We use your location information (if shared) to identify the geographic locations from which our content is accessed so that we can better understand what content topics may be most relevant in that region, and to our members generally, and to develop resources around those content topics. You may choose not to share your location details with us by adjusting your mobile device’s location services settings. For instructions on changing the relevant settings, please contact your service provider or device manufacturer.

To the extent our Sites use non-essential tracking technology, we rely on consent as the legal basis for processing the personal data of individuals located in the European Economic Area, the United Kingdom and Switzerland.

C. Information from Third Parties

We may receive personal data about individuals from third parties. This may happen if your employer pays and registers you for training, certification, or membership, however, we will only share information about you with your employer if you consent in advance to our sharing this information. Our third-party training partners may also share your personal data with us when you sign up for training, certification or membership through the applicable training partner.

We may also receive personal data about you from companies controlled by or under common control of ISACA. When you interact with our Services on a social media platform, we may collect the personal data that you or the platform make available to us on that page or account, including your social media account ID and/or user name associated with that social media service, your profile picture, email address, friends list or information about the people and groups you are connected to and how you interact with them, and any information you have made public in connection with that social media service. The information we obtain depends on your privacy settings on the applicable social media service; we will comply with the privacy policies of the social media platform and we will only collect and store such personal data that we are permitted to collect by those social media platforms. When you access our Sites through social media channels or when you connect the Site to social media services, you are authorizing us to collect, store, and use such information and content in accordance with this Privacy Notice.

D. Information You Post on the Sites

If you post personal data on public areas of the Sites, that information may be collected and used by us, other users of the Sites, and the public generally.

If you are a member or registered user and choose to participate in our professional networking features, which are provided by our third-party vendor and volunteer platform provider, Higher Logic, your postings will be associated with the personal data in your public member profile (which includes your name, user name, and other optional information you may choose to include). ISACA may share the following personal data, to the extent you have provided it, with Higher Logic for this volunteer management platform and other ISACA platforms: your name, state, zip code, country, phone number, bio, email, job title, company, ISACA and non-ISACA certifications, education (university or school and degree), areas of interest, membership level, chapter membership, chapter leader role, chapter ID, work experience, date of birth, photo and staff membership.

If you decide to participate in our platforms and professional networking features, keep in mind that your personal data (for example, your name and online user name), along with any substantive information you disclose in the communication you decide to post, will be publicly accessible and viewable by others who visit that area. In addition, we may highlight certain users’ postings or contributions to other members of the ISACA professional networking features. For example, users who participate actively in our social networking features, like contributing materials and engaging in certain online activities, will be listed as “active members” in a roster that is viewable by all other registered users, to the extent that they consent to being listed. It is possible that your posting may result in unsolicited messages from third parties. We strongly recommend that you do not post any information on the public areas of the Sites that allows strangers to identify or locate you or that you otherwise do not want to share with the public.

E. Payment Information

All credit or debit card numbers you provide to pay for our Services are processed by a third party payment processing service that is compliant with the Payment Card Industry Data Security Standard (PCI/DSS). All information collected by these third-party providers for purposes of processing your payments is not available to us, unless you have otherwise provided this information to us in connection with your use of the Sites or our Services.

4. WHY WE COLLECT YOUR PERSONAL DATA

We use your information for business purposes, including to provide the products and services you request, to perform customer service functions, for security and fraud prevention, for marketing and promotional purposes, and to perform website and mobile application analytics. We may use the data we collect about you to:

A. To Provide and Maintain Our Services

We will use your personal data to provide information or deliver Services that you request and to allow you to participate in interactive features of our Sites and Services when you choose to do so. For example:

  • We process your personal data to provide membership benefits and other services to you, including order processing, processing of certification or membership applications, registering you for event or training programs, or registering you for reduced hotel price rates.
  • When you sign up for a certification course or seminar, we will use your personal data to facilitate the delivery of such course or seminar.
  • To the extent your organization has paid for your certification course or seminar, subject to your consent, we may provide the status of your course or seminar to your organization.
  • In compliance with applicable laws, we may also publish the names, titles, country and business affiliations of officers, committee members and others who have assisted with initiatives or projects to provide recognition of their achievements to the ISACA community.

B. To Provide Customer Support or Respond to You

We collect any information that you provide to us when you contact us, such as with questions, concerns, feedback, disputes or issues. Without your personal data, we cannot respond to you.

C. To Personalize Your Experience

We may also use your personal data to tailor your experience at our Sites, to compile and display content and information that we think you might be interested in, and to provide you with content according to these preferences. We may also use this information to help us understand your needs and interests, and to better tailor our products and services to meet your needs.

D. For Research and Development

We may use your information to gather analysis or valuable information so that we can improve our Services and to detect, prevent and address technical issues. We may also use your information to monitor the usage of our Site including without limitation search terms entered, pages visited and documents viewed.

E. For Security Reasons

We may use personal data to help monitor, prevent and detect fraud, enhance security, monitor and verify identity or access, or security risks.

F. To Send You Marketing and Promotional Emails

We may use your personal data we collect from you and third-party sources to contact you with newsletters, marketing or promotional materials and other information that may be of interest to you, to deliver targeted and relevant advertising and marketing to you, and to promote our Services. Our marketing will be conducted in accordance with your advertising / marketing preferences and as permitted by applicable law.

G. To Advise You of Other Services

From time to time, subject to the applicable law, we may share your personal data with third parties or partners. You may opt out of having your personal data shared with third parties. If you choose to limit the use of your personal data , certain features or Services may not be available to you.

H. To Post Testimonials

We may use personal data to post testimonials on our Sites. Prior to posting a testimonial, we will obtain your consent to use your name and testimonial. You can request your testimonial be updated or deleted at any time by sending a request with your name, testimonial location and contact information.

I. To Enforce Our Terms, Agreements or Policies

When you access or use our Services, you are bound to our Terms of Use. To ensure you comply with them, we process your personal data by actively monitoring, investigating, preventing and mitigating any alleged or actual prohibited, illicit or illegal activities on our Services. We may process your personal data to: investigate, prevent or mitigate violations of our internal terms, agreements or policies; enforce our agreements with third parties and business partners; and, as applicable, collect fees based on your use of our Services. We may also use your data to ensure that we will not violate any applicable U.S. sanctions in accepting your donation or by providing you access to our Services.

J. To Maintain Legal and Regulatory Compliance

Our Services are subject to certain laws and regulations which may require us to process your personal data. For example, we process your personal data to fulfill our business obligations, or as necessary to manage risk as required under applicable law, or to respond to requests by judicial process or governmental agencies.

K. With Your Consent

For any other purpose disclosed to you prior to you providing us your personal data or which is reasonably necessary to provide the services or other related services requested, with your permission or upon your direction.

5. HOW WE DISCLOSE YOUR PERSONAL DATA

Except as set forth in this Privacy Notice or when specifically agreed to by you, we take care to allow your personal data to be accessed only by those who need access in order to perform their tasks and duties, or have a legitimate purpose for accessing it. In general, we do not share your information with a third party for their independent use unless: (i) you request or authorize it, (ii) it is required by law, or (iii) it is in connection with a co-sponsored event. We may share your personal data in the following circumstances:

A. For Recognition

Subject to applicable law, we may also make publicly available the names, titles, country and business affiliations of officers, committee members and others who have assisted with initiatives or projects to ensure they receive the appropriate recognition.

B. When We Work with Service Providers

We may share your personal data with our suppliers, subcontractors, and other third parties who provide services to us (collectively “service providers”) in connection with advertising, hosting, data analytics, information technology and infrastructure, email delivery, auditing, exam-testing, training providers, conference or event venues or on-site service providers, and other related activities. Our service providers are given only the information they need to perform their designated functions and are prohibited from using the data we provide them for their own purposes.

C. When We Work with Business Partners and Sponsors

From time to time, we may engage in joint sales or product promotions with selected business partners. If you purchase or specifically express interest in a jointly-offered product, promotion or service, we may share relevant personal data with those partners as permitted under applicable law. If you are an event attendee, speaker, or sponsor, certain personal data about you may be included in the event roster, which may also be shared with third-party event sponsors and exhibitors and publicly disclosed, subject to the applicable law. While we do not control our business partners’ use of such information, we do take appropriate steps to ensure that they use appropriate safeguards to protect your personal data. Our partners and sponsors are responsible for managing their own use of the personal data collected in these circumstances, including providing privacy notices to you about how they use your personal data. We recommend you review the privacy policies of the relevant partner to find out more about their handling of your personal data. Where we do share your personal data with third parties, ISACA takes steps to ensure that they use appropriate safeguards to protect your personal data in compliance with applicable laws.

D. Within Our Corporate Organization and with Our Local Chapters and Volunteers

We are part of a corporate organization that has many legal entities, business processes, management structures and technical systems. If you participate in our “Enterprise Participation Program,” your personal data, particularly with respect to the goods and/or services your company has purchased from ISACA for your benefit, will be shared with your organization’s program coordinator. As permitted under applicable law, we may also share your personal data:

  • Within this organization and with our subsidiaries and/or affiliates to provide services and support, provide recommendation to optimize services, to provide members and prospective members with information about our Services, and for the purposes otherwise described in this Privacy Notice.
  • With our board members and our volunteers for the purposes of conducting our internal business operations. 
  • With your local ISACA chapter so they may offer membership and associated services to you pursuant to your membership in that Chapter.
  • With One in Tech, an ISACA Foundation to provide information regarding their programs and initiatives.

E. When Sharing Helps Us Protect Safety and Lawful Interests

We may disclose your personal data to government authorities or third parties if: (i) required to do so by law or regulation, or in response to a subpoena or court order or any other enforceable governmental request or order; (ii) we believe disclosure is reasonably necessary to protect against fraud, to protect the property or other rights of us or other users, third parties or the public at large; or (iii) to exercise, establish or defend our legal rights.

F. When We Work on Business Transactions

If we become involved with a merger, corporate transaction or another situation involving the transfer of some or all of our business assets, we may share your information with business entities or people involved in the negotiation or transfer. The use and disclosure of all transferred user information will be subject to this Privacy Notice. However, any information you submit or that is collected after this type of transfer may be subject to a new privacy policy adopted by the successor entity.

G. Potential Employers

If you use ISACA’s  Career Center services, the personal data you include in your profile will be shared with our Career Center site vendor and will be subject to the vendor’s privacy policies. When you provide information in the Career Center, your information may be accessible to potential employers or recruiters. We will only share personal data about you with potential employers or recruiters if you consent in advance to our sharing of this information.

H. With Your Consent

We may share information about you with other companies if you give us permission or direct us to share the information.

I. When You Post on Our Sites

If you post information on a blog or another part of our Sites, the information that you post may be seen by other visitors to our websites. We are not responsible for the information you choose to submit in these public areas.

6. HOW WE PROTECT YOUR PERSONAL DATA

Personal data is maintained on our servers or those of our service providers, and is accessible by authorized employees, representatives, and agents as necessary for the purposes described in this Privacy Notice.

We realize that individuals trust us to protect their personal data. We take reasonable measures to protect all personal data we may hold in order to prevent loss, misuse, unauthorized access, disclosure, alteration and destruction. In some areas of our platforms, we may use encryption technologies to enhance data privacy and help prevent loss, misuse, or alteration of the information under ISACA’s control.

While we attempt to protect your personal data in our possession, no method of transmission over the internet or security system is perfect, and we cannot promise that information about you will remain secure in all circumstances. We encourage you to use caution when disclosing information online. Often, you are in the best position to protect yourself online. You are responsible for protecting your login ID and password from third-party access, and for selecting passwords that are secure.

7. DATA RETENTION

We will retain the personal data we collect from you where we have a justifiable business need to do so and/or for as long as is needed to fulfil the purposes outlined in this Privacy Notice, unless a longer retention period is required or permitted by law (such as tax, legal, accounting or other purposes). When we have no justifiable business need to process your personal data, we will either delete or anonymize it, or, if this is not possible (for example, because your personal data has been stored in backup archives), then we will securely store your personal data and isolate it from any further processing until deletion is possible. Please note that, if you wish to cancel your account or request that we no longer use your information to provide you services, we may still retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

8. YOUR CHOICES

Listed below are the choices we provide you in relation to the processing of your personal data. Individuals located in the European Economic Area (“EEA”), the United Kingdom or Switzerland at the time you provide your personal data, please see section 9 for more information about your rights.

A. Marketing Communications

If you receive commercial electronic communications from us, you can unsubscribe from the receipt of future commercial electronic communications from us by clicking on the “unsubscribe link” provided in such communications, or by going to your MyISACA Profile and the Unsubscribe Section and selecting your Opt-Out Preference.  Please note that even though you have opt-out of receiving marketing-related communications from us, we may still send you important administrative messages, and you cannot opt out from receiving these messages.

B. Subscriptions

You may manage your subscriptions by subscribing or unsubscribing at any time. Please navigate to your MyISACA Profile and the Unsubscribe Section and selecting your Opt-Out Preference to cancel such subscriptions.

C. Access and Correction

You have the right to review and correct personal data that we have collected from you. You may exercise this right by contacting us as indicated in the “How to Contact Us” section, or by going to the Privacy Rights Portal. In your request, please make clear what information you would like to have changed. For your protection, we may need to verify your identity before implementing your request. We will try to implement your request as soon as reasonably practicable. We reserve the right to refuse to act on a request that is manifestly unfounded or excessive (for example because it is repetitive) and/or to charge a fee that takes into account the administrative costs for providing the information or taking the action requested.

D. Cookies and Targeted Advertising

You may opt out of our use of cookies and similar technologies used on our Sites for various purposes such as targeted advertising. To do so, when you visit our Sites, go to To do so, when you visit our Sites, go to the “Cookies Setting” link in the website footer and use the cookie preference center to confirm your choice. Please see our Cookie Notice to learn more about cookies

E. California Residents

This section applies only to California residents.

  • You may request information concerning the categories of personal data (if any) we disclose to third parties or affiliates for their direct marketing purposes. To make such a request, please visit our Privacy Rights Portal.
  • If you are under the age of 18, and you have a registered account, you may request that we remove content or information that you posted on the Site or stored on our servers, by submitting a request in writing as indicated in the “How to Contact Us” section below, and clearly identifying the content or information that you wish to have removed, and providing sufficient information to allow us to locate the content or information to be removed.
  • Your browser may allow you to adjust your browser settings so that “do not track” requests are sent to the websites that you visit. However, we do not respond to “Do Not Track” (DNT) signals. To determine whether any of the third-party services it uses honor the “Do Not Track” requests, please read their privacy notices.

9. YOUR RIGHTS

Your rights may include:

  • Access and portability. You may ask us to confirm whether we are processing your personal data, provide you with details about such processing, and, in some limited circumstances, give you a copy of your personal data. You may ask us to provide your personal data in a structured, commonly used, machine-readable format, or you can ask to have it ported directly to another controller.
  • Erasure or deletion. You may ask us to delete the personal data that we hold about you.
  • Rectification or correction. You may ask us to correct any inaccurate or incomplete personal data that we hold about you.
  • Objection to processing. You may request that we stop processing your personal data for specific purposes including marketing and profiling.
  • Restriction of processing. You may request that we restrict the processing of your personal data in certain circumstances (for example, where you believe that the personal data we hold about you is not accurate or lawfully held).
  • Lodge a complaint to your local Data Protection Authority. You may have the right to lodge a complaint with your national Data Protection Authority or equivalent regulatory body. Contact details for data protection authorities in the European Economic Area are available here, and contact details for the United Kingdom’s ICO are available here.
  • Automated decision-making. We do not employ solely automated decision-making, as a matter of course, that results in automated decisions being taken (including profiling) that legally affect you or similarly significantly affect you. Automated decisions are decisions made automatically based on computer determinations (using software algorithms), without human review. If you are to be subjected to automated decision making, we will make it clear at the time and you have the right to contest the decision, to express your point of view, and to require a human review of the decision.

These rights are not absolute and are subject to conditions or limitations as specified in applicable laws. If you would like to exercise any of the above rights, please go to our Privacy Rights Portal. We will process your request in accordance with applicable privacy and data protection laws. To protect your privacy and security, we may take steps to verify your identity before complying with the request.

10. INTERNATIONAL TRANSFERS

When you access or use our Services, your personal data may be processed in the United States or any other country in which ISACA, our affiliates, or service providers maintain facilities. Such countries or jurisdictions may have data protection laws that are less protective than the laws of the jurisdiction in which you reside.

We will take all the steps reasonably necessary to ensure that your personal data is treated securely and in accordance with this Privacy Notice and no transfer of your personal data will take place to an organization or a country unless there are adequate controls in place. If you do not want your personal data transferred to or processed or maintained outside of the country or jurisdiction where you are located, you should not use our Services.

Individuals located in the European Economic Area (“EEA”), the United Kingdom or Switzerland at the time you access our Services, please see section 11, for information on how we transfer your personal data.

11. ADDITIONAL NOTICE FOR INDIVIDUALS LOCATED IN THE EEA, UNITED KINGDOM AND SWITZERLAND

This section only applies to individuals that access or use our Services while located in the European Economic Area, the United Kingdom or Switzerland (collectively “Europe”). We may ask you to identify which country you are located in when you use some of the Services or we may rely on your IP address to identify which country you are located in. When we rely on your IP address, we cannot apply the terms of this section to any individual that masks or otherwise hides their location information from us so as not to appear located in Europe. If any terms in this section conflict with other terms contained in this Notice, the terms in this section shall apply to users in Europe.

A. Data Controller, Data Protection Officer and UK Representative

The controller for the processing described in this Privacy Notice is: ISACA, 1700 E. Golf Road, Suite 400, Schaumburg, Illinois 60173, USA.

If you are located in Europe, you can contact our Data Protection Officer via our Privacy Rights Portal.

UK Data Subjects: As ISACA does not have a physical present in the UK, we have appointed DataRep as our UK representative in accordance with Art. 27, UK-GDPR. It you want to raise a question to ISACA or otherwise exercise your rights in respect of your personal data, you may do so by:

  • sending an email to DataRep at datarequest@datarep.com quoting “ISACA” in the subject line,
  • contacting us on our online webform at www.datarep.com/data-request, or
  • mailing your inquiry to DataRep at DataRep, BPM 335368, 372 Old Street, EC1V 9AU, London, United Kingdom.

Please note that when mailing inquiries, it is ESSENTIAL that you mark your letters for “DataRep” and not “ISACA” or your inquiry may not reach us. Please refer clearly to ISACA in your correspondence. On receiving your correspondence, we may verify your identity to ensure your personal data and information connected with it is not provided to anyone other than you. If you have any concerns over how DataRep will handle the personal data we will require to undertake our services. please refer to our privacy notice at www.datarep.com/privacy-policy.

B. Marketing

We will only contact individuals located in Europe by electronic means (including email or SMS) based on our legitimate interests, as permitted by applicable law or the individual’s consent. When we rely on legitimate interest, we will only send you information about our Services that are similar to those which were the subject of a previous sale or negotiations of a sale to you. If you do not want us to use your personal data in this way please click an unsubscribe link in your emails or going to your MyISACA Profile and the Unsubscribe Section and and submitting an opt-out request. You can object to direct marketing at any time and free of charge. Direct marketing includes any communications to you that are only based on advertising or promoting products and services.

C. Legal Bases for Processing

For individuals who are located in Europe at the time their personal data is collected, our legal bases for processing your information under the General Data Protection Regulation (“GDPR”) will depend on the specific context in the which the personal data is collected and the purposes for which it is used. When we process your personal data, depending on the context, we may rely on a variety of different legal bases to process, including: (i) to perform a contract with you (or to take steps at your request prior to entering into a contract with you); (ii) necessity for our legitimate interests; (iii) to comply with our legal obligations and/or (iv) your consent. Below is a list of how we use or disclose your personal data, as described above in Section 4 and 5, with the corresponding legal bases for processing.

Processing Activity Legal Bases for Processing
Section 4(E) For Security Reasons Section 4(J) To Maintain Legal and Regulatory Compliance
Section 5(E) When Sharing Helps Us Protect Safety and Lawful Interests 		Based on our legal obligations. Article 6(1) lit.(c) GDPR.
Section 4(A) To Provide and Maintain Our Services
Section 4(B) To Provide Customer Support and Respond to You
Section 4(I) To Enforce Our Terms, Agreements and Policies
Section 5(A) For Recognition
Section 5(B) When We Work with Service Providers
Section 5(D) Within Our Corporate Organization and with Our Local Chapters and Volunteers.
Section 5(G) Potential Employers 		Based on our contract with you or to take steps at your request prior to entering a contract. Article 6(1) lit.(b) GDPR.
Section 4(C) To Personalize Your Experience
Section 4(D) For Research and Development
Section 4(H) To Post Testimonials
Section 4(G) To Advise You of Other Services
Section 5(F) When We Work on Business Transactions 		Based on our legitimate interest to operate our business and not overridden by your data protection interests or fundamental rights and freedom. Article 6(1) lit.(f) GDPR.
Section 4(F) To Send You Marketing and Promotional Emails
Section 4(K) With Your Consent
Section 5(C) When We Work with Business Partners and Sponsors
Section 5(H) With Your Consent
Section 5(I) When You Post on Our Sites 		Based on your consent. Article 6(1) lit.(a) GDPR.


D. Transfers of Personal Data Outside the Europe

While ISACA has an establishment in Ireland, ISACA Europe Limited, our headquarters are located in the United States, and information we collect from you will be transferred, stored and processed in the United States.

We will protect your personal data in accordance with this Privacy Notice wherever it is processed and will take appropriate contractual or other steps to protect the relevant personal data in accordance with applicable laws. These steps include implementing the European Commission's Standard Contractual Clauses for transfers of personal data to our service providers and business partners located in countries that the EU views as not providing an adequate level of data protection. To the extent applicable, ISACA may also rely on derogations as set forth in Article 49, GDPR for the transfer and onward transfer of personal data in such situations.

12. ADDITIONAL NOTICE TO INDIVIDUALS IN CANADA

This Section provides additional information to individuals located in Canada at the time their personal data is collected by ISACA. You may request details about our privacy practices, access or correct your personal data, or make a complaint by contacting our privacy officer at Privacy Rights Portal.

If you are not satisfied with our response to your inquiry, you may contact the Office of the Privacy Commissioner of Canada: 1-800-282-1376 (toll-free) or priv.gc.ca.

13. ADDITIONAL NOTICE TO INDIVIDUALS IN AUSTRALIA

This Section provides additional information to individuals located in Australia at the time their personal data is collected by ISACA. You may request to correct or update any of your personal data in our files. We may provide you with the ability to update some or all of your personal data directly via our Privacy Rights Portal. If you request that your information be corrected, and we do not agree that it is incorrect, we may refuse to update that information. In such a scenario, we will provide written notice of our refusal to do so and upon your request, will place a statement of what you allege is correct where your personal data is kept and accessed. 

14. ADDITIONAL NOTICE TO INDIVIDUAL IN BRAZIL

This Section provides additional information to individuals located in Brazil at the time their personal data is collected by ISACA.

The controller for the processing described in this Privacy Notice is: ISACA, 1700 E. Golf Road, Suite 400, Schaumburg, Illinois 60173, USA.

We process your personal data on one or more of the following legal bases:

  • as necessary to enter into a contract with you, to perform our contractual obligations, to provide our Services, to respond to requests from you, or to provide customer support;
  • where we have a legitimate interest, as described in this Privacy Notice;
  • as necessary to comply with relevant law and legal obligations, including to respond to lawful requests and orders; or
  • with your consent.

You can also file a complaint with Brazil’s National Data Protection Authority (ANPD) through its official channels.

Transfers outside of Brazil. When we transfer your personal data outside Brazil, we do so in accordance with the terms of this Privacy Notice and applicable data protection law.

15. CHILDREN’S PRIVACY

We do not knowingly collect personal data from persons under the age of 18. If you are a parent of a child under 18, and you believe that your child has provided us with information about him or herself, please contact us via the information in the Contact section below.

16. CONTACT INFORMATION

If you have any questions or concerns about this Privacy Notice, please…

  • Visit our Privacy Rights Portal
  • Email the ISACA Data Protection Officer at: DPO@sz-xinda.net
  • Write to us at:
    ISACA
    Data Protection Officer
    1700 E. Golf Road, Suite 400
    Schaumburg, Illinois 60173, USA