INDEX 1. Purpose of the Privacy Policy 2. Definition of personal data 3. Identity of the Data Controller 4. Applicable laws and regulations 5. Principles applicable to the processing of personal data 6. Security measures 7. Purposes of processing 8. Lawfulness of processing 9. Recipients of your data 10. Data processing activities carried out 11. Personal data of minors 12. Origin and types of data processed 13. Rights of data subjects 14. Modification 1.- PURPOSE OF THE POLICY At Spain Startup and Investor Services S.L. (hereinafter, Spain Startup), we respect your privacy and protect your personal data. This policy details how we collect, use, and share your information in accordance with applicable data protection regulations, including the General Data Protection Regulation (GDPR). This privacy policy applies to the website http://www.southsummit.io. If you do not provide us with your personal data, your information will not be processed. We will inform you about the purposes of processing, the entities that may have access to your data, and your rights as a data subject. Some processing may be based on legal obligations, contracts, or legitimate interests, without requiring your express consent. If the website uses cookies, we will clearly notify you in our Cookie Policy, where you can find more information about the use of cookies and how to manage your preferences. This policy ensures transparency and is designed to let you know how to understand and exercise your rights. 2.- DEFINITION OF PERSONAL DATA Personal data: Personal data means any information relating to an identified or identifiable natural person ("Website User"). The following person shall be considered a person: 08.02.- SECOND LEVEL PRIVACY POLICY http://www.southsummit.io The term "identifiable person" refers to any person whose identity can be determined, directly or indirectly, by identifiers such as a name, an identification number, location data, an online identifier, or by elements of physical, physiological, genetic, psychological, economic, cultural or social identity. 3.- IDENTITY OF THE DATA CONTROLLER Who collects and processes your data? The Data Controller is: Spain Startup and Investor Services S.L. CIF B86685294. How can you contact us? - Postal and office address: Paseo de la Castellana n.º 70, segunda planta, 28046, Madrid (Madrid), Spain. - Registered office: Paseo de la Castellana n.º 70, segunda planta, 28046, Madrid (Madrid), Spain. - Email: privacy@southsummit.io - Phone: +34 915625784 Who can help you with our Data Protection Policy? At Spain Startup, we have a Data Protection Officer (DPO), whose role is to ensure compliance with current data protection regulations within our organization. If you have any questions or need help with the processing of your personal data, you can contact our DPO through the following means: - Auratech Legal - NIF B87984621 - Email: privacy@spain-startup.com - Phone: 911134963 4.- APPLICABLE LAWS AND REGULATIONS This Privacy and Data Protection Policy is developed based on the following data protection laws and regulations: - Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. Hereinafter, GDPR. - Organic Law 3/2018, of 5 December, on Personal Data Protection and Guarantee of Digital Rights (hereinafter, LOPD/GDD). - Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce (hereinafter, LSSICE). 5.- PRINCIPLES APPLICABLE TO THE PROCESSING OF PERSONAL DATA At Spain Startup, we process personal data in accordance with the principles established in current legislation, ensuring that processing is carried out in compliance with the principles established in current legislation: - Lawful, fair, and transparent: We provide clear and accessible information on how we collect and use data. - Limited to specific purposes: Data is collected for legitimate purposes and not used for other purposes. - Data minimization: We only request strictly necessary data. - Accuracy: We keep data updated and correct inaccurate data. - Storage limitation: Data is stored only for the time necessary for the stated purposes. - Integrity and confidentiality: We apply appropriate security measures to protect data. - Proactive accountability: We take responsibility for complying with these principles. 6.- SECURITY MEASURES What do we do to guarantee the privacy of your data? At Spain Startup, we have implemented the necessary technical and organizational measures to ensure the security of the personal data we process. These measures are designed to prevent alteration, loss, unauthorized access, or improper processing of data, adapting to the state of technology and potential risks. Among the measures, we highlight: - Confidentiality: Only authorized persons can access the information. - Integrity: Information is kept accurate and protected against unauthorized modifications. - Availability: We ensure that data is accessible to authorized persons at all times. - Continuous evaluation: We periodically review and improve our security to adapt to new threats and technological advances. - Pseudonymization and encryption: We use these techniques to reinforce data protection, especially sensitive data. 7.- PURPOSES OF PROCESSING Why do we want to process your data? The following are the intended uses and purposes: Travel and accommodation booking management - South Summit. Coordination with partners and suppliers to manage bookings and discounts that facilitate event attendance. Provide exclusive information and offers on travel, accommodation, and transport to attendees. Promote exclusive agreements with partners related to travel and accommodation services. Personalized follow-up of requests received through the website. Startup Competition Evaluation Committee. Coordinate online discussion sessions to select finalist projects. Send emails with links to register on the platform and schedule sessions. Evaluate pre-selected projects through the evaluation platform. Manage committee members' access to the platform and startup data. Invite corporations, investment funds, and institutions to participate in the evaluation committee. Cookies, pixels, and tracking. Share information on social networks. "Favorite", "Like", +1 buttons and similar. Obtain statistical data on user navigation, identify problems, and analyze their preferences. Third-party video transmission and mapping. A feature or add-on provided by a third party establishes a direct connection between the user's browser and the third party's internet domains, allowing its download and execution. Co-organization of the South Summit 2025 event. Communication and marketing: Send information, updates, news, and promotional materials related to the event. This includes sending emails and other messages to keep attendees informed about event details and any important changes or developments. Event access control: Manage access for participants, volunteers, and speakers. This ensures that only authorized individuals can access certain areas of the event. Compliance with GDPR obligations: Manage requests to exercise rights under the GDPR and notify security breaches. This involves managing participant requests related to their personal data and notifying any security breaches to the competent authorities. Surveys and feedback: Collect opinions and suggestions from participants to improve future events. After the event, surveys will be sent to get feedback from attendees. About what they liked and what could be improved. Participant management: Facilitate participation in South Summit activities and sections. This includes coordinating the activities in which participants can take part and ensuring that everyone has the necessary information to participate actively. Registered user management: Facilitate e-commerce and business opportunities for partners. This includes allowing startups and other companies to interact and do business during the event and through the event platform. Event organization and management: Coordinate and execute all activities related to the planning and execution of the event. This includes ensuring that all parts of the event run smoothly, such as activity scheduling, speaker coordination, and general logistics. Registration and access control: Manage registrations, credentials, and event tickets. This means registering all attendees, ensuring they have the correct credentials, and controlling who enters and leaves the venue. Session transmission and recording: Live stream and record event presentations and activities. This allows those who cannot attend in person to watch presentations and activities online and makes recordings available for later viewing. Use of images: Record and stream event presentations and display them on the Web and social networks. This involves taking photos and videos of the event and sharing them online for promotion and coverage. Facility video surveillance: Ensure the safety of people, property, and facilities through video surveillance. This means security cameras will be used to monitor the event venue and ensure the protection of all attendees. Compliance with GDPR obligations. Process your data in order to respond to requests for the exercise of rights established by the General Data Protection Regulation (Article 5 of the GDPR) and, where appropriate, for the notification of personal data security breaches to the supervisory authority and data subjects (Articles 33 and 34 of the GDPR). Respond to citizens' requests in the exercise of rights established in the General Data Protection Regulation. Data protection and information privacy. Event access management - South Summit. Monitor venue capacity in real time to ensure safety and compliance with local regulations. Manage attendee lists to facilitate registration and resolve potential access issues. Collect attendance data for analysis and improvement of future event editions. Verify and validate attendee access to the event using QR codes or other registration systems. Event partners and content production management. Coordination of tasks and responsibilities in event production. Management of speaker relationships and content scheduling. Supervision of development and achievement of production objectives. Communications and newsletter management. Send informative newsletters about the South Summit ecosystem (events, speakers, startups, and opportunities). Generate business opportunities through contact between participants and partners. Promote events, conferences, and competitions organized by South Summit. Provide promotional information about South Summit services, activities, and offers and its partners. Conduct segmented campaigns based on specific interests or professional sectors. Web queries management - South Summit. Channel ideas, suggestions, and proposals to improve the organization's services and activities. Respond to requests received through web forms such as Become an Ambassador, Suggest a Speaker, Suggest Ideas, and Contact Us. Manage and record queries from users interested in collaborating or participating in South Summit activities. Provide support and information related to services and events organized by South Summit. South Summit participant management. Organization of South Summit as a global physical meeting in Madrid, connecting different global innovation hubs and connecting key national and international innovation players through physical networks and through the digital platform. South Summit becomes a 365 connection platform, with meetings throughout the year, both in-person and digital, to continue connecting key players in the innovation ecosystem and enhancing the best of both worlds. This omnichannel format will be developed both virtually and in-person as circumstances or the convenience of the chosen format for each section dictates. The personal data collected will be processed for the purpose of managing the relationship derived from this contract. Allow effective and active participation in South Summit sections and activities for those who meet South Summit requirements. Process the consideration for the services and activities that the participant will enjoy at South Summit. Reciprocal use of distinctive signs and trademarks owned by the participant and the company. Social media management - South Summit. Create and publish promotional, informative, and engaging content on social media. Identify trends and opportunities through interaction data analysis. Interact with followers through responses to comments, direct messages, and mentions. Monitor statistics and metrics to improve social media strategy and foster community participation. Promote South Summit activities, events, and services. Participation requests management - Partner with Us / Get Your Stand. Manage requests to collaborate as partners or exhibitors at the event. Inform companies about the types of stands, rates, and services available to participate in South Summit. Offer personalized attention and resolve doubts related to event participation. Register and follow up on received inquiries to convert them into commercial agreements. Registered user competition management. Facilitate registration and access for startups, partners, and investors to the Startup Competition platform. Manage startup registration in the competition and associated services. Provide technical support to users and resolve incidents during the registration and evaluation process. Facilitate contact between competition participants and South Summit partners to generate business opportunities. Promote user participation in future events and competitions organized by South Summit. Video surveillance management in offices and event facilities. Control access and prevent security incidents in all facilities. Ensure the safety of people, property, and infrastructure in South Summit offices and facilities. Provide security during the organization and development of events in temporary venues. Provide recordings to competent authorities in case of incidents or investigations. Volunteer management. Support in the accreditation, logistics, and venue access area. Assign tasks and schedules to volunteers during the event. Support startups, speakers, and investors in the Marketplace and in meetings. Facilitate communication with volunteers before, during, and after the event for organizational matters. Ensure occupational risk prevention for volunteers during their collaboration in the event. Provide information to visitors and coordinate workflows at the venue. Evaluation Jury Management - Startup Competition. Send invitations and coordinate the participation of jury members, indicating dates and sessions. Manage jury applications received through the "Become a Juror" form. Maintain communication with jury members to inform them about competition-related activities. Organize and facilitate the evaluations of the 100 selected startups through the South Summit platform. Integrated Agenda and Calendar Management - South Summit. Appointment and agenda control. Coordination and reminders of scheduled meetings within South Summit. Generation of personalized calendars based on preferences and profile. Management of personalized agendas for event participants. Organization of appointments and meetings between attendees, investors, startups, and exhibitors. Planning of selected activities in the event program. Integrated Attendee and Ticketing Management - South Summit. Control event access through digital systems (QR codes or equivalents). Comply with legal and tax obligations associated with ticket sales. Send operational event information (location, schedules, updates). Provide event participation statistics to improve future editions. Manage ticket purchases through the South Summit website. Process and respond to requests for special passes such as the Investor Pass or Press Pass. Integrated Event Management - South Summit App. South Summit event calendar. Direct messaging between all attendees. Exhibitors. List of companies with stands, as well as their contact information and the responsible person. Initiate video calls from the messaging section with people with whom a conversation has been opened. My Event. Events that each user has marked and meetings with other users. My QR. QR code that allows accreditation to access the event. Networking. List of all attendees to contact them. Speakers. Access to each speaker's profile, where you can connect with their social networks and companies. Start-Up Competition. List of participating companies in the competition, their contact information, and corporate videos. Possibility to open direct messages with the company. Integrated Speaker Management - South Summit. Coordinate schedules and plan speaker participation in the event. Respond to requests received through the "Become a Speaker" form on the website. Share necessary information to promote their interventions on social networks and other channels. Manage and formalize image, voice, and NDA contracts with speakers. Publish speaker profiles on the website and other South Summit promotional materials. South Summit uses images. Press and media accredited for event coverage. Recording and streaming of event presentations. Publication of images and videos of attendees, speakers, and participants on social networks, website, and South Summit promotional materials. Use of event visual content for the promotion of future editions of South Summit. How long do we keep your data? We use your data for the time strictly necessary to fulfill the purposes indicated above. Unless there is a legal obligation or requirement, the foreseen retention periods are: Travel and accommodation booking management - South Summit: For a period of 5 years from the last confirmation of interest. Data will be kept as long as there is a contractual or commercial relationship with the data subject or until they exercise their right to erasure. In case of consent withdrawal, data will be blocked and kept exclusively for the defense of legal or contractual claims, for the periods established by regulations. Startup Competition Evaluation Committee: As long as the commercial relationship is maintained. Data will be kept for the time necessary for the organization and management of the evaluation. After the commercial relationship ends, data will be kept for a minimum of six years in accordance with the Commercial Code and tax regulations. Evaluators' access to the platform will be enabled for a limited period of three weeks after the evaluation process ends. Cookies, pixel, and tracking: You must access our cookie policy to know the retention time of each cookie as well as the information that has been collected. Co-organization of the South Summit 2025 event. - Registration and contact data: Will be kept for 5 years from the last confirmation of interest. - Images and recordings: Will be kept according to the policies of the social media platforms used and for historical and promotional purposes of the event. - Transactional data: Will be kept for 5 years according to applicable tax and accounting regulations. - Video surveillance data: 1 month from the recording date. - Compliance with GDPR obligations: As long as its erasure is not requested by the data subject. - Access control: 5 years from the last confirmation of interest. - Participant management: 6 years according to the Commercial Code and tax regulations. - Registered user management: 6 years from the last confirmation of interest. - Compliance with GDPR obligations: As long as the data subject does not request its erasure. Personal data provided will be kept as long as the data subject does not request its erasure or when it is no longer necessary (including the need to keep it for the applicable limitation period) or relevant for the purpose for which it was collected or recorded. Event access management - South Summit: For a period of 5 years from the last confirmation of interest. Data will be processed and kept for the time necessary to fulfill the purposes of access control. Subsequently, it will be securely stored and blocked for a period of 5 years, unless the data subject requests its erasure or there is a legal obligation requiring its retention. Event partners and content production management: As long as the commercial or contractual relationship is maintained. Data will be kept as long as necessary to fulfill the purposes of processing, respecting the principles of minimization and storage limitation. Subsequently, it will be deleted or anonymized. Communications and newsletter management: As long as the data subject does not request its erasure. Data will be kept as long as the data subject maintains their interest in receiving communications. In case of inactivity or withdrawal of consent, data will be deleted within a maximum period of 1 year, unless legally required to be kept. Web queries management - South Summit: As long as the commercial or contractual relationship is maintained. Data will be kept as long as there is a contractual and/or commercial relationship with the data subject or until its erasure is requested. After the relationship ends, data will be blocked and remain available only for the exercise or defense of legal or contractual claims, during the applicable limitation period. Once these periods have passed, data will be securely deleted. South Summit participant management: For a period of 6 years from the last confirmation of interest. Once the relationship ends and is not linked to other matters, it is kept for a minimum of 6 years, in accordance with the Commercial Code and tax regulations. Social media management - South Summit: As long as the data subject does not request its erasure. Personal data will be processed as long as it is necessary or relevant for the indicated purposes. If the data subject requests its erasure, the data will be blocked in accordance with the GDPR, for a maximum period of three years, for its availability in case of legal requirements by judges, courts, or competent authorities. Statistics and metrics records will be kept anonymized for analysis and improvement of future strategies. Participation requests management - Partner with Us / Get Your Stand. Data will be kept as long as the data subject maintains their interest in participating in the event or until they request its deletion. In the event that the applicant becomes a client or partner, the data will be kept in accordance with the policies applicable to the commercial relationship. If no commercial relationship is established, the data will be deleted or anonymized within a maximum of one year after the last interaction, unless legally required to be kept. Registered user competition management: For a period of 6 years from the last confirmation of interest. Data will be processed until the user expresses their opposition to the processing, exercises their right to erasure or limitation thereof, or for the periods necessary to comply with legal obligations (e.g., tax or commercial). Data related to the registration and evaluation of startups will be kept for the time necessary for the competition and its subsequent promotion. Video surveillance management in offices and event facilities: For a period of 1 month from the last confirmation of interest. Recordings will be kept for a maximum of 1 month from their capture, unless they are necessary for the resolution of incidents by the competent authorities. In the event that a recording is necessary for the investigation or defense of legal rights, it may be blocked and kept for the legally established period. Volunteer management: For a period of 5 years from the last confirmation of interest. Data will be processed and kept for the time necessary for the purposes foreseen in event management. 5 years after the volunteer's last interaction or collaboration, the data will be securely deleted, unless there is a legal obligation to keep it. Evaluation Jury Management - Startup Competition: As long as the commercial relationship is maintained. Personal data of jury members will be processed as long as there is a contractual or collaborative relationship with South Summit. At the end of the relationship, data will be blocked and kept for a minimum of 6 years, in accordance with the Commercial Code and tax regulations. Data related to evaluations will be anonymized once organizational and legal purposes are met. Integrated Agenda and Calendar Management - South Summit: As long as the data subject does not request its erasure. Personal data will be kept for the duration of the event and for a maximum period of 2 years to maintain the commercial relationship with the data subject, unless its erasure is requested earlier or there is a legal obligation to keep it. Integrated Attendee and Ticketing Management - South Summit: For a period of 5 years from the last confirmation of interest. Data will be processed and kept as long as necessary for the foreseen purposes. If the data subject withdraws their consent, the data will be deleted within a maximum period of 1 year, unless legally required to be kept (e.g., tax regulations). Access records will be deleted at the end of the legal retention period of 5 years. Integrated Event Management - South Summit App: As long as the commercial relationship is maintained. Data will be kept as long as the user keeps their account active and does not request data erasure. Once the event ends, data will be deleted within a maximum period of 2 years, unless there is a legal obligation to keep it. Integrated Speaker Management - South Summit: As long as the commercial or contractual relationship is maintained. Data will be kept as long as there is a contractual and/or commercial relationship with the speaker. After the relationship ends, data will be kept for the periods required by tax and commercial regulations (minimum 6 years), and data related to the assignment of image and voice will be kept for the period specified in the contract signed with the speaker. South Summit uses images. Images and recordings will be kept as long as they are useful for the foreseen purposes (event promotion and future editions); on social networks and third-party platforms, images will be kept in accordance with the privacy policies of said platforms. Data subjects may exercise their right to erasure, cancellation, or limitation of processing to delete their visual data. 8.- LAWFULNESS OF PROCESSING Why do we process your data? The collection and processing of your data are always legitimized by one or more legal bases, which are detailed below: Travel and Accommodation Booking Management - South Summit - (Art. 6.1.a GDPR) Consent of the data subject - (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract. Startup Competition Evaluation Committee - (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract. - (Art. 6.1.a GDPR) Consent of the data subject. Cookies, pixels, and tracking - (Art. 6.1.a GDPR) Consent of the data subject. Co-organization of the South Summit 2025 event. - (Art. 6.1.a GDPR) Consent of the data subject - (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract. - (Art. 6.1.e GDPR) Performance of a public task or exercise of official authority vested in the Controller Compliance with GDPR obligations - Legal obligation for historical, statistical, or scientific research purposes. - GDPR: 6.1.c) Processing is necessary for compliance with a legal obligation to which the controller is subject. - Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations. Common Administrative Procedure Law. - General Data Protection Regulation. REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Event access management - South Summit - (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract. Event partners and content production management - (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract. Communications and newsletter management - (Art. 6.1.a GDPR) Consent of the data subject Website queries management - South Summit - Explicit consent of the data subject South Summit participant management - (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract. - (Art. 6.1.f GDPR) Legitimate interest of the controller or a third party. Social media management - South Summit. - Explicit consent of the data subject. - GDPR: 6.1.a) Consent of the data subject. The legal basis for sending information related to professional practice or professional interest and for providing volunteer services is the consent you provide, which you can withdraw at any time. Participation requests management - Partner with Us / Get Your Stand. - (Art. 6.1.a GDPR) Consent of the data subject Registered user competition management - (Art. 6.1.a GDPR) Consent of the data subject - (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract. Video surveillance management in offices and event facilities - Legitimate interest of the controller or third parties - GDPR: 6.1.f) Satisfaction of legitimate interests pursued by the controller. Volunteer management - Explicit consent of the data subject Evaluation Jury Management - Startup Competition - (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract. - (Art. 6.1.a GDPR) Consent of the data subject. Integrated Agenda and Calendar Management - South Summit - Explicit consent of the data subject - GDPR: 6.1.a) Consent of the data subject. The legal basis for sending information related to professional practice or professional interest and for providing volunteer services is the consent you provide, which you can withdraw at any time. - Existence of a contractual relationship with the data subject through a contract or pre-contract. - Legitimate interest of the Controller or third parties - GDPR: 6.1.e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Integrated Attendee and Ticketing Management - South Summit - (Art. 6.1.a GDPR) Consent of the data subject - (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract. Integrated Event Management - South Summit App - (Art. 6.1.a GDPR) Consent of the data subject - (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract. Integrated Speaker Management - South Summit - (Art. 6.1.a GDPR) Consent of the data subject - (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract. South Summit uses images. - (Art. 6.1.a GDPR) Consent of the data subject - (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract. 9.- RECIPIENTS OF YOUR DATA To whom do we disclose your data within the European Union? Occasionally, to comply with our legal obligations and our contractual commitment to you, we are obliged and need to transfer some of your data to certain categories of recipients, which we specify below: Travel and Accommodation Booking Management - South Summit. Data may be shared with authorized partners and suppliers for booking management and discount application, always under data processing agreements that comply with the GDPR. No additional transfers will be made unless legally mandatory. Startup Competition Evaluation Committee. TEAM TITO LIMITED. Company registration number: 566334. VAT number: IE3384527RH 64 Dame Street, Dublin, Ireland D02 RT72. Partner companies acting as a committee will have access to the South Summit platform to evaluate the Startups with the greatest potential. Cookies, pixel, and tracking: Advertising and direct marketing companies. Co-organization of the South Summit 2025 event. - Co-organizers: Data may be shared with IE University (INSTITUTO DE EMPRESA, S.L., IE UNIVERSITY and IE FOUNDATION) and South Summit for joint event management. - Providers: Security, marketing, technology, and logistics service providers. - Public administrations: When required by applicable legislation (Royal Household and Ministry of the Presidency). - State Security Forces and Corps: For the investigation of criminal offenses. - Participants and attendees: Through attendee lists and promotional event materials. - Social networks: Data will be transferred to platforms such as Meta and Instagram. - Collaborating companies: For event management and marketing. - Travel agencies: For accommodation and travel offers. Compliance with GDPR obligations: Public Administration with competence in the matter. In case of notification of security breaches: Spanish Data Protection Agency. Event Access Management - South Summit. Attendee data will not be transferred to third parties, except for legal obligation or the need to guarantee event security (e.g., local authorities). In case of contracting an external provider to manage the access system, data processing contracts complying with the GDPR will be signed. Communications and newsletter management. Data may be shared with South Summit partners for the promotion of related services or activities, always with the prior consent of the data subject. Technology providers responsible for newsletter sending platforms, under data processing agreements in accordance with the GDPR. Website queries management - South Summit. Data will not be transferred to third parties, except for legal obligation or express consent of the data subject to forward the query to South Summit collaborators or partners for resolution. South Summit participant management: Tax Administration; Banks, savings banks, and rural banks; Public administration with competence in the matter. Social media management - South Summit. Data may be shared with technology service providers and social media platforms such as Facebook, Instagram, LinkedIn, TikTok, and Twitter, in accordance with the privacy policies of said platforms. Registered user competition management. Data may be shared with South Summit partners, such as investment funds, innovation hubs, and corporations, to promote business opportunities, always with the prior consent of the data subject. Technology service providers responsible for platform maintenance and related tools, under data processing agreements in accordance with the GDPR. Video surveillance management in offices and event facilities. Images may be communicated, within the scope of imputation or investigation of criminal offenses, to the State Security Forces and Corps, judicial bodies, and the Public Prosecutor's Office. Volunteer Management: Social Security Agencies Evaluation Jury Management - Startup Competition. TEAM TITO LIMITED. Company number: 566334. VAT number: IE3384527RH 64 Dame Street, Dublin, Ireland D02 RT72. Integrated Agenda and Calendar Management - South Summit: South Summit business group entities. Agenda data may be shared with third parties (such as other attendees with whom the user arranges meetings) under the explicit consent of the data subject. Technology providers responsible for maintaining the agenda management platform, always under agreements that ensure compliance with the GDPR. Integrated Attendee and Ticketing Management - South Summit: Banks, savings banks, and rural banks. Data may be shared with providers responsible for ticket management, event access, or operational communication, always under data processing agreements in accordance with the GDPR. In compliance with legal regulations, data may be transferred to tax authorities for the generation of invoices and tax reports. Integrated Event Management - South Summit App: Public Administration with competence in the matter. Company that develops the application Swapcard Corporation. Integrated Speaker Management - South Summit. Data may be shared with design, communication, and marketing for the preparation of promotional materials related to the speakers. Technology providers in charge of platform management and planning, always under data processor agreements in accordance with the GDPR. South Summit uses images: Companies engaged in advertising or direct marketing. Images may be shared with media, social networks, and streaming platforms, always under the conditions of the privacy policies of such third parties. Integrated Attendee Management and Ticketing - South Summit - IE UNIVERSITY (CIF: G40155384) - South Summit attendees or other events - Identifying data (Name and surname) Do we make International Transfers of your data outside the European Union? In the context of our data processing processes, we may use external services that involve storage and/or processing of your data by organizations outside the European Union. This involves international transfers of your data. Communications and Newsletter Management - The Rocket Science Group LLC d/b/a Mailchimp - United States - Guaranteed level of protection: Adequate Guarantees - Category of warranties: Guarantees approved by the Control Authority. - Standard contractual clauses. 10.- DATA PROCESSING ACTIVITIES The data processing activities carried out through http://www.southsummit.io are described below, specifying: - Activity: Name of the data processing activity. - Purposes: Uses and processing carried out with the collected data. - Legal basis: Legal basis that legitimizes data processing. - Data processed: Types of data processed. - Origin: Origin of the data. - Retention: Data retention period. - Recipients: Third parties to whom data is transferred. - International transfers: Data transfers outside the European Union. 10.1 - PROCESSING ACTIVITIES These are data processing activities whose purposes are necessary for the provision of services. Compliance with GDPR obligations. Legal basis: Legal obligation for historical, statistical, or scientific research purposes (GDPR: 6.1.c). Processing necessary for compliance with a legal obligation to which the controller is subject. Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, General Data Protection Regulation. Purposes: Respond to citizens' requests in the exercise of rights established by the General Data Protection Regulation; Data protection and information privacy; Process your data in order to respond to requests in the exercise of rights established by the General Data Protection Regulation (Article 5 of the GDPR) and, where appropriate, for the notification of personal data security breaches to the supervisory authority and data subjects (Articles 33 and 34 of the GDPR). Categories of data and groups: Clients (identification data). Employees (identification data; job details). Origin of data: The data subject themselves or their legal representative. Category of recipients: In case of notification of security breaches: Spanish Data Protection Agency. International transfer: Not foreseen. Retention period: As long as its erasure is not requested by the data subject. Personal data provided will be kept as long as its erasure is not requested by the data subject or when the data is no longer necessary - including the need to keep it for the applicable limitation period - or relevant for the purpose for which it was collected or recorded. Event access management - South Summit Legal basis: (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract. Purposes: Monitor venue capacity in real time to ensure safety and compliance with local regulations; Manage attendee lists to facilitate registration and resolve potential access issues; Collect attendance data for analysis and improvement of future event editions; Verify and validate attendee access to the event using QR codes or other registration systems. Categories of data and groups: Volunteers (identification data). Speakers and presenters (identification information). South Summit attendees or other events (identification information). Origin of data: The data subject or their legal representative; Private entity; From the "Become a Speaker" form on the website; Event attendees such as Speakers, Partners, Investors, Presenters, or Startup Members. Category of recipients: Attendee data will not be disclosed to third parties, unless there is a legal obligation or it is necessary to guarantee event security (for example, local authorities). In case an external provider is contracted to manage the access system, data processing agreements complying with the GDPR will be signed. International transfer: Not foreseen. Retention period: For a period of 5 years from the last confirmation of interest. Data will be processed and kept for the time necessary to fulfill the purposes of access control. Subsequently, it will be securely stored and blocked for a period of 5 years, unless the data subject requests its erasure or there is a legal obligation requiring its retention. Security measures: - Organizational: - Definition of internal procedures for ticket management, access, and incident resolution. - Training for access staff on best practices in personal data management and data protection regulations. - Assignment of clear roles and responsibilities in access control organization. - Establishment of confidentiality agreements for staff or third parties managing attendee data. - Technical: - Ticket validation using encrypted QR codes, security, and precise identification. - Data encryption in transit (HTTPS) and at rest (AES-256) for information stored in access systems. - Multi-factor authentication system for employees with access to ticket management platforms. - Activity logging in the system to audit access and prevent misuse of data. - Periodic backups of data related to logins and accesses, stored on secure servers. - Physical: - Physical access control in registration areas and ticket control systems, including surveillance and security measures at the event site. - Secure storage of devices and documents related to access management. Event partners and content production management Legal basis: (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract. Purposes: Coordination of tasks and responsibilities in event production; Management of speaker relationships and content scheduling; Supervision of development and achievement of production objectives. Categories of data and groups: Registered users / South Summit app users (identification data). Clients (identification data). Employees (identification data). Speakers and presenters (identification information). South Summit attendees or other events (identification information; personal characteristics; employment details; economic, financial, and insurance details; commercial information; credit information). Registered user competition (identification information). Origin of data: The data subject or their legal representative; Private entity; From the "Become a Speaker" form on the website; Event attendees such as Speakers, Partners, Investors, Presenters, or Startup Members. Category of recipients: Not foreseen. International transfer: Not foreseen. Retention period: As long as the commercial or contractual relationship is maintained. Data will be kept as long as necessary to fulfill the purposes of processing, respecting the principles of minimization and storage limitation. Subsequently, it will be deleted or anonymized. Measures: - Information Security Policy (ISP): Implement and keep updated a security policy adapted to legal regulations and company needs. - Access control: Restricted access to personal data through multi-factor authentication (MFA) and role-based permissions. - Data encryption: Use of encryption during data transmission and storage (HTTPS, disk encryption). - Training and awareness: Periodic training for employees on best practices in data protection and information security. - Activity logging: Maintenance of a detailed log of data accesses and modifications. South Summit participant management Legal basis: (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract; (Art. 6.1.f GDPR) Legitimate interest of the Controller or third parties. Purposes: The personal data collected will be processed for the purpose of managing the relationship derived from this contract. Allow effective and active participation in South Summit sections and activities to which it conforms; Process the consideration for the services and activities that the participant will enjoy at South Summit; Reciprocal use of distinctive signs and trademarks owned by the participant and the company; Organization of South Summit as a global in-person meeting in Madrid, connecting different global innovation hubs and connecting key national and international innovation players through physical networks and through the digital platform. South Summit becomes a 365 connection platform, with meetings throughout the year, both in-person and digital, to continue connecting key players in the innovation ecosystem and enhancing the best of both worlds. This omnichannel format will be developed both virtually and in-person as circumstances or the convenience of the chosen format for each section dictates. Categories and groups of data: Clients (identification data). Origin of data: The data subject or their legal representative. Category of recipients: Administration. Tax Administration; Banks, banking entities, savings banks, and rural banks; public administration with competence in the matter. International transfer: Not foreseen. Retention period: For a period of 6 years from the last confirmation of interest. Once the relationship ends and is not linked to other matters, it is kept for a minimum of 6 years, in accordance with the Commercial Code and tax regulations. Security measures. Relevant security measures have been implemented to mitigate the existing risk. In any case, the security measures of Article 32 of the GDPR will apply: 1. The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services. 2. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident. 3. A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. 4. Pseudonymization and encryption of personal data. Video surveillance management in offices and event facilities Legal basis: Legitimate interest of the Controller or third parties (GDPR: 6.1.f) Satisfaction of legitimate interests pursued by the Controller). Purposes: Control access and prevent security incidents in all facilities; Ensure the safety of people, property, and infrastructure in South Summit offices and facilities; Provide security during the organization and development of events in temporary venues; Facilitate recordings to competent authorities in case of incidents or investigations. Categories of data and groups: Employees (identification data). Visitors (identification data). Origin of data: The data subject themselves or their legal representative. Category of recipients: Images may be communicated, within the scope of imputation or investigation of crimes, to the State Security Forces and Corps, Judicial Bodies, Public Prosecutor's Office, etc. International transfer: Not foreseen. Retention period: For a period of 1 month from the last confirmation of interest. Recordings will be kept for a maximum of 1 month from their capture, unless they are required for the resolution of incidents by the competent authorities. In the event that a recording is necessary for the investigation or defense of legal rights, it may be blocked and kept for the legally established period. Security measures: - Organizational: - Implementation of internal policies to regulate the use of video surveillance systems in offices and events, ensuring that access to recordings is exclusively for authorized personnel. - Visible signs in all monitored areas (offices and temporary event) informing data subjects about the existence of cameras and image processing in accordance with the GDPR. - Supervision by a designated person responsible to ensure that recordings are used only for security purposes. - Training of staff in charge on applicable regulations and proper use of video surveillance systems. - Technical: - Configuration of recording systems with secure and encrypted storage (AES-256). - Use of multi-factor authentication to access video surveillance, limiting access only to authorized personnel. - Scheduling for automatic deletion of recordings once the storage period (1 month) has expired. - Monitoring and auditing of access to video surveillance systems to ensure traceability. - Storage of recordings on secure servers, preferably with ISO 27001 certification, located within the EEA. - Physical: - Strategic installation of cameras in common areas, accesses, loading/unloading areas, and sensitive areas, avoiding image capture in private spaces (such as bathrooms or changing rooms). - Physical protection of recording devices through restricted access (security locks, physical surveillance). - Access control to monitored areas (offices and events) to minimize risks related to recordings. Travel and accommodation booking management - South Summit Legal basis: (Art. 6.1.a GDPR) Consent of the data subject; (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract. Purposes: Coordinate with partners and suppliers the management of bookings and discounts to facilitate event attendance; Provide exclusive information and offers on travel, accommodation, and transport to attendees; Promote exclusive agreements with partners related to travel and accommodation services; Personalized follow-up of requests received through the website. Categories of data and groups: E-commerce clients (identification data). People who access and contact via the web (identification data). Registered users/South Summit app users (identification data). Potential clients (identification data). South Summit attendees or other events (identification information; employment details). Registered user competition (identification information). Origin of data: The data subject or their legal representative; People who contact us through web forms such as Become an Ambassador, Suggest a Speaker, Suggest Ideas, and Contact Us; Event attendees such as Speakers, Partners, Investors, Presenters, or Startup Members. Category of recipients: Data may be shared with authorized partners and suppliers for booking management and discount application, always under data processing agreements that comply with the GDPR. No additional transfers will be made unless legally required. International transfer: Not foreseen. Retention period: For a period of 5 years from the last confirmation of interest. Data will be kept as long as there is a contractual or commercial relationship with the data subject or until they exercise their right to erasure. In case of consent withdrawal, data will be blocked and kept exclusively for the defense of legal or contractual claims, for the periods established by regulations. Security measures: - Organizational: - Implementation of internal policies that limit access to data only to authorized personnel and travel and accommodation management partners. - Obtaining explicit consent from the data subject during the registration process on the landing page. - Signing confidentiality agreements with partners and suppliers who manage personal data to ensure GDPR compliance. - Training for staff in charge on data protection regulations and best practices in personal data management. - Technical: - Data encryption in transit (HTTPS) and at rest (AES-256) for personal information sent through the landing page and during communications with partners. - Use of secure request management systems with multi-factor authentication. - Logging and auditing of access to personal data to ensure traceability and prevent misuse. - Automatic backups stored on secure servers with ISO 27001 certification. - Physical: - Storage of related physical documents (if applicable) in restricted areas with controlled access. - Control of physical access to devices used to manage requests. - Secure deletion of physical documents once processing purposes are met, through certified destruction. Startup Competition Evaluation Committee Legal basis: (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract; (Art. 6.1.a GDPR) Consent of the data subject. Purposes: Coordinate online discussion sessions to select finalist projects; Send emails with links to register on the platform and session schedule; Evaluate pre-selected projects through the evaluation platform; Manage committee members' access to the platform and startup data; Invite corporations, investors, and institutions to participate in the evaluation committee; Coordinate project evaluation through the evaluation platform. Categories of data and groups: Evaluation Committee (identification data; other categories). Origin of data: The data subject themselves or their legal representative; Private entity. Category of recipients: TEAM TITO LIMITED. Company number: 566334. VAT number: IE3384527RH 64 Dame Street, Dublin, Ireland D02 RT72. Partner companies acting as a committee will have access to the South Summit platform to evaluate the Startups with the greatest potential. International transfer: Not foreseen. Retention period: As long as the commercial relationship is maintained. Data will be kept for the time necessary for the organization and management of the evaluation process. Once the commercial relationship ends, data will be kept for a minimum of six years in accordance with the Commercial Code and tax regulations. Evaluators' access to the platform will be enabled for a limited period of three weeks after the evaluation process ends. Security measures: - Organizational: - Establishment of confidentiality agreements with evaluation committee members to ensure proper handling of participating startup data. - Periodic review of access to the evaluation platform to prevent unauthorized access. - Data classification and deletion policy after evaluation completion to ensure compliance with the minimization principle. - Specific training for platform managers and committee members on personal data processing and applicable regulations. - Technical: - Multi-factor authentication for access to the evaluation platform. - Data encryption in transit (HTTPS) and at rest (AES-256) to protect startup information and evaluations performed. - Activity logging on the platform to audit actions taken by evaluators. - Restriction of data access only to the authorized three-week period after evaluation sessions end. - Periodic data backup to prevent loss of key information during the evaluation process. - Physical: - Security in offices where information is accessed, including physical access controls (locked doors, surveillance). - Use of secure servers located in data centers with international certifications such as ISO 27001. Cookies, pixel, and tracking Legal basis: (Art. 6.1.a GDPR) Consent of the data subject. Purposes: Share information on social networks. "Favorite", "Like", "+1" buttons and similar; Obtain statistical data on user navigation, identify problems, and analyze their preferences; Third-party video and map transmission. A feature or add-on provided by a third party establishes a direct connection between the user's browser and the third party's internet domains, allowing its download and execution. Categories of data and groups: People who access and contact via the web (commercial information; other categories). Origin of data: The data subject or their legal representative; People who contact us through web forms such as "Become an Ambassador", "Suggest a Speaker", "Suggest Ideas", and "Contact Us". Category of recipients: Companies dedicated to advertising or direct marketing. International transfer: Not foreseen. Retention period: You must access our cookie policy to know the retention time of each cookie, as well as the information collected. Security measures: Relevant security measures have been implemented to mitigate the existing risk. In any case, the security measures of Article 32 of the GDPR will apply: 1. The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services. 2. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident. 3. A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. 4. Pseudonymization and encryption of personal data. Co-organization of the South Summit 2025 event. Legal basis: (Art. 6.1.a GDPR) Consent of the data subject; (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract; (Art. 6.1.e GDPR) Performance of a public task or exercise of official authority vested in the Controller. Purposes: Communication and marketing: To send event-related information, updates, news, and promotional materials. This includes sending emails and other messages to keep attendees informed about event details and any important changes or developments; Event access control: To manage access for participants, volunteers, and speakers. This ensures that only authorized individuals can access certain areas of the event; GDPR compliance: Manage requests to exercise rights under the GDPR and notify security breaches. This involves managing participant requests related to their personal data and notifying any security breaches to the relevant authorities; Surveys and feedback: Collect opinions and suggestions from participants to improve future events. After the event, surveys will be sent to get feedback from attendees on their preferences and improvements. Participant management: Facilitate participation in South Summit activities and sections. This includes coordinating the activities in which participants can take part and ensuring that everyone has the necessary information to participate actively. Registered user management: Facilitate e-commerce and business opportunities for partners. This includes allowing startups and other companies to interact and do business during the event and through the platform. Event organization and management: Coordinate and execute all activities related to the planning and execution of the event. This includes ensuring the proper development of all parts of the event, such as activity scheduling, speaker coordination, and general logistics. Registration and access control: Manage registrations, accreditations, and event tickets. This involves registering all attendees, ensuring they have the correct credentials, and controlling who enters and leaves the venue. Session transmission and recording: Live stream and record event presentations and activities. This allows those who cannot attend in person to watch presentations and activities online and makes recordings available for later viewing; Use of images: Record and stream event presentations, and display images on the web and social networks. This involves taking photos and videos of the event and sharing them online for promotion and coverage of the event; Facility video surveillance: Ensure the safety of people, property, and facilities through video surveillance. This means security cameras will be used to monitor the event site and ensure the protection of everyone present. Categories and groups of data: Registered users / South Summit app users (identification data; commercial information). Employees (identification data). Visitors (identification information). Volunteers (identification information; personal characteristics). Speakers and presenters (identification information; employment details; other categories). South Summit attendees or other events (identification information; personal characteristics; employment details; economic, financial, and insurance details; commercial information; credit information). Registered user competition (identification information). Origin of data: The data subject themselves or their legal representative; Private entity; From the "Become a Speaker" form on the website; Event attendees such as speakers, partners, investors, presenters, or startup members. Category of recipients: - Co-organizers: Data may be shared with IE University (INSTITUTO DE EMPRESA, S.L., IE UNIVERSITY and IE FOUNDATION) and South Summit for joint event management. - Service: Security, marketing, technology, and logistics companies. - Public administrations: When required by applicable legislation (Royal Household and Ministry of the Presidency). - Security Forces and Corps: For the investigation of crimes. - Participants and attendees: Through attendee lists and promotional event materials. - Social networks: Data will be transferred to platforms such as Meta and Instagram. - Collaborating companies: For event management and marketing. - Travel agencies: For accommodation and travel offers. International transfer: Not foreseen. Retention period: - Registration and contact data: Will be kept for 5 years from the last confirmation of interest. Images and recordings: Will be kept according to the policies of the social networks used and for historical and promotional purposes of the event. - Transactional data: Will be kept for 5 years according to applicable tax and accounting regulations. - Video surveillance data: 1 month from the recording date. - Compliance with GDPR obligations: As long as its erasure is not requested by the data subject. - Access control: 5 years from the last confirmation of interest. - Participant management: 6 years according to the Commercial Code and tax regulations. - Registered user management: 6 years from the last confirmation of interest. Security measures: In accordance with Article 32 of the GDPR and considering Article 83 of the GDPR, the following technical and organizational measures will be implemented to ensure a level of security appropriate to the risk: - Pseudonymization and encryption of personal data: Use of encryption techniques to protect data during transmission and storage. - Confidentiality, integrity, and availability: Implementation of access controls, firewalls, and intrusion detection systems to protect information. - Data restoration: Ability to quickly restore the availability and access to personal data in the event of a physical or technical incident. - Periodic evaluations: Continuous process of verification, evaluation, and assessment of the effectiveness of technical and organizational measures to ensure the security of processing. - Protection against unauthorized access: Use of multi-factor authentication and role-based access permissions. Communications and newsletters management Legal basis: (Art. 6.1.a GDPR) Consent of the data subject. Purposes: Send informative newsletters about the South Summit ecosystem (events, speakers, startups, and opportunities); Generate business opportunities through contact between participants and partners; Promote events, conferences, and competitions organized by South Summit; Provide promotional information about South Summit services, activities, and offers and its partners; Conduct segmented campaigns based on specific interests or professional sectors. Categories of data and groups: Subscribers (identification data). Origin of data: Data is collected when the subscriber enters their email address in our newsletter registration form on the website. Category of recipients: Data may be shared with South Summit partners for the promotion of related services or activities, always with the prior consent of the data subject. Technology providers responsible for newsletter sending platforms, under data processing agreements in accordance with the GDPR. International transfer: The Rocket Science Group LLC d/b/a Mailchimp - United States (Mass emailing platform) - Adequate Guarantees. Retention period: As long as its erasure is not requested by the data subject. Data will be kept as long as the data subject maintains their interest in receiving communications. In case of inactivity or withdrawal of consent, data will be deleted within a maximum period of 1 year, unless legally required to be kept. Security measures: - Organizational: - Implementation of a consent management system to verify and record explicit authorizations from data subjects. - Internal policies for secure and appropriate segmentation of distribution lists. - Periodic training for staff in charge of managing communications on applicable regulations and best practices in data protection. - Periodic internal audits to verify compliance with the GDPR and data use policies. - Technical: - Use of certified email marketing platforms that comply with the GDPR, such as Mailchimp or equivalents. - Data encryption in transit (HTTPS) and at rest (AES-256). - Multi-factor authentication for those responsible for accessing newsletter management platforms. - Access monitoring and activity logging to ensure traceability. - Configuration of automatic unsubscribe options in each communication sent. - Physical: - Restricted access to devices used for communications in South Summit offices. - Secure deletion of physical documents related to distribution through certified destruction. Website queries management - South Summit Legal basis: Explicit consent of the data subject. Purposes: Channel ideas, suggestions, and proposals to improve the organization's services and activities; Respond to requests received through web forms, such as Become an Ambassador, Suggest a Speaker, Suggest Ideas, and Contact Us; Manage and record queries from users interested in collaborating or participating in South Summit activities; Provide support and information related to services and events organized by South Summit. Categories of data and groups: People who access and contact via the web (identification data; employment details; other categories). Origin of data: The data subject themselves or their legal representative; People who contact us through web forms such as Become an Ambassador, Suggest a Speaker, Suggest Ideas, and Contact Us. Category of recipients: Data will not be transferred to third parties, except for legal obligation or express consent of the data subject to forward their query to South Summit collaborators or partners for resolution. International transfer: Not foreseen. Retention period: As long as the commercial or contractual relationship is maintained. Data will be kept as long as there is a contractual and/or commercial relationship with the data subject, or until its erasure is requested. After the relationship ends, data will be blocked and only available for the exercise or defense of legal or contractual claims, during the applicable limitation periods. Once these periods have passed, data will be securely deleted. Security measures: - Organizational: - Establishment of internal policies for the correct classification and processing of queries. - Periodic training of staff in charge on query management and compliance with data protection regulations. - Periodic supervision and auditing of the processing system to ensure the correct use of personal data. - Internal procedures for blocking and deleting data in accordance with established deadlines. - Technical: - Data encryption in transit (HTTPS) and at rest (AES-256) to protect information sent through forms. - Role-based authentication system and access permissions to ensure that only authorized personnel handle queries. - Implementation of incident detection and response systems to prevent unauthorized access or data leaks. - Activity logging in the system to audit actions taken on query data. - Physical: - Storage of servers in protected data centers with restricted access and physical security measures (ISO 27001 certifications). - Implementation of security measures in offices, such as limited access to devices that manage the query system. Social media management - South Summit Legal basis: Explicit consent of the data subject (GDPR: 6.1.a) Consent of the data subject). Purposes: Create and publish promotional, informative, and engaging content on social media; Identify trends and opportunities through interaction data analysis; Interact with followers through responses to comments, direct messages, and mentions; Monitor statistics and metrics to improve social media strategy and foster community participation; Promote South Summit activities, events, and services. Categories of data and groups: Followers (identification data). Origin of data: The data subject themselves or their legal representative. Category of recipients: Data may be shared with technology service providers and social media platforms such as Facebook, Instagram, LinkedIn, TikTok, and Twitter, depending on the privacy policies of said platforms. International transfer: Not foreseen. Retention period: As long as its erasure is not requested by the data subject. Personal data will be processed as long as it is necessary or relevant for the indicated purposes. If the data subject requests its erasure, the data will be blocked in accordance with the GDPR, for a maximum period of three years, for its availability in case of legal requirements by judges, courts, or competent authorities. Statistics and metrics records will be kept anonymized for analysis and improvement of future strategies. Security measures: - Organizational: - Implementation of internal policies to regulate the use of social media, ensuring compliance with the GDPR and personal data protection. - Training of staff in charge of social media management on best practices and data protection regulations. - Logging of accesses and roles assigned to the social media management team to prevent unauthorized access. - Internal monitoring and approval of publications to ensure that sensitive personal data is not included without prior consent. - Technical: - Use of certified tools for centralized social media management, with encryption in transit (HTTPS). - Restriction of access through multi-factor authentication on all social media accounts. - Monitoring of accesses and activities on platforms for traceability and detection of possible incidents. - Periodic backups of created content and statistics on secure servers with ISO 27001 certification. - Physical: - Physical access control to devices used to manage social media, including measures such as automatic locking and biometric authentication. - Secure storage of materials related to social media campaigns (images, videos, etc.) in restricted areas. Participation requests management - Partner with Us / Get Your Stand Legal basis: (Art. 6.1.a GDPR) Consent of the data subject. Purposes: Manage requests to collaborate as partners or exhibitors at the event; Inform companies about the types of stands, rates, and services available to participate in South Summit; Offer personalized attention and resolve doubts related to event participation; Register and follow up on received inquiries to convert them into commercial agreements. Categories of data and groups: Clients (identification data; job details; other categories). Potential (identification data; job details; other categories). Origin of data: The data subject themselves or their legal representative. Category of recipients: Not foreseen. International transfer: Not foreseen. Retention period: Data will be kept as long as the data subject maintains their interest in participating in the event or until they request its deletion. In the event that the applicant becomes a client or collaborator, the data will be kept in accordance with the policies applicable to the commercial relationship. If no commercial relationship is established, the data will be deleted or anonymized at the latest 1 year after the last interaction, unless legally required to be kept. Security measures: - Organizational: - Internal procedures to classify and prioritize requests according to their nature and commercial potential. - Definition of clear roles in the commercial team to manage requests and protect collected personal data. - Training for staff in charge on best practices in request management and personal data processing in accordance with the GDPR. - Periodic audits to ensure the correct application of security and traceability of handled requests. - Technical: - Use of a secure CRM system to record, manage, and track requests. - Data encryption in transit (HTTPS) and at rest (AES-256) for collected personal and commercial information. - Multi-factor authentication for access to the application management system. - Security backups stored on servers with ISO 27001 certification. - Logging and monitoring of activities performed in the CRM to prevent improper access or misuse of data. - Physical: - Secure storage of any physical documents generated in request management, with restricted access. - Physical access control to devices used to manage applications, including automatic locking and biometric authentication in South Summit offices. Registered user competition management Legal basis: (Art. 6.1.a GDPR) Consent of the data subject; (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract. Purposes: Facilitate registration and access for startups, partners, and investors to the Startup Competition platform; Manage startup registration in the competition and associated services; Provide technical support to users and resolve incidents during the registration and evaluation process; Enable contact between competition participants and South Summit partners to generate business opportunities; Promote user participation in future events and competitions organized by South Summit. Categories of data and groups: Registered user competition (identification data). Origin of data: The data subject themselves or their legal representative. Category of recipients: Data may be shared with South Summit partners, such as investment funds, innovation hubs, and corporations, to promote business opportunities, always with the prior consent of the data subject. Technology service providers responsible for platform maintenance and related tools, under data processing agreements in accordance with the GDPR. International transfer: Not foreseen. Retention period: For a period of 6 years from the last confirmation of interest. Data will be processed until the user expresses their opposition to the processing, exercises their right to erasure or limitation of processing, or for the periods necessary to comply with legal obligations (e.g., tax or commercial). Data related to the registration and evaluation of startups will be kept as long as necessary for the purpose of the competition and its subsequent promotion. Security measures: - Organizational: - Implementation of restricted access policies, ensuring that only authorized personnel have access to registered data. - Periodic audits of data processing to ensure compliance with regulations and prevent unauthorized access. - Continuous staff training on proper personal data management and legal obligations under the GDPR. - Use of a consent management system to verify and store explicit user authorizations. - Technical: - Data encryption in transit (HTTPS) and at rest (AES-256) for personal information. - Implementation of multi-factor authentication (MFA) for access to the registered user management platform. - Monitoring and logging of activities on the platform to detect improper access or security incidents. - Periodic backups and storage on servers with security certifications (ISO 27001). - Limiting access to sensitive data through role-based permissions. - Physical: - Storage of servers in data centers protected by physical security measures, such as 24/7 surveillance, biometric access controls, and electrical redundancy. - Secure deletion of physical documents related to registration and competition, through certified shredding. Volunteer management Legal basis: Explicit consent of the data subject. Purposes: Support in the accreditation, logistics, and venue access area; Assign tasks and schedules to volunteers during the event; Provide support to startups, speakers, and investors within the Marketplace framework and in meetings; Communication with volunteers before, during, and after the event for organizational matters; Ensure occupational risk prevention for volunteers during their collaboration in the event; Provide information to visitors and coordinate flows at the venue. Categories of data and groups: Volunteers (identification data; personal characteristics). Origin of data: The data subject themselves or their legal representative. Category of recipients: Social Security Agencies. International transfer: Not foreseen. Retention period: For a period of 5 years from the last confirmation of interest. Data will be processed and kept as long as necessary for the purposes foreseen in event management. 5 years after the volunteer's last interaction or collaboration, the data will be securely deleted, unless there is a legal obligation to keep it. Security measures: - Organizational: - Creation of specific internal policies for volunteer data management, limiting access only to authorized personnel. - Obtaining explicit consents during the volunteer registration process, detailing the specific purposes of their data processing. - Signing confidentiality agreements by volunteers in case of access to sensitive event information (startups, investors, etc.). - Training for the management team and volunteers on data protection regulations and their responsibilities during the event. - Technical: - Use of secure systems for volunteer data management, including digital platforms with multi-factor authentication and encryption (AES-256). - Data encryption in transit (HTTPS) to protect information exchange between systems. - Logging and auditing of access to the volunteer management system to ensure traceability. - Periodic backups of data, stored on servers with ISO 27001 certification. - Physical: - Storage of physical documents (such as signed agreements) in restricted access areas. - Control of access to devices and areas where volunteer personal data is managed. - Secure deletion of physical documents, through certified destruction, once processing purposes are met. Evaluation Jury Management - Startup Competition Legal basis: (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract; (Art. 6.1.a GDPR) Consent of the data subject. Purposes: Send invitations and coordinate the participation of jury members, indicating dates and sessions; Manage jury applications received through the "Become a Juror" form; Maintain communication with jury members to inform them about competition-related activities; Organize and facilitate the evaluations of the 100 selected startups through the South Summit platform. Categories of data and groups: Jury (identification data; other categories; job details). Origin of data: The data subject themselves or their legal representative; Private entity. Category of recipients: TEAM TITO LIMITED. Company number: 566334. VAT number: IE3384527RH 64 Dame Street, Dublin, Ireland D02 RT72. International transfer: Not foreseen. Retention period: As long as the commercial relationship is maintained. Personal data of jury members will be processed as long as there is a contractual or collaborative relationship with South Summit. At the end of the relationship, data will be blocked and kept for a minimum period of 6 years in accordance with the Commercial Code and tax regulations. Data related to evaluations will be anonymized once organizational and legal purposes are met. Security measures: - Organizational: - Internal procedures to ensure that only authorized personnel have access to jury information and evaluated startups. - Signing confidentiality agreements by jury members to protect information about evaluated projects. - Training for jury management staff on GDPR compliance and data processing obligations. - Logging and documentation of activities related to jury data processing, including invitations and evaluations. - Technical: - Use of secure and certified platforms for evaluation management and jury members' personal data. - Data encryption in transit (HTTPS) and at rest (AES-256). - Implementation of multi-factor authentication for access to project evaluation. - Monitoring and logging of accesses and activities performed on the platform to ensure traceability. - Daily backups of stored information, with quick recovery in case of incidents. - Physical: - Storage of any physical documents related to the jury in restricted access areas. - Use of access control systems in areas where jury and evaluated startup data is managed. - Secure deletion of physical documents through certified destruction. Integrated Agenda and Calendar Management - South Summit Legal basis: Explicit consent of the data subject (GDPR: 6.1.a) Consent of the data subject); Existence of a contractual relationship with the data subject through a contract or pre-contract; Legitimate interest of the Controller or third parties (GDPR: 6.1.e). Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Purposes: Appointment and agenda control; Coordination and reminder of scheduled meetings at South Summit; Generation of personalized calendars according to preferences and profile; Management of personalized agendas for event participants; Organization of appointments and meetings between attendees, investors, startups, and exhibitors; Planning of selected activities in the event program. Categories of data and groups: People who access and contact via the web (identification data). Clients (identification data). Employees (identification data). Origin of data: The data subject themselves or their legal representative; People who contact us through web forms such as Become an Ambassador, Suggest a Speaker, Suggest Ideas, and Contact Us. Category of recipients: Entities of the business group; Agenda data may be shared with third parties (such as other attendees with whom the user arranges meetings) under the explicit consent of the data subject. Technology providers responsible for maintaining the agenda management platform, always under agreements that ensure compliance with the GDPR. International transfer: Not foreseen. Retention period: As long as its erasure is not requested by the data subject. Personal data will be kept for the duration of the event and a maximum period of 2 years to maintain the commercial relationship with the data subject, unless its erasure is requested earlier or there is a legal obligation to keep it. Security measures: - Organizational: - Definition and application of role-based access policies to ensure that only authorized users access address book data. Periodic audits of agenda use and management to identify possible deficiencies or errors. Continuous staff training on security measures, data management, and GDPR compliance. Logging and documentation of all processing activities related to agenda management. - Technical: - Implementation of multi-factor authentication for access to the agenda management platform. End-to-end encryption of data in transit (HTTPS) and at rest (AES-256). Use of cloud servers with updated security certificates and compliance with standards such as ISO 27001. Constant monitoring of accesses and activities in the system to detect possible improper uses. Automatic backups to ensure data recovery in case of incidents. Physical access control in data centers hosting servers, including 24/7 surveillance, alarm systems, and biometric authentication. - "Clean desk" policies and secure deletion of physical documents related to event planning. Integrated Attendee and Ticketing Management - South Summit Legal basis: (Art. 6.1.a GDPR) Consent of the data subject; (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract. Purposes: Control event access through digital systems (QR codes or equivalents); Comply with legal and tax obligations associated with ticket sales; Send operational event information (location, schedules, updates); Provide event participation statistics to improve future editions; Manage ticket purchases through the South Summit website; Process and respond to requests for special passes such as the Investor Pass or Press Pass. Categories of data and groups: Speakers and presenters (identification information). South Summit attendees or other events (identification information; economic, financial, and insurance information; credit information; personal characteristics; employment details). Origin of data: The data subject themselves or their legal representative; Private entity; From the "Become a Speaker" form on the website; Event attendees such as Speakers, Partners, Investors, Presenters, or Startup Members. Category of recipients: Banks, savings banks, and rural banks; Data may be shared with providers responsible for ticket management, event access, or operational communication, always under data processing agreements in accordance with the GDPR. In compliance with legal regulations, data may be transferred to the Tax Agency for the generation of invoices and tax reports. IE UNIVERSITY (CIF: G40155384). International transfer: Not foreseen. Retention period: For a period of 5 years from the last confirmation of interest. Data will be processed and kept as long as necessary for the purposes for which it was collected. If the data subject withdraws their consent, the data will be deleted within a maximum period of 1 year, unless legally required to be kept (e.g., tax regulations). Access records will be deleted at the end of the legal retention period of 5 years. Security measures: - Organizational: - Definition of roles and access permissions in management systems to ensure that only authorized personnel have access to data. - Periodic audits to verify compliance with security policies and data protection regulations. - Continuous training for staff in charge on personal data management and GDPR regulations. - Logging of all operations performed in ticketing and attendee management systems. - Technical: - Use of secure and certified e-commerce platforms, compatible with the GDPR. - Data encryption in transit (HTTPS) and at rest (AES-256). - Implementation of multi-factor authentication for access to sales and access management platforms. - Monitoring of accesses and logging of activities in systems to ensure traceability of operations. - Periodic backup of data stored on certified servers with international standards such as ISO 27001. - Physical: - Storage of servers in protected data centers with restricted access, 24/7 surveillance, and biometric controls. - Physical access control to offices and devices where sensitive data related to attendees is processed. Integrated Event Management - South Summit App Legal basis: (Art. 6.1.a GDPR) Consent of the data subject; (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract. Purposes: Agenda. Calendar with South Summit events; Direct messaging between all event attendees. Exhibitors. List of companies with stands as well as their contact details and the responsible person. Video calls from the messaging section with people with whom a conversation has been opened; My Event. Events that each user has marked and meetings with other users; My QR. QR code that allows accreditation to access the event; Networking. List of all attendees to contact them. Speakers. Access to each speaker's profile to connect with their social networks and companies; Start-Up Competition. List of participating companies in the competition, their contact details, and corporate videos. Possibility to send direct messages to the company. Categories of data and groups: Registered users / South Summit app users (identification information; commercial information). South Summit attendees or other events (identification information; employment details; commercial information). Origin of data: The data subject themselves or their legal representative; Event attendees such as Speakers, Partners, Investors, Presenters, or Startup Members. Category of recipients: Public Administration with competence in the matter; Company that develops the application Swapcard Corporation. International transfer: Not foreseen. Retention period: As long as the commercial relationship is maintained. Data will be kept as long as the user keeps their account active and does not request data erasure. Once the event ends, data will be deleted within a maximum period of 2 years, unless there is a legal obligation to keep it. Security measures: - Organizational: - Access control through multi-factor authentication. - Specific staff training on data protection. - Periodic audits on application security. - Technical: - Data encryption in transit (HTTPS) and at rest. - Data pseudonymization to minimize risks. - Implementation of security incident detection and response systems. - Physical: - Security of physical servers where data is hosted. Integrated Speaker Management - South Summit Legal basis: (Art. 6.1.a GDPR) Consent of the data subject; (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract. Purposes: Coordinate schedules and plan speaker participation in the event; Respond to requests received from the "Become a Speaker" form on the website; Provide necessary information to promote their interventions on social networks and other channels; Manage and formalize image, voice, and NDA contracts with speakers; Publish speaker profiles on the website and other South Summit promotional materials. Categories of data and groups: Speakers and presenters (identification information; job details; other categories). Origin of data: The data subject themselves or their legal representative; Private entity; From the "Become a Speaker" form on the website. Category of recipients: Data may be shared with design, communication, and marketing teams for the preparation of promotional materials related to the speakers. Technology providers responsible for platform management and planning tools, always under data processing agreements in accordance with the GDPR. International transfer: Not foreseen. Retention period: As long as the commercial or contractual relationship is maintained. Data will be kept as long as there is a contractual and/or commercial relationship with the speaker. After the relationship ends, data will be kept for the periods required by tax and commercial regulations (minimum 6 years). Data related to the assignment of image and voice rights will be kept for the period specified in the contract signed with the speaker. Security measures: - Organizational: - Implementation of an internal procedure to manage the explicit consent of speakers at each stage (registration, use of image, voice, and data). - Creation of a restricted access protocol for personal and contractual data only to authorized personnel. - Signing confidentiality agreements (NDAs) with the organizing team and collaborators who have access to speaker information. - Periodic evaluations to ensure the correct application of protection measures and data processing. - Technical: - Encryption of personal data stored in management systems and contracts (AES-256). - Use of secure platforms for digital contract signing and sensitive document processing. - Multi-factor authentication for access to speaker management systems. - Monitoring of accesses and activities in the system to prevent improper use of information. - Periodic backups of speaker data to ensure recovery in case of incidents. - Physical: - Secure storage of physical documents (contracts and agreements) in restricted access areas with access control. - Use of servers in data centers with international certifications (ISO 27001) to ensure the physical security of the infrastructure. South Summit uses images. Legal basis: (Art. 6.1.a GDPR) Consent of the data subject; (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract. Purposes: Assignment to press and accredited media for event coverage; Recording and streaming of event presentations; Publication of images and videos of attendees, speakers, and participants on social networks, website, and South Summit promotional materials; Use of event visual content for the promotion of future editions of South Summit. Categories of data and groups: Speakers and presenters (identification data). South Summit attendees or other events (identification data). Origin of data: The data subject themselves or their legal representative; Private entity; From the "Become a Speaker" form on the website; Event attendees such as Speakers, Partners, Investors, Presenters, or Startup Members. Category of recipients: Companies dedicated to advertising or direct marketing; Images may be shared with media, social networks, and streaming platforms, always under the conditions of the privacy policies of such third parties. International transfer: Not foreseen. Retention period: Images and recordings will be kept as long as they are useful for the foreseen purposes (event promotion and future editions). On social networks and third-party platforms, images will be kept in accordance with the privacy policies of said platforms. Data subjects may exercise their right to erasure, cancellation, or limitation of processing to delete their visual data. Security measures: - Organizational: - Obtaining explicit consent from attendees, speakers, and participants through visible notices in recording areas and online registration to participate in the event. - Internal policies that limit access and use of images to authorized communications and marketing personnel. - Periodic training for the responsible team on regulations applicable to recording and use of images, including GDPR and image rights. - Documentation of agreements with photographers, videographers, and media participating in the event, ensuring compliance with data protection regulations. - Technical: - Encryption of images and videos stored in internal systems (AES-256). - Use of secure platforms for content management and publication (social networks, servers with SSL certificates). - Monitoring of access and activities related to image management to ensure traceability. Automatic backups and storage in controlled environments with ISO 27001 certification. - Physical data: Storage of any physical media (memory cards, hard drives) in secure and restricted access areas. Physical access control to image editing and management areas within South Summit facilities. 11.- PERSONAL DATA OF MINORS How do we manage minors' data? Minors under 14 years of age may not use the services offered through our website without the prior authorization of their parents, guardians, or legal representatives. These will be solely responsible for all actions carried out through the website by the minors under their charge, including the completion of online forms with their personal data and, where appropriate, the selection of the corresponding checkboxes. In accordance with the provisions of Article 8 of the GDPR and Article 7 of the LOPD/GDD, only persons over 14 years of age may consent to the lawful processing of their personal data by Spain Startup. 12.- ORIGIN AND TYPES OF DATA PROCESSED Where did we obtain your data? Travel and Accommodation Booking Management - South Summit - E-commerce clients: The data subject themselves or their legal representative. - People who access and contact via the web: The data subject themselves or their legal representative. People who contact us through web forms such as "Become an Ambassador", "Suggest a Speaker", "Suggest Ideas", and "Contact Us". - Registered Users / South Summit App Users: The data subject themselves or their legal representative. - Potential clients: The data subject themselves or their legal representative. - South Summit attendees or other events: The data subject themselves or their legal representative. Event attendees such as Speakers, Partners, Investors, Presenters, or Startup Members. - Registered user competition: The data subject themselves or their legal representative. Startup Competition Evaluation Committee - Evaluation Committee: The data subject themselves or their legal representative; Private entity. Cookies, pixel, and tracking - People who access and contact via the web: The data subject themselves or their legal representative. People who contact us through web forms such as Become an Ambassador, Suggest a Speaker, Suggest Ideas, and Contact Us. Co-organization of the South Summit 2025 event. - Registered Users / South Summit App Users: The data subject themselves or their legal representative. - Employees: The data subject themselves or their legal representative. - Visits: The data subject themselves or their legal representative. - Volunteers: The data subject themselves or their legal representative. - Speakers and presenters: The data subject themselves or their legal representative; Private entity. From the "Become a Speaker" form on the website. - South Summit attendees or other events: The data subject themselves or their legal representative. Event attendees such as Speakers, Partners, Investors, Presenters, or Startup Members. - Registered user competition: The data subject themselves or their legal representative. Compliance with GDPR obligations - Clients: The data subject themselves or their legal representative. - Employees: The data subject themselves or their legal representative. Event access management - South Summit - Volunteers: The data subject themselves or their legal representative. - Speakers and presenters: The data subject themselves or their legal representative; Private entity. From the form to become a speaker on the website. - South Summit attendees or other events: The data subject themselves or their legal representative. Event attendees such as speakers, partners, investors, presenters, or startup members. Event partners and content production management. - Registered Users / South Summit App Users: The data subject themselves or their legal representative. - Clients: The data subject themselves or their legal representative. - Employees: The data subject themselves or their legal representative. - Speakers and presenters: The data subject themselves or their legal representative; Private entity. From the "Become a Speaker" form on the website. - South Summit attendees or other events: The data subject themselves or their legal representative. Event attendees such as Speakers, Partners, Investors, Presenters, or Startup Members. - Registered user competition: The data subject themselves or their legal representative. Communications and newsletter management - Subscribers: The subscriber themselves or their legal representative. Data is captured when the subscriber enters their email address in our newsletter registration form on the website. Website queries management - South Summit - People who access and contact via the web: The data subject themselves or their legal representative. People who contact us through web forms such as Become an Ambassador, Suggest a Speaker, Suggest Ideas, and Contact Us. South Summit participant management - Clients: The data subject themselves or their legal representative. Social media management - South Summit - Followers: The data subject themselves or their legal representative. Participation requests management - Partner with Us / Get Your Stand - Clients: The data subject themselves or their legal representative. - Potential clients: The data subject themselves or their legal representative. Registered user competition management - Registered user competition: The data subject themselves or their legal representative. Video surveillance management in offices and event facilities - Employees: The data subject themselves or their legal representative. - Visits: The data subject or their legal representative. Volunteer management - Volunteers: The data subject themselves or their legal representative. Evaluation Jury Management - Startup Competition - Jury: The data subject or their legal representative; Private entity. Integrated Agenda and Calendar Management - South Summit - People who access and contact via the web: The data subject themselves or their legal representative. People who contact us through web forms such as Become an Ambassador, Suggest a Speaker, Suggest Ideas, and Contact Us. - Clients: The data subject themselves or their legal representative. - Employees: The data subject themselves or their legal representative. Integrated Attendee and Ticketing Management - South Summit - Speakers and presenters: The data subject themselves or their legal representative; Private entity. From the form to become a speaker on the website. - South Summit attendees or other events: The data subject themselves or their legal representative. Event attendees such as Speakers, Partners, Investors, Presenters, or Startup Members. Integrated Event Management - South Summit App - Registered Users / South Summit App Users: The data subject themselves or their legal representative. - South Summit attendees or other events: The data subject themselves or their legal representative. Event attendees such as Speakers, Partners, Investors, Presenters, or Startup Members. Integrated Speaker Management - South Summit - Speakers and presenters: The data subject themselves or their legal representative; Private entity. From the form to become a speaker on the website. South Summit uses images. - Speakers and presenters: The data subject themselves or their legal representative; Private entity. From the form, become a speaker on the website. - South Summit attendees or other events: The data subject themselves or their legal representative. Event attendees such as speakers, partners, investors, presenters, or startup members. What types of data do we collect and process about you? Travel and Accommodation Booking Management - South Summit E-commerce Clients - Identification data (email; postal address; NIF/NIE/Passport; name and surname; phone number). People who access and contact via the web - Identification data (email; name and surname; phone number). Registered Users / South Summit App Users - Identification data (email; name and surname; phone number). Potential clients - Identification data (email; postal address; NIF/NIE/Passport; name and surname; phone number). South Summit attendees or other events - Identification data (name and surname; phone; DNI/NIF/NIE/Passport). - Employment data (employer or company where you work). Registered user competition - Identification data (email; postal address; username). Evaluation Committee Startup Competition Evaluation Committee - Identification data (email; name and surname; phone number). - Other categories (contact information (relationship, position, company, email)). Cookies, pixel, and tracking People who access and contact via the web - Commercial information (data obtained through cookies, pixels, or similar instruments, if applicable). - Other categories (ID generated by Pixel or Cookie). Co-organization of the South Summit 2025 event. Registered Users / South Summit App Users - Identification data (email address; image; name and surname; phone; LinkedIn, Twitter, Instagram, and Facebook social media profiles). - Commercial information (activities and businesses; artistic, literary, scientific, or technical creations; confidential and/or copyrighted data and/or images; subscriptions to publications or media; data obtained through cookies, pixels, or similar instruments, if applicable; shipping address; direct messages from the South Summit App; video calls from the South Summit App). Employees - Identification data (email address). Visit - Identification data (image). Volunteers - Identification data (email address; postal address; NIF/NIE/Passport; Social Security/Mutual Society number; name and surname; phone number). - Personal characteristics (age; nationality; gender). Speakers and presenters - Identification data (email; image; name and surname; voice; country; LinkedIn social media profile). - Employment data (jobs; company or firm where you work). - Other categories (message). South Summit attendees or other events - Identification data (image; name and surname; phone; DNI/NIF/NIE/Passport; LinkedIn, Twitter, Instagram, and Facebook social media profiles; email). - Personal characteristics (date of birth; gender). - Employment data (company or firm where you work). - Economic, financial, and insurance (PayPal). - Commercial information (direct messages from the South Summit App; video calls from the South Summit App). - Credit information (bank details, debit or credit card details). Registered user competition - Identification data (email address; postal address; phone; username; company identification number/CIF; contact details of the company's legal representatives). Compliance with GDPR obligations Clients - Identification data (name and surname; postal address; NIF/NIE/Passport; email; phone). Employees - Identification data (name and surname; postal address; NIF/NIE/Passport; email; fingerprint; phone). - Job details (jobs). Event access management - South Summit Volunteers - Identification data (email; NIF/NIE/Passport; name and surname). Speakers and presenters - Identification data (email; image; name and surname). South Summit attendees or other events - Identification data (image; name and surname; DNI/NIF/NIE/Passport). Event partners and content production management Registered users / South Summit app users - Identification data (email; image; name and surname; phone; LinkedIn, Twitter, Instagram, and Facebook social media profiles). Clients - Identification data (email; address; NIF/NIE/Passport; name and surname; phone number; country). Employees - Identification data (email address; postal address; handwritten signature; name and surname; phone number). Speakers and presenters - Identification data (email address; image; name and surname; voice; country; LinkedIn social media profile). South Summit attendees or other events - Identification data (image; name and surname; phone; DNI/NIF/NIE/Passport; LinkedIn, Twitter, Instagram, and Facebook social media profiles; email). - Personal characteristics (date of birth; gender). - Employment data (employer or company where you work). - Economic, financial, and insurance (PayPal). - Commercial information (direct messages from the South Summit App; video calls from the South Summit App). - Credit information (bank details, debit or credit card details). Registered user competition - Identification data (email address; postal address; phone; username; company identification number/CIF; contact details of the company's legal representatives). Communications and newsletter management Subscribers - Identification data (name and surname; email; phone). Website queries management - South Summit People who access and contact via the website - Identification data (name and surname; email; phone; country). - Employment data (jobs; company or firm where you work). - Other categories (message). South Summit participant management Clients - Identification data (name and surname; postal address; email; phone). Social media management - South Summit Followers - Identification data (name and surname; email). Participation requests management - Partner with Us / Get Your Stand Clients - Identification data (country; name and surname; email). - Employment data (job or company where you work). - Other categories (message). Potential clients - Identification data (name and surname; phone; country; email). - Employment data (employer or company where you work). - Other categories (message). Registered user competition management Registered user competition - Identification data (email address; postal address; phone; username; company identification number/CIF; contact details of the company's legal representatives). Video surveillance management in offices and event facilities Employees - Identification data (image). Visit - Identification data (image). Volunteer management Volunteers - Identification data (email address; postal address; NIF/NIE/Passport; Social Security/Mutual Society number; name and surname; phone number). - Personal characteristics (age; nationality; gender). Evaluation Jury Management - Startup Competition Jury - Identification data (email address; name and surname; phone; country). - Other categories (contact details (relationship, position, email)). - Employment data (jobs; company or firm where you work). Integrated Agenda and Calendar Management - South Summit People who access and contact via the web - Identification data (name and surname; email address; phone number). Clients - Identification data (name and surname; email address; phone number). Employees - Identification data (name and surname; postal address; phone). Integrated Attendee and Ticketing Management - South Summit Speakers and presenters - Identification data (email; image; name and surname; voice). South Summit attendees or other events - Identification data (name and surname; image; phone; DNI/NIF/NIE/Passport). - Economic, financial, and insurance data (PayPal). - Credit information (bank details, debit or credit card details). - Personal characteristics (date of birth; gender). - Employment data (employer or company where you work). Integrated Event Management - Registered Users South Summit App / South Summit App Users - Identification data (email; image; name and surname; phone; LinkedIn, Twitter, Instagram, and Facebook social media profiles). - Commercial information (activities and business; direct messages from the South Summit App; video calls from the South Summit App). South Summit attendees or other events - Identification data (name and surname; image; LinkedIn, Twitter, Instagram, and Facebook social media profiles). - Employment data (company or firm where you work). - Commercial information (direct messages from the South Summit app; video calls from the South Summit app). Integrated Speaker Management: South Summit Speakers and Presenters - Identification data (email; name and surname; country; LinkedIn social media profile). - Employment data (jobs; company or firm where you work). - Other categories (message). South Summit uses images. Speakers and presenters - Identification data (image). South Summit attendees or other events - Identification data (image). 13.- RIGHTS OF DATA SUBJECTS What are your rights regarding your data? Data protection regulations grant you specific rights that you can exercise in relation to the processing of your data. These rights are personal and non-transferable, meaning that only you, as the data owner, can exercise them after verifying your identity. Your rights are described below: - Right of access: You can request confirmation of whether Spain Startup is processing your data and access information related to such processing. - Right to rectification: If your personal data is inaccurate or incomplete, you can request its correction. - Right to erasure ("right to be forgotten"): You can request the erasure of your data when it is no longer necessary for the purposes for which it was collected or if you withdraw your consent. - Right to restriction of processing: You can request the restriction of processing of your data, for example, while its accuracy is being verified or in other cases provided by law. - Right to data portability: You have the right to receive your data in a structured, commonly used, and machine-readable format, and to transmit it to another controller. - Right to object: You can object to the processing of your data for reasons related to your particular situation, or when processing is based on a legitimate interest. - Right not to be subject to automated decisions: You can request not to be subject to decisions based solely on automated processing of your data, including profiling. - Right to withdraw consent: You can withdraw your consent at any time, without affecting the lawfulness of processing based on prior consent. - Right to lodge a complaint: If you believe your rights have not been respected, you can lodge a complaint with the corresponding supervisory authority: Spanish Data Protection Agency info@aepd.es https://www.aepd.es To exercise any of these rights, you can contact Spain Startup using the contact information below: - Controller: Spain Startup and Investor Services S.L. - Address: Paseo de la Castellana Nº 70, first floor. 28046, Madrid (Madrid), Spain - Phone: +34 915625784 - Email: privacy@southsummit.io - Website: http://www.southsummit.io You can also exercise your rights with the Data Protection Officer: Email: rgpd@auratechlegal.es - Phone: 0034 911 134 963 How can you exercise your rights regarding your data? To exercise your rights of access, rectification, erasure, restriction or objection, portability, and withdrawal of your consent, you can do so by sending an email to these addresses: rgpd@auratechlegal.es / privacy@southsummit.io or a postal mail to: Paseo de la Castellana Nº 70, second floor. 28046, Madrid (Madrid), Spain. How can you lodge a complaint if you believe your rights are not being respected? If you believe that the processing of your personal data does not comply with data protection regulations, you have the right to lodge a complaint with the relevant Supervisory Authority in your country of residence or workplace. Depending on your location, you can contact the competent authority in your country. For example: - In Germany, you can contact Berliner Beauftragte für Datenschutz und Informationsfreiheit. - In France, the competent authority is the Commission Nationale de l'Informatique et des Libertés. (CNIL). The specific contact details for Spain are as follows: - Spanish Data Protection Agency C/ Jorge Juan, 6. 28001, Madrid (Madrid), Spain Email: info@aepd.es - Phone: 912663517 Web: https://www.aepd.es If you are unsure which authority applies to you or need information about other supervisory authorities, you can consult the article on Data Protection Supervisory Authorities, where you will find contact details and links according to your location. 14.- MODIFICATION AND INFORMATION PRINCIPLE This document ensures that you understand how we process your personal data. By using our website or our services, you confirm that you have been informed about the terms of our Privacy Policy, in accordance with the information principle established in Article 13 of the GDPR. The legal basis for the processing of your personal data is established in Article 6 of the GDPR and may include the performance of a contract, compliance with legal obligations, or legitimate interest, among others. This policy has been developed in collaboration with Auratech Legal, a firm specialized in data protection, and will be periodically reviewed to ensure its adequacy and compliance. Spain Startup reserves the right to modify this Privacy Policy based on legislative changes, jurisprudence, or directives from supervisory authorities. Any relevant modification affecting the purpose of processing, retention periods, or user rights will be explicitly communicated. Last updated: January 23, 2025