Privacy Policy

1.    Introduction
This Privacy Statement explains how Stichting Global Anti-Scam Alliance (“GASA”, “we”, “our”, “us”) processes personal data when you visit our website gasa.org or attend our events.

GASA is the controller for these processing activities within the meaning of the General Data Protection Regulation (“GDPR”) and determines the purposes and means of the processing of your personal data. 
If you have any questions about this Privacy Statement or the way we process personal data, please contact us using the details in Section 10.

2.    Changes to this Privacy Statement
As our Services and activities evolve, we may update this Privacy Statement from time to time. We encourage you to review it periodically so that you remain informed about how we process your personal data.

3.    When do we process personal data?
We process personal data when you create an account or become a member, contact us with questions or feedback, subscribe to a newsletter, attend an (online) event, or visit our website (where cookies may be placed).

This Privacy Statement applies solely to processing activities for which GASA is the GDPR controller.

4.    What personal data do we process, and for what purposes and legal bases?
Below we explain what types of personal data we process, why we process them, and on which GDPR legal basis (Article 6(1) GDPR) such processing relies.

If we intend to process personal data for a purpose other than the purpose for which the data were collected, we will inform you of this new purpose in advance and provide all additional information required under the GDPR.

4.1    Account
It is possible to create an account on our website. Using your account, you can benefit from the services we provide. We need this data to provide these services (execution of the agreement).

For this purpose, we process the following personal data:
•    Name
•    Job title 
•    Company name
•    Country
•    Relevant interests (topics and regions)
•    Phone number
•    E-mail address
•    IP address

Legal bases for these processing activities are:
•    Performance of a contract (art. 6(1)(b) GDPR), if you use the platform to benefit from the services
•    Legitimate interest (art. 6(1)(f) GDPR), namely improving the services

We store this data for 3 years after you last logged into your account. We keep some data longer if we are legally obligated to do so (e.g., because of the 7-year tax retention obligation). 

4.2    Becoming a member
It is possible to become a member on our website. Using your membership, you can become part of our network and benefit from the services we provide. 

For this purpose, we process the following personal data:
•    Account data
•    Name
•    Company name 
•    Job title
•    Contact details (e-mail address, phone number)
•    IP address
•    LinkedIn URL
•    Other relevant information you decide to give us

Legal bases for these processing activities are:
•    Performance of a contract (art. 6(1)(b) GDPR), if you use the platform to benefit from the services
•    Legitimate interest (art. 6(1)(f) GDPR), namely improving the services

We store this data for 3 years after you last logged into your account. We keep some data longer if we are legally obligated to do so (e.g. because of the 7-year tax retention obligation). 

4.3    Contact, support and feedback
When you contact us by email or through the website, we process the personal data you provide in order to respond to your question or feedback.
For this purpose, we process the following data:
•    Name
•    E-mail address
•    Job title
•    Company name
•    Other information which may be included in your message.

Legal bases for these processing activities are:
•    Performance of a contract (Art. 6(1)(b) GDPR), if your question relates to existing use of the Services.
•    Legitimate interests (Art. 6(1)(f) GDPR), namely assisting users and improving the Services.

We store these contact moments with the personal data you provide for the purpose of carrying out the contract. We keep this information for as long as necessary for this contact or up to 2 years after we last had contact with you, because we want to make sure we have handled your question properly.

4.4    Newsletter
If you sign up for our newsletter, we process your email address on the basis of your explicit consent. We use your email address only to send you the newsletter and related updates. You may withdraw your consent at any time by unsubscribing, after which you will no longer receive these communications.

For this purpose, we process the following personal data:
•    E-mail address

Legal bases for these processing activities are:
•    Consent, where you subscribe to the newsletter (Art. 6(1)(a) GDPR);
•    Legitimate interest, where we retain your email address on a non-mailing list to honor your request not to receive further messages and to prevent re-subscription errors (Art. 6(1)(f) GDPR).

If you unsubscribe, we will add your email address to a separate “non-mailing list” to ensure that you do not receive further newsletters or marketing messages from us. We retain this information for a limited period of two years maximum.

4.5    Events
We process personal data in connection with organizing our events, which includes registration, participation and facilitating contact between participants and sponsors.
For this purpose, we process the following data:
•    Name
•    E-mail address
•    Job title
•    Company name
•    Phone number
•    Country
•    Registration data (e.g. application, attendance)

Legal basis for these processing activities is:
•    Legitimate interest (art. 6(1)(f) GDPR), where the participants’ personal data is shared with sponsors, and where the processing is necessary for the registration, organization and participation in the event. 

Depending on the set-up of the event, the applicable package or networking functionalities, we may share participants’ personal data with sponsors or other relevant parties. This may take place prior to the event (e.g. participant lists) and/or after the event (e.g. attendee or lead data).

We store this data no longer than necessary for the organization and evaluation of the event, unless a longer retention period is required or justified (e.g. for administrative or follow-up purposes). 

4.6    Reports  
When you download reports or other content we created with our partners, you can be asked to provide your personal data via a form, which may be shared with the relevant sponsor(s).

For this purpose, we process the following data:
•    Name
•    E-mail address
•    Job title
•    Company name
•    Phone number
•    Country 

Legal basis for these processing activities is:
•    Legitimate interest (art. 6(1)(f) GDPR), where the user’s personal data is shared with the sponsor of the report.
We store this data no longer than necessary to facilitate the sharing of your data with the relevant sponsor. Once your data has been shared, the sponsor processes your data in accordance with its own privacy statement. 

5.    Sharing of personal data
We may share personal data with carefully selected third parties where this is necessary to operate the Services, to improve their functionality, or to address harmful activities. These third parties may include, for example:
•    Third-party service providers such as email tools (e.g. Moosend), webinar platforms (e.g. StreamYard), automation (e.g. Zapier), and customer support (e.g. Helpscout)
•    Hosting and analytics platforms (e.g. Google Analytics)
•    Event partners, only with your explicit consent
•    Sponsors, when you download one of our reports or other assets, which we have created together with Partner(s)
•    Public authorities, where legally required

Some of these parties act as processors and process personal data only on our instructions. Others act as independent controllers, for example where they receive information under their own legal mandate (such as law-enforcement authorities) or where they determine their own purposes for processing. 

All third parties who process personal data on our behalf are bound by a Data Processing Agreement (DPA) in compliance with Article 28 of the GDPR and equivalent laws.

6.    Cookies and similar technologies
When you visit our website and use our Services, we may use essential cookies, analytical cookies and other optional cookies.
•    Essential cookies are required for the website and Services to function and do not require consent.
•    Analytical cookies are used to understand website use. Where implemented in a privacy-friendly manner (e.g., IP anonymization), they rely on our legitimate interest and otherwise on your consent.
•    Optional / marketing cookies are only placed with your consent through the cookie banner.
You can adjust your cookie preferences at any time. A cookie table listing cookies and their purposes is included here.

7.    International transfers
If we transfer personal data to countries outside the European Economic Area (“EEA”), we do so only in accordance with Chapter V of the GDPR. This means that such transfers will take place on the basis of:
•    an adequacy decision issued by the European Commission (Article 45 GDPR); or
•    appropriate safeguards, such as the European Commission’s Standard Contractual Clauses (Article 46 GDPR), supplemented where necessary with additional technical or organizational measures; or
•    in limited circumstances, one of the derogations provided under Article 49 GDPR.
•    where data is transferred to the US, we rely on the EU-U.S. Data Privacy Framework 

You may contact us for more information about the safeguards applied to specific transfers or for access to copies of the relevant transfer mechanisms, where permitted by law.

8.    Your rights under the GDPR
Under the GDPR, you have a number of rights in relation to your personal data. These rights apply where the GDPR is applicable to the processing of your personal data. We respect these rights and will assist you in exercising them. Below is an overview of your rights, together with a short explanation of what each right entails.

8.1    Right of access
You have the right to request confirmation of whether we process your personal data, and if so, to receive a copy of those data. We will also provide information about the purposes of processing, the categories of personal data, the recipients of the data, the retention period, and your rights.

8.2    Right to rectification
If your personal data are inaccurate or incomplete, you have the right to request that we correct or complete them. Where possible, you can also update certain information yourself via your account settings.

8.3    Right to erasure ('right to be forgotten')
In certain circumstances, you have the right to request the deletion of your personal data. This right applies, for example, when data are no longer necessary for the purpose for which they were collected, when you withdraw consent, or where you have a valid objection to processing.

This right does not apply where data must be retained by law or where processing is necessary for our legitimate interests that outweigh your own rights and interests (for example, fraud prevention, cybersecurity or legal compliance).

8.4    Right to restriction of processing
You may request that we restrict the processing of your personal data. This can apply, for example, while we verify the accuracy of data you contest, when processing is unlawful but you prefer restriction over deletion, or when we no longer need the data but you require them for legal claims.

When processing is restricted, we will no longer use your data except where legally permitted (e.g. with your consent, for legal claims, or to protect the rights of others).

8.5    Right to data portability
You have the right to receive the personal data you provided to us in a structured, commonly used and machine-readable format, and to transmit those data to another organization. Where technically feasible, you may also request that we transfer the data directly to another controller.

8.6    Right to object
You may object to processing of your personal data where we rely on our legitimate interests (Article 6(1)(f) GDPR). We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or where processing is necessary for legal claims.

You may always object to the use of your personal data for direct marketing, including profiling related to such marketing. If we use such marketing (unlikely for GASA.org), we will stop immediately upon receiving your objection.

8.7    Right to withdraw consent
Where we process data on the basis of your consent (e.g. newsletters or optional cookies), you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

8.8    Exercising your rights
You may exercise any of the above rights by contacting us using the details set forth below. To protect your privacy, we may need to verify your identity before fulfilling your request. This may involve asking you to provide additional information that allows us to confirm the request is genuine.

We aim to respond to all requests within one month of receipt, in accordance with the GDPR. If a request is complex or you have made multiple requests, we may extend this period by up to two additional months, in which case we will inform you.

8.9    Supervisory authorities
If you are unhappy with how we process your personal data, we encourage you to contact us first. However, you also have the right to lodge a complaint with an EEA supervisory authority:
•    If you are in the EEA, you may contact any relevant national EEA data protection authority.
•    If you live outside the EEA, you may contact the Dutch supervisory authority.
The Dutch Data Protection Authority can be contacted via: https://autoriteitpersoonsgegevens.nl/

9.    Contact us
If you have any questions about this Privacy Statement, the way we process personal data, or if you wish to exercise any of your rights under the GDPR, you may contact us using the details below. We aim to respond without undue delay and within the timeframes required by the GDPR.
•    Stichting Global Anti-Scam Alliance
•    Oder 20 Unit A6311
•    2491DC 's-Gravenhage, The Netherlands
•    partner@gasa.org 
•    KvK (Dutch Chamber of Commerce): 52710041

Please include sufficient information for us to identify you and locate your data (for example, the email address associated with your account), so that we can handle your request efficiently and securely.

GASA has not appointed a Data Protection Officer, as we are not required to do so under the GDPR.