DETAILS OF OUR PRIVACY POLICY
INDEX
- 1. Purpose of the Privacy Policy
2. Definition of personal data
3. Identity of the Data Controller
4. Applicable laws and regulations
5. Principles applicable to the processing of personal data
6. Safety measures
7. Processing purposes
8. Legitimacy of the treatment
9. Recipients of your data
10. Data processing activities performed
11. Personal data of minors
12. Origin and types of data processed
13. Rights of interested parties
14. Modification
1.-POLICY OBJECTIVE
At Spain Startup and Investor Services S.L. (hereinafter, Spain Startup), we respect your privacy and
protect your personal data. This policy details how we collect, use and share your information in
accordance with applicable data protection regulations, including the General Data Protection
Regulation (GDPR).
This privacy policy applies to the website http://www.southsummit.io. If you do not provide us with
your personal data, no processing of your information will be carried out.
We will inform you about the purposes of the processing, the entities that may have access to your
data and your rights as data subject. Some processing may be based on legal obligations, contracts
or legitimate interests, without requiring your express consent.
If the website uses cookies, we will clearly notify you in our Cookie Policy, where you can learn more
about the use of cookies and how to manage your preferences.
This policy ensures transparency and is designed to make it clear to you how to know and exercise
your rights.
DEFINITION OF PERSONAL DATA
● Personal data: Personal data is any information relating to an identified or identifiable natural
person («Website user»). The following shall be considered as a person
08.02.- SECOND LEVEL PRIVACY POLICY
The term «identifiable person» refers to any person whose identity can be determined, directly
or indirectly, by means of identifiers such as a name, an identification number, location data,
an online identifier, or through elements of physical, physiological, genetic, psychological,
economic, cultural or social identity.
3.-IDENTITY OF THE DATA CONTROLLER
Who collects and processes your data?
The Data Controller is:
Spain Startup and Investor Services S.L CIF B86685294
How can you contact us?
● Postal and office address: Paseo de la Castellana Nº 70 second floor. 28046, Madrid
(Madrid), Spain.
● Registered office: Paseo de la Castellana Nº 70 second floor. 28046, Madrid (Madrid), Spain.
● Email: privacy@southsummit.io- Phone: +34 915625784
Who can help you with our Data Protection Policy?
In Spain Startup we have a Data Protection Officer (DPO), whose function is to ensure compliance
with current regulations on data protection within our organization. If you have any questions or need
assistance regarding the processing of your personal data, you can contact our DPO through the
following means:
● Auratech Legal – NIF B87984621
● Email: privacy@spain-startup.com- Phone: 911134963
4.- APPLICABLE LAWS AND REGULATIONS
This Privacy and Data Protection Policy is developed based on the following data protection laws and
regulations:
● Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on
the protection of natural persons with regard to the processing of personal data and on the
free movement of such data. Hereinafter GDPR.
● Organic Law 3/2018 2018 of December 5on the Protection of Personal Data and Guarantee
of Digital Rights. Hereinafter LOPD/GDD.
● Law 34/20022002, of July 11, , on Information Society Services and Electronic Commerce.
Hereinafter LSSICE.
5.- PRINCIPLES APPLICABLE TO THE PROCESSING OF PERSONAL DATA
At Spain Startup we process personal data in accordance with the principles established in the
current legislation, ensuring that the processing is carried out in accordance with the principles
established in the current legislation, ensuring that the processing is carried out in accordance with
the principles established in the current legislation:
● Lawful, fair and transparent: We report in a clear and accessible manner how data is
collected and used.
● Limited to specific purposes: Data are collected for legitimate purposes and are not used
for other purposes.
● Data minimization: We only request data that is strictly necessary.
● Accuracy: We keep data up to date and correct inaccurate data.
● Retention limitation: Data is retained only for as long as necessary for the stated purposes.
● Integrity and confidentiality: We apply appropriate security measures to protect data.
● Proactive responsibility: We assume responsibility for complying with and compliance with
these principles.
6.-SAFETY MEASURES
What do we do to ensure the privacy of your data?
At Spain Startup, we have implemented the necessary technical and organizational measures to
ensure the security of the personal data we process. These measures are designed to prevent
alteration, loss, unauthorized access or improper processing of data, adapting to the state of
technology and potential risks.
Among the measures we highlight:
● Confidentiality: Only authorized persons can access the information.
● Integrity: Information is kept accurate and protected against unauthorized modifications.
● Availability: We ensure that data is accessible to authorized persons at all times.
● Continuous assessment: We regularly review and improve our security to adapt to new
threats and technological advances.
● Pseudonymization and encryption: We use these techniques to strengthen data protection,
especially sensitive data.
7.- PURPOSES OF THE TREATMENT
Why do we want to process your data?
The following are the uses and purposes foreseen:
Travel and Lodging Reservation Management – South Summit
Coordinate with partners and suppliers to manage reservations and discounts to facilitate event
attendance.
Provide information and exclusive travel, lodging and transportation offers to event attendees
Promote exclusive agreements with partners related to travel and accommodation services.
Perform a personalized follow-up of the requests received through the web landing page.
Startup Competition Evaluation Committee
Coordinate online discussion sessions to select the finalist projects.
Send emails with links to register on the platform and scheduling of sessions
Evaluate pre-selected projects through the evaluation platform.
Manage committee members’ access to the platform and startup data.
Invite corporations, investment funds and institutions to participate in the evaluation committee.
Cookies, pixel and tracking
Sharing information on social networks. «Fav», «Like», +1″ and similar buttons.
Obtain statistical data on user navigation, identify problems and analyze user preferences.
Third-party video streaming and mapping. A feature or plug-in provided by a third party
establishes a direct connection between the user’s browser and Internet domains owned by the
third party, allowing the feature to be downloaded and executed.
Co-organization of the South Summit 2025 event.
Communication and marketing: Send event-related information, updates, news and promotional
materials. This includes sending emails and other messages to keep attendees informed about
event details and any important changes or developments.
Event access control: Manage access for participants, volunteers and speakers. This ensures
that only authorized people can enter certain areas of the event.
Compliance with GDPR obligations: Handling requests for exercising rights under the GDPR
and notifying security breaches. This involves handling participants’ requests related to their
personal data and notifying any security breach to the competent authorities.
Surveys and feedback: Collect opinions and suggestions from participants to improve future
events. After the event, surveys will be sent out to get feedback from attendees on what they
liked and what could be improved.
Participant management: Enabling participation in South Summit activities and sections. This
includes coordinating the activities in which participants can get involved and ensuring that
everyone has the necessary information to actively participate.
Registered user management: Facilitate e-commerce and business opportunities for partners.
This includes enabling startups and other companies to interact and do business during the
event and through the event platform.
Event organization and management: Coordinate and execute all activities related to the
planning and execution of the event. This includes ensuring that all parts of the event run
smoothly, such as scheduling of activities, coordination of speakers and overall logistics
Registration and access control: Manage registrations, badges and tickets to the event. This
means registering everyone who will attend the event, making sure they have the correct
credentials, and controlling who enters and leaves the venue.
Streaming and recording of sessions: Live stream and record presentations and event activities.
This allows people who cannot attend in person to view the presentations and activities online
and make the recordings available for later viewing.
Use of images: Record and stream the event’s presentations, and display images on the web
and social networks. This involves taking photos and videos of the event and sharing them
online for promotion and coverage of the event.
Video surveillance of facilities: Ensure the security of people, goods and facilities through video
surveillance. This means that security cameras will be used to monitor the event site and ensure
the protection of all those present.
Compliance with GDPR obligations
Process your data for the purpose of responding to requests in the exercise of the rights
established by the General Data Protection Regulation (art 5 GDPR) and, where appropriate, for
the notification of security breaches of personal data to the supervisory authority and data subjects
(articles 33 and 34 of the GDPR).
Respond to requests from citizens in the exercise of the rights established in the General Data
Protection Regulation.
Data protection and privacy of information
Event Access Management – South Summit
Monitor space capacity in real time to ensure safety and local regulatory compliance
Manage attendee lists to facilitate registration and resolve possible incidents during access.
Collect attendance data for analysis and improvement of future editions of the event.
Verify and validate attendee access to the event via QR codes or other registration systems
Event Partner Management and Content Production
Coordination of tasks and responsibilities in the production of events
Management of the relationship with speakers and the programming of
contents Supervision of the development and fulfillment of production
objectives
Communications and Newsletter Management
Send informative newsletters about the South Summit ecosystem (events, speakers, startups
and opportunities).
Generate business opportunities through contact between participants and partners Promote
events, conferences and competitions organized by South Summit.
Provide promotional information about services, activities and offers of South Summit and its
partners.
Conduct segmented campaigns according to specific interests or professional sectors.
Website Query Management – South Summit
Channel ideas, suggestions and proposals to improve the organization’s services and activities.
Respond to requests received through web forms such as Become an Ambassador, Suggest a
Speaker, Suggest Ideas and Contact Us.
Manage and register inquiries from users interested in collaborating or participating in South
Summit activities.
Provide support and information related to the services and events organized by South Summit.
South Summit participant management
Organization of South Summit as a global physical meeting in Madrid, connecting the different
poles of global innovation, and connecting the main actors of national and international innovation
with physical networking and through the digital platform. South Summit becomes a 365 connection
platform, with meetings throughout the year both face-to-face and digital to continue connecting the
key players in the innovation ecosystem and enhancing the best of both worlds. This omnichannel
format will be developed both virtually and in person as circumstances dictate or the convenience of
the format chosen for each section.
The personal data collected will be processed for the purpose of managing the relationship
arising from this contract.
Enable effective and active participation in South Summit’s sections and activities to those who
conform to the South Summit’s requirements.
Process the consideration for the services and activities that the participant will enjoy at South
Summit.
Reciprocal use of the distinctive signs and trademarks of which the participant and the company
are owners
Social Media Management – South Summit
Create and publish promotional, informational and engagement content on social networks
Identify trends and opportunities through analysis of interaction data Interact with followers
through replies to comments, direct messages and mentions
Monitor statistics and metrics to improve social media strategy and encourage community
engagement
Promote South Summit activities, events and services.
Management of Participation Requests – Partner with Us / Get Your Stand
Manage requests to collaborate as partners or exhibitors at the event.
Inform companies about the types of booths, rates and services available to participate in South
Summi.
Offer personalized attention and resolve doubts related to participation in the event.
Record and follow up on inquiries received to convert them into commercial agreements.
Management of registered users competition
Facilitate the registration and access of startups, partners and investors to the Startup Competition
platform.
Manage the registration of startups in the competition and associated services.
Provide technical support to users and resolve issues during the registration and evaluation
process.
Enable contact between competition participants and South Summit partners to generate business
opportunities.
Promote user participation in future events and competitions organized by South Summit.
Video Surveillance Management in Offices and Event Facilities
Control access and prevent security incidents at all facilities.
Ensure the safety of people, property and infrastructure at South Summit offices and facilities.
Provide security during the organization and development of events in temporary venues.
Provide recordings to the competent authorities in case of incidents or investigations.
Volunteer management
Support in the area of accreditation, logistics and access to the
venue Assign tasks and schedules to volunteers during the event.
Supporting startups, speakers and investors at the Marketplace and at meetings.
Facilitating communication with volunteers before, during and after the event for organizational
issues
Ensure occupational risk prevention for volunteers during their collaboration in the event.
Providing information to visitors and coordinating flows on the site
Evaluation Jury Management – Startup Competition
Send invitations and coordinate the participation of the jury members, indicating dates and sessions.
Manage jury applications received through the «Become a Jury» form.
Maintain communication with jury members to inform them of competition-related activities.
Organize and facilitate the evaluations of the 100 selected startups through the South Summit
platform.
Organize and facilitate the evaluations of the 100 selected startups through the South Summit
platform.
Integrated Agenda and Calendar Management – South Summit
Appointment and agenda control
Coordination and reminders of scheduled meetings within the South Summit Generation of
personalized calendars based on preferences and profile Management of personalized
agendas for event participants
Organization of appointments and meetings between attendees, investors, startups and
exhibitors Planning of selected activities in the event program
Integrated Attendee Management and Ticketing – South Summit
Control access to the event through digital systems (QR codes or equivalent) Comply
with legal and tax obligations associated with ticket sales Send operational information
about the event (location, schedules, updates) Provide statistics on event participation
to improve future editions Manage ticket purchases through the South Summit website
Process and respond to requests for special passes such as the Investor Pass or Press Pass.
Integrated Event Management – App South Summit
Agenda. Calendar of South Summit events.
Sending direct messages among all attendees.
Exhibitors. List of companies with booths as well as their contact information and the person in
charge.
Start video calls from the messages section with the people with whom a conversation is open.
My Event. Events that each user has marked and meetings with other users. My
QR. QR code that allows accreditation to access the event.
Networking. List of all attendees in order to contact them.
Speakers. Access to each Speaker’s profile where you can connect with their social networks and
companies.
Start Up competition. List of the companies participating in the competition, their contact information
and company videos. Possibility to open direct message with the company.
Integrated Speaker Management – South Summit
Coordinate schedules and plan the participation of speakers in the event.
Respond to requests received from the «Become a Speaker» form on the website.
estioning the necessary information to promote your interventions on social networks and other
channels
Manage and formalize image, voice and NDA contracts with speakers.
Publish speaker profiles on the web and other South Summit promotional materials
South Summit uses images.
Press and accredited media for the coverage of the event Recording and
streaming of the event’s presentations
Publication of images and videos of attendees, speakers and participants on South Summit’s
social networks, website and promotional materials.
Use of visual content of the event for the promotion of future editions of South Summit.
How long do we keep your data?
We use your data for the time strictly necessary to fulfill the purposes indicated above. Unless there is
a legal obligation or requirement, the expected retention periods are:
Travel and Accommodation Booking Management – South Summit : For a period of 5 years the
last confirmation of interest. The data will be kept for as long as there is a contractual or commercial
relationship with the data subject or until he/she exercises his/her right of deletion. In case of
revocation of consent, the data will be blocked and kept exclusively for the defense of legal or
contractual claims, for the periods established by the regulations Evaluation Committee Startup
Competition : As long as the business relationship is maintained. The data will be kept for the time
necessary for the organization and management of the evaluation . After the end of the business
relationship, the data will be kept for a minimum of six years in accordance with the Commercial Code
and tax and fiscal regulations. The evaluators’ access to the platform will be enabled for a limited
period of three weeks after the end of the evaluation process.
Cookies, pixel and tracking You should access our cookie policy to know the retention time of each
cookie as well as the information that has been collected.
Co-organization of the South Summit 2025 event. – Registration and contact details: Will
be kept for 5 years from the last confirmation of interest.
• Images and recordings: Will be retained according to the policies of the social media
platforms used and for historical and promotional purposes of the event.
• Transactional data: It will be kept for 5 years according to the applicable tax and
accounting regulations.
• Video surveillance data: 1 month from the date of recording.
• Compliance with RGPD obligations: As long as its deletion is not requested by the
interested party.
• Access control: 5 years from the last confirmation of interest.
• Management of participants: 6 years according to the Commercial Code and tax
regulations.
and fiscal.
• Management of registered users: 6 years from the last confirmation of interest.
Compliance with GDPR obligations: As long as their deletion is not requested by the data subject.
The personal data provided will be kept for as long as their deletion is not requested by the data
subject or when the data are no longer necessary – including the need to keep them for the applicable
statute of limitations – or relevant for the purpose for which they were collected or recorded.
Event Access Management – South Summit : For a period of 5 years from the last confirmation of
interest. The data will be processed and retained for as long as necessary to fulfill the purposes of
access control. Subsequently, they will be stored in a secure and blocked manner for a period of 5
years, unless the interested party requests their deletion or there is a legal obligation that requires
their conservation.
Event Partner Management and Content Production: As long as the commercial or contractual
relationship is maintained. The data will be kept as long as they are necessary to fulfill the purposes
of the treatment, respecting the principles of minimization and limitation of conservation.
Subsequently, they will be deleted or anonymized.
Management of Communications and Newsletters: As long as their deletion is not requested by
the interested party. The data will be kept as long as the interested party maintains his/her interest in
receiving communications. In case of inactivity or revocation of consent, the data will be deleted within
a maximum period of 1 year, unless legally required to be retained.
Management of Website Consultations – South Summit : As long as the commercial or contractual
relationship is maintained. The data will be kept as long as there is a contractual and/or commercial
relationship with the interested party, or as long as their deletion is not requested. After the
termination of the relationship, the data will be blocked and will remain available only for the exercise
or defense of legal or contractual claims, during the applicable statute of limitations. Once these
periods have expired, the data will be securely deleted.
Management of South Summit participants: For a period of 6 years from the last confirmation of
interest. Once the relationship is terminated and not linked to other issues, it is retained for a
minimum period of 6 years, in accordance with the Commercial Code and tax and fiscal regulations.
Gestión de Redes Sociales – South Summit: As long as their deletion is not requested by the
interested party. Personal data will be processed for as long as they are necessary or relevant for the
stated purposes. If the data subject requests deletion, the data will be blocked in accordance with the
GDPR, for a maximum period of three years, for their availability in case of legal requirements by
judges, courts or competent authorities. Statistics and metrics records will be kept anonymized for
analysis and improvement of future strategies.
Management of Participation Requests – Partner with Us / Get Your Stand The data will be
retained for as long as the interested party maintains their interest in participating in the event or until
they request its deletion. In the event that the applicant becomes a customer or partner, the data will
be retained in accordance with the policies applicable to the business relationship. If a business
relationship is not established, the data will be deleted or anonymized no later than 1 year after the
last interaction, unless legally required to be retained.
Management of registered users competition : For a period of 6 years from the last confirmation of
interest. The data will be processed until the user shows his opposition to the processing, exercises
his right to erasure or limitation of processing, or for the periods necessary to comply with legal
obligations (e.g. tax or commercial). Data related to the registration and evaluation of startups will be
retained as long as necessary for the purpose of the competition and its further promotion.
Management of Video Surveillance in Offices and Event Facilities: For a period of 1 month from
the last confirmation of interest. Recordings will be kept for a maximum period of 1 month from their
capture, unless they are required for the resolution of incidents by the competent authorities. In the
event that a recording is necessary for the investigation or defense of legal rights, it may be blocked
and retained for the legally established period.
Volunteer management: For a period of 5 years from the last confirmation of interest. The data will
be processed and retained as long as necessary for the purposes foreseen in the management of the
event. 5 years after the last interaction or collaboration of the volunteer, the data will be securely
deleted, unless there is a legal obligation to retain them.
Management of the Evaluation Jury – Startup Competition : As long as the business relationship is
maintained. The personal data of the jury members will be processed for as long as there is a
contractual or collaborative relationship with South Summit. At the end of the relationship, the data will
be blocked and kept for a minimum period of 6 years in accordance with the Commercial Code and
tax and fiscal regulations. The data related to the evaluations will be anonymized once the
organizational and legal purposes have been fulfilled.
Integral Management of Agenda and Calendar – South Summit: As long as its deletion is not
requested by the interested party. Personal data will be kept for the duration of the event and a
maximum period of 2 years to maintain the business relationship with the person concerned, unless
their deletion is requested earlier or there is a legal obligation to keep them.
Integrated Management of Attendees and Ticket Sales – South Summit : For a period of 5 years
from the last confirmation of interest. The data will be processed and kept for as long as they are
necessary for the purposes foreseen. If the data subject revokes his/her consent, the data will be
deleted within a maximum period of 1 year, unless legally required to be retained (e.g. tax
regulations). Access logs will be deleted at the end of the legal retention period of 5 years.
Gestión Integral de Eventos – App South Summit : As long as the business relationship is
maintained. The data will be kept as long as the user keeps his/her account active and does not
request the deletion of the data. Once the event is over, the data will be deleted within a maximum
period of 2 years, unless there is a legal obligation to keep it.
Integral Management of Speakers – South Summit : As long as the commercial or contractual
relationship is maintained. The data will be kept as long as there is a contractual and/or commercial
relationship with the speaker. After the termination of the relationship, the data will be kept for the
periods required tax and commercial regulations (minimum 6 years) and the data related to the
transfer of image and voice will be kept for the period specified in the contract signed with the
speaker.
South Summit use of images. The images and recordings will be kept for as long as they are useful
for the intended purposes (promotion of the event and future editions); in social networks and third
party platforms, the images will be kept in accordance with the privacy policies of such platforms.
Interested parties may exercise their right of deletion, cancellation or limitation of processing to
remove their visual data.
8.- LEGITIMACY OF THE TREATMENT
Why do we process your data?
The collection and processing of your data is always legitimized by one or more legal bases, which
are detailed below:
Travel and Lodging Reservation Management – South Summit
● (Art. 6.1.a RGPD) Data subject’s consent
● (Art. 6.1.b RGPD) Existence of a contractual relationship with the data subject by means of a
contract or pre-contract.
Startup Competition Evaluation Committee
● (Art. 6.1.b RGPD) Existence of a contractual relationship with the data subject by means of a
contract or pre-contract.
● (Art. 6.1.a RGPD) Data subject’s consent
Cookies, pixel and tracking
● (Art. 6.1.a RGPD) Data subject’s consent
Co-organization of the South Summit 2025 event.
● (Art. 6.1.a RGPD) Data subject’s consent
● (Art. 6.1.b RGPD) Existence of a contractual relationship with the data subject by means of a
contract or pre-contract.
● (Art. 6.1.e RGPD) Fulfillment of a public mission or exercise of public powers conferred to the
Controller
Compliance with GDPR obligations
● Legal obligation for historical, statistical or scientific research purposes.
○ RGPD: 6.1.c) Processing necessary for compliance with a legal obligation applicable
to the data controller.
○ Law 39/2015, of October 1, 2015, on the Common Administrative Procedure of Public
Administrations. Common Administrative Procedure Act.
○ General Data Protection Regulation. REGULATION (EU) 2016/679 OF THE
EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the
protection of individuals with regard to the processing of personal data and on the
free movement of such data and repealing Directive 95/46/EC (General Data
Protection Regulation.
Event Access Management – South Summit
● (Art. 6.1.b RGPD) Existence of a contractual relationship with the data subject by means of a
contract or pre-contract.
Event Partner Management & Content Production
● (Art. 6.1.b RGPD) Existence of a contractual relationship with the data subject by means of a
contract or pre-contract.
Communications and Newsletter Management
● (Art. 6.1.a RGPD) Data subject’s consent
Website Query Management – South Summit
● Explicit consent of the person concerned
South Summit participant management
● (Art. 6.1.b RGPD) Existence of a contractual relationship with the data subject by means of a
contract or pre-contract.
● (Art. 6.1.f RGPD) Legitimate interest of the Data Controller or third party
Social Media Management – South Summit
● Explicit consent of the person concerned
○ RGPD: 6.1.a) Consent of the data subject. . The legal basis for sending information
relating to professional practice or professional interest and for the provision of
voluntary services is the consent you provide, which you may withdraw at any time.
Management of Participation Requests – Partner with Us / Get Your Stand
● (Art. 6.1.a RGPD) Data subject’s consent
Management of registered users competition
● (Art. 6.1.a RGPD) Data subject’s consent
● (Art. 6.1.b RGPD) Existence of a contractual relationship with the data subject by means of a
contract or pre-contract.
Video Surveillance Management in Offices and Event Facilities
● Legitimate interest of the Data Controller or third parties
○ RGPD: 6.1.f) Satisfaction of legitimate interests pursued by the data controller.
Volunteer management
● Explicit consent of the person concerned
Evaluation Jury Management – Startup Competition
● (Art. 6.1.b RGPD) Existence of a contractual relationship with the data subject by means of a
contract or pre-contract.
● (Art. 6.1.a RGPD) Data subject’s consent
Integrated Agenda and Calendar Management – South Summit
● Explicit consent of the person concerned
○ RGPD: 6.1.a) Consent of the data subject. . The legal basis for sending information
relating to professional practice or professional interest and for the provision of
voluntary services is the consent you provide, which you may withdraw at any time.
● Existence of a contractual relationship with the interested party by means of a contract or precontract.
● Legitimate interest of the Data Controller or third parties
○ GDPR: 6.1.e) Processing necessary for the performance of a task carried out in the
public interest or in the exercise of official authority vested in the controller.
Integrated Attendee Management and Ticketing – South Summit
● (Art. 6.1.a RGPD) Data subject’s consent
● (Art. 6.1.b RGPD) Existence of a contractual relationship with the data subject by means of a
contract or pre-contract.
Integrated Event Management – App South Summit
● (Art. 6.1.a RGPD) Data subject’s consent
● (Art. 6.1.b RGPD) Existence of a contractual relationship with the data subject by means of a
contract or pre-contract.
Integrated Speaker Management – South Summit
● (Art. 6.1.a RGPD) Data subject’s consent
● (Art. 6.1.b RGPD) Existence of a contractual relationship with the data subject by means of a
contract or pre-contract.
South Summit uses images.
● (Art. 6.1.a RGPD) Data subject’s consent
● (Art. 6.1.b RGPD) Existence of a contractual relationship with the data subject by means of a
contract or pre-contract.
9.- RECIPIENTS OF YOUR DATA
To whom do we disclose your data within the European Union?
Occasionally, in order to comply with our legal obligations and our contractual commitment to you, we
are faced with the obligation and need to transfer some of your data to certain categories of
recipients, which we specify below:
Travel and Accommodation Booking Management – South Summit. The data may be shared with
authorized partners and suppliers for the management of reservations and the application of
discounts, always under data processor agreements that comply with the RGPD. No additional
transfers will be made unless legally required.
Startup Competition Evaluation Committee. TEAM TITO LIMITED. Company Number: 566334.
VAT Number: IE3384527RH 64 Dame Street, Dublin, Ireland D02 RT72 The partner companies
acting as a committee will have access to the South Summit platform in order to evaluate the
StartUps with the highest potential.
Cookies, pixel and tracking : Advertising and direct marketing companies
Co-organization of the South Summit 2025 event… – Co-organizers: Data may be shared
with IE University (INSTITUTO DE EMPRESA, S.L., IE UNIVERSITY and IE FOUNDATION) and
South Summit for the joint management of the event. – Providers Service providers:
Security, marketing, technology and logistics companies.- Public authorities: When required by
applicable legislation (royal house and ministry of the presidency).
• Law enforcement agencies: For the investigation of criminal offenses. – Participants
and attendees: Through lists of attendees and promotional materials from the
event. – Social networks: The data will be transferred to platforms such as Meta and Instagram. –
Collaborating companies: For the management of the event and marketing. –
Agencies of
travel: For accommodation and travel offers.
Compliance with GDPR obligations: Public Administration with competence in the matter. In the
case of notification of security breaches: Spanish Data Protection Agency.
Event Access Management – South Summit. Attendee data will not be disclosed to third parties,
unless there is a legal obligation or it is necessary to ensure the security of the event (e.g. local
authorities). In the event that an external provider is contracted to manage the access system, data
processor agreements that comply with the RGPD will be signed.
Communications and Newsletter Management. The data may be shared with South Summit
partners for the promotion of related services or activities, always under consent.
prior consent of the data subject. Technology providers in charge of the platforms for sending
newsletters, under data processor agreements in accordance with the RGPD.
Website Enquiry Management – South Summit. The data will not be disclosed to third parties,
except in case of legal obligation or in case of having the express consent of the interested party to
forward the query to collaborators or partners of South Summit for its resolution.
Management of South Summit participants: Tax Administration; Banks, savings banks and rural
banks; Public administration with competence in the matter.
Social Media Management – South Summit. Data may be shared with technology service providers
and social media platforms such as Facebook, Instagram, LinkedIn, TikTok and Twitter, according to
the privacy policies of those platforms.
Management of registered users competition. Data may be shared with South Summit partners,
such as investment funds, innovation hubs and corporations, to promote business opportunities,
always with the prior consent of the data subject. Technology service providers in charge of the
maintenance of the platform and related tools, under data processor agreements in accordance with
the GDPR.
Management of Video Surveillance in Offices and Event Facilities. The images may be
communicated, in the field of criminal charges or investigation of criminal offenses, to the State
Security Forces and Corps, Judicial Bodies, Public Prosecutor’s Office.
Volunteer Management: Social Security Agencies
Evaluation Jury Management – Startup Competition. TEAM TITO LIMITED. Company Number:
566334. VAT Number: IE3384527RH 64 Dame Street, Dublin, Ireland D02 RT72
Integrated Agenda and Calendar Management – South Summit: Entities of the South Summit
business group. The agenda data may be shared with third parties (such as other attendees with
whom the user arranges meetings) under the explicit consent of the interested party. Technology
providers in charge of maintaining the agenda management platform, always under agreements that
guarantee compliance with the RGPD.
Integrated Attendee Management and Ticket Sales – South Summit: Banks, savings banks and
rural banks. The data may be shared with suppliers in charge of ticket management, access to the
event or operational communication, always under data processor agreements in accordance with the
RGPD. In compliance with legal regulations, data may be transferred to tax authorities for the
generation of invoices and tax reports.
Integrated Event Management – App South Summit: Public Administration with competence in the
field . Company that develops the application Swapcard Corporation,
Integral Management of Speakers – South Summit. The data may be shared with design,
communication and marketing for the preparation of promotional materials related to the speakers.
Technology providers in charge of the management of the platform and planning , always under data
processor agreements in accordance with the RGPD.
South Summit use images..: Companies engaged in advertising or direct marketing . The images
may be shared with media, social networks and streaming platforms, always under the conditions of
the privacy policies of such third parties.
Integrated Attendee Management and Ticketing – South Summit
● IE UNIVERSITY (CIF: G40155384)
○ South Summit attendees or other events
■ Identifying data (Name and surname)
Do we make International Transfers of your data outside the European Union?
In the context of our data processing processes, we may use external services that involve storage
and/or processing of your data by organizations outside the European Union. This involves
international transfers of your data.
Communications and Newsletter Management
● The Rocket Science Group LLC d/b/a Mailchimp – United States
○ Guaranteed level of protection: Adequate Guarantees
○ Category of warranties: Guarantees approved by the Control Authority.
■ Standard contractual clauses.
10.- DATA PROCESSING ACTIVITIES
The data processing activities carried out through http://www.southsummit.io , are described
belowspecifying:
● Activity: Name of the data processing activity.
● Purposes: Uses and treatments carried out with the data collected.
● Legal basis: Legal basis that legitimizes the processing of data.
● Data processed: Types of data processed.
● Source: Data source.
● Retention: Data retention period.
● Recipients: Third parties to whom the data is transferred.
● International transfers: Data transfers outside the European Union.
10.1 -Treatment activities
These are those data processing activities whose purposes are necessary for the provision of
services. for the
provision of services.
Compliance with GDPR obligations
Legal basis Legal obligation for historical, statistical or scientific research purposes (GDPR: 6.1.c)
Processing necessary for compliance with a legal obligation applicable to the
controller., Law 39/2015, of October 1, of the Common Administrative
Procedure of Public Administrations, General Data Protection Regulation).
Purposes To deal with requests from citizens in the exercise of the rights established by
the General Data Protection Regulation; Data protection and privacy of
information; To process your data for the purpose of dealing with requests in
the exercise of the rights established by the General Data Protection
Regulation (art 5 GDPR) and, where appropriate, for the notification of security
breaches of personal data to the supervisory authority and data subjects
(articles 33 and 34 of the GDPR).
Categories
fro
m
data y
collectives
Customers (Identification data). Employees (Identifying data; Job details)
Data source The interested party or his legal representative
Category of
recipients
In the case of notification of security breaches: Spanish Data Protection
Agency.
International
transfer
Not foreseen
Deadline
fro
m
conservation
As long as their deletion is not requested by the data subject. The personal
data provided will be kept for as long as their deletion is not requested by the
data subject or when the data are no longer necessary – including the need to
keep them for the applicable statute of limitations – or relevant for the purpose
for which they were collected or recorded.
Event Access Management – South Summit
Legal basis (Art. 6.1.b RGPD) Existence of a contractual relationship with the data subject by
means of a contract or pre-contract.
Purposes Control the capacity of the spaces in real time to ensure security and
compliance with local regulations; Manage attendee lists to facilitate
registration and resolve possible incidents during access; Collect attendance
data for analysis and improvement of future editions of the event; Verify and
validate the access of attendees to the event through QR codes or other
registration systems.
Categories
fro
m
data y
collectives
Volunteers (Identification data). Speakers and speakers (Identifying
information). South Summit attendees or other events (Identifying
information).
Source of
data
The interested party or its legal representative; Private entity; From the
Become a Speaker form on the website; Attendees at the event as Speakers,
Partners, Investors, Speakers or Startup Members.
Category of
recipients
Attendee data will not be disclosed to third parties, unless there is a legal
obligation or it is necessary to ensure the security of the event (e.g. local
authorities). In the event that an external provider is contracted to manage the
access system, data processor agreements that comply with the GDPR will be
signed.
International
transfer
Not foreseen
Deadline
fro
m
conservation
For a period of 5 years from the last confirmation of interest. The data will be
processed and retained for as long as necessary to fulfill the purposes of
access control. Subsequently, they will be stored securely and blocked for a
period of 5 years, unless the interested party requests their deletion or there is
a legal obligation that requires their conservation.
Measures from
security -Organizational:
•Definition of internal procedures for ticket management, access and incident
resolution.
•Training for personnel in charge of access on good practices in the
management of personal data and data protection regulations.
•Assignment of clear roles and responsibilities in the access control
organization.
•Establishment of confidentiality agreements for staff or third parties handling
attendee data.
•Techniques:
•Validation of entries by means of encrypted QR codes, security and accurate
identification.
•Encryption of data in transit (HTTPS) and at rest (AES-256) to information
stored on access systems.
•Multifactor authentication system for employees with access to ticket
management platforms.
•Logging of activity in the system to audit access and prevent misuse of data.
•Regular backups of data related to logins and accesses, stored on secure
servers.
•Physical:
•Physical access control in registration areas and ticket control systems,
including surveillance and security measures at the event site.
•Secure storage of devices and documents related to access management.
Event Partner Management and Content Production
Legal basis (Art. 6.1.b RGPD) Existence of a contractual relationship with the data subject by
means of a contract or pre-contract.
Purposes Coordination of tasks and responsibilities in the production of events;
Management of the relationship with speakers and programming of contents;
Supervision of the development and fulfillment of production objectives.
Categories
fro
m
data y
collectives
Registered Users / South Summit App Users (Identification data).
Customers (Identifying data). Employees (Identifying data). Speakers and
speakers (Identifying information). South Summit attendees or other events
(Identifying information; Personal characteristics; Employment details;
Economic, financial and insurance details; Commercial information; Credit
information). Registered users competition (Identifying information)
Data source The interested party or its legal representative; Private entity; From the
Become a Speaker form on the website; Attendees at the event as Speakers,
Partners, Investors, Speakers or Startup Members.
Category of
recipients
Not foreseen
International
transfer
Not foreseen
Deadline
fro
m
conservation
As long as the commercial or contractual relationship is maintained. The data
will be kept as long as they are necessary to fulfill the purposes of the
treatment, respecting the principles of minimization and limitation of
conservation. Subsequently, they will be deleted or anonymized.
Measures
m
easures
•Information Security Policy (ISP): Implement and keep updated a security
policy adapted to legal regulations and the needs of the company.
•Access Control: Restricted access to personal data through multi-factor
authentication (MFA) and role-based permissions.
•Data Encryption: Use of encryption during data transmission and storage
(HTTPS, disk encryption).
•Training and Awareness: Regular training for employees on good practices
in data protection and information security.
•Activity Log: Maintenance of a detailed record of accesses and modifications
to data.
South Summit participant management
Legal basis (Art. 6.1.b RGPD) Existence of a contractual relationship with the data subject by
means of a contract or pre-contract; (Art. 6.1.f RGPD) Legitimate interest of the
Data Controller or of third parties
Purposes The personal data collected will be processed for the purpose of managing the
relationship derived from this contract.To allow effective and active participation
in the sections and activities of South Summit to which it conforms; To process
the consideration for the services and activities that the participant will enjoy at
South Summit; Reciprocal use of the distinctive signs and trademarks owned by
the participant and the company; Organization of South Summit as a global
physical meeting in Madrid, connecting the different poles of global innovation,
and connecting the main actors of national and international innovation with
physical networking and through the digital platform. South Summit becomes a
365 connection platform, with meetings throughout the year both face-to-face
and digital to continue connecting the key players in the innovation ecosystem
and enhancing the best of both worlds. This omnichannel format will be
developed both virtually and in person as circumstances dictate or the
convenience of the format chosen for each section.
Data
categories y
collectives
Customers (Identification data)
Data source The interested party or its legal representative
Category of
recipients
Administration Tax Administration; Banks, banks of banks, savings
banks and rural banks; public administration with competence in the matter.
International
transfer
Not foreseen
Deadline of
conservation
For a period of 6 years from the last confirmation of interest. Once the
relationship is terminated and not linked to other matters, it is retained for a
minimum period of 6 years, in accordance with the Commercial Code and tax
and fiscal regulations.
Measures of
security Relevant security measures have been implemented to mitigate the existing risk.
In any case, the security measures of Article 32 of the GDPR shall apply:
1. The ability to ensure the ongoing confidentiality, integrity, availability and
resilience of processing systems and services.
2. The ability to restore availability and access to personal data quickly in
the event of a physical or technical incident.
3. A process of regular verification, evaluation and assessment of the
effectiveness of technical and organizational measures to ensure the
security of processing.
4. Pseudonymization and encryption of personal data.
Video Surveillance Management in Offices and Event Facilities
Legal basis Legitimate interest of the Data Controller or third parties (GDPR: 6.1.f) Satisfaction
of legitimate interests pursued by the Data Controller)
Purposes To control access and prevent security incidents in all facilities; To ensure the
safety of people, property and infrastructure in South Summit offices and
facilities; To provide security during the organization and development of
events in temporary venues; To provide recordings to the competent
authorities in case of incidents or investigations.
Categories
fro
m
data y
collectives
Employees (Identification data). Visitors (Identification data)
Data source The interested party or its legal representative
Category of
recipients
The images may be communicated, within the scope of criminal charges or
investigation of criminal offenses, to the State Security Forces and Corps,
Judicial Bodies, Public Prosecutor’s Office, etc.
International
transfer
Not foreseen
Deadline
fro
m
conservation
For a period of 1 month from the last confirmation of interest. The recordings
will be kept for a maximum period of 1 month from their capture, unless they
are required for the resolution of incidents the competent authorities. In the
event that a recording is necessary for the investigation or defense of legal
rights, it may be blocked and retained for the legally established period of time.
Safety
measures
fro
m •Organizational:
•Implementation of internal policies to regulate the use of video surveillance
systems in offices and events, ensuring that access to recordings is
exclusively for authorized personnel.
•Visible signs in all monitored areas (offices and temporary event ) informing
data subjects about the existence of cameras and the processing of images in
accordance with the GDPR.
•Supervision by a designated manager to ensure that the recordings are used
for security purposes only.
•Training of personnel in charge on applicable regulations and the proper use
of video surveillance systems.
•Techniques:
•Configuration recording systems with secure storage and encryption (AES256).
•Use of multifactor authentication to access video surveillance , limiting
access to authorized personnel only.
•Programming for automatic deletion of recordings after the storage period (1
month) has expired.
•Monitoring and auditing of access to video surveillance systems to ensure
traceability.
•Storage of recordings on secure servers, preferably ISO 27001 certified,
located within the EEA.
•Physical:
•Strategic installation of cameras in common areas, accesses,
loading/unloading areas and sensitive areas, avoiding the capture of images in
private spaces (such as restrooms or locker rooms).
•Physical protection of recording devices by means of restricted access
(security locks, physical surveillance).
•Access control to monitored areas (offices and events) to minimize risks
related to recordings.
Travel and Lodging Reservation Management – South Summit
Legal basis (Art. 6.1.a RGPD) Consent of the data subject; (Art. 6.1.b RGPD) Existence of a
contractual relationship with the data subject through a contract or precontract.
Purposes Coordinate with partners and suppliers the management of reservations and
discounts to facilitate attendance to the event; Provide information and
exclusive travel, accommodation and transportation offers to event attendees;
Promote exclusive agreements with partners related to travel and
accommodation services; Perform a personalized follow-up of the requests
received through the web landing.
Categories
fro
m
data y
collectives
Ecommerce customers (Identifying data). People who access and contact
through the web (Identifying data). Registered users / South Summit App
users (Identifying data). Potential customers (Identifying data). South
Summit attendees or other events (Identifying information; Employment
details). Registered users competition (Identifying information)
Source of
data
The interested party or their legal representative; People who contact us
through the web forms such as Become an Ambassador, Suggest a Speaker,
Suggest Ideas, and Contact Us; Event attendees such as Speakers, Partners,
Investors, Speakers or Startup Members.
Category of
recipients
The data may be shared with authorized partners and suppliers for the
management of reservations and the application of discounts, always under
data processor agreements that comply with the RGPD. No additional
transfers will be made unless legally required.
International
transfer
Not foreseen
Deadline
fro
m
conservation
For a period of 5 years from the last confirmation of interest. The data will be
kept for as long as there is a contractual or commercial relationship with the
data subject or until he/she exercises his/her right of deletion. In case of
revocation of consent, the data will be blocked and kept exclusively for the
defense of legal or contractual claims, for the periods established by the
regulations.
Safety
measures
fro
m •Organizational:
•Implementation of internal policies that limit access to data to authorized
personnel and travel and accommodation management partners only.
•Obtaining the explicit consent of the interested party during the registration
process on the landing page.
•Signing confidentiality agreements with partners and suppliers that manage
personal data to ensure compliance with the GDPR.
•Training of the personnel in charge on data protection regulations and good
practices in the management of personal data.
•Techniques:
•Encryption of data in transit (HTTPS) and at rest (AES-256) to personal
information sent through the landing and during communications with partners.
•Use of secure request management systems with multifactor authentication.
•Logging and auditing of access to personal data to ensure traceability and
prevent misuse.
•Automatic backups stored on secure ISO 27001 certified servers.
•Physical:
•Storage of related physical documents (if applicable) in restricted areas with
controlled access.
•Control of physical access to the devices used to manage requests.
•Secure disposal of physical documents once the processing purposes have
been fulfilled, by means of certified shredding.
Startup Competition Evaluation Committee
Legal basis (Art. 6.1.b RGPD) Existence of a contractual relationship with the data subject by
means of a contract or pre-contract; (Art. 6.1.a RGPD) Consent of the data
subject
Purposes Coordinate online discussion sessions to select the finalist projects; Send
emails with the links to register on the platform and the schedule of sessions;
Evaluate the shortlisted projects through the evaluation platform; Manage the
access of the committee members to the platform and to the startups’ data;
Invite corporations, investment and institutions to participate in the evaluation
committee; Coordinate the evaluation of the projects through the evaluation
platform.
Categories
fro
m
data y
collectives
Evaluation Committee (Identifying data; Other categories)
Data source The interested party itself or its legal representative; Private entity
Category of
recipients
TEAM TITO LIMITED. Company Number: 566334. VAT Number:
IE3384527RH 64 Dame Street, Dublin, Ireland D02 RT72 The partner
companies acting as a committee will have access to the South Summit
platform in order to evaluate the StartUps with the highest potential.
International
transfer
Not foreseen
Deadline
fro
m
conservation
As long as the business relationship is maintained. The data will be retained
for the time necessary for the organization and management of the evaluation
process, after the end of the business relationship, the data will be retained for
a minimum of six years in accordance with the Commercial Code and tax and
fiscal regulations. The evaluators’ access to the platform will be enabled for a
limited period of three weeks after the end of the evaluation process.
Safety
measures
fro
m •Organizational:
•Establishment of confidentiality agreements with the members of the
evaluation committee to ensure the proper treatment of the data of
participating startups.
•Periodic review of access to the evaluation platform to prevent unauthorized
access.
•Data classification and disposal policy after completion of assessment to
ensure compliance with the minimization principle.
•Specific training for platform managers and committee members on the
processing of personal data and applicable regulations.
•Techniques:
•Multifactor authentication for access to the evaluation platform.
•Encryption of data in transit (HTTPS) and at rest (AES-256) to protect startup
information and evaluations performed.
•Activity log in the platform to audit the actions performed by the evaluators.
•Restriction of access to data only to the authorized period of three weeks after
the end of the evaluation sessions.
•Periodic data backup to prevent the loss of key information during the
evaluation process.
•Physical:
•Security in the offices where information is accessed, including physical
access controls (locked doors, surveillance).
•Use of secure servers located in data centers with international certifications
such as ISO 27001.
Cookies, pixel and tracking
Legal Basis (Art. 6.1.a RGPD) Data subject’s consent
Purposes Sharing information on social networks. «Fav», «Like», «+1» and similar buttons;
Obtain statistical data on users’ browsing, identify problems and analyze their
preferences; Transmission of video and maps from third parties. A function or
add-on provided by a third party establishes a direct connection between the
user’s browser and Internet domains owned by the third party, allowing the
function to be downloaded and executed.
Categories
fro
m
data y
collectives
Persons accessing and contacting through the web (Commercial
information; Other categories)
Data source The interested party or their legal representative; People who contact us
through the web forms such as Become an Ambassador, Suggest a Speaker,
Suggest Ideas, and Contact Us.
Category of
recipients
Companies engaged in advertising or direct marketing
International
transfer
Not foreseen
Deadline
fro
m
conservation
You should access our cookie policy to know the retention time of each cookie
as well as the information that has been collected.
Measures of
security Relevant security measures have been implemented to mitigate the existing
risk. In any case, the security measures of Article 32 of the GDPR shall apply:
1. The ability to ensure the ongoing confidentiality, integrity, availability
and resilience of processing systems and services.
2. The ability to restore availability and access to personal data quickly in
the event of a physical or technical incident.
3. A process of regular verification, evaluation and assessment of the
effectiveness of technical and organizational measures to ensure the
security of processing.
4. Pseudonymization and encryption of personal data.
Co-organization of the South Summit 2025 event.
Legal
basis
(Art. 6.1.a GDPR) Consent of the data subject; (Art. 6.1.b GDPR) Existence of a
contractual relationship with the data subject by means of a contract or precontract; (Art. 6.1.e GDPR) Performance of a public task or exercise of public
powers conferred on the Controller
Communication and marketing purposes: To send event-related information, updates, news and
promotional materials. This includes sending emails and other messages to keep
attendees informed about event details and any important changes or
developments; Event access control: To manage access for participants,
volunteers and speakers. This ensures that only authorized persons can enter
certain areas of the event; GDPR compliance: Handling requests to exercise
rights under the GDPR and notifying security breaches. This involves handling
participants’ requests related to their personal data and notifying any security
breaches to the relevant authorities; Surveys and feedback: Collect opinions and
suggestions from participants to improve future events. After the event, surveys
will be sent out to get feedback from attendees on what they liked and what
could be improved; Participant management: Enabling participation in South
Summit activities and sections. This includes coordinating the activities in which
participants can get involved and making sure everyone has the information they
need to actively participate; Registered user management: Facilitating ecommerce and business opportunities for partners. This includes enabling
startups and other companies to interact and do business during the event and
through the event platform; Event organization and management: Coordinate
and execute all activities related to the planning and execution of the event. This
includes making sure that all parts of the event run smoothly, such as scheduling
activities, coordinating speakers and general logistics; Registration and access
control: Manage registrations, accreditations and tickets to the event. This means
registering everyone who will be attending the event, making sure they have the
correct credentials, and controlling who enters and leaves the event venue;
Streaming and recording sessions: Live streaming and recording keynotes and
event activities. This allows people who cannot attend in person to view the
presentations and activities online and make the recordings available for later
viewing; Use of images: Record and stream the event presentations, and display
images on the web and social media. This involves taking photos and videos of
the event and sharing them online for promotion and coverage of the event;
Video surveillance of the facilities: Ensure the security of people, goods and
facilities through video surveillance. This means that security cameras will be
used to monitor the event site and ensure the protection of all those present.
Data
categories y
collectives
Registered Users / South Summit App Users (Identifying Data; Commercial
Information). Employees (Identifying data). Visitors (Identifying information).
Volunteers (Identifying information; Personal characteristics). Speakers and
speakers (Identifying information; Employment details; Other categories).
Attendees South Summit or other events (Identifying information; Personal
characteristics; Employment details; Economic, financial and insurance details;
Commercial information; Credit information). Registered users competition
(Identifying information)
Data source The interested party or its legal representative; Private entity; From the Become
a Speaker form on the website; Attendees at the event as Speakers, Partners,
Investors, Speakers or Startup Members.
Category of
recipients
• Co-organizers: The data may be shared with IE University
(INSTITUTO DE EMPRESA, S.L., IE UNIVERSIDAD and FUNDACIÓN
IE) and South Summit for the joint management of the event. – Service :
Security, marketing, technology and logistics companies. –
Public authorities: When required by applicable legislation (royal house
and ministry of the presidency). – Law enforcement
agencies: For the investigation of criminal offenses. –
Participants and attendees: Through attendee lists and event promotional
materials. – Social networks Social networks: The
data will be transferred to platforms such as
Meta and Instagram. – Collaborating companies: For the
management of the event and marketing. – Travel agencies
Travel agencies: For accommodation and travel
offers.
International
transfer
Not foreseen
Deadline of
conservation
• Registration and contact details: These will be kept for 5 years
from the last confirmation of interest. Images
and recordings: Will be retained according to the policies of the
social media platforms used and for historical and promotional purposes of the
event.<br /> <br /> – Images and recordings.
• Transactional data: Will be kept for 5 years according to the
applicable tax and accounting regulations.<br /> – Data of
video surveillance: 1 month from the date of recording.<br /> –
Compliance with RGPD obligations: As long as their deletion is not requested by
the data subject.<br /> <br /> – Access control: 5 years from the last
confirmation of interest.<br /> – Participant management: 6 years according to
the Code of Commerce and tax and fiscal regulations.<br /> <br /> –
Management of registered users: 6 years from the last
confirmation of interest.<br /> <br /> – Management of registered users: 6 years
from the last confirmation of interest.
Measures of
security In accordance with Article 32 of the RGPD and considering 83 RGPD, the
following technical and organizational measures will be implemented to ensure a
level of security appropriate to the risk:
•Pseudonymization and encryption of personal data: Use of encryption
techniques to protect data during transmission and storage.
•Confidentiality, integrity and availability: Implementation of access controls,
firewalls and intrusion detection systems to protect information.
•Data restoration: Ability to quickly restore availability and access to personal
data in the event of a physical or technical incident.
•Regular evaluations: Continuous process of verification, evaluation and
assessment of the effectiveness of technical and organizational measures to
ensure the security of processing.
•Protection against unauthorized access: use of multifactor authentication and
role-based access permissions
Communications and Newsletter Management
Legal Basis (Art. 6.1.a RGPD) Data subject’s consent
Purposes Send informative newsletters about the South Summit ecosystem (events,
speakers, startups and opportunities); Generate business opportunities
through contact between participants and partners; Promote events,
conferences and competitions organized by South Summit; Provide
promotional information about services, activities and offers of South Summit
and its partners; Carry out segmented campaigns according to specific
interests or professional sectors.
Categories
fro
m
data y
collectives
Subscribers (Identification data)
Data source The data is collected when the subscriber enters his/her e-mail address in the
registration form of our newsletter on the website.
Category of
recipients
The data may be shared with South Summit partners for the promotion of
services or related activities, always with the prior consent of the data subject.
Technology providers in charge of the newsletter delivery platforms, under
data processor agreements in accordance with the GDPR.
International
transfer
The Rocket Science Group LLC d/b/a Mailchimp – United States (Mass
emailing platform) – Adequate Warranties
Deadline
fro
m
conservation
As long as their deletion is not requested by the interested party. The data will
be kept as long as the interested party maintains his/her interest in receiving
communications. In case of inactivity or revocation of consent, the data will be
deleted within a maximum period of 1 year, unless legally required to be
retained.
Measures from
security -Organizational:
•Implementation of a consent management system to verify and record the
explicit authorizations of the interested parties.
•Internal policies for safe and appropriate segmentation of distribution lists.
•Periodic training for personnel in charge of managing communications on
applicable regulations and good data protection practices.
•Regular internal audits to verify compliance with GDPR and data use policies.
•Techniques:
•Use of certified and RGPD-compliant email marketing platforms, such as
Mailchimp or equivalent.
•Encryption of data in transit (HTTPS) and at rest (AES-256).
•Multifactor authentication for those responsible for accessing the newsletter
management platforms.
•Access monitoring and activity logging to ensure traceability.
•Configuration of automated unsubscribe options in each communication sent.
•Physical:
•Restricted access to devices used for communications at South Summit
offices.
•Secure disposal of physical documents related to distribution through certified
shredding.
Query Management Website – South Summit
Legal basis Explicit consent of the data subject
Purposes To channel ideas, suggestions and proposals to improve the services and
activities of the organization; To respond to requests received through web
forms, such as Become an Ambassador, Suggest a Speaker, Suggest Ideas
and Contact Us; To manage and register inquiries from users interested in
collaborating or participating in South Summit activities; To provide support
and information related to the services and events organized by South Summit.
Categories
fro
m
data y
collectives
Persons accessing and contacting through the web (Identifying data;
Employment details; Other categories)
Data source The interested party or their legal representative; People who contact us
through the web forms such as Become an Ambassador, Suggest a Speaker,
Suggest Ideas, and Contact Us.
Category of
recipients
The data will not be disclosed to third parties, except in case of legal obligation
or in case of having the express consent of the interested party to forward your
query to collaborators or partners of South Summit for resolution.
International
transfer
Not foreseen
Deadline
fro
m
conservation
As long as the commercial or contractual relationship is maintained. The data
will be kept for as long as there is a contractual and/or commercial relationship
with the data subject, or as long as their deletion is not requested. After the
termination of the relationship, the data will be blocked and will remain
available only for the exercise or defense of legal or contractual claims, during
the applicable statute of limitations. Once these periods have expired, the data
will be securely deleted.
Safety
measures
fro
m •Organizational:
•Establishment of internal policies for the correct classification and treatment of
queries.
•Periodic training of the personnel in charge on query management and
compliance with data protection regulations.
•Regular monitoring and auditing of the processing system to ensure the
correct use of personal data.
•Internal procedures for blocking and deleting data in accordance with
established deadlines.
•Techniques:
•Encryption of data in transit (HTTPS) and at rest (AES-256) to protect the
information sent through the forms.
•Role-based authentication and access permissions system to ensure that only
authorized personnel handle queries.
•Implementation of incident detection and response systems to prevent
unauthorized access or data leaks.
•Activity log in the system to audit actions taken on query data.
•Physical:
•Storage of servers in protected data centers with restricted access and
physical security measures (ISO 27001 certifications).
•Implementation of security measures in the offices, such as limited access to
devices that manage the consultation system.
Social Media Management – South Summit
Legal basis Explicit consent of the data subject (RGPD: 6.1.a) Consent of the data subject. )
Purposes Create and publish promotional, informational and engagement content on
social networks; Identify trends and opportunities through the analysis of
interaction data; Interact with followers through responses to comments, direct
messages and mentions; Monitor statistics and metrics to improve social
media strategy and encourage community participation; Promote South
Summit’s activities, events and services.
Categories
fro
m
data y
collectives
Followers (Identifying data)
Data source The interested party or its legal representative
Category of
recipients
Data may be shared with technology service providers and social media
platforms such as Facebook, Instagram, LinkedIn, TikTok and Twitter,
depending on the privacy policies of those platforms.
International
transfer
Not foreseen
Deadline
fro
m
conservation
As long as their deletion is not requested by the interested party. Personal data
will be processed for as long as they are necessary or relevant for the stated
purposes. If the data subject requests deletion, the data will be blocked in
accordance with the GDPR, for a maximum period of three years, for their
availability in case of legal requirements by judges, courts or competent
authorities. Statistics and metrics records will be kept anonymized for analysis
and improvement of future strategies.
Safety
measures
fro
m •Organizational:
•Implementation of internal policies to regulate the use of social networks,
ensuring compliance with the GDPR and personal data protection.
•Training of personnel in charge of managing social networks on best practices
and data protection regulations.
•Registration of access and roles assigned to the team in charge of managing
social networks to prevent unauthorized access.
•Internal monitoring and approval of publications to ensure that sensitive
personal data is not included without prior consent.
•Techniques:
•Use of certified tools for centralized management of social networks, with
encryption in transit (HTTPS).
•Access restriction through multi-factor authentication on all social network
accounts.
•Monitoring of access and activities on the platforms to traceability and detect
possible incidents.
•Regular backups of created content and statistics on secure ISO 27001
certified servers.
•Physical:
•Control of physical access to devices used to manage social networks,
including measures such as automatic blocking and biometric authentication.
•Secure storage of materials related to social media campaigns (images,
videos, etc.) in restricted areas.
Management of Participation Requests – Partner with Us / Get Your Stand
Legal basis (Art. 6.1.a RGPD) Consent of the interested party
Purposes To manage requests to collaborate as partners or exhibitors in the event; To
inform companies about the types of stands, rates and services available to
participate in South Summi; To offer personalized attention and resolve doubts
related to participation in the event; To register and follow up on inquiries
received in order to convert them into commercial agreements.
Categories
fro
m
data y
collectives
Customers ( identifying data; Job details; Other categories).
Potential (Identifying data; Job details; Other categories)
Data source The interested party or its legal representative
Category of
recipients
Not foreseen
International
transfer
Not foreseen
Deadline
fro
m
conservation
The data will be kept for as long as the interested party maintains his/her
interest in participating in the event or until he/she requests its deletion. In the
event that the applicant becomes a customer or collaborator, the data will be
retained in accordance with the policies applicable to the business relationship.
If a business relationship is not established, the data will be deleted or
anonymized no later than 1 year after the last interaction, unless legally
required to be retained.
Safety
measures
fro
m •Organizational:
•Internal procedures to classify and prioritize requests according to their nature
and commercial potential.
•Definition of clear roles in the commercial team to manage requests and
protect the personal data collected.
•Training to the personnel in charge on good practices in the handling of
requests and the processing of personal data in accordance with the GDPR.
•Regular audits to ensure the correct application of security and the traceability
of requests handled.
•Techniques:
•Use of a secure CRM system to record, manage and track requests.
•Encryption of data in transit (HTTPS) and at rest (AES-256) to personal and
business information collected.
•Multifactor authentication for access to the application management system.
•Copies of backup backups stored on servers
ISO 27001 certified servers.
•Logging and monitoring of activities performed in the CRM to prevent
improper access or misuse of data.
•Physical:
•Secure storage of any physical documents generated in the management of
requests, with restricted access.
•Physical access control to devices used to manage applications, including
automatic locking and biometric authentication at South Summit offices.
Management of registered users competition
Legal basis (Art. 6.1.a RGPD) Consent of the data subject; (Art. 6.1.b RGPD) Existence of
a contractual relationship with the data subject through a contract or precontract.
Purposes Facilitate the registration and access of startups, partners and investors to the
Startup Competition platform; Manage the registration of startups in the
competition and associated services; Provide technical support to users and
resolve incidents during the registration and evaluation process; Enable
contact between competition participants and South Summit partners to
generate business opportunities; Promote the participation of users in future
events and competitions organized by South Summit.
Categories of
data y
collectives
Registered users competition (Identification data)
Data source The interested party or its legal representative
Category of
recipients
Data may be shared with South Summit partners, such as investment funds,
innovation hubs and corporations, to promote business opportunities, always
with the prior consent of the data subject. Technology service providers in
charge of the maintenance of the platform and related tools, under data
processor agreements in accordance with the GDPR.
International
transfer
Not foreseen
Deadline
fro
m
conservation
For a period of 6 years from the last confirmation of interest. The data will be
processed until the user shows his opposition to the processing, exercises his
right to erasure or limitation of processing, or for the periods necessary to
comply with legal obligations (e.g. tax or commercial). Data related to the
registration and evaluation of startups will be retained as long as necessary for
the purpose of the competition and its further promotion.
Safety
measures
fro
m •Organizational:
•Implementation of restricted access policies, ensuring that only authorized
personnel have access to the recorded data.
•Periodic audits of data processing to ensure compliance with regulations and
prevent unauthorized access.
•Ongoing staff training on the proper management of personal data and legal
obligations under the GDPR.
•Use of a consent management system to verify and store explicit user
authorizations.
•Techniques:
•Encryption of data in transit (HTTPS) and at rest (AES-256) to personal
information.
•Implementation of multi-factor authentication (MFA) for access to the
registered user management platform.
•Monitoring and logging of activities on the platform to detect improper access
or security incidents.
•Periodic backups and storage in servers with security certifications (ISO
27001).
•Limiting access to sensitive data through role-based permissions.
•Physical:
•Storage of servers in data centers protected by physical security measures,
such as 24/7 surveillance, biometric access controls and electrical redundancy.
•Secure disposal of physical documents related to registration and competition,
through certified shredding.
Volunteer management
Legal basis Explicit consent of the data subject
Purposes Support in the area of accreditations, logistics and access to the venue; Assign
tasks and schedules to volunteers during the event; Provide support to
startups, speakers and investors in the framework of the Marketplace and in
meetings; communication with volunteers before, during and after the event for
organizational issues; Ensure occupational risk prevention for volunteers
during their collaboration in the event; Provide information to visitors and
coordinate flows in the venue.
Categories
fro
m
data y
collectives
Volunteers (Identification data; Personal characteristics)
Data source The interested party or his legal representative
Category of
recipients
Social Security Agencies
International
transfer
Not foreseen
Deadline
fro
m
conservation
For a period of 5 years from the last confirmation of interest. The data will be
processed and kept for as long as they are necessary for the purposes
foreseen in the management of the event. 5 years after the last interaction or
collaboration of the volunteer, the data will be securely deleted, unless there is
a legal obligation to keep them.
Safety
measures
fro
m •Organizational:
•Creation of specific internal policies for the management of volunteer data,
limiting access to authorized personnel only.
•Obtaining explicit consents during the volunteer registration process, detailing
the specific purposes of the processing of their data.
•Signing of confidentiality agreements by volunteers in case of access to
sensitive information of the event (startups, investors, etc.).
•Training for the management team and volunteers on data protection
regulations and their responsibilities during the event.
•Techniques:
•Use of secure systems for volunteer data management, including digital
platforms with multi-factor authentication and encryption (AES-256).
•Encryption of data in transit (HTTPS) to protect information exchange
between systems.
•Logging and auditing of access to the volunteer management system to
ensure traceability.
•Periodic backups of data, stored on ISO 27001 certified servers.
•Physical:
•Storage of physical documents (such as signed agreements) in restricted
access areas.
•Access control to devices and areas where volunteers’ personal data is
managed.
•Secure disposal of physical documents, through certified shredding, once the
processing purposes have been fulfilled.
Evaluation Jury Management – Startup Competition
Legal basis (Art. 6.1.b RGPD) Existence of a contractual relationship with the data subject by
means of a contract or pre-contract; (Art. 6.1.a RGPD) Consent of the data
subject
Purposes Send invitations and coordinate the participation of jury members, indicating
dates and sessions; Manage jury registration requests received through the
«Become a Jury» form; Maintain communication with jury members to inform
them about activities related to the competition; Organize and facilitate the
evaluations of the 100 selected startups through the South Summit platform;
Organize and facilitate the evaluations of the 100 selected startups through the
South Summit platform.
Categories of
data y
collectives
Jury (Identifying data; Other categories; Job details)
Data source The interested party itself or its legal representative; Private entity
Category of
recipients
TEAM TITO LIMITED. Company Number: 566334. VAT Number: IE3384527RH
64 Dame Street, Dublin, Ireland D02 RT72
International
transfer
Not foreseen
Deadline
fro
m
conservation
As long as the business relationship is maintained. The personal data of the
jury members will be processed as long as there is a contractual or
collaborative relationship with South Summit. At the end of the relationship, the
data will be blocked and kept for a minimum period of 6 years in accordance
with the Commercial Code and tax and fiscal regulations. The data related to
the evaluations will be anonymized once the organizational and legal purposes
have been fulfilled.
Safety
measures
fro
m •Organizational:
•Internal procedures to ensure that only authorized personnel have access to
the information of jurors and evaluated startups.
•Signing of confidentiality agreements by jury members to protect information
about the projects evaluated.
•Training for jury management staff on GDPR compliance and obligations
related to data processing.
•Recording and documenting activities related to the processing of juror data,
including invitations and evaluations.
•Techniques:
•Use of secure and certified platforms for the management of evaluations and
jurors’ personal data.
•Encryption of data in transit (HTTPS) and at rest (AES-256).
•Implementation of multifactor authentication for access to the project
evaluation .
•Monitoring and logging of access and activities performed on the platform to
ensure traceability.
•Daily backups of stored information, with fast recovery in case of incidents.
•Physical:
•Storage of any physical documents related to the jury in restricted access
areas.
•Use of access control systems in the areas where data from the jury and the
evaluated startups are managed.
•Secure disposal of physical documents through certified shredding.
Comprehensive Agenda and Schedule Management – South Summit
Legal basis Explicit consent of the data subject (GDPR: 6.1.a) Consent of the data subject. );
Existence of a contractual relationship with the data subject by contract or precontract; Legitimate interest of the Controller or third parties (GDPR: 6.1.e)
Processing necessary for the performance of a task carried out in the public
interest or in the exercise of official authority vested in the controller).
Purposes Appointment and agenda control; Coordination and reminder of scheduled
meetings within the South Summit; Generation of personalized calendars
based on preferences and profile; Management of personalized agendas of
event participants; Organization of appointments and meetings between
attendees, investors, startups and exhibitors; Planning of selected activities in
the event program.
Categories
fro
m
data y
collectives
Persons accessing and contacting through the web (Identification data).
Customers (Identification data). Employees (Identification data)
Source of
data
The interested party or their legal representative; People who contact us
through the web forms such as Become an Ambassador, Suggest a Speaker,
Suggest Ideas, and Contact Us.
Category of
recipients
Entities of the corporate group; The agenda data may be shared with third
parties (such as other attendees with whom the user agrees meetings) under
the explicit consent of the person concerned. Technology providers in charge
of maintaining the agenda management platform, always under agreements
that ensure compliance with the RGPD.
International
transfer
Not foreseen
Deadline
fro
m
conservation
As long as their deletion is not requested by the interested party. Personal
data will be kept for the duration of the event and a maximum period of 2 years
to maintain the business relationship with the person concerned, unless their
deletion is requested earlier or there is a legal obligation to keep them.
Safety
measures
fro
m •Organizational:
•Definition and enforcement of role-based access policies to ensure that only
authorized users access the address book data.
•Regular audits of the use and management of the agenda to identify possible
gaps or errors.
•Ongoing staff training on security measures, data management and GDPR
compliance.
•Recording and documentation of all processing activities related to diary
management.
•Techniques:
•Implementation of multifactor authentication for access to the agenda
management platform.
•End-to-end encryption of data in transit (HTTPS) and at rest (AES-256).
•Use of cloud servers with up-to-date security certificates and compliance with
standards such as ISO 27001.
•Constant monitoring of access and activities in the system to detect possible
misuse.
•Automatic backups to ensure data recovery in case of incidents.
•Physical:
•Physical access control in the data centers that house the servers, including
24/7 surveillance, alarm systems and biometric authentication.
•Clean desk» policies and secure disposal of physical documents related to
event planning.
Integrated Attendee Management and Ticketing – South Summit
Legal basis (Art. 6.1.a RGPD) Consent of the data subject; (Art. 6.1.b RGPD) Existence of
a contractual relationship with the data subject through a contract or precontract.
Purposes To control access to the event through digital systems (QR codes or
equivalent; To comply with legal and fiscal obligations associated with ticket
sales; To send operational information about the event (location, schedules,
updates); To provide statistics on participation in the event to improve future
editions; To manage the purchase of tickets through the South Summit
website; To process and respond to requests for special passes such as the
Investor Pass or Press Pass.
Categories
fro
m
data y
collectives
Speaker and speakers (Identifying information). South Summit attendees or
other events (Identifying information; Economic, financial and insurance
information; Credit information; Personal characteristics; Employment details).
Data source The interested party or its legal representative; Private entity; From the
Become a Speaker form on the website; Attendees at the event as Speakers,
Partners, Investors, Speakers or Startup Members.
Category of
recipients
Banks, savings banks and rural banks; Data may be shared with suppliers in
charge of ticket management, access to the event or operational
communication, always under processor agreements in accordance with the
RGPD. In compliance with legal regulations, data may be transferred to tax
authorities for the generation of invoices and tax reports.
IE UNIVERSITY (CIF: G40155384);
International
transfer
Not foreseen
Deadline
fro
m
conservation
For a period of 5 years from the last confirmation of interest. The data will be
processed and kept for as long as they are necessary for the purposes for
which they were collected. If the data subject revokes his/her consent, the data
will be deleted within a maximum period of 1 year, unless legally required to be
retained (e.g. tax regulations). Access logs will be deleted at the end of the
legal retention period of 5 years.
Safety
measures
fro
m •Organizational:
•Definition of roles and access permissions in management systems to ensure
that only authorized personnel have access to data.
•Regular audits to verify compliance with security policies and data protection
regulations.
•Continuous training to the personnel in charge on personal data management
and GDPR regulations.
•Logging of all operations performed in the ticketing and attendant
management systems.
•Techniques:
•Use of secure and certified e-commerce platforms, compatible with the RGPD.
•Encryption of data in transit (HTTPS) and at rest (AES-256).
•Implementation of multifactor authentication to access sales and access
management platforms.
•Monitoring of access and logging of activities in the systems to ensure
traceability of operations.
•Periodic backup of data stored on servers certified with international
standards such as ISO 27001.
•Physical:
•Storage of servers in data centers protected by restricted access, 24/7
surveillance and biometric controls.
•Physical access control to offices and devices where sensitive data related to
attendees is processed.
Integrated Event Management – App South Summit
Legal basis (Art. 6.1.a RGPD) Consent of the data subject; (Art. 6.1.b RGPD) Existence of a
contractual relationship with the data subject through a contract or pre-contract.
Purposes Agenda. Calendar with the South Summit events; Sending direct messages
between all the attendees to the event. Exhibitors. List of companies with
booths as well as their contact information and the person in charge. Video calls
from the messages section with the people with whom a conversation has been
opened; My Event. Events that each user has marked and meetings with other
users; My QR. QR code that allows the accreditation to access the event;
Networking. List of all attendees to be able to contact them. Speakers. Access
to the profile of each Speaker where you can connect with their RRSS and
companies; Start Up competition. List of the companies participating in the
competition, their contact details and company videos. Possibility to open direct
message with the company.
Categories of
data y
collectives
Registered users / South Summit App users (Identifying information;
Commercial information). South Summit attendees or other events
(Identifying information; Employment details; Commercial information).
Data source The interested party itself or its legal representative; Attendees to the event as
Speakers, Partners, Investors, Speakers or Startup Members.
Category of
recipients
Public administration with competence in the matter; Company that develops the
Swapcard Corporation application,
International
transfer
Not foreseen
Deadline of
conservation
As long as the business relationship is maintained. The data will be kept as long
as the user keeps his account active and does not request the deletion of the
data. Once the event is over, the data will be deleted within a maximum period
of 2 years, unless there is a legal obligation to keep it.
Measures from
security -Organizational:
•Access control through multifactor authentication.
•Specific training for personnel in data protection.
•Periodic audits on application security.
•Techniques:
•Data encryption in transit (HTTPS) and at rest.
•Pseudonymization of data to minimize risks.
•Implementation of security incident detection and response systems.
•Physical:
•Security of the physical servers where the data is hosted.
Integrated Speaker Management – South Summit
Legal basis (Art. 6.1.a RGPD) Consent of the data subject; (Art. 6.1.b RGPD) Existence of a
contractual relationship with the data subject through a contract or precontract.
Purposes Coordinate schedules and plan the participation of speakers in the event;
Respond to requests received from the «Become a Speaker» form on the
website; Provide the necessary information to promote their interventions on
social networks and other channels; Manage and formalize image, voice and
NDA contracts with speakers; Publish speakers’ profiles on the website and
other South Summit promotional materials.
Categories
fro
m
data y
collectives
Speaker and Speakers (Identifying information; Job details; Other categories)
Data source The interested party or its legal representative; Private entity; From the Become
a Speaker form on the website
Category of
recipients
Data may be shared with design, communication and marketing teams for the
preparation of promotional materials related to the speakers. Technology
providers in charge of the management of the platform and planning tools,
always under data processor agreements in accordance with the GDPR.
International
transfer
Not foreseen
Deadline
fro
m
conservation
As long as the commercial or contractual relationship is maintained. The data
will be kept as long as there is a contractual and/or commercial relationship
with the speaker. After the termination of the relationship, the data will be kept
for the periods required by tax and commercial regulations (minimum 6
years).data related to the transfer of image and voice rights will be kept for the
period specified in the contract signed with the speaker.
Measures from
security -Organizational:
•Implementation of an internal procedure to manage the explicit consent of
speakers at each stage (registration, use of image, voice and data).
•Creation of a protocol for restricted access to personal and contract data to
authorized personnel only.
•Signing of confidentiality agreements (NDA) with the organizing team and
collaborators who have access to the speakers’ information.
•Periodic evaluations to ensure the correct application of data protection and
data processing measures.
•Techniques:
•Encryption of personal data stored in management systems and contracts
(AES-256).
•Use of secure platforms for the digital signature of contracts and the
processing of sensitive documents.
•Multifactor authentication for access to speaker management systems.
•Monitoring of access and activities in the system to prevent improper use of
information.
•Periodic backups of speakers’ data to ensure recovery in the event of
incidents.
•Physical:
•Secure storage of physical documents (contracts and agreements) in
restricted areas with access control.
•Use of servers in data centers with international certifications (ISO 27001) to
guarantee the physical security of the infrastructure.
South Summit uses images.
Legal basis (Art. 6.1.a RGPD) Consent of the data subject; (Art. 6.1.b RGPD) Existence of a
contractual relationship with the data subject through a contract or precontract.
Purposes Assignment to the press and accredited media for coverage of the event;
Recording and streaming of the event’s presentations; Publication of images
and videos of attendees, speakers and participants on South Summit’s social
networks, website and promotional materials; Use visual content of the event
for the promotion of future editions of South Summit.
Categories
fro
m
data y
collectives
Speakers and speakers (Identifying information). South Summit attendees or
other events (Identifying data).
Source of
data
The interested party or its legal representative; Private entity; From the
Become a Speaker form on the website; Attendees at the event as Speakers,
Partners, Investors, Speakers or Startup Members.
Category of
recipients
Companies dedicated to advertising or direct marketing; Images may be
shared with media, social networks and streaming , always under the
conditions of the privacy policies of such third parties.
International
transfer
Not foreseen
Deadline
fro
m
conservation
The images and recordings will be kept as long as they are useful for the
intended purposes (promotion of the event and future editions).<br />On social
networks and third party platforms, the images will be kept in accordance with
the privacy policies of such platforms. Interested parties may exercise their
right of deletion, cancellation or limitation of treatment to remove their visual
data.<br />
Safety
measures
fro
m •Organizational:
•Obtaining the explicit consent of attendees, speakers and participants
through visible notices in the recording areas, and online registration to
participate in the event.
•Internal policies limiting access to and use of images to authorized
communications and marketing personnel.
•Periodic training for the team in charge on the regulations applicable to the
recording and use of images, including the RGPD and image rights.
•Documentation of agreements with photographers, cameramen and media
participating in the event, ensuring compliance with data protection
regulations.
•Techniques:
•Encryption of images and videos stored in internal systems (AES-256).
•Use of secure platforms for content management and publication (RRSS,
servers with SSL certificates).
•Monitoring of access and activities related to image management to ensure
traceability.
•Automatic backups and storage in controlled environments with ISO 27001
certification.
•Physical:
•Storage of any physical media (memory cards, hard disks) in secure and
restricted access areas.
•Control of physical access to the editing and image management areas within
the South Summit facilities.
11.- DATA OF MINORS
How do we handle the data of minors?
Minors under 14 years of age may not use the services offered through our website without the prior
authorization of their parents, guardians or legal representatives. These will be solely responsible for
all actions performed through the website by minors in their care, including the completion of online
forms with the personal data of minors and, where appropriate, the selection of the corresponding
checkboxes.
In accordance with the provisions of Article 8 of the RGPD and Article 7 of the LOPD/GDD, only
persons over 14 years of age may consent to the lawful processing of their personal data by Spain
Startup.
12.-PROVENANCE AND TYPES OF DATA PROCESSED
Where did we obtain your data?
Travel and Lodging Reservation Management – South Summit
● Ecommerce customers: The interested party or its legal representative.
● Persons accessing and contacting through the web: The interested party or their legal
representative. People who contact us through the web forms such as Become an
Ambassador, Suggest a Speaker, Suggest Ideas, and Contact Us.
● Registered Users / South Summit App Users: The interested party or his/her legal
representative.
● Potential: The interested party himself or his legal representative.
● South Summit attendees or other events: The interested party itself or its legal
representative. Attendees at the event as Speakers, Partners, Investors, Speakers or Startup
Members.
● Registered users competition: The interested party himself or his legal representative.
Startup Competition Evaluation Committee
● Evaluation committee: The interested party itself or its legal representative ; Private entity.
Cookies, pixel and tracking
● Persons accessing and contacting through the web: The interested party or their legal
representative. People who contact us through the web forms such as Become an
Ambassador, Suggest a Speaker, Suggest Ideas, and Contact Us.
Co-organization of the South Summit 2025 event.
● Registered Users / South Summit App Users: The interested party or his/her legal
representative.
● Employees: The interested party or its legal representative
● Visits: The interested party or his legal representative
● Volunteers: The interested party himself or his legal representative.
● Speaker and speakers: The interested party or its legal representative; Private entity. From
the form become a Speaker on the web site.
● South Summit attendees or other events: The interested party itself or its legal
representative. Attendees at the event as Speakers, Partners, Investors, Speakers or Startup
Members.
● Registered users competition: The interested party himself or his legal representative.
Compliance with GDPR obligations
● Clients: The interested party itself or its legal representative
● Employees: The interested party or its legal representative
Event Access Management – South Summit
● Volunteers: The interested party himself or his legal representative.
● Speaker and speakers: The interested party or its legal representative; Private entity. From
the form become a Speaker on the web site.
● South Summit attendees or other events: The interested party itself or its legal
representative. Attendees at the event as Speakers, Partners, Investors, Speakers or Startup
Members.
Event Partner Management & Content Production
● Registered Users / South Summit App Users: The interested party or his/her legal
representative.
● Clients: The interested party itself or its legal representative
● Employees: The interested party or its legal representative
● Speaker and speakers: The interested party or its legal representative; Private entity. From
the form become a Speaker on the web site.
● South Summit attendees or other events: The interested party itself or its legal
representative. Attendees at the event as Speakers, Partners, Investors, Speakers or Startup
Members.
● Registered users competition: The interested party himself or his legal representative.
Communications and Newsletter Management
● Subscribers: The subscriber himself or his legal representative. The data is captured when
the subscriber enters his email address in the registration form of our newsletter on the
website.
Website Query Management – South Summit
● Persons accessing and contacting through the web: The interested party or their legal
representative. People who contact us through the web forms such as Become an
Ambassador, Suggest a Speaker, Suggest Ideas, and Contact Us.
South Summit participant management
● Clients: The interested party itself or its legal representative
Social Media Management – South Summit
● Followers: The interested party himself or his legal representative.
Management of Participation Requests – Partner with Us / Get Your Stand
● Clients: The interested party itself or its legal representative
● Potential: The interested party himself or his legal representative.
Management of registered users competition
● Registered users competition: The interested party himself or his legal representative.
Video Surveillance Management in Offices and Event Facilities
● Employees: The interested party or his legal representative
● Visits: The interested party or his legal representative
Volunteer management
● Volunteers: The interested party himself or his legal representative.
Evaluation Jury Management – Startup Competition
● Jury: The interested party or its legal representative; Private entity
Integrated Agenda and Calendar Management – South Summit
● Persons accessing and contacting through the web: The interested party or their legal
representative. People who contact us through the web forms such as Become an
Ambassador, Suggest a Speaker, Suggest Ideas, and Contact Us.
● Clients: The interested party itself or its legal representative
● Employees: The interested party or his legal representative
Integrated Attendee Management and Ticketing – South Summit
● Speaker and speakers: The interested party or its legal representative; Private entity. From
the form become a Speaker on the web site.
● South Summit attendees or other events: The interested party itself or its legal
representative. Attendees at the event as Speakers, Partners, Investors, Speakers or Startup
Members.
Integrated Event Management – App South Summit
● Registered Users / South Summit App Users: The interested party or his/her legal
representative.
● South Summit attendees or other events: The interested party itself or its legal
representative. Attendees at the event as Speakers, Partners, Investors, Speakers or Startup
Members.
Integrated Speaker Management – South Summit
● Speaker and speakers: The interested party or its legal representative; Private entity. From
the form become a Speaker on the web site.
South Summit uses images.
● Speaker and speakers: The interested party or its legal representative; Private entity. From
the form become a Speaker on the web site.
● South Summit attendees or other events: The interested party itself or its legal
representative. Attendees at the event as Speakers, Partners, Investors, Speakers or Startup
Members.
What types of data do we collect and process about you?
Travel and Lodging Reservation Management – South Summit
Ecommerce Customers
● Identification data (e-mail address; postal address; NIF / NIE / Passport; name and
surname; phone number)
People accessing and contacting via the web
● Identification data (E-mail address; Name and surname; Telephone number)
Registered Users / South Summit App Users
● Identification data (E-mail address; Name and surname; Telephone number)
Potentials
● Identification data (e-mail address; postal address; NIF / NIE / Passport; name and
surname; phone number)
South Summit attendees or other events
● Identification data (Name and surname; Telephone; DNI / NIF / NIE / NIE / Passport)
● Employment details (Employer or company where you work)
Registered users competition
● Identifying data (E-mail address; Mailing address; User name)
Evaluation Committee Startup
Competition Evaluation Committee
● Identification data (E-mail address; Name and surname; Telephone number)
● Other categories (Contact information (relationship, position, company, email))
Cookies, pixel and tracking
People accessing and contacting via the web
● Commercial information (Data obtained through cookies, pixels or similar instruments, if
applicable).
● Other categories (ID generated by Pixel or Cookie)
Co-organization of the South Summit 2025 event.
Registered Users / South Summit App Users
● Identifying data (Email address; Image; Name and surname; Telephone; Profile on social
networks LinkedIn, Twitter, Instagram and Facebook.)
● Commercial information (Activities and businesses; Artistic, literary, scientific or technical
creations; Confidential and/or copyrighted data and/or images; Subscriptions to publications
or media; Data obtained through cookies, pixels or similar instruments, if any; Shipping
address; Direct messages from the South Summit App; Video calls from the South Summit
App).
Employees
● Identification data (E-mail address)
Visit
● Identification data (Image)
Volunteers
● Identification data (e-mail address; mailing address; NIF / NIE / Passport; Social Security /
Mutuality number; name and surname; telephone number)
● Personal characteristics (age; nationality; sex)
Speaker and speakers
● Identifying data (e-mail address; Image; Name and surname; Voice; Country; LinkedIn
social network profile)
● Employment details (Jobs; Company or firm where you work)
● Other categories (Message)
South Summit attendees or other events
● Identification data (Image; Name and surname; Telephone; DNI / NIF / NIE / Passport;
Profile on social networks LinkedIn, Twitter, Instagram and Facebook; Email).
● Personal characteristics (Date of birth; Sex)
● Employment details (Employer or company where you work)
● Economic, financial and insurance (PayPal)
● Commercial information (Direct messages from the South Summit App; Video calls from the
South Summit App).
● Credit information (Bank, debit or credit card information).
Registered users competition
● Identification data (e-mail address; postal address; telephone; user name; company
identification number/CIF; contact data of legal representatives of the company).
Compliance with GDPR obligations
Customers
● Identification data (Name and surname; Mailing address; NIF / NIE / Passport; E-mail
address; Telephone)
Employees
● Identification data (Name and surname; Mailing address; NIF / NIE / Passport; E-mail
address; Fingerprint; Telephone)
● Job Details (Jobs)
Event Access Management – South Summit
Volunteers
● Identification data (e-mail address; NIF / NIE / Passport; Name and surname)
Speaker and speakers
● Identifying data (E-mail address; Image; Name and surname)
South Summit attendees or other events
● Identification data (Image; Name and surname; DNI / NIF / NIE / NIE / Passport)
Event Partner Management & Content Production
Registered Users / South Summit App Users
● Identifying data (Email address; Image; Name and surname; Telephone; Profile on social
networks LinkedIn, Twitter, Instagram and Facebook.)
Customers
● Identification data (e-mail address; postal address; NIF / NIE / Passport; name and
surname; telephone number; country)
Employees
● Identifying data (E-mail address; Mailing address; Handwritten signature; Name and
surname; Telephone number)
Speaker and speakers
● Identifying data (e-mail address; Image; Name and surname; Voice; Country; LinkedIn
social network profile)
South Summit attendees or other events
● Identification data (Image; Name and surname; Telephone; DNI / NIF / NIE / Passport;
Profile on social networks LinkedIn, Twitter, Instagram and Facebook; Email).
● Personal characteristics (Date of birth; Sex)
● Employment details (Employer or company where you work)
● Economic, financial and insurance (PayPal)
● Commercial information (Direct messages from the South Summit App; Video calls from the
South Summit App).
● Credit information (Bank, debit or credit card information).
Registered users competition
● Identification data (e-mail address; postal address; telephone; user name; company
identification number/CIF; contact data of legal representatives of the company).
Communications and Newsletter Management
Subscribers
● Identification data (Name and surname; E-mail address; Telephone number)
Inquiry Management Website – South Summit
People accessing and contacting through the
website
● Identification data (Name and surname; E-mail address; Telephone; Country)
● Employment details (Jobs; Company or firm where you work)
● Other categories (Message)
Participant management South Summit
Clients
● Identification data (Name and surname; Mailing address; E-mail address; Telephone
number)
Social Media Management – South Summit Followers
● Identification data (Name and surname; E-mail address)
Management of Participation Requests – Partner with Us / Get Your Stand
Clients
● Identifying data (Country; Name and surname; E-mail address)
● Employment details (Employer or company where you work)
● Other categories (Message)
Potentials
● Identification data (Name and surname; Telephone; Country; E-mail)
● Employment details (Employer or company where you work)
● Other categories (Message)
Management of registered users competition
Registered users competition
● Identification data (e-mail address; postal address; telephone; user name; company
identification number/CIF; contact data of legal representatives of the company).
Management of Video Surveillance in Offices and Employee Events
Facilities
● Identification data (Image)
Visit
● Identification data (Image)
Volunteer management
Volunteers
● Identification data (e-mail address; mailing address; NIF / NIE / Passport; Social Security /
Mutuality number; name and surname; telephone number)
● Personal characteristics (age; nationality; sex)
Management of the Evaluation Jury – Startup Competition
Jury
● Identifying data (E-mail address; Name and surname; Telephone; Country)
● Other categories (Contact information (relationship, position, , email))
● Employment details (Jobs; Company or firm where you work)
Integrated Agenda and Calendar Management – South Summit
People accessing and contacting through the website
● Identification data (Name and surname; E-mail address; Telephone number)
Customers
● Identification data (Name and surname; E-mail address; Telephone number)
Employees
● Identification data (Name and surname; Mailing address; Telephone number)
Integrated Attendee Management and Ticketing – South Summit
Speaker and Speakers
● Identifying data (E-mail address; Image; Name and surname; Voice)
South Summit attendees or other events
● Identification data (Name and surname; Image; Phone; DNI / NIF / NIE / Passport)
● Economic, financial and insurance (PayPal)
● Credit information (Bank, debit or credit card information).
● Personal characteristics (Date of birth; Sex)
● Employment details (Employer or company where you work)
Integrated Event Management – South Summit App
Registered Users / South Summit App Users
● Identifying data (Email address; Image; Name and surname; Telephone; Profile on social
networks LinkedIn, Twitter, Instagram and Facebook.)
● Business information (Activities and business; Direct messages from the South Summit
App; Video calls from the South Summit App).
South Summit attendees or other events
● Identification data (Name and surname; Image; Profile on social networks LinkedIn, Twitter,
Instagram and Facebook).
● Employment details (Employer or company where you work)
● Commercial information (Direct messages from the South Summit App; Video calls from the
South Summit App).
Integrated Speaker Management – South Summit
Speaker and Speakers
● Identifying data (e-mail address; first and last name; country; LinkedIn social network profile)
● Employment details (Jobs; Company or firm where you work)
● Other categories (Message)
South Summit uses images.
Speakers and speakers
● Identification data (Image)
South Summit attendees or other events
● Identification data (Image)
13- RIGHTS OF INTERESTED PARTIES
What are your rights regarding your data?
Data protection regulations give you specific rights that you can exercise in relation to the processing
of your data. These rights are personal and non-transferable, which means that only you, as the data
subject, can exercise them after verification of your identity.
Your rights are described below:
•Right of access: You can request confirmation of whether Spain Startup is processing your data and
access information related to its processing.
•Right of rectification: If your personal data is inaccurate or incomplete, you may request its
correction.
•Right to erasure («right to be forgotten»): You may request deletion of your data when it is no
longer necessary for the purposes for which it was collected, or if you withdraw your consent.
•Right to limitation of processing: You may request the limitation of the processing of your data, for
example, while its accuracy is being verified or in other cases provided for by law.
•Right to data portability: You have the right to receive your data in a structured, commonly used
and machine-readable format and to transmit it to another data controller.
•Right to object: You may object to the processing of your data on grounds relating to your particular
situation, or when the processing is based on a legitimate interest.
•Right not to be subject to automated decisions: You may request not to be subject to decisions
based solely on automated processing of your data, including profiling.
•Right to withdraw consent: You may withdraw your consent at any time, without affecting the
lawfulness of the processing based on the prior consent.
•Right to file a complaint: If you consider that your rights have not been respected, you may file a
complaint with the corresponding supervisory authority: Spanish Data Protection info@aepd.es
https://www.aepd.es
To exercise any of these rights, you may contact Spain Startup using the contact information below:
● Responsible: Spain Startup and Investor Services S.L.
● Address: Paseo de la Castellana Nº 70 piso primero . 28046, Madrid (Madrid), Spain
● Phone: +34 915625784
● E-mailprivacy@southsummit.io
● Website: http://www.southsummit.io
You can also exercise your rights with the Data Protection Officer:
Email: rgpd@auratechlegal.es – Phone: 0034 911 134 963
How can you exercise your rights in relation to your data?
To exercise your rights of access, rectification, deletion, limitation or opposition, portability and
withdrawal of your consent, you can do so by sending an email to these
addresses:rgpd@auratechlegal.es /privacy@southsummit.io or a postal mail to : Paseo de la
Castellana Nº 70 second floor . 28046, Madrid (Madrid), Spain.
How can you file a complaint if you feel your rights are not being respected?
If you believe that the processing of your personal data does not comply with data protection
regulations, you have the right to lodge a complaint with the relevant Supervisory Authority in your
country of residence or place of business.
Depending on your location, you can contact the competent authority in your country. For example:
•In Germany, you can contact the Berliner Beauftragte für Datenschutz und Informationsfreiheit.
•In France, the competent authority is the Commission Nationale de l’Informatique et des Libertés.
(CNIL).
Specific contact details for Spain are as follows:
● Spanish Data Protection Agency
C/ Jorge Juan, 6. 28001, Madrid (Madrid), Spain Email:
info@aepd.es- Telephone: 912663517
Web: https://www.aepd.es
If you are not sure which authority applies to you or need information on other supervisory authorities,
you can consult the article on Data Protection Supervisory Authorities, where you will find contact
details and links according to your location.
14.-MODIFICATION AND INFORMATION PRINCIPLE
This document ensures that you understand how we treat your personal data. By using our website or
services, you confirm that you have been informed about the terms of our Privacy , in accordance with
the information principle set out in Article 13 of the GDPR. The lawful bases for processing your
personal data are set out in Article 6 of the GDPR, and may include the performance of a contract,
compliance with legal obligations or legitimate interest, among others.
This policy has been developed with the collaboration of Auratech Legal, a firm specializing in data
protection, and will be reviewed periodically to ensure its adequacy and compliance.
Spain Startup reserves the right to modify this Privacy Policy according to changes in legislation,
jurisprudence or directives from the supervisory authorities. Any relevant modification that affects the
purposes of processing, storage periods or user rights will be communicated explicitly.