Privacy Policy

1. Introduction

Meridional Events S.L. (“we”, “us”, “our”) is committed to protecting the privacy and personal data of its clients, event participants and website users.

This Privacy Policy explains how we collect, use, disclose and protect personal data when you:

• visit our website www.meridionalevents.com (the “Website”), or
• participate in any event organised or coordinated by us, whether directly or on behalf of your company or employer.

2. Legal framework

This Privacy Policy complies with:

• Regulation (EU) 2016/679, General Data Protection Regulation (GDPR),
• Ley Orgánica 3/2018, on the Protection of Personal Data and guarantee of digital rights (LOPDGDD), and
• other applicable provisions of Spanish civil, commercial and constitutional law.

In the event of any discrepancy, the Spanish version shall prevail as the legally binding text.

3. Data Controller

• Meridional Events S.L.
• NIF: B75679035
• Registered address: Calle Pelayo, Málaga, Spain
• Email: privacy@meridionalevents.com
• Website: www.meridionalevents.com

4. Definitions

• Personal Data: Any information relating to an identified or identifiable natural person.
• Special Categories of Data: Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.
• Processing: Any operation performed on personal data (collection, storage, use, disclosure, erasure, etc.).
• Data Subject: The person whose data are processed.
• Controller: The entity which determines the purposes and means of the processing.
• Processor: The entity which processes personal data on behalf of the Controller.

5. Personal data we collect

We may collect and process:

• Identification data and data necessary for accommodation and nominal access: First name, surname, sex, nationality, date of birth, type and number of identification document (DNI, NIE, TIE or passport, as applicable), together with any other data required by applicable regulations or necessary for the management of bookings, check-in, documentary registration, access control or related services.
• Contact data: Email, telephone number, address.
• Professional data: Company, position, professional contact details.
• Event logistics data: Travel data, accommodation data, rooming lists, schedules, activities, transfers and all other operational information necessary for the organisation and execution of the event.
• Billing and payment data: Billing data, NIF/VAT number, banking/payment information.
• Health data (optional): Allergies, intolerances, chronic conditions, mobility needs or insurance data — provided directly by you or by your employer for event logistics and safety purposes.
• Emergency contact: Name and telephone number of the designated person.
• Media: Photographs and videos taken during events.
• Communications: Emails and messages exchanged with us.
• Technical data: IP address, browser details, device information and browsing behaviour (see section 15).

Sources of the data: (i) directly from you by means of electronic forms (including event registration forms) or communications, and/or (ii) from your employer or client company for the purpose of organising and executing the event.

6. Legal basis for processing

Purpose of processing

Category of data

Legal basis

Event coordination and logistics

Identification, contact, professional, travel/accommodation data

Performance of a contract (art. 6.1.b GDPR)

Health and safety

Health data

Explicit consent of the data subject (art. 9.2.a GDPR) for the logistical, dietary, travel and safety management of the event; and, in emergency situations, vital interests (art. 9.2.c GDPR).

Billing and payments

Financial and tax data

Legal obligation (art. 6.1.c)

Communications with participants

Contact data

Legitimate interest (art. 6.1.f) or performance of a contract (art. 6.1.b) where strictly necessary

Marketing communications

Contact data

Consent (art. 6.1.a)

Photography and video

Images and audiovisual material

Legitimate interest (art. 6.1.f)

Quality control and reporting

General event data

Legitimate interest (art. 6.1.f)

Where health data are provided by a client company, that company (as Controller) is the party required to have a valid legal basis in place (normally explicit consent or, in emergencies, vital interests). Meridional Events S.L. processes such data exclusively in order to guarantee safety at the event and does not use them for any other purpose.

In such cases, Meridional Events S.L. does not independently verify the legal basis obtained by the client company and processes such data within the applicable contractual framework, in accordance with the instructions received and, where applicable, pursuant to the corresponding data processing agreement.

Where processing is based on legitimate interest, Meridional Events S.L. has carried out the balancing test in order to ensure that such interest does not override the rights and freedoms of data subjects (art. 6.1.f GDPR). Under no circumstances do we use Special Categories of Data for profiling or marketing.

7. Use and disclosure of data

Your data may be processed for:

• event coordination and logistics,
• health and safety,
• communication and administration,
• legal compliance (tax, insurance and security),
• internal reporting and quality control,
• marketing (only with your prior consent).

Data may be disclosed, strictly on a need-to-know basis, to:

• hotels, restaurants, venues/sites, transport providers, museums, monuments and other third parties necessary for the event,
• insurers or emergency services where necessary,
• tax authorities or other public authorities where required by law.

The foregoing is without prejudice to the provisions specifically applicable to Special Categories of Data under section 7.1, which shall in all cases be governed by their enhanced regime of confidentiality and restricted disclosure.

All disclosures are limited to the minimum data necessary for the intended purpose and are subject to obligations of confidentiality and security. We do not sell personal data.

7.1 Processing of health data and emergency situations

Health data which the participant voluntarily decides to provide in the registration form (such as allergies, intolerances, accessibility requirements or other relevant medical information) shall be processed exclusively for the purpose of safeguarding the participant’s wellbeing and safety during the event.

With the participant’s explicit consent, certain strictly necessary health data (including, inter alia, food allergies, medical needs during travel, accessibility requirements, requirements for the storage or transport of medication, medical equipment or other medical conditions relevant to the proper organisation and safety of the event) may be disclosed to third parties directly involved in the organisation of the event, such as catering companies, hotels, airlines, logistics providers or other event organisers, exclusively in order to ensure proper planning, safety and care of the participant.

Such disclosure shall in all cases be limited to the minimum data strictly necessary, shall not be general or systematic in nature, and shall be subject to obligations of confidentiality and security. Under no circumstances shall such data be used for purposes other than those expressly consented to.

Such data shall be handled confidentially by Meridional Events S.L. and shall not be disclosed to third parties, including the participant’s employer or representatives of the participant’s company, save in the following cases:

• where a medical emergency situation or other circumstance arises which entails a real risk to the participant’s physical integrity or health;
• where such disclosure is indispensable in order to facilitate urgent medical assistance, activate emergency protocols or inform a responsible person from the participant’s company on the participant’s behalf.

In such cases, the legal basis for processing shall be the vital interests of the data subject pursuant to articles 6.1.d and 9.2.c of Regulation (EU) 2016/679 (GDPR).

No preventive or systematic disclosure of such data shall take place to third parties outside the cases described in this section, nor without the participant’s explicit consent or a medical emergency situation.

8. Role of the client company

Depending on the circumstances, Meridional Events S.L. may act as:

• Controller, where we collect data directly from participants; or
• Processor, where we receive data from the client company solely for the execution of the event.

Where we act as Processor, the data processing agreement (art. 28 GDPR) forms part of the contract with the client by incorporation by reference, and the client company (Controller) is the party required to guarantee that it has a valid legal basis — especially when sharing Special Categories of Data — with us.

In the context of registration forms managed through third-party platforms, Meridional Events S.L. adopts measures to ensure that access to health data is restricted to authorised personnel and segregated from ordinary logistical information flows.

9. Photography and audiovisual material

During certain events, photographs and videos may be taken for documentation, internal reporting and, where appropriate, promotional use, in accordance with the applicable legal basis and in a proportionate manner.

Legal basis: legitimate interest, consent or any other legal basis applicable according to the context of capture and use of the images. In all cases, the images shall be used proportionately and never in a context capable of prejudicing the rights of the participants.

If you appear in an image or video and wish to request its removal, please write to: privacy@meridionalevents.com. We shall process your request promptly in accordance with article 17 GDPR.

Where it is not reasonably possible to obtain prior consent, images shall be captured as general scenes in which individuals are not the principal element, in accordance with the AEPD’s criterion on legitimate interest.

10. International data transfers

If data are transferred to or stored outside the EEA, we ensure appropriate safeguards by means of:

• an adequacy decision of the European Commission, or
• Standard Contractual Clauses (SCCs) or other recognised safeguards.

Where providers are located outside the EEA — for example, certain Google or Microsoft services hosted in the United States — Meridional Events S.L. ensures that the transfers are governed by the European Commission’s SCCs.

In particular, the collection and management of event participant data may be carried out through tools such as Google Forms, Google Workspace and Microsoft Office 365, used by Meridional Events S.L. as collaborative working and secure storage platforms.

Such providers act as processors and offer GDPR-compliant contractual commitments, including the application of Standard Contractual Clauses (SCCs) where data may be processed outside the European Economic Area.

Where technically possible, Meridional Events S.L. has configured such services so as to prioritise the storage and processing of data within the European Union.

11. Your rights

You may exercise the following rights: access, rectification, erasure (“right to be forgotten”), restriction of processing or objection thereto, portability, and withdrawal of consent (without retroactive effect on processing previously carried out lawfully).

Please send your request to privacy@meridionalevents.com, attaching a copy of your identity document for verification purposes. We shall respond within one month, extendable by up to two months where necessary (art. 12.3 GDPR).

If you consider that your rights have been infringed, you may lodge a complaint with the Agencia Española de Protección de Datos (AEPD) – www.aepd.es

12. Retention periods

Retention periods are defined in accordance with the principles of necessity and proportionality (art. 5.1.e GDPR).

• Event data and internal analysis: for the time necessary for evaluation, quality control, operational follow-up and service improvement and, as a general criterion, up to 24 months after the end of the event, unless they must be retained for a longer period by legal obligation or for the defence of claims. Where possible, such data shall be retained in aggregated, anonymised or pseudonymised form.
• Participant identification and contact data: up to 4–6 years after the last event or interaction, unless it is necessary to retain them for a longer period for compliance with legal obligations or the defence of potential claims.
• Medical and insurance data: up to 90 days after the end of the event, in accordance with the information provided in the registration form, and thereafter secure deletion or anonymisation, unless otherwise required by law.
• Billing and tax data: for the periods legally required (usually up to 10 years).
• Communications (emails and messages): up to 24 months from the last interaction, unless longer retention is necessary for legal defence purposes.
• Technical records and logs: up to 12 months, unless required for the investigation of security incidents.
• Multimedia files: for the time necessary for the purpose for which they were captured and, where applicable, for so long as they remain suitable and relevant for such purpose, without prejudice to the data subject’s right to request their removal where appropriate.

13. Data security and breach notification

We apply technical and organisational measures, including encrypted storage, secure servers, role-based access control, continuous monitoring and staff training. In the event of a personal data breach, we shall notify the AEPD within a maximum of 72 hours and the data subjects where appropriate (arts. 33–34 GDPR).

14. Protection of minors

Our services are not directed at minors under 14 years of age. We do not knowingly collect or process data from minors below this threshold in accordance with article 7 of the LOPDGDD. If such data have been collected by mistake, we shall proceed to erase them immediately.

15. Cookies and third-party services

Our Website uses cookies for functional and analytical purposes. Non-essential cookies shall only be used with your consent through the cookie banner. You may manage or withdraw your consent at any time and adjust your preferences from your browser.

We may use third-party providers (e.g., Google Analytics, Google Workspace, Microsoft 365/Azure) subject to GDPR-compliant agreements. For any hosting outside the EEA, we apply SCCs or other equivalent safeguards (see section 10).

Details on cookie types, purposes, storage periods and providers are set out in our Cookie Policy.

Where such third-party services involve the processing of personal data for event management purposes, they shall act as processors pursuant to GDPR-compatible agreements.

16. Email communications

Emails issued by Meridional Events S.L. may contain confidential information. If you receive one in error, please notify us and delete the message. You may unsubscribe from marketing communications at any time.

17. Updates to this policy

This policy may be updated periodically. Material changes shall be announced on the Website or by email. Meridional Events S.L. acts in accordance with the principles of lawfulness, fairness, transparency, data minimisation, integrity/confidentiality and accountability, in compliance with articles 5 and 24 GDPR.

Automated decision-making and profiling: We do not carry out automated decision-making producing legal or similarly significant effects, nor marketing profiling based on Special Categories of Data.

18. Contact and supervisory authority

Contact:

Meridional Events S.L. – Calle Pelayo, Málaga, Spain

Supervisory authority: Agencia Española de Protección de Datos (AEPD) – C/ Jorge Juan, 6 – 28001 Madrid – www.aepd.es