In general, we may collect information and data that you provide to us over the Website, but we may also gather information and data on you through the Website when you make use of our services, when you send us emails, when you register for or attend any events which we host/promote, or when you interact with ZWL representatives. This is described in Section 3 below.
Any personal data which we collect will be processed in a lawful, fair and transparent manner. To this end, and as further described below, ZWL takes into consideration internationally recognized principles governing the processing of personal data, such as the principles of purpose limitation, storage limitation, data minimization, data quality and confidentiality.
Personal and Organizational Data Processed
When you use the Website or the Services, ZWL will collect and process information regarding you (as an individual) which allows you to be identified either by itself, or together with other information that has been collected. ZWL may also be able to collect and process information regarding other persons in this same manner, if you choose to provide such information to ZWL.
This information may be classified as “Personal Data” or “Organizational Data” and can be collected by ZWL both when you choose to provide it (e.g., when you fill out a form to download a research working paper, or request other Services provided by ZWL over the Website or otherwise) or simply by analyzing your behavior on the Website or the Services that you request. Personal and Organizational Data that can be processed by ZWL through the Website or in connection with the Services are as follows:
Name, Contact Details and other Organizational Data
In various sections of the Website, you will be asked to submit information about yourself, such as your name, e-mail address, phone number, billing address and the name and details of your affiliate organization. This is the case, for example, when you participate in one of ZWL’s threat modeling surveys, when you download certain research reports or when you create an account on the Website (where available).
In addition, whenever you communicate with ZWL via forms available on the Website (such as the “Contact Us” form provided for Membership inquiries), or by means of the contact details displayed in the “Contact” section of the Website, or when you visit us at events, ZWL may collect additional information on you if you choose to provide such data.
Special Categories of Organizational Data
Certain areas of the Website include free text fields, where you can write messages to ZWL, or otherwise allow you to post various types of content on the Website, which may contain Personal Data.
Where these fields are completely free, they may be used to (inadvertently or not) disclose more sensitive categories of Organizational Data, such as data revealing your security footprint, approaches and self-labeled vulnerabilities. The content you provide in these fields may also (inadvertently or not) include other types of sensitive information relating to your Organization.
ZWL asks that you do not disclose any Sensitive Organizational Data on the Website, unless you consider this to be strictly necessary. ZWL requires your explicit consent to process this sort of Personal and Organizational Data (which can be provided, e.g., by declaring that you “explicitly consent to the processing of special categories of Personal and Organizational data, as necessary to comply with my request” in messages you send to ZWL).
The Website’s operation involves the use of computer systems and software procedures, which collect information about the Website’s users as part of their routine operation, also known as browsing data. While ZWL does not collect this information in order to link it to specific users, it is still possible to identify those users either directly via that information, or by using other information collected – as such, this information must also be considered Personal and Organizational Data.
These data are used to compile statistical information on the use of the Website, ensure its correct operation and identify any faults and/or abuse of the Website. Save for this last purpose, these data are not kept for more than 7 business days.
Definitions, Characteristics, and Application of Standards
Cookies are small text files that may be sent to and registered on your computer by the websites you visit, to then be re-sent to those same sites when you visit them again. It is thanks to cookies that those websites can “remember” your actions and preferences (e.g., login data, language, font size, other display settings, etc.), so that you do not need to configure them again when you visit the website at a later time, or when you change pages within a website.
When browsing a website, you may also receive cookies from websites or web servers other than the website being visited (i.e., “third-party cookies”).
According to the law that may be applicable to you, your consent may not always be necessary for cookies to be used on a website. In particular, “technical cookies” – i.e. cookies that are only used to send messages through an electronic communications network, or that are needed to provide services you request – typically do not require this consent. This includes browsing or session cookies (used to allow users to login) and function cookies (used to remember choices made by a user when accessing the website, such as language or products selected for purchase).
Types of Cookies used by the Website
The Website uses the following types of Cookies:
Browsing or session cookies, which are strictly necessary for the Website’s operation, and/or to allow you to use the Website’s content and Services.
Function cookies, which are used to activate specific Website functions and to configure the Website according to your choices (e.g., language), in order to improve your experience.
Analytics cookies, which allow ZWL to understand how users make use of the Website, and to track traffic to and from the Website.
ZWL also uses third-party cookies – i.e. cookies from websites / web servers other than the Website, owned by third parties. These third parties will either act as independent data controllers from ZWL regarding their own cookies (using the data they collect for their own purposes and under terms defined by them) or as data processors for ZWL (processing personal data on our behalf). For further information on how these third parties may use your information, please refer to their privacy policies:
ZWL uses Google Analytics on the Website. This is a tool developed by Google and used to collect information that permits evaluation of the use of the Website, analysis of your behavior and improvement of your experience with the Website. You can obtain more information about how to opt out of Google Analytics at: https://tools.google.com/dlpage/gaoptout.
This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category “Necessary”.
You can also block or delete cookies used on the Website via your browser options. Your cookie preferences will be reset if different browsers are used to access the Website. For more information on how to set the preferences for cookies via your browser, please refer to the following instructions:
CAUTION: If you block or delete technical and/or function cookies used by the Website, the Website may become impossible to browse, certain services or functions of the Website may become unavailable or other malfunctions may occur. In this case, you may have to modify or manually enter some information or preferences each time you visit the Website.
Purposes of Processing
ZWL intends to use your Personal and Organizational Data, collected through the Website, for the following purposes:
For future marketing, promotional and publicity purposes, including over e-mail or over the phone, regarding ZWL’s products and services, as well as those of selected third parties (sponsors and ZWL corporate members) (“Marketing”);
For compliance with laws that require us to collect and/or further process certain kinds of Personal and Organizational Data (“Compliance”);
For development and administration of the Website or our Services, in particular by use of data analytics regarding how you and other users make use of the Website, as well as the information and feedback you provide, in order to improve ZWL’s offerings and to troubleshoot any technical issues which may arise in connection with the use of the Website or Services (“Analytics”);
To prevent and detect any misuse of the Website or Services, or any fraudulent activities carried out through the Website or Services (“Misuse/Fraud”).
Grounds for Processing and Mandatory / Discretionary Nature of Processing
The grounds on which the ZWL relies on to process your Personal Data, according to the purposes identified in Section 3, are as follows:
Service Provision – processing for these purposes is necessary to provide the Services and, therefore, is necessary to address a request made by you, to perform a contract entered into with you or to take steps prior to entering into a contract with you. It is not mandatory for you to give ZWL your Personal Data for these purposes. However, if you do not, ZWL will not be able to provide certain Services to you over the Website or otherwise.
Marketing – processing for these purposes is based on your consent. It is not mandatory for you to give consent to ZWL for use of your Personal Data for these purposes, and you will suffer no consequence if you choose not to give it (aside from not being able to receive further marketing communications from ZWL). Any consent given may also be withdrawn at a later stage (please see Section 8 for more information).
Compliance – processing for this purpose is necessary for ZWL to comply with its legal obligations. When you provide any Personal Data to ZWL, ZWL must process it in accordance with the laws applicable to it, which may include retaining and reporting your Personal Data to official authorities for compliance with tax, customs or other legal obligations.
Analytics – processing for this purpose is based on ZWL’s interest in understanding the performance of Services provided over the Website and improving the Website accordingly, with the aim to provide a better user experience, as well as to troubleshoot any technical issues which users may encounter on the Website.
Misuse/Fraud – processing for this purpose is based on ZWL’s interest in preventing and detecting fraudulent activities or misuse of the Website (for example, for criminal purposes).
Recipients of Personal and Organizational Data
Your Personal and Organizational Data may be shared with the following list of persons / entities (“Recipients”):
Sponsors and selected ZWL Corporate Members, where you provide consent for your Personal and Organizational Data to be used for third-party marketing purposes;
Persons, companies or professional firms providing ZWL with advice and consultancy regarding information security matters related to the provision of the Services;
Entities engaged in order to provide the Services (e.g., hosting providers or email platform providers, event organizers);
Persons authorized to perform technical maintenance (including maintenance of network equipment and electronic communications networks);
Persons authorized by ZWL to process Personal and Organizational Data needed to carry out activities strictly related to the provision of the Services, who have undertaken an obligation of confidentiality or who are subject to an appropriate legal obligation of confidentiality (e.g., employees or contractors working for ZWL);
Other entities within ZWL for internal administrative purposes, including the processing of Personal and Organizational Data on users making inquiries; and Public entities, bodies or authorities to whom your Personal and Organizational Data may be disclosed in accordance with applicable law or binding orders of such entities, bodies or authorities.
Transfers of Personal Data
Considering our worldwide presence and global business operations, your Personal and Organizational Data may be transferred to Recipients located in several different countries. ZWL implements appropriate safeguards to ensure the lawfulness and security of these Personal Data transfers, such as by relying on adequacy decisions from the European Commission, Standard Contractual Clauses adopted by the European Commission, and/or other safeguards or conditions considered adequate to the relevant transfer. More information on these transfers is available upon written request to ZWL at the following address: email@example.com
Retention of Personal and Organizational Data
Personal and Organizational Data processed for Service Provision will be kept by ZWL for the period deemed strictly necessary to fulfill such purposes – in any case, as this Personal and Organizational Data is processed for the provision of the Services, ZWL may continue to store this Personal and Organizational Data for a longer period, as may be necessary to protect our interests with respect to potential liability related to the provision of the Services.
Personal and Organizational Data processed for Marketing will be kept by ZWL from the moment you give consent (if any) until it is withdrawn. When you withdraw your consent, your Personal Data will no longer be used for these purposes, although it may still be kept by ZWL, as it may be necessary to protect our interests related to potential liability related to this processing.
Personal and Organizational Data processed for Compliance will be kept by ZWL for the period required by the specific legal obligation or by the applicable law.
Personal and Organizational Data processed for preventing Misuse/Fraud, as well as for Analytics will be kept by ZWL for as long as deemed strictly necessary to fulfill the purposes for which it was collected, unless you validly object to the processing of your Personal Data for these purposes (please see Section 8 for further information).
Data Subjects’ Rights
As a data subject, you are entitled at any time to exercise the rights listed below before ZWL. Your rights include the possibility to:
Access your Personal and Organizational Data being processed by ZWL (and/or a copy of that Personal and Organizational Data), as well as information on the processing of your Personal Data;
Correct or update your Personal and Organizational Data processed by ZWL, where it may be inaccurate or incomplete;
Request erasure of your Personal and Organizational Data being processed by ZWL, where you feel that the processing is unnecessary or otherwise unlawful;
Request the restriction of the processing of your Personal and Organizational Data, where you feel that the Personal Data processed is inaccurate, unnecessary or unlawfully processed, or where you have objected to the processing;
Exercise your right to portability, the right to obtain a copy of your Personal and Organizational Data provided to ZWL, in a structured, commonly used and machine-readable format, as well as the transmission of that Personal Data to another data controller;
Object to the processing of your Personal and Organizational Data, based on relevant grounds related to your particular situation, which you believe must prevent ZWL from processing your Personal and Organizational Data (for Misuse/Fraud or Analytics);
Withdraw your consent to processing (for Marketing).
Please note that most of the Personal and Organizational Data you provide to us can be changed at any time, including your email preferences, by accessing, where applicable, your user profile created on the Website.
You can also withdraw consent for Marketing (for communications received via email) by selecting the appropriate link included at the bottom of every marketing email message you receive. The same applies to communications you may receive from us by subscribing to the ZWL Mailing List.
Aside from the above-mentioned means, you can always exercise your data subject rights described above by sending a written request to us at the following address: firstname.lastname@example.org.
In any case, please note that, as a data subject, you are entitled to file a complaint with the competent supervisory authorities for the protection of Personal and Organizational Data if you believe that the processing of your Personal and Organizational Data carried out through the Website is unlawful.
Rights of California Residents
California requires operators of websites or similar services to make certain disclosures to users who reside in California regarding their rights, specifically:
Shine the Light
Under California law, a business that has an established business relationship with an individual, and has, within the immediately preceding calendar year, disclosed personal data that is primarily used for personal, family or household purposes to a third party for the third party’s direct marketing purposes, upon request disclose to its California users the identity of any such third party, along with the type of personal data that has been/is disclosed.
You can contact us and our Office of Data Protection at email@example.com. Please note that, under California law, businesses are only required to respond to a user’s request once during any calendar year.
Some browsers give individuals the ability to communicate that they wish not to be tracked while browsing the Internet. California law requires that we disclose to users how we treat do-not-track requests. The Internet industry has not yet agreed on a definition of what “Do Not Track” means, how compliance with “Do Not Track” would be measured or evaluated, or a common approach to responding to a “Do Not Track” signal. Due to the lack of guidance, we have not yet developed features that would recognize or respond to browser-initiated Do Not Track signals in response to California law.
In the meantime, there are technical means to prevent some of the tracking, if any. See the Section on “Cookie Settings” for more information.