Event Sponsorships and Data Protection Addendums

Last updated: October 11, 2018

Introduction

This page describes data privacy matters relevant to sponsors of The Linux Foundation’s events. In particular, it addresses questions that may arise regarding the Data Protection Addendum (DPA) in our Event Sponsorship Agreement.

The intended audience for this page is procurement and legal teams for our event sponsors. This page is not intended as legal advice, but is instead meant to help clarify our purposes for including the DPA. If you have more general questions about our data privacy practices, please see our Privacy Policy at https://www.linuxfoundation.org/privacy/.

Personal Data and Linux Foundation Event Sponsors

One of the primary benefits that companies and organizations receive by sponsoring Linux Foundation events is the ability to connect with thousands of attendees who may be interested in your offerings and technologies.

As a sponsor of an LF event, you will typically be provided with a badge scanning device for use at the event. This will enable you to scan the attendance badges of attendees who permit you to do so. When you scan an attendee’s badge, a portion of their contact information will be made available to you. This process is explicitly described in our Privacy Policy at https://www.linuxfoundation.org/privacy/, as well as on the registration forms that individuals review and accept when registering to attend an LF event.

GDPR and the Data Protection Addendum

The attendees who allow you to scan their badges, and whose contact information you would then receive, may include individuals who reside in the European Union. As a result, we are required to take into account the requirements of the General Data Protection Regulation (GDPR) in sharing this data with you.

The Data Protection Addendum (DPA) to our Event Sponsorship Agreement is intended to be narrowly tailored to enable this sharing. It is a short, lightweight set of terms that specify how the parties will protect attendees’ data when the LF shares it with sponsors.

Can a sponsor use its own DPA instead?

We occasionally receive requests from sponsors who wish to use their own form of DPA. While we understand the desire to use contract documents you are familiar with, the issue is that sponsors’ own DPA forms usually do not suitably cover the sharing of data that occurs here.

A company’s form DPA that they use with their vendors is typically designed to protect data that they share with their own service providers. In GDPR terms, the company is the “controller” of that data, and the service provider they share it with is their “processor.” Their form DPA for vendors will contain terms appropriate to this arrangement.

By contrast, that form DPA for a company’s vendors does not work in the event sponsorship context. The sponsor is not sharing data with The Linux Foundation. Instead, it is receiving data regarding the attendees who allow it to scan their badges. In GDPR terms, the sponsor and the LF are each acting as separate “controllers” of the data that gets shared. Because of this, the “controller to processor” terms in a company’s form DPA for vendors will rarely be suitable for the flow of data in this specific context.

What if I’m Privacy Shield certified?

Some for-profit companies are self-certified under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (Privacy Shield). Being Privacy Shield certified is helpful, in that it provides one mechanism to handle cross-border transfers of data. However, GDPR requirements go beyond just cross-border transfers and Privacy Shield.

In our DPA for event sponsorships, if your company is listed on the Privacy Shield list, then we can remove from the DPA provisions that refer to the Standard Contractual Clauses (sometimes referred to as the “EU Model Clauses”). Like Privacy Shield, the Standard Contractual Clauses provide a mechanism and framework for cross-border transfers of data. If you are Privacy Shield certified, then incorporating the Standard Contractual Clauses is not required. However, the balance of the DPA still needs to be signed, as it lays out a handful of other provisions that are needed for appropriate protection of shared data, regardless of what mechanism is used to address cross-border transfers.

Questions

If you have further questions about the DPA in our Event Sponsorship Agreements, please reach out to your contact on The Linux Foundation’s events team. They would be happy to put your legal counsel in touch with a member of our legal and privacy team who can help answer any additional questions.