Privacy Notice for Residents of the European Economic Area
Posted: September 7, 2018
Effective Date: September 7, 2018
National Retail Federation, Inc. (“NRF”) (collectively, “we,” “our,” or “us”) provides this privacy notice to describe how we process the personal data of individuals in the European Economic Area (EEA) who visit our websites (“Site”), or otherwise interact with us.
Collection of Personal Data
We collect information you provide to us when visiting our Site, becoming a member of NRF, or otherwise interacting with us, including your name, address, telephone number, email address, and payment information. If you serve as a speaker at our events, we collect your social media or blog usernames or URLs, as well as photograph and biography. For employees of member companies, exhibitors and sponsors, we collect information related to your employment, from you or your employer, including the company name, address, phone number, and your title. If you post your resume to or apply for a position through the NRF job board, we collect information related to your posting and application including your name, contact information, educational and professional history, and status as a veteran.
We also collect information relating to your interactions with our Site, including the operating system, browser, country, IP address, date and time of visit, pages visited and other activities on the Site, and whether you visit our Site through a mobile device or PC.
The provision of personal data is sometimes required by law and at other times is a result of a contractual requirement. You may be required to provide personal data, for example in a case where we sign a contract with you, including in connection with NRF membership or your contractual commitment as a speaker or exhibitor, and the non-provision of personal data could, in certain circumstances, prevent a transaction from concluding.
Processing of Personal Data
We process your personal data for the following purposes:
- To organize events, including to promote events and send communications regarding event registration and participation;
- To facilitate attendance at events, including engaging speakers and exhibitors, or helping to provide housing and other event services;
- For membership purposes, such as to provide information related to your employer’s membership or account;
- To provide communications to which you subscribe or are relevant to you;
- To publish data on job boards;
- To administer testing;
- To promote NRF and NRF Foundation services;
- To deliver publications;
- To respond to your inquiries;
- For fundraising purposes, including to process financial donations;
- For business purposes, such as analytics, research, marketing, recruitment, and operational purposes;
- To comply with the law; and/or
- As otherwise disclosed at the time personal data is collected.
We do not use automatic decision-making or engage in profiling.
Where we intend to use or otherwise process your personal data for a purpose other than the purpose for which it was collected, we will provide you with information regarding the purpose for the processing, as well as other relevant information, prior to processing your personal data for the new purpose.
Lawful Basis for Processing
On certain occasions, we process your personal data when it is necessary for the performance of a contract to which you are a party, such as to provide services or payment to you. We may also process your personal data to respond to your inquiries concerning our services.
On other occasions, we process your personal data where required by law. We may also process your personal data if necessary to protect your interests or the interests of a third party.
Additionally, we process your personal data when necessary to do so for direct marketing purposes, to help operate our Site or other online properties, and to provide membership benefits and these interests are not overridden by your data protection rights.
If the processing of personal data is necessary and there is no statutory basis for such processing, we will generally endeavor to ensure that consent has been obtained from you. You have the right to withdraw your consent to processing of personal data at any time.
If you wish to exercise the right to withdraw consent, contact National Retail Federation at GDPR.Request@nrf.com.
Sharing of Personal Data
In addition to receiving personal data from you, NRF receives personal data from its members and partners. We share personal data we collect with the following third parties:
- With third parties that perform services on our behalf, including data storage providers, technology vendors, email service providers, marketing and advertising providers, and service providers used to assist with our events and activities;
- With other NRF members, including through committees and forums used to connect members such as NRF Connect and the job board;
- With exhibitors and sponsors of our events regarding their attendance or participation in our events;
- With your consent; and/or
- As otherwise disclosed at the time of data collection or sharing.
You have a right to the following:
- To request access to the personal data we hold about you;
- To request that we rectify or erase your personal data;
- To request that we restrict or block the processing of your personal data;
- Under certain circumstances, to receive personal data about you that we store and transmit to another without hindrance from us, including requesting that we provide your personal data directly to another, i.e., a right to data portability; and
- Where we previously obtained your consent, to withdraw consent to processing your personal data.
All requests will be dealt with at the earliest opportunity. To exercise these rights, contact us at GDPR.Request@nrf.com. See the “Contact” section. Please be aware that we may be unable to afford these rights to you under certain circumstances, such as if we are legally prevented from doing so.
Additionally, you have the right to lodge a complaint against us. To do so, contact the supervisory authority in your country of residence.
International Transfers of Personal Data
Please be aware that the personal data we collect may be transferred to and maintained on servers or databases located outside your state, province, country, or other jurisdiction, where the privacy laws may not be as protective as those in your location. If you are located outside of the United States, please be advised that we process and store personal data in the United States. NRF may transfer personal data pursuant to your consent or when it is necessary for the fulfillment of a contract or the initiation of a contract. In other cases, NRF relies on third parties who have self-certified to the EU-U.S. Privacy Shield Framework or who have executed standard contractual clauses.
We will process and store your personal data only for the period necessary to achieve the business and/or legal purposes of the storage (such as for tax reporting and recordkeeping), or as permitted by law. The criteria used to determine the period of storage of personal data is the respective statutory retention period or the time necessary to achieve the business purposes for which the personal data was collected. After expiration of that period, the corresponding data is routinely deleted, as long as it is no longer necessary for the fulfillment of a contract or the initiation of a contract.
If you have questions, comments or concerns about this privacy notice, please contact us, in our role as data controller, at:
National Retail Federation
1101 New York Ave NW
Washington, DC 20005
Email: National Retail Federation at GDPR.Request@nrf.com
Attention: VP, Associate General Counsel
Changes to this Privacy Notice
If we make any material changes to this Privacy Notice or the way we use, share or collect personal data, we will notify you by revising the “Effective Date” at the top of this Privacy Notice. Any changes we make to our Privacy Notice in the future will be posted on this page. Please check back frequently to see any updates or changes to this Privacy Notice.