Privacy Policy

European Stroke Organisation (ESO)

Master privacy policy scope: eso-stroke.org and linked ESO digital services

We are pleased that you are visiting our website. The protection and security of your personal information when using our website is very important to us. We would therefore like to inform you which of your personal data we collect when you visit our website, for what purposes it is used, on which legal basis it is processed and what rights you have.

This privacy policy applies to the websites and digital services operated by or on behalf of the European Stroke Organisation (ESO), including eso-stroke.org, the podcast area, ESO membership and account services, ESO conference/event registration flows, eSTEP learning platform access, HotelMap hotel booking links and ESO Certification services, unless a separate privacy notice is provided for a specific service or platform.

Scope of this privacy policy and linked ESO digital services

ESO operates and links to several digital services. To avoid fragmented privacy information, this policy is intended to act as the master privacy notice for the ESO digital ecosystem where ESO determines the purposes and means of processing, or where ESO provides the relevant service via processors or instructed service providers.

This policy currently covers or references the following areas:

• eso-stroke.org, including the main website, contact page, membership pages, newsletter links, events calendar and general website content;
• eso-stroke.org/podcast and embedded podcast functionality, including Libsyn where used;
• ESO membership and personal account services, including booking.congrex.com and My ESO/profile.congrex.com where used for account creation, membership administration or event registration;
• ESO conference, meeting and event registration flows using the same or connected Congrex account infrastructure;
• ESO conference abstract submission, reviewer management and scientific programme workflows where conducted through connected ESO/Congrex conference systems;
• HotelMap hotel booking links or booking interfaces offered in connection with ESO conferences or events;
• ESO Stroke Education Platform (eSTEP), including TalentLMS-related ESO learning platform pages and OpenID Connect login using ESO credentials;
• ESO Certification, including eso-certification.org, certification applications, login/registration areas and the European Certification Database, where ESO is responsible for the processing;
• other ESO-related domains or projects such StrokeInsights, as an ESO service provided within the ESO website environment.
• Where a linked platform is operated by an independent third-party controller, the third party’s own privacy information applies in addition.

Who is responsible and how do I contact you?

Controller

Responsible for the processing of personal data within the meaning of the Swiss Federal Act on Data Protection (FADP) and, where applicable, the EU General Data Protection Regulation (GDPR):

European Stroke Organisation

Reinacherstrasse 131
CH-4053 Basel
Switzerland

Phone: +41 61 686 77 77
E-mail: esoinfo@eso-stroke.org

What is this about?

This privacy policy fulfils our transparency duties under the Swiss FADP and, where applicable, under the GDPR. Personal data means all information relating to an identified or identifiable natural person, for example your name, address, telephone number, date of birth, e-mail address, IP address, device information or user behaviour when visiting a website.

Processing means any operation in connection with personal data, such as collection, storage, use, transmission, disclosure, deletion or anonymisation. Within the scope of the GDPR, each processing activity requires a legal basis and a defined purpose.

We delete personal data as soon as the purpose of the processing has been achieved and no statutory retention period, contractual obligation or legitimate interest requires further storage. Specific retention periods or criteria are described in the relevant processing sections below.

Data collection on our website – summary

Cookies and similar technologies

Our website uses cookies and similar technologies such as local storage or session storage. Some are technically necessary to operate the website and store your cookie preferences. Others are used for analytics, marketing, embedded media, social media functions or advertising measurement. Non-essential cookies are only activated if you have given your consent in the cookie banner.

Server log files

When you visit our website, technical information is automatically transmitted by your browser and temporarily processed in server log files. This may include your IP address, date and time of access, requested file or URL, referrer URL, browser type and version, host name of the accessing device and, where applicable, operating system and access provider. This processing is necessary for website delivery, security, troubleshooting and system stability.

Contact form

If you contact us via the contact form, we process the data entered into the form in order to respond to your request and handle any follow-up communication. The active contact form collects first name, surname/name, e-mail address, your message and, optionally, your phone number.

Newsletter and alerts

If you subscribe to newsletters or updates via links on our website, you may be redirected to an external Mailchimp/list-manage.com form. The exact data requested and consent wording are shown in the respective subscription process.

Membership, account and event registration

If you create an ESO membership account, access My ESO, register for an ESO conference or use related account functions, personal account, membership, booking, payment, invoice and participation data may be processed via Congrex-operated or Congrex-supported systems.

Learning, certification and hotel booking services

If you access eSTEP, apply for ESO Certification or use HotelMap, additional processing takes place in the respective platform context. These services are described in dedicated sections below.

Who receives my data?

We only disclose personal data to third parties if this is necessary for the stated purposes, legally permitted and covered by an appropriate legal basis. Recipients may include technical service providers, hosting providers, web agencies, consent management providers, communication service providers, learning platform provider, analytics and marketing providers, embedded media providers, registration and booking platform providers, payment service providers, legal advisers, auditors, authorities or courts where required by law.

Where service providers process personal data on our behalf, they act as processors and must process the data only according to our instructions. Where external providers act as independent controllers, their own privacy information applies in addition.

If personal data is disclosed to countries outside Switzerland, the EU/EEA or another country with an adequate level of data protection, we rely on appropriate safeguards where required, such as standard contractual clauses, adequacy decisions, recognised data protection frameworks or your explicit consent.

Do you use cookies?

Yes. We use the consent management tool CCM19 provided by Papoo Software & Media GmbH to manage cookie and tracking preferences. The tool stores your consent status locally so that your selection can be respected on future visits. According to the technical review, non-essential cookies are blocked before consent.

You can change or withdraw your consent at any time with effect for the future via the cookie settings on our website. You can also configure your browser to reject cookies or delete cookies automatically. Disabling cookies may restrict some website functions.

Detailed and up-to-date cookie information is provided in the cookie settings / Cookie Notice of this website or on the consent manager of the website.

What rights do I have?

As a data subject, you have the following rights, subject to the legal requirements and limitations under the Swiss FADP and, where applicable, the GDPR:

• Access to information about the personal data stored about you and to meaningful information on the details of the processing;
• Correction of inaccurate or incomplete personal data;
• Deletion of personal data, unless processing is still required for legal, contractual or legitimate reasons;
• Restriction of processing, where the legal requirements are met;
• Data portability, insofar as the processing is based on consent or contract and carried out by automated means;
• Objection to processing based on public interest or legitimate interests, including objection to direct marketing;
• Withdrawal of consent with effect for the future, where processing is based on consent;
• Complaint to a competent data protection supervisory authority. In Switzerland, you may contact the Federal Data Protection and Information Commissioner (FDPIC). Under the GDPR, you may generally contact the supervisory authority of your habitual residence, workplace or the place of the alleged infringement.

How will my data be processed in detail?

In the following sections we inform you about the individual processing operations, their scope and purpose, the legal basis, the obligation to provide data and the respective retention period. Automated decision-making, including profiling with legal or similarly significant effects, does not take place..

Provision of the website and hosting

Type and scope of processing

Our website is operated using the open-source content management system WordPress. The website is hosted and technically operated using external hosting and infrastructure service providers. The hosting environment may be adjusted from time to time in order to ensure secure, stable and reliable operation of the website. No CDN is currently used.

When you visit the website, your browser automatically transmits technical data to the webserver. This may include your IP address, date and time of access, requested URL, referrer URL, browser type and version, host name of the accessing device and, where applicable, operating system and access provider. This data may be stored in server log files.

Server log data is processed for the technical delivery of the website, system security, troubleshooting, prevention of misuse and ensuring stable operation.

Purpose and legal basis

The processing is necessary to make the website available, ensure secure and stable operation, troubleshoot errors, prevent misuse and support technical maintenance. The legal basis is our legitimate interest under Art. 6(1)(f) GDPR. Where processing is required to fulfil statutory obligations, Art. 6(1)(c) GDPR may also apply.

Storage period

Server log data (including IP address, requested URL, date/time and user-agent) is stored only for as long as necessary for technical operations and IT-security purposes; as a rule, access logs are retained for a maximum of 30 days, after which they are deleted or anonymised, unless longer storage is required to investigate a specific security incident or to fulfil a legal obligation.

Website maintenance and WordPress backend access

The website is technically maintained by an external web agency, Büro Bayer. WordPress updates are carried out by the web agency. The WordPress backend uses username/e-mail and password authentication. Backend access may allow authorised users to maintain website content and settings. According to the technical review, no general admin activity log is available, but content changes are recorded with the username and date of modification. Access is restricted to authorised users and should be reviewed periodically.

The legal basis for this processing is our legitimate interest in maintaining a secure, functional and up-to-date website pursuant to Art. 6(1)(f) GDPR.

Consent management with CCM19

We use CCM19, provided by Papoo Software & Media GmbH, to manage cookie and tracking preferences. CCM19 processes technical information such as the date and time of page access, a random ID and your consent status. The consent information is stored locally for approximately one year. Processing takes place in Germany according to the technical review.

The legal basis is our legitimate interest in documenting and respecting cookie preferences and, where required, fulfilling consent-related obligations under Art. 6(1)(c) and Art. 6(1)(f) GDPR. Consent to non-essential services is based on Art. 6(1)(a) GDPR.

Contact form

Type and scope of processing

You may contact us using the contact form at https://eso-stroke.org/contact/. The form is provided via the self-hosted WordPress plugin Contact Form 7. The following data is collected: first name, surname/name, e-mail address, message and, optionally, phone number. The message field is a free text field. The contact form uses a local math captcha to protect against spam. The captcha is processed on the webserver and does not require transmission to an external CAPTCHA provider. The submitted form data is sent by e-mail to esoinfo@eso-stroke.org. According to the technical review, the form itself does not store submissions in the WordPress backend.

Please note that the WordPress SMTP plugin used for sending e-mails may store local e-mail logs. According to the technical review, Post SMTP can store the last 250 e-mail log entries locally, including sender e-mail, recipient e-mail, subject, headers and content. Post SMTP is configured to retain at most the last 50 outgoing email log entries, which are automatically rotated. Logs are accessible only to authorised website administrators and are used solely for troubleshooting delivery problems.

Purpose and legal basis

The data is processed to receive, handle, and answer your request. The legal basis is our legitimate interest in effective communication pursuant to Art. 6(1)(f) GDPR. If your request relates to a contract or pre-contractual measures, processing may additionally be based on Art. 6(1)(b) GDPR.

Storage period

Contact requests are stored for as long as necessary to process and document the request, unless statutory retention obligations or legal claims require longer storage. E-mail log retention is limited according to the configured SMTP log settings.

Voting forms and surveys, where active

The technical review identified an inactive form called “ESJ Visual Abstracts Vote” at https://eso-stroke.org/esj-visual-abstracts-vote/. The form is intended for user voting and collects ratings through radio buttons. No names, contact details, free text or attachments are intended to be collected. If such forms are activated, the votes may be stored on the WordPress webserver and exported manually for evaluation.

The legal basis for processing non-personal or anonymous ratings does not fall under data protection law. If personal data is processed in connection with a voting or survey form, the legal basis is our legitimate interest in conducting the respective vote or survey pursuant to Art. 6(1)(f) GDPR, unless consent or another legal basis is required. The retention period for active voting forms must be defined before activation.

Newsletter subscription via Mailchimp / list-manage.com

Our website may link to newsletter subscription forms hosted via list-manage.com, a domain used by Mailchimp. Mailchimp is operated by The Rocket Science Group LLC, an Intuit company, USA. When you subscribe to a newsletter, the data requested in the subscription form, usually your e-mail address and any optional information provided, is processed for the purpose of sending newsletters and managing subscriptions.

The processing is based on your consent pursuant to Art. 6(1)(a) GDPR. You may withdraw your consent at any time with effect for the future by using the unsubscribe link in the newsletter or by contacting us. Mailchimp may process data in the USA or other countries where it or its sub processors operate.

Subscription data is stored until you withdraw your consent or unsubscribe, unless longer retention is required to document consent or comply with legal obligations. Subscriptions follow a double opt-in process: after entering your e-mail address, you receive a confirmation e-mail with a verification link. Subscription only becomes effective once you confirm. The consent of wording, time stamp, and IP address are documented in Mailchimp for the purpose of demonstrating consent.

ESO membership and personal account (booking.congrex.com / My ESO)

Type and scope of processing

If you apply for ESO membership or create a personal account via the membership area of the website, you are redirected to the Congrex booking and account platform, for example booking.congrex.com. Existing members may also access their account via My ESO/profile.congrex.com. The account is password-protected and may be used for ESO membership administration as well as, where applicable, for later conference or event registrations.

Upon registration, you receive access to a personal account. Depending on the functions used, this account may include, among other things:

• your personal information and contact details;
• membership status, membership category and membership history;
• documents or confirmations related to your membership or bookings;
• events, favourites, discussions or similar account-based functions, where available;
• booking, invoice and payment-related information;
• communication preferences, including newsletter or alert preferences, where selected.

Certain mandatory information is required to create and manage the account. This generally includes your e-mail address, first and last name, and a password of your choice. Depending on the membership category, reduction eligibility or services selected, we may also process additional information such as country of residence, professional role, organisation/institution, affiliation with a national or organisational member, year or date of birth, fellow status, AHP/nurse status, WSO joint membership selection, and any supporting information that is necessary to verify the selected membership category or reduction.

The registration process follows a double opt-in procedure. After submitting your details, you receive an e-mail asking you to confirm your registration by clicking on a verification link. The account is activated only after successful confirmation.

Please ensure that you use a valid e-mail address that you can access during the relevant membership period, conference or event, as the same e-mail address may be required to log in to ESO services or event platforms.

Purpose and legal basis

We process this data to create and manage your personal account, administer your ESO membership, verify membership categories and reductions, provide access to member benefits, enable participation in ESO services, events and conferences, process payments and invoices, communicate with you about your membership or bookings, and comply with statutory retention and accounting obligations.

The legal basis is Art. 6(1)(b) GDPR for the establishment and performance of the membership or event participation contract, Art. 6(1)(c) GDPR where processing is necessary to comply with legal obligations, and Art. 6(1)(f) GDPR for our legitimate interest in secure account management, fraud prevention, documentation and smooth operation of ESO membership and event services. Where optional newsletter subscriptions, marketing communications or optional partner memberships are selected, processing is based on your consent pursuant to Art. 6(1)(a) GDPR.

Please avoid submitting sensitive personal data unless this is expressly requested and necessary for the selected membership category, reduction or service. If supporting documents are required, we process them only for the purpose of verification and administration.

Third parties and payment processing

For account creation, membership administration and related bookings, personal data may be processed via Congrex systems and technical service providers involved in operating the account and booking platform. Where payments are processed, the necessary payment or transaction data is transmitted to the selected payment service provider. We do not access or store full payment card details. Please refer to the privacy information of the relevant payment provider for further details.

Where you choose optional services provided by third parties, such as joint membership options or external platforms, the respective provider may act as an independent controller for its own processing activities. In such cases, please also refer to the privacy information of the relevant third-party provider.

Storage period

Your account and membership data are stored for as long as your account or membership remains active and as long as necessary for the purposes described above. Booking, invoice, payment and accounting-related records may be retained for the applicable statutory retention periods. Verification documents, where collected, are retained only for as long as necessary for verification, documentation and legal purposes.

You may delete your account where the respective account settings provide this function. Unless legal retention obligations, contractual documentation needs or legitimate interests prevent deletion, we will delete or anonymise the associated personal data after account deletion. It is your responsibility to back up any information you wish to retain before deleting your account. Once an account is closed, we reserve the right to irreversibly delete stored data.

Conference and event registration using the same account

Where ESO conferences, meetings or educational events require a personal account, the same or a connected Congrex account may be used for registration, authentication and account management. Depending on the event setup, registration may be available for individuals or groups.

Depending on the event and registration category, we may process personal and contact details, professional information, ESO membership status, registration category, selected ticket types, workshops or social events, discount code information, participant-type information, registration responses to event-specific questions, uploaded documents where required for a participant category or reduced rate, visa invitation letter information where requested, badge and certificate information, invoice details, payment status, participation confirmations and any information you voluntarily provide during the registration process.

Where an event offers visa invitation letters, proof uploads, group registration, certificates or other registration-specific functions, the corresponding data is processed only to provide the requested service, verify eligibility, document registration or support secure conference operations.

The purposes are to manage your registration and participation, provide access to on-site, hybrid or digital event services, issue invoices, receipts and confirmations, process payments, answer participant enquiries, create badges and certificates, support visa-related documentation where requested, generate registration statistics, manage on-site registration processes and, where applicable, carry out post-event data exchange required for conference administration.

The legal basis is Art. 6(1)(b) GDPR for event participation and related contractual or pre-contractual measures, Art. 6(1)(c) GDPR for legal retention and accounting obligations, and Art. 6(1)(f) GDPR for secure account administration, fraud prevention, documentation, statistical conference reporting and operational event management.

Depending on the event setup, data may be shared with internal departments, technical platform providers, payment service providers, event partners, accommodation providers, onsite registration teams or authorities where legally required or necessary to provide the requested service. Further event-specific privacy information may be provided during the registration process or on the relevant event platform.

Registration and event-related records are retained for as long as necessary to administer the event, answer follow-up queries, meet legal retention obligations, defend legal claims and document the contractual relationship. Specific retention periods may depend on the event setup and applicable statutory requirements.

*DP note: The ESOC Core PCO contract confirms a broader event-registration scope, including individual and group registration, custom registration questions, participant types, uploads, ticket types, discount codes, certificates, visa invitation letters, payment handling, registration statistics, post-event data exchange and on-site registration processes. Confirm the actual active fields, upload requirements, visa-letter data, post-event data exchange recipients and retention rules per event before final publication.

Abstract submission, review process and scientific programme management

For certain ESO conferences, abstracts and related scientific programme materials may be submitted and administered through dedicated conference systems. This may include regular abstract submission, late-breaking abstract submission and invited-speaker submission processes.

Depending on the role and process, we may process author and co-author identification and contact details, institutional affiliations, abstract titles and content, submission metadata, correspondence with authors, reviewer identification and contact details, reviewer availability and topic preferences, review assignments and review results, notification letters, and information submitted in connection with travel grant or special session requests where those functions are offered.

The purposes of the processing are to receive and administer submissions, organise the scientific review process, communicate with authors and reviewers, support programme selection, prepare publication-related materials, coordinate the final online programme and ensure the secure and orderly operation of the abstract and reviewer process.

The legal basis is Art. 6(1)(b) GDPR insofar as the processing is necessary to administer submissions, participation requests or related conference services, and Art. 6(1)(f) GDPR for our legitimate interest in organising a scientifically robust review and programme process. Where processing is required to comply with legal or accounting obligations, Art. 6(1)(c) GDPR may also apply.

Where an abstract is accepted for presentation, inclusion in conference materials or publication-related processing, the relevant submission terms and conference information provided during the submission process apply in addition.

Abstract, reviewer and programme-related data is retained for as long as necessary to manage the submission, review, programme and publication-related processes, document conference decisions, answer follow-up questions, meet contractual or legal obligations and defend legal claims.

*DP note: Confirm the actual abstract management system(s), exact submission and reviewer fields, publication logic for abstracts/author data, travel grant and special session request fields, reviewer access model, retention periods and whether a separate event-specific privacy notice is required.

ESO Stroke Education Platform (eSTEP)

Type and scope of processing

The ESO Stroke Education Platform (“eSTEP”) is an ESO learning platform for stroke education and professional development. The eSTEP information page on eso-stroke.org links to TalentLMS-related platform pages, including estepplatform.talentlms.com and related catalogue, stroke education, industry corner and institutional corner pages.

Access to eSTEP is generally linked to ESO membership. Users log in using their ESO login details via OpenID Connect. In this context, personal data from your ESO account may be used to authenticate you and provide access to the learning platform.

Depending on your use of eSTEP, the following personal data may be processed:

• personal identification and contact data, such as name and e-mail address;
• ESO membership and account information required to verify access rights;
• login and authentication data, including OpenID Connect-related authentication information;
• learning and usage data, such as accessed courses, viewed content, course progress, completed learning activities, certificates, test results, catalogue searches or similar platform interactions, where these functions are used;
• technical data, such as IP address, browser information, device data, access times and log data.

Purpose and legal basis

The purpose of the processing is to provide ESO members with access to educational content, manage user authentication, enable the use of learning materials, document completed educational activities where applicable, improve the educational offering, provide technical support and ensure the secure operation of the platform.

The legal basis is Art. 6(1)(b) GDPR insofar as the processing is necessary to provide membership-related educational services. In addition, processing may be based on Art. 6(1)(f) GDPR, based on our legitimate interest in providing secure access to educational content, managing the platform and improving the user experience. Where optional features, analytics, cookies or additional communications require consent, the processing is based on Art. 6(1)(a) GDPR.

Third parties, platform provider and transfers

The eSTEP platform is technically provided through TalentLMS / Epignosis and related platform domains. Personal data may therefore be processed by these providers for platform operation, hosting, user authentication, technical support, security, course delivery and learning management. Where personal data is transferred to countries outside Switzerland, the EU or the EEA, appropriate safeguards must be in place, such as standard contractual clauses, an adequacy mechanism or another recognised transfer mechanism.

Storage period

Personal data processed in connection with eSTEP is stored for as long as your ESO membership, account or platform access remains active and as long as necessary for the purposes described above. Learning records, certificates or completion data may be retained for as long as necessary to document educational activities, provide certificates or meet legal, contractual or legitimate documentation needs.

Events calendar

The website uses the WordPress plugin Events Manager to publish events in the event calendar. According to the technical review, the booking management function is currently not used on the core website, and no user registration or booking data is requested through this plugin.

If booking or registration functions are activated in the future, this privacy policy must be updated before go-live and the processing must be assessed separately.

External event registration, education and other platforms

The ESO website links to several external or related systems used for membership, account management, conference registration, education, certification, hotel booking, newsletters, and other services. These systems may be operated by ESO, Congrex, event partners or third-party providers and may be subject to additional or platform-specific privacy information.

Where ESO determines the purposes and means of processing, this master privacy policy should describe the relevant processing activity. Where a third-party provider acts as an independent controller, that provider’s own privacy information applies in addition.

ESO Certification (eso-certification.org)

Type and scope of processing

ESO Certification is operated under the separate domain eso-certification.org. The certification website includes information on ESO Stroke Unit and Stroke Centre certification, application information, application forms, online certification application, auditor-related functions, login/registration areas and a European Certification Database searchable by city or country.

Depending on the function used, the certification process may involve personal data relating to applicants, institutional contact persons, auditors, login users, correspondence partners and persons involved in the certification process. This may include name, contact details, professional role, institution/organisation, login credentials, application data, uploaded documents, communication content, audit or certification-related information, and technical log data.

The European Certification Database may also display information about certified institutions or centres.

Purpose and legal basis

The purposes of processing are to enable certification applications, manage login and user access, communicate with applicants and auditors, assess certification requirements, document certification decisions, maintain auditor or application records, publish certification information where appropriate, and operate the certification website securely.

The legal basis is Art. 6(1)(b) GDPR where processing is necessary for certification-related contractual or pre-contractual measures, Art. 6(1)(f) GDPR for our legitimate interest in administering and documenting the certification programme, ensuring quality standards in stroke care, operating the certification website securely and maintaining a public certification database where appropriate, and Art. 6(1)(c) GDPR where legal obligations apply. Consent may be required for optional communications, cookies or publication of personal contact details where no other legal basis applies.

Storage period

Certification-related data is stored for as long as necessary to handle the application, perform the certification process, document the certification decision, manage re-certification or audit cycles, defend legal claims and comply with retention obligations. Public database entries are stored for as long as the certification status remains valid or publication remains necessary for the stated purpose.

Stroke Insights (strokeinsights.org)

StrokeInsights is an ESO service provided within the ESO website environment. The service is used to publish ESO-related educational, scientific or communication content.

When you access StrokeInsights pages, technical data may be processed to provide the website, ensure secure and stable operation, display content and embedded media, and measure website usage where you have given consent.

Depending on the content provided, StrokeInsights may use cookies, analytics and embedded media services, such as Google Analytics, Google Tag Manager, Google Ads Conversion Tracking, Meta Pixel, YouTube or Vimeo. Non-essential cookies and tracking technologies are only activated after your consent.

The legal basis for technically necessary processing is our legitimate interest in operating a secure and functional website pursuant to Art. 6(1)(f) GDPR. Analytics, marketing and embedded media services requiring consent are used on the basis of your consent pursuant to Art. 6(1)(a) GDPR.

Accommodation management and HotelMap hotel booking service

For certain ESO conferences or events, accommodation options may be offered through HotelMap or another web-based booking management system connected to the conference accommodation process. The accommodation service may include hotel recommendations, room-block management, booking support, room allocation, booking confirmations, changes or cancellations, payment-related processing, and coordination with hotels.

Where HotelMap is used, HotelMap.com Limited, London, United Kingdom, provides the hotel booking interface. When you open or interact with the booking interface, technical data such as IP address, device and browser information, location data used for hotel-venue distance calculations, and website usage data may be processed by HotelMap.

If you make a hotel booking, the relevant booking flow may involve personal data such as name, e-mail address, phone number, company where provided, stay dates, room preferences, accessibility or other special requirements where voluntarily provided, booking confirmations, changes or cancellations, customer-support correspondence, rooming-list information and payment or invoice-related status information.

The legal basis for providing accommodation access and administering accommodation-related conference services is Art. 6(1)(b) GDPR where processing is necessary for the requested booking or related contractual measures, and Art. 6(1)(f) GDPR for our legitimate interest in offering practical conference accommodation support and ensuring smooth accommodation management. Where cookies or similar technologies are used, the legal basis is your consent pursuant to Art. 6(1)(a) GDPR.

Accommodation-related records are retained for as long as necessary for booking support, reconciliation, reporting, legal retention obligations and the defence of legal claims. Provider-specific retention periods may apply to HotelMap, hotels, and payment providers.

For complete details about how HotelMap handles your data, please see their Privacy Notice.

Social media presences

We maintain presences on social media platforms, including Facebook, Instagram, X, LinkedIn, Bluesky and YouTube, to provide information about ESO, our activities and services, and to communicate with users. If you contact us through social media, we process your username, profile information made publicly available to us, message content, comments and any other information you provide in order to respond to your request.

The legal basis is our legitimate interest in providing communication and information channels pursuant to Art. 6(1)(f) GDPR. If you have given consent to the respective social network, processing by the social network may additionally be based on your consent.

The social networks process personal data independently and may use cookies, pixels and similar technologies for analytics, personalised content and advertising. We only receive aggregated statistics and cannot identify individual users from these statistics. Data subject rights are most effectively exercised directly with the relevant social media provider, although you may also contact us.

Platform	Provider	Privacy information
Facebook / Instagram	Meta Platforms Ireland Limited / Meta Platforms, Inc.	https://www.facebook.com/privacy/policy and https://privacycenter.instagram.com/policy
X	X Internet Unlimited Company / X Corp. / X Switzerland GmbH	https://x.com/en/privacy
LinkedIn	LinkedIn Ireland Unlimited Company / LinkedIn Corporation	https://www.linkedin.com/legal/privacy-policy
YouTube	Google Ireland Limited / Google LLC	https://policies.google.com/privacy
Bluesky	Bluesky Social PBC / Bluesky PBLLC	https://bsky.social/about/support/privacy-policy

Changes to this privacy policy

We may update this privacy policy from time to time, for example if the website, services, tools, legal requirements or processing activities change. The version published on the website applies.