Chapter Privacy Policy


This Privacy Notice is only for the ISACA Luxembourg Chapter (hereafter ISACA LU) and does not cover the privacy practices of Information Systems Audit and Control Association Inc (hereafter “ISACA Inc”) , which is a separate legal entity that has its own privacy notice at: 

Who are we?

ISACA LU is an independent chapter and affiliate of ISACA Inc, engaged in the promotion of the education of its members for the improvement and development of their capabilities relating to the auditing of, management consulting in, or direct management of the fields of IT governance, IS audit, security, control and assurance.

Our data privacy representatives can be contacted directly at

What Personal Data We Collect And Legal Basis For Processing

Personal data we collect from/process on you

Personal data type Source
Membership details (ISACA number, name, email, dates of exam passed exams, payment status, certification status, etc) ISACA Inc
Event registration details including name and membership number (member/non-member/affiliate of ISACA LU) ISACA LU and Partner Event Registration
Name, personal contact details, query information Queries from members/non members

Personal data shared by ISACA International

Personal information received from ISACA Inc is used by ISACA LU to meet its objective as an affiliate and provide membership services to its members. Your personal data is used to provide the following services:

  • Maintain your record of registration for attending ISACA LU events and share it with event venue host/provider to print and issue attendee badges for security, health and safety.
  • Keep you informed of future ISACA LU and partner educational events (including events, certification courses, etc.)
  • Send you Newsletter and track the IP address to the demographic analysis of the geographical location of constituents. 
  • Contact you to participate in the relevant surveys and research initiatives supported by ISACA LU.
  • Contact you to participate in ISACA LU Annual General Meeting (applicable to fully paid up members of ISACA International and ISACA LU).

Personal Data shared with SECURITYMADEIN.LU

For the execution of its operations, ISACAL LU works with SECURITYMADEIN.LU which hosts data within their data centres located in Luxembourg. Data shared or processed on behalf of ISACA LU includes meeting minutes from board meetings and limited billing data (name, email, address, ISACA membership number, company name) for trainings or no-show fee’s (for in-person events). For more information on how this partner processes your personal information, please consult their privacy policy.

Personal Data collected by Cvent

ISACA LU only collects the registration information that you provide when you register to attend ISACA LU in-person and on-line educational events.

This event registration information is used by ISACA LU and its service providers and venue hosts to provide services including:

  • Issue event ticket,
  • authenticate on arrival / on-line registration,
  • provide with a name badge,
  • record evidence of entry and attendance to the event to ensure compliance with CPE, security, health and safety requirements.

If you are an ISACA member, your name, ISACA membership number and duration of attendance to the event might be passed on to ISACA Inc to update your central CPE records. For audit purposes, the information collected during this registration will be retained by ISACA LU for a maximum of five (5) years.

If you are not an ISACA member, your registration data collected by the ISACA LU will be erased within one (1) year of the event.

If you are a member of a partner organisation, by virtue of which you are entitled to attend an ISACA event free of charge, we may pass on your event registration details to the participating Partner organisation.

For any queries on how Cvent processes or use your personal information please consult the Cvent Privacy Policy (Privacy Policy).

Partners holding an event that you attended

If you are a member of ISACA LU attending our partner events, participating partner may share your registration details, including ISACA Membership number, which we in turn might pass on to ISACA Inc to update your central CPE records. For audit purposes, the information collected during this registration will be retained by the ISACA LU for a maximum of five (5) years.

Our legal basis for processing the personal data

Due to ISACA LU’s affiliation with ISACA Inc, we are legally required to process member (subjects) data to provide membership services under its by-laws (affiliation agreement) with ISACA Inc. ISACA Inc is responsible for managing the consent directly. Please note that if you are a fully paid up member of ISACA Inc and/or ISACA LU then please contact ISACA International to withdraw your consent for processing of personal data by ISACA LU. You can withdraw consent directly by using the ISACA Inc Data Subject Access Portal.

Any legal obligation that ISACA LU is required to meet under Luxembourgish legislation;

You can choose to ‘opt out’ of email communications by clicking the ‘unsubscribe’ link at the bottom of our emails communication.

If you wish to change your contact details or preferences please contact ISACA International.


ISACA LU employs a risk based variety of technical and organisational measures to keep personal data safe and to prevent unauthorised access to, or use or disclosure of it.

ISACA LU respect your personal data and will never sell your personal data to third parties.

International Transfers

ISACA LU may use service providers or partners who are based in non-EU countries. In such cases ISACA LU will inform members and ISACA International list of sub-processors based in non-EU countries.

ISACA LU currently uses the following named organisations based in third country (non EU) as service providers and share the minimal amount of personal information to provide services to you outlined in previous sections.

3rd country (non EU) / international organisation Method to safeguards your personal data Retrieve a copy of the safeguards in place here:
Cvent Standard Contract Clauses Cvent Standard Contract Clauses
Google Inc. Model Contract Clauses Google Model Contract Clauses
Mailchimp Standard Contract Clauses Mailchimp Privacy Policy TRUSTe
GoToMeetings (LogMeIn) Standard Contract Clauses LogMeIn Standard Contract Clauses
Zoom Standard Contract Clauses Zoom Standard Contractual Clauses
Other Chapters for joint events Specific chapter privacy policy Varies based on partner chapter.

Retention Period

ISACA LU will continue to process personal data of members whilst they are fully paid up members of ISACA Inc and ISACA LU.

For information collected as part of event registration (via Cvent) process data for up to one (1) year and will store the personal data for up to five (5) years. We remove most information provided to us by members as soon as memberships are ceased, and data will cycle out of long-term backups up to six months later. We store logs of outbound emails for up to twelve (12) months after the email is sent for the purposes of handling abuse complaints and compliance monitoring.

We will continue to store limited information about our members (including transaction records and events “no show” billing) for ten (10) years plus the current calendar year for accounting, audit, record keeping and administrative purposes.

If we consider there is a need to store records for longer (for example, the transaction has been the subject of a dispute or claim) then we will retain the data for as long as is necessary.

Your Right As A Data Subject

You have a number of rights in relation to your personal information under data protection laws. In relation to certain rights, we may ask you for information to confirm your identity and, where applicable, to help us search for your personal information. Except in rare cases, we will respond to you within 30 days after we have received your request. At any point while we are in possession of or processing your personal data, you, the data subject, have the following rights:

  • Right of access – you have the right to request a copy of the information that we hold about you.
  • Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete. 
  • Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
  • Right to restrict processing – where certain conditions apply to have a right to restrict the processing.
  • Right of portability – you have the right to have the data we hold about you transferred to another organisation.
  • Right to object – you have the right to object to certain types of processing such as direct marketing.
  • Right to object to automated processing, including profiling. You also have the right to be subject to the legal effects of automated processing or profiling.
  • Right to judicial review: in the event that ISACA LU refuses your request under rights of access, we will provide you with a reason as to why. You have the right to complain as outlined in section below.

All of the above requests will be forwarded on should there be a third party involved in the processing of your personal data.

Please note that since most of your personal data is shared to ISACA LU by ISACA Inc, we would suggest that you raise as well your queries with ISACA Inc to exercise your subject rights.

Modifications To This Privacy Notice

We keep our privacy notice under regular review. From time to time, ISACA LU may need to update or modify this Privacy Notice, to reflect changes in our business practices, data collection practices or organization. We reserve the right to amend this Privacy Notice at any time, for any reason, without notice to you, other than the posting of the amended Privacy Notice on the Sites, or, if you have provided your email address to us, sending you an email notifying you of the amended Privacy Notice.

Questions or Concerns

If you have any questions or concerns about this Privacy Notice, please contact ISACA’s LU privacy team at: 

Complaining to the Luxembourg Data Protection Regulator

You have the right to complain to the “Commission Nationale pour la Protection de Données” (CNPD) if you are concerned about the way we have processed your personal information. Please visit the CNPD website for further details.