ExhibitCast is a web-based, virtual exhibit experience provided by Catalyst Exhibits. Catalyst Exhibits designs, builds and maintains these web-based experiences for many of our client organizations. For some clients, our work entails processing data collected by our clients’ ExhibitCast websites (eg via form submissions, cookies and analytics).
You may have been given a link to this page from one of our client’s ExhibitCast webpages as part of their compliance with the General Data Protection Regulation (GDPR), which requires them to list who processes the data they control. This page provides information about how we process that data, which may include personal data about you. For the purposes of GDPR, we are a Data Processor for our clients, who are the Data Controllers.
We process data on behalf of our clients in order to carry out the work they contract us to do (eg designing, building and maintaining their ExhibitCast webpage).
What personal data is collected, how it is processed, and where it is stored
Under GDPR, organizations are prohibited from transferring personal data outwith the UK, European Economic Area or Switzerland, to third countries and international organizations, except where the European Commission has determined that an adequate level of protections are afforded to individuals. The US government has a certification scheme called Privacy Shield, which provides assurance that such protections are in place.
We host our clients’ websites on servers in the US managed by BlueHost which is registered with Privacy Shield. Backups of data from these websites are stored in encrypted form which is covered by Privacy Shield compliance.
A variety of third-party plugins and analytics services are in use on our clients’ ExhibitCast websites. Some of these collect personal data (eg through cookies). We check the GDPR compliance of these companies and services and make adjustments where necessary to ensure compliance. Depending on client this may or may not include:
Some of our clients’ ExhibitCast websites include contact forms, where website users can submit data to contact our clients and use their services. The data entered by users into these forms is often personal data. In most cases, Catalyst Exhibits will securely pass-through this data without storing or tracking personal information. When necessary, Catalyst Exhibits may assist some clients with submissions directly. In that case, the data held on-site or off-site (on BlueHost servers) is protected against theft by strong encryption.
For comparison, you can view the information about cookies and personal data is collected by our own website.
We identify and delete personal data in our possession which is controlled by our client organizations, when it is no longer needed for the performance of our contract with the client organization.
Personal data for use in a one-off short-term contract (many ExhibitCast websites) is deleted soon after completion of the contract.
When deleting personal data, we take steps to delete all copies beyond reasonable possibility of restoration, including copies on backups. Digital data is deleted securely by overwriting it, and data on paper physically destroyed.
If you wish to make a Subject Access Request about data we process on behalf of one of our client organizations, the request should be addressed to that organization (the Data Controller).
What would happen in the event of a personal data security breach
If we become aware of a personal data breach involving data we process for one of our client organizations, we will notify the client organization without undue delay. As the Data Controller, our client organization is then responsible for following its own data breach procedures and informing the Information Commissioner Office and those affected by the breach where necessary. As a Data Processor, we have a role in assisting our client with the subsequent investigation and remedial work.