Cloud Security Alliance, with registered offices at 151 Ellis Street, Suite #201, Bellingham, WA 98225 USA (the “CSA”), is committed to protecting the privacy of individuals about whom the CSA may receive personal information due to their affiliation with a CSA Corporate Member. This Privacy Policy has been written to help you understand the CSA’s policy regarding your privacy, as well as how your personal information will be handled in connection with the relationship between the CSA and the Corporate Member you are affiliated with.

This Privacy Policy will also provide you with information so that you are able to consent to the processing of your personal data in an explicit and informed manner, where appropriate.

1. Data controller and Data Protection Officer

The CSA, as identified at the start of this Information Notice, is the data controller regarding all personal data processing carried out in connection with Chapters.


To get in touch with the CSA’s Data Protection Officer, please contact:


2. Personal Data processed

In the course of a relationship between the CSA and a Chapter, the CSA will be provided information on individuals affiliated with the Chapter (e.g., contact persons, representatives).

This information may allow those individuals to be identified either by itself, or together with other information which the CSA has access to. Where this is the case, this information may be classified as “Personal Data”.

The Personal Data which may be processed by the CSA, in connection with the Chapter, are your name, job title, professional contact details (e.g., e-mail address, phone number) and other information which you may provide in communications between you and the CSA (such as information included in e-mails exchanged, including your e-mail signature).

The CSA will not collect or process special categories of Personal Data, such as information revealing your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data related to you or data concerning your health, sex life or sexual orientation. If you provide these data to the CSA, then the CSA may process them, based on your explicit consent, to the extent that this is deemed strictly necessary to meet the purposes described below.


3. Personal Data processing purposes

The CSA intends to use your Personal Data for the following purposes:

  • To communicate with your Chapter, in order to manage the contractual relationship between the CSA and the Corporate Member and allow for the provision of services (“Chapter relationship”);

  • For future marketing, promotional and publicity purposes, including to carry out direct marketing, market research and surveys, via e-mail, regarding the CSA’s products and services (“Marketing”);

  • For compliance with laws which impose upon the CSA the collection and/or further processing of certain kinds of Personal Data (“Compliance”).


4. Grounds for processing and mandatory / discretionary nature of processing

The CSA’s legal bases for processing your Personal Data, according to the purposes identified in Section 3, are as follows:

  • Corporate Membership: Processing for these purposes is necessary to provide the services requested by your Corporate Member. Because your Personal Data is used for this purpose on the basis that you have been identified as a contact person and/or representative of a Corporate Member, the CSA has a legitimate interest in processing your Personal Data, in order to meet its contractual obligations and exercise its rights under the agreement entered into with your Corporate Member.

  • Marketing: Processing for these purposes is based on your consent. It is not mandatory for you to give consent to the CSA for use of your Personal Data for these purposes, and you will suffer no consequence if you choose not to give it (aside from not being able to receive further marketing communications from CSA). Any consent given may also be withdrawn at a later stage (please see Section 8 for more information).

  • Compliance: Processing for this purpose is necessary for the CSA to comply with its legal obligations. When you provide any Personal Data to the CSA, the CSA must process it in accordance with the laws applicable to it, which may include retaining and reporting your Personal Data to official authorities for compliance with tax, customs or other legal obligations.


5. Recipients of Personal Data

Your Personal Data may be shared with the following list of persons / entities (“Recipients”):

  • Companies, entities or professional firms engaged by the CSA in order to assist in the provision of services to Corporate Members or the management of contractual relationships with Corporate Members, which typically act as data processors on behalf of the CSA;

  • Persons authorised by the CSA to process Personal Data needed to carry out activities strictly related to interactions with Corporate Members, who have undertaken an obligation of confidentiality or are subject to an appropriate legal obligation of confidentiality (e.g., employees of the CSA);

  • Other companies within the CSA’s Group for internal administrative purposes, including the processing of clients' or employees' Personal Data; and

  • Public entities, bodies or authorities to whom your Personal Data may be disclosed, in accordance with the applicable law or binding orders of those entities, bodies or authorities.


6. Transfer of Personal Data

Considering the CSA’s worldwide presence and business operations, your Personal Data may be transferred to Recipients located in several different countries. The CSA implements appropriate safeguards to ensure the lawfulness and security of these Personal Data transfers, such as by relying on adequacy decisions from the European Commission, standard data protection clauses adopted by the European Commission, or other safeguards or conditions considered adequate to the transfer at hand.

More information on these transfers is available upon written request to the CSA at the following address:

7. Retention of Personal Data

Personal Data processed for Service Provision will be kept by the CSA for the period deemed strictly necessary to fulfill such purposes – in any case, as these Personal Data are processed for the service provision, the CSA may continue to store this Personal Data for a longer period, as may be necessary to protect the CSA’s interests related to potential liability related to the provision of those services.

Personal Data processed for Marketing will be kept by the CSA from the moment you give consent until it is withdrawn. Where it is not withdrawn, consent will be renewed at fixed intervals. Once consent is withdrawn (or not given, following a renewal), Personal Data will no longer be used for these purposes, although it may still be kept by the CSA, in particular as may be necessary to protect the CSA’s interests related to potential liability related to this processing.

Personal Data processed for Compliance will be kept by the CSA for the period required by the specific legal obligation or by the applicable law.

8. Data subjects’ rights

As a data subject, you are entitled to exercise the following rights before the CSA, at any time:

  • Access your Personal Data being processed by the CSA (and/or a copy of that Personal Data), as well as information on the processing of your Personal Data;

  • Correct or update your Personal Data processed by the CSA, where it may be inaccurate or incomplete;

  • Request erasure of your Personal Data being processed by the CSA, where you feel that the processing is unnecessary or otherwise unlawful;

  • Request the restriction of the processing of your Personal Data, where you feel that the Personal Data processed is inaccurate, unnecessary or unlawfully processed, or where you have objected to the processing;

  • Exercise your right to portability: the right to obtain a copy of your Personal Data provided to the CSA, in a structured, commonly used and machine-readable format, as well as the transmission of that Personal Data to another data controller;

  • Withdraw your consent to processing (for Marketing).



To exercise any of the above-mentioned rights, you may send a written request to the CSA at:

You can also withdraw consent for Marketing (for communications received via e-mail) by selecting the appropriate link included at the bottom of every marketing e-mail message received.

In any case, please note that, as a data subject, you are entitled to file a complaint with the competent supervisory authorities for the protection of Personal Data, if you believe that the processing of your Personal Data carried out by the CSA is unlawful.