InfraXmedia (Holdings) Ltd, the parent company of a network of media and events firms, has released a comprehensive update to its Data Protection and Privacy Policy. The new policy, which took effect on April 25, 2025, is designed to align with evolving data protection regulations across the United Kingdom, the European Economic Area, Switzerland, the United States, Canada, and Latin America. The document replaces earlier versions and reinforces the company's commitment to transparency and robust data handling practices.

Scope of the Policy

The policy applies to all entities within the InfraXmedia group, which includes companies operating in the B2B media and events sector. InfraXmedia (Holdings) Ltd, registered in England with company number 14354660 and trading from 32-38 Saffron Hill, London, serves as the lead data controller for the entire group. The policy is binding on all member companies and covers any personal data processed in connection with customer relationships, marketing activities, event registrations, website visits, and employment or contracting arrangements.

Under the updated framework, the company pledges to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, and any subsequent amendments. For operations outside the UK, InfraXmedia also adheres to the EU GDPR and equivalent local laws in jurisdictions such as Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and Brazil's Lei Geral de Proteção de Dados (LGPD). This multi-jurisdictional approach reflects the global nature of InfraXmedia's audience and business partners.

Types of Personal Data Collected

The policy identifies several categories of data subjects and the information collected from each. For customers and business partners, InfraXmedia gathers names, email addresses, phone numbers, job titles, company names, countries, and business addresses. In certain jurisdictions, additional verification may be required, including copies of passports or residence cards. For marketing and events registrants, the company collects contact details alongside preferences and professional interests. Website visitors have their IP addresses, browser types, device information, and cookies recorded, as detailed in a separate Cookie Policy. Employees and contractors submit data relevant to their employment or contractual obligations, with separate internal policies governing that processing.

This data is obtained through online forms, registration pages, subscription portals, and direct interactions at events. The company states that by entering details into any form provided, individuals consent to InfraXmedia using that information to deliver the requested services.

Legal Bases for Processing

InfraXmedia processes personal data under three primary lawful bases: contractual necessity, legitimate interest, and consent. Contractual necessity covers processing required to fulfill obligations such as event attendance, subscription delivery, or service provision. Legitimate interest is used for business activities like marketing, event management, media services, and analytics. The company asserts that it carefully balances its interests against the rights and freedoms of data subjects, ensuring no disproportionate impact occurs.

Consent is employed where legally required, such as for certain marketing communications in jurisdictions that demand opt-in permission. The policy emphasizes that relying on legitimate interest rather than consent places an extra responsibility on InfraXmedia to protect individuals' rights. It guarantees that it will do so through ongoing assessments and internal reviews.

Marketing Communications and Opt-Out

A significant portion of the policy addresses marketing contacts. Under UK GDPR, InfraXmedia can send marketing emails to corporate email addresses of employees at limited companies, public limited companies, incorporated partnerships, trusts, foundations, and public sector institutions without prior consent, provided the processing is based on legitimate interest. The company notes that it must still consider the impact on the data subject and offers a clear opt-out mechanism: an unsubscribe link in every marketing email and an email address for direct requests.

The Telephone Preference Service (TPS) and Mailing Preference Service (MPS) are also referenced. If an individual is registered on either service but subsequently submits personal data via an InfraXmedia website, the company assumes that submission constitutes temporary consent to receive marketing. However, it stresses that individuals may opt out at any time by contacting . This flexibility underscores the company's efforts to balance regulatory compliance with user autonomy.

Data Sharing and International Transfers

InfraXmedia discloses that it may share personal data with other companies within its group, including its holding company and subsidiaries. It will also share data when compelled by law, for crime prevention or detection, or for tax assessment. In the event of a business sale or asset purchase, data may be confidentially disclosed to prospective buyers or sellers.

For events, webinars, and digital downloads, attendee data is shared with sponsoring third parties listed at the time of registration. Speakers who answer questions during digital broadcasts may also receive questioner details. The company maintains a public list of sponsors at its partner page and insists that data is not shared or sold outside these conditions. Partners may be located in regions with different data protection standards. To safeguard data, InfraXmedia employs adequacy decisions from the UK or EU, Standard Contractual Clauses (SCCs), the U.S. Data Privacy Framework (DPF), and separate data protection agreements. This layered approach ensures that even when data crosses borders, it remains protected under equivalent standards.

Rights of Access and Data Retention

Individuals have the right to access their personal data and verify the lawfulness of processing. Subject access requests are free of charge unless they are manifestly unfounded or excessive, in which case a reasonable fee based on administrative costs may be charged, or the request may be refused. Responses are typically provided within one month, extendable to two months for complex requests with an explanation. Incorrect data can be corrected by contacting the data team.

Data is retained only as long as necessary for the purposes for which it was collected. For audit and tax compliance, the policy sets a maximum retention period of six years, longer if legislation demands. When data is no longer needed, it is securely erased or disposed of without delay.

Security and Storage

All personal data is stored on secure servers provided by InfraXmedia's IT system suppliers. The company has implemented technical and organizational measures to prevent unauthorized access, alteration, disclosure, or destruction. Access to internal servers is restricted to specialized IT personnel. Despite these precautions, the company acknowledges that internet transmissions are not completely secure and that users transmit data at their own risk.

Cookies and IP Addresses

The policy briefly mentions that cookies are used to provide a personalized browsing experience. IP addresses, operating systems, and browser types are collected for system administration and aggregate reporting to advertisers. This statistical data does not identify individuals. Users are directed to a separate Cookie Policy for more detailed information about cookie usage and management.

Contact and Complaints

Questions or comments about the policy can be directed to the data team via email or postal mail addressed to the Data Controller at InfraXmedia (Holdings) Ltd, 32-38 Saffron Hill, London EC1N 8FH. Complaints can also be raised with the UK Information Commissioner's Office (ICO) through its helpline, website, or postal address. The ICO's website provides full details on how to make a complaint.

InfraXmedia's updated privacy policy arrives amid heightened regulatory scrutiny in the UK and EU. The ICO has increased enforcement actions against organizations that fail to demonstrate accountability, particularly regarding legitimate interest justifications and international data transfers. By explicitly outlining its reliance on SCCs and the U.S. Data Privacy Framework, InfraXmedia positions itself to withstand potential challenges. The policy also reflects broader industry trends, such as the growing use of behavioral analytics and heatmapping services, which are mentioned as tools to improve user experience. The company states that such services capture de-identified data and that it contractsually prohibits third parties from selling that data. This proactive stance may reassure users concerned about data monetization, while also aligning with the ICO's guidance on transparency in analytics.

Implications for Data Subjects

For individuals who interact with InfraXmedia's brands, the updated policy offers clearer insights into how their information is used and shared. The explicit mention of sponsor data sharing for events and webinars is particularly noteworthy, as it gives attendees the opportunity to make informed decisions before registering. The ability to view the list of sponsors at the time of registration empowers users to choose whether their data will be passed to specific third parties. Similarly, the opt-out process for marketing communications is straightforward, though the reliance on legitimate interest for corporate emails means some users may receive messages without having explicitly signed up. InfraXmedia's commitment to balancing interests and offering an easy unsubscribe method should help mitigate annoyance.

Employees and contractors, who are subject to separate internal policies, are not directly covered by this version, but the policy signals that the company takes data protection seriously across all operations. The emphasis on security measures and breach prevention will likely be welcomed by business partners who entrust InfraXmedia with sensitive information.

Broader Context of Data Protection

The release of this policy comes at a time when data protection authorities worldwide are pushing for greater accountability. The UK government has proposed reforms to the UK GDPR that could alter the balance between legitimate interest and consent, while the EU is implementing the Data Act and revising the ePrivacy Regulation. InfraXmedia's decision to self-certify under the U.S. Data Privacy Framework indicates a forward-looking approach, as the framework's long-term viability remains subject to periodic review. By including references to multiple legal transfer mechanisms, the company protects itself against disruptions should any one mechanism be invalidated by courts, as happened with the previous Privacy Shield.

The policy's structure is consistent with best practices recommended by the ICO, including clear sections on lawful bases, data subject rights, and international transfers. It avoids overly complex legal jargon, making it accessible to a general audience while still satisfying regulatory requirements. The inclusion of specific examples, such as image management at events and session replay analytics, helps users understand practical applications of the principles.

Overall, InfraXmedia's updated Data Protection and Privacy Policy represents a thorough and transparent effort to comply with multiple legal frameworks while accommodating the needs of a global business. Users who review it will gain a solid understanding of their rights and the company's obligations. The policy is effective immediately and supersedes all previous versions. InfraXmedia recommends that users revisit this page whenever they submit personal information to any of its websites, as future updates may occur with or without prior notice.

Source: Datacenterdynamics News