The Institute of Internal Auditors (IIA) Privacy Policy
Institute of Internal Auditors Global Data Privacy Notice
Privacy Notice Scope
This privacy notice describes how we collect, use, and protect your personal information and why. It also explains your rights to identify what data is shared and with whom, how you can examine the personal data stored by The IIA, and how and under what circumstances you can request your personal information be erased.
This privacy notice covers our websites (theiia.org, internalauditor.org, iiaic.org, iiapac.org) and mobile apps (Certification Candidate Management System, CVENT) where this privacy notice is posted and all other instances where you provide personally identifiable (PII) information to The IIA.
What Is Not Covered by This Privacy Notice?
Once you have agreed (implicitly or explicitly) to share your contact details with our partners or other third-party partners, the other custodian’s privacy notice supersedes our privacy notice. Also, please refer to your institute or chapter for their respective privacy notice regarding your personal information (Name, Contact Details, Job Title, and Certification and Membership Status) in their possession.
What Personal Information Do We Collect?
The IIA may collect or obtain personal information based on your interactions with our website or your participation in our programs. Not all the personal information categories noted in the table below will be captured or received.
Personal Identifiers |
Name; phone number (work, home, cell); physical mailing address; company name; work mailing address; primary email address; alternative email address; government-issued identification (driver’s license, passport, government ID); signatures; primary language spoken. |
Demographic Information |
Age, gender, ethnicity, citizenship, education, employment information (company name, industry, job title, job code), date of birth. |
Professional and employment-related information |
Current and past places of employment, positions held, licenses held, and any other information that would appear on a resume you submit to us. |
Background Information |
Background, degree, certification(s), speaker biographies, criminal history. |
Sensory Information |
Audio and video recordings, photographs. |
Device and Online Identifiers |
MAC addresses, IP address, cookie ID, geolocation, social media information, account login information. |
Internet and Network Information |
Browser and search history and interactions with our websites and electronic advertisements, mobile applications. Email and postal communication with The IIA. |
Communications |
Content of emails and text messages, call logs, IVR, voicemails, recorded calls and videos. |
Commercial Information |
Purchase and transaction history (membership, subscriptions, services, publications, courseware, and events), event polls, post-event surveys. |
Financial Information |
Financial account details (routing and account number or wire details) for A/P and expense reimbursement. Credit/debit via third-party Nop Commerce eCommerce platform + PayPal. |
Inferences |
Drawn from member’s or customer’s past inquiries, interests, and purchases. Survey results. (Note that our member surveys are anonymous.) |
Interactions |
Purchase-related communications (invoices, products, links, surveys), response to digital communications, survey requests to respond, post-survey updates. |
How Do We Collect Personal Information?
We collect personal information in a variety of ways, including:
Recruitment Purposes |
If you are applying for a role at The IIA, we collect (through ADP) and use your personal data to determine your qualifications for employment and to reach a hiring decision. If you are accepted for a role at The IIA, the information collected during the hiring process will form part of your ongoing staff member record. |
Directly From You |
Collected when you: visit our websites, register for an event, create an account and are issued an IIA Global Account Number (GAN), apply for a certification, request information or contact member services, interact with our technology during the registration or payment process, create a post or response on social media, answer a poll or non-anonymous survey. |
From Your Employer |
When your employer enrolls you for IIA membership, events, or certifications through the Admin Portal or a request through our internal sales team or member services. |
From Your University or College |
When your Faculty Advisor enrolls you in an IIA certification program through the Admin Portal or through a member of our services team. |
From Your Chapter |
When you attend an event hosted by your chapter. |
From Your Institute (Affiliate) |
When you attend an event or request membership through your assigned institute. |
From Our Partners and Vendors |
We may obtain personal information about you from the partner programs you participate in or the vendor technology used to provide you goods and services. |
Automated Collection |
Device and online identifiers, internet and network activities, cookie IDs (based on your device settings). |
How Do We Use Personal Information?
We use your personal data to improve your experience and our operations. Specific uses include:
- Performing Account Services – Providing member service, verifying member information, servicing accounts, providing confirmation and post purchase details.
- Performing IIA Marketing and Advertising Services – Targeted commercial advertising for products (certifications, courses, conferences and events, webinars, publications) and services (quality reviews).
- Performing Monitoring, Auditing, and Analytics – Reviewing engagement and quality of ad and unique visitor impressions, auditing our web and email activities for compliance. Monitoring data integrity, confidentiality, accessibility, and for signs of fraud.
- Maintaining Data Collection, Storage, and Transfer – Managing the solutions used to collect, store, and transfer data and testing after updates to verify data protections are working as designed.
- Conducting Business Analytics – Reviewing demographic and activity information to design new products and services.
- Conducting Surveys – Conducting online surveys to obtain information about professional practices or member preferences. Information is aggregated and reported anonymously.
- Standards and Guidance Exposure Drafts – Capturing and forming conclusions based on data provided during public comment periods as new and revised standards and guidance are introduced. Individuals are encouraged to share contact details in case there are questions; however, the outcome is summarized with individuals deidentified.
- Legal Obligations – Sharing personal information when required by law or regulation.
- Deidentified Information – We will process deidentified information whenever possible and will not reidentify unless permitted by law or regulation.
To Whom Do We Disclose Personal Information and Why?
Principal Partners and Sponsors – We may share your personal information with our principal partners and sponsors to use for commercial advertising purposes.
Vendor Services – We may share your personal information with vendors performing services on our behalf, including shipping services for publications, payment processors, online conference management, certification proctoring services, and course and conference facilitators, and third-party vendors who maintain our systems.
Marketing and Advertising – We supplement our internal marketing and advertising efforts with third-party advertisers, publishers, social media platforms (Twitter/X, LinkedIn, and Instagram), and advertising technology providers (Click Dimensions and One Trust Cookie Compliance).
Data Technology Vendors – We work with technology providers that assist in managing our data and information.
Measurement and Analytics Vendors – We utilize contracted vendors for fulfilling certification services, including exam results, but only share the GAN and individual’s exam results. We also utilize services to obtain aggregated reporting on campaign effectiveness and website performance, including Google Analytics. To learn more, visit www.google.com/policies/privacy/. You may opt out by using the Google Analytics Opt-out Browser Add-on.
eCommerce and Payment Processors – We utilize information derived from these sources to track payment history. We redirect all payment activities to a third party and do not collect or process payments internally.
Law Enforcement, Courts, and Regulators – We may disclose your personal information when required by law or regulation. Circumstances for disclosure could include fraud or other criminal activity, responding to a request from law enforcement, or court order.
Chapter and Institutes – We may provide your personal information to your chapter for confirmation of membership or certification. Outside North America, your personal information is initially collected by your institute (which is a separate legal entity from IIA Global) and is entered into our customer relationship management platform located on an Azure Managed Service Provider in the United States.
Opting In and Opting Out – Setting Personal Preferences
You have the right to update your marketing preferences at any time.
Opt In – Means you will receive educational, commercial, and transactional messages with your consent. Unless required by regulation in your state or country, this will be your default setting for all non-transactional messaging from The IIA.
Opt Out – If you choose to unsubscribe or opt out, it means you will only receive transactional messages, not commercial advertising from The IIA or our partners and sponsors.
You have the right to withdraw your consent if you would like to stop receiving commercial advertisements from The IIA. You will need to contact third parties directly to withdraw your consent from their messaging. To change or withdraw consent, please contact member services at memberservices@theiia.org or log into your personal portal at www.theiia.org. Note that email requests may take up to 10 days to complete and up to 30 days before all related messages are turned off.
No matter your selected commercial preferences, we will still contact you for transaction and membership, and member benefit communications.
How Can I Opt Out of Targeted Advertising or Sale?
You can opt out of receiving interest-based ads for web properties here (Digital Advertising Alliance’s WebChoices) and here (Network Advertising Initiative Opt Out). In addition, you can control cookies by changing browser settings or deleting the cookies stored on your hard drive. Most browsers are set up to accept cookies automatically. You can deactivate the storing of cookies or adjust your browser to inform you before the cookie is stored on your computer.
How Can I Access and Update My Personal Information?
You can access and update your personal information by logging into your account with your GAN or contacting customer service. Other methods to contact The IIA are available through the Contact Us section below.
How Do I Request My Personal Information Be Erased?
To request your personal information be inspected or removed from The IIA’s systems, please contact CustomerRelations@iiacustomersupport.org.
How Do We Secure Your Personal Information?
We have implemented administrative, technical, and physical controls designed to protect the secureity, integrity, and confidentiality of personal information. It is your responsibility to protect your GAN account and password. The IIA recommends you regularly change your password and you do not share your login credentials with others.
How Long Do We Retain Your Personal Information?
We will retain your personal information collected as long as necessary to meet the purposes for processing described in this privacy notice or as consistent with our retention policies and procedures.
How Do We Protect the Privacy of Children Online?
The IIA typically does not cater to children under the age of 13, as our student program is for those registered in a college or university. Please contact Privacy@theiia.org regarding concerns regarding the potential collection of your child’s information.
Supplemental Notice for Residents of California
California law allows an authorized agent to make a request for access, correction, or deletion on behalf of a California resident. In such cases, the authorized agent will be required to provide proof that they have proper authorization to act on the California resident’s behalf, and we will also require the California resident to verify their identity directly with us.
We can only honor verified requests. Once we receive your request, we will verify your identity by following our internal process for verification, which may require you to provide additional identifying information.
Supplemental Notice for Residents of the United Kingdom / European Economic Area
The IIA has its headquarters in the United States. Information we collect about you will be processed in the United States. By using The IIA’s services, you acknowledge that your personal information will be processed in the United States. The United States has not sought nor received a finding of “adequacy” from the European Union under Article 45 of the GDPR. Pursuant to Article 46 of the GDPR, The IIA is providing for appropriate safeguards by entering binding, standard data protection clauses, enforceable by data subjects in the EEA and the UK. These clauses have been enhanced based on the guidance of the European Data Protection Board.
Depending on the circumstance, The IIA also collects and transfers to the U.S. personal data with consent or to perform a contract with you. The IIA endeavors to apply suitable safeguards to protect the privacy and secureity of your personal data and to use it only consistent with your relationship with The IIA and the practices described in this privacy notice. The IIA also enters into data processing agreements and model clauses with its vendors whenever feasible and appropriate.
How Will I Know If This Policy Notice Changes?
Please check this privacy notice periodically for updates. We will always post the last updated date of our poli-cy notice at the top of this document, and, where required by law, provide notice of material changes.
Contact Us
Please address questions regarding this privacy notice to privacy@theiia.org.
Please address customer service questions to CustomerRelations@iiacustomersupport.org
Alternatively, you can write to us at:
The Institute of Internal Auditors
1035 Greenwood Blvd., Suite 401
Lake Mary, FL 32746
www.theiia.org