The GDPR and Eventix
What is the GDPR and what does it entail?
This new privacy law is implemented by the European Union and will come into force on 25 May 2018. The purpose behind the GDPR is to protect the personal data of visitors even more. Or in other words, it ensures that consumers will gain more control over what is done with their data.
From 25 May 2018, you as organiser must ask explicit permission to request certain data of visitors when the requested data is not directly relevant when organising an event.
In addition, your visitors as a person have more rights with respect to how their personal data is handled. For example, visitors can indicate that they want to collect data about themselves, or that they want to be forgotten by you as an organisation. The latter means that all data about this visitor will be removed or anonymised.
Which measures will Eventix take as a result of the GDPR?
Together with an event organisation, Eventix in charge in the eyes of the GDPR. As ‘controller’ of the personal data, we must, of course, comply with the GDPR. Therefore, there are a few steps that we have taken to ensure that we and you as organiser comply with the new rules.
Processor agreements: as ‘Controller’ we are obliged to have a processor agreement with all parties that help Eventix with offering our ticket service. Here we agree with each other how our partners will deal with the data of ticket buyers.
Registration of processing activities: Pursuant to the GDPR we are obliged to keep a processing register. This register keeps track of, among other things, the personal data, the processing purposes and the recipients of personal data. You can read here which information is exactly included.
Personal data at Eventix
When you create an event with us you come across the header ‘Visitor information’ when you go to tickets. Visitor information means the data we request from your visitors when buying tickets via the ticket shop. These are fields that must be filled in during the ordering process, such as name, email and age. The answers from these visitors are personal data. We have a number of questions you can set by default, but you can also add these manually. (In this manual we will discuss in more detail how you set up visitor information).
Under the GDPR you are no longer allowed to collect information about your visitors without a valid reason. Here you can find which seven reasons justify requesting personal data. It is logical that we ask a visitor for a mail address, but as an organiser you must ask yourself, for example, whether it is necessary to request the residence of your visitor(s). When you request this, but this is not necessary for organising your event, you must ask the visitor for permission to use this data, whereby you indicate why you request this anyway.
What will change for you as an organisation?
As indicated by the above, a few things will change under the GDPR. We want to prevent that you must take drastic measures as a result thereof. As you know automation is one of our priorities. We also pursue this aim in our implementation of the GDPR.
We ensure that general terms and conditions are automatically added to your shop by default as from 25 May. If you have already included your own general terms and conditions with us, we will leave them as they are and nothing will change. When this is not the case, we will organise this for you. The terms and conditions that we impose on the visitor on behalf of your organisation automatically synchronise with the ‘Visitor information’ that is requested in your ticket shop.
We will take care of most things, but there are a few steps that you must take yourself to keep the risk of misuse of personal data as low as possible:
Make sure you have reliable people in your team: Personal data is becoming a fragile subject that you must handle very carefully. Therefore select people from your organisation who you trust 100% when it concerns access to personal data.
Indicate the purpose: Clearly indicate the relevance of data for which it is used. Make it transparent that the data you collect is relevant for a marketing campaign, for example. This also applies to cookies.
Think before you print: It may be that you have an attendance list for your event that is printed. Printing a tangible attendance list increases the risk of losing data and this could end up with people who can use or misuse this. It is more secure to collect this data digitally because you can secure digital files by anonymising or encrypting these with a pin code, for example.
Report a data breach within 72 hours: An accident is always around the corner, for example, a non-encrypted laptop can be stolen from a car. If you detect a data breach, you are obliged to report this to the Dutch Data Protection Authority within 72 hours. We have a document you can use to make a quick and complete notification to the Dutch Data Protection Authority.
If certain things change in future, we'll let you know straight away. If you have any questions or like to give feedback, please contact us via the chat or firstname.lastname@example.org.