GDPR

General Data Protection Regulation (GDPR)

Introduction

Besides being compliant when the new General Data Protection Regulation (GDPR) comes into force on May 25, 2018, we believe the new law is a strong resource to protect all EU citizens with regard to their data privacy. Snafflz has therefore been working extensively on features to help our clients who are impacted by this new law, and taking measures to ensure maximum transparency over the way we store and handle data.

As a data controller and data processor, Snafflz has the obligation to process the event attendee information provided by our clients, the event professionals. For instance, when an event professional creates a registration page and collects data from potential guests, this data is stored by us in order to be accessible to the event professional. In this operation, personal data is protected according to the various terms of the GDPR.

How are we protecting your data?

An all-encompassing set of actions was taken in order to ensure compliance with the new regulation, as described in our FAQ. Please take a look at the details and check which scopes concern your event and your guest data. We reaffirm our commitment to security, privacy and transparency and will never sell or transmit any personal data without your consent.

Important: the Frequently Asked Questions were designed to help our clients understand the scope of the GDPR as it concerns their use of the Snafflz application. It is not an official page and does not constitute a warranty or legal representation from us. We recommend that all clients seek professional advice regarding how the GDPR may affect their organization and procedures.

FAQ

What is GDPR?

The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in European Union law on data protection and privacy for all individuals within the European Union. It is intended to harmonize data protection laws throughout the European Union (EU) member states by applying a single binding data protection law. It also addresses the export of personal data outside the EU.

What is the main goal of the new law?

The GDPR aims to give citizens control over the personal information they share with companies online.

What changes with GDPR?

The GDPR regulates how companies approach handling the data of individuals (also named data subjects). We at Snafflz see it as a big step towards privacy as a standard, as companies are now required to obtain personal data only with the informed permission of individuals.

Who does it apply to?

The GDPR affects organizations within the EU and all companies processing and holding personal data of EU data subjects. If you offer goods or services to, or monitor the behavior of, EU data subjects, then you are subject to the GDPR no matter your organization size.

Does it apply to organizations outside the EU?

Yes, if the organizations offer goods or services to individuals in the EU.

What are the roles established by the new regulations?

The GDPR classifies users and data processors in order to clarify and organize roles. These are:
- data subject. The individual person whose personal data(*) is stored, and actually the data itself.
- data controller. The party given the data subject's personal data, who stores it for some reason.
- data processor. The party that might not be in direct contact with the person, but handles and processes the data on behalf of the data controller.

* Personal data is any information relating to an identified or identifiable natural person.

How is Snafflz compliant?

As our event management service involves storing and processing the data of event invitees and attendees for our clients, Snafflz has different roles towards users, as explained in detail below. We have performed extensive reviews to take the necessary steps and create the tools that improve the protection of personal data within and beyond the borders of the European Union.

With regard to our direct clients, we are data controllers because we collect personal information required for sign up and login (name, email, etc.) in order to make the service accessible. We also have a role as a joint data controller, because we handle registration pages, where we collect data of potential event attendees on behalf of our clients through our system. In this case we share the data controller role with our clients. And we are data processors with regard to the guests that are added or imported to guest lists by our clients.

To protect this data,
- we have strengthened our encryption systems and ensured that all third parties we work with are also compliant with the GDPR (you can read more about third party data handling in this FAQ).
- we have added a privacy consent statement to ensure that no potential guest provides information without knowingly agreeing to the terms and privacy policy of our client.

If a client wishes to delete the user account or registrants, we ensure that the most sensitive personal information is permanently erased from our database servers. We never sell or transmit any client data.

What measures have been taken?

- Further encryption of personal data to ensure impeccable security.
- Creation of new tools to enhance transparency and support our clients, such as a privacy consent statement on registration pages so users can confirm that they are aware of the event professional's terms and privacy policy.
- Shorter time between a user's request to delete data and its completion.
- Terms & Privacy Policy update to reflect changes.
- Adjustment of internal processes to answer GDPR-related requests quickly.

Does Snafflz employ third party companies as service providers?

We may employ third party companies and individuals to facilitate our Service, to provide the Service on our behalf, to perform Service-related services and/or to assist us in analyzing how our Service is used. These third parties only perform specific tasks on our behalf and are obligated not to disclose or use your information for any other purpose. These third party services are all compliant with the GDPR and include:

- Chargebee, a subscription billing software, to allow automatically renewed payments.
- Stripe and PayPal as our payment gateways.
- Sendgrid as the email delivery platform.
- Facebook to allow sign ups or logins via the platform.
- Apple to allow sign ups or logins via Apple ID.
- Magex as our server hosting provider.

What do you need to know as a client?

If an event professional requests any personal data from potential or actual event attendees, it is the event professional's responsibility to protect this information. Thus, all Snafflz clients should be compliant with the GDPR, as they act as data controllers of every person sharing information with them via the platform. Snafflz created tools to help our clients be compliant, such as a privacy consent statement on the registration page, as we see it as a priority to support our clients in managing the protection of personal guest data.

I need further details about Snafflz and the GDPR or other data protection issues.

If you have any questions that are not covered in this FAQ, please contact us at support@snafflz.com. We'll be happy to assist.