Personal information - your customers trust you!
Your customers and participants trust you with their personal information in order to receive great experiences, whether it is a small meeting, a company kickoff or a large conference. With the General Data Protection Regulation (GDPR) which came into force on May 25, 2018, the goal is to give each individual more control of their own personal information. Be sure that we are taking processing of personal information extremely seriously, and we want to offer tips on how you can do it too. You should not rely on this document for your GDPR compliance, but confer with legal counsel to make sure your usage of Qondor is GDPR compliant. Anyways, here are some important points you need to consider.
All links in this document points to a neat online version created by Intersoft Consulting for readability: https://gdpr-info.eu/.
The actual official EU page conserning GDPR can be found at http://eur-lex.europa.eu. (where it is translated to multiple languages).
Data Processing Agreement
Your company needs to have a Data Processing Agreement with us. The Data Processing Agreement describes how we process personal information as data processors, and how our relation with you (the data controllers) are.
What is considered personal information?
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
So, all information collected on participants in Qondor is considered personal information.
Information to participants
Be sure to inform all participants how you use their personal information, how long you will be using it and who you will share the information with upon registration. Be sure to read GDPR Article 13 and Article 14 about the information required to your participants. It is also important to consider which information should be visible on booking confirmations.
Many project managers are sending participants lists in unprotected Excel spreadsheets to suppliers. Spreadsheets with attendee information will not explicitly be forbidden after GDPR comes into effect, but it will be much harder to:
track every copy of each list, who has access to it and where it is stored
ensure that the personal data is deleted after the project is over
ensure that all lists have updated and accurate personal information (Article 5)
enforce data limitation, one master list to all suppliers will probably include too much information on each one
We have added functionality for secure attendee list sharing, which is explained here.
Legal basis for processing personal information
You need a legal basis for processing personal information, which can be
necessary for the performance of a contract with your customer (i.e. you are selling a conference ticket or receiving a name list for flight information)
based on attendees' explicit consent. Be aware that participants' consent may be withdrawn at any time, and if withdrawn you need to stop processing their data. Read more on Article 7.
Any other legal basis expressed in Article 6 (Lawfulness of processing).
It is important that you do not collect personal information that you do not need from the attendees (Article 5).
Invitations and import of attendees
When you are importing participants in Qondor (for invitations or name reporting), be aware that you may be a data processor to your customer and not a data controller. Be sure to include information on how invited participants can unsubscribe to the invitation if applicable.
How long do you need to store the personal information?
Consider the scenarios for how long you need to store the data. Before May 25, 2018, Qondor introduced retention policy settings for automatic anonymisation of participant's personal data on closed projects.
We have increased security options for users, and we never give out account information nor do we provide users with passwords.
Access / Portability
All information on a participant can be exported to a machine readable format (Excel). All prior versions of bookings are available as PDF documents, and you are able to extract a transaction overview in case of payments. Use 'Participant search' on your homepage to find participants. Read more on Access in Arcticle 15 and on Portability in Article 20.
Participants can either modify their own personal information or a Project Manager may do it upon request. For Customer/Supplier contact persons a Project Manager can modify their information from the Customer/Supplier sections in Qondor by search on contact persons.
Right to be forgotten
According to Article 17 a data subject has the right to be forgotten. If you need to completely erase a data subject in Qondor, you need to email the request to firstname.lastname@example.org. As erasure of data is a one way street, we need to make sure that the request is from an office admin role or above.