GDPR
What is GDPR?
The General Data Protection Regulation (“GDPR”) came into effect in Europe on 25 May 2018. GDPR provides citizens of the EU with additional data protection measures, designed to protect individuals’ rights and freedoms. If an organisation collects, transmits, hosts, analyzes or processes the personal data of EU citizens, they are required to comply with GDPR.
When an organisation collects, uses or transfers personal information for its own purposes, that organisation is deemed to be a "controller" of that information and is therefore primarily responsible for meeting the legal requirements under data protection law.
When an organisation processes information on behalf of a third party (for example, Customer data processed by TryBooking on behalf of its Event Organisers), that organisation is deemed to be a "processor" of the information.
Is TryBooking a ‘Controller’ or ‘Processor’?
Under GDPR, TryBooking is considered to be both a Data Controller and a Data Processor. Where Event Organisers create an account with TryBooking, TryBooking becomes a data controller over the personal data the Event Organiser provides in the process of setting up their account. TryBooking will also be the data controller over the personal data provided by Customers, Visitors and Subscribers in the use of TryBooking services.
Event Organisers are also considered to be Data Controllers when collecting information from Customers.
In providing ticketing and registration services to Event Organisers, TryBooking acts as a data processor for a Customer’s personal data. This includes facilitating emails to the Customer on behalf of the Event Organiser, processing payments or providing event reports and tools to Event Organisers to monitor their sales. In this case, the relevant controller of the personal information (i.e., the Event Organiser) will be jointly responsible for meeting the legal requirements.
What is TryBooking doing to comply with GDPR?
TryBooking is committed to complying with GDPR and relevant data protection laws. We have investigated the requirements of GDPR, and are working towards making our products and features compliant before the regulation comes into effect on 25 May 2018. We have also undertaken the commitment to reassess our policies and terms of service to ensure that we comply and can continue providing a high level of service to our Users.
Compliance with GDPR requires a partnership between TryBooking and our Event Organisers in their use of our service. As Event Organisers are also classified as Data Controllers under GDPR, we are providing the tools and guidance in order to help Event Organisers comply with the regulation as well.
Here is a brief summary of the changes we are putting in place before 25 May 2018 to ensure our compliance:
- Improved transparency - we have updated our Privacy Policy, Website Terms of Use, Event Organiser Terms and Conditions and Customer Terms and Conditions to be more transparent and clearly state how and when we use your personal data. We have also updated our Cookie Policy to explain how we create a more personalised experience for both Event Organisers and ticket buyers.
- Tools & features - we have created new tools to allow Customers and Event Organisers to access, request and delete the information TryBooking holds about them. This includes our Edit a Booking feature which allows rectification of data, the Account Deletion tool for Event Organisers, Data Deletion tool for Customers, and the ability for Customers to access the data they provided during bookings. These tools will be available from 25 May 2018.
- Data protection by design and by default - we are ensuring that our services collect, store and process data in ways that prioritise data protection and privacy. Our systems have been reviewed and designed to restrict the amount of personal data collected, reduce the period of data retention to a maximum of 4 years and ensure we have features in place such as the ability to obfuscate data, to further protect our users’ personal data.
- Consent - we have changed the consent requirements for EU users, so they actively opt-in to give consent for the processing of their data. Event Organisers will be able to withdraw consent on the dashboard, and Customers will be able to withdraw consent online on our Withdraw Consent page as of 25 May 2018. Please note if a customer withdraws consent or requests that TryBooking delete their data, their booking data will be replaced with "Customer withdrawn consent".
- Ensuring legal transfers of data - we are ensuring our partner companies comply with the required standards of data protection in order to facilitate legal and secure transfers of data within the company group.
- Security - we have added additional security measures to our platform and have reviewed our agreements with our sub-processors to ensure that they comply with GDPR.
How can Event Organisers prepare for GDPR?
As both TryBooking and Event Organisers are subject to GDPR, we have prepared a Data Processing Addendum (“DPA”) that outlines the legal relationship between the Event Organiser (as the data controller) and TryBooking (as the data processor). The DPA is incorporated in our Event Organiser Terms and Conditions.
The changes TryBooking has implemented will make it easier for Event Organisers to comply with GDPR. TryBooking encourages Event Organisers to prepare for GDPR by reviewing their privacy and data security processes, and ensuring that they have a set of terms and conditions to apply to their events on TryBooking. See our Learning Centre for information on how to create a set of terms and conditions.
If an Event Organiser wants to export the Customer data and use it for direct marketing purposes, they must ensure that the Customer has given permission to be contacted for that purpose. Please note that customers are required to consent to direct marketing - this cannot be a condition listed in the event terms and conditions.
There also needs to be an unsubscribe feature in all marketing communications, to allow Customers to withdraw consent.
With regard to data security, in the event that we discover a data breach, TryBooking will work together with the Event Organiser pursuant to the DPA and our data breach policy.
Individual Rights
GDPR outlines certain rights that individuals have in terms of their personal data.
These include:
- The right to have personal data erased
- The right to have personal data rectified
- The right to access the personal data they provided to TryBooking during bookings
- The right to request that TryBooking transmit the personal data it holds about them to another source
- The right to restrict the processing of their data
- The right to not be subject to automated decision making and profiling (TryBooking does not have this feature)
Individuals also have the right to object to processing of their personal data. In these instances, the controller shall no longer process the data unless they can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims. For example, if TryBooking suspected the data subject of fraud, the company could deny the request to stop processing the data.
With regard to direct marketing, Event Organisers and Subscribers can withdraw their consent at any time by clicking the ‘unsubscribe’ link in our emails. Alternatively, Event Organisers and Subscribers may contact info@trybooking.com to request to be manually unsubscribed.
To access the personal data you have provided to TryBooking during bookings please go to our Request Data page.
In order to exercise your rights under GDPR, please contact privacy@trybooking.com.
Deleting Data
As of 25 May 2018, Event Organisers will have the option to request to close their account and withdraw consent for the processing of their personal data within the account dashboard.
Customers will be able to exercise this right using our Data Deletion tool as of 25 May 2018.
In the event that a Customer requests the deletion of their data, an Event Organiser may see obfuscated personal data for a particular attendee; however, the anonymised financial data associated with the attendee will remain as part of the event.
As a Customer, you understand that even if TryBooking deletes or obfuscates your personal data upon request (or pursuant to this policy), your personal data may still be available in the database of the Event Organiser if the Event Organiser exported your data from TryBooking prior to this action being taken. Pursuant to our Privacy Policy, Event Organisers are not bound to treat your information in accordance with TryBooking’s policies and as a Customer, you agree that we are not responsible for their actions. It is therefore advised that Customers seek this clarification from the Event Organiser directly, and instruct them to remove the personal data from their database. This interaction is beyond the scope of TryBooking’s legal obligations and rests between the Customer and the Event Organiser (as the Data Controller).
If an attendee asks an Event Organiser directly to remove their personal data from our system, please forward the request to privacy@trybooking.com.
Further information
For more information please contact our Data Protection Officer at privacy@trybooking.com.