How TryBooking protects your Privacy

You have probably received a plethora of emails over the last few weeks from Facebook, Twitter and the clothing companies you forgot you subscribed to.

All of these emails have one thing in common - updated Privacy Policies and a renewed commitment to protecting your data. 

With the General Data Protection Regulation (GDPR) coming into effect in Europe on 25 May 2018, companies that service European citizens are rushing to ensure that they are compliant with the most stringent data protection laws to date. 

What is different about GDPR? 
Unlike previous data protection laws, GDPR introduces new definitions for data controllers and processors, as well as heavy penalties for ">organisations who don’t comply.

GDPR was designed to provide citizens of the EU with additional data protection measures to protect individuals’ rights and freedoms.

If an organisation collects, transmits, hosts, analyzes or processes the personal data of EU citizens, they are required to comply with GDPR. 
 

What are ‘controllers’ and ‘processors’? 
When an organisation collects, uses or transfers personal information for its own purposes, that organisation is deemed to be a ‘controller’ of that information and is therefore primarily responsible for meeting the legal requirements under data protection law. 

When an organization processes information on behalf of a third party (for example, Customer data processed by TryBooking on behalf of its Event Organisers), that organization is deemed to be a ‘processor’ of the information. 

Is TryBooking a controller or processor?
Under GDPR, TryBooking is considered to be both a data controller and a data processor - depending on the circumstances. 

Where Event Organisers create an account with TryBooking, TryBooking becomes a data controller over the personal data the Event Organiser provides in the process of setting up their account. TryBooking will also be the data controller over the personal data provided by Customers, Visitors and Subscribers in the use of TryBooking services. 

Event Organisers are also considered to be data controllers when collecting information from Customers.

In providing ticketing and registration services to Event Organisers, TryBooking acts as a data processor for a Customer’s personal data. This includes facilitating emails to the Customer on behalf of the Event Organiser, processing payments or providing event reports and tools to Event Organisers to monitor their sales. In this case, the relevant controller of the personal information (i.e., the Event Organiser) will be jointly responsible for meeting the legal requirements.

What is TryBooking doing to prepare for GDPR?
Here is a summary of the changes we are putting in place before 25 May 2018 to ensure our compliance:

• Improved transparency - we have updated our Privacy Policy, Website Terms of Use, Event Organiser Terms and Conditions, and Customer Terms and Conditions to be more transparent and clearly state how and when we use personal data. We have also updated our Cookie Policy to explain how we create a more personalised experience for both Event Organisers and ticket buyers. 
   
• Tools & features - We have created new tools to allow Customers and Event Organisers to access, request and delete the information TryBooking holds about them. This includes our Edit a Booking feature which allows rectification of data, the Account Deletion tool for Event Organisers, Data Deletion tool for Customers, and the ability for Customers to access the data they have provided to TryBooking. These tools will be available on 25 May 2018. For more information please see the GDPR page. 
   
• Data protection by design and by default - we are ensuring that our services collect, store and process data in ways that prioritise data protection and privacy. Our systems have been reviewed and designed to restrict the amount of personal data collected, reduce the period of data retention to a maximum of 4 years and ensure we have features in place such as the ability to obfuscate data, to further protect our users’ personal data.
   
• Consent - we have changed the consent requirements for EU users, so they actively opt-in to give consent for the processing of their data. Event Organisers can withdraw consent in the Account Status section of the dashboard, and Customers will be able to withdraw consent online from the 25 May 2018. Please note if a customer withdraws consent or requests that TryBooking delete their data, their booking data will be replaced with "Customer withdrawn consent". 
   
• Ensuring legal transfers of data - we are ensuring our partner companies comply with the required standards of data protection in order to facilitate legal and secure transfers of data within the company group. 
   
• Security - we have added additional security measures to our platform and have reviewed our agreements with our sub-processors to ensure that they comply with GDPR.  

How can Event Organisers prepare for GDPR?
The changes TryBooking has implemented will make it easier for Event Organisers to comply with GDPR. 

Event Organisers can prepare for GDPR by reviewing their privacy and data security processes, and ensuring that they have a set of terms and conditions to apply to their events on TryBooking. See our Learning Centre for information on how to create a set of terms and conditions

Direct marketing
If an Event Organiser wants to export the Customer data and use it for direct marketing purposes, they must ensure that the Customer has given permission to be contacted for that purpose. Please note that customers are required to consent to direct marketing - this cannot be a condition listed in the event terms and conditions. The field “permission to contact” needs to be part of the data report and will indicate to the Event Organiser whether or not the ticket buyer has consented to receiving direct marketing. It is the Event Organiser’s responsibility to check this field and only add individuals who have selected “yes” to their database. 

There also needs to be an unsubscribe feature in all marketing communications, to allow Customers to withdraw consent. 

Data security
In regards to data security, TryBooking has a comprehensive data breach policy in place which includes notifying Customers where required in the event of a serious data breach. TryBooking will work together with the Event Organiser in the event that we discover a data breach pursuant to the Data Processing Addendum and our data breach policy.

The TryBooking Team

Note, this article provides a resource and does not constitute legal advice: we encourage you to speak to a legal practitioner with the right expertise to learn how GDPR may affect your organization.

Events made easy

The TryBooking Team