GDPR
What is GDPR?
The General Data Protection Regulation (“GDPR”) came into effect in Europe on 25 May 2018. GDPR provided citizens of the UK and EU with additional data protection measures, designed to protect individuals’ rights and freedoms. The UK left the EU on 31 January 2020. The transition period that was in place – during which nothing changed – ended on 31 December 2020 and the United Kingdom General Data Protection Regulation (“UK GDPR”) replaced the GDPR. If an organisation is based in the UK, it is required to comply with the UK GDPR.
When an organisation collects, uses or transfers personal information for its own purposes, that organisation is deemed to be a "controller" of that information and is therefore primarily responsible for meeting the legal requirements under data protection law.
When an organisation processes information on behalf of a third party (for example, Customer data processed by TryBooking on behalf of its Event Organisers), that organisation is deemed to be a "processor" of the information.
Is TryBooking a ‘Controller’ or ‘Processor’?
Under the UK GDPR, TryBooking is considered to be both a Data Controller and a Data Processor. Where Event Organisers create an account with TryBooking, TryBooking becomes a data controller over the personal data the Event Organiser provides in the process of setting up their account. TryBooking will also be the data controller over the personal data provided by Customers, Visitors and Subscribers in the use of TryBooking services.
Event Organisers are also considered to be Data Controllers when collecting information from Customers.
In providing ticketing and registration services to Event Organisers, TryBooking acts as a data processor for a Customer’s personal data. This includes facilitating emails to the Customer on behalf of the Event Organiser, processing payments or providing event reports and tools to Event Organisers to monitor their sales. In this case, the relevant controller of the personal information (i.e., the Event Organiser) is responsible for meeting the legal requirements.
How does TryBooking comply with the UK GDPR?
TryBooking is fully committed to complying with the UK GDPR and relevant data protection and information security protocols.
Compliance with the UK GDPR requires a partnership between TryBooking and our Event Organisers in their use of our service.
As Event Organisers are also classified as Data Controllers under the UK GDPR, we provide the tools and guidance in order to help Event Organisers comply with the regulation as well. This can be found in our Data Processing Addendum.
Here is a brief summary:
- Transparency - Privacy Policy, Website Terms of Use, Event Organiser Terms and Conditions and Customer Terms and Conditions are more transparent and clearly state how and when we use your personal data. Our Cookie Policy explains how we create a more personalised experience for both Event Organisers and ticket buyers.
- Tools & features - we have tools to allow Customers and Event Organisers to access, request and delete the information TryBooking holds about them. This includes our Edit a Booking feature which allows rectification of data, the Account Deletion tool for Event Organisers, Data Deletion tool for Customers, and the ability for Customers to access the data they provided during bookings.
- Data protection by design and by default - we ensure that our services collect, store and process data in ways that prioritise data protection and privacy. Our systems are designed to restrict the amount of personal data collected, reduce the period of data retention to a maximum of 4 years and ensure we have features in place such as the ability to obfuscate data, to further protect our users’ personal data.
- Consent - users have to actively opt-in to give consent for the processing of their data. Event Organisers are able to withdraw consent on the dashboard, and Customers are able to withdraw consent online on our Withdraw Consent page. Please note if a customer withdraws consent or requests that TryBooking delete their data, their booking data will be replaced with "Customer withdrawn consent".
- Ensuring legal transfers of data - we ensure our partner companies comply with the required standards of data protection in order to facilitate legal and secure transfers of data within the company group.
- Security - we have added additional security measures to our platform and have reviewed our agreements with our sub-processors to ensure that they comply with UK GDPR.
How can Event Organisers be UK GDPR Compliant?
As both TryBooking and Event Organisers are subject to UK GDPR, we have a Data Processing Addendum (“DPA”) that outlines the legal relationship between the Event Organiser (as the data controller) and TryBooking (as the data processor). The DPA is incorporated in our Event Organiser Terms and Conditions.
TryBooking makes it easier for Event Organisers to comply with UK GDPR. We encourage Event Organisers to be UK GDPR compliant by reviewing their privacy and data security processes, and ensuring that they have a set of terms and conditions to apply to their events on TryBooking. See our Learning Centre for information on how to create a set of terms and conditions.
If an Event Organiser wants to export the Customer data and use it for direct marketing purposes, they must have a lawful basis to do so.
There also needs to be an unsubscribe feature in all marketing communications, to allow Customers to prevent direct marketing.
In regards to data security, TryBooking will work together with the Event Organiser in the event that we discover a data breach pursuant to the DPA and our data breach policy.
Individual Rights
The UK GDPR outlines certain rights that individuals have in terms of their personal data.
These include:
- The right to have personal data erased
- The right to have personal data rectified
- The right to access the personal data they provided to TryBooking during bookings
- The right to request that TryBooking transmit the personal data it holds about them to another source
- The right to restrict the processing of their data
- The right to not be subject to automated decision making and profiling (TryBooking does not have this feature)
Individuals also have the right to object to processing of their personal data. In these instances, the controller shall no longer process the data unless they can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims. For example, if TryBooking suspected the data subject of fraud, the company could deny the request to stop processing the data.
In regards to direct marketing, Event Organisers and Subscribers can withdraw their consent at any time by clicking the ‘unsubscribe’ link in our emails. Alternatively, Event Organisers and Subscribers may unsubscribe via their Account Dashboard, or contact hello@trybooking.co.uk to request to be manually unsubscribed.
To access the personal data you have provided to TryBooking during bookings please go to our Request Data page.
In order to exercise your rights under the UK GDPR, please contact hello@trybooking.co.uk.
Deleting Data
Event Organisers have the option to close their account and withdraw consent for the processing of their personal data from within the account dashboard.
Customers can exercise this right using our Data Deletion tool.
In the event that a Customer requests the deletion of their data, an Event Organiser may see that an attendee has requested that their personal data be deleted; however, the anonymised financial data associated with the attendee will remain as part of the event.
As a Customer, you understand that even if TryBooking deletes or obfuscates your personal data upon request (or pursuant to this policy), your personal data may still be available in the database of the Event Organiser if the Event Organiser exported your data from TryBooking prior to this action being taken. Pursuant to our Privacy Policy, Event Organisers are not bound to treat your information in accordance with TryBooking’s policies and as a Customer, you agree that we are not responsible for their actions. It is therefore advised that Customers seek this clarification from the Event Organiser directly, and instruct them to remove the personal data from their database. This interaction is beyond the scope of TryBooking’s legal obligations and rests between the Customer and the Event Organiser (as the Data Controller).
If an attendee asks an Event Organiser directly to remove their personal data from our system, please forward the request to hello@trybooking.co.uk.
Further information
For more information please contact our Data Protection Officer at privacy@trybooking.co.uk.