“GDPR” is short for General Data Protection Regulation and it is designed to streamline and improve data privacy laws across Europe. It came into effect on May 25, 2018.
Very briefly, GDPR says that companies (like Billetto) must take specific steps to securely store any personal data they process on EU citizens and to use this data for lawful reasons.
GDPR also gives consumers more control over how their personal data is used by others.
Who does it apply to?
Anyone who has anything to do with the personal data of EU citizens. If you’re an EU citizen or handle the personal data of EU citizens, GDPR applies to you.
GDPR is certainly not the first-ever regulation protecting people’s data. So what exactly is different now? In short:
- EU citizens…
- ...have new rights to access the data that companies store on them.
- ...can ask companies to correct, update, or delete that data.
- Companies…
- ...must take extra steps to store and manage personal data more securely.
- ...inform specific authorities (like the ICO) in case of a data breach.
- ...get people’s clear consent for processing certain data about them.
- ...pay fines if they fail to do any of the above.
What is Billetto doing?
- We’ve taken extra steps to protect the personal data we collect and use;
- We’ve put in place processes to make sure Billetto organisers and our service partners comply with GDPR;
- We’re working on upgrades and tools to help event organisers on Billetto better fulfill their obligations under GDPR, such as better consent forms and the ability to easily upload their own privacy and refund policies;
- We’ve built a "My Data" page to make it super easy for anyone to see exactly what data we store and to delete it if they wish;
- We’ve updated a whole lot of legal documents.
Billetto’s role in processing data
GDPR defines two “roles” when it comes to the handling of personal data:
- Data Controller decides how and for what purpose personal data is collected and used;
- Data Processor processes the data on behalf of the Data Controller.
Where Billetto collects personal data from organisers and attendees who register for our services, we are the Data Controller. We may use such data for analysis, improving our platform, and providing event recommendations.
Where Billetto collects data on behalf of the organiser, such as when they ask additional questions during ticket purchase, we are the Data Processor.
Because we may process the same data for our own and organisers’ needs, we may have a dual role (and different obligations) as both the Data Controller and Data Processor.
What should event organisers do?
If you’re using Billetto to create and manage events, you need to know a few things.
You are a Data Controller
In situations where you decide what data to collect about your attendees and how to use it, you are the Data Controller. In those cases, Billetto is the Data Processor. We collect and process that data on your behalf.
As the Data Controller, you must comply with GDPR when collecting and using such data. More specifically, you should follow these principles:
2. Purpose limitation. Only use that data for its stated purpose and nothing else.
3. Data minimization. Don’t collect more data than you absolutely need.
4. Accuracy. Make sure this data stays accurate and respond to any customer requests to change or delete it.
5. Storage limitation. Don’t store this data after it’s served its purpose.
6. Integrity & confidentiality. Handle this data securely and prevent it from being misused.
What rights do event attendees have?
EU citizens using Billetto to attend events have the right to ask Billetto (or the organiser) to:
- Show you the personal data we store about you;
- Correct any wrong data about you;
- “Forget” you by deleting the personal data we store.
Billetto and event organisers must show you this data no later than one month after your initial request. If you’re a registered user, you can also visit the "My Data" page to instantly see some of the data we store and delete that data directly.
We’ve written the above to help everyone using Billetto better understand the impact of GDPR. It’s purely for information and can’t be considered legal advice. We encourage everyone to work with and consult legal professionals to make sure you understand and comply with GDPR.