What is the GDPR and what does it mean?
7 June, 2018 - 6 min. read
Please note: This blog is from 2018.
The GDPR is a new piece of legislation intended to protect personal data. We understand that you will likely have questions about how this new legislation will affect you and your ticket sales. In this blog, we explain how we are dealing with it.
It’s likely that you have come across the term GDPR in recent weeks or months. The term GDPR stands for General Data Protection Regulation. Although the GDPR is largely based on the current Dutch Personal Data Protection Act, there will be a number of important changes.
In this blog you’ll read about four important points:
- What is the GDPR and what does it mean?
- What measures is Eventix taking in light of the GDPR?
- Personal data at Eventix.
- What will change for you as an organisation?
What is the GDPR and what does it mean?
This new privacy law has been introduced by the European Union and will apply from 25 May 2018. The aim behind the GDPR is to provide greater protection for visitors' personal data. Or rather, it ensures that consumers have more control over what is done with their data.
As an event organiser, you will have to request explicit permission to retrieve certain visitor data after 25 May 2018. You must request permission if the data retrieved is not directly relevant to the organisation of an event.
In addition, your visitors as individuals will have more rights when it comes to how their personal data is handled. For example, visitors can indicate that they want to receive the information held about them, or that they want you to delete their information. The latter means that all data about this visitor will need to be deleted or anonymised.
What measures is Eventix taking as a result of the GDPR?
Eventix and its event organisers are data controllers in the eyes of the GDPR. As a 'data controller' of personal data, we obviously have to comply with the GDPR. Therefore, we have taken a number of steps to ensure that we and our organisers are compliant with the new rules.
- Processing agreements: As a 'data controller' we are obliged to have a processing agreement with all parties that help Eventix in offering our ticket service. In these agreements, we agree on how our partners must handle the data of ticket buyers.
- Registration of processing: Under the GDPR we are obliged to keep a processing register. In this register, among other things, the personal data, the processing purposes and the recipients of personal data are recorded.
Personal data at Eventix
When you create your event with us, you’ll find the header 'Visitor Information' under tickets. Visitor information is the information we ask from your ticket buyers when they purchase tickets through the ticket shop. These are the fields that need to be filled in during the ordering process, such as name, email, and age. The answers visitors give are personal data. We have some default questions and fields that you can use, but you can also add your own manually. Under the GDPR you are no longer allowed to collect information about your visitors without a valid reason. It is logical to ask a visitor for an email address, but you as an organiser should ask yourself whether it’s necessary to ask your ticket buyers for their address. If you ask for this data, but it isn’t strictly necessary for the organisation of your event, you will need to ask the visitor for permission to use this data and explain why you are asking for it in the first place.
What will change for you as an organisation?
As you will have been able to conclude from the above, a number of things will change under the GDPR. We want to prevent you from having to take any drastic measures as a result. As automation is one of our key priorities, we want to pursue this goal in our implementation of the GDPR. As such, we’ll ensure that standard general terms and conditions are automatically added to your shop from 25 May. If you already have your own general terms and conditions, we’ll leave them as they are and nothing will change. If you do not yet have them, we’ll take care of that. The terms and conditions we set on behalf of your organisation will automatically synchronise with the 'Visitor Information' requested in your ticket shop.
There are still some steps you’ll need to take to minimise the risk of personal data being misused:
- Make sure you have reliable people on your team: Personal data is a fragile subject that should be handled with care. Therefore choose people from your organisation whom you trust 100% when it comes to access to personal data.
- State the purpose: Clearly state the relevance of the collected data and what it is being used for. Clearly state that the data you are collecting is relevant to, for example, a marketing campaign. This also applies to cookies.
- Think before you print: You may have an attendance list for your event that is printed. Printing a tangible attendance list increases the risk that data gets lost and reaches people who can use or abuse it. If you collect this data digitally, it’s safer, because you can secure digital files by making them anonymous or by encrypting them with a pin code, for example.
- Report a data breach within 72 hours: An accident can happen easily; an unencrypted laptop can be stolen from the backseat of a car. If you realise that a data breach has occurred, you are obliged to report this to the Dutch Data Protection Authority within 72 hours. We have a document that allows you to quickly make a full report to the Authority for the Protection of Personal Data.
We will inform you immediately of any developments, should anything change in the future. If you have any questions or feedback, please contact us via chat or firstname.lastname@example.org.