This guide explains how the various features of EasySignup help you to comply with the General Data Protection Regulation, also known as GDPR.
When you create events and receive registrations with EasySignup, you are the Data Controller for the information attendees enter into the system when signing up for an event.
As Data Controller you are responsible for ensuring that the rights of the attendees are respected.
The data protection regulation provides a set of rights to persons registering data. We call the registered persons for "attendees" because it will often be persons attending your events, which are registered in EasySignup.
In the following, we go through a number of the rights of the attendees and how you manage these rights with EasySignup.
2.1 Right to be informed
Attendees must receive information about the processing of their personal data, e.g. purpose and legal basis of the processing, legitimate rights, recipients of data, time of storage etc.
EasySignup has made a set of registration terms that attendees must accept before they can make a final registration for your events.
However, EasySignup does not know the purpose and legal basis for your processing of special categories of personal data (sensitive personal data), other recipients of data, the time limit for deletion of data etc. Hence, it is possible either to change the registration terms by changing some of the features in the system or by entering additional text in the registration terms.
You can insert or change the following information:
In addition, EasySignup have changed the following features as they do not meet the new requirements for protection of personal data:
Distribution of attendee lists to persons who have registered for an event
We have included in the registration terms that you can distribute a list of attendees to persons who have registered for the event if "legitimate interests in accordance to a concrete assessment is being held".
This means that if you assess that it is in the interest of the attendees that you distribute a list of attendees, you can do so without obtaining consent.
Remember, it should be in favour of the attendees that you distribute the list.
Otherwise, we recommend that you obtain consent to distribute the list of attendees.
2.2 Right to access personal data
Attendees are always entitled to obtain confirmation as to how personal data is being processed, e.g. the purpose of the processing, categories of personal data, recipients etc.
When the system has been set up correctly, the registration terms should include the necessary information for the attendees, when they wish to make use of their right to access their personal data.
You can resend the confirmation e-mail to the attendees. The e-mail contains a link to the registration terms and the consent given by the attendee when registering. Here is a guide to resend the confirmation e-mail.
You can also export data about the attendee to a spreadsheet. Here is a guide to export attendee information.
Export the data for every event the person has registered for and delete data of no relevance, i.e. data about the other attendees.
We will make an easier way to do this in the longer term.
2.3 Right to rectification
The attendees have the right to obtain rectification of inaccurate personal data concerning themselves. Attendees may be able to rectify the information themselves through a link in their confirmation e-mail - if you have allowed it. Here is a guide to allow attendees to change their registration.
If you have not allowed attendees to change their registration you can edit the information in the EasySignup dashboard and resend an updated confirmation. Here is a guide to editing attendee information in the dashboard.
2.4 Right to deletion
The attendees have the right to obtain deletion of personal data under certain circumstances. A feature to deletion of personal data is under development.
2.5 Right to data portability (Delivery of data in a commonly used format)
The attendees have the right to receive their personal data in a structured, commonly used and machine-readable format under certain circumstances.
If an attendee wishes to make use of the right to data portability, it can be done by exporting the attendee information in a spreadsheet as described under "2.2 Right to access personal data" above.
It is generally required that necessary technical and organisational measures are taken to ensure and to prove that processing of personal data is in accordance with the General Data Protection Regulation (GDPR).
The Danish Data Protection Agency (Datatilsynet) has mentioned several times that only persons with a work-related need should be able to access personal data (work-related access).
This means that you must continuously ensure that only people (users) who have a need can access personal data.
You must also be able to prove that the work-related access is obeyed.
EasySignup find it difficult to document who has access to the personal data in the dashboard if login information is shared between multiple persons. Hence, we recommend that each person has their own personal username and password. Then you can document who has access to the data in the system.
Additionally, it is possible to give users different rights in the system, which has a lot of benefits.
Need help finding out how many users you need, please feel free to contact our advisor Jacob.
|+45 70 40 40 65|
Mette Jellesen and Jacob Thomsen
Support and Communication