What is Personal Information?

Are contact details that are considered B2B (e.g. business emails, billing information, etc.) considered PII?

Yes, business and personal email addresses alike are considered personal data and are covered under the GDPR. Any individual piece of personal data, or any combination of data, that could be used to identify an individual is considered personal data and is covered under the GDPR.

Why are dietary requirements classed as PII?

Dietary information is considered personal information and is therefore regulated under the GDPR. It can also indicate health (e.g. lactose intolerant) or religious beliefs (e.g. Halal) and so should be treated as sensitive data in some cases.

Personal Information is defined as: any information which "relates to a living individual who can be identified either (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the Data Controller". GDPR explicitly cites certain categories of online data as constituting Personal Data, for example online identifiers and device identifiers.

Sensitive personal data is defined as: any "Personal Data consisting of information as to (a) the racial or ethnic origin of the Data Subject, (b) his political opinions, (c) his religious beliefs or other beliefs of a similar nature, (d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992), (e) his physical or mental health or condition, (f) his sexual life, (g) the commission or alleged commission by him of any offense, or (h) any proceedings for any offense committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings."

Genetic and biometric data are new forms of sensitive personal data. Genetic data means "personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question". Biometric data means "personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data."

Are photographs PII?

Simply yes, if there is a person in the photograph and they can be identified. How you deal with it depends on your legitimate business use.

Can you specifically ask if someone is male or female?

Gender is considered sensitive personal data under GDPR. If you have a legitimate business interest in requesting this information, our system will allow you to do that.

What exactly determines the location of the person? Listed address? Citizenship?

GDPR applies to EU citizens, not location. Interestingly, one's IP address is considered personal information under GDPR.

What is a Data Controller vs Data Processor?

If I'm using a company like Cvent, am I considered a processor of the data they capture for my company in their system, or am I considered a controller?

You are the controller.

Data Controller means: a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. An organization can be considered a Data Controller, and when you use Cvent software to capture and process personal data for your events you are the Data Controller.

Data Processor, in relation to personal data, means any person (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller. Cvent in this case would be a Data Processor.

Is the Data Processor responsible for ensuring the data handler has followed GDPR?

No. The Data Controller is responsible for ensuring that the collection, usage and storing of data is GDPR compliant. Data Processors can provide controllers with tools to substantiate that controllers are compliant with GDPR.

Will Cvent be considered a Data Processor or Data Controller?

You are engaging Cvent to provide technology products and solutions to market and execute your events. Cvent, as a product company, is a Data Processor, not a Data Controller, for the purposes of your use of our products for your meetings and events.

Sharing Data

Is emailing a spreadsheet with personal data considered a violation of GDPR? Is the sender responsible for how the recipient protects the data once it's sent?

It is not necessarily a violation based on how it's sent out, or simply because you send it by email. You will be responsible for the security of that personal data, and you should password-protect the file, use encryption, or use some other secure file transfer solution to keep it safe.

Is sharing member data with other members within a network a vulnerability, even if across borders?

It is not, so long as the members are notified of such use and such use is considered a legitimate business use.

Employee Data

What is the scope of GDPR as it pertains to working with a business entity that supplies its employees with a corporate phone, email, etc.? Does this fall under the same regulation, since everything is technically owned by the company?

Yes. Any individual piece of information, or any combination of data, that can be used to personally identify an EU citizen falls under GDPR. This is typically covered in the contract terms between you and the other company.

Do these requirements (for registration forms and data collection) apply to events produced for, and attended by, a company's internal employees?

Yes, it does. It does not apply only to externally facing events. GDPR applies to all entities processing the personal data of individuals residing in the EU. To be clear, it applies to you if you hold events in the EU or you market to EU residents, meaning that if you have employees who are EU residents or EU citizens, then GDPR applies.

Breaches and Enforcements

How are breaches discovered?

Regulators are able to walk into any business and request that it prove it is handling data subject requests and that its systems are compliant with the regulations. As we understand it, the two most common ways are: regulators knock on your door, or someone complains about your processes.

How will Cvent handle any breaches?

In the event of a confirmed data breach pertaining to your personal information, Cvent will contact the individual outlined in your contract, or email the Administrator identified within your account, within 72 hours.

How would this be imposed outside the EU?

The company may have assets in the EU, or the DPAs can set up blocks.

Depending on your scope of business in Europe, you may need to appoint a representative in Europe; this is who a regulator may contact if there is a breach.

The regulations are based on EU citizens, not just businesses in the EU. You may have EU citizens coming to your events or hotel and you wouldn't even know it. This regulation is meant to protect the rights of EU citizens.

GDPR outside the EU

To the extent GDPR does not make processes uniform, you will need to comply with the regulations of each member state; for example, do-not-call lists.

Does GDPR protect citizens or residents of the EU? What if that information is not disclosed to the company that is collecting the private data?

GDPR applies to EU citizens. You should make your best attempt to determine it. Cvent is putting technology in place for all users and attendees regardless of where the person is.

GDPR and Marketing

How does this apply to social media?

GDPR applies to how you collect, store and use the personal data of EU citizens, through any means, including social media.

If I don't have EU citizens attending my events, how does GDPR impact my event?

It applies if you are marketing to EU citizens, not only if they are attending; but if you don't market to EU citizens and they don't attend your events, then GDPR does not apply.

Yes

Do we have to include the Opt-Out option in all of our emails after 25th May?

As a best practice, we believe that an opt-out link should be included in your marketing emails.

Hotel Guests

I am not sure this webinar is for US hotels using Cvent; this is based on Europe, am I correct?

It's not a matter of where the hotel is; it's specific to the individuals that are coming to your hotel. Are you specifically targeting EU citizens? It depends on how much contact you have, but if you market to EU citizens or have EU citizens staying at your property, then you must comply with GDPR.

So we cannot collect any sort of data (even if it's not private) from, say, a school group?

Collecting data on children is highly regulated, and therefore you should connect with your legal counsel for more information. The regulations specify the age requirements for consent and permission to collect information from the child or their parent or guardian.

Cvent and GDPR

How is Cvent going to comply with GDPR guidelines?

Working with our legal consultants, we have identified a number of processes, options, and configuration settings that our clients will find useful to ensure that they are compliant. We are developing additional tools to help facilitate your compliance.

When will Cvent be GDPR compliant for planners currently collecting data for post-May 25th conferences?

Cvent systems currently permit you to request consent, provide data access to the subjects, delete data, post your privacy policy, and send opt-in emails and opt-out links to your attendees. Please work with your Cvent Customer Service rep to learn more.

How is Cvent implementing the transparency of data approvals for each registration?

Cvent is giving you the tools and a platform that will allow you to expose what you feel necessary to your registrants.

We have very flexible platforms, with lots of options to customize your registration page and capture consents.

I assume you are storing data outside Europe. How is this addressed under GDPR?

Our data is stored in the United States, and we transfer data from Europe to the US pursuant to the EU-US Privacy Shield, for which Cvent was certified and verified by a third party called TrustArc in Oct 2017. This process satisfies the cross-border transfer regulations of the GDPR.

Consent

Explicit consent will depend on what the data is being used for and what industry you are in. Please consult your legal counsel on what is best for your organization.

The regulations require the following for obtaining consent:

• Consent must be freely given, specific, informed and unambiguous, obtained by a clear statement or by a clear affirmative action signifying agreement to processing.
• You must obtain separate consents for different processing activities.
• Forced consent mechanisms are not valid: no pre-ticked boxes, and no implied consent if there is no response.
• You must obtain explicit consent for any sensitive data you want to collect.

If you hold an event in a certain country, does the fact that the registrant consents to his data being sent to, say, a hotel in that country negate the need to have a Standard Contract Clause in place with the hotel?

The contractual relationship between you, the planner, and the hotel will need appropriate contract terms, which may include standard contract clauses. We are building our Passkey and other Hospitality Cloud solutions to be able to obtain explicit consent from the registrant that their information will be sent outside the EEA. You may need to include in a notice what information is sent and what it is being used for.

Controllers need to ask for consent when the purposes for which the data will be used go beyond the purpose for which the individual originally provided that information. For example, if you plan to market to these individuals outside of the event they are registering for, then consent would be needed. Likewise, if you plan to share that information with your sponsors, exhibitors or other attendees, it is recommended that you ask for explicit consent for each use of the data outside of its original purpose.

I allow my attendees to invite their guests, but we need to collect that information in advance. How does that work if someone is filling out information for another person?

As a best practice, we believe that you should state in your Privacy Notice what you plan on doing with guest information, and ensure that you also have consent-type questions for the guest data. With guests, you have to assume that the primary registrant is getting consent from their guest prior to adding them to their registration. That being said, it wouldn't hurt to add text underneath the guest details area that says something like "I affirm that I have consent to provide my guests' information" and to ask for this consent alongside your other consents at the beginning. If you generally email-market to all of your attendees, including guests, you will also want to include a separate consent so that you know whether you can email-market to the guests.

Clients can leverage address book consent fields to collect consent, and configure an email to be sent to registrants with a link back to the Contact profile page where they can update the consent field.

Yes, you can make consent questions required.

We believe that it is a best practice to allow participants to opt in or consent, at the time of registration, to their personal data being shared with other attendees or on your website.

Cvent Event Management and GDPR

Yes, the new consent-type fields will be available in all versions of the Event Management tool.

All the new GDPR enhancements will be made available in early May, prior to when GDPR goes into effect.

Any Cvent product that provides public websites accessible by our customers' contacts and attendees will support the cookie banner overlay. Examples include Event Registration websites, Inquisium web surveys, and Exhibitor and Speaker Portals.

Yes, Event Management will support localized cookie banners on 25th May.

When will all the enhancements Cvent is making to its products be made available?

We'll be rolling out GDPR functionality in phases for Event Management, starting with features such as Cookie Banner enhancements coming in late April. Consent fields and related audit functionality have a target release date of 11th May. Right to be Forgotten and Data Request forms will be available the week prior to 25th May.

Contact Database

Storing data is equivalent to processing someone's data. Under GDPR there are 6 lawful reasons to process an individual's personal data. The three relevant to storing that information in your marketing database are: 1) contractual relationship, 2) legitimate business purposes, or 3) consent. Obviously, if you have a contractual relationship with someone, you can keep it. If you have recorded consent, you can keep it. Legitimate business interest varies by specific member state in the EU. For instance, in the UK, direct marketing is a legitimate business interest, so you should be able to keep the contact info for a UK resident if you are marketing to them and providing them an opportunity to opt out from your marketing. For all other countries you should check their specific definitions of legitimate business interest.

General

Is there anything that needs to be sent to any EU organization to show that we are using a GDPR-certified meeting registration platform?

GDPR does not have this as a requirement.

Does GDPR apply to any type of organization? Like non-profits, associations, schools, etc.?

Yes, it does. It does not apply only to externally facing events. GDPR applies to all entities processing the personal data of individuals residing in the EU. To be clear, it applies to you if you hold events in the EU or you market to EU residents.

Privacy Policy

Do I have to display my own privacy policy? Does Cvent have to display their privacy policy?

GDPR and the Privacy Shield principles require that Controllers and Processors are transparent about how they are processing personal information. The most common method to provide this transparency is to link to your Privacy Policy, which describes how personal information is processed. Our system is configured to permit our clients to display their Privacy Policy in addition to ours (if required). Since both you, the data controller, and Cvent, the data processor, are processing attendee data, we believe it is best practice to provide both Privacy Policies.

Event Check-In

With all the data privacy concerns, can you recommend a safe and secure way to check people into an event?

We believe one of the safest ways to check people in is via Cvent's OnArrival product solution. Cvent leverages industry-leading security measures to ensure personal data is processed and stored in the safest and most secure manner, including encrypting data in transit and at rest. We believe that leveraging technology solutions such as OnArrival is far superior to traditional methods such as leaving name badges with personal data on tables, or sheets of paper with personal data on them.

Right to be forgotten

My attendees are invited to an event by their company. If they ask to be forgotten, do we have to check with the company first, or is it the right of the individual?

Ultimately, the controller needs to process the Right to be Forgotten request. Therefore, the company should be notified if they are the controller; otherwise, we do not believe this is required.