Dietary information is considered personal information and is therefore regulated under GDPR. It could also indicate health (e.g. lactose intolerance) or religious beliefs (e.g. Halal), and so should be considered sensitive data in some cases.
Personal Information is defined as: "Any information which relates to a living individual who can be identified either (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the Data Controller". GDPR explicitly cites certain categories of online data as constituting Personal Data, for example, online identifiers and device identifiers.
Sensitive personal data is defined as: Any "Personal Data consisting of information as to (a) the racial or ethnic origin of the Data Subject, (b) his political opinions, (c) his religious beliefs or other beliefs of a similar nature, (d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992), (e) his physical or mental health or condition, (f) his sexual life, (g) the commission or alleged commission by him of any offence, or (h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings."
Genetic and biometric data are new forms of sensitive personal data. Genetic data means "personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question". Biometric data means "personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data".
You are the controller.
Data Controller means: a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. An organisation can be considered a Data Controller, and when you use Cvent software to capture and process personal data for your events you are the Data Controller.
Data Processor, in relation to personal data, means any person (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller. Cvent in this case would be a Data Processor.
No. The Data Controller is responsible for ensuring the collection, usage and storing of data is GDPR compliant. Data Processors can provide controllers with tools to substantiate that controllers are compliant with GDPR.
It is not necessarily a violation based on how it is sent out, or simply because you send it by email. You will be responsible for the security of that personal data, and you should password-protect the file, use encryption, or use some other secure file transfer solution to keep it safe.
So long as the members are notified of such use and such use is considered a legitimate business use.
Yes, any individual piece of information or any combination of data that can be used to personally identify an EU citizen falls under GDPR. It is typically covered in the contract term between you and the other company.
Regulators are able to walk into any business and request proof that the business is handling requests and that its systems are compliant with the regulations. We understand the two most common triggers are that regulators knock on your door or that someone complains about your processes.
The company may have assets in the EU. Or the DPAs can set up blocks.
Depending on your scope of business in Europe, you may need to appoint a representative in Europe; this is who a regulator may contact if there is a breach.
The regulations are based on EU Citizens, not just businesses in the EU. You may have EU citizens coming to your events or hotel and you wouldn't even know it. This regulation is meant to protect the rights of EU citizens.
To the extent GDPR does not make processes uniform, you will need to comply with the regulations of each member state. For example, do-not-call lists.
GDPR applies to EU citizens. You should make your best attempt to determine this. Cvent is putting technology in place for all users and attendees regardless of where the person is located.
GDPR applies to how you collect, store and use the personal data of EU citizens, through any measure, including social media.
It applies if you are marketing to EU citizens, not only if they are attending; if you don't market to EU citizens and they don't attend your events, then GDPR does not apply.
It's not a matter of where the hotel is, but it's specific to the individuals that are coming to your hotel. Are you specifically targeting EU citizens? It depends on how much contact you have, but if you market to or have EU citizens staying at your property then you must comply with GDPR.
Collecting data on children is highly regulated and therefore you should connect with your legal counsel for more information. The regulations specify the age requirements for consent and permission to collect information from the child or their parent or guardian.
Working with our legal consultants, we have identified a number of processes, options, and configuration settings that our clients will find useful to ensure that they are compliant. We are developing additional tools to help facilitate your compliance.
Cvent is giving you the tools and a platform that will allow you to expose what you feel necessary to your registrants.
We have very flexible platforms, with lots of options to customise your registration page and capture consents.
Explicit consent will depend on what the data is being used for and what industry you are in. Please consult your legal counsel on what is best for your organisation.
The regulations require the following for obtaining consent:
The contractual relationship between you, the planner, and the hotel will need appropriate contract terms, which may include standard contractual clauses. We are building our Passkey and other Hospitality Cloud solutions to be able to obtain explicit consent from the registrant that their information will be sent outside the EEA. You may need to include in a notice what information is sent and what it is being used for.
While GDPR may look like a daunting challenge, you can turn it into an opportunity. By ensuring you have the right event management technology in place to adhere to the new regulations, you can be a standard bearer in your industry for the protection of personal information. That's something to be proud of - and something that will set your brand apart!
Cvent provides this material for informational purposes only. The material provided herein is general and in summary form and is not intended to be comprehensive. Further, it is not intended to be legal advice and should not be construed as such. Nothing herein should be relied upon or used without consulting a lawyer, data protection officer or other professional advisor who will consider your specific circumstances, possible changes to applicable laws, rules and regulations, and other legal and privacy issues. Receipt of this material does not establish an attorney-client relationship.