GDPR (General Data Protection Regulation)
We are actively preparing our business and compliance processes for the GDPR to take effect, and this guide is intended to help our customers do the same. Please note that this guide is for informational purposes only, and should not be relied upon as legal advice. We encourage you to work with legal and other professional counsel to determine precisely how the GDPR might apply to your organization.
What is the GDPR?
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.
The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established.
Key Changes with GDPR? How are obligations changing?
While the GDPR preserves many principles established by the Directive, it introduces several important and ambitious changes. Here are a few that we believe are particularly relevant to DJ Event Planner and our customers:
1. Expansion of scope: As mentioned above, the GDPR applies to all organizations established in the EU or processing data of EU citizens, thus introducing the concept of extraterritoriality, and broadening the scope of EU data protection law well beyond the borders of just the EU.
2. Expansion of definitions of personal and sensitive data, as described above.
3. Expansion of individual rights: EU citizens will have several important new rights under the GDPR, including the right to be forgotten, the right to object, the right to rectification, the right of access, and the right of portability. You must ensure that you can accommodate these rights if you are processing the personal data of EU citizens.
• Right to be forgotten:
An individual may request that an organization delete all data on that individual without undue delay.
• Right to object:
An individual may prohibit certain data uses.
• Right to rectification:
Individuals may request that incomplete data be completed or that incorrect data be corrected.
• Right of access:
Individuals have the right to know what data about them is being processed and how.
• Right of portability:
Individuals may request that personal data held by one organization be transported to another.
4. Stricter consent requirements: Consent is one of the fundamental aspects of the GDPR, and organizations must ensure that consent is obtained in accordance with the GDPR’s strict new requirements. You will need to obtain consent from your clients and contacts for every usage of their personal data, unless you can rely on a separate legal basis, such as those found in number 5 below. The surest route to compliance is to obtain
explicit consent. Keep in mind that:
• Consent must be specific to distinct purposes.
• Silence, pre-ticked boxes or inactivity does not constitute consent; data subjects must explicitly opt-in to the storage, use and management of their personal data.
• Separate consent must be obtained for different processing activities, which means you must be clear about how the data will be used when you obtain consent.
5. Stricter processing requirements: Individuals have the right to receive “fair and transparent” information about the processing of their personal data, including:
• Contact details for the data controller.
• Purpose of the data: This should be as specific (“purpose limitation”) and minimized (“data minimization”) as possible. You should carefully consider what data you are collecting and why, and be able to validate that to a regulator.
• Retention period: This should be as short as possible (“storage limitation”).
• Legal basis: You cannot process personal data just because you want to. You must have a “legal basis” for doing so, such as where the processing is necessary to the performance of a contract, an individual has consented, or the processing is in the organization’s "legitimate interest.”
There are many other principles and requirements introduced by the GDPR, so it is important to review the GDPR in its entirety to ensure that you have a full understanding of its requirements and how they may apply to you.
Consent: Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
When does it come into effect?
The GDPR will officially be enforceable beginning on May 25, 2018.
Who does it affect?
The GDPR not only applies to organizations located within the EU but it will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
What is considered “personal data”?
Per the GDPR, personal data is any information relating to an
identified or identifiable individual; meaning, information that could be used, on its own or in conjunction with other data, to identify an individual. Consider the extremely broad reach of that definition. Personal data includes not only data that is commonly considered to be 6 personal in nature (e.g., social security numbers, names, physical addresses, email addresses),
but also data such as IP addresses, behavioral data, location data, biometric data, financial information, and much more. This means that, for DJ Event Planner users, at least a majority of the information that you collect about your clients and contacts will be considered personal data under the GDPR. It’s also important to note that even personal data that has been “pseudonymized” can be considered personal data if the pseudonym can be linked to any particular individual.
Sensitive personal data, such as health information or information that reveals a person’s racial or ethnic origin, will require even greater protection. You should not store data of this nature within your DJ Event Planner account.
What does it mean to “process” data?
Per the GDPR, processing is “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by
automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” Basically, if you are collecting, managing, using or storing any personal data of EU citizens, you are processing EU personal data within the meaning prescribed by the GDPR. This means, for example, that if any of your DJ Event Planner information contains the email address, name, or other personal data of any EU citizen, then you are processing EU personal data under the GDPR.
Does it matter whether you are a controller or a processor?
If you access personal data, you do so as either a controller or a processor, and there are different requirements and obligations depending on which category you are in. A controller is the organization that determines the purposes and means of processing personal data. A controller
also determines the specific personal data that is collected from a data subject for processing. A processor is the organization that processes the data on behalf of the controller. The GDPR has not changed the fundamental definitions of controller and processor, but it has expanded the responsibilities of each party.
Controllers will retain primary responsibility for data protection (including, for example, the obligation to report data breaches to data protection authorities); however, the GDPR does place some direct responsibilities on the processor, as well. Accordingly, it is important to understand whether you are acting as a controller or a processor, and to familiarize yourself with your responsibilities accordingly.
In the context of the DJ Event Planner application and our related services, in the majority of circumstances, our customers are acting as the controller. Our customers, for example, decide what information from their contacts or clients is entered into their DJ Event Planner account; directly into DJ Event Planner, through the customizable website tool integrations.
Stricter Consent and Processing Requirements:
You must lawfully obtain and process email addresses and other personal data from your clients and contacts.
• The personal data of your clients and contacts may be collected and transferred to DJ Event Planner by manually entering the data or by use of the DJ Event Planner website tools and embedded forms made available in our application and customized by you. These forms are one of the most important DJ Event Planner tools you can use as it relates to your GDPR compliance.
• You should carefully design each of these forms to make sure that language in the body and/or footer is clear, specific, and covers all possible reasons for using the information being solicited. Be very specific about the intended use of the information you are collecting.
• While the information you collect via these forms and website tools is presumably being transferred to DJ Event Planner, it is your responsibility to ensure that you obtain consent from your customers and contacts to add their information to DJ Event Planner for processing, so you should ensure that all of your pop-up windows, forms, etc. include language that provides this consent.
• We suggest using a tick box opt-in with the use of website tools. Note that this may not be the default setting.
• The ability of your clients and contacts to withdraw consent or change preferences should be easily accessible. DJ Event Planner’s Contact Us Form within the client portal can help with this.
• An “unsubscribe” option is recommended to be included in the footer of every email sent through DJ Event Planner. This allows any email recipient to easily unsubscribe from your DJ Event Planner account, thereby helping you comply with your GDPR obligations when a subscriber withdraws his or her consent to receive emails.
• You clients also have the option to update their Contact Information within the client portal giving them the ability to easily update their profile details within your DJ Event Planner account, helping you meet the GDPR’s
right of access requirement.
• Make sure that you are frequently updating any information stored within your DJ Event Planner account that relates to your clients or contacts, such as name and contact information, when requested to do so by a client or contact.
• You should also ensure that you are keeping accurate records, especially of your clients’ and contacts’ consent permitting you to send them marketing emails, store and use their personal data, and any other processing activities which you are undertaking. DJ Event Planner can help you obtain proof of consent and will store a record of your clients’/contacts’ consent in your DJ Event Planner account. When you use a DJ Event Planner website tool to obtain personal information for your account, DJ Event Planner has added a tick box for consent and will record the Name/Date/IP Address associated with who completes and submits the form, providing you with easy-to-access proof of consent.
• Keep in mind that any consent you obtain from your clients and contacts must comply with the GDPR requirements, irrespective of when that consent was obtained. However, Recital 171 of the GDPR indicates that you may continue to rely on any existing consent which meets the GDPR standards for consent. This means that it is not necessary to re-request consent from your clients or contacts when the GDPR goes into effect so long as you met all of the requirements of the GDPR when you initially obtained consent. We recommend consulting with local counsel to determine if consents obtained prior to the GDPR comply with its requirements, or whether you should instead contact your clients and contacts to re-request consent in accordance with the GDPR requirements, or rely on a different lawful basis for your processing under the GDPR.
• You should review any DJ Event Planner integrations that you are using (or plan to use), to ensure that you have adequately disclosed potential data processing activities associated with your use of those services to your clients and contacts. For example: Name, Mailing Address, Home Phone, Mobile Phone, Billing Information, Username and Password, SMS number, etc.
• Your website may set a DJ Event Planner cookie which allows you to track certain activities of your clients, employees, and planner only clients. You should ensure that you implement an appropriate cookie notice and consent mechanism with respect to your use of these cookies.
• You should review the privacy statement and practices applicable to your organization and ensure that they provide proper notice that the personal data of your clients or contacts will be entered into DJ Event Planner. For example, you may want to consider updating your privacy statement to include language that specifically identifies DJ Event Planner as one of your processors and delineates the applicable processing activities performed by DJ Event Planner, such as the collection (e.g., via website tools and planning forms) and storage of personal data (e.g., within your DJ Event Planner account in order to allow you to create contact details, create an event tied to the contact, use event lists, send emails, and provide specific services for their event), and the transfer of personal data to DJ Event Planner.
DJ Event Planner is acting as a processor by performing certain tasks for our customers, example: scheduled emails.
Do data processors need 'explicit' or 'unambiguous' data subject consent - and what is the difference?
The conditions for consent have been strengthened, as companies will no longer be able to utilize long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent - meaning it must be unambiguous. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Explicit consent is required only for processing sensitive personal data - in this context, nothing short of “opt in” will suffice. However, for non-sensitive data, “unambiguous” consent will suffice.
Do you need to comply with the GDPR?
You should consult with legal and other professional counsel regarding the full scope of your compliance obligations. Generally speaking, however,
if you are an organization that is organized in the EU or one that is processing the personal data of EU citizens, the GDPR will apply to you.
Even if all that you are doing is collecting or storing email addresses, if those email addresses belong to EU citizens, the GDPR likely applies to you.
What happens if you do not comply?
Non-compliance with the GDPR can result in enormous financial penalties. Sanctions for non-compliance can be as high as 20 Million Euros or 4% of global annual turnover, whichever is higher.
Will DJ Event Planner comply with GDPR?
DJ Event Planner’s GDPR preparation have been ongoing, and as part of this process we are reviewing (and updating where necessary) our internal processes, procedures, data systems, and documentation to ensure that we are ready when the GDPR goes into effect. While much of our preparation is happening behind the scenes, we are also working on a number of initiatives that will be visible to our users. We are, among other things:
• Updating our Data Processing Agreement within our Terms of Service to meet the requirements of the GDPR in order to permit you to continue to lawfully transfer EU personal data to DJ Event Planner and permit DJ Event Planner to continue to lawfully receive and process that data;
• Analyzing all of our current features and templates to determine whether any improvements or additions can be made to make them more efficient for those users subject to the GDPR;
In addition, we will be prepared to address any requests made by our users related to their expanded individual rights under the GDPR:
• Right to be forgotten:
You may terminate your DJ Event Planner account at any time, in which case
we will permanently delete your account and all data associated with it. This data will NOT be recoverable.
• Right to object:
You may opt out of inclusion of your data in the djfinder search engine.
• Right to rectification
: You may access and update your DJ Event Planner account settings at any
time to correct or complete your account information. You may also contact DJ Event Planner at any time to access, correct, amend or delete information that we hold about you.
• Right of access
have specific questions about particular data, you can contact us for further information at any time.
• Right of portability
: We will export your account data to a third party at any time upon your request.
In order to assist you with any requests you may receive with regards to the expanded individual rights under the GDPR, DJ Event Planner is working to have additional reporting features available.
Does the GDPR say anything about cross-border data transfers?
Yes, the GDPR contains provisions that address the transfer of personal data from EU member states to third-party countries, such as the United States. The GDPR’s provisions regarding cross-border data transfers, however, do not radically differ from the provisions in place under the Directive. The GDPR, like the Directive, does not contain any specific requirement that the
personal data of EU citizens be stored only in EU member states. Rather, the GDPR requires that certain conditions be met before personal data is transferred outside the EU, identifying a number of different legal grounds that organizations can rely on to perform cross-border data transfers.
One legal ground for transferring personal data set out in the GDPR is an “adequacy decision.” An adequacy decision is a decision by the European Commission that an adequate level of protection exists for the personal data in the country, territory, or organization where it is being transferred. The Privacy Shield framework constitutes one such example of an adequacy
decision. DJ Event Planner is currently applying for certification under the Privacy Shield framework. We are committed to treating all personal data received from EU member countries in accordance with the Privacy Shield framework’s applicable principles already.
What does this mean for you? Generally speaking, it means we expect that DJ Event Planner’s EU customers will be able to continue to rely on DJ Event Planner’s Privacy Shield certification in order to transfer their lawfully obtained personal data to DJ Event Planner under the GDPR.
How can DJ Event Planner assist in your GDPR compliance efforts?
You should start your compliance efforts now, if you haven’t already. It is never too early to review your organization’s data privacy and security practices, and there are several ways in which DJ Event Planner can help.
Expansion of Individual Rights:
DJ Event Planner can help you promptly respond to requests from your
clients or contacts pursuant to their expanded individual rights under the GDPR.
• Right to be forgotten
: You may delete individual clients upon their request at any time.
Log into DJ Event Planner > Clients > Select Client > Full View > Delete
. In addition, you may contact DJ Event Planner, via your support options, on behalf of your clients to request deletion of their data from DJ Event Planner.
• Right to object
: You may opt out of the search engine database (not applicable to those outside the US)
• Right to rectification
: You may access and update your client/contacts within your
DJ Event planner account to correct or complete client/contact information upon their request at any time.
Unless it is prohibited by law, we will remove any Personal Information about an individual, either you (our user) or a client, from our
servers at your or their request. There is no charge for an individual to access or update their Personal Information."
• Right of access
• Right of portability
: You may run reports for selected information within DJ Event Planner at any time by accessing your DJ Event Planner account.
If you have specific questions about the GDPR and your use of DJ Event Planner, you can contact us directly.