On May 25, 2018, the European Union's (EU) General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) comes into effect. The GDPR protects European Union data subjects' fundamental right to privacy and the protection of personal data. It introduces robust requirements that will raise and harmonize standards for data protection, security, and compliance.
Pursuant to Article 28 of the GDPR, Wiretouch Ltd t/a Qflow has certain obligations as a Data Processor engaged by our customers to process their event attendee data, some of which may contain personal data protected by the various provisions of GDPR. Qflow has been working with its customers to answer their questions about how we plan to be in compliance after the GDPR becomes enforceable.
Rest assured that we are working diligently in the background on our compliance efforts to make sure we are ready. In fact, we are excited about the GDPR and its efforts to achieve the following:
In short, Qflow will be compliant with GDPR when it comes into force on May 25, 2018.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a new European privacy law that is in effect and due to become enforceable on May 25, 2018. The GDPR will replace the EU Data Protection Directive, also known as Directive 95/46/EC, and is intended to harmonize data protection throughout the European Union (EU) by applying a single data protection law that is binding throughout each member state.
Who does the GDPR apply to?
The GDPR applies to all organizations established in the EU and to organizations, whether or not established in the EU, that process the personal data of EU data subjects in connection with either the offering of goods or services to data subjects in the EU or the monitoring of behavior that takes place within the EU. Personal data is any information relating to an identified or identifiable natural person.
What has Qflow been doing in preparation for the GDPR?
Qflow currently does not independently maintain, host or transmit customer data. Such data resides with Microsoft Azure secure cloud services platform. All Microsoft Azure services are GDPR ready. Microsoft Azure continually maintains a high bar for security and compliance across all of their global operations. Their industry-leading security provides the foundation for their long list of internationally recognized certifications and accreditations, demonstrating compliance with rigorous international standards, such as ISO 27017 for cloud security, ISO 27018 for cloud privacy, SOC 1, SOC 2 and SOC 3, PCI DSS Level 1 and others.
Microsoft Azure also helps customers meet local security standards such as BSI's Common Cloud Computing Controls Catalogue (C5), which is important in Germany. Microsoft Azure also complies with the CISPE Data Protection Code of Conduct for Data Protection in the Cloud.
We are careful with any data we collect, whether it is protected by GDPR or otherwise. We only collect and keep what we have to and then only for as long as our customers need the data. Our cautious practices are reflected in our commitments to the privacy and security of the data that you entrust to us. We believe that GDPR is a great step in the right direction and we are happy to do what it takes for us to be compliant and to help you comply as well.
We already have tools that let you control your event attendee data so you can comply with GDPR and our Customer Success team is always available to help you as well. Here are some of the things we have in place and are currently working on:
Tools for responding to ‘erase or export’ requests
GDPR wants you to give people the ‘right to be forgotten’. Erase their personal data if they ask, but only if it doesn’t compromise freedom of expression or the ability to research. Qflow does not use our client’s attendee information in any way other than to allow the event organizer to check in the attendee to their event using our software platform. We never share attendee information with any third party and Qflow allows for the deletion of attendee data by customers on demand, using the Qflow Management Console.
You can always delete any event attendee’s information from the Qflow platform and when it is gone, it is gone – we don’t keep a copy after you delete it.
Updates to our privacy policy and terms of service
We’ve made some minor changes to our privacy policy and terms of service. If you are an attendee of one of our client’s events, you are subject to the Terms of Use and Privacy Policy of the individual event organizer. Qflow does not use our client’s attendee information in any way other than to allow the event organizer to check in the attendee to their event using our software platform. We never share attendee information with any third party and we allow our clients the ability to delete attendee data following their event.
Whom should I contact if I have questions regarding GDPR and Qflow?
We recommend that customers with questions regarding data protection or Qflow and GDPR contact their Qflow Customer Success Manager. Alternatively, you can send an email to support@qflow.co.uk