User manual details

07 Manage data GDPR compliant in yve

Manage data in yve in compliance to the EU General Data Protection Regulation (GDPR).
Checklist for the GDPR
As part of the GDPR, some changes have been made that make it necessary for you, as the person responsible, to take data protection measures. The GDPR now has a greater reach, more rights for those affected, stricter rules for data processing and much higher sentences than the provisions of the BDSG before. To make it easier for you to prepare for compliance with the GDPR regulations for your use of yve, we have put together a non-binding checklist and example for you.
 
Privacy statement
You should write an easily understandable privacy statement according to GDPR . A reference to the privacy policy of yve is not enough, because you are the person responsible for the data processing. We have listed an example below.
 
The following contents should be included
  a. Which data is collected for what purpose?
  b. How is the data handled and what is the duration of storage?
  c. That you use yve as a data processor
  d. Own measures for data security
  e. A statement on the rights of those affected
  f. How affected people can contact you
 
Data processing contract
Since you use yve as your data processor, you are obliged under GDPR to conclude a data processing contract with us. For this we have sent you a questionnaire, which you can conclude in electronic format with us. Without data processing contract you are not allowed to process personal data with yve.
 
Lawfullness of processing
The GDPR is basically a prohibition regulation with reservation of permission, i. everything is forbidden, which is not expressly allowed. This applies in particular to the lawfulness of the processing.
 
The following conditions constitute lawful processing under GDPR:
  a. Consent for the purposes of data processing has been granted
  b. The processing serves the fulfillment of a contract or preliminary contract
  c. There is a legal obligation / public interest in processing
  d. There is a legitimate interest of the person responsible, which outweighs the protection interest of the person concerned. This is especially the case when
      i. The affected is a customer or employee and
      ii. Direct mailing for similar products (see § 7 Abs. 3 UWG) is conducted
 
You should therefore check whether you need any consent at all. If so, the consent has to be voluntary, not linked to any other conditions and it must also be recallable. I should therefore not be a mandatory field. You should therefore seperate between
  1. Data given by a participant to attend a specific event (i.g. data required for participating in the event)
  2. The right to invite the participant to other events afterwards or to contact him.
The legal situation is in dispute here, there are opinions that you need for a public registration for an event no consent for point 1, since the sign up form itself is a consent - then a reference to your privacy policy would be enough. The example below for consent covers point 1 and 2. Please ask your data protection officer how this is seen in your company.
 
The documentation of the proof can be done in electronic format. In yve you can choose the option 'Show consent form' in the questionnaire. Then the consent form described under "Account -> Consent" is displayed. You can adjust the explanation by clicking on the text of the explanation in the questionnaire. Please enter your contact information for privacy.

There are a total of 5 fields that you can use, depending on how detailed you want to query. The fields can be inserted via the 'Merge Tag' button (only once each time), they appear in the detail report ('Event -> Report -> Detail Report'):
  • DSGVO / GDPR: this field is intended for the GDPR consent
  • Contact by Email: if you request special contact channels, use this field for email contact
  • Contact by Phone: If you request special contact channels, use this field for phone contact
  • Contact by Print: if you request special contact channels, use this field for postal contact
  • Compliance: if you have an additional compliance questions, use this field
You can have an e-mail log sent to you if the participant submits the questionnaire or signes up. To do this, enter the destination email address under 'Event -> E-Mails -> Sender -> Participants Log E-Mail'. The email contains all data of the participant, his anonymized IP address and the answers of his questionnaire. This e-mail can be saved as proof of the participant activity.
 
If you use the community, you can set under 'Event -> Edit Registration -> Community Members -> Participants with Opt in'. A question in the questionnaire will be activated, if the participant agrees to be listed in the community as a member. If this option is active, only members who have given this consent will be shown.

For public registrations, you should also select the option 'Record data, then verify email' for security, otherwise you will not be sure if the owner of the specified email has given your consent. You can activate under 'Event -> Websites -> Public Registration -> Terms' that consent to the terms will be requested at the time of the registration.
 
Data protection processes
You need to set up processes that allow you to safeguard all rights of those affected.
 
These are as follows:
 
Duty to provide information (privacy policy)
To do this, insert your privacy policy as text or link to the event website and questionnaire.
 
Obtain consent for data processing
In yve you can choose the option 'Show terms' in the questionnaire (see above).
 
Provide information about the data processing
This is described in the privacy policy, and is visible in the participant's profile (only with Navbar turned on). The person concerned can directly contact you with a question.
 
Correct the data by those affected
The affected person can correct his profile himself (only with Navbar switched on) and you can change his data via 'Contacts'.
 
Delete the data
We do not have an automatic feature built-in because you have to decide whether to erase the data or if there are more important reasons than consent (see above) to keep the data. The person concerned can contact you directly. You can then delete his data via, Contacts -> <Name of contact> '.
 
Restrict the processing of the data
You can put an 'unsubscribe' link in your emails with the merge tag 'Contact unsubscribe' in yve. This link automatically blocks after clicking the email address of the person concerned so that you can no longer send active emails to him. Afterwards the participant will see the website 'unsubscribe newsletter', which you can change under 'Event -> Websites -> unsubscribe newsletter'. You can also set or cancel this block manually via, Contacts -> <Name of contact> -> Email -> Unsubscribed at '.
 
Transfer the data to a transport medium
You can find the contact under Contacts and create an Excel report with its data via 'Contacts -> Reports'.
 
Accept cancellation of consent to data processing
In yve you can choose the option 'Show consent form' in the questionnaire (see above). The affected person can withhold consent by deselecting the checkbox. The person concerned can also contact you directly and make the change under 'Event -> Participants -> Questionnaire'.
 
Further measures may be necessary, such as create a list of processing activities, commit employees to data protection or provide a data protection officer. We have here limited our explanations to the essential measures for the use of yve, our list and example makes no claim to completeness and is without guarantee. Please contact your data protection officer to coordinate your privacy policy.
 
Example of privacy policy and declaration of consent
"We would like to invite you via email and letter to our events. For this purpose we collect and process personal data about you. Your personal data will not be disclosed to third parties. Your personal data will not be stored longer than necessary to achieve the aforementioned purposes. To process your data we use the online service yve event tool from the service provider Buckow Enterprise Solutions GmbH (see privacy policy https://www.yve-tool.de/en/privacy). All data is secured against loss, destruction, access, modification and dissemination through technical and organizational measures.
 
The processing of your personal data for the aforementioned purpose is based on your consent. You have the right at any time to revoke this consent or to object to the processing. You have the right at any time to obtain information about your personal data, the right to rectify or delete them, the right to limit their processing and the right to transfer data. To contact us regarding privacy, you are welcome to contact us using the contact information below:

<Contact for data protection>
 
I agree that my personal information will be used for this purpose."