General Data Protection Regulation

Last updated: May 24, 2018

The GDPR is the European Union’s new data protection law that unifies the different privacy legislation across EU member states. The purpose of the regulation is to strengthen the privacy rights of individuals in regards to how their personal data is being collected, processed, and used.

What changes does the GDPR introduce?

The GDPR replaces the current EU Data Protection Directive (Directive 95/46/EC). While many of the concepts outlined in the new framework are based on the current directive, the GDPR also introduces several new implications. First, there are now higher fines for noncompliance. Additionally, compliance is required by organizations located outside of Europe and by B2B service providers.

To whom does the GDPR apply?

Any organization, no matter its location, must comply with the GDPR in order to offer products or services to, or monitor the data of EU residents. This includes organizations located outside of the EU that may have customers who are EU residents. Additionally, the regulation applies to B2B service providers that process data on behalf of organizations.

Working together towards compliance

The GDPR replaces the current EU Data Protection Directive (Directive 95/46/EC). While many of the concepts outlined in the new framework are based on the current directive, the GDPR also introduces several new implications. First, there are now higher fines for noncompliance. Additionally, compliance is required by organizations located outside of Europe and by B2B service providers.

Our compliance with the GDPR

Boomset welcomes the progress brought forth by the GDPR. As a data processor, we work closely with privacy experts to ensure our security and privacy programs meet the standards outlined in the GDPR. Upon signing up to our platform, users agree to our Data Processing Addendum. The DPA is our contractual obligation to process data in a GDPR compliant manner.

Data protection by design

Data protection is a key consideration right from the early stages of the development lifecycle. We ensure that all our features are fully secure and all data processed by Boomset is encrypted at rest and in transit.

Boomset currently does not independently maintain, host or transmit customer data. Such data resides with Amazon Web Services (“AWS”) secure cloud services platform. All AWS Services are GDPR ready. AWS continually maintains a high bar for security and compliance across all of their global operations. Their industry-leading security provides the foundation for their long list of internationally recognized certifications and accreditations, demonstrating compliance with rigorous international standards, such as ISO 27017 for cloud security, ISO 27018 for cloud privacy, SOC 1, SOC 2 and SOC 3, PCI DSS Level 1 and others. AWS also helps customers meet local security standards such as BSI's Common Cloud Computing Controls Catalogue (C5), which is important in Germany. AWS also complies with the CISPE Data Protection Code of Conduct for Data Protection in the Cloud.

We are careful with any data we collect, whether it is protected by GDPR or otherwise. We only collect and keep what we have to and then only for as long as our customers need the data. Our cautious practices are reflected in our commitments to the privacy and security of the data that you entrust to us.

We already have tools that let you control your event attendee data so you can comply with GDPR and our Customer Success team is always available to help you as well. 

Data protection by default

Data protection is our default mode of operation. We only collect and store data required to provide our service. GDPR wants you to give people the ‘right to be forgotten’. Erase their personal data if they ask, but only if it doesn’t compromise freedom of expression or the ability to research. Boomset does not use our client’s attendee information in any way other than to allow the event organizer to check in the attendee to their event using our software platform. We never share attendee information with any third party and Boomset allows for the deletion of attendee data by customers on demand, using the Boomset Management Console. 

If a user deletes their Boomset account, we remove all their data from our systems within 180 30 days of deletion.

Compliance officers

Boomset has designated an internal Data Protection Officer (DPO) to oversee compliance. Additionally, we have nominated BBB, an experienced privacy consultancy, to represent Boomset in the EU for any privacy disputes.

Data protection impact assessments

Our application is audited internally and externally on an ongoing basis to identify potential privacy flaws and exposures. Additionally, we perform impact assessments for any new features that may potentially affect the data flow of our application.

Lawful basis for processing

Boomset obtains consent from users who agree to a Master Service Agreement, Data Processing Addendum, and Privacy Policy when signing up to our platform. Users can withdraw consent at any time by deleting their account. If you have specific security requirements, contact us for a custom agreement.

Accountability

We hold ourselves accountable to the highest standards by providing visibility to our security program. We recommend that customers with questions regarding data protection or Boomset and GDPR contact their Boomset Customer Success Manager. Alternatively, you can send an email to privacy@boomset.com

Data subject rights

Boomset has enacted policies to protect users’ rights. We allow Boomset users to opt-out of our notifications, and are ready to respond to any data access requests from our users. If you are an attendee of one of our client’s events, you are subject to the Terms of Use and Privacy Policy of the individual event organizer. Boomset does not use our client’s attendee information in any way other than to allow the event organizer to check in the attendee to their event using our software platform. We never share attendee information with any third party and we allow our clients the ability to delete attendee data following their event.

Data breach notifications

We do our very best to protect your data, though the unexpected could happen. In such cases, we are committed to always being fully transparent and notifying the supervisory authority and all affected parties according to the GDPR requirements.