General Data Protection Regulation
What is GDPR?
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union.
Who is involved with GDPR?
There are three main parties to the GDPR when collecting information on Treadstone 71.
First would be the individual providing their personal identifying information. Hereafter referred to as 'Data Subject'.
Second is Treadstone 71, aka the Consulting Company.
As Treadstone 71 collects student data for the use of setting up classes to manage registration for our training, we are determining what data is collected, how it is used, how long it is retained, and what access to the data the registrant is allowed.
Does GDPR really affect me?
Treadstone 71 does not provide legal advice as to whether or not the data you control on Treadstone 71 falls under the purview of GDPR (i.e., "in-scope").
Treadstone 71 does provide the following information to assist you in determining for yourself if your data collection/retention is in-scope of GDPR and if so, how you meet what is required of you by GDPR.
First, GDPR does not use wording concerning 'citizen' or 'resident' when referencing a Data Subject. Depending on the situation, GDPR can apply to *any* person as a Data Subject.
Three significant points to consider if GDPR applies for a given Data Subject are the following:
- (a) establishment of the Data Controller inside the EU
- (b) establishment of the Data Processor inside the EU
- (c) establishment of the Data Subject inside the EU, where the Data Subject, as marketed to, was known by the Data Controller to be in the EU
Treadstone 71 is entirely US-based. Thus (b) alone does not result in GDPR in-scope data, yet the collection of data used for training is stored by a third party for registration purposes.
We use a US-based Data Controller to collect and process data; a Data Controller marketing their event to individuals in the US (or anywhere outside the EU) would find their data not to be GDPR in-scope.
The right to be informed
The Data Subject must have readily transparent access to information describing how their personal data is used, stored and retained.
The right of access
The Data Subject has the right to receive all personal data held by you concerning the Data Subject within 30 days of request.
The right to rectification
The Data Subject has the right to have their personal data updated. Treadstone 71 provides the tools through training registration partners PlanetReg and Teachable to allow for update of Data Subject data.
Either the Data Subject updates their own data via the 'edit' button on online confirmation headers, or you, the Data Collector, can update the Data Subject data via Registrant Review/Update Registration Information.
The right to be forgotten
The Data Subject has the right to have their personal data deleted.
Both registrant and event level 'data delete' functions are currently being developed to make this process simpler.
In the meantime, Treadstone 71 allows for full update of all Standard and Custom Questions where personally identifying information might be stored.
These fields can be updated to reflect no data, thus effecting a 'delete' of Data Subject data.
The right to restrict processing
The Data Subject has the right to have their personal data no longer be processed.
As the only Data Subject personal data processing occurring on Treadstone 71 post-registration is for email purposes, this primarily would involve no emails being sent via the automated Treadstone 71 systems and also no contact of them by you via email/mail/phone.
Treadstone 71 is targeting the partner services for an 'opt-out of processing' option.
Currently, updating the Data Subject email address to prevent contact via email would suffice.
The right to data portability
The Data Subject has the right to access their data in a format readily usable for other purposes.
Currently, you can download all data, including the Data Subject personal data, on a registrant via CSV file and provide that to them.
To simplify this for you, Treadstone 71 is developing a 'download' button that will allow the registrant to do so themselves from the confirmation page.
The right to object
The Data Subject has the right to have you stop processing their data for the purpose of direct marketing. Treadstone 71 is targeting the partner services for an 'opt-out of processing' option.
Aside from these defined 'rights' there are some additional aspects to GDPR that affect the data you collect on Treadstone 71.
Concerning the consent to process data by the Data Subject, GDPR Article 6 (1) provides the following six legal grounds for processing:
- (a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
- (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
- (d) processing is necessary in order to protect the vital interests of the data subject;
- (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- (f) processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
The vast majority of Data Subject personal information input on Treadstone 71 would be covered by (a), as the Data Subject registers for an event, providing their personal data as part of the registration process for the purpose of event registration. This consent does not cover other marketing-related contact; more on that below.
As the needs and uses of data vary widely between events, you may determine it necessary to add some specific language in the Registration Information/Details sections of Setup/2.Layout concerning the data you are collecting.
(f) brings forth the instance when the Data Subject is a child (Child Data Subject).
Specific requirements across districts can vary when dealing with Child Data Subject data, of which the GDPR is only a part.
We suggest you collect personally identifying information of a child only when absolutely necessary.
If it is necessary to do so, at minimum, couple the collection of this data with a parental/guardian consent via a required Custom Question (Setup/3.Questions) or utilize the Waiver feature in this manner (Setup/3.Questions).
Consent for marketing
Processing Data Subject data for the purpose of marketing requires explicit consent if GDPR in-scope.
GDPR requires consent to receive marketing to be ‘freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.’
Thus an 'opt-in' checkbox that is not required to be checked and not pre-checked must be offered if you plan on using the Data Subject personal data in non-event-required marketing.
A Custom Question (Setup/3.Questions) can readily meet this requirement if worded correctly.
Note, the emails sent to registrants per the built-in partner registrant contact system (confirmation, reminder, follow-up survey) fall under Article 6(1)(a), as a specific purpose for the registration process for an event.
Treadstone 71 operates a secure data collection and storage system for what little data we collect. All data is collected on TLS secured pages on a secure dedicated server physically residing in the USA and is stored on a secure server physically residing in the USA.