zkipster is GDPR compliant
From day one, zkipster has been built around a strong commitment to privacy, security, and protecting sensitive event and guest data.
We fully support our users complying with regulation (EU) 2016/679, also known as the General Data Protection Regulation (GDPR), that entered into effect on May 25, 2018 and repealed Directive 95/46/EC. We’ve been busy taking steps to make the transition as smooth as possible for zkipster users who are impacted by this transformative new law.
Please note that this page is provided as a resource to understand the scope of the GDPR in relation to using zkipster. It does not constitute legal advice, representations, or warranties of zkipster. We encourage you to seek professional legal advice if you have questions about how the GDPR may affect your organization and procedures.
How zkipster operates as a data processor
Under the GDPR, there are in particular two types of entities that might process personal data:
- Data controllers are individuals or entities that determine the purpose and means of the processing of personal data of EU citizens, and must therefore be compliant with the GDPR and ensure any third-parties to which they transmit or otherwise make available personal data are also compliant.
- Data processors are third-parties who process personal data on behalf of data controllers, and must in particular implement appropriate technical and organizational security measures that meet the requirements of the GDPR.
In this system under the applicability of the GDPR, zkipster is a data processor, and zkipster users (e.g. event professionals) are data controllers.
As a data processor, we’ve taken various initiatives to ensure zkipster’s compliance with the GDPR’s requirements (to the extent applicable) with respect to the scope of services stated in our terms and conditions (e.g. event management, online invitation, guest list, seating, event check-in, or related service of zkipster) which include among others:
- Ensure that all persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Take and implement all appropriate technical and organizational security measures to permanently protect the confidentiality, integrity, availability and capacity of personal data and respective processing systems and services
- Respond in a timely manner to requests to access, correct, return, or delete personal data
- Report security breaches impacting personal data in accordance with GDPR timeframes
- Demonstrate compliance with the GDPR
As a result of diligent internal reviews, zkipster has taken additional measures to support its users in complying with the GDPR. We act only on instructions by users (data controllers) and demonstrate full compliance with obligations across internal entities, subsidiaries, and hosting or cloud providers. Users of zkipster can at any time permanently delete guest data they have uploaded to zkipster.
What you need to do as a user
In order for us as data processors to provide (to the extent applicable) GDPR compliance referred to above, we operate under the assumption that you as a data controller do the following:
- Obtain personal data of EU citizens with valid permission, as set forth by the GDPR only, including explicit and informed consent
- Act in compliance with the GDPR’s rules and any other applicable data protection or information privacy laws and regulations
- Agree to have zkipster act as data processor on your (the data controller’s) behalf
Following these steps allows us to operate together under compliance with the GDPR (to the extent applicable), and provide you the same high standard of service you have come to expect.
Frequently asked questions
What is the GDPR and how does it work?
The General Data Protection Regulation, or GDPR, is a European Union law regulation on data protection and privacy and thereby an important new data privacy law that enters into effect on May 25, 2018.
The law aims to protect the personal data of citizens of the European Union and change how companies approach handling the data of individuals (data subjects). It is a major shift toward privacy by default, basically by requiring companies to obtain personal data only with the informed permission of individuals.
It also aims to empower EU regulators in enforcing that companies store, control, and use personal data only with valid consent of the individual. Through the GDPR, individuals are given e.g. the power to ask for the removal of their personal records at any point. Companies that are not compliant with the GDPR can get fined up to 4% of their global revenue.
To whom does the GDPR apply?
The GDPR may apply to individuals or entities that are established in the EU as well as certain individuals or entities established outside the EU that are processing the personal data of EU citizens.
Data controllers bear the primary responsibility for ensuring that their processing of personal data is compliant with EU data protection law. Personal data is any information relating to an identifiable natural person (e.g. names or contact details).
Is zkipster compliant under the GDPR?
zkipster understands its role as data processor and supports the protection of personal data within and beyond the borders of the European Union.
We have undertaken extensive reviews in light of this regulation. Among the steps we have taken are to update our terms of service, move data centers within the European Union, and adopt internal processes to respond swiftly to GDPR-related requests.
Why is zkipster a data processor instead of a data controller?
Unlike other event management software companies, zkipster does not determine the purposes and means of the processing of personal data exclusively on behalf of the data controllers (users like e.g. event professionals). Therefore zkipster does not qualify as a data controller.
Under the GDPR, do you foresee any restrictions in the way organizations use zkipster?
The scope of the zkipster services offering remains the same under the GDPR.
zkipster offers guest list management software to manage invitations, seating, check-in, and more. Being compliant with the GDPR shall not prevent you from or restrict you in using the services of zkipster.
That being said, organizations using zkipster should fully understand their GDPR obligations as a data controller in order to ensure compliance.
What type of data can users process with zkipster?
Successfully using zkipster does not only require entering a certain limited kind and extent of data. While it is technically possible to process extensive amounts of personal data, in view of the GDPR requirements, we strongly recommend limiting the personal data entered to what is needed for your events and for zkipster providing the relevant services to you.
What is the minimum required data to use zkipster?
The exact nature or category of data that needs to be uploaded to the zkipster platform varies based on your needs as a zkipster user and data controller. As a user, you have full control over your data that you upload to your zkipster account, and can remove any data you upload at any time.
From the platform perspective, the minimum data required is very basic: to upload a guest list, the only data needed by zkipster is guest first and last name, and a total number of guests.
How does zkipster handle data subject access requests?
zkipster has established internal processes to act swiftly upon requests. Although data subjects (in other words, any individual whose personal data you control as data controller) cannot inquire directly with a data processor, we will notify you in a timely manner should we receive a request from one of your data subjects.
How can zkipster users delete data provided for processing?
Data processed on the zkipster cloud can be deleted at any time without impacting the continuous usage of the service. Users can delete guest data within the zkipster network at any time, and we are able to assist with such requests in a timely manner.
Is this data being stored on European servers and does the data leave the EU?
The GDPR does not specifically demand that personal data of EU citizens is stored on European-based servers. However, zkipster’s data centers are located in the Netherlands, and to eliminate any concerns, all service data is hosted within the European Union exclusively.
Nevertheless, in order to perform the services, zkipster may transfer personal data to third countries which provide for an adequate level of protection as stipulated by the GDPR.
Furthermore, for the same purpose, zkipster may transfer personal data to third countries which do – according to the GDPR and the respective authorities – not provide for an adequate level of protection (e.g. to subsidiaries in the US or in Hong Kong). However, for the latter case, zkipster has established safeguards (transborder dataflow agreements) with regard to the protection of personal data as provided by the GDPR.
Does zkipster comply with the minimum security requirements and safeguards under the GDPR?
Yes, one of our core operations is taking appropriate technical and organizational measures to comply with rigorous security standards, including those stated by the GDPR.
We test against security threats to ensure the safety of user data. On a regular basis, zkipster employs third-party security experts to perform penetration tests on applications and the organization itself. Our security-certified hosting partner, Microsoft Azure, adheres to stringent security best practices.
What zkipster features and services support user compliance with the GDPR?
It is our understanding that all zkipster features as defined under the scope of services can be used in compliance with the GDPR. However, the adherence to the GDPR requirements in your function as a data controller is your own responsibility.
zkipster takes active measures to support users in protecting personal data and continues to build features and services in line with data protection and information security laws and our focus on strong security and privacy measures.
Does zkipster plan to add 'opt in/opt out' features for invitations templates?
It is your responsibility as data controller to manage guest consent, and zkipster as a data processor should not be the collection method or repository of that consent information. We do not plan to create an opt-out feature for guests of users within the zkipster platform for that reason.
Does zkipster sign additional terms or agreements requested by clients in relation to the GDPR?
On standard plans as listed on our pricing page, we do not sign anything in addition to the standard zkipster terms and conditions.
Any non-standard terms, such as additional compliance requests, are only considered under our Enterprise plan. You will need to request a quote for an Enterprise plan to initiate the process.
What if I have questions that aren't covered here about zkipster and the GDPR?
Please contact, either through your regular point of contact if you have one or our contact page, and we will be more than happy to assist you.