zkipster is ready for the GDPR
From day one, zkipster has been built around a strong commitment to privacy, security, and protecting sensitive event and guest data.
We fully support our users complying with regulation (EU) 2016/679, also known as the General Data Protection Regulation (GDPR), entering effect on May 25, 2018 and repealing Directive 95/46/EC. We’ve been busy taking steps to make the transition as smooth as possible for zkipster users who are impacted by this transformative new law.
Please note that this page is provided as a resource to understand the scope of the GDPR in relation to using zkipster. It does not constitute legal advice, representations, or warranties of zkipster. We encourage you to seek professional legal advice if you have questions about how the GDPR may affect your organization and procedures.
How zkipster operates as a data processor
Under the GDPR, there are in particular two types of entities that might process personal data:
- Data controllers are individuals or entities that determine the purpose and means of the processing of personal data of EU citizens, and must therefore be compliant with the GDPR and ensure any third parties to which they transmit or otherwise make available personal data are also compliant.
- Data processors are third parties who process personal data on behalf of data controllers, and must in particular implement appropriate technical and organizational security measures that meet the requirements of the GDPR.
In this system under the applicability of the GDPR, zkipster is a data processor, and zkipster users (e.g. event professionals) are data controllers.
As a data processor, we’ve taken various initiatives to ensure zkipster’s compliance with the GDPR’s requirements (to the extent applicable) with respect to the scope of services stated in our terms and conditions (e.g. event management, online invitation, guest list, seating, event check-in, or related service of zkipster) which include among others:
- Ensure that all persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Take and implement all appropriate technical and organizational security measures to permanently protect the confidentiality, integrity, availability and capacity of personal data and respective processing systems and services
- Respond in a timely manner to requests to access, correct, return, or delete personal data
- Report security breaches impacting personal data in accordance with GDPR timeframes
- Demonstrate compliance with the GDPR
As a result of diligent internal reviews, zkipster has taken additional measures to support its users in complying with the GDPR. We act only on instructions by users (data controllers) and demonstrate full compliance with obligations across internal entities, subsidiaries, and hosting or cloud providers.
What you need to do as a user
In order for us as data processors to provide (to the extent applicable) GDPR compliance referred to above, we operate under the assumption that you as a data controller do the following:
- Obtain personal data of EU citizens only with valid permission as set forth by the GDPR, including explicit and informed consent
- Act in compliance with the GDPR’s rules and any other applicable data protection or information privacy laws and regulations
- Agree to have zkipster act as data processor on your (the data controller’s) behalf
Following these steps allows us to operate together under compliance with the GDPR (to the extent applicable), and provide you the same high standard of service you have come to expect.
Frequently asked questions
What is the GDPR and how does it work?
The General Data Protection Regulation, or GDPR, is a European Union regulation on data protection and privacy, and an important new data privacy law that enters into effect on May 25, 2018.
The law aims to protect the personal data of citizens of the European Union and change how companies approach handling the data of individuals (data subjects). It is a major shift toward privacy by default, basically by requiring companies to obtain personal data only with the informed permission of individuals.
It also aims to empower EU regulators in enforcing that companies store, control, and use personal data only with valid consent of the individual. Through the GDPR, individuals are given e.g. the power to ask for the removal of their personal records at any point. Companies that are not compliant with the GDPR can get fined up to 4% of their global revenue.
To whom does the GDPR apply?
The GDPR may apply to individuals or entities that are established in the EU as well as certain individuals or entities established outside the EU that are processing the personal data of EU citizens.
Data controllers bear the primary responsibility for ensuring that their processing of personal data is compliant with EU data protection law. Personal data is any information relating to an identifiable natural person (e.g. names or contact details).
Is zkipster compliant under the GDPR?
zkipster understands its role as data processor and supports the protection of personal data within and beyond the borders of the European Union.
We have undertaken extensive reviews in light of this regulation. Among the steps we have taken are to update our terms of service and adopt internal processes to respond swiftly to GDPR-related requests.
Why is zkipster a data processor instead of a data controller?
Unlike other event management software companies, zkipster does not determine the purposes and means of the processing of personal data exclusively on behalf of the data controllers (users such as event professionals). Therefore, zkipster does not qualify as a data controller.
Under the GDPR, do you foresee any restrictions in the way organizations use zkipster?
The scope of the zkipster services offering remains the same under the GDPR.
zkipster offers guest list management software to manage invitations, seating, check-in, and more. Being compliant with the GDPR shall not prevent you from or restrict you in using the services of zkipster.
That being said, organizations using zkipster should fully understand their GDPR obligations as a data controller in order to ensure compliance.
What type of data can users process with zkipster?
Successfully using zkipster does not only require entering a certain limited kind and extent of data. While it is technically possible to process extensive amounts of personal data, in view of the GDPR requirements, we strongly recommend limiting the personal data entered to what is needed for your events and for zkipster providing the relevant services to you.
How does zkipster handle data subject access requests?
zkipster has established internal processes to act swiftly upon requests. Although data subjects (in other words, any individual whose personal data you control as data controller) cannot inquire directly with a data processor, we will notify you in a timely manner should we receive a request from one of your data subjects.
How can zkipster users delete data provided for processing?
Data processed on the zkipster cloud can be deleted at any time without impacting the continuous usage of the service. Users can delete guest data within the zkipster network at any time, and we are able to assist with such requests in a timely manner.
Does zkipster comply with the minimum security requirements and safeguards under the GDPR?
Yes, one of our core operations is taking appropriate technical and organizational measures to comply with rigorous security standards, including those stated by the GDPR.
We test against security threats to ensure the safety of user data. On a regular basis, zkipster employs third-party security experts to perform penetration tests on applications and the organization itself. Our security-certified hosting partner, Microsoft Azure, adheres to stringent security best practices.
What zkipster features and services support user compliance with the GDPR?
It is our understanding that all zkipster features as defined under the scope of services can be used in compliance with the GDPR. However, the adherence to the GDPR requirements in your function as a data controller is your own responsibility.
zkipster takes active measures to support users in protecting personal data and continues to build features and services in line with data protection and information security laws and our focus on strong security and privacy measures.
What if I have questions that aren’t covered here about zkipster and the GDPR?
Please contact us, either through your regular point of contact if you have one or through our contact page, and we will be more than happy to assist you.