Data Protection

What is the GDPR?

The General Data Protection Regulation (GDPR) is a regulation created by the EU on data protection and privacy for all individuals within the European Union.

Why do I need to know about the GDPR?

While the GDPR is an EU regulation, it applies to any organization or event that has any EU citizen’s data. Even local SQLSaturdays happening in the US or Asia often have EU speakers or visiting EU attendees. In order to ensure organizers that may be processing data of EU citizens are adhering to the principles and best practices of GDPR, we are applying the standards of GDPR to all PASS SQLSaturday events.

What does “processing” mean?

Processing is defined by the GDPR as: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. For SQLSaturdays, PASS is considered both a controller and a processor. PASS is a processor because data is stored and accessed using the online admin tools created by PASS. As an Organizer, you are also considered a processor, as you act upon the data that is collected through the SQLSaturday admin portal. Examples of processing as an organizer:

  • Emailing registrants of the event,
  • Reviewing and scheduling speakers based on abstract submissions, etc.

What does “controller” mean?

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. This is PASS. PASS controls and maintains the online admin tools that are granted to Organizers and outlines how the data collected can be used, i.e., emailing registrants about the event, accessing speaker abstracts in order to select and schedule speakers, etc. Controllers are responsible for, and must be able to demonstrate compliance with the GDPR.

If PASS is responsible for compliance with GDPR, do SQLSaturday organizers have any obligations to maintain GDPR compliance?

The short answer is, yes. The GDPR does outline obligations that processors have in maintaining data privacy and protection of any data that they process. If processors breach these obligations, they could be held liable for compensation.

What are these obligations that SQLSaturday Organizers need to comply with?

The obligations that SQLSaturday Organizers are under are outlined in the Licensing Agreement and Data Protection Policy for SQLSaturdays. The key points are:

  • SQLSaturday Organizers will only process data as outlined by PASS
  • SQLSaturday Organizers will not engage other processors (third parties) without the express consent of PASS. Express consent means processors must obtain a written statement of consent by PASS.  
  • SQLSaturday Organizers and anyone they authorize to process the personal data of registrants must be committed to confidentiality
  • SQLSaturday Organizers must report any breach of personal data as soon as they become aware in order to work with the controller (PASS) to appropriately report the data breach.

Why can’t I access event admin portals from past events?

In order to ensure data compliance is being maintained, access to past event portals must be limited and processing of registrant data concluded one (1) year following the event date of the SQLSaturday.

Can I expect changes to the SQLSaturday admin online tools?

We have been making some updates to the SQLSaturday event portal to ensure ongoing GDPR compliance. Some of the recent updates include:

  • Clearer language around sponsor opt-ins for registrants, including the information that will be shared with sponsors. As an organizer, it is important that you share only the information outlined by this opt-in with sponsors, and only the information of those registrants that have explicitly opted-in to have this information shared. This information includes:
    • Name
    • Email
    • Job Title
    • Job Function
    • Industry
  • Clearer language on the message center, outlining the expectation of PASS that the portal will only be used to contact registrants, SQLSaturday sponsors, volunteers or speakers, and not abused for personal means, or to contact lists of people that have not indicated interest in the event.
  • Updated the Privacy Policy and Terms of Use
  • Added a cookie pop-up notification to allow visitors to the site to set their own preferences

Compliance is an ongoing effort and if at any time PASS feels like a tool or function needs to be restricted or removed to ensure compliance, we will do so. We will do our best to communicate any changes in advance to ensure minimal disruption to the organization of your event.

What if someone emails me, or comes up to me at my event and asks to be erased or to have the right to be forgotten?

If someone contacts you and requests to have their data erased, please email governance@pass.org. PASS will assist organizers with ensuring the individual’s data is erased from the database, after first taking reasonable steps to confirm the identity of the person making the request. PASS will ensure that the personal data of the individual making the request is no longer processed using the PASS SQLSaturday online admin tools. If PASS is unable to delete Customer Data for technical reasons, PASS will apply measures to ensure that Customer Data is blocked from any further Processing. You are solely responsible to protect the privacy of any data in your possession that you have collected and processed from the PASS website. As an organizer and processor, if you breach these obligations, you could be held liable for compensation.

What about personal data collected for Precons?

Any precon events and associated data fall firmly outside of the PASS SQLSaturday agreement.
