Be sure every single customer wants to hear from you.

For the purposes of GDPR, contacts of yours with whom your organisation communicates are called ‘data subjects’ and your company is the ‘controller’ of that data. If you’re an AttendZen customer, then AttendZen acts as the ‘processor’ of that data on your behalf.

You need to have a legal reason to use a data subject’s personal information. That reason could be consent (the subject opted in) with notice (you told them what they were opting in to), performance of a contract (eg they are your customer and you want to send them a bill), or what the GDPR calls ‘legitimate interest’ (eg they are a customer, and you want to send them information related to similar products or services).

You need the ability to track that reason (also known as ‘lawful basis’) for a given contact.

When you enable GDPR tools in AttendZen, all your contact record cards will automatically include a multiselect property (dropdown) to track lawful basis. If you set GDPR tools to ‘enforced’, it will not be possible for you to save a new contact record without setting a lawful basis.

One type of lawful basis of processing is consent with proper notice.

In order for a data subject to grant consent under GDPR, a few things need to happen:

The data subject needs to be told what they’re opting into. That’s called ‘notice.’

The data subject needs to affirmatively opt-in. The action of their filling out a form alone cannot implicitly opt them into everything your company sends.

The consent needs to be granular, meaning it needs to cover the various ways you process and use the data subject’s personal information (e.g. marketing email or sales calls). You must log auditable evidence of what the data subject consented to, what they were told (notice), and when they consented.

There are essentially four ways in which the personal information of data subjects can be brought into the AttendZen platform:

• bulk importation of existing contact data (an AttendZen user uploads their contacts to the platform as a CSV or Excel file)
• manually adding a contact to the CRM (an AttendZen user inputs someone’s contact information into a new record card)
• registration (someone registers to attend an event organised by an AttendZen user)
• mailing list sign-up (someone enters their name and email address into a sign-up box on the event website of an AttendZen user).

When a user imports multiple existing contact records into the AttendZen platform, they are given the option either to add the lawful basis property for each contact in the CSV, or to set a single lawful basis for all data subjects (individual contacts) in the upload.

When a user manually adds a new contact record to the CRM, they are given the option select a legal basis for that contact. If GDPR tools are set to enforced, the record cannot be saved unless a legal basis is selected.

When an individual registers for an event they are invited to opt-in to giving their consent to be contacted by the AttendZen client organising the event regarding other events and related services (non-essential to the specific event for which they are registering).

When an individual signs up to join the mailing list of an AttendZen client (via a sign-up form on an event website), they do so via a double opt-in process whereby, having supplied their name and email information, the individual then receives a confirmation email from our system, inviting them to confirm that they wish to opt-in to joining the mailing list.

AttendZen clients are also able to link out to additional notice provisions (like privacy notices), using hyperlinks in our registration forms.

Once the data subject submits their information, we store a copy of the notice that subject was provided, information about which consent they provided, and the timestamp of the interaction.

A data subject needs the ability to see what they’ve signed up for, and to withdraw their consent (or object to how you’re processing their data) at any time.

In AttendZen, a data subject can unsubscribe from emails sent to them by any of our clients, at any time. Unsubscribe links are included in all marketing email communications sent out via the AttendZen platform. If an AttendZen client receives a withdrawal of consent directly from a data subject, they are able to unsubscribe that data subject and to modify the lawful basis contact property mentioned above.

A data subject has the right to request that you delete all the personal data you have about them. The GDPR requires the permanent removal of the subject’s contact from your database, including email tracking history, call records, form submissions and more.

In most cases, you’ll need to respond to their request within 30 days. The right to deletion is not absolute, and can depend on the context of the request, so it doesn’t always apply.

When a user deletes a contact via the platform, that contact will immediately be ‘soft-deleted’ – meaning that the contact will no longer be visible in the back-end and will no longer receive marketing communications from the AttendZen client. 30 days after a contact is soft-deleted, their record will automatically be ‘hard-deleted’ – meaning that it is permanently destroyed and cannot be restored by us from back-ups.

AttendZen clients can request the immediate permanent removal of a data subject by contacting their account manager who will execute the GDPR delete from their account and confirm in writing when it’s done.

Just as they can request that you delete their data, a data subject can request access to the personal data you hold about them. Personal data is anything identifiable, like name and email address. If a subject requests access, you (as the controller) need to provide a copy of the data, in some cases in machine-readable format (e.g. CSV or XLS).

The data subject can also request to see and verify the legal basis of processing (see above).

AttendZen enables you to grant any access request by easily exporting the data subject’s contact record into a machine-readable format. Engagement data such as CRM tasks, notes, and calls that aren’t provided in the contact record export will be supplied upon request to our client’s account manager.

Just as they can ask to delete or access their data, a data subject can ask your company to modify their personal data if it’s inaccurate or incomplete. If and when they do, you need to be able to accommodate that modification request.

In AttendZen, when a data subject asks you to modify their information, you can do so from within their contact record.

The CCPA applies to any for-profit entity doing business in California that collects and controls the processing of a consumer’s personal information and also satisfies any one of the following thresholds:

• exceeds $25 million gross revenue annually,
• handles the personal information of 50,000 or more California consumers, households, or devices annually, or
• derives more than 50% of annual revenue from selling consumers' personal information.

For the purposes of CCPA, organisations that fall within the scope of the Act are called ‘businesses’ and are responsible for the control of the consumer data they collect. If you’re an AttendZen customer, then AttendZen is considered a ‘service provider’ under the CCPA, because it handles the personal data or personal information of its clients’ end users on behalf of its clients.

AttendZen does not ‘sell’ our customers’ personal information as currently defined under the CCPA, meaning that we also do not rent, disclose, release, transfer, make available or otherwise communicate that personal information to any third party for monetary or other valuable consideration. We may share aggregated and/or anonymised information regarding use of our service(s) – which is not considered personal information under the CCPA – with third parties to help us develop and improve those services and provide our customers with more relevant content and service offerings as detailed in our customer agreements.

If an AttendZen client (event organiser) currently sells, or may sell, personal information of its customers, and falls within the scope of the CCPA, that client must inform its customers (including event attendees, sign-ups to mailing lists and website visitors) of this fact, and provide the option for its customers to opt-out of having their personal information sold.