The European Union's new data privacy law, the General Data Protection Regulation (GDPR), will come into effect on May 25, 2018 and will apply not only to our EU-based clients but to all of our clients who have EU contacts. To help our clients understand the GDPR and how it applies to them we have compiled a list of questions and answers which can be found in our Knowledge Base by clicking here: http://www.x-cd.com/help?smodid=131
We encourage you to read through the Q&As, but to summarize quickly:
The standard language in our license agreement, which is signed between ourselves and our clients, reads:
X-CD acknowledges that this Agreement creates a confidential relationship between X-CD and Client and that all data collected, by the Client including, but not limited to registrant details, submitter names, email addresses, all personal information, membership profiles, abstracts, proposals, PowerPoints, PDFs, zip files, videos, or any other files or information is confidential in nature (“Data”). All such Data shall be the sole property of Client, and the Client shall own all rights, title, and interest in the Data, whether such Data resides on equipment owned by X-CD or not.
We then go on to agree that we will:
“(a) keep all Data in strict confidence; (b) not disclose Data to any third parties or to any of its employees not having a legitimate need to possess such Data and such employee will be bound to a confidentiality agreement or non-disclosure agreement with Client; and (c) will not use any Data for a purpose other than its intended purpose. The terms and conditions related to confidential Data in this Agreement shall survive the termination of this Agreement”.
In other words, we do not (and will not, even after the term of the agreement expires) provide our clients' data to a third party without consent.
X-CD is certified by Trustwave, who have reviewed our policies, procedures, and technical systems that store, process and/or transmit cardholder data. The certificate is up to date and confirms that we have performed the required procedures to validate compliance with the PCI DSS. In addition, all client sites run with an extended validation SSL certificate, capable of up to 256-bit encryption, to comply with the strongest identity authentication standard available today. Furthermore, all user login passwords are encrypted so as to render them unreadable and useless should there be a data breach. In the very rare event that a data breach occurs we will notify all clients within the required GDPR timeline of 72 hours of our becoming aware of such breach.
3. Mandatory Opt-in
To protect all clients, in anticipation of the GDPR coming into force we have implemented a mandatory opt-in clause that must be accepted by all contacts (e.g. speakers, authors, chairs, track chairs, session chairs, reviewers, attendees, members or applicants to become members, etc.). All such contacts must agree to the following terms and conditions in their initial contact form, prior to submitting any data, personal or otherwise:
This agreement is between myself (the "Contact") and the following parties - XXX (the "Organization" or "Data Controller"), their conference manager XXX (the "Conference Manager") and their conference and association management software providers, X-CD Technologies Inc. (the "Data Processor"), collectively referred to as the "Parties".
I understand that I will be submitting personal information to the Organization for the purpose of:
i. participating in Organization conferences as a speaker, author, co-author, reviewer, chair, track chair or session chair; and/or
ii. attending the Organization's conferences as an attendee; and/or
iii. becoming a member of the Organization.
I recognize that when I submit my personal information I become a Contact in the Organization database and the Organization will have the right to retain my personal information, which may include, without limitation, my name, email, contact information, company or institution, job title, abstracts and/or proposals, research papers, PPTs, videos, handouts, photos, or other information or documents which the Organization may ask for from time to time ("Data").
I acknowledge that no data transmission or storage system is 100% secure and yet understanding this I consent to submit this Data and become a Contact of my own free will. I understand that at any time I may withdraw my consent and upon doing so, all of my personal identifiable information will be deleted by the Data Controller from all servers, databases and records, however any Data published prior to the withdrawal of consent, whether online, in mobile apps, print or other media will remain as published.
I further agree that I will not initiate any legal action against any Parties associated with the transmission and storage of Data, including the Data Processor, Data Controller (as defined in the EU General Data Protection Regulation), the Conference Managers or data storage facility, for any accidental loss, destruction, alteration or unauthorized disclosure of such Data.
4. Withdrawal of Consent:
All contacts will be able to withdraw their consent by way of notice to the Client (‘Controller’ as defined by the GDPR). Our clients always have and will continue to have the tools to remove contact data from the system database.
5. Collection of Sensitive Data:
To avoid GDPR sanctions we strongly urge our clients to avoid collecting sensitive data. If for some reason you have sensitive data in your database, DELETE IT, and in future DO NOT ASK your contacts for data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, national identification numbers, passport numbers, credit card numbers (unless using our secure registration modules), biometric data for the purpose of uniquely identifying a natural person, data concerning health, data concerning a natural person's sex life or sexual orientation, or data that could lead to discrimination, identity theft or fraud, financial loss, or damage to reputation. This is not the full list, so if you have concerns about the data you are collecting, consult your legal counsel.
Again, for more information we encourage you to review the GDPR Q&A in our Knowledge Base: http://www.x-cd.com/help?smodid=131