The European Union’s General Data Protection Regulation (GDPR) took effect on May 25, 2018 and affected SpotMe’s and our customers’ business operations. More information on GDPR can be found on http://europa.eu/dataprotection.
As compliance with data protection legislation is crucial for SpotMe’s and our customers’ businesses, SpotMe has taken the following steps with regard to the data processing operations SpotMe carries out in light of the changing privacy legislation framework:
- A GDPR-compliant Privacy Notice is the default notice for all SpotMe Live Event Apps, SpotMe Hybrid and Virtual Apps, and SpotMe Engagement Apps powered by the SpotMe Enterprise Engagement Platform. As reflected in the SpotMe Privacy Notice, SpotMe customers have the capacity of “data controllers” and SpotMe has the capacity of “data processor” (within the meaning ascribed to these terms under GDPR). Privacy Notices can be amended or customized by clients on a per-app (if the container is owned by the client) and/or per-workspace basis;
- A Data Protection Officer appointed by SpotMe; the SpotMe Data Protection Officer can be contacted at email@example.com;
- Detailed Data Breach Notification Policy, Regulatory Request Procedure and other privacy-related policies and procedures compliant with the GDPR requirements;
- App functionalities allowing the obtainment of opt-in-based consent for processing of each user’s personal data in accordance with SpotMe default or client’s customized Privacy Notice;
- App functionalities allowing each user to have access to SpotMe default or client’s customized Privacy Notice at any time from inside our mobile app (in accordance with the relevant guidance of the European Data Protection Board);
- App functionalities allowing the display of customers’ customized statements (e.g. information on data subjects’ rights under GDPR, acknowledgement of the App Privacy Notice, consent to the processing of personal data) on the app activation screen;
- Maintenance of up-to-date records of SpotMe data processing activities;
- Privacy awareness training for SpotMe staff;
- Collaboration between SpotMe privacy team and SpotMe engineering team supporting the privacy-by-design concept;
- Technical and operational processes in place to ensure data subjects’ rights under GDPR can be met, e.g. right to be forgotten or full workspace deletion (ensured through remote data wipe options & certified data deletion option);
- Implemented Technical and Organizational Measures in line with the GDPR requirements for the purposes of assuring the security of the data processing activities carried out by SpotMe on behalf of its customers;
- Data hosting in the jurisdiction of client’s choice: European Union, United States, and Singapore.
All of the above assertions are the subject of specific controls contained in the SpotMe SOC2 report (Report on SpotMe Holding SA Description of its SpotMe Enterprise Engagement Platform System and on the Suitability of the Design of Controls Relevant to the Security, Availability, Confidentiality and Privacy Principles). Please contact us at firstname.lastname@example.org for more information on GDPR or, if you are a SpotMe client, to request a copy of the SpotMe SOC2 report.
If you are a SpotMe client, you need to take the following two steps to implement GDPR for your apps:
- Configure a Privacy Notice with opt-in consent for your apps
- Execute a Data Processing Agreement (DPA)
You can set up and manage your app Privacy Notice and opt-in consent using the App Manager Legal Document module in Backstage by following our step-by-step guide. If you do not have a Privacy Notice, we recommend using our GDPR-ready Privacy Notice template. Please do not forget to insert the contact details of your Data Protection Officer, as this is a requirement under GDPR.
Please contact your SpotMe account manager if you require any assistance.
Data Processing Agreement (DPA)
As part of its GDPR implementation, effective March 31, 2018, SpotMe bundled a GDPR-compliant Data Processing Addendum with its Contractual Documents. For any service agreement entered into prior to March 31, 2018, and where applicable, SpotMe worked with its customers to enter into a separate GDPR-compliant Data Processing Addendum. The execution of such an Addendum is for the mutual benefit of both SpotMe and its customers and contributes to our successful partnership.
Your legal team may request a Data Processing Agreement (DPA) for SpotMe processing activities. A pre-signed DPA can be requested from your SpotMe account manager.
Privacy Shield Ruling by the European Court of Justice
On July 16, 2020 the Court of Justice of the EU adopted a Decision pursuant to which Commission Implementing Decision (EU) 2016/1250 on the adequacy of the protection provided by the EU-U.S. Privacy Shield was declared invalid, whereas Commission Decision 2010/87/EU on standard contractual clauses (SCCs) for the transfer of personal data to processors established in third countries should be considered valid.
The ECJ’s judgement already has a serious impact on personal data processing rules. Following the decision, the US government declared that they would continue to administer the Privacy Shield Framework program but it is likely to turn to SCCs as an alternative transfer mechanism. In any case, Privacy Shield certified companies should consider other ways to transfer personal data to the US, as the certification held is no longer a valid ground for such transfers.
In light of the above, SpotMe took the necessary steps to ensure that all personal data transfers to the US are covered by a valid transfer mechanism and executed SCCs with all of its Customers and Sub-Processors based in the US. Pursuant to SpotMe’s intra-group Data Processing Agreement, personal data transfers between SpotMe’s affiliates established in third countries are also covered by SCCs. Thus, SpotMe ensured full compliance in the first instance with the most recent personal data processing legal provisions.
SpotMe closely follows developments in personal data transfer requirements and is ready to take action in the event that further changes to the above-mentioned regulations occur.
If you are an existing customer, and you are using a standard SpotMe Data Processing Agreement, you do not need to take any action at this stage. If SpotMe has reasons to believe that your current data processing agreements require an update, you will be contacted by your Account Manager. Likewise, if you have reasons to believe that your current Data Processing Agreements require an update, please contact your Account Manager.
GDPR In a Nutshell
For GDPR tips, see CEO Pierre Metrailler join the conversation at Event Tech Live 2017.
This webpage, our Privacy Notice as well as the app functionalities relating therewith which are customized to reflect the specifics of the processing operations associated with our mobile app in the light of the applicable data protection legislation are not intended as a substitute for legal advice and any use thereof by our customers is voluntary, based on customers’ sole free and informed discretion. The aforesaid webpage, Notice and app functionalities are instead made available for the purposes of facilitating the use of SpotMe services by our customers. SpotMe makes no assurances regarding the information contained in this Notice. SpotMe expressly disclaims any warranties, liabilities or damages associated with or arising, directly or indirectly, out of the use of either this webpage, the aforesaid Notice or any app functionalities relating therewith, such as giving of opt-in-based consent by app users to processing of users’ data in accordance with the Privacy Notice, withdrawal of such consent, etc.