We comply with GDPR.
What does that mean?

Quick guide for event organisers and attendees

It’s official: Billetto is GDPR compliant. You might wonder what that means, exactly. Let’s look at the most important bits.



What is GDPR?


GDPR” is short for General Data Protection Regulation and it is designed to streamline and improve data privacy laws across Europe. It comes into effect on May 25, 2018.


Very briefly, GDPR says that companies (like Billetto) must take specific steps to securely store any personal data they process on EU citizens and to use this data for lawful reasons.


GDPR also gives consumers more control over how their personal data is used by others.



Who does it apply to?


Just about anyone who has anything to do with personal data of EU citizens. If you’re an EU citizen or handle personal data of EU citizens, GDPR applies to you. Simple, right?



What’s changed?


Now, GDPR is certainly not the first ever regulation protecting people’s data. So what exactly is different now? In short:


  • EU citizens…
    • ...have new rights to access the data that companies store on them.
    • ...can ask companies to correct, update, or delete that data.

  • Companies…
    • ...must take extra steps to store and manage personal data more securely.
    • ...inform specific authorities (like the ICO) in case of a data breach.
    • ...get people’s clear consent for processing certain data about them.
    • ...pay fines if they fail to do any of the above.


What is Billetto doing?


Here’s how we make sure to comply:


  1. We’ve taken extra steps to protect the personal data we collect and use.
  2. We’ve put in place processes to make sure Billetto event organisers and our service partners comply with GDPR.
  3. We’re working on upgrades and tools to help event organisers on Billetto better fulfil their obligations under GDPR. Things like better consent forms, ability to easily upload own privacy and refund policies, and so on.
  4. We’ve built a "My Data" page to make it super easy for anyone to see exactly what data we have on them...and to delete it, if they wish.
  5. We’ve updated a whole lot of legal docs.

Billetto’s role in processing data


GDPR defines two “roles” when it comes to handling of personal data:


  • Data Controller decides how and for what purpose personal data is collected and used.
  • Data Processor processes the data on behalf of the Data Controller.

Where Billetto collects personal data from organisers and attendees who register for our services, we are the Data Controller. We may use such data for analysis, improving our platform, and providing event recommendations.


Where Billetto collects data on behalf of the organiser, such as when they ask additional questions during ticket purchase, we are the Data Processor.


Because we may process the same data for our own and organisers’ needs, we may have a dual role (and different obligations) as both the Data Controller and Data Processor.



What should event organisers do?


If you’re using Billetto to create and manage events, you need to know a few things.


You are a Data Controller

In situations where you decide what data to collect about your attendees and how to use it, you are the Data Controller. In those cases, Billetto is the Data Processor. We collect and process that data on your behalf.


As the Data Controller, you must comply with GDPR when collecting and using such data. More specifically...


The 6 data protection principles

Data you collect from attendees via Billetto should follow these principles:


1. Lawfulness, fairness, and transparency. Make sure you have a legal basis for collecting this data (such as getting a clear, informed consent from the person). Be very clear about what data you collect and why (write this into your privacy policy, for example).


2. Purpose limitation. Only use that data for its stated purpose and nothing else.


3. Data minimisation. Don’t collect more data than you absolutely need.


4. Accuracy. Make sure this data stays accurate and respond to any customer requests to change or delete it.


5. Storage limitation. Don’t store this data after it’s served its purpose.


6. Integrity & confidentiality. Handle this data securely and prevent it from being misused.



What rights do event attendees have?


EU citizens using Billetto to attend events have the right to ask Billetto (or the organiser) to:


  • Show you the personal data we store on you.
  • Correct any wrong data about you.
  • “Forget” you by deleting the personal data we store.

Billetto and event organisers must show you this data latest one month after your initial request. If you’re a registered user, you can also visit the "My Data" page to instantly see some of the data we store and delete that data directly.



Disclaimer (or the “We’re not lawyers” bit)


We’ve written the above to help everyone using Billetto better understand the impact of GDPR. It’s purely for information and can’t be considered legal advice. We encourage everyone to work with and consult legal professionals to make sure you understand and comply with GDPR.