Seats2meet Data Protection: your data, you are in control
Frequently Asked Questions for Operators
- As an Operator in the Seats2meet network, what is my legal status according to the GDPR?
Seats2Meet International B.V. and you as Operator are the Joint-Controllers of the personal data that your customers share on the seats2meet.com platform. This means you need to understand your legal obligations as a Controller as defined in the GDPR. For more detailed information, refer to this section of the GDPR guide provided by the UK Information Commissioner's Office. Please contact us at [email protected] with your support questions.
- Does my location need to sign a separate data processing agreement with Seats2meet International?
No, the conditions as defined in the Roles & Responsibilities that you have accepted during the onboarding of your location cover all required legal agreements.
- I do not yet have a written policy for processing and protecting personal data, is a standard available that I can adapt to the requirements of my location?
We can provide you with a basic standard that you can implement and adapt to your specific needs. This standard is evolving as part of a continuous improvement effort. The most up-to-date version can be provided upon request to [email protected].
- My location resides outside of the European Economic Area, what are the legal requirements to comply with the GDPR?
In addition to accepting the Roles & Responsibilities that apply to ALL locations, you need to sign an additional Data Transfer Agreement. We have made it simple to meet this additional requirement; please go to this section to see what you need to do.
- How should my location respond when clients exercise their individual rights (right to be informed, rectification, erasure, etc.)?
* For processing activities outside of the seats2meet platform, make sure that all client requests with regard to their individual rights can be met within the legally required response time of 30 days.
* In the seats2meet.com software, all individual rights for data subjects are served from the passport function. All information on record can be audited and amended here. In case users wish to exercise their right to erasure, they can delete their account at their discretion.
- What are the rules for publishing photography / video / social media that feature our employees and guests?
* As a location you are responsible for setting and communicating the 'house rules' for photography and filming activities.
* In case of events hosted at your location: the event organisers (clients) are responsible for the media that are created on behalf of their organisation. The client is responsible for obtaining and managing the required consent from event participants.
* In case you create or commission photos and videos that feature people for marketing purposes, you may request them to sign this Quitclaim [Dutch].
- During events, are we allowed to distribute a list of participants?
The handling of personal data of event participants is the responsibility of the event organiser. The organiser can only distribute these personal data if the participants have given their explicit consent (upon registration) to the event organiser.
- We monitor (parts of) our location with security camera(s). What are our legal obligations?
* Ensure that responsible personnel have a clear common understanding of the goals (purpose) of the monitoring activities.
* Ensure that camera monitoring is essential for meeting these goals.
* Ensure that the implemented monitoring solution meets GDPR requirements, including the applied retention period for stored footage.
* Clearly communicate your monitoring activities in the affected area(s) of your location with a clearly visible sign.
* For detailed guidelines, please refer to Gedetailleerde beschrijving van de regels [Dutch] by the Dutch data protection authority.
- I operate a location that is based in the Netherlands. What are the minimum retention periods for meeting legal obligations?
* Wet op de Rijksbelastingen: salary agreements and terms of employment – 7 years
* Uitvoering Loonbelasting: wage tax and identity documents – 5 years
* Wet op de Rijksbelastingen: accounts receivable and accounts payable records – 7 years
- My location provides freelancers/contractors that work on our behalf access to the personal data, for which we are a personal data Controller. Do they need to enter into a data processing agreement with us?
We strongly recommend that you instruct all employees and contractors with regard to responsible processing of personal data. However, there is no legal requirement for entering into a data processing agreement. For more background refer to this posting by Arnoud Engelfriet [Dutch].
- When an organisation resides at my location and works with the Seats2meet platform for bookings, do we need to provide a separate processor agreement for these activities?