+  ConfTool Support Forum
|-+  Use of ConfTool
| |-+  General Questions
| | |-+  General information regarding the General Data Protection Regulation (GDPR)

Topic: General information regarding the General Data Protection Regulation (GDPR)  (Read 4372 times)

(A German version of this article is available.)


As a software provider, we cannot provide any legal advice regarding the General Data Protection Regulation, but we hope that we can give you a short overview of the topic in the following forum entry. Therefore, our statements are only hints and without guarantee. You can get detailed information about this topic by consulting with legal counsel.


In short
We comply with the requirements of the GDPR on our website and in our event management system ConfTool Pro. The use of the system and the data is under the responsibility of the event organizers. Therefore, regarding the use of our system ConfTool Pro, the GDPR addresses mainly you as the organizers of the event. As organizer, you are the responsible operator of the system. ConfTool GmbH acts as data processor for the purposes of GDPR Article 28.


What WE do
  • We make sure that all personal data is transmitted only encrypted.
  • We use two-factor authentication for administrative access. This is also available to you as the organizer in the security settings. We recommend using it for all users with access to personal data.
  • Every event has a separate database, user data are not referenced between events. By doing this, the data separation principle is considered.
  • We delete all data of your event from our server after the hosting contract ends.
  • Our local devices like PCs, laptops and backup media use only encrypted hard drives for all data.
  • Our servers are scanned regularly by COMODO for security vulnerabilities in accordance with PCI compliance.
  • We have corresponding security, privacy and backup concepts. We gladly provide the corresponding document on request.


What YOU should do
  • Important: Every operator of a website or a web-based system that processes personal data has to publish an easily comprehensible GDPR privacy statement. We recommend publishing it on your website. There are several tools that can help you, for example:
    https://dsgvo-muster-datenschutzerklaerung.dg-datenschutz.de/?lang=en
    You can enable the link to the privacy statement in ConfTool at:
    Overview > Settings > Main Setup.
    There you can also find a pre-formulated privacy statement, which we provide without guarantee, as we cannot provide legal advice.
    Please see attached picture no. 1.
  • Important: The organizers have to ask their users if they agree to storing and processing their data. You can find a corresponding function regarding the consent for data processing in ConfTool Pro at:
    Overview > Settings > Main Setup
    We recommend that you enable it (it is enabled as default for all new installations since January 2018) and to update the wording corresponding to your requirements.
    Please see attached picture no. 2.
  • If you have already many users in the database and want to make sure that they all see and confirm the data privacy agreement the next time they log in, please go to:
    Overview > Settings > Settings for User Registration > Main Settings for User Registration
    and set the option “Text Mandatory Fields at Login” to “Always…”
    Please see attached picture no. 3.
  • If you want to transfer any user data from one event to the next, please consider this during the registration process, as you will need the users’ permission for this, too. Transferring data from one event to the next could be contrary to the principle of limitation and data minimization as long as there are no serious reasons for the transfer.
  • Generally, all organizations that store and process personal data must create a list or "directory of processing activities" in which they record all processes that process personal data. The affected and responsible persons must be named in this directory. The directory is not public and is used for internal quality control.
  • We recommend concluding an agreement about “commissioned data processing” with all service providers who come into contact with personal data on your behalf. The contract confirms that the provider processes the data "in accordance with the instructions of the controller". Signing such an agreement is also advisable with ConfTool GmbH, as well as with other service providers like accountants, e-mail providers and anyone who comes into contact with personal data on your behalf. We usually send a corresponding agreement together with our offer. If you haven’t received it, please send us an e-mail and we’ll send you the agreement.
  • Minimize the data recorded in ConfTool to the required information. In particular, recording the dates of birth, religious affiliations, or passport numbers will lead to significantly increased data protection requirements for you.
  • Make sure that you store all data securely so that third parties cannot get access to the data stored on your devices (PCs, laptops etc.). It is required to limit access to all workstations with passwords and to use encryption for all mobile devices (laptops, flash drives etc.). Do not send personal data unencrypted (via e-mail, on unencrypted flash drives etc.).
  • Delete personal data that is no longer required and make sure that third parties cannot get access to the information (e.g. by using a shredder for old printouts).
  • If more than 10 people are regularly involved in data processing in your organization, you must name a data protection officer and report him/her to the responsible authority of your area/country. The data protection officer will monitor your privacy measures and also serve as a link to your clients and the authorities.