When handling personal information, such as the contact details for your customers, you need to remain compliant with the General Data Protection Regulation. Failure to do so could result in a large fine. As customer data is jointly owned by Skiddle, we may also terminate your data sharing agreement if you are found to be breaching the GDPR.
The act has 6 principles. To make things easier, here we'll briefly explain how each may apply to you:
1. Processed lawfully, fairly and in a transparent manner
Customers are purchasing tickets from you (or registering for an event) and during this process they consent to sharing their contact information directly with you. Your obligations are to ensure that once you have access to this data, you use it lawfully - the main requirement is to ensure you do not share it with any third parties without the customer's consent.
2. Collected for specified, explicit and legitimate purposes
You must only use this data in connection with the purpose you collected it for (eg to promote and run your events). You should not, therefore, sell the data or use it for another unrelated business.
3. Adequate, relevant, and limited to what is necessary
We only collect the basic contact information, which is relevant to the order being placed.
4. Accurate and, where necessary, kept up-to-date
Data is input by the customer themselves, which should ensure it is accurate at the time of purchase. After you have downloaded customer data, you should have a method to allow customers to update their details in your own system should they wish (eg your mailing list).
5. Retained only for as long as necessary
If you stop running events or no longer need the data, you should delete the data you have collected. If a customer asks for their data to be deleted, you should do so.
6. Processed in an appropriate manner to maintain security
You should never allow access to customer data to third parties. You must keep the data secure, including when it is in transit. Do not send customer data over email unless it is strongly encrypted and protected by a password. Never upload customer data to a third party website without using a secure HTTPS connection. Do not leave data on laptops or mobile phones without password protection.
Be careful about where you store your data (eg in the cloud) as countries outside of the EU may not comply with the required data protection standards. You should check where your mailing list provider is situated.
Please note that we are not legal advisors. Always seek advice from a solicitor or legal professional if you are unsure of your legal obligations.