March 23, 2018

GDPR Compliancy

BadgerScan supports your compliance with the General Data Protection Regulation (GDPR). If you are part of an organization collecting contact information from European Economic Area (EEA) residents at an event, you may have a responsibility to protect this data according to the GDPR. To be GDPR compliant you must:

  • Obtain your new contact’s legally valid consent to use their data according to a clear and complete list of how their data will be used, which you must provide. Include any sharing of data, and use of personal data for personalization of advertisements or other services.
  • Clearly identify each party that may collect, receive, or use your new contacts’ personal data as a consequence of your use of their data. You must also provide contacts with prominent and easily accessible information about that party’s use of their personal data.

When seeking consent you must:

  • retain records of consent given by end users; and
  • provide end users with clear instructions for revocation of consent.

Third-Party Compliance

Unlike most other lead capture solutions, BadgerScan does not collect or process any contact data obtained via the App, which greatly simplifies your GDPR compliancy as an event organizer or exhibitor. Contact data goes directly from the event organizer, to the physical attendee badge, to an exhibitor’s mobile device. The data is never in the hands of a 3rd party. We are able to provide BadgerScan free-of-charge to anyone who wishes to use it because we don’t have any back-end software, servers, or data to maintain. We actually have no idea if BadgerScan is being used unless we are contacted directly by an event organizer or attendee to tell us about it.

Obtaining Consent

When an attendee at an event offers their badge for you to scan with BadgerScan, you must also obtain their consent for your organization to store or process their data.

You may launch a web-based consent form from within BadgerScan that will be pre-filled with your new customer’s contact data. The consent form may be a web page designed and hosted by your organization (if this form already exists for your organization, it may just need a small code adjustment to work with BadgerScan), or you may select a 3rd party solution. One suggestion is JotForm.com, which allows you to collect a signature on your form and can deliver the signed consent form to you as a PDF. Alternatively, you can use Google Forms, which is entirely free to use. For more information on using a web-based consent form with BadgerScan, see our instructions for creating a survey.

Guidelines for Creating a Consent Form

Consent forms should follow these guidelines as outlined by the ICO.

  • Unbundled: Consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.
  • Active opt-in: Pre-ticked opt-in boxes are invalid – use unticked opt-in boxes or similar active opt-in methods (e.g. a binary choice given equal prominence).
  • Granular: Give granular options to consent separately for different types of processing wherever appropriate.
  • Named: Name your organisation and any third parties who will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR.
  • Easy to withdraw: Tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.

Retention and Deletion of Data

After an event, you can easily remove the contact data collected on your mobile device by selecting the menu option “Delete all contacts”.

Further Questions / Concerns

If you have any questions or have a suggestion on how we can better support your journey to GDPR compliance, please send us an email (support @ badgerscan.org). For some light reading, check out the WP29 Consent Guidelines.