Effective date: May 25, 2018. Last Updated: August 22, 2018
GDPR stands for General Data Protection Regulation. For European individuals, GDPR expands their data privacy rights and gives them more power to control their data. For companies that process the personal data of European individuals, GDPR requires compliance with a new set of regulations.
The GDPR applies on all personal data that is handled within the borders of the EU, or relates to individuals in EU – no matter where the organization handling the data is located.
The main aim of the GDPR is to unify and simplify the regulatory environment and to strengthen the data protection of individuals in the same way across the EU.
For individuals this means increased control over their personal data, and to businesses active in Europe the GDPR comes with additional requirements on how to handle personal data. Even though some things change, a lot of things stay the same.
Membermeister is a software-as-a-service provider which helps small businesses stay on top of their admin by automating and improving common tasks such as the management of their customer data, invoice creation, payment reconciliation, communications with customers and more.
In addition to our own compliance, we are committed to offering services to our customers to help them comply with their GDPR requirements. It should however be noted that the usage of membermeister alone does not provide GDPR compliance in itself but it helps membermeister customers to become GDPR compliant. This means that if you are currently trying to decide on a service such as membermeister then you should ask them - in addition to the question if their business is GDPR compliant - how their product helps you with your GDPR compliance. As far as membermeister is concerned we hope this page will answer these questions.
Our ambition is to build great products that benefit our customers and theirs. To do that, personal data is required not only to provide our core services and fulfil legal obligations but also to remove unnecessary repetitive steps and allow for personalisation providing a smoooth user experience. For example - on a simple level - we will try and pre-fill form fields intelligently where it makes sense or inject someone's name into an email to personalise it.
At membermeister we treat personal data with the utmost of care and where needed adapt our products, systems, and processes to the standards outlined in the GDPR. Beyond the introduction of GDPR we will keep enhancing our services even further with our customers’ privacy in mind.
In order to provide this service to our customers we store their details as well as their customers' details, including some related information as well as some personal details such as medical conditions. We keep this data as secure as we possibly can while also weighing up the benefits of having - for example - someone's allergy details at hand versus the option of not knowing this information at all. The GDPR, whilst welcome from a privacy point of view, will not override other legislation and obligations that our customers. This may include safekeeping obligations, health and safety requirements as well as accounting and record keeping requirements and other legal obligations.
At membermeister we welcome the GDPR. Long before it was introduced our customers appreciated our knowledge of data security and privacy matters and we will take this opportunity and deepen the privacy features within our products and services.
It is important that you are aware of how we handle your personal information. There are different scenarios where we need to store your information. Typical examples are:
- We might need to follow up with you by email after you have contacted us
- We will send you an invoice relating to your business activities with you
- If you use membermeister as a customer of one of our merchants we will store your details in our customers' account so they can provide you with their services or contact you
Depending on the technical setup between membermeister and the merchant you are dealing with, we will need to pass on some of data collected by us. This could be for the simple reason to provide the merchant with your email address so that they know how to contact you. In many casses you would have provided this data to the merchant directly on a previous occasion.
We collect personal information with great consideration for your privacy. We will never pass your data on to third parties without your explicit consent unless we are required to do so by law.
A common misconception is that you require consent if you want to contact someone or store their personal details. This is not correct. You do need to have a legal basis to process an EU citizen's personal data, but consent is only one of several such bases. In most cases, membermeister customers already have an ongoing business relationship with the people whose personal data they store and as such they have a contractual basis for contacting them. In other cases the legitimate interest clause of the GDPR can take effect and this allows you to contact your existing customers with relevant information about matters in which they may have a legitimate interest. As an example, it is generally fine to send your dance school student the dance school newsletter even if they haven't given you explicit consent. That's because it is reasonable to assume that they have an interest in the content because they take dance lessons with you.
If you do need consent then that requires a written record of when and how someone agreed to let you process their personal data. Consent must also be unambiguous and involve a clear affirmative action. This means clear language and no pre-checked consent boxes.
We keep your data as long as needed to fulfil the purpose for which it was collected, for instance to fulfill our contractual obligations towards you or pursue our legitimate interests until there is no longer any legal requirements or rights for us to keep the data. Typically this means that - if you are a membermeister customer - until you close your account with us or - if you are a customer of one of our merchants - until they decide to delete your data. Each membermeister customer will have their own GDPR compliance requirements and obligations and you should contact them for more details about that.
We handle your personal data with the utmost care and make sure to store it safely and securely. We always strive to process your data within the EU/EEA. The data may however in certain situations be transferred to, and processed in, a destination outside of the EU/EEA by a supplier or subcontractor. We will take all reasonable contractual, legal, technical, and organisational measures to ensure that your data is treated securely and with an adequate level of protection compared to and in line with at least the level of protection offered within the EU/EEA. For example we make sure that our suppliers are themselves GDPR compliant.
Through our own research and the advice of GDPR consultants we have come to the conclusion that we (membermeister) and you (our customer) have a dual controllership for the data we handle. Since you and membermeister typically only process personal data for our own respective purposes, and not on behalf of the other part, there is no need for a Data Processing Agreement. In fact membermeister doesn't consider itself as a processor as we do not 'work' with your data, meaning we do not analyse it, transform it or - yes - process it in any way. You are providing your own and your customers' data to us for safekeeping and for the pruposes of convenience, for examplel so that you can send messages to them. This is not dissimilar from storing customer details in GMail or Apple Contacts. In other words both you as our customer and we as in membermeister work together in a business activity that requires processing the same personal data. We are not sharing the same pool of personal data for different and distinct purposes.
Our status under GDPR could therefore be called a dual controllership, not to be mixed up with a joint controllership. A dual controllership means that each of us is a separate and individual responsible data controller for our respective data processing activities (if any) relating to our mutual customer. None of us is processing any customer data on behalf of each other. This will not change with GDPR.
That said we will continue to evaluate our position and role under GDPR and if new evidence comes to light that means that our status needs to change then we will update this document accordingly.
Membermeister helps you meet the data portability requirements under the GDPR. You can, at any time, export your customer data in .csv format from your account and import it into other systems. The same applies to your invoice and payment data. If there's anything else you need then simply contact us and we can usually run a custom export for you.
We will also, on request, provide you with the data we store about you and will delete it in its entirety if you ask us to do so.