Overview of GDPR and DoubleDutch

The European Union will enforce the General Data Protection Regulation (GDPR) starting on May 25, 2018 to strengthen the security and privacy of personal data of E.U. residents. We have been hard at work over the last year building tools and creating processes in accordance to the GDPR. Below we explain our initiatives and methods to ensure compliance with the GDPR for ourselves and for our customers.


  1. Our Commitment to Privacy and Security
  2. What Does GDPR Mean for You?
  3. Data Portability and Management Tools
  4. International Data Transfers
  5. Other Resources

1. Our Commitment to Privacy and Security

We’re working across all regions to ensure DoubleDutch’s products and contractual commitments are in line so customers can prepare themselves before May 25, 2018. Measures include – but are not limited to – the following:

  • Continued investment in security infrastructure
  • Updated contractual terms in place
  • Ensure continued support of international data transfers by maintaining our Privacy Shield certification, and by executing Standard Contractual Clauses through our updated Data Processing Addendum
  • Product offerings that include processes for data portability and data management

2. What Does GDPR Mean for You?

The Data Controller
GDPR Definition: The term “data controller” means a person or entity that (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be processed.

What does it mean?
The Data Controller is you –  the DoubleDutch customer or the event organizer. Whether you are a corporation, event organizer, or an association, etc., you own the data and the responsibility of your customers’ data, regardless of the technology you use to handle it.

The Data Processor
GDPR Definition: The term “data processor”, in relation to personal data, means any person (other than an employee of the data controller) or entity that processes personal data on behalf of the data controller.

“Processing”, in relation to information or data means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including—collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

What does it mean?
The data processor is DoubleDutch. While both parties must align on compliance, the burden of compliance rests with the controller. To manage this burden, the data controller is responsible for building procedures with their data processor to ensure compliance.

The role of the processor is to assist the controller in this regard, as a controller will often have a GDPR compliance process that involves multiple data processors.


3. Data Portability and Management Tools

To comply with the GDPR requirements pertaining to personally identifiable information (PII) redaction and removal, DoubleDutch has developed processes and internal tooling to accommodate requests.

Redaction Process

All GDPR customer requests will be executed within 30 days of receipt. If the individual requests that their data be purged and that data was also shared with third parties (ex. Exhibitors), then those companies will also be notified of the deletion request.

Steps to take for redaction requests:

  1. User must contact DoubleDutch via customer support or email (contact email available in Privacy Policy).
  2. A ticket is logged, which issues a confirmation email to the user to verify their identity per the email address on file.
  3. The user is asked to confirm their identity and specify their privacy request. User requests can be for one or more of the following:

• Record of PII collected

• Correction of PII

• PII deletion

• How PII is being used

Removal Process

Unless otherwise agreed in a written agreement with DoubleDutch, Event PII data will be purged upon written Customer request within sixty (60) days following the termination or expiration of the agreement. Customers may also submit written data removal requests during the term of their current agreement.

  • Following a request, prior to the data redaction, an email will be sent to the organizer for the event(s) informing them which data will be removed. Once the event organizer confirms, DoubleDutch will proceed with the redaction, and the data will not be recoverable.
  • For mid-contract requests, organizer data (including login credentials) will not be purged to allow the event organizers to continue to access the Content Management System (CMS).
  • For mid-contract requests, PII will be purged, but not event data – organizers will still be able to duplicate events in the
    CMS and access reporting (but with PII redacted).

4. International Data Transfers

To comply with E.U. data protection laws concerning international data transfer, DoubleDutch is certified under the E.U.-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield.

These frameworks were created to establish a way for companies to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States.

In addition, we offer standard Model Clauses, also known as Standard Contractual Clauses, to meet adequacy and security requirements for our customers who operate in the E.U.

5. Other Resources

• E.U.-U.S. Privacy Shield

• Privacy Policy

• End User License Agreement (EULA)

• Customer Terms of Service (U.S.)

• Customer Terms of Service (EMEA)