pretix and GDPR
If there's one topic keeping everyone busy across all industries right now, it's the new EU legislation on data privacy. With this blog post, we want to tell you how we're handling GDPR and how it affects you if you use our services.
Please note that this blog post is not legal advice. If you need to be sure, please consult a legal expert in your country of residence.
A bit of history
To oversimplify, privacy was the main reason to create pretix in the first place. Raphael started developing pretix in September 2014, after being a volunteer on the organizing team of a German IT-security conference for two years. When running an IT-security conference with a focus on privacy-related topics, you are in a bad position to use a ticketing provider that resides in a country with different legislation and unclear use of data – it just looks (and is) very inconsistent. Additionally, the conference is running on a tight budget, so we were basically left with self-hosted ticket shop options.
At the time, the available solutions for self-hosted ticket shops were more than unsatisfactory, even for a small conference. We tried out two different options in 2013 and 2014, and then pretix was created.
With that bit of history, it is clear why privacy was very important to us right from the start. To follow through on that, the first step is obviously to avoid collecting data. You don't need to protect data you don't have. With pretix, it's possible to create a ticket shop that only requires an email address to buy a ticket. With pluggable payment providers you can implement payment in cash, which leaves you with as little data as absolutely possible.
Speaking of pretix Hosted, we're hosting in German datacenters, operated by German companies. We have never stored any IP addresses of our users, and we employ encryption on every connection, even between our own servers. When something goes wrong, we're transparent about it. We've also put together a new page listing our data security efforts.
We don't use automated individual decision-making or profiling in any of our operations.
If you're running your event with pretix Hosted, rest assured that we deeply believe that your data is yours. We won't ever contact your customers or give their data to anyone else without your approval.
We've been doing most of this for a long time, but GDPR is an opportunity to formalize many of these things and talk about them. It has also been an opportunity for us to implement some features that we wanted to have for a long time but never got around to building.
We're happy that the European Union is working to improve privacy standards. However, GDPR has the side-effect of creating overly complex and extensive bureaucracy and, in many cases, it is still unclear how many of its articles will be interpreted in practice.
In terms of GDPR, for most data (such as all information on ticket buyers), you as the event organizer act as the data controller. This means you are responsible for ensuring that the data is used in a way that is compliant with the law. We are a data processor working with the data on your behalf.
At the same time, we are the controller for some other data, such as your user account to access the backend or any emails sent to or from us.
On the surface, this is nothing new. Germany's former privacy law (BDSG) had a similar construct and with some customers, we had signed Data Processing Agreements before. As your processor, we do everything we can to make it easy for you to stay compliant with GDPR.
Make sure to check how things are with your other data processors, which might include your payment providers.
Data Processing Agreement
To make this short and sweet, we've worked with our lawyers to prepare a template contract. If you log in to pretix.eu and go to the settings of your organizer account, you will see a new tab called "Data protection". On this page, you can download a contract that is pre-filled with your name and address and pre-signed by us. You can print it out, sign it and re-upload a scan on the same page to make the contract come into effect. In case you're wondering, Art. 28 (9) specifically allows electronic forms for this type of contract.
If you had a data processing agreement with us based on old German privacy law, we ask you to go through the same process to renew it.
If you only use your attendees' data to process the ticket sales and enable their attendance, you're fine based on Art. 6 GDPR (1) b since you need to process the data to fulfil the sales contract. However, if you ever want to use the data for something else, such as sending them marketing emails later or giving their data to any of your partners, you will need to get their consent.
Keep in mind that, when the processing is not absolutely necessary for fulfilling the contract, the consent needs to be optional, i.e. all marketing usage of data needs to be opt-in.
pretix allows for three ways to collect consent:
You can use our "Questions" feature to add both optional and required yes/no-questions to all your products. This will also show up in your exports, so you can filter your data by these answers before you use it for other purposes.
In your event settings, you can find the "Confirmation text" settings. If you enter a text there, this will be presented on the order confirmation page and the user will be required to check a box next to this text in order to proceed with the sale. Starting with pretix 1.16 (or the current version on pretix Hosted), this will also be permanently documented to the order's activity log.
If you use the "Pages" plugin, you can configure that the contents of a certain page need to be confirmed. This will lead to the same type of required confirmation as the setting above.
In any case, you need to inform people about how you process their data, who you share it with and for how long. On pretix Hosted, we automatically add a privacy information page to your shop with information on how we process the data and where pretix transmits it, but we can't know what you do with the data outside of pretix. We recommend using the "Pages" plugin to add your own privacy statement visibly to the shop.
Rights of the data subject
GDPR grants each individual a number of rights on their data. It is your job to fulfil them, but it's our job to make this easy for you. Here's how!
Right of access
Every person you store data about has a right to know what you store, why, who you share it with and for what timeframe. Obviously, we can know only a small part of that, since we don't know what you do with the data outside of pretix. To make your life easier, we've added a tool to the "Data protection" tab in your organizer settings that allows you to generate a detailed PDF report with all data that is stored on our systems for a specific person, identified by their email address.
Alternatively, you can refer them to our privacy page where we've added a self-service data report tool that reports on all data stored on our systems.
This is currently only available on pretix Hosted, since it requires insight into and adaptations to the exact plugins installed. If you're a pretix Enterprise customer and interested in this feature, please get in touch!
Right to erasure
Art. 17 (1) GDPR tells you that you need to delete all data that you stored about someone on their request. However, Art. 17 (3) b exempts data that you are legally obliged to keep, which in practice covers the financial records of your ticket sales.
We therefore think that in most cases it is neither necessary nor advisable to delete individual ticket data from pretix and we have therefore not added functionality for this for the moment. If someone asks you to delete their data, we recommend deleting it from all other storages that you work with and telling them that you need to keep it in your shop system for reasons of financial auditability (Art. 17 (3) b GDPR). Do also tell them how long you will keep it there.
However, since it's your decision in the end what data you trust us with and we feel uncomfortable forcing you to trust us with your data for longer than you want, we have added a feature that we call the data shredder in our most recent release.
If your event is over for more than 60 days, you can use the data shredder to remove all personal data from our servers regarding that event. You can either choose all data or just some categories (e.g. delete question answers and e-mail addresses, but keep invoices). You can then first export the data to store it in a safe place and then delete it from our server. This does not delete any orders and does not change any numbers, but it effectively anonymizes the data. Using the pretix database, one will no longer be able to assign orders to individual persons.
On pretix Hosted, the data will still be in our backups, but we keep them in a separate storage and automatically delete them after a maximum of 3 months.
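The data shredder described above, modelled as a small illustration: this is added example code, not pretix's own implementation, and the order fields, category names and sample orders are constructed assumptions. It shows the properties the text promises: the tool refuses to run until the event has been over for more than 60 days, exports a copy before touching anything, removes only the selected categories, and leaves order codes, order count and amounts untouched.

```python
from dataclasses import dataclass, asdict, replace
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple
import json

SHREDDER_WAIT_DAYS = 60  # the shredder is only offered once the event is over for more than 60 days

@dataclass(frozen=True)
class Order:  # hypothetical, simplified order record
    code: str                                  # order code: kept so bookkeeping stays intact
    total: float                               # amount paid: never touched by the shredder
    email: Optional[str]
    answers: Dict[str, str]                    # question answers, e.g. the opt-in consents above
    invoice_address: Optional[Dict[str, str]]

# Selectable categories, after "delete question answers and e-mail addresses, but keep invoices"
CATEGORIES = {"email", "answers", "invoices"}

def shredder_allowed(event_end: date, today: date) -> bool:
    """True only when the event has been over for *more than* 60 days."""
    return today - event_end > timedelta(days=SHREDDER_WAIT_DAYS)

def export_orders(orders: List[Order]) -> str:
    """Step 1: export everything first, so a copy can be stored in a safe place."""
    return json.dumps([asdict(o) for o in orders], sort_keys=True)

def shred(orders: List[Order], categories: Set[str],
          event_end: date, today: date) -> Tuple[str, List[Order]]:
    """Remove the chosen categories of personal data; orders and amounts stay."""
    unknown = categories - CATEGORIES
    if unknown:
        raise ValueError(f"unknown shredder categories: {sorted(unknown)}")
    if not shredder_allowed(event_end, today):
        raise PermissionError("event must be over for more than 60 days")
    backup = export_orders(orders)
    shredded = []
    for o in orders:
        if "email" in categories:
            o = replace(o, email=None)
        if "answers" in categories:
            o = replace(o, answers={})
        if "invoices" in categories:
            o = replace(o, invoice_address=None)
        shredded.append(o)  # same number of orders, same totals, no link to a person
    return backup, shredded

# Constructed sample data, not real orders
SAMPLE_ORDERS = [
    Order("ABC12", 49.0, "alice@example.org", {"newsletter": "yes"}, {"name": "Alice", "city": "Berlin"}),
    Order("DEF34", 49.0, "bob@example.org", {"newsletter": "no"}, None),
]
```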
Right of rectification
If a person you store data about comes to you with a request to rectify inaccurate data, you can do so easily through the pretix backend interface.
Right to restriction of processing
Art. 18 GDPR grants the data subject a right to request a restriction of processing of their data under particular preconditions. In this case, you may only store the data and may not process it in any other way. Since pretix doesn't do much with the data by itself except storing it, it's up to you to make sure you don't process the data any further in this case.
Right to data portability
Art. 20 GDPR grants a version of the right of access (see above) that entitles a person to request their data from you in a machine-readable format to transfer it to another controller. Since you are probably the only entity that is offering ticket sales for your event, we believe this case is highly unlikely/irrelevant for the scope of ticket sales. Should it occur, we advise using our API or one of our many export formats to obtain a file from which you can extract an individual's data in a machine-readable format. If that's too technical for you, just contact us at firstname.lastname@example.org if the case arises.
Changes to our terms of service
We've changed our terms of service slightly to account for the changes imposed by GDPR. In essence, only the following has changed:
We're making clear that you're the controller and we're the processor.
We're making clear that you have a right to sign a Data Processing Agreement with us.
This change will take effect for new customers immediately and for current customers six weeks after they have been notified about it. As part of our efforts to be a transparent company, we've now published our terms of service on GitHub together with their source, enabling you to compare their changes easily.