[Updated 03/23/2020] Whova is compliant with EU-US Privacy Shield
We comply with the EU-US Privacy Shield regarding the collection, use, and retention of personal information transferred from the EU and Switzerland.
If there is any conflict between the terms in this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.
As participating in the Privacy Shield, we are subject to the jurisdiction and enforcement powers of the US Federal Trade Commission. We may be liable for the onward transfer of personal data to a third-party agent, as described in the Privacy Shield Principles. Under certain circumstances, we may be required to disclose personal information to public authorities, for law enforcement purposes. To learn more about the Privacy Shield framework please visit: https://www.privacyshield.gov/
If you have European attendees at your event, you are subject to a new European Union law, the General Data Protection Regulation (GDPR). This law protects the privacy of Europeans and enforces responsible stewardship of EU residents’ data. Like many other companies, Whova is preparing for the GDPR when it comes into effect in May 2018.
We assure you that we are taking the GDPR requirements very seriously and are working on this to ensure that our customers will be fully GDPR compliant. We believe that our current company practices are very respectful of our users’ privacy and applicable privacy laws, but we are using this occasion to prepare for GDPR as another opportunity to ensure that we do even better.
Whova’s GDPR readiness status and plans
- Consent – Active consent must be given by European attendees in order to store their data. European attendees must explicitly agree to storage of their data as opposed to submitting a form where a “yes” agreement is pre-selected.
For GDPR compliance, Whova’s product team is adding an active consent form in the app to get app users’ approval for Whova’s use of their sign-up information (e.g. email address, name). Whova mainly uses the information to authenticate their identity by comparing it with the registrant list you upload to the Whova dashboard. In that way, we can protect your event information on the app (e.g., session discussion, attendee comments, photos, etc.) from strangers.Regarding the registrant list you upload to Whova for the app, if you use a third party registration system, you will need to check the vendor’s GDPR compliance when you collect the registrant information with their service. If you use both Whova registration and the app, you don’t need to worry. We will provide an active consent form on the registration webpage.
- Data Editing and Deletion – Whova already has the ability to allow attendees to edit or delete their personal data. If your attendees want to edit their profiles shown on the app (e.g., affiliation, headshot), they can do so by themselves through the app. They can also decide whether to go invisible to others or remain visible for networking by changing their profile visibility setting. If they want to remove personal data completely from the Whova system, they can directly contact us. We can find, isolate, and purge attendee data from the system if needed. If your attendee asks you to remove their personal data, you can simply forward the request to us (support@whova.com) and our support team may reach out to the user directly to confirm the request.
- Security – Whova already uses state of the art, high-security cloud systems hosted by Amazon Web Services (AWS), the strongest industry-standard cryptographic protocol, SSL, and the most secure payment processor that complies with PCI DSS. We will continue to ensure that our security practices are always first class with cutting-edge technology. Please find the details here.
- Breach Notification – In a case where we are a data processor over attendees’ personal data accessed in an unauthorized manner, we will notify you and the attendees within 72 hours of such incident.
- Vendors – We’re reviewing our vendors and sub-processors to make sure that each meets the new requirements of the GDPR. We will continue the evaluation.
- Legal updates – We are introducing some changes to our legal terms (e.g. Terms of Use, Privacy Policy and Data Processing Agreement) to enable Whova and its customers to comply with GDPR requirements, including clearly describing how personal data is being used. We will notify you of these changes through our websites and emails.
We are confident of our ability to ensure that we can comply with GDPR by the deadline in May 2018. If you have any specific questions regarding the GDPR requirements and how this may impact your use of Whova, please feel free to let us know and our GDPR team will respond.