GDPR and membermeister

Here we explain what data we collect, why we collect it, how we use it and what we do to protect it, as well as your choices with regard to your data.

Effective date: May 25, 2018. Last Updated: June 19, 2020

What is GDPR

GDPR stands for General Data Protection Regulation. For individuals in Europe, GDPR expands their data privacy rights and gives them more power to control their data. For companies that process the personal data of individuals in Europe, GDPR requires compliance with a new set of rules. The GDPR applies to all personal data that is handled within the borders of the EU, or that relates to individuals in the EU, no matter where the organisation handling the data is located. The main aim of the GDPR is to unify and simplify the regulatory environment and to strengthen the data protection of individuals in the same way across the EU. For individuals this means increased control over their personal data; for businesses active in Europe the GDPR comes with additional requirements on how to handle personal data. Even though some things change, a lot of things stay the same.

Membermeister's view on GDPR

Our ambition is to build great products that benefit our customers and their customers. To do that, personal data is required not only to provide our core services and fulfil legal obligations but also to remove unnecessary repetitive steps and allow for personalisation, providing a smooth user experience. For example, on a simple level, we will try to pre-fill form fields intelligently where it makes sense, or insert someone's name into an email to personalise it. At membermeister we treat personal data with the utmost care and, where needed, adapt our products, systems and processes to the standards outlined in the GDPR. Beyond the introduction of GDPR we will keep enhancing our services with our customers' privacy in mind.

Your data - what information we collect

In order to provide this service to our customers we store their details as well as their customers' details, including some related information and some personal details such as medical conditions. We keep this data as secure as we possibly can, while also weighing up the benefit of having, for example, someone's allergy details at hand against the option of not knowing this information at all. The GDPR, whilst welcome from a privacy point of view, does not override other legislation and obligations that our customers are subject to. These may include safeguarding obligations, health and safety requirements, accounting and record-keeping requirements and other legal obligations.

You may directly or indirectly give us information about yourself in a variety of ways. Typical examples are:

- You visit our website and register an interest in our product
- You use one of our customers' registration forms, in which case we store your details in our customer's account
- You contact us

We always make sure to collect personal information with the utmost consideration for your privacy. For more detail on how we respect your privacy, please read our Privacy Policy. If you want to know how your information is treated, check out What do we do with your information?

What do we do with your information?

It is important that you are aware of how we handle your personal information. There are different scenarios where we need to store your information. Typical examples are:

- We might need to follow up with you by email after you have contacted us
- We will send you an invoice relating to your business activities with us
- If you use membermeister as a customer of one of our merchants we will store your details in that customer's account so they can provide you with their services or contact you

Depending on the technical setup between membermeister and the merchant you are dealing with, we will need to pass on some of the data collected by us. This could be for the simple reason of providing the merchant with your email address so that they know how to contact you. In many cases you would have provided this data to the merchant directly on a previous occasion.
We collect personal information with great consideration for your privacy. We will never pass your data on to third parties without your explicit consent unless we are required to do so by law.

About consent

A common misconception is that you require consent if you want to contact someone or store their personal details. This is not correct. You do need to have a legal basis to process the personal data of an individual in the EU, but consent is only one of several such bases. In most cases, membermeister customers already have an ongoing business relationship with the people whose personal data they store and as such they have a contractual basis for contacting them. In other cases the legitimate interests basis of the GDPR can apply, and this allows you to contact your existing customers with relevant information about matters in which they may have a legitimate interest. As an example, it is generally fine to send your dance school student the dance school newsletter even if they haven't given you explicit consent. That's because it is reasonable to assume that they have an interest in the content because they take dance lessons with you.

If you do rely on consent, you need a written record of when and how someone agreed to let you process their personal data. Consent must also be unambiguous and involve a clear affirmative action. This means clear language and no pre-ticked consent boxes.

How long we store your data

We keep your data as long as needed to fulfil the purpose for which it was collected, for instance to fulfil our contractual obligations towards you or to pursue our legitimate interests, until there is no longer any legal requirement or right for us to keep the data. Typically this means until you close your account with us (if you are a membermeister customer) or until the merchant decides to delete your data (if you are a customer of one of our merchants). Each membermeister customer will have their own GDPR compliance requirements and obligations, and you should contact them for more details about that.

Further information

Please refer to our data processing terms below for a detailed background on our GDPR related activities.

Data Processing Terms

  1. Definitions

    1. In these Data Processing Terms the following definitions apply:
      applicable law means applicable law of the United Kingdom (or of a part of the United Kingdom);
      Controller has the meaning given in applicable Data Protection Laws from time to time;
      Data Protection Laws means, as binding on either party or the Services:
      1. the GDPR;
      2. the Data Protection Act 2018;
      3. any laws which implement or supplement any such laws; and
      4. any laws that replace, extend, re-enact, consolidate or amend any of the foregoing;
      Data Subject has the meaning given in applicable Data Protection Laws from time to time;
      GDPR means the General Data Protection Regulation, Regulation (EU) 2016/679, as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or of a part of the United Kingdom from time to time);
      International Organisation has the meaning given in applicable Data Protection Laws from time to time;
      Personal Data has the meaning given in applicable Data Protection Laws from time to time;
      Personal Data Breach has the meaning given in applicable Data Protection Laws from time to time;
      processing has the meaning given in applicable Data Protection Laws from time to time (and related expressions, including process, processed and processes shall be construed accordingly);
      Processor has the meaning given in applicable Data Protection Laws from time to time;
      Protected Data means Personal Data received from or on behalf of You in connection with the performance of Our obligations under these Data Processing Terms;
      Services means the web services, services delivered through membermeister accounts, any associated software, and other services related thereto provided to You by Us in accordance with this agreement and with the characteristics and features as described at from time to time;
      Sub-Processor means any Processor engaged by Us (or by any other Sub-Processor) for carrying out any processing activities in respect of the Protected Data on Your behalf;
      Us/We means Membermeister Ltd (Co. No. 08405687) whose registered address is at 20-22 Wenlock Road, London, England, N1 7GU; and
      You/Your means the business customer paying for a licence to use the Services.
  2. Your compliance with Data Protection Laws

    1. The parties agree that You are a Controller and that We are a Processor for the purposes of processing Protected Data pursuant to this Agreement. You shall, at all times, comply with all Data Protection Laws in connection with the processing of Protected Data. You shall ensure all instructions given by You to Us in respect of Protected Data (including these Terms) shall at all times be in accordance with all Data Protection Laws. Nothing in these Terms relieves You of any responsibilities or liabilities under any Data Protection Laws.
    2. These Data Processing Terms also apply to the situation where You process Protected Data on behalf of another Controller and We act as Your sub-processor.
  3. Our compliance with Data Protection Laws

    1. We shall process Protected Data in compliance with the obligations placed on Us under Data Protection Laws and these Data Processing Terms.
  4. Indemnity

    1. You shall indemnify Us and keep Us indemnified against all losses, claims, damages, liabilities, fines, sanctions, interest, penalties, costs, charges, expenses, compensation paid to Data Subjects, demands and legal and other professional costs (calculated on a full indemnity basis and in each case whether or not arising from any investigation by, or imposed by, a supervisory authority) arising out of or in connection with any breach by You of Your obligations under these Data Processing Terms.
  5. Instructions

    1. We shall only process (and shall ensure that Our personnel only process) the Protected Data in accordance with Your instructions as updated from time to time in writing unless otherwise required by applicable law (in which case We shall inform You of that legal requirement before processing, unless applicable law prevents Us doing so on important grounds of public interest).
    2. If We believe that any instruction received by Us from You is likely to infringe the Data Protection Laws We shall inform You and be entitled to cease to provide the relevant Services until the parties have agreed appropriate amended instructions which are not infringing. The Charges payable to Us shall not be discounted or set-off as a result of any resulting delay or non-performance of any obligation due to Our ceasing to provide the Services in these circumstances.
  6. Security

    1. We shall implement and maintain the technical and organisational measures necessary to protect the Protected Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access.
    2. During the period in which We process any Protected Data, You shall undertake a documented assessment at least every 12 months of whether the security measures implemented in accordance with these Data Processing Terms are sufficient (taking into account the state of technical development and the nature of processing) to protect the Protected Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access. You shall notify Us within 10 days of full details of the assessment and its outcome and of any additional measures You believe are required as a result of the assessment. We shall not be obliged to implement any further or alternative security measures except as agreed as a binding variation of these Data Processing Terms.
  7. Sub-processing and personnel

    1. We shall:
      1. not permit any processing of Protected Data by any Sub-Processor without Your prior specific written authorisation;
      2. prior to any Sub-Processor carrying out any processing activities in respect of the Protected Data, ensure such Sub-Processor is appointed under a binding written contract containing materially the same obligations as under these Data Processing Terms (including those relating to sufficient guarantees to implement appropriate technical and organisational measures) and ensure such Sub-Processor complies with all such obligations; and
      3. ensure that all natural persons authorised by Us or any Sub-Processor to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential.
    2. You shall reply to any communication from Us requesting any specific authorisation of a Sub-Processor promptly and in any event within 10 Business Days of request from time to time. You shall not unreasonably withhold, delay or condition any such authorisation.
  8. Assistance

    1. We shall (at Your cost and expense) assist You in ensuring compliance with Your obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the processing and the information available to Us.
    2. We shall (at Your cost and expense) and taking into account the nature of the processing, assist You (by appropriate technical and organisational measures), insofar as this is possible, for the fulfilment of Your obligations to respond to requests for exercising the Data Subjects' rights under Chapter III of the GDPR in respect of any Protected Data.
    3. We shall at Your cost and expense refer to You all requests We receive for exercising any Data Subjects' rights under Chapter III of the GDPR which relate to any Protected Data. It shall be Your responsibility to reply to all such requests as required by applicable law.
  9. International transfers

    1. We shall not process and/or transfer, or otherwise directly or indirectly disclose, any Protected Data in or to any country or territory outside the United Kingdom or to any International Organisation without Your prior written authorisation except where required by applicable law.
  10. Audits and processing

    1. We shall, in accordance with Data Protection Laws, make available to You on request such information that is in Our possession or control as is necessary to demonstrate Our compliance with the obligations placed on Us under these Data Processing Terms and to demonstrate compliance with the obligations on each party imposed by Article 28 of the GDPR, and allow for and contribute to audits, including inspections, by You (or another auditor mandated by You) for this purpose (subject to a maximum of one audit request in any 12 month period).
  11. Breach

    1. We shall notify You without undue delay and in writing on becoming aware of any Personal Data Breach in respect of any Protected Data.
  12. Deletion/return

    1. At the end of the provision of the Services relating to the processing of Protected Data (the Processing End Date), at Your cost and expense and Your option, We shall either return all of the Protected Data to You or securely dispose of the Protected Data (and thereafter promptly delete all existing copies of it) except to the extent that any applicable law requires Us to store such Protected Data. To the extent You have not notified Us within 10 Business Days of the Processing End Date that You require the return of any Protected Data We are irrevocably authorised to securely dispose of the Protected Data at Your cost and expense.
    2. On Your request We shall confirm in writing whether or not We have complied with Our obligations to dispose of the Protected Data under these Data Processing Terms.
  13. Survival

    1. These Data Processing Terms shall survive termination or expiry of any agreement for the provision of Services until the later of:
      1. the termination or expiry of these Data Processing Terms; or
      2. the return or secure deletion or disposal of the last of the Protected Data in Our (or any of Our Sub-Processor's) possession or control in accordance with these Data Processing Terms.