EntryThingy - digital call for entries, entry management and jurying software for art, photography and video exhibitions, festivals, fairs and competitions

General Data Protection Regulation (GDPR) compliance

From https://gdpr.eu/checklist

What information we process and who has access to it

Purposes of the processing

Enable the call for artists entry and jurying process for art organizations and artists.

What kind of data we process

User profile including email address, password for logging in, name, address, phone number, website artist statement and resume.
Entry applications with responses to different questions regarding the entry such as description of work, entry category, requested booth size etc.
Images of artwork and associated metadata such as title, medium, price, dimensions.
Jury points for ranking entries / artwork entered into a call
Entry and piece status to determine which artists / artwork are accepted / not accepted

Who has access to it in our organization

While we use encryption to protect sensitive information transmitted online, we also protect your information offline. Only employees who need the information to perform a specific job (e.g, customer service) are granted access to personally identifiable information. The computers/servers on which we store personally identifiable information are kept in a secure environment. Hard drives and passwords are encrypted.

Third parties that have access

Art organizations hosting the calls have access to profile and application data from entrants that apply to their calls.

What we're doing to protect the data

Data is encrypted using SSL between clients and our servers. Data is stored on secure MySQL servers on AWS EC2 instances.
Images or stored securely on AWS S3.
Local backups are stored on drives encrypted with Microsoft BitLocker. Passwords are encrypted again using Keepass.

When we delete data

User profiles are automatically deleted after a time of non-use.
Calls are deleted when the organizations hosting the calls delete them. We keep backups of deleted calls for one year after the deadline date of the call.

Justification for our data processing activities

Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

Privacy Policy

Our privacy policy explains how the data is processed, who has access to it, and how we're keeping it safe at https://www.entrythingy.com/privacy.html

Data protection

Data protection is something we consider whenever we do anything with other people's personal data. We make sure any processing of personal data adheres to the data protection principles outlined in GDPR Article 5. Technical measures include encryption, and organizational measures like limiting the amount of personal data we collect or deleting data we no longer need. This is something we are always aware of.

Encryption

We use SSL encryption for all transfers of data between client software and our servers. Local backup drives are encrypted. Passwords are hashed in the database.

Internal security policy

We have a security policy that ensures our team members are knowledgeable about data security. It includes guidance about email security, passwords, two-factor authentication and device encryption.

Data protection impact assessments

We do not believe that this is required - see https://gdpr.eu/article-35-impact-assessment/

Data breach

If there's a data breach and personal data is exposed, we will notify the supervisory authority in our jurisdiction within 72 hours.

Responsibility for ensuring GDPR compliance across organization

Our CEO is accountable for GDPR compliance. This person is empowered to evaluate data protection policies and the implementation of those policies.

GDPR of 3rd parties

We use Amazon's AWS for all of our cloud services. See https://aws.amazon.com/compliance/gdpr-center/

Privacy rights

Users can login here https://www.entrythingy.com/login.html and view their data through ?My Profile? - entrants can review their entries here https://www.entrythingy.com/artists
Users can update their profile information at any time as stated above.
Users can request that their personal information be deleted by emailing hello@entrythingy.com
Users can ask us via email to stop processing their data, remove their profile information and entries.
Users can request a copy of their data via email.
We do not make decisions about people based on automated processes.