General Data Protection Regulation (GDPR) compliance
What information we process and who has access to it
Purposes of the processing
Enable the call for artists entry and jurying process for art organizations and artists.
What kind of data we process
- User profile including email address, password for logging in, name, address, phone number, website, artist statement and resume.
- Entry applications with responses to different questions regarding the entry such as description of work, entry category, requested booth size etc.
- Images of artwork and associated metadata such as title, medium, price, dimensions.
- Jury points for ranking entries / artwork entered into a call
- Entry and piece status to determine which artists / artwork are accepted / not accepted
Who has access to it in our organization
While we use encryption to protect sensitive information transmitted online, we also protect your information offline. Only employees who need the information to perform a specific job (e.g., customer service) are granted access to personally identifiable information.
The computers/servers on which we store personally identifiable information are kept in a secure environment. Hard drives and passwords are encrypted.
Third parties that have access
Art organizations hosting the calls have access to profile and application data from entrants that apply to their calls.
What we're doing to protect the data
- Data is encrypted using SSL between clients and our servers. Data is stored on secure MySQL servers on AWS EC2 instances.
- Images are stored securely on AWS S3.
- Local backups are stored on drives encrypted with Microsoft BitLocker. Passwords are encrypted again using KeePass.
When we delete data
- User profiles are automatically deleted after a time of non-use.
- Calls are deleted when the organizations hosting the calls delete them. We keep backups of deleted calls for one year after the deadline date of the call.
Justification for our data processing activities
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
Data protection is something we consider whenever we do anything with other people's personal data. We make sure any processing of personal data adheres to the data protection principles outlined in GDPR Article 5.
Technical measures include encryption; organizational measures include limiting the amount of personal data we collect or deleting data we no longer need. This is something we are always aware of.
We use SSL encryption for all transfers of data between client software and our servers. Local backup drives are encrypted. Passwords are hashed in the database.
Internal security policy
We have a security policy that ensures our team members are knowledgeable about data security. It includes guidance about email security, passwords, two-factor authentication and device encryption.
Data protection impact assessments
We do not believe that this is required - see https://gdpr.eu/article-35-impact-assessment/
If there's a data breach and personal data is exposed, we will notify the supervisory authority in our jurisdiction within 72 hours.
Responsibility for ensuring GDPR compliance across organization
Our CEO is accountable for GDPR compliance. This person is empowered to evaluate data protection policies and the implementation of those policies.
GDPR of 3rd parties
We use Amazon's AWS for all of our cloud services. See https://aws.amazon.com/compliance/gdpr-center/
- Users can log in here https://www.entrythingy.com/login.html and view their data through "My Profile".
- Entrants can review their entries here https://www.entrythingy.com/artists
- Users can update their profile information at any time as stated above.
- Users can request that their personal information be deleted by emailing email@example.com
- Users can ask us via email to stop processing their data, remove their profile information and entries.
- Users can request a copy of their data via email.
- We do not make decisions about people based on automated processes.