
Virtual meetings – how to keep your data safe

In the era of the epidemic threat, virtual meetings have strongly increased in popularity. The growth of this form of organising training and conferences has created new challenges for agencies and their clients regarding the security of personal data and the preparation of events in a way that complies with RODO regulations.

The popularity of virtual and hybrid meetings stems mainly from the bans and legal restrictions imposed by the government in connection with the pandemic. Participants in such events quickly appreciated the comfort and security that come with this form of meeting, and it should be assumed that they will remain a leading trend for good. Therefore, it is worth analysing what conditions should be met in order to organise an online event with respect for the principles of data protection and privacy of its participants.

Basic principles

Any business that uses personal data in its operations is subject to obligations under the RODO. The most important ones include:

  • Organising the activity in such a way that all personal data has a legal basis for processing (e.g. contract, consent, legal obligation) and that the amount of collected data and operations performed on it does not exceed the necessary minimum.
  • Organising technical data security measures – at least at the level of market standards, adequate to the amount of data held and their “sensitivity”.
  • Conducting organisational and formal activities – e.g. concluding agreements concerning RODO with clients and subcontractors, granting authorisations and providing instructions to employees, creating internal documentation describing data security measures and procedures (e.g. granting rights to databases, in case of a data security incident, in connection with transfer and disposal of documents and IT equipment with personal data).
  • Providing relevant information to the persons whose personal data are processed.

The simplest solution to the above problems seems to be the purchase of “RODO packages” on the Internet, the price of which starts from several hundred PLN. As part of such a purchase, we will receive a set of documents together with basic information that should be completed and implemented. Such a package often also contains guidelines for the IT specialist on how the data should be secured in technical terms. At the same time, it should be remembered that such an attractive offer also has its weaknesses. For a few hundred zlotys you will get a template that you have to understand, supplement and sometimes modify on your own, as it will not fully reflect the specifics of your business. However, for a micro-entrepreneur, it is an option worth considering: at a low cost and with a bit of self-denial, a sole trader or a small company can implement the RODO at a decent level with the use of such templates. Smaller mistakes will probably not be avoided, but the legal risk associated with this should still be significantly lower compared to entities that still do not accept the entry into force of RODO.

On the other hand, if the scale of the company’s activity is larger or data processing plays an important role in it, it is strongly recommended to involve a lawyer in the implementation of RODO and allow him/her to cooperate with an IT specialist or a company providing IT services. Only in this way will we receive a guarantee that the safeguards, processes, documentation, and information on data processing are adequate to the technical solutions used and the business activities undertaken. This will allow you to avoid possible fines of up to €20 million or 4% of last year’s revenue.

Online events

When organising an online event, in addition to the standard RODO challenges and obligations described above, we should take the following considerations into account:

  • Registration for an online event is usually done via forms on the website. Please note that the form should be accompanied by an appropriate RODO note, which also includes a reference to the privacy policy or terms and conditions where the participant can read the full information about the processing of personal data. The participant should be able to easily understand which data required in the form is mandatory and which is voluntary, and for what exact purposes it will be used by the organiser. If, when participants sign up for an event, we want to build our marketing base (e.g. newsletter), the option of expressing clear and voluntary consent to such activities should be made available to them. We must also not forget to regulate the issue of cookies on the website, as these files enable the collection of information about users and are closely related to the processing of personal data.
  • Online events involve sharing (and sometimes capturing) the images of speakers and participants. This issue should be regulated in detail in an agreement or the event regulations, as the image is one of the categories of personal data. We should bear in mind the regulations concerning the use of images for promotional and informational purposes, if such activities are envisaged.
  • It is important to recognise that the purchaser of a ticket and the participant in an event are usually different people. Moreover, if the purchaser is a company, it often acts through an employee whose contact details may be included on the form (e.g. accountant, assistant). In practice, data of as many as three categories of persons may be provided for the purposes of purchasing a ticket and attending an event. Our information, regarding the processing of personal data, should be tailored to each of them. We should also remember that consents given by one of these individuals do not cover the others.
  • Personal data should not be kept for longer than there is a specific, legitimate need for it. We should therefore consider at the planning stage of an event which data we need for accounting purposes or to deal with complaints, and which we can keep for longer, thanks to the consent given by participants. Other data for which we are unable to identify a reason for retention should be deleted immediately.
  • Organising an online event usually involves collecting a wide range of personal data. Name, surname, place of employment, position, address, login and password, email address, telephone number, bank account number, image – to name but a few. A possible leak of such data could cause serious problems for the participants and expose the organiser to high sanctions. This is why we should approach the subject of technical data security with complete professionalism. If our organisation does not have an expert in this field, we should seek help from a reliable company with experience and references. If it turns out that the data leak was caused by unreliable security methods, the chance of avoiding punishment for violating data protection legislation will be slim.
  • Several parties are usually involved in conducting an online meeting. These include clients, sponsors, organisers (one or more), and companies responsible for technical and marketing support. These entities are obliged to conclude appropriate agreements (with the content depending on their function in the processing of personal data), and the persons whose data are collected should be informed which companies have access to the database and for what reason.

The scope of obligations related to securing data at an online event is wide, and their execution is often challenging. However, for those organising these types of meetings, it is a necessity. In an era of growing general awareness of the importance of privacy, a professional approach to the subject of data protection should be considered a market standard and a natural necessity in the MICE industry.

The article appeared in Think Mice magazine: https://www.thinkmice.pl/news/prawo/3330-wirtualne-spotkania-jak-zadbac-o-bezpieczenstwo-danych

Author: Bartosz Mysiak, attorney at law, personal data protection practice, LSW Leśnodorski, Ślusarek i Wspólnicy.

He specialises in intellectual property law, new technology law, media and advertising law, consumer rights and personal data protection.

