Who is the controller of the data collected in connection with events held on your platform?
The Customer is the controller of Event Content: You, our customer, are the owner and controller of all your event content such as recordings of events, materials you stream during the event, attendee chat transcripts, etc. (“Event Content”). Hopin is the processor (or service provider in the US) for your Event Content. Given that your Event Content may also embed the personal data of your speakers and attendees, you will be solely responsible for securing consent, contractual agreement, or establishing a lawful basis for processing that embedded personal data. You are also responsible for data subject requests relating to Event Content. Hopin, as your processor, will act on your instructions for handling your data subject requests to help remove or anonymize the personal data of the data subject. Note, however, that we are unable to remove or obscure faces and voices from your Event Content because they are embedded in your recording.
Both Customer and Hopin are Controllers of Attendee Data: Both Hopin, and you, as our customer, are each independent controllers of any registration and signup data (“Account Data”). For example, when an attendee registers for the event directly through Hopin’s sign-up platform (with Hopin branding), then Hopin is the controller of the signup and event registration data. When you download a list of attendees for an Event, then you are the controller of that list of attendees. Each of us is separately responsible for meeting any legal requirements with any individual who signs up for an account and registers for an event, regardless of whether that happens through the Hopin signup platform, or other integrated ticketing platform. The exception to the above is any profile and event data that the registrant gives us independent of your event, for which Hopin remains the controller.
Can you sign our DPA instead of Hopin’s?
Unfortunately, no. The Hopin DPA is specific to Hopin's data handling constructs, services, and privacy practices. Non-Hopin DPAs are often not complete enough to contemplate the data handling constructs discussed above.
You can review our DPA online by visiting https://hopin.com/dpa. When you purchase a subscription with Hopin, the DPA is automatically incorporated by reference into the Platform Terms and deemed signed by both parties.
Note, we comply with GDPR and CCPA. The Hopin DPA includes the standard contractual clauses (SCCs) to comply with GDPR, UK, and Swiss data transfer adequacy requirements.
We are a US-based company. If you store our US user data in Ireland, does that automatically make us subject to GDPR?
No. This is a common misconception. If your company is not currently subject to GDPR, simply using Hopin as an EU processor does not make you subject to GDPR. The European Data Protection Board released guidelines to clarify this to overcome the obviously undesirable effect of discouraging non-EU companies from doing business with EU companies.
Your company may be subject to GDPR for other reasons (you target EU users, you have an established presence in the EU) so please consult your legal counsel.
Read the European Data Protection Board’s full guidance. Specifically see Section 1(d) on Page 12. For your convenience, here are excerpts and an example from that guidance (emphasis added).
“That is to say, a “non-EU” controller . . . will not become subject to the GDPR simply because it chooses to use a processor in the Union. By instructing a processor in the Union, the controller not subject to GDPR is not carrying out processing “in the context of the activities of the processor in the Union” . . . However, even though the data controller is not established in the Union and is not subject to the provisions of the GDPR as per Article 3(2), the data processor, as it is established in the Union, will be subject to the relevant provisions of the GDPR as per Article 3(1).
Example 7: A Mexican retail company enters into a contract with a processor established in Spain for the processing of personal data relating to the Mexican company’s clients. The Mexican company offers and directs its services exclusively to the Mexican market and its processing concerns exclusively data subjects located outside the Union. In this case, the Mexican retail company does not target persons on the territory of the Union through the offering of goods or services, nor it does monitor the behaviour of person on the territory of the Union. The processing by the data controller, established outside the Union, is therefore not subject to the GDPR as per Article 3(2). The provisions of the GDPR do not apply to the data controller by virtue of Art 3(1) as it is not processing personal data in the context of the activities of an establishment in the Union. The data processor is established in Spain and therefore its processing will fall within the scope of the GDPR by virtue of Art 3(1). The processor will be required to comply with the processor obligations imposed by the regulation for any processing carried out in the context of its activities.”
What about Brexit?
While the details of post-Brexit data transfer from the UK to the EU are still being finalized, we are all in an effective grace period, which means that the EU has delayed data transfer restrictions at least until April (and this could be extended). After that time, if the UK has received an adequacy determination, no additional steps for transfers from the EU to the UK will be required. Alternatively, we can use the standard contractual clauses approved by the European Commission (“EC”) for data from the EU to the UK. The links to the current standard contractual clauses that are published by the EC are incorporated by reference into our DPA, so that any updates approved by the EC will automatically apply to you and Hopin.
For the opposite direction of transfer from UK to EU, there has been no practical change from before Brexit. The UK has issued guidance that UK companies like Hopin can continue to send personal data to EU countries which are still deemed adequate.
For data transfer from the UK to non-EU/EEA countries, the UK has advised that the standard contractual clauses approved by the European Commission are adequate from the UK perspective.
Where will our data be stored?
Visit https://hopin.com/security for a full breakdown by data type.
How does Hopin handle our Customer’s data subject requests?
For data that is in Hopin’s possession or control, and not yours, send an email to us at [email protected] with “DATA REQUEST” in the subject line. Please include your company name, the data subject’s email address, and specific instructions on how to handle the request with respect to data over which we are a processor.