Data protection compliance for European users

I have already discussed this issue in General Discussions but just wanted to formally place it in the Wishlist.

This is the gist of current EU legislation on transfer of data outside the EU :

"Transfers may be made to any country or territory in respect of which the Commission has made a ‘positive finding of adequacy’. . . .The Commission has so far recognized Andorra, Argentina, Australia, Canada (commercial organisations), Switzerland, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Uruguay and the US Department of Commerce's Safe Harbour Privacy Principles as providing adequate protection . . .

If the transfer is to the United States of America, has the US recipient of the data signed up to the US Department of Commerce Safe Harbor Scheme?"

See this link for full text : http://ec.europa.eu/justice/data-protection/document/international-transfers/adequacy/index_en.htm#h2-1 ) I know this cannot be achieved quickly but hope that WA can put it on the Roadmap as it's a worry for all European WA users.

11 votes

Biz55 shared this idea · Nov 8, 2014 · Report… · Admin →

Resolved ·

AdminKatya Tyukina (Director of Product Management, Wild Apricot by Personify) responded · May 28, 2018

We’ve updated our Terms of Use and Privacy Policy.
https://www.wildapricot.com/termsofuse
https://www.wildapricot.com/privacypolicy

We added detailed explanations to our Privacy Policy regarding the information we collect, why we collect it, what we do with it, and how we make sure that information stays safe and private.
We added information about users in the EU so they understand their rights under the new EU GDPR.
We have incorporated a Data Processing Addendum (DPA) into our Terms of Use.

If you have any questions related to GDPR, please send them to privacy @ wildapricot.com email.

All information about GDPR is presented on our website: wildapricot.com/gdpr

Show previous admin responses (4)

Work in progress ·

AdminKatya Tyukina (Director of Product Management, Wild Apricot by Personify) responded · Mar 19, 2018

Hi,

We published an article ‘Making your Wild Apricot site GDPR-compliant’ on our help site: https://gethelp.wildapricot.com/en/articles/1580

There are several changes released with version 6.0:

The new Email template, that you could use for collecting consent from existing contacts or for Privacy Policy update notifications.
Ability to export the list of registrations for each contact. It will help to download personal data if it was collected in the registrations too.
Ability to collect consent on Waitlist registration form if only Name and email are collecting from waitlisters.

We are still working on:

Ability to collect consent during the checkout process for our Online store

If you have any comments or questions please use this thread or reply me directly by email.

All information about GDPR status is presented on our website: https://www.wildapricot.com/gdpr

Katya Tyukina
Product Owner @ Wild Apricot

Work in progress ·

Team Membership responded · Feb 27, 2018

Hi, Wild Apricot published the GDPR status update not long ago. https://www.wildapricot.com/gdpr

Among many items, we announced that we are implementing required changes on Wild Apricot. I want to share with you some specific details what we are working on product and what we already have to meet the GDPR requirements.

What is already in the product:

Managing consent:
- You can create the custom ‘Rules and terms’ field with the link to your Privacy Policy (document or page) for collecting consent. As you must collect it from all your users who provide personal data we recommend creating the required custom field on Common database form. So it will be presented on all website forms (application, registration, subscription, etc.). You can create as many fields as many types of consents you need to gather. https://wildapricot.elevio.help/en/articles/149#rules
- Also, you can search contacts by this field to create the list of people who didn’t give the consent and email them or for updating their profiles
Individual (Data subject) rights and processing requests
- You can create the form like ‘Contact us’ and receive requests from your contacts (for example data access or to be forgotten) by email. All these requests will be logged in the Email log for further processing. Or just include your contact email into you Privacy Policy content. https://wildapricot.elevio.help/en/articles/1565
- Right to access: you can export all personal information of contact and send it back by email. All contacts data could be exported in the Wild Apricot. https://wildapricot.elevio.help/en/articles/110
- Right to erasure: If you receive such request you can delete the contact so all their personal data will be deleted from the database, including registrations and donations. https://wildapricot.elevio.help/en/articles/151

What we are working on:

The Privacy Policy page template. To help you start with structure and ‘how-to’ tips, not with the blank page.
The new Email template(s), that you could use for collecting consent from existing contacts or for Privacy Policy update notifications.
Ability to export the list of registrations for each contact. It will help to download personal data if it was collected in the registrations too.
Ability to collect consent on Waitlist registration form if only Name and email are collecting from waitlisters. Now you can’t do this.
Ability to collect consent during the checkout process for our new Online store feature.
… and list of ‘How to’ articles and instructions

All these changes will be released before the May 25th.

Also, we are considering the feature ‘Allow members to cancel their membership’ as part of our development. But this one could be released later than May. https://forums.wildapricot.com/forums/308932/suggestions/32983651

If you have any comments, questions or suggestions please use this thread or reply me directly by email.

Katya, Astra crew @ Wild Apricot

Evgeny Zaritovskiy responded · Mar 7, 2017

Currently, all data of Wild Apricot customer accounts are stored in US – for now, we have no plans to provide different locations depending on customer’s location.

Dmitry Buterin responded · Jul 12, 2015

An error occurred while saving the comment

Michael Lewington commented · April 30, 2018 10:45 AM · Report

We are in the UK and use Wild Apricot for our club membership which hold a significant amount of personal data . The AWS is Privacy Shield compliant however as the 25 May approaches we are required by the Information Commissioners office in the UK to confirm that Wild Apricot as an organisation are part of the Privacy Shield Scheme. This scheme has been agreed between the EU and US as meeting the necessary data protection standards. Safe Harbour does not. To date I have not seen any confirmation.

Submitting...
Norman Beveridge commented · January 13, 2018 5:39 AM · Report

Great suggestion, this would be extremely helpful

Submitting...
Sarah commented · January 12, 2018 7:09 AM · Report

So I found this response by Wild Apricot "Wild Apricot sites are compliant with the European Union’s Data Protection Directive. That’s because Wild Apricot sites are hosted on Amazon Web Services (AWS), which is certified under the Privacy Shield Network, a framework designed by the US Department of Commerce and the European Commission to allow the US companies to host European sites while complying with the EU’s data protection requirements." But my husband who works in IT Security said this is a false statement. AWC may have some knowledge of the data, but Wild Apricot has the explicit charge of the data. I hope we find more information out soon.

Submitting...
Mike Felton commented · January 11, 2018 4:33 PM · Report

Sorry - I was a bit premature - the introduction date is 25 MAY (not March)

Submitting...
Mike Felton commented · January 11, 2018 4:28 PM · Report

GDPR (General Data Protection Regulation) compliance.

This European regulation comes into force 25 March 2018. A legal requirement is that consent must be obtained for email communications and it must be OPT-IN (i.e. a preticked box is absolutely not allowed).

I see that an opt-in function was introduced in 2017 designed for the Canadian CASL regulation but the introduction of that has apparently been put on hold.

However the GDPR *IS* coming into force on 25th MARCH!
The email opt-in function will enable us to comply with the consent but it would be good to have a consent request email template soon (similar to the CASL version).
Please??

Submitting...
Will Ton commented · October 19, 2017 7:11 AM · Report

Meaningful progress to full EU Data Protection - Regional data separation is possible via AWS. You can put our data in a separate region.

Submitting...
Anaida Dibra commented · July 18, 2017 8:36 AM · Report

I think the reply from WA rather misses the point which is not just about location, but also overall compliance. Firstly there is no reassurance as to whether WA has indeed signed up to the US Safe Harbour, which was the original question if I have correctly understood it, but secondly there is no reassurance re whether WA has plans to ensure that it is compliant with EU law before 2018 implementation, which is rather critical for those of us based there.

Submitting...
Susannah Haan commented · February 20, 2017 3:54 PM · Report

Commercial organisations in Canada are also recognised - see http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm
However, EU data protection law is changing from 2018, so we would need reassurance that Wild Apricot would be in conformity when the legislation comes into force. We have already had some corporate sponsors asking for personal data not to be transferred outside the EU in order to avoid any problems with the legislation.

Submitting...
Will commented · August 31, 2016 11:23 AM · Report

Im surprised there are so few comments on this.
Wild Apricot stated that: "we do not have much control over which country exactly the servers are ultimately located" so it has terrified most of my board members.

Submitting...