The EU General Data Protection Regulation (GDPR) will set a new standard for how companies use and protect EU citizens’ data. It will take effect on 25th May 2018.

At HotspotSystem, we've been working hard to prepare for GDPR, to ensure that we fulfil its obligations and remain transparent with Wi-Fi users about how we use their data.

Here’s an overview of GDPR, and how we are preparing for it:

What's GDPR?

The EU General Data Protection Regulation (“GDPR”) is a new comprehensive data protection law that comes into effect on May 25, 2018. It will replace existing EU Data Protection law to strengthen the protection of “personal data” and the rights of the individual. It will be a single set of rules which govern the processing and monitoring of EU data.

Does it affect me?

If you hold or process the data of any person in the EU, the GDPR will apply to you, whether you're based in the EU or not.

If you are operating the service on behalf of your client (you are a reseller), you also act as a data processor, as long as your customer is the one making all the decisions about personal data and how it is processed. You can also be a joint data controller. You need to establish an agreement between you and your customer that clearly defines your roles and responsibilities as a data processor or joint data controller, and you should review and update the privacy policy accordingly.

How is HotspotSystem preparing for GDPR?

Updated Service Agreement

Our Universal Service Agreement has been updated to ensure that Hotspot Operators handle users' data in accordance with laws and regulations. See section 6, "Privacy and Data Protection", and section 7, "Compliance with Laws". You can download and sign it from here. You can also download and sign our Data Processing Agreement.

Updated Privacy Policy

We've made a significant update to the Privacy Policy for Wi-Fi users, which is available to them on the splash pages. You can also review it here.

When our Hotspot Operators use our services directly (not reselling them), HotspotSystem operates as a Data Processor, while our Hotspot Operators operate as Data Controllers. Users of the Wi-Fi hotspots must be made aware of the roles of HotspotSystem and of our Hotspot Operators. So the version of the Privacy Policy shown on the splash pages will also include the company data of the Hotspot Operator, to comply with the law.

In case you are a Reseller, you can add your partner data on the Secondary Operators page so we can add them automatically as Data Controllers in the Privacy Policy.

It is also possible to edit the Privacy Policy (under the Customize > Skins menu), but you need to make sure that you include our company as Data Processor, and it is essential to review your own privacy policy and make sure it reflects the requirements of GDPR. For example, if you are using Mailchimp to send out emails, you also need to include Mailchimp as a data processor.

Collecting Consent

The main legal basis for collecting and processing your users' personal data is consent. It is your responsibility to make sure you configure the service in compliance with GDPR, and we are here to help you in this process.

The Privacy Policy has to be accepted explicitly, and acceptance checkboxes cannot be pre-checked.

Under Modify Hotspot Data > Data Capture, "Accept Terms" is now "Accept Terms & Privacy". Make sure that it is checked.

If you are using a custom skin, make sure that you change the useragreement_accept tag in the message file to reflect that change.

We have modified this tag the following way:

I ACCEPT the terms of the <a href='{AGREEMENT_URL}' target='_blank'>User Agreement</a> and <a href='{PRIVACY_URL}' target='_blank'>Privacy Policy</a>.

where the PRIVACY_URL dynamic tag is the link to the Privacy Policy.

We have also added the Accept Terms & Privacy checkbox to the main custom skin, where previously it was only visible with the Skip Social option. Users now have to click the Accept checkbox even if they are logging in via a Social Network. (This change will be live within a few days.)

If you have modified the main_social.inc.html template, you need to revert it back to the original and make the changes again, or you can ask for help from us.

Also, if you are using the "Subscribe to Newsletter" option, make sure that it is not pre-checked in your skin (in case you have customized it). It comes unchecked in default skins so those are compliant.
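The consent rules above (no pre-checked Accept or Newsletter boxes, and an acceptance label that links both the User Agreement and the Privacy Policy) can be checked mechanically when you customise a skin. The following audit script is an added example, not HotspotSystem code; the skin fragments and the checkbox names `accept_terms` and `newsletter` are constructed assumptions, and only the `{AGREEMENT_URL}` and `{PRIVACY_URL}` tags come from the page.

```python
# Added example (not HotspotSystem code): audit a splash-page skin fragment for
# the GDPR consent mistakes described above: a pre-checked "Accept Terms &
# Privacy" or "Subscribe to Newsletter" checkbox, and an acceptance label that
# does not link both the User Agreement and the Privacy Policy.
from html.parser import HTMLParser

# Checkbox name/id fragments treated as consent-related (assumption).
CONSENT_NAMES = ("accept", "terms", "privacy", "newsletter", "subscribe")


class ConsentAuditor(HTMLParser):
    """Collects consent-looking checkboxes that carry a 'checked' attribute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # boolean attributes such as 'checked' map to None
        if tag != "input" or (a.get("type") or "text").lower() != "checkbox":
            return
        ident = (a.get("name") or a.get("id") or "").lower()
        if not any(k in ident for k in CONSENT_NAMES):
            return
        if "checked" in a:  # pre-ticked consent is not valid consent under GDPR
            self.findings.append(f"pre-checked consent checkbox: {ident}")


def audit_skin(html, accept_label):
    """Return a list of problems; an empty list means the fragment passed."""
    parser = ConsentAuditor()
    parser.feed(html)
    problems = list(parser.findings)
    # The acceptance text must link both documents via the dynamic tags.
    for tag in ("{AGREEMENT_URL}", "{PRIVACY_URL}"):
        if tag not in accept_label:
            problems.append(f"accept label missing {tag}")
    return problems


# Constructed samples: a customised skin with a pre-checked newsletter box and
# an old acceptance label that only mentions the User Agreement, then a fixed one.
BAD_SKIN = """
<input type="checkbox" name="accept_terms" id="accept_terms">
<input type="checkbox" name="newsletter" checked>
"""
OLD_LABEL = "I ACCEPT the terms of the <a href='{AGREEMENT_URL}'>User Agreement</a>."
GOOD_SKIN = '<input type="checkbox" name="accept_terms"><input type="checkbox" name="newsletter">'
NEW_LABEL = ("I ACCEPT the terms of the <a href='{AGREEMENT_URL}' target='_blank'>User Agreement</a> "
             "and <a href='{PRIVACY_URL}' target='_blank'>Privacy Policy</a>.")

if __name__ == "__main__":
    for problem in audit_skin(BAD_SKIN, OLD_LABEL):
        print("FAIL:", problem)
    print("customised skin OK" if not audit_skin(GOOD_SKIN, NEW_LABEL) else "fix needed")
```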

Identify the users

Visitors should be identifiable, as they have the right to reach out to you with subject access requests, asking to retrieve the data you hold about them or to delete their personal data. To that end, it is important to collect enough data about users to permit their identification, for example their email address, social network account or phone number. Also, be sure that you only ask for data which is essential for the service you offer. For example, asking users for their hometown while not using this data for the service you are offering is not compliant with GDPR.

You can make all the necessary adjustments under Modify Hotspot Data > Data Capture.

Who can access your data

At the time of writing, only the Managing Directors and the DevOps team have direct access to the servers and databases. Other technical and support staff have access to your account and client data for troubleshooting and support reasons only.

As part of the upcoming update, we are releasing a feature that, by default, will block HotspotSystem staff from directly accessing your account. When you have a support request for our team and we need to inspect your operator account, you can allow us to do so by checking a new option in the System Preferences menu.

How long the data is stored

Collected data is kept for 24 months after the user last logs in to any venue managed by us, or until it is no longer needed for the compatible purposes for which it was collected. Compatible purposes include those that reasonably serve Hotspot Operator relations, compliance and legal considerations, auditing, security and fraud prevention, preserving or defending HOTSPOTSYSTEM's legal rights, or other purposes consistent with the expectations of a reasonable person given the context of the collection.

We will flag this data once it reaches the end of the retention period, and delete it automatically on a monthly basis.

We're developing new functions

According to GDPR, individuals have a "right of access" to the information a company holds on them, and if requested the firm must supply the individual with their data within one month. At HotspotSystem we're going one step further by providing users with ongoing access to all personal data captured after signing up for WiFi.

Wi-Fi users will be able to identify themselves on the User Portal by providing their e-mail address. We send them a magic link which provides access to all collected data, and they can also request removal. It is therefore important to capture at least an e-mail address from users so they can verify their identity.

In summary: what do you need to do?

  • Review and update your company's and customer support contacts, and also your Secondary Operators' data if needed, to make sure the end users know who is controlling their data and how to contact you
  • Review and update your Privacy Policy
  • Make sure your configuration of login options is compliant with the new rules
  • Inform your users about the Privacy Policy changes
  • Download and sign our Data Processing Agreement