NP Entertainment Support

GDPR for Membership Management

Introduction


General Data Protection Regulation (GDPR): GDPR provides European users with a robust set of rights regarding the collection, use, and onward transfer of their personal information. These include the right, under certain circumstances, to:

  • Access their personal information;
  • Correct inaccurate personal information;
  • Request erasure of their personal information without undue delay;
  • Request the restricted processing of their personal information;
  • Receive the personal information that they have provided in a structured, commonly used and machine-readable format, and transmit that information to another controller without hindrance or ask us to do so;
  • Object to the processing of their personal information;

This document will address some of these topics from a general system point-of-view.

Overview

GDPR Mode

Each membership can operate under its own compliance mode.
The member management module can operate in 4 different modes when it comes to GDPR compliance:

  • Not Applicable: as the name suggests, GDPR is not managed by the membership module, or it does not apply;
  • Implied: the GDPR Approval Status is set to Accepted. Member approval is managed elsewhere and is required;
  • Required: the GDPR Approval is verified and managed by the Member Management module. Members must accept the terms of service to become members;
  • Consent: the GDPR Approval is verified and managed by the Member Management module. Members can reject the terms and have their data processed differently, but still retain some or all other services;

The difference between "Required" and "Consent" is subtle. GDPR dictates that users' rights must be conveyed in a simple, clear and understandable way. This may not be practical at a POS, where the line would grow while the member reads the policy. The "Consent" mode allows the approval state "Pending": the member needs to make a choice but has not yet done so.
This allows the cashier to direct the member away from the POS to a kiosk, where the member can review the privacy policy without blocking the POS for other customers.
Service limitations can be set up to handle a missing answer (approval state Pending) or a member not accepting the terms (approval state Rejected). See Membership Limitations for setup.

GDPR Approval States

The members' choice regarding the privacy policy is stored in the GDPR Consent Log table. The approval state may be one of the following:

  • Pending – the member needs to give consent and has not yet done so;
  • Accepted – the member has accepted the terms;
  • Rejected – the member has rejected the terms;
  • Delegated to Guardian – the member has delegated the consent to the member designated as guardian;

GDPR Agreement

The GDPR Agreement represents the privacy policy and can exist in different versions (GDPR Agreement Version). The GDPR Agreement can differ between Memberships.
When a member is added to a membership, the member must make an active choice regarding the privacy policy. Depending on setup, that choice affects how the member can use the membership and how their data may be processed.
The member's choice is recorded in the GDPR Consent Log.

Membership Setup

On the Membership Setup table, the appropriate GDPR Mode is selected together with the GDPR Agreement Number (i.e., the privacy policy) associated with that type of membership.

Usage

Member and membership creation

On the member creation page, the new field GDPR Approval is displayed. It is editable when the GDPR Mode is either "Required" or "Consent".



Individual members within the same membership each have their own GDPR Approval State.


The GDPR Approval field is a FlowField, and its drilldown reveals the consent log.

Limitation Setup

A member not yet having approved the terms, or having rejected them, can be used in the Membership Limitation Setup to withhold the access a member card would normally grant.



The fictional member Lina above would get the following message when swiping the member card in the POS (and self-check-in).



The normal Limitation setup applies, so you can, for example, allow 2 successful swipes before access is denied, or only warn / notify.
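The following is an added example, not code from the NP Entertainment module: a small Python model of how the GDPR Mode, the member's approval state and a limitation rule like the one described above (a number of tolerated swipes, then deny; or warn only) combine into a POS swipe decision. The class and field names, and the handling of a dependent whose guardian has not decided, are assumptions for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class GdprMode(Enum):
    NOT_APPLICABLE = "Not Applicable"
    IMPLIED = "Implied"
    REQUIRED = "Required"
    CONSENT = "Consent"


class ApprovalState(Enum):
    PENDING = "Pending"
    ACCEPTED = "Accepted"
    REJECTED = "Rejected"
    DELEGATED = "Delegated to Guardian"


@dataclass
class LimitationRule:
    # Assumed shape of a Membership Limitation line: the approval states it
    # reacts to, how many swipes are still let through, and warn vs. deny.
    states: Tuple[ApprovalState, ...]
    allowed_swipes: int = 0     # 2 -> the third swipe is denied
    action: str = "deny"        # "deny" or "warn" (warn never blocks)


@dataclass
class Member:
    name: str
    mode: GdprMode                      # GDPR Mode of the membership
    approval: ApprovalState             # member's own GDPR Approval State
    guardian_approval: Optional[ApprovalState] = None   # used when delegated
    swipes: int = 0                     # swipes counted against the rule


def effective_approval(member: Member) -> ApprovalState:
    """Resolve the approval state the POS should act on."""
    if member.mode in (GdprMode.NOT_APPLICABLE, GdprMode.IMPLIED):
        return ApprovalState.ACCEPTED   # consent not managed here, or implied
    if member.approval is ApprovalState.DELEGATED:
        # Assumption: a dependent whose guardian has not decided counts as Pending.
        return member.guardian_approval or ApprovalState.PENDING
    return member.approval


def swipe(member: Member, rule: LimitationRule) -> Tuple[str, str]:
    """Evaluate one card swipe; returns (outcome, message shown at the POS)."""
    state = effective_approval(member)
    if state not in rule.states:
        member.swipes += 1
        return "ok", f"{member.name}: access granted"
    msg = f"{member.name}: privacy policy {state.value.lower()}, please review it at the kiosk"
    if rule.action == "warn" or member.swipes < rule.allowed_swipes:
        member.swipes += 1
        return "warn", msg
    return "deny", msg


if __name__ == "__main__":
    # constructed member in "Consent" mode who has not yet chosen
    lina = Member("Lina", GdprMode.CONSENT, ApprovalState.PENDING)
    rule = LimitationRule((ApprovalState.PENDING, ApprovalState.REJECTED), allowed_swipes=2)
    for _ in range(3):
        print(swipe(lina, rule))   # warn, warn, deny
```

In "Not Applicable" and "Implied" mode the limitation never fires, because the module does not manage consent itself; in "Required" and "Consent" mode the rule only sees the states it is configured for, so a member with Accepted passes untouched.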

Member Data Anonymization

Members have the right to be forgotten. Member data must be removed after the agreed amount of time or on direct request from the member. The GDPR Agreement represents the privacy policy in effect for the membership. Each version has its own set of parameters.

Setup for automation

The date formula in the field "Anonymize After" controls how much time must pass after a membership has expired before the automatic anonymization process anonymizes the member.

The following rules apply for member data anonymization:

  • The membership must be expired (you can cancel an ongoing membership in the "Membership Alteration Journal");
  • Automatic anonymization will occur when:
    • The codeunit 6151121 "MM GDPR Management" is scheduled to run by the task queue;
    • The member's approval state determines the date formula applied to the membership's "Valid Until Date":
      • "Anonymize After" is taken from the version of the GDPR Agreement the member has accepted;
      • If the member did not accept any version, "Anonymize After" is taken from the agreement itself.
    • Members with approval state "Delegated to Guardian" get the date formula from the guardian of the membership.
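As an added example (not the module's own code), the rules above expressed as a small Python function that computes the earliest date on which a scheduled job may anonymize a member. Date formulas are parsed in the NAV/Business Central style used by date-formula fields ("6M", "1Y", "30D", "2W", with or without angle brackets). The agreement versions, member records and the assumption that "taken from the agreement" means the agreement's current version are all constructed for this illustration.

```python
import re
from datetime import date, timedelta

# constructed GDPR Agreement versions with their "Anonymize After" formulas
AGREEMENT_VERSIONS = {
    1: {"anonymize_after": "1Y"},
    2: {"anonymize_after": "6M"},
}
CURRENT_VERSION = 2   # assumption: the agreement's default is its current version


def add_date_formula(start: date, formula: str) -> date:
    """Apply a simple date formula (nD, nW, nM, nY) to a date.
    Month/year steps clamp the day to the target month's last day."""
    m = re.fullmatch(r"<?(\d+)([DWMY])>?", formula.strip().upper())
    if not m:
        raise ValueError(f"unsupported date formula: {formula!r}")
    n, unit = int(m.group(1)), m.group(2)
    if unit == "D":
        return start + timedelta(days=n)
    if unit == "W":
        return start + timedelta(weeks=n)
    months = n if unit == "M" else 12 * n
    years, month_index = divmod(start.month - 1 + months, 12)
    year, month = start.year + years, month_index + 1
    next_month_first = date(year + (month == 12), month % 12 + 1, 1)
    last_day = (next_month_first - timedelta(days=1)).day
    return date(year, month, min(start.day, last_day))


def anonymize_after_formula(member: dict, guardian: dict = None) -> str:
    """Select the "Anonymize After" formula according to the approval state."""
    if member["approval"] == "Delegated to Guardian":
        if guardian is None:
            raise ValueError("dependent has no guardian on the membership")
        return anonymize_after_formula(guardian)   # guardian's choice applies
    accepted = member.get("accepted_version")
    version = accepted if accepted in AGREEMENT_VERSIONS else CURRENT_VERSION
    return AGREEMENT_VERSIONS[version]["anonymize_after"]


def anonymization_due(member: dict, today: date, guardian: dict = None):
    """Date from which anonymization may run, or None while the membership
    is still valid (an ongoing membership must be cancelled first)."""
    valid_until = member["valid_until"]
    if valid_until >= today:
        return None
    return add_date_formula(valid_until, anonymize_after_formula(member, guardian))


def due_for_anonymization(member: dict, today: date, guardian: dict = None) -> bool:
    """What a scheduled job would check for each expired member."""
    due = anonymization_due(member, today, guardian)
    return due is not None and due <= today


if __name__ == "__main__":
    # constructed records: an expired membership with an accepted version 1
    lina = {"approval": "Accepted", "accepted_version": 1, "valid_until": date(2023, 1, 31)}
    print(anonymization_due(lina, date(2023, 6, 1)))          # 2024-01-31
    print(due_for_anonymization(lina, date(2024, 2, 1)))      # True
```

A member who rejected every version (no accepted version) falls back to the agreement's current formula, and a dependent inherits the guardian's formula rather than having one of their own, which matches the three rules listed above.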

Automation

To automate member anonymization, the codeunit 6151121 "MM GDPR Management" is scheduled to run by the task queue.

Manual Member Anonymization

A member may at any time request to be forgotten or anonymized. A member can be manually anonymized via the "Member Anonymization" action on the member card.


Rules apply and the membership may need to be terminated prior to anonymization.




Changes to the Privacy Policy

When the privacy policy changes, a new version is added to the GDPR Agreement. That by itself does not trigger anything.

Manual Mode

In order to have all members attached to the agreement give their consent, you need to push the action button "Push Consent Request". This adds a line in the log for each member with status Pending.

  • The next time the member visits, the Limitation Setup can inform the member that they need to consent to the new terms;
  • On the web, the member will also need to consent to the new terms.

Renewed subscriptions

If there is a new version of the GDPR Agreement at the time when membership timeframe changes (Renew, Upgrade, Extend) and that member has not been made aware of the new version (via manual mode above), a new consent request is automatically pushed to the member.
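The two ways a new agreement version reaches a member, the manual "Push Consent Request" action and the automatic push on a timeframe change, as an added example in Python (not the module's code). The consent log is modelled as a list of (member, agreement version, state) lines; "made aware" is taken to mean the member already has a log line for the current version. The record layout and function names are assumptions.

```python
from typing import List, Optional, Tuple

LogLine = Tuple[str, int, str]   # (member no., agreement version, approval state)


class ConsentLog:
    """Constructed stand-in for the GDPR Consent Log table."""

    def __init__(self) -> None:
        self.lines: List[LogLine] = []

    def push(self, member: str, version: int) -> None:
        # A consent request is a Pending line for that agreement version.
        self.lines.append((member, version, "Pending"))

    def record(self, member: str, version: int, state: str) -> None:
        # The member's answer (Accepted / Rejected) is appended as a new line.
        self.lines.append((member, version, state))

    def latest(self, member: str) -> Optional[LogLine]:
        for line in reversed(self.lines):
            if line[0] == member:
                return line
        return None

    def approval_state(self, member: str) -> str:
        """The value the GDPR Approval FlowField would show: newest line wins."""
        line = self.latest(member)
        return line[2] if line else "Pending"

    def aware_of(self, member: str, version: int) -> bool:
        return any(m == member and v == version for m, v, _ in self.lines)


def push_consent_request(log: ConsentLog, agreement: dict, members: List[str]) -> int:
    """Manual mode: one Pending line per member attached to the agreement."""
    for member in members:
        log.push(member, agreement["current_version"])
    return len(members)


def change_timeframe(log: ConsentLog, agreement: dict, member: str) -> bool:
    """Renew / Upgrade / Extend: push a request only if the member has not
    yet been made aware of the current version. Returns True if pushed."""
    version = agreement["current_version"]
    if log.aware_of(member, version):
        return False
    log.push(member, version)
    return True


if __name__ == "__main__":
    log, agreement = ConsentLog(), {"current_version": 1}
    log.record("M1", 1, "Accepted")
    agreement["current_version"] = 2          # new policy version: no effect yet
    print(log.approval_state("M1"))          # Accepted
    push_consent_request(log, agreement, ["M1"])
    print(log.approval_state("M1"))          # Pending
```

Adding the new version alone leaves every member's state untouched; only the manual push, or a later renewal for a member who has no line for the new version, creates the Pending line that the limitation setup and the web front-end then act on.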

Guardians and Dependents

GDPR defines a child as 16 or below when it comes to the GDPR terms. Local legislation may overrule this to define an adult as 13 or above. Children are more protected under the new terms in GDPR.
In Member Management, dependents are not allowed to approve the GDPR terms themselves and must delegate that right to a guardian.
When a guardian is added to a membership, all non-guardians of the membership become dependents. The GDPR Approval State for a dependent will be "Delegated to Guardian".