What is GDPR?

General Data Protection Regulation.

On May 25, 2018, a European privacy regulation called the General Data Protection Regulation (GDPR) came into effect. It provides EU citizens with greater control over their personal data and assurances that their information is being securely protected. The GDPR is the EU’s way of giving individuals more power over their data and giving less power to the organizations that collect and use such data for monetary gain.

This applies only to music groups in the UK and EU. Note that since Brexit, the UK continues to follow and endorse the GDPR guidelines. Although not the same regulations, they're deemed 'essentially equivalent'. For more details see the Brexit question below.

According to the GDPR, personal data is any information related to a person such as a name, a photo, an email address, bank details, updates on social networking websites, location details, medical information, or a computer IP address.

GDPR defines 3 roles:

  1. Data Controller: The organization that collects data from EU residents, which in our case is the music group.
  2. Data Processor: The organization that processes data on behalf of the data controller, i.e. Muzodo.
  3. Data Subject: The person, i.e. the music group member.

GDPR has 2 main objectives:

  1. Consent to the use of personal data.
  2. Secure handling of data.

Consent

As it pertains to music groups within the context of Muzodo, members have the right:
  1. To access: Individuals have the right to request access to their personal data and to ask how their data is used after it has been gathered.
  2. To be forgotten: Members may withdraw their consent at any time. If members leave the group or withdraw their consent to the use of their personal data, then they have the right to have their data deleted.
  3. To be notified: If there has been a data breach which compromises an individual’s personal data, the individual has a right to be informed within 72 hours of first having become aware of the breach.

Data Handling and Storage

Muzodo data is securely handled and stored in Europe on our servers in the UK and Germany.

Data Security

GDPR includes the concept of "privacy by design". Organisations must review their processes to ensure all data handling aspects are compliant. Muzodo was built from the ground up with security in mind.

Personal Data and Cookies

Muzodo uses personal details to personalize communication and manage member interactions efficiently. For example, when a member is added to a group, the platform may store their name, email address, phone number, emergency contact details and communication preferences. This information allows Muzodo to send relevant updates, reminders, or service notifications while ensuring that groups can quickly access member records.

Further, group administrators may create custom member fields to store additional member information relevant to their group.

To comply with the General Data Protection Regulation, Muzodo processes only the data necessary for service delivery, securely stores personal information, and ensures users can access, update, or request deletion of their data. Muzodo also supports consent management, helping organizations meet GDPR requirements for transparency, lawful processing, and user data rights.

For more details on privacy and cookie management, see our Privacy Policy.

3rd Party Services

A GDPR requirement is that all 3rd party services (companies providing service to us) are either GDPR compliant or, for companies based in the US, certified under the EU-US Privacy Shield. Muzodo uses the following companies to supply service to you, all of which satisfy these requirements.

Mobile app

Muzodo has an app in the Google Play Store (for Android) and the Apple App Store (for iOS). We do not send any personal details to these platforms. Once the app is installed on your device, the app gets your event details directly from our servers. As per standard practice, to send you notifications we use the push services provided by these platforms. This requires a unique ID that they provide and associate with your device. Note that any app that sends you notifications (email, Facebook, WhatsApp, etc.) uses the same service.

Penalties

There are tough penalties for companies and organizations that don’t comply with GDPR: fines of up to 4% of annual global revenue or 20 million Euros, whichever is greater.

After Brexit, does this still apply to music groups in the UK?

Prior to Brexit, the UK Government indicated it would implement equivalent or alternative legal mechanisms. The expectation was that any such legislation would largely follow the GDPR, given the support previously provided to the GDPR by the ICO and UK Government as an effective privacy standard.

The UK continues to follow and endorse the GDPR guidelines. Although not the same regulations, the UK and EU regulations are deemed 'essentially equivalent', a status which is expected to last until 27 June 2025. For more details see Overview – Data Protection and the EU hosted on the ICO's website.

What are music group administrator responsibilities?

Music group administrators are the "data controllers" and have the obligation to ensure their members' data is collected and processed in a manner consistent with the GDPR. They must ensure that the systems (processors) they use, whether formal systems or member data stored on their own computers, comply with the regulation.

Does my music group need to appoint a Data Protection Officer (DPO)?

No. DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data (Art. 37). If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.


See: GDPR blog by Superoffice

See: Wikipedia - General Data Protection Regulation

See: ICO (for groups in the UK)