Wedissimo Documentation

Appearance

GDPR Implementation Checklist

Related Documents

Overview: Couples + Vendors = Double Compliance Requirements

Key Challenge: As a two-sided marketplace, Wedissimo processes personal data for both couples (customers) and vendors (service providers). Each group has different data processing needs and GDPR rights.

Data Processing Roles

  • Wedissimo: Data Controller for all user data
  • Couples: Data Subjects (wedding planning, booking services)
  • Vendors: Data Subjects + Business Users (professional profiles, client management)

MANDATORY Requirements (Risk of Fines)

A. User Rights (Must be Available Within 30 Days of Request)

1. Right to Access (Article 15) - SEMI-AUTOMATED

Implementation: Separate API endpoints for couples and vendors

Couple Data Export Includes:

  • Profile information (names, wedding date, preferences)
  • Booking history and payment records
  • Messages with vendors
  • Reviews and ratings given
  • Search history and saved vendors
  • Privacy settings and consent records

Vendor Data Export Includes:

  • Business profile (company details, services, pricing)
  • Customer communications and booking records
  • Reviews received and responses
  • Financial data (earnings, commission history)
  • Availability calendar and booking management
  • Marketing preferences and analytics data

Manual Process Required:

  • Admin review for complex cross-user data requests
  • Identity verification (especially important for business accounts)
  • Response SLA: 30 days (legal maximum), target 7 days

2. Right to Rectification (Article 16) - AUTOMATED

Implementation: User profile edit functionality Manual Process Required: None (user self-service)

  • Response SLA: Immediate via user dashboard

3. Right to Erasure/Deletion (Article 17) - SEMI-AUTOMATED

Implementation: Soft delete with business logic checks

Couple Deletion Challenges:

  • Cannot delete if active bookings exist
  • Must preserve booking records for vendor tax/legal purposes
  • Reviews may be anonymized rather than deleted (impacts other vendors)
  • Payment records retention for dispute/refund purposes

Vendor Deletion Challenges:

  • Cannot delete if active bookings with couples
  • Business records retention for tax compliance (7 years)
  • Reviews and ratings from couples (may need anonymization)
  • Commission and payout records (legal/tax retention)
  • Historical booking data affects couple's records

Manual Process Required:

  • Cross-reference active bookings between couples and vendors
  • Review deletion requests with ongoing business relationships
  • Handle complex data interdependencies
  • Verify tax/legal retention requirements for business data
  • Response SLA: 30 days maximum

4. Right to Object to Marketing (Article 21) - AUTOMATED

Implementation: Unsubscribe links and preference center Manual Process Required: None

  • Response SLA: Immediate

5. Data Portability (Article 20) - AUTOMATED

Implementation: JSON/CSV export functionality Manual Process Required: Identity verification only

  • Response SLA: 30 days maximum

B. Consent Management (Article 7) - MANDATORY

  • Cookie consent banner (analytics/marketing cookies)
  • Marketing email opt-in at registration
  • WhatsApp booking notifications (separate consent)
  • Wedding planning newsletter opt-in
  • Vendor contact sharing consent (when requesting quotes)
  • Review/rating sharing consent (public display)
  • Social media integration consent (if applicable)
  • Cookie consent banner (analytics/marketing cookies)
  • Business marketing email opt-in at registration
  • WhatsApp business notifications (booking alerts, reminders)
  • Vendor newsletter and platform updates opt-in
  • Customer contact details processing (for booked services)
  • Financial data processing for commission/payouts
  • Business profile public display consent
  • Review/rating response consent (public display)
  • Analytics and performance tracking consent (business insights)

Manual Processes Required

  • Maintain separate consent records for couples vs vendors
  • Handle consent conflicts (e.g., couple wants deletion, vendor needs booking record)
  • Regular audit of consent mechanisms (quarterly review)
  • Update consent forms when adding new data uses
  • Manage cross-platform consent (e.g., video call recordings)

Must Have (Risk of Fines)

  1. Privacy Policy - Manual creation, annual review

    • Data types collected
    • Purpose of processing
    • Legal basis for each processing activity
    • Data retention periods
    • User rights explanation
    • Contact information for data queries

  2. Data Processing Agreements (DPAs) - Manual process Required with:

    • Stripe Connect (payment processing)
    • Google Cloud (hosting/storage)
    • Twilio (WhatsApp/SMS)
    • SendGrid/SendLayer (email)
    • Fireflies.ai (transcription)
    • Google Meet (video calls)

    Manual Process: Legal review and signing of DPAs with each vendor

  3. Cookie Policy - Manual creation

    • List all cookies used
    • Purpose of each cookie
    • Expiration times
    • Third-party cookies disclosure

D. Data Breach Notification - MANDATORY

Manual Process Required

  • 72-hour notification rule to supervisory authority
  • Create incident response plan document
  • Designate data breach response team
  • Template for breach notifications
  • Log of all breaches (even minor ones)

Implementation Priority: HIGH - Heavy fines for non-compliance

E. Security Measures (Article 32) - MANDATORY BUT FLEXIBLE

Minimum Required (Not Optional)

  • HTTPS for all data transmission (standard)
  • Access controls (role-based permissions)
  • Regular security updates
  • Password requirements (basic security)
  • Encryption of sensitive data (selective approach is fine)
  • Two-factor authentication (good practice)
  • Security audit logs (helpful for compliance)

GOOD PRACTICE (Not Legally Required)

Optional Enhancements

  1. Privacy by Design

    • Data minimization beyond requirements
    • Advanced pseudonymization
    • Privacy Impact Assessments for all features

  2. Enhanced Security

    • Full encryption of all personal data
    • Advanced threat monitoring
    • Penetration testing

  3. Proactive Compliance

    • Privacy dashboard for users
    • Automated compliance reporting
    • Real-time consent management

Implementation Priority Matrix

Automated Systems Needed:

  • [ ] Couple data export API (profile, bookings, messages, reviews)
  • [ ] Vendor data export API (business profile, earnings, customer data, reviews)
  • [ ] Role-specific profile edit functionality (couples vs vendors)
  • [ ] Dual marketing unsubscribe systems (couple vs vendor communications)
  • [ ] Cookie consent banner (same for both user types)
  • [ ] Separate consent logging systems (couple consent vs vendor consent)
  • [ ] Cross-user data dependency checks (booking relationships)

Manual Processes to Establish:

  • [ ] Data breach response plan (couple data vs vendor business data)
  • [ ] Privacy policy covering both user types
  • [ ] DPA execution with all third-party vendors/services
  • [ ] Complex deletion request review process (cross-user dependencies)
  • [ ] Vendor business data retention policies (tax/legal compliance)

Phase 2: Operational Compliance (Week 3)

Semi-Automated Systems:

  • [ ] Account deletion with business logic checks
  • [ ] Data retention automation
  • [ ] Audit log system for data access

Manual Processes:

  • [ ] Quarterly consent audit schedule
  • [ ] Annual privacy policy review process
  • [ ] Vendor DPA renewal tracking

Phase 3: Enhanced Compliance (Post-Launch)

Nice to Have:

  • [ ] Advanced analytics anonymization
  • [ ] Privacy impact assessments
  • [ ] Enhanced security measures

Critical Manual Processes That MUST Be in Place

1. Data Subject Request Handling

Team Required: Customer service + Legal/Compliance officer Process:

  • Receive request via email/form (separate queues for couples vs vendors)
  • Verify identity (manual check - higher bar for business accounts)
  • Determine user type and data scope
  • Check for cross-dependencies (couples ↔ vendors)
  • Log request with timestamp and user type
  • Process within 30 days
  • Handle conflicts between user rights (e.g., couple deletion vs vendor record retention)
  • Document completion and any retention justifications

2. Data Breach Response

Team Required: CTO + Legal + Customer Service Manager Process:

  • Detect and contain breach
  • Assess scope and impact
  • Notify authorities within 72 hours if required
  • Notify affected users if high risk
  • Document everything

3. Vendor Management

Responsible: Legal/Operations Manager Process:

  • Maintain list of all data processors
  • Ensure valid DPAs for each
  • Annual review of vendor compliance
  • Update DPAs when services change

4. Consent and Policy Updates

Responsible: Legal/Compliance Officer Process:

  • Quarterly review of consent mechanisms
  • Annual privacy policy review
  • Update notices for new data uses
  • Re-obtain consent when necessary

Fine Avoidance Checklist

High Risk Areas (Potential 4% of Global Turnover)

  • No privacy policy or inadequate policy
  • No consent for marketing communications
  • Ignoring data subject requests
  • No data breach notification process
  • No DPAs with data processors

Medium Risk Areas (Potential 2% of Global Turnover)

  • Delayed response to data requests (>30 days)
  • Poor consent management
  • Inadequate security measures
  • No data retention policy

Low Risk Areas (Warnings/Lower Fines)

  • Missing some consent timestamps
  • Incomplete audit logs
  • Minor privacy policy omissions

Quick Compliance Status Check

Must Have NOW

  • [ ] Privacy Policy published and accessible
  • [ ] Cookie consent banner active
  • [ ] Marketing consent checkboxes in place
  • [ ] Unsubscribe links in all marketing emails
  • [ ] Process for handling data requests
  • [ ] Data breach response plan

Must Have BEFORE Processing Personal Data

  • [ ] DPAs signed with all vendors
  • [ ] User rights endpoints functional
  • [ ] Consent logging active
  • [ ] Data retention policies defined
  • [ ] Security measures implemented

Can Implement Post-Launch

  • [ ] Enhanced audit logging
  • [ ] Advanced anonymization
  • [ ] Privacy impact assessments
  • [ ] Automated compliance reporting

Red Flags That Need Immediate Attention

  1. No privacy policy covering both user types → Create immediately
  2. No consent for couple/vendor marketing → Stop all marketing until fixed
  3. No data breach plan for business data → Create before go-live
  4. No DPAs with third-party services → Cannot use services without DPAs
  5. No process for complex cross-user data requests → Set up manual process minimum
  6. No vendor business data retention policy → Legal/tax compliance risk
  7. No process for conflicting user rights → Cannot handle couple/vendor disputes

Estimated Compliance Effort

Developer Time Required

  • Couple user rights APIs: 2-3 days
  • Vendor user rights APIs: 3-4 days (more complex business data)
  • Cross-user dependency checks: 2-3 days
  • Dual consent management: 3-4 days
  • Selective encryption (both user types): 3-4 days
  • Audit logging (separate tracking): 2-3 days
  • Total: ~15-21 developer days (increased complexity for two-sided marketplace)

Non-Developer Time Required

  • Privacy policy drafting: 1-2 days (legal)
  • DPA negotiations: 3-5 days (legal/ops)
  • Process documentation: 2-3 days (ops)
  • Staff training: 1 day
  • Total: ~7-11 days

Ongoing Time Commitment

  • Data request handling (couples + vendors): 4-6 hours/week
  • Cross-user conflict resolution: 1-2 hours/week
  • Consent audits (both user types): 6 hours/quarter
  • Policy reviews (covering both sides): 12 hours/year
  • Third-party vendor management: 2 hours/month
  • Business data retention compliance: 1 hour/month
  • Total: ~5-8 hours/week average

Minimum Viable GDPR Compliance for Two-Sided Marketplace

To avoid fines, Wedissimo MUST have:

  1. Legal Documents (Covering Both User Types)

    • Privacy Policy explaining couple vs vendor data processing
    • Cookie Policy (same for both user types)
    • DPAs with all third-party services (manual signing)

  2. Dual User Rights System

    • Couple data export (bookings, messages, reviews, preferences)
    • Vendor data export (business profile, earnings, customer communications)
    • Role-specific profile editing (automated)
    • Complex deletion process handling cross-user dependencies (semi-automated)
    • Separate marketing opt-out systems (automated)

  3. Consent Management (Both User Types)

    • Cookie banner (automated - same for both)
    • Couple marketing consent (wedding newsletters, vendor communications)
    • Vendor marketing consent (business updates, customer contact processing)
    • Consent logs tracking user type and purpose (automated)

  4. Security Basics

    • HTTPS (standard)
    • Role-based access controls (couples vs vendors)
    • Basic authentication (automated)

  5. Manual Processes (Complex Due to Two-Sided Nature)

    • Data request handling for both user types
    • Cross-user conflict resolution (couple wants deletion, vendor needs records)
    • Data breach response plan for business data vs personal data
    • Regular compliance reviews covering both sides of marketplace

  6. Additional Two-Sided Marketplace Requirements

    • Business data retention policies (vendor tax/legal compliance)
    • Cross-user data dependency tracking
    • Separate audit trails for couple vs vendor actions
    • Conflict resolution procedures for competing user rights

With these in place, Wedissimo will meet GDPR legal requirements for both couples and vendors while maintaining marketplace functionality and handling the complex data relationships inherent in a two-sided marketplace.

Wedissimo API Documentation

Copyright © 2025 Wedissimo