Wedissimo Documentation

Appearance

GDPR Master Strategy

Related Documents

Executive Summary

This document provides a comprehensive GDPR compliance strategy specifically for Wedissimo's two-sided wedding marketplace. It combines practical legal requirements, technical implementation details, and business-focused compliance measures that balance regulatory obligations with marketplace functionality.

Key Challenge: As a two-sided marketplace processing data for both couples (customers) and vendors (service providers), Wedissimo faces complex compliance requirements including cross-user data dependencies, business data retention obligations, and conflicting user rights scenarios.

Critical Compliance Insight

GDPR Reality Check: Article 32 requires "appropriate technical and organizational measures" - NOT encryption of all personal data. For a marketplace platform, searchable functionality is a legitimate business need that justifies keeping search-related data unencrypted with proper access controls.

MANDATORY REQUIREMENTS (Risk of €20M+ Fines)

A. User Rights Implementation (Must Function Within 30 Days)

1. Right to Access (Article 15) - SEMI-AUTOMATED

Two-Sided Implementation Requirements:

Couple Data Export Must Include:

  • Profile information (names, wedding date, venue preferences)
  • Complete booking history and payment records
  • All messages and communications with vendors
  • Reviews and ratings given to vendors
  • Search history and saved vendor preferences
  • Privacy settings and all consent records
  • Wedding planning timeline and notes

Vendor Data Export Must Include:

  • Complete business profile (company details, services, pricing)
  • All customer communications and booking records
  • Reviews received and response history
  • Financial data (earnings, commission history, tax records)
  • Availability calendar and booking management data
  • Marketing preferences and business analytics data
  • Customer contact details (for active bookings only)

Manual Process Required:

  • Admin review for complex cross-user data requests
  • Enhanced identity verification (especially for business accounts)
  • Cross-reference booking dependencies before data release
  • Legal SLA: 30 days maximum (target: 7 days)

2. Right to Rectification (Article 16) - AUTOMATED

Implementation: Role-specific profile editing with business logic

  • Couples: Wedding details, preferences, contact information
  • Vendors: Business details, services, availability, pricing
  • Response SLA: Immediate via user dashboard

3. Right to Erasure (Article 17) - SEMI-AUTOMATED

Complex Two-Sided Challenges:

Couple Deletion Constraints:

  • Cannot delete if active future bookings exist
  • Must preserve anonymized booking records for vendor tax/legal compliance
  • Reviews may be anonymized rather than deleted (impacts vendor ratings)
  • Payment records retained for 7 years (legal/tax requirements)

Vendor Deletion Constraints:

  • Cannot delete if active bookings with couples exist
  • Business records must be retained for 7 years (UK tax compliance)
  • Customer communications may need retention for dispute resolution
  • Commission and payout records have legal retention requirements
  • Reviews from couples create cross-user dependencies

Manual Process Required:

  • Cross-reference all active bookings between couples and vendors
  • Legal review of business data retention requirements
  • Conflict resolution for competing deletion/retention needs
  • Response SLA: 30 days maximum

4. Right to Object & Data Portability (Articles 20-21) - AUTOMATED

Implementation:

  • Marketing opt-out systems (separate for couples/vendors)
  • JSON/CSV export functionality for all personal data
  • Identity verification for sensitive business data exports
  • Response SLA: Immediate (opt-out) / 30 days (portability)

B. Consent Management (Article 7) - MANDATORY

Couples - Required Consents:

  • Essential cookies (functionality) - implied consent via usage
  • Analytics/marketing cookies - explicit opt-in
  • Wedding planning newsletter - separate checkbox
  • WhatsApp booking notifications - separate consent
  • Vendor contact sharing (when requesting quotes) - explicit consent
  • Review/rating public display - separate consent
  • Social media integration (if used) - explicit consent

Vendors - Required Consents:

  • Essential cookies (functionality) - implied consent via usage
  • Analytics/marketing cookies - explicit opt-in
  • Business newsletter and platform updates - separate consent
  • WhatsApp business notifications - separate consent
  • Customer contact details processing - explicit consent for each booking
  • Financial data processing for commissions - explicit consent
  • Business profile public display - explicit consent
  • Performance analytics and insights - separate consent

Consent Withdrawal Requirements:

  • Must be as easy as giving consent
  • One-click unsubscribe links in all communications
  • Granular preference center for different consent types
  • Immediate processing of withdrawal requests

1. Updated Privacy Policy (High Priority)

Must Include:

  • Separate sections for couple vs vendor data processing
  • Specific Article 6 GDPR legal basis for each processing activity
  • Detailed data retention schedules by data category
  • Step-by-step user rights process with timescales
  • Complete list of third-party data processors with purpose
  • Cross-user data dependency explanations
  • International data transfer safeguards
  • Contact information for data protection queries

2. Data Processing Agreements (DPAs) - MANDATORY

Required with ALL third-party services:

  • Stripe Connect (payment processing)
  • Google Cloud Platform (hosting/storage)
  • Twilio (WhatsApp/SMS communications)
  • SendGrid/SendLayer (email communications)
  • Fireflies.ai (transcription services)
  • Google Meet (video call integration)
  • Any other service processing personal data

Manual Process: Legal review and signed agreements with each processor

3. Cookie Policy & Data Breach Response Plan

Cookie Policy Must List:

  • All cookies used (essential, analytics, marketing)
  • Purpose and duration of each cookie
  • Third-party cookies and their purposes
  • How users can manage cookie preferences

Data Breach Response Plan Must Include:

  • 72-hour notification process to supervisory authority
  • User notification procedures for high-risk breaches
  • Incident response team assignments
  • Breach documentation templates
  • Business vs personal data breach handling differences

D. Technical Security Measures (Article 32) - MANDATORY

Minimum Required Security (Not Optional)

  • HTTPS for all data transmission (standard implementation)
  • Role-based access controls (couples vs vendors vs admin)
  • Regular security updates and vulnerability patching
  • Strong password requirements and authentication
  • Audit logging for all personal data access

Smart Data Protection Strategy

Selective Encryption Approach:

  • Encrypt: Sensitive contact details, financial information, private communications
  • Keep Unencrypted: Business names, service categories, pricing ranges, descriptions, wedding preferences
  • Justification: GDPR Article 32 allows "appropriate measures" - searchable marketplace data can remain unencrypted with proper access controls

Detailed technical implementation examples in GDPR-strategy.md.

Implementation Priority Matrix

Automated Systems Required:

  • [ ] Couple Data Export API: Profile, bookings, messages, reviews, search history
  • [ ] Vendor Data Export API: Business profile, earnings, customer data, reviews
  • [ ] Cross-User Dependency System: Check booking relationships before deletion
  • [ ] Granular Consent Management: Separate consent tracking for different purposes
  • [ ] Role-Specific Profile Editing: Different interfaces for couples vs vendors
  • [ ] Marketing Unsubscribe System: Separate systems for couple vs vendor communications

Manual Processes to Establish:

  • [ ] Updated Privacy Policy: Covering both user types with specific legal basis
  • [ ] DPA Collection: Signed agreements with all third-party processors
  • [ ] Data Breach Response Plan: Including business data vs personal data procedures
  • [ ] Complex Deletion Review Process: Handle cross-user dependencies
  • [ ] Vendor Business Data Retention Policies: 7-year tax/legal compliance

Phase 2: Advanced Data Protection (Week 3)

Semi-Automated Systems:

  • [ ] Selective Encryption Implementation: Sensitive data only, preserve search functionality
  • [ ] Automated Data Retention: Scheduled deletion based on retention policies
  • [ ] Audit Log System: Complete tracking of all data access and changes
  • [ ] Consent Withdrawal Processing: Immediate automated processing

Enhanced Manual Processes:

  • [ ] Quarterly Consent Audits: Review all consent mechanisms
  • [ ] Annual Privacy Policy Reviews: Update for new features/regulations
  • [ ] Vendor DPA Renewal Tracking: Maintain current agreements

Phase 3: Continuous Compliance (Post-Launch)

Monitoring and Optimization:

  • [ ] Privacy-Preserving Analytics: Use aggregated/anonymized data only
  • [ ] Security Monitoring: Alert on unusual data access patterns
  • [ ] Regular Compliance Reviews: Quarterly assessment of all procedures
  • [ ] Staff Training Programs: Ongoing GDPR awareness and procedures

Critical Manual Processes

1. Data Subject Request Handling

Team Required: Customer Service + Legal/Compliance Officer + Technical Support

Process Flow:

  1. Request Reception: Separate intake queues for couples vs vendors
  2. Identity Verification: Enhanced verification for business accounts
  3. Request Categorization: Determine user type and data scope
  4. Cross-Dependency Check: Identify any booking/business relationships
  5. Legal Review: Assess retention requirements vs deletion requests
  6. Technical Processing: Execute request via automated systems where possible
  7. Conflict Resolution: Handle competing rights (couple deletion vs vendor retention)
  8. Response Delivery: Provide requested data/confirmation within 30 days
  9. Documentation: Log all decisions and justifications

2. Data Breach Response

72-Hour Response Team: CTO + Legal Officer + Customer Service Manager

Response Protocol:

  1. Detection & Containment: Immediate system security measures
  2. Impact Assessment: Determine scope (couples, vendors, or both)
  3. Risk Evaluation: Assess potential harm to affected individuals
  4. Authority Notification: Report to ICO within 72 hours if required
  5. User Communication: Contact affected users if high risk identified
  6. Remediation: Implement fixes and improved security measures
  7. Documentation: Complete incident record for compliance audit

3. Consent and Policy Management

Responsible: Legal/Compliance Officer + Marketing Manager

Ongoing Duties:

  • Quarterly Reviews: Audit all consent collection mechanisms
  • Policy Updates: Annual privacy policy review and updates
  • New Feature Assessment: Privacy impact assessment for new data uses
  • Consent Renewal: Re-obtain consent when processing purposes change
  • Training Delivery: Staff training on consent handling procedures

Financial Risk vs. Compliance Investment

Non-Compliance Risk Assessment

Maximum Potential Fines:

  • €20 million OR 4% of global annual turnover (whichever is higher)
  • High-Risk Scenarios:
    • Unable to fulfill data subject requests = Direct Article 15-22 violation
    • No valid legal basis documentation = Article 6 violation
    • Missing DPAs with processors = Article 28 violation
    • Data breach without proper notification = Article 33-34 violation

Probability Assessment: HIGH risk if technical systems cannot fulfill basic GDPR requests

Compliance Investment Required

Development Costs:

  • Couple user rights APIs: 3-4 developer days
  • Vendor user rights APIs: 4-5 developer days (more complex)
  • Cross-user dependency system: 3-4 developer days
  • Consent management system: 4-5 developer days
  • Selective encryption implementation: 3-4 developer days
  • Audit logging and monitoring: 3-4 developer days
  • Total Development: ~20-26 developer days (£20,000-£35,000)

Legal and Administrative Costs:

  • Privacy policy professional rewrite: £3,000-£5,000
  • DPA negotiations with all processors: £2,000-£3,000
  • Legal compliance review: £2,000-£3,000
  • Staff training and process documentation: £1,000-£2,000
  • Total Legal/Admin: £8,000-£13,000

Total Investment: £28,000-£48,000 to avoid potential £20M+ fine

ROI Calculation: 400-700x return on investment

Immediate Action Items

This Week (Critical Priority):

  1. Privacy Policy Emergency Update: Add basic GDPR rights contact process
  2. DPA Initiation: Contact all third-party services for agreement signing
  3. Consent Audit: Review all current consent collection mechanisms
  4. Data Retention Definition: Publish clear retention schedules

Next 2 Weeks (High Priority):

  1. Technical Scoping: Define user rights API requirements
  2. Two-Sided Policy Rewrite: Complete privacy policy covering both user types
  3. Manual Process Documentation: Create procedures for data requests
  4. Staff Training: Brief customer service team on GDPR request handling

Before Go-Live (Essential):

  1. All User Rights Systems Functional: Export, deletion, consent management
  2. All DPAs Signed: Every third-party processor covered
  3. Complete Policy Suite: Privacy policy, cookie policy, terms updated
  4. Breach Response Plan: Team trained and procedures tested

Success Metrics and Compliance KPIs

  • User Rights Response Time: 100% within 30 days (target: <7 days)
  • Data Export Completeness: 100% accurate and complete exports
  • Consent Processing: Immediate automated withdrawal processing
  • DPA Coverage: 100% of processors covered by valid agreements
  • Breach Response: 100% compliance with 72-hour notification rule

Business Performance Metrics

  • Search Functionality: No degradation from selective encryption strategy
  • User Experience: Seamless privacy controls integration
  • Vendor Matching: Maintained accuracy with unencrypted business data
  • Platform Performance: <2 second page load times preserved

Risk Management Metrics

  • Security Incidents: Zero data breaches due to GDPR compliance measures
  • Legal Challenges: Zero GDPR-related complaints or enforcement actions
  • Audit Results: 100% compliance in annual privacy audits

Data Retention Schedule

Automated Deletion Timelines

Data CategoryRetention PeriodDeletion ProcessBusiness Justification
User ProfilesAccount lifetime + 30 daysAutomatedGrace period for reactivation
Booking Records7 yearsManual reviewUK tax/legal compliance
Payment Data7 yearsAutomatedFinancial regulations
Messages/Communications1 year post-weddingAutomatedDispute resolution period
Marketing DataUntil consent withdrawnImmediateLegal requirement
Analytics Data2 years (anonymized)AutomatedBusiness insights retention
Audit Logs6 yearsAutomatedCompliance audit requirements
Reviews (anonymized)IndefiniteN/APlatform trust and reputation

Third-Party Processor Management

Current Service Dependencies

ServiceData ProcessedPurposeData LocationSafeguards Required
Stripe ConnectPayment data, customer detailsPayment processingGlobalAdequacy decision
Google CloudAll application dataHosting/storageEU/UK regionsData residency
TwilioPhone numbers, messagesWhatsApp/SMSUSStandard Contractual Clauses
SendGrid/SendLayerEmail addressesEmail deliveryUS/EUStandard Contractual Clauses
Fireflies.aiCall recordings, transcriptsTranscriptionUSStandard Contractual Clauses
Google MeetVideo call dataVideo conferencingGlobalGoogle DPA

Conclusion

This master strategy provides Wedissimo with a comprehensive, practical approach to GDPR compliance that:

  1. Meets All Legal Requirements: Covers every mandatory GDPR article with specific implementation
  2. Preserves Marketplace Functionality: Smart data protection maintains search and matching capabilities
  3. Addresses Two-Sided Complexity: Handles complex cross-user data relationships and business requirements
  4. Minimizes Business Risk: Clear procedures reduce likelihood of violations and fines
  5. Enables Scalable Growth: Foundation supports future marketplace expansion

Implementation Success Factors:

  • Selective encryption preserves core search functionality
  • Automated systems handle routine compliance tasks
  • Manual processes address complex two-sided marketplace scenarios
  • Comprehensive documentation supports audit and legal requirements
  • Ongoing monitoring ensures continuous compliance

With this strategy implemented, Wedissimo will achieve full GDPR compliance while maintaining its competitive marketplace advantages and growth potential.

Wedissimo API Documentation

Copyright © 2025 Wedissimo