In early 2017, we received the final text of the European Union's new General Data Protection Regulation (GDPR). In the following months, we studied the text, created policies, hired a DPO and introduced the new 'GDPR working methods' to our own AppSaloon team. As a result, we are excited to announce that we are GDPR compliant, and so are all of our subprocessors.
What does this mean for our clients?
We assure our clients that all of their personal data will be processed fairly and lawfully, in accordance with individuals' rights. Personal data will not be processed unless the individual whose details are processed has consented to this.
Storage of personal data
- Regarding personal data printed on paper: these documents are kept in a safe place during the day.
- All paper documents with personal data are stored in a closed dresser at the end of the day, and are never left unattended at any time during the day.
- Printed data are shredded immediately when they are no longer needed.
- Data stored on a computer are protected by fingerprint authentication and strong passwords that are changed frequently.
- All of our employees use '1Password' for storing and generating passwords.
- Cloud applications can only be used if they are approved by the DPO and if the subprocessor is GDPR compliant.
- Data are backed up regularly in accordance with our back-up procedures.
- Data are never directly stored on mobile devices such as laptops, tablets or smartphones unless permission has been granted by the person whose personal data are being stored.
- All servers storing sensitive data are approved and protected by security software and a strong firewall.
- Only data requested by the client are stored in our database. This request will be confirmed in writing before personal data are stored.
Use of personal data
- When working with personal data, all AppSaloon employees are obliged to block the screen(s) of their computer when leaving their desk.
- Personal data are not shared informally or via e-mail unless the data are encrypted.
- Sending personal data through Slack is possible but is kept to a minimum, unless the client is participating in the Slack channel.
- Data are encrypted before they are transmitted electronically.
- Personal data are never transferred outside the European Union unless otherwise agreed and approved by the client and the data officer.
- Employees can keep copies of personal data, such as databases and uploads, on their work laptop for the duration of the project.
Keeping personal data up-to-date
- All employees who process personal data are responsible for keeping those data as accurate and up to date as possible.
- Data are stored in as few places as possible.
- Data are updated when inaccuracies are detected. For example, when a client can no longer be reached on the phone number saved in the database, this number is removed from our database and CRM.
- As soon as a data breach is suspected at AppSaloon, the employee who suspects the breach will inform the DO immediately.
- The DO informs the DPO and the IT department.
- Together they form the “Incident Response Team (IRT)”.
- The IRT investigates whether the incident is a data breach or not.
- If a data breach took place, an action plan is drawn up and the breach is reported to the Data Protection Authority.
- These actions will take place within a time span of 72 hours.
- If a data breach occurs at one of our subprocessors, the subprocessor must inform the DO immediately, in line with the contractual agreements.
- As soon as this report comes in, the DO informs the DPO and the IRT is called to draw up an action plan.
- Subsequently, they will check whether AppSaloon acts as controller or as processor.
- If AppSaloon acts as controller, the DPO will provide the necessary notifications to the Data Protection Authority within 72 hours.
- In case of a data breach, we inform our client(s) as soon as possible.
We take compliance with our data protection policy very seriously. Failure to comply puts both our clients and our organisation at risk.