How we respect GDPR as data processor

Data security

We guarantee data security adopting security measures that are adequate to the risk, as the article 32 of the GDPR commands: we guarantee privacy on treatments (binding our employees to privacy) and we adopted policies on personal data violations to alert the data controller without unjustified delay about all data violations we might discover. Lastly, once the services are over, according to instructions received by the controller, we allow him to export or delete all data from our system and we won’t save any copy.

Alert, assist and advise the controller

We collaborate with the data controller alerting, assisting and advising him on our system functioning; We’ll provide assistance to the titolare to allow him to handle requests related to the practice of the rights of the person concerned and, keeping in mind the nature of the processing and information we have, we’ll help the controller to guarantee conformity with the security requirements of the processing, the data violation notification and the evaluations on data protection impact.

Privacy by design and by default

Being aware of the duties that weigh on the controller with regards to privacy by design and privacy by default, in accordance with the article 25 of the Regulations, and the instrumentality that characterizes the role of the processor, so that the processing satisfies GDPR requirements and guarantees the protection of the rights of the person concerned. Specifically:

• from the designing phase of our system, we apply adequate technical and organizational measures to effectively realize the data protection principles as the minimization, and integrate the required warrantees in the processing to satisfy requirements of the Regulations and protect rights of the people concerned (privacy by design);
• we apply adequate technical and organizational measures to guarantee that only personal data required for each specific purpose of the processing are processed by default setting (privacy by default). For example:
  • we make available the possibility to manage and delete every type of data;
  • we allow to set complex passwords that match high security requirements;
  • we allow to set an expiration date on passwords;
  • we allow to create users with customized authorizations;
  • we allow to display and edit all data related to the contacts;
  • we allow to display all data collected in interviews completed by the users;
  • we allow to set customized privacy texts with acceptance flag.

Read more on characteristics and certifications of our OnCloud infrastructure.

Are we obliged to nominate a data protection officer (RPD or DPO)?

We’re not obliged to nominate a DPO: the nomination is mandatory in three hypothetic scenarios:

• the processing is performed by a public authority or a public institution;
• the main activity, made on behalf of the controller, involves the regular and systematic large-scale monitoring of the people concerned;
• the main activity, made on behalf of the controller, involves large-scale sensitive data (particular categories of personal data) or juridical data (data related to penal sentences or crimes).

The recommendation to better define the compulsoriness of DPO nomination are deducted from the Guideline on data protection officer (RPD or DPO) published by the Working Party Article 29 that, at paragraph 2.2, addresses the nomination of the DPO by the processor, giving a few examples. As our main activity is not represented by large-scale processing like those described above, we’re not subjected to nomination obligation.

We’re available to subscribe agreements on data processing

We’re available to provide or subscribe agreements that include (in writing):

• the content and the duration of the service that the controller will perform on behalf of the processor;
• the nature and scope of the processing;
• the personal data type processed on behalf of the controller;
• the categories of people concerned;
• the duties and rights of the data controller;
• the duties and rights of the data processor, as established by the article 28 of the Regulations.

We own records of processing activities

As established by the Regulations, we own records of processing activities that we make on behalf of the controller. The records in writing include:

• name and contact data of each data controller for whom the data processor operates;
• the categories of processing done on behalf of every data controller;
• when applicable, personal data transmission to third country or to an international organization, and the documentation of adequate warrantees they’re based on;
• a general description of technical and organizational security measures of the article 32, paragraph 1 of the Regulations.

Obligations of the processor to nominate a sub-processor

We’re aware that the data processor can nominate another data processor only upon written authorization of the data controller. We communicate data of our sub-processor when the agreement on processing is subscribed that will include the proxy for the following nominations. We impose to the sub-processor, through an agreement, the same obligations for data processing included in the contracted subscribed between the data controller and the data processor.

Data violation

The violation of personal data is a security violation that implicates the accidental or illegal destruction, loss, modification, un-authorized disclosure or access to personal data transmitted, stored or processed in any way. If we acknowledge a violation, we would inform the data controller with no unjustified delay. We adopted a company policy that allow us to assist the data controller in guaranteeing conformity of processing to rules that preside over their security, including those related to personal data violation.

Role of the processor on impact assessment

The controller is the one that has to make the impact assessment on data protection in accordance with Article 35 RGPD and the related responsibility weighs on him and it cannot be transferred on the processor. However we give assistance to the controller in conducting DPIA providing all needed information, as established in the processing agreement.