Customers
User information
 Loading ...
Show article in Knowledge Base

 GDPR ‑ Common questions and answers Export knowledge base Export     SubscribeSubscribe      Show article info

Below you will find a collection of questions related to GDPR and short answers to them. Please note that there is a lot of information available on this topic online and we have only collected the most relevant and frequently asked questions below.

 

If you have any other question related to GDPR and VisionFlow not answered here, please let us know by sending an email to support@visionflow.com

 

General questions

When did the GDPR regulation come into effect?

On the 25th May 2018

 

Does GDPR apply to my organization?

 

Probably yes, if your organization is located in an EU country or if you do business with an EU country it applies to you.

Is VisionFlow GDPR compliant?

Yes,  VisionFlow is very secure and we take data privacy seriously. Also, VisionFlow and Visionera's internal routines and policies are be fully GDPR compliant.

 

There is functionality available in the system that you and your organization can use to ensure GDPR compliance, such as "the right to be forgotten", "the right to data portability", "the right to be informed" and "the right of access". For example, there is a quick function for anonymizing one or many users at the same time in the system.

 

Also, all servers are located within EU and no data is processed outside the EU. 

Is VisionFlow Schrems II compliant?

Yes,  see above.

What is a data controller?

This is the organization that determines the purposes, conditions and means of the processing of personal data, i.e. your organization.

What is a data processor?

A processor processes personal data on behalf of the controller, so if you are using the cloud version of VisionFlow then this is us.

What is a data subject?

A natural person.

What does personal data mean?

According to GDPR: "Personal data means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;" (See article 4)

 

This can be anything, for example:  a name, a photo, an email address, posts on social networking websites, medical information, or an IP address.

 

More information about this can be found here for example....

What does data processing actually mean?

Processing of personal data according to GDPR is very broadly defined. Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

 

Note that processing not only includes storing of data in a database (or files) and processing of that data data in a system such as VisionFlow but also includes data presented in a graphical user interface for a person outside your organization (such as our support staff) also during a screen-sharing session, it also includes transmission of data, screen dumps or configuration files and log files if they contain personal/user information.

Do we need to sign a Data Processor Agreement (DPA) for VisionFlow?

YES, if you are using the cloud version of VisionFlow, you will need to sign a DPA with us. A standard signed DPA can be requested by contacting our support team here: support@visionflow.com

 

YES, if you are using the on-premise installed version of VisionFlow, and you have purchased any add-on services, such as maintenance or remote hosting services. 

 

YES, if you are using our private cloud version, with dedicated servers. 

 

RECOMMENDED, if you are using the installed on-premise version of VisionFlow it is recommended to sign a DPR with us for proactive reasons since it may be needed in the future. One example where it is needed, is if we you require technical support from us that require access to your servers. So while it is not necessary right away it needs to be signed before we are given access to your servers. 

Where can I read the GDPR regulation? 

You can download it here...

What user information can I store about a person?

For data processing to be OK under the GDPR. It is important that you determine your lawful basis for processing personal data and document this.

 

You can read more about this here...

 

Do we always need consent to store personal information?

There are several cases where you are allowed to store personal without consent, for example:

  • If you have or are about to sign an agreement with a person, for example employment agreement, rental agreements, purchase agreements and the like
  • If you by the law in your country must store information about the person, for example for accounting or financial transactions
  • If data processing is necessary to protect the vital interests of a data subject or another person
  • If the processing is necessary for the exercise of government and public authorities
  • If your organization have a legitimate interest to process personal data, for example for marketing purposes

 

You can read more about this in article 6.1 

 

How long can I store and keep personal information?

GDPR states that personal data must not be kept longer than necessary for the purposes for which the personal data is processed (See article 5). This is vague and depends on your organization. 

 

For example, if data is captured and processed for customer service, marketing or sales, it can be justified that you are allowed to store the data as long as the person can be considered a customer. Different research initiatives have concluded that 90% of individuals make a repeat purchase within 3-6 years. Naturally this varies depending on the products or services that you provide, but you should be able to keep the data at least this long since there is a high probability that the customer will buy from you again. 

 

Is data processed outside the EU?

 

For the cloud/saas version of VisionFlow all servers are located within the EU. This means that no data is transferred or processed outside EU and all sub-processors used comply with GDPR. More information about these sub-processors are available here and in the DPA signed by our customers. 

 

According to GDPR it is not permitted to transfer and process personal data to countries outside the EU unless there is a decision from the European Commission that a certain country outside the EU/EEA ensures an adequate level of protection. 

 

Cloud Act och Privacy Shield

 

As a part of the "Schrems II" act that the Court of Justice of the European Union (CJEU) published on 16 July 2020. The EU-US Privacy Shield for data sharing was struck down by the European Court of Justice on the grounds it did not provide adequate protections to EU citizens on government snooping, i.e. it is not allowed to use US based cloud services for EU based companies. 

 

The CLOUD act is a United States federal law that is not compatible with GDPR which is an EU law. This means that US based SAAS/cloud based software can not be used by companies in the EU. 

 

The Privacy shield was a framework for regulating transatlantic exchanges of personal data for commercial purposes between the European Union and the United States, it was declared invalid on 16 July 2020.

 

For VisionFlow customers the Cloud Act och Privacy Shield are not relevant since all servers for VisionFlow are located within EU. This means that no data is processed outside the EU to comply with both GDPR and Schrems II. 

 

Technical questions

Where is the data stored?

All data for the cloud version of VisionFlow is stored within EU, in Stockholm to be exact. If you are running the installed on-premise version of the system you can decide where the data should be stored yourself.

When sending and receiving emails in the system, are they encrypted?

All emails sent out from the system are encrypted during data transfer using a standard protocol called SMTPS. If you use the email ticket system to we recommend that you also use encryption, i.e. with the protocols IMAPS or POP3S.  

How can I manage individuals requests for erasure ("right to be forgotten")?

When person request that all data about to them be removed from the system you will need to comply within a reasonable time. You first have one month to respond to a request (read more here). Under normal circumstances you need to remove the data about that user from VisionFlow and other systems (if applicable).

 

Please note that, in many circumstances, you do not need to remove data about a person, or just some data, as long as it is justified to store that data. You can find some good examples and guidelines here:

 

To remove data about users in VisionFlow you first need to first remove the issues/tickets  for the user in your projects/workspaces. More information about this is available here...

 

After the issues/tickets have been removed, you can remove the user itself. To do this you need to open user in the "General" --> "Users" section and then click delete. 

How can I handle individuals requests for "right of access" i.e. so called "subject access requests" ("SAR")?

Individuals will have the right to know what information you store about them. This means that you would need to be able to provide them with all that information if they request it from you. 

 

The easiest way to provide this information for the user is to provide them access to the support center (if you are using that module). This means that they would be able to see and review all issues and user related information that you provide them with. User data stored directly on the user object is available in the user profile.

 

Another way to send them all information for review, for example if you don't have the support center module enabled, is to export all data and send it to them.  You can do this in the "General" --> "Users" section) and then export all issues/tickets for them in excel format, or if you prefer to send it to them in a more readable format you can do it from the General --> Search section by choosing the "Full content with history included".

How can I handle individuals requests for "right to data portability"? 

This means that it should be easy for anyone to retain personal data in a structured and portable format to be used for their own purpose, for example i they want to move from one service to another.  To send all information about a person you need to export the user's data (in the "General" --> "Users" section) and then export all issues/tickets for them (in the General --> Search) section.

What new functionality will be available in VisionFlow related to GDPR?

There is be new functionality available in the system to make it easier for you to handle "right to be forgotten" requests. This means you will be able to select many users and delete them in a batch, with all related data. 

 

Also there are functionality available where you can anonymize users, this means that the name and all personal fields will be blanked out from the user and their issues/tickets. This will make it easier for you to keep important data in the issues/ticket but remove personal information from them. Read more about this functionality in this Knowledge base article.

 

In addition to this we have developed a new indexing engine that will make it easier for you to search for documents related to a specific person or documents where he/she is mentioned, so that you can more easily review these.

 

You can read more about these functions here...

Can I limit access to certain personal (user) data fields?

Yes, you can limit access to fields on users/persons for certain user groups by creating "user views". If you want, you can also make it possible for end-users/customers (support users) to see and edit field in the support center portal. See here for more information about this...

What happens if there is a data breach?

If there is a data breach we will report this incident to you as a customer as soon as possible (within 72 hours maximum). In turn, you may need to report this to your data subjects or data controllers (if you are a processor), without undue delay (within 72 hours). If there is a major/severe data breach we will also inform the necessary supervisory authority.

Have your system been audited by third party organizations?

Yes, our system and services have been audited by independent organizations and some customers and received the best marks. One such organization is the Swedish Techlaw, which is a law firm that has done the audit as its role as Data Protection Officer for one of out biggest clients. 

Do we have the right to audit your system and services?

Yes, as part of the Data Processing Agreement that we recommend you to sign when using our system, there is a clause that gives you the "Right to Audit". This is a process that normally take a bit of time and we charge for this work per hour, so we normally not recommend this unless it is absolutely required.

Instead we recommend that you first read through the information available in our knowledge base that normally answer all questions included in such an audit. On addition to this KB article that gives answers to most questions about GDP we also recommend the following KB articles:

 

Also, if you want we can also provide you with an example of a security audit performed in the past. If you can't find answers to the questions you have then you are also welcome to send us your questions to our support team an we'll answer them for you.


User comments
 Loading ...