Your solution for implementing GDPR
The d.velop GDPR compliance center
GDPR: How it affects you
The aim of the new General Data Protection Regulation (GDPR) is to improve the protection of personal data, increase accountability for violations of data privacy and ensure a standardized data protection standard throughout the EU. The regulation came into force on May 24, 2016. However, companies had until May 25, 2018 to meet all the requirements of GDPR.
This obligation poses major challenges for companies and organizations that work with personal data. We help you to master them in two steps. With expert knowledge, concrete recommendations for action and our own software product to support you in implementing GDPR.
form a plan!
Find over 30 pages of assitance for implementing GDPR. Includes infographics and checklists.
The d.velop GDPR compliance center is the ideal tool for implementing the General Data Protection Regulation in your company.
Your solution: the d.velop GDPR compliance center
Our d.velop GDPR compliance center offers you a solution for meeting the requirements of GDPR in the most effective way possible. You can use this software solution as a guide for ensuring your work is GDPR-compliant. The d.velop GDPR compliance center is a support tool for the analysis and documentation tasks involved in fulfilling GDPR accountability obligations (DSGVO).
Through the GDPR Dashboard (the image on the right), users get a central access point into the application and an overview of all the important key figures for each processing activity, IT service and provider. The solution also lets you allocate the work involved in the implementation process to the responsible specialist departments.
Questionnaires with predefined content simplify process analysis by guiding the person in charge through the stocktaking of information relevant to data protection.
The dashboard with all the key figures for processing activities provides transparency and serves as an entry point for distributed processing.
Predefined and flexible filing structures and documprent templates let you meet accountability and documentation obligations in digital form.
All the advantages at a glance
- Transparent oversight over the status of processing activities at all times
- Centrally maintain data protection-related documentation in digital form
- Content-based support for the analysis process through GDPR surveys made by the experts
- Simplification of the evaluation process with derivable risks and measures
- Question catalogs that can be flexibly adapted to the context of your company
- Reporting with a digital processing catalog at the push of a button
- Dashboard for visualizing core information while also serving as a portal for distributed processing
- On-premise or cloud-based solution that can be implemented rapidly
FAQ: How to use d.velop products compliant with GDPR.
As to the certifications of the d.velop software for document management (“DMS” or “ECM”), we first of all assure that the software as such enables audit-proof archiving of documents, emails and other contents in accordance with the legal requirements to ensure compliance with the requirements under tax law and commercial law. The d.velop software is insofar certified according to the PS880 and ISAE3000 standards. Based on these commercial and tax law certifications, the customer, where required with the assistance of d.velop, is to prepare procedure documentation in accordance with the specific configuration of the d.velop solution chosen from time to time; this documentation then needs to be certified by an auditor. On this basis, the tax offices acknowledge audit-proof archiving in accordance with the requirements of the GOBD (“Grundsätze zur ordnungsmäßigen Führung und Aufbewahrung von Büchern, Aufzeichnungen und Unterlagen in elektronischer Form sowie zum Datenzugriff”: generally accepted principles of proper accounting and keeping of books, records and documents in electronic form and of data access).
The GDPR, especially Art. 42 GDPR, provides for the possibility to obtain certification under the GDPR or to be awarded a data protection seal as appropriate means for controllers (=customers using d.velop software) and processors acting on behalf (= this may be d.velop where data is processed on behalf according to Art. 28 GDPR, for instance, when the d.velop cloud is used) to demonstrate compliance with the GDPR. However, no such certifications have been introduced by the responsible accreditation bodies by now. d.velop AG will check the possibilities for certification of its software products as soon as appropriate certifications are available. The same applies to the elaboration of, and the commitment to, so-called “Codes of Conduct” according to Art. 40 GDPR. For the time being, in the light of the restriction under Art. 42 GDPR providing for a certification option only for controllers resp. for such an option being dependent on the scope of data processing on behalf, it cannot yet be foreseen in default of appropriate requirements imposed by the supervisory authorities whether and to what extent mere software-related certifications under the GDPR will be established resp. whether the supervisory authorities will, for instance, introduce such certifications to evidence compliance with data protection regulations by design.
Is d.velop AG (as producer) obliged to provide a data protection impact assessment (DPIA) for its programs and then specifically tailor this DPIA to its end customers?
First of all, we would like to give you some brief explanation as to what is understood by a data protection impact assessment (DPIA). Pursuant to Art. 35 GDPR, a data protection impact assessment is a procedure
- which describes the processing,
- which assesses the necessity and proportionality of the processing and
- which assesses and controls the risks to the rights and freedoms of the data subjects,by
- risk assessment and
- definition of counter-measures
The assessment of impact of the processing operations on the protection of personal data consists of (at least):
- a systematic description of the processing and its purposes
- an assessment of the necessity and proportionality in relation to the purposes
- an assessment of the risks to the rights and freedoms of the data subjects
- safeguards and remedial measures intended to address the risks, and which ensure data protection and furnish proof of compliance with the GDPR (including Art. 32).
Obligation to carry out a data protection impact assessment exists where there are high risks to the rights and freedoms of natural persons:
- due to the specific mode, scope, context and purposes of the processing
- in particular where new technologies are used
- the views of the data subjects and their representatives have to be sought where required
- a review to assess whether processing is performed in accordance with the data protection impact assessment must be carried out where required.
As a rule, the responsibility for carrying out the DPIA lies with the controller. The obligation to carry out the DPIA is imposed on the controller; this can already be seen from the wording of Art. 35 subs. 1 sentence 1 GDPR: “Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.” No such obligation to carry out a DPIA is imposed on the processor as regards the processing operations actually carried out by it (support & maintenance) in the context of the services it renders in the capacity as processor acting on behalf.
However, to be able to carry out a DPIA according to the requirements of Art. 35 GDPR with respect to certain software products, the controller usually depends on information provided by the processor, also as regards the software product which the controller has delivered. Based on number 83 and 95 of the Recitals to the GDPR, the processor is therefore obliged to assist the controller, where necessary and upon request, in carrying out the DPIA. d.velop AG is of course ready and willing to render appropriate advice to comply with the said obligation to assist the controller once d.velop AG has been commissioned to carry out data processing on behalf. As to the mere software product, this constitutes a voluntary service.
d.velop AG will shortly provide abstract information how and on which basis a DPIA can be carried out in relation to d.3ecm and what options are available in general to take measures under d.3ecm to ensure risk minimization.
It is the responsibility of the controller itself to decide whether or not a DPIA must be carried out for a certain d.3 configuration forming part of a process in a processing operation. In this respect, d.velop AG can at best render support and assistance with respect to the configuration measures to be taken.
d.3ecm provides multiple options for the user to configure the system in accordance with data protection requirements. This includes for instance the concept for allocation of responsibilities and the authorization concept, the erasure of documents and meta data after expiry of the storage period defined by the customer as well as the possibility to encrypt communication between the various d.3ecm components or when d.3ecm is accessed or when documents are stored or archived in d.3ecm.
The question whether and how the requirements under the GDPR are implemented within d.3ecm essentially depends on the processing activities carried out with d.3ecm and on how d.3ecm is configured by the user. The GDPR does not address the software producer (i.e. d.velop AG) but the one who processes personal data by means of the software (the user – or, in terms of data protection law, “the controller”). d.velop can support and assist the user in configuring d.3ecm such that it is in conformity with data protection law. However, the user is itself responsible for satisfying the existing requirements.
The following functions must be activated in d.3ecm to enable erasure of information or personal data in terms of the GDPR from the d.3 server:
ALLOW_DELETE_FROM_RELEASE must be activated to enable an authorized user to delete all documents.
DELETE_DOCS_ELAPSED_SEC_STORAGE must be activated to adopt deletion into the storage manager.
RECYCLE_STORAGE_PERIOD must be set to a lower value where logical deletion takes place early in physical respect. With the standard settings, physical deletion takes place after 365 days only.
Deletion in the storage systems is not the responsibility of d.velop AG but that of the respective user of d.3. It must be considered from time to time whether and how data can be deleted from the storage systems. Where required, the back-up/archiving strategies must be adjusted if they do not allow different storage periods or if they do not allow individual data to be deleted.
We do not make any recommendations regarding the storage system to be chosen. The customer is only required to ensure the ability to erase documents of data subjects within four 4 weeks where the customer cannot rely on a legal basis for storage of the data. This means that, when the customer only administers, and archives on secondary storages, documents which the customer is obliged to retain, the customer is not obliged to erase them before the legal retention period has expired. If, however, the customer stores or archives documents which the customer is not obliged to retain, the customer must be able to erase them. In this case, the customer must either choose a system which renders erasure possible or store the documents only in the d.3ecm documents tree and not on the secondary storage.
Compliance with data protection and information security is of overriding importance throughout d.velop AG as a whole. Therefore, d.velop AG of course has initiated appropriate measures in the context of its internal GDPR implementation project to ensure adequate compliance with the GDPR requirements to be implemented by 25 May 2018. In addition to the internal implementation of the GDPR, d.velop elaborates and provides manuals, practical advice and concepts for its customers to demonstrate that also after 25 May 2018 the d.velop software can be used in conformity with the GDPR. The d.velop software, depending on the configuration chosen from time to time, already now is in principle capable of satisfying the existing data protection requirements by design (implementation of concepts for allocation of responsibilities and authorization concepts, marking of personal data, storage and erasure – implementation of erasure concepts).
If and to the extent that the use of d.velop software relates to the processing of personal data (“pd”) of your employees or customers, such processing should always be documented in the d.velop software; the options required for this are available. Only structured storage of pd enables proper implementation of the data subjects’ rights under Art. 12 et seq. GDPR. This is the only way for you to ensure efficient handling of requests by the data subjects (employees, customers, consumers etc.) for information/ access or erasure of their pd or the data subjects’ objections to the processing of their pd. When you introduce your d.velop software for processing activities, you can best implement this by describing in detail the d.velop software and its specific implementation in the light of the requirements of Art. 30 GDPR (records of processing activities and consideration of the requirements to ensure security of processing according to Art. 32 GDPR). d.velop AG will shortly release a product called “d.velop GDPR compliance center” which can help you prepare records of processing activities for all your processing activities including those which are not carried out by means of the d.velop software.
Based on these records of processing activities, a data storage and erasure concept needs to be developed. This concept is meant to structure and define by the various datasets concerned which specific storage periods apply to a certain document or email. There are, for instance, certain commercial letters in terms of § 147 subs. 1, 3 AO (Abgabenordnung – German Tax Code) that are subject to a storage period of 6 years (commercial and business letters), other documents are subject to a storage period of 10 years (books and records, inventories, annual financial statements, annual/ management reports, opening balance sheet and the instructions required for their understanding as well as other organizational documents). When preparing the erasure concept, you can for instance rely on DIN 66398 or other market-usual standards.
To ensure audit-proof archiving in terms of commercial and tax law, documents, emails and other contents are stored in the storage systems in an audit-proof way, based on the PS880 resp. ISAE3000 standard for which d.velop AG has obtained a certification, too. Apart from that, you will presumably have prepared a so-called “procedure documentation” already because such a documentation – which needs to be confirmed by an auditor – is required for the tax authorities to acknowledge audit-proof archiving. This documentation, too, can help you develop the erasure concept.
Where, for instance, a data subject asserts his/her right to erasure under Art. 17 GDPR when he/she has left your company, you have to consider whether you are actually obliged to erase the data. This will in particular be the case when you are no longer entitled to retain a document, email or other contents because the applicable storage period has expired. In this case, storage of the data has been contrary to data protection law already since the time when the storage period expired – presumably already before the data subject has requested erasure. When the storage period has expired and there is no statutory or contractual storage period in terms of § 35 subs. 3 BDSG (Bundesdatenschutzgesetz – German Federal Data Protection Act (new version)) either (Please note: The BDSG (new version) concretizes, among other things, the rights of the data subjects under the GDPR), you are even obliged to erase contents that are stored in an audit-proof manner. If, however, the storage period has not expired yet, you are entitled to continue storage until expiry of the storage period and you have to inform the data subject to that effect. To prevent an unlawful situation from arising in connection with non-satisfaction of the data subjects’ rights, you should provide for automatic erasure to take place when a certain condition occurs (“storage period has expired”) regardless of any specific request (“data subject requests erasure”). The d.velop software enables the implementation of such erasure concepts.
Processing must be restricted in the cases listed in Art. 18 subs. 1 GDPR. Art. 18 subs. 2 GDPR provides that, where the processing has been restricted, “such personal data” that is concerned by the restriction “shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State”.
It is thus necessary to mark the data concerned by the restriction in the way that the person in charge of the processing is able realize that the data in question is subject to restriction (e.g. by coloured marking) or that the data is technically “blocked” such that further processing is impossible or is only possible with special authorization until the time when the restriction is lifted.
For such purpose, d.3ecm provides the “blocked” flag which is visualized by a prohibition sign. Moreover, it is possible to completely or partially restrict access to such data by the user. It is, for instance, possible to configure the system such that there actually is a hit in a search, but the user cannot see or access this document.
In the ecspand / SharePoint environment, you would transfer this data to a SiteCollection where no processing takes place and where restricted processing is ensured by an appropriate authorization concept (policies).
Art. 19 GDPR imposes on the controller the obligation to communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data is/ has been disclosed. To enable d.3ecm to support this, it is first of all necessary to make sure that it is documented in d.3ecm to whom, i.e. to which recipients (Art. 4 no. 9 GDPR), the data was disclosed.
This could be done by a separate d.3ecm system which then needs to be configured (including the work flows) such that it can process requests from data subjects. This means that all requests relating to erasure, rectification or restriction would be controlled and documented by this system but also all activities not performed within a d.3ecm system would be controlled and documented there, too. Moreover, this d.3ecm system would have to be configured such that the documents are deleted automatically after 12 months resp. on 31 December of the next year.
Do you have any questions about GDPR?
We are happy to answer your questions on the subject of the General Data Protection Regulation.