
Data protection at Blanco

Written by Pieter Reitsma
Updated over 4 years ago

As of the 25th of May 2018, the General Data Protection Regulation (“GDPR”) applies in the Netherlands. The GDPR has direct effect in the Netherlands, and the Dutch Data Protection Act (Wet bescherming persoonsgegevens) will to a great extent be repealed by the Dutch legislator. The GDPR grants rights to the data subject and imposes obligations on the controller and the processor.

The full text of the GDPR can be found here.

We would like to inform you about how Blanco takes this new legislation into account.

General principles relating to processing of personal data

Under the GDPR, in general personal data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with the GDPR, not be considered to be incompatible with the initial purposes (‘purpose limitation’);

  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

Of course, many of these obligations have to be met by the controller (you), but Blanco will help you to comply with them.

With this memo we only intend to inform you about how Blanco deals with the obligations of the processor under the GDPR; we do not intend to advise you about your own obligations.

Please check http://ec.europa.eu/justice/data-protection for more information about the privacy rules, regulations and obligations that apply to you as data controller.


Lawfulness of processing

Processing shall be lawful only if and to the extent that (for example):

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or

  • processing is necessary for compliance with a legal obligation to which the controller is subject.

You, as data controller, need to make sure that you have a legal basis for collecting data from the data subject.

For information: because the information the Blanco software obtains from the client is necessary for entering into and performing a contract between you and the client, this legal requirement is met. Extra information about the lawfulness of the processing could be included in the privacy statement on your website or in (an annex to) your contract.

Blanco, as a data processor, only processes the personal data of your clients on your behalf and will not use the data in any other way.


Transparency

The GDPR sets clear rules regarding the provision of information when collecting personal data and regarding access to personal information. Because you are the controller, you should inform the data subject about the information you process and the rights the data subject has.


Rectification, erasure and restriction of processing

The data subject has the right to obtain from the controller, without undue delay, the rectification, erasure and/or restriction of processing of personal data concerning him or her. You can use the Blanco tools to correct data, and to erase data when requested or when you are obliged to.

Since Blanco is the data processor, we do not decide ourselves which data must be adjusted or removed. We also only respond to requests from you, not to requests from your clients directly.


Right to data portability

In certain cases, the data subject has the right to receive the personal data concerning him or her which he or she provided to a controller, in a structured, commonly used and machine-readable format, and has the right to transmit those data to another controller.

Blanco supports you as much as possible regarding data portability. All data gathered by the Blanco tools is portable in multiple ways. Please see the relevant tool for details on data exchange and data export (for example CSV, PDF, API, etc.).


Appropriate technical and organisational measures

A controller needs to implement appropriate technical and organisational measures, designed to implement the data-protection principles in an effective manner. Not only does a controller have to implement such measures itself; where processing is to be carried out by a processor on its behalf, the controller must also use only processors that provide sufficient guarantees that they implement appropriate technical and organisational measures.

Blanco has taken the following technical and organisational measures regarding data protection:

Technical

Control of data carriers:

Blanco develops and deploys its software only in the cloud. All data is stored in the cloud, and no other data carriers are used to store or transfer data. Access to the cloud is restricted and strictly secured.

Amazon Web Services Inc

Blanco uses the cloud services of Amazon Web Services Inc (AWS). AWS is located in the US and is an EU-US Privacy Shield participant. For more information, please refer to https://aws.amazon.com/compliance/eu-us-privacy-shield-faq/

The data is stored in the Frankfurt region. AWS is responsible for securing physical access to its data centres and network. It has measures in place for network security, DDoS mitigation, encryption, identity and access control, etc. Details can be found at https://aws.amazon.com/security/

Blanco has concluded additional agreements with AWS:

- Data Processing Addendum, regarding the processing of personal data

- Financial Services Addendum, regarding the right of examination for DNB/AFM

Blanco has conducted an extensive cloud risk assessment (using the DNB template). On request, this assessment can be sent to you, so that you can use it as input for your own cloud (outsourcing) risk assessment.

Blanco

Blanco builds its software on top of the AWS infrastructure. Blanco makes sure that data sources are only available to specific services, using granular IAM controls. Only the business logic can access data directly. The business logic sits behind a gateway or API that prevents direct access, and data can only be retrieved with the correct credentials or tokens. Blanco has specific roles and permissions in place to support different types of users in the system. Blanco provides all the tools you need to keep a secure environment for your data. Blanco never gives third parties access to data, but we provide you with the tooling to open your data to third parties or end clients if you wish.

Our development process prevents malicious or insecure code from reaching production by following an industry-standard development process with a fully auditable workflow, consisting of task creation, version control of code, peer reviews and controlled staging through different environments. With automated and manual tests, we perform the required quality assurance before every line of code is promoted to the development environment.

On top of the backup and uptime guarantees of AWS, Blanco has implemented its own backup and restore and high-availability mechanisms.

You

We provide you with credentials, protected by multi-factor authentication, for the first admin user. From there you can grant access to colleagues, agents or third parties from within the configuration of the system. It is up to you to grant access to others.

Your clients

Your clients are responsible for safeguarding the credentials handed out to them and their multi-factor devices, and for not letting others access their data through portals and other solutions.


Organisational

Employees

When Blanco intends to employ someone, HR carries out the following comprehensive pre-employment checks:

  1. All relevant information is requested from the prospective candidate, such as a copy of the identity card/passport, a copy of the relevant certificate(s)/diplomas, the curriculum vitae, etc.;

  2. If possible, the prospective candidate must apply for a Certificate of Good Conduct (verklaring omtrent gedrag) and submit the certificate to Blanco; and

  3. Blanco performs a PEP and sanctions check on all employees.

Periodically, an in-employment screening is conducted.

Control of access:

Blanco has implemented an access control policy and access controls. Only employees who need access in order to perform Blanco’s obligations towards you get access to the relevant systems and document folders. Whenever an employee leaves, his or her access rights to Blanco’s systems and information are withdrawn.

Assessment of third-party service providers

Blanco has implemented data security guidelines regarding outsourcing and third-party compliance. Prior to outsourcing, or allowing a third party access to Blanco’s non-public information or systems, Blanco conducts an assessment of the third-party service provider.

Contracts and confidentiality agreements

Whenever Blanco makes use of third parties or provides information to third parties, it will enter into a contract and/or a confidentiality agreement. Blanco ensures that all relevant provisions regarding the processing of personal data are included in the agreement.


Sub-processor

According to the GDPR, the processor shall not engage another processor without prior specific or general written authorisation of the controller. Blanco obtains a general written authorisation in the licence and hosting agreement and informs you about its sub-processors in the support portal and/or product manual.

Blanco only transfers data to a sub-processor in a third country when that third country ensures an adequate level of protection. Blanco also always concludes a data processing agreement with all (sub-)processors.


Data breach

Despite all the measures Blanco has implemented to protect the data, a data breach may occur. Blanco will inform you without undue delay as soon as we become aware of an infringement in relation to personal data. You are responsible for reporting the infringement, where required, to the relevant regulator and/or the person(s) involved.

