In this article, you can find information related to how Servitly manages the privacy of its customers and end users in compliance with GDPR.
This includes internal controls, agreements between parties, and technical controls.
Internal Procedures
The internal procedures put in place by Servitly to manage data privacy are described below.
Privacy by Design
To ensure the privacy of the data recorded within the DPS, we at Servitly have adopted the principle of privacy "by design" when developing new features. Where "new technologies" or new ways of transmitting/managing/viewing data are going to be used, a Data Protection Impact Analysis (DPIA) is performed to identify possible issues in advance.
DPIA is a process for systematically considering the potential impact that a feature or technology might have on privacy, so that we can identify potential privacy issues before they arise, allowing us to find a way to mitigate them before releasing new features.
Data Privacy Officer
Even though we do not handle sensitive data, given the large number of users registered in our DPS applications and the large amount of personal data handled, in accordance with GDPR regulations, we have appointed a data protection officer (DPO) to oversee that any new implemented functionality or introduced technology complies with the regulations.
Contracts & Privacy Documentation
The GDPR focuses on transparency and fairness: Data Controllers and Processors must review their privacy notices, privacy statements, and any internal data policies to ensure that they meet the requirements of the GDPR.
Servitly as a Data Processor of the Client, who is the Data Controller, requires that a Data Protection Agreement (DPA) be entered into between the Client and Servitly or the third-party System Integrator, if any.
Accountability
Servitly's own staff are also trained and kept up-to-date on privacy matters, and have signed a code of conduct and a confidentiality agreement covering any Servitly customer data they become aware of.
Reporting Breaches
In the event of a data breach, Servitly agrees to notify the Data Controller within 72 hours of becoming aware of the breach, unless the data has been anonymized or encrypted. If it is not possible to inform the Data Controller in time, Servitly will notify the data subjects directly if the breach may cause them serious harm, such as identity theft or a breach of confidentiality.
Scope
The GDPR also applies to non-EU companies that market their products to people in the EU. This means that even if a company is located outside the EU, the GDPR still applies whenever it controls or processes data of EU citizens.
Access to DPS Applications
The features offered by the DPS application to be GDPR-compliant are described below.
Consent
All users accessing a Servitly-configured DPS application must accept the Terms of Service, Privacy Policy, and Cookie Policy at first login.
It is the responsibility of the company to which the DPS belongs to define the Terms of Service and Privacy Policy documents so that they:
- are GDPR-compliant;
- are clear and well formatted;
- leave no doubt about what can and cannot be done by accessing the DPS;
- leave no doubt about which kinds of data are managed and why;
- state clearly who the Data Controller and Data Processor are.
Rights for Individuals
Through the DPS interface, any registered user can:
- unsubscribe at any time, and delete all his/her personal data accordingly;
- change personal data at any time;
- request the download of personal data in a portable format.
Alternatively, a request can be sent to the supplier contact endpoint reported in the Privacy Policy agreement. The supplier agrees to respond within a timeframe appropriate to the type of request.
Cloud
How security and privacy are ensured on the cloud side.
Security
Refer to the Security Overview article for more information about DPS applications security.
Data Storage
To ensure GDPR compliance, all the data belonging to European accounts are stored in European data centers.
| Provider | Region | Datacenter | Availability Zones |
| --- | --- | --- | --- |
| Amazon EC2 | EU | Ireland | eu-west-1a, eu-west-1b, eu-west-1c |
| Microsoft Azure | EU | Frankfurt | Germany West Central (az-1) |
GDPR Compliance
For a complete overview of how the cloud providers deal with the GDPR compliance, visit these pages:
- AWS https://aws.amazon.com/compliance/gdpr-center/
- Azure https://www.microsoft.com/it-it/trust-center/privacy/gdpr-overview