
General Data Protection Regulation (GDPR)

Security of information and privacy are our most important assets. It is in our greatest interest that you have confidence in how we handle your personal information and all data in your database. This is possible only when our software works accurately and securely, our internal processes and policy are correct and when our colleagues handle (business) data correctly.

From 25 May 2018, any company that processes personal data of European citizens must comply with the General Data Protection Regulation ("GDPR"). Your company will also have to deal with this.

What is the GDPR?

Here are the major changes that are mentioned in this new legislation:

Expanded territorial reach
Companies that are based outside the EU but target customers who are in the EU will be subject to the GDPR, which is not the case today.

Consent
Consent to the processing of personal data must be freely given, specific, informed and unambiguous. Consent is not freely given if a person is unable to refuse it without detriment.

Accountability and privacy by default
The GDPR places great emphasis on the accountability of data controllers to demonstrate compliance. They will be required to maintain certain documentation, conduct impact assessments for riskier processing and employ data protection practices by default, such as data minimisation.

Notification of a data breach
Data controllers must notify the Data Protection Authorities as quickly as possible, where applicable within 72 hours of the data breach discovery.

Sanctions
This new legislation allows the Data Protection Authorities to impose higher fines, up to 4% of annual worldwide turnover. The maximum fines can be applied for infringements related to international data transfers or breaches of the processing principles, such as the conditions for consent. Other violations can be fined up to 2% of annual worldwide turnover.

Role of data processors
Data processors will now have direct obligations to implement technical and organisational measures to ensure data protection; this could include appointing a Data Protection Officer where needed.

One stop shop
This legislation will apply in all EU member states without the need to implement national legislation. Having a single set of rules will benefit businesses, as they will not need to comply with multiple authorities, streamlining the process and saving an estimated €2.3 billion a year.

Removal of notification requirement
Some data controllers will be glad to hear that the requirement to notify or seek approval from a Data Protection Authority is being removed in many circumstances. This decision was made to save funds and time. Instead of notification, the new legislation requires data controllers to put in place appropriate practices for large-scale processing and for the use of new technology.

Right to be forgotten
This is one of the most useful changes for the average person managing their data protection risks. A person will be able to require their data to be deleted when there is no legitimate reason for an organisation to retain it. Once this is requested, the organisation must also take appropriate steps to inform any third party that might hold links to or copies of the data and request that they delete it.

SpinOffice CRM and the GDPR

We offer a Data Processing Agreement

When using SpinOffice CRM, our organization (Mulberry Garden B.V.) is the 'processor' of your data. Under the upcoming GDPR legislation, you are required to conclude a 'data processing agreement' with all of your processors. The data processing agreement is an agreement between the controller (you as the customer) and the processor (we), which specifies how the processor must handle the personal data.

GDPR Compliance Checklist

Use the checklist from IT Governance; it highlights the essential steps you need to take to prepare for the GDPR and demonstrate compliance.

For more general information about the GDPR, visit the EU GDPR Portal (www.eugdpr.org).

The responsibility for having a processing agreement lies with the controller, but we as a processor have already drawn up an agreement for you. If you wish to receive this agreement, please contact us. After we have received the signed agreement, we sign it as well and send it back to you in digital form.

Two-step verification on login

In view of the GDPR we have upgraded our security with the introduction of two-factor authentication for SpinOffice CRM. This feature enables secure access to your account and helps ensure the safety of the data and resources that reside in your SpinOffice account.

When you log in to an average social networking site or app, you typically enter your username or email address and a password to access your account. This may be the only step the website or app takes to verify your identity and grant access to your account. This is known as one-factor authentication. When you add another factor to this password-only authentication system, it is known as two-factor authentication (2FA). In such a setup, you are required to provide an additional piece of information to verify your identity.

2FA ensures that even if one of the factors has been compromised or leaked, the other factor keeps hackers and criminals from breaking into your account, thereby minimizing the risk of data theft.
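To make the "second factor" concrete, here is an added example (not SpinOffice code; the page does not say which second factor SpinOffice uses) of a login check that requires both a password and a time-based one-time code (TOTP, RFC 6238), the kind generated by an authenticator app. The user record, salt and password are constructed for the demonstration; the TOTP key is the RFC 6238 reference test key, so the codes can be checked against the published test vectors. The example shows why a leaked password alone is not enough: `login` only succeeds when both factors verify.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a short decimal code."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the Unix epoch."""
    return hotp(key, at_time // step, digits)


def verify_totp(key: bytes, code: str, at_time: int, window: int = 1) -> bool:
    """Accept the code for the current step and `window` neighbouring steps,
    which tolerates small clock drift between server and phone.
    compare_digest avoids leaking how many digits matched through timing."""
    counter = at_time // 30
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(key, c), code):
            return True
    return False


# Constructed demo user record (not real data). The password is stored only as a
# salted PBKDF2 hash; the TOTP secret is what the authenticator app was enrolled with.
_DEMO_SALT = b"constructed-demo-salt"
_PBKDF2_ROUNDS = 200_000
DEMO_USER = {
    "password_hash": hashlib.pbkdf2_hmac(
        "sha256", b"correct horse battery staple", _DEMO_SALT, _PBKDF2_ROUNDS),
    "totp_secret": b"12345678901234567890",  # RFC 6238 reference test key, constructed demo only
}


def check_password(user: dict, password: str) -> bool:
    """First factor: re-derive the hash from the supplied password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _DEMO_SALT, _PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, user["password_hash"])


def login(user: dict, password: str, code: str, at_time: int) -> bool:
    """Both factors must pass. Both are evaluated regardless of the first result,
    so an attacker cannot tell from response time which factor failed."""
    first_ok = check_password(user, password)
    second_ok = verify_totp(user["totp_secret"], code, at_time)
    return first_ok and second_ok


if __name__ == "__main__":
    t = 59  # Unix time from the RFC 6238 test vectors; app would show 287082 here
    print("code now:", totp(DEMO_USER["totp_secret"], t))
    print("password + code:", login(DEMO_USER, "correct horse battery staple", "287082", t))
    print("leaked password, no valid code:", login(DEMO_USER, "correct horse battery staple", "000000", t))
```

The drift window is the one setting worth thinking about: each extra step accepted widens the set of valid codes, so keep it to one step either side and rate-limit failed attempts, since a 6-digit code is only guessable if the server lets an attacker try thousands of them.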

Frequently asked questions from our customers regarding the GDPR and SpinOffice CRM

How is the security of the CRM system guaranteed?

We take adequate organizational and technological measures to ensure the security and confidentiality of your personal information.

We use Amazon Web Services (AWS) to host the application servers needed to run SpinOffice CRM. All client databases, email messages and files are securely stored and managed on AWS. The data centers we use are located within the EU, and our network is a private network to which nobody else has access. Our virtual private network spans two AWS data centers within one availability zone, which allows us to host our servers in two separate data centers. In case of a problem in one data center, the other one picks up the load and users can continue to work.

Our databases are encrypted with a company key, and every file stored in SpinOffice is stored encrypted.

What about the backups?

Without you having to do anything, we automatically make an external backup of your database on a daily schedule. This backup contains all messages, files and contacts in your database. With a cloud backup your data is safely stored off-site, which eliminates hazards such as fire and theft to which local backups are exposed.

In addition to the daily backup of your database, versions of files are stored continuously. SpinOffice keeps snapshots of all changes made to files in your SpinOffice database within the past 5 days. After that, we move your document to a backup server for the next 100 days.

For how long are deleted items from the database stored in a backup?

When a user has deleted data from the database, we keep the data in the background for 30 days. This period is used to restore incorrectly deleted files at the customer's request. After 30 days, all deleted data is automatically and permanently deleted.

Email messages that are deleted remain in the deleted folder for 90 days, after which they are permanently deleted from our server.

How will data leaks be reported?

As stated in the Data Processing Agreement between the controller (you as the customer) and the processor (we), the processor shall notify the controller of a data breach without unreasonable delay, and no later than 24 hours after discovery, by email to the controller's contact person.

SpinOffice is committed to cooperating with the controller to meet all legal requirements relating to reporting to the Dutch Data Protection Authority. SpinOffice shall keep the controller informed of the progress of the internal investigation and of developments regarding the data breach, and of any security measures implemented in response.

Which settings does SpinOffice CRM have so that the organization can comply with the GDPR Act?

See the points above, under "SpinOffice CRM and the GDPR", preceding these frequently asked questions.

We will continue to inform you about steps that need to be taken to better comply with this new legislation. Compliance with the GDPR is not only a matter of having data processing agreements; it also requires attention to the internal processes within your own organization.

For more details on how we guarantee the security of information and privacy, please refer to the applicable SpinOffice terms and conditions. And, of course, you may always contact us for a personal explanation.