General Data Protection Regulation (GDPR) in Astrow
GDPR message in Astrow Web
The General Data Protection Regulation is effective from May 25, 2018. The European Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
Definitions
Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In the context of the GDPR and the Cloud Services (Astrow Cloud & other cloud services), the Customer carries the responsibilities associated with the Controller, as defined by the GDPR Regulation.
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. In the context of a) GDPR and the Cloud Services, both Parties carry the responsibilities associated with the Processor as defined by the GDPR Regulation, and b) GDPR and distribution of the Products, the Customer also carries the responsibilities associated with the Processor as defined by the GDPR Regulation.
General
The Data Protection Agency requests of each Processor a detailed register that holds an extensive description of all processing activities. With regard to the Astrow platform, Amano has created this register based on template documents that are made available by the Data Protection Agency.
As a Processor, Amano and its distributors enable the Controller to act in accordance with the protection of natural persons with regard to the processing of personal data and on the free movement of such data. In order to do so, Amano interprets and summarizes the GDPR Regulation as follows:
It’s a natural person’s right:
1. to get easy access to his/her personal data
2. to get personal data in user friendly format
3. to rectify/delete his/her personal data and to be forgotten
4. to get informed on the stored data and procedures involved with storing, rectifying, requesting, deleting this data
5. to get notified if his/her personal data has been hacked.
For each of these individual rights, Amano provides documentation on the proper procedures in order to enable end-users to comply with the GDPR. Further developments of procedures and tools must serve the sole purpose of increasing the comfort and ease of applying the above-mentioned 5 rights.
Astrow is implementing a set of functions to enable customers to easily comply with GDPR:
1. Employee curriculum: Easy access to personal data
Within Astrow, the employee can request all of his/her stored personal data from the HR of the system. Astrow already provides a report that includes all the information in an easily readable document. This report will be available directly from the Employees list.
Employees can gain access to their curriculum through the ESS module. All personal information is made available to the employee in a user-friendly, clear and understandable way. The Employees list will be available only in the web interface. From this interface, the employee can immediately get a report in HTML format. From the *.html a *.pdf document can be generated from any browser.
All report requests will be logged in a separate GDPR-log inside Astrow.
2. Information formats: Get personal data in user friendly format
At this moment the Astrow Cloud application allows for obtaining reports in HTML format. From the *.html a *.pdf document can be generated from any browser. These need to be generated by an HR user or manager.
With the Employees curriculum, the required data will be made available in all standard web browsers. From the employee curriculum, the data subject will gain the possibility of obtaining a report on his/her personal information in one of the above-mentioned formats.
3. Employee curriculum requests: Rectify/delete personal data and be forgotten
All personal data inside Astrow Cloud can be changed by the HR of the system, without causing any technical problems. The badge number of an employee is not seen as personal information, and changing this parameter will cause issues in the system.
Within the Employees curriculum, employees will have the opportunity of creating “data change requests” concerning the personal data that is processed. Changing the current data will automatically result in a change request, which is sent to the HR. The HR can approve the request, which will a. automatically update the personal data and b. trigger an email back to the employee, informing him/her that the changes are processed.
All data change requests will be logged in a separate GDPR-log inside Astrow.
4. Notification for informing employees: Get informed
Whenever the personal data is stored or changed by the HR, the employee should be informed of this storage or change. Amano will therefore push notifications to the HR, to inform him/her that the required informative documents should be handed over to the employee. This notification will be twofold:
1. A popup message will be generated each time the HR saves new/changed data in the Astrow Cloud solution. This popup message can be confirmed immediately.
2. A notification, including creation date, will be generated and made available in the dashboard of the HR. This notification will remain active until the HR confirms, including the date, that the employee has received the required informative documents.
If any of the following conditions arises: I. Using biometric readers; II. Storing information on a person below the age of 16 years; III. Storing religious or philosophical beliefs; IV. Storing data concerning health; the message will inform the HR that he/she should also get consent from the employee to process this kind of data. The process of twofold notification remains the same.
These actions and dates are logged in a separate GDPR-log inside Astrow.
Amano points out that it is the responsibility of the Controller (Customer) to inform the employees about the information that is processed!
5. Hack notification: Get notified if personal data has been hacked
For Astrow Cloud, based on the input Amano receives from the Amano hosting partner, Amano will inform the HR of each affected customer about any hacking that took place successfully. As far as possible, Amano will also inform the HR which data was hacked.
These notifications will be sent from the central Astrow Cloud Management platform, and all concerned Astrow Cloud Customers will receive this information. The notification is sent without undue delay.
For local installations of Astrow, it is the responsibility of the customer to notify users that their information was hacked.