How will GDPR affect your Visiolink solutions

2017-10-26 10:46:45 UTC

The “General Data Protection Regulation” (GDPR) is a new regulation that was adopted by the European Union after almost four years of negotiation, and it will come into force as of May 25th, 2018.

With it come major changes to ensure a higher level of data protection for residents in the EU. GDPR will affect all EU countries as well as establishments based outside of the EU if they process or collect personal data of EU residents.

These changes are going to affect all our ePaper platforms, and we are hard at work to ensure full compliance for your Visiolink solutions.

 

Why is this important?

If an organisation fails to live up to the regulations, it risks being fined up to €20.000.000 or 4% of annual worldwide turnover (whichever is greater). Besides fines, a supervisory authority can decide to make an organisation cease all collecting and processing of data if regulations are not upheld.

At this moment, none of the live apps are compliant with the upcoming regulation. Visiolink has prepared the two actions that need to be taken in order to ensure that your solution is GDPR-compliant: a “Data Processing Agreement” (DPA) and an update with the features necessary to make your apps compliant when GDPR comes into force.

 

What is a “Data Processing Agreement”?

GDPR emphasizes the importance of signing a “Data Processing Agreement” (DPA). A DPA is legally required for our customers to provide Visiolink with personal data from the built-in trackers and log-in data, and is legally required for Visiolink to process this data. Our customers will serve as “Data Controllers” for both the log-in-data and tracking-data, and Visiolink will be “Data Processors”. The DPA has specific contractual requirements.

As “Data Processors”, Visiolink will, among other things, be required to notify our customers – “Data Controllers” – of any data breach on our side which may compromise personal data of users. Expanding on this, there are a lot of security measures, e.g. for where personal data is stored, which the “Controller” as well as the “Processor” have to follow. All customers will be contacted concerning the DPA.

 

What needs to be updated in your apps?

Information about Log-in-data

GDPR tightens the rules about the processing of the data that we store from the users. For Visiolink customers, storing log-in data will not require a more explicit type of consent, since the processing of this information is necessary in order to give the user access to the content in the apps:

Article 6 – Lawfulness of processing

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

…(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.   

How this will be implemented in your app:

We’ll provide information about the processing of users’ log-in-data in the Privacy Policy/Info. Since log-in-data is necessary to fulfil a contract the user has agreed upon - Article 6.1(b) - it will be sufficient to disclose the collecting and processing of log-in-data in the Privacy Policy/Info setting.

 

Information about Tracking-data

GDPR brings new regulations for how explicit you must be about the data you are tracking on your users. The regulation distinguishes between general tracking and tracking that ‘profiles’ the user.

The tracking in your apps is considered ‘profiling’ as the tracking and analysing of usage patterns are used for profiling the user.

Putting the information in the Privacy Policy settings isn’t sufficient as this kind of tracking will require a more explicit disclosure.

Article 21 – Right to object

1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

How this will be implemented in your app:

We’re going to implement a Pop-up Screen that appears the very first time the user opens the app after installation. This will provide the user with information about what type of tracking the app uses, and where the tracking can be disabled (the ‘Opt-out Function’).

 

Implementation of Opt-out Function

GDPR imposes a right of the user to withdraw his or her consent at any time, which is equivalent to disabling tracking.

Article 7 – Conditions for consent

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

 

How this will be implemented in your app:

The pop-up screen discloses exactly where in the app tracking can be disabled, as well as informing the user of the tracking.

The ‘Opt-out Function’ is going to be a check box that by default is checked (meaning tracking is enabled), and can be found under the ‘Settings’ menu on Android and iOS, and in the ‘Help’ menu on Desktop.

When a user deactivates tracking, no user data or anonymous data will be collected from that user on the particular device on which the deactivation was made. If the user uses multiple devices, he or she will have to disable tracking on each of the devices, just as they will be shown the pop-up screen on each device when they install the app and open it for the first time.

Deactivation won’t affect data generated by the user prior to the action.

Should the user decide to enable the tracking again, data will start being generated the same way it was before. For the period in which tracking was switched off, it will look as if the user hasn’t used the app.

What will happen next?

1. Customers need to book an update of their Visiolink solution whether it’s iOS, Android, Desktop or any combination of the three. The update will implement a Pop-up Screen, an Opt-out Function and general changes to the Privacy Policy. All apps upgraded after December 4th 2017 will contain the new functionality. Book your upgrades now to ensure GDPR compliance before May 2018.

2. It is crucial that our customers sign a “Data Processing Agreement” (DPA) with Visiolink. We will contact each customer with further information.

Disclaimer

This article provides general information on how GDPR is going to affect our customers and should not be taken as legal advice. All our customers are responsible for ensuring their own compliance with GDPR as well as other relevant regulations. Customers who have different interpretations of any regulations, or any additions or questions, should contact Visiolink Customer Care as soon as possible on support@visiolink.com.

If you want to book an update, you should also do it through our Customer Care team. They will be happy to assist you.
