All companies are currently documenting every system that handles or contains personal data as part of complying with the GDPR. To help our customers through this process, we have collected the questions we are frequently asked. Feel free to copy our answers and use them in the documentation of your ePaper. This article will be updated frequently.
Do you send a Data Processing Agreement to your customers?
The GDPR emphasizes the importance of signing a “Data Processing Agreement” (DPA). A DPA is legally required for our customers to provide Visiolink with personal data from the built-in trackers and log-in data, and is legally required for Visiolink to process this data. Our customers will serve as “Data Controllers” for both the log-in data and the tracking data, and Visiolink will be the “Data Processor”. During March 2018, all our customers will receive a DPA from Visiolink that must be signed by both parties.
How is deletion of personal data implemented?
When a user opens a newspaper or magazine in a Visiolink solution, the user is validated through a secure server connection and user credentials are anonymized. The anonymized user credentials are stored in a server log for a maximum of 30 days. Server logs are deleted and cannot be recovered.
How is tracking performed by Google Analytics handled?
By default, all Visiolink solutions are tracked in Google Analytics. Google thereby acts as a sub-controller, which is covered in the Data Processing Agreement. Furthermore, you must sign a separate agreement with Google, which is accessed through your Google Analytics account. Read more in this blog post, which also covers User Tracking: https://blog.visiolink.com/gdpr-and-google-analytics-how-you-can-continues-with-user-tracking
Where is data stored and who can access it?
Server logs are stored in Denmark and can only be accessed by Visiolink employees who have been granted the access required to fulfill their designated role. Server logs can also be accessed by the sub-controller DLX (covered by the Data Processing Agreement).
How is personal data of one individual deleted upon request?
Any user has the right to be forgotten. Upon request from the customer (the data controller), Visiolink will erase any data that can identify a single user.