Getting ready for GDPR

Any business area which involves personal data will be impacted by the General Data Protection Regulation (GDPR). That is why it is important for organizations to understand the impact of GDPR on their business and their duties.

Introduction

What is GDPR

GDPR (General Data Protection Regulation) is an EU regulation that aims to extend the rights of individuals to better control and protect the use of their personal data. GDPR was adopted in 2016 and will be enforced from May 25th, 2018. GDPR is applicable to all businesses and organizations and poses a new opportunity to improve consumer trust through risk-based personal data management. The regulation applies to organizations that process personal data within the territory of the EU, and also to organizations outside the EU that process the personal data of EU citizens.

Protect personal data

In the fast-changing digital age, personal data such as a name and surname, an email address, an Internet Protocol (IP) address, a cookie ID or any information that relates to an individual must be protected. Under GDPR, citizens have a number of rights that give them more control over their personal data. In order to fulfill these rights, it is necessary to provide users with clear and understandable information about data processing: what data are processed and why.

GDPR vs explicit consent to the processing of personal data

GDPR emphasizes explicit consent of the data subject to the processing of personal data. However, there are some exceptions to this rule. According to GDPR, consent is not required if the processing is necessary for the purposes of the “legitimate interests” of the controller or for the “performance of a contract”. This might also include processing data to ensure security in a building. Please note that we recommend that our Clients seek counsel from a legal expert before relying on the notion of legitimate interests.

Publishing your terms & conditions

In order to comply with GDPR, our Clients, acting as data controllers, need to inform users about their rights. Our software allows Clients to edit and publish their privacy policy and terms & conditions documents. You can keep a separate version of the document for each language enabled in the application. The Client may receive an example of the terms & conditions along with suggestions from a Velis sales representative. If you decide to publish the document, all users will be asked to accept its content upon their next login.

Editing the content of consent to the processing of personal data

Singu Guestbook software also enables you to edit the exact content of the consent to the processing of personal data (in each available language). Upon their next login, users will either have to give their consent or stop using the application. According to GDPR, consent has to meet certain conditions to be valid. Our software includes example consent texts that you can then further modify to match your needs and policies.

Technical and organizational data security

Since our software is a cloud-based solution, Velis is the processor of all personal data stored in it. As a data controller, you should perform a risk analysis and decide whether the processor meets the required conditions. By choosing Velis Real Estate Tech, you can be assured that the appropriate technical and organizational measures are enforced.

In 2014 Velis implemented the ISO 27001:2013 standard, an internationally recognized standard for information security management systems. Annual audits show the company's compliance with 114 security controls in 14 areas, including: physical security, access control for systems and applications, cryptography, backups, software supervision, vulnerability management, systems development and maintenance, security in software development and support processes, management of information security incidents, and compliance with legal and contractual requirements. The implemented security covers various areas of the company's operations, including software production and service, web hosting services, network construction and maintenance, hardware supplies, and other IT services.

The technical measures required by GDPR are guaranteed by appropriate software development processes, internal security audits and training, as well as audits performed by external companies specializing in IT security and conducting penetration tests.

Data processing contract

According to GDPR, processing of personal data should be governed by a contract that is binding on the processor and sets out such elements as the type of personal data, the purpose of the processing, and the rights of the data controller. Velis terms and regulations already include such provisions to ensure GDPR compliance. For existing customers with whom we were working before GDPR was introduced, an addendum to the original contract should be signed.

Data minimization

GDPR requires that personal data be limited to what is necessary in relation to the purpose for which they are processed (data minimization). Each data controller must consider which data from the user are necessary in order to achieve a specific goal. It is important to keep in mind that it is the data controller who has to prove that this requirement is met.

Singu Guestbook allows you to personalize what data should be collected about the guests entering the premises. You can edit the set of collected information for each tenant / type of guest separately to enable more advanced flows and a higher level of compliance.

Editing content of consent in the self-service station

Singu Guestbook allows you to edit the content of the consent to the processing of personal data shown in the self-service station during the registration process. Consequently, the guest who enters the building is informed of his or her rights as well as of who the administrator of their data is. Thanks to that, the guest is also aware of the purpose of processing the data. It is possible to customize this authorization to the Client’s needs. Under GDPR, the administrator of personal data must collect, process and use only the data necessary to achieve the specific goal.

Editing content of consent during pre-booking

Singu Guestbook ensures that during the pre-booking process the host inviting guests also gives consent to the processing of their data.

Pseudonymization and the right to be forgotten

To strengthen the rights of people whose data are processed, GDPR asks organizations to implement pseudonymization techniques and ensure the right to data erasure. Singu Guestbook allows you to implement the necessary retention policies by defining the number of days after which the personal data of the guests is deleted. You can set a separate policy for each building and even for each tenant in the building. This way, in conformance with GDPR, “the data can no longer be attributed to a specific data subject without the use of additional information.”

The system will continue to record statistics on the number of registered guest entrances and exits for a given tenant. Personal data, on the other hand, such as name, surname and e-mail address, will be completely deleted.
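As an added illustration (not Singu Guestbook's own code), the retention mechanism described above in Python: a building-wide policy with a per-tenant override, erasing guest identity fields once a visit is older than the configured number of days while the entrance counts used for statistics survive. Building names, tenant names, policy values and visit records are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Added example, not product code: erase guest PII after N days while
# the entrance counters used for per-tenant statistics stay intact.

@dataclass
class Visit:
    building: str
    tenant: str
    visited_on: date
    name: Optional[str]
    email: Optional[str]
    entrances: int = 1

# Retention in days. A (building, tenant) entry overrides the
# (building, None) building-wide default. Values are constructed.
RETENTION_DAYS: Dict[Tuple[str, Optional[str]], int] = {
    ("Tower-A", None): 90,
    ("Tower-A", "Acme"): 30,
}

def retention_for(building: str, tenant: str) -> Optional[int]:
    """Tenant-specific policy wins; otherwise fall back to the building policy."""
    days = RETENTION_DAYS.get((building, tenant))
    return days if days is not None else RETENTION_DAYS.get((building, None))

def apply_retention(visits: List[Visit], today: date) -> Dict[Tuple[str, str], int]:
    """Erase identity fields of visits older than their policy allows.
    Returns per-tenant entrance totals, which erasure does not affect."""
    totals: Dict[Tuple[str, str], int] = {}
    for v in visits:
        key = (v.building, v.tenant)
        totals[key] = totals.get(key, 0) + v.entrances
        days = retention_for(v.building, v.tenant)
        if days is not None and (today - v.visited_on).days > days:
            v.name = None    # personal data removed ...
            v.email = None   # ... but the counter above is kept
    return totals

def sample_visits() -> List[Visit]:
    # Constructed sample records for the demonstration.
    return [
        Visit("Tower-A", "Acme", date(2018, 3, 1), "Jane Doe", "jane@example.com"),
        Visit("Tower-A", "Acme", date(2018, 5, 20), "John Roe", "john@example.com"),
        Visit("Tower-A", "Globex", date(2018, 3, 1), "Ann Poe", "ann@example.com", 2),
    ]
```

Running `apply_retention(sample_visits(), date(2018, 5, 25))` erases the 85-day-old Acme visit (30-day tenant policy), keeps the 5-day-old one, and keeps the Globex visit because the building default is 90 days.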

Parking management system recommendations

Velis Real Estate Tech suggests installing a sign at the entrance to the parking lot informing who the administrator of personal data is and where to seek additional information. Moreover, in order to meet the requirements of GDPR, it is worthwhile to have parking regulations. Such a document should clearly state the goal of data processing, for how long the data will be processed and what the rights of each individual are. At the Client’s request, Velis Real Estate Tech can provide an example of such a document showing what should be included.
Please remember that you as the Client act as the data controller, whereas Velis Real Estate Tech is the processor of the data. Consequently, it is the Client’s responsibility to implement a personal data protection policy in accordance with GDPR requirements. That is the reason why we suggest having your measures and settings audited by a reputable legal counsellor for compliance with GDPR requirements.