General Data Protection Regulation

Frequently asked questions

What does “data processing” mean?

Data processing means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means (collection, organisation, consultation, use, storage, alteration, destruction…). Merely storing data in a computer is considered to be processing.

Who must comply with this legislation?

All companies that process personal data and which are either established in the European Union or whose services are aimed at EU citizens. The legislation divides them into two categories, depending on the role that they carry out:

  1. Data controllers, when they decide which data will be processed, for which purposes and by which means.
  2. Data processors, when they simply process data on behalf of a third party (the controller), for example to provide it with a service.

Are Protecmedia’s applications and solutions sufficient to comply with GDPR’s obligations?

Our software is designed to allow compliance with the obligations laid down in the GDPR and to facilitate the security and protection of personal data. Nevertheless, no software is sufficient, on its own, to comply with the GDPR as a whole. Compliance is an obligation of data controllers and processors, who must apply the appropriate technical and organisational measures to guarantee, and be able to show, that the processing is in line with the Regulation. The choice of software is a necessary measure, but not in itself a sufficient one.

Does Protecmedia have GDPR certification?

Although the GDPR foresees the establishment of certification mechanisms, together with data protection seals and marks, these are not mandatory and currently there is no official scheme approved to certify compliance with the Regulation.

In Spain, the only certification system related to the GDPR is the one set up by the AEPD (Spanish Data Protection Agency) and ENAC (National Certification Agency) to certify that DPOs (data protection officers) meet the professional qualifications and the knowledge required to hold this position.

What is a “data protection officer”?

Whether due to their size or the risks arising from the data processing that they carry out, certain companies must have a professional who advises them about compliance with the GDPR, ensures that the legislation is being respected and acts as a link to the Spanish Data Protection Agency. This professional is called a “data protection officer” or “DPO” and, given the complexity of the Regulation, he or she must have specialist knowledge of law and privacy.

At Protecmedia we have the support of an external company that advises us and supervises the implementation of the appropriate measures to improve compliance with the GDPR, but we are not obliged to appoint a DPO.

What are “data protection impact assessments” (DPIAs)?

These are detailed studies that companies must carry out when they process data in a way that involves a high risk to the rights and freedoms of data subjects, in order to mitigate those risks and verify the viability of the intended processing.

After carrying out an analysis of the risks in relation to our products and our clients, we have concluded that we do not require DPIAs, since all the data processing that we undertake is medium-low risk. That said, some of our clients may have to carry out a DPIA; if so, Protecmedia will offer them its full cooperation.

What are the PCI DSS rules?

The PCI DSS (Payment Card Industry Data Security Standard) rules were established by the major payment card brands (credit and debit) to guarantee the security of cardholder data processed through these payment methods, something which is also essential in order to meet the security measures required by the GDPR.

What implications do the PCI DSS rules have for Protecmedia products?

These rules affect only the Protecmedia software that handles payment cards, namely Ad-on-Line, Shipo and ITER Web CMS.

Our products comply with these rules in the following manner:

  • They never store the CVC/CVV security codes of the payment cards in our systems.
  • By default, card numbers and expiry dates are always masked in the user interface. Only somebody with the appropriate privileges and access level can view this information.
  • In the database, the card number and expiry date are stored encrypted (AES-256 algorithm).

In particular, in ITER Web CMS, even when its features are used to initiate and complete a transaction with a bank payment card, no data about the card used is ever stored.
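The three controls listed above (no CVC/CVV at rest, card number and expiry masked by default and shown in full only to a privileged role, card data encrypted in the database with AES-256) can be demonstrated in a few dozen lines. The following Go program is an added example written for this page, not Protecmedia's code nor a description of how Ad-on-Line, Shipo or ITER Web CMS are implemented: the `CardInput`, `StoredCard` and `Vault` types, the `card-record-v1` associated-data label, the in-memory key and the sample card number are all constructed assumptions. It uses AES-256 in GCM mode, so the at-rest record is also integrity-protected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

// CardInput is the shape a payment form submits (constructed type, not Protecmedia's
// model). The CVV exists only in-flight and is deliberately never copied into StoredCard.
type CardInput struct {
	PAN    string // primary account number, digits with optional spaces
	Expiry string // MM/YY
	CVV    string // security code: never persisted
}

// StoredCard is the at-rest record: no CVV field exists, and the PAN and expiry
// survive only as AES-256-GCM ciphertext. Last4 is kept for the masked display.
type StoredCard struct {
	Last4      string
	Ciphertext []byte // nonce || GCM(PAN "|" expiry) || tag
}

// Vault wraps the AES-256 key (a real deployment would fetch it from a KMS/HSM).
type Vault struct{ aead cipher.AEAD }

// assocData binds each ciphertext to this record type so it cannot be swapped into another field.
var assocData = []byte("card-record-v1")

// NewVault builds an AES-256-GCM vault from a 32-byte key; shorter keys are refused.
func NewVault(key []byte) (*Vault, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// Store validates the PAN, encrypts PAN and expiry under a fresh random nonce
// and returns the record to persist. in.CVV is intentionally never read here.
func (v *Vault) Store(in CardInput) (StoredCard, error) {
	pan := strings.ReplaceAll(in.PAN, " ", "")
	if len(pan) < 13 || len(pan) > 19 || strings.Trim(pan, "0123456789") != "" {
		return StoredCard{}, errors.New("invalid PAN")
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredCard{}, err
	}
	ct := v.aead.Seal(nonce, nonce, []byte(pan+"|"+in.Expiry), assocData)
	return StoredCard{Last4: pan[len(pan)-4:], Ciphertext: ct}, nil
}

// Mask is the default UI rendering: only the last four digits are visible.
func Mask(last4 string) string { return "**** **** **** " + last4 }

// Reveal returns the masked form unless the caller holds the reveal privilege;
// only then is the record decrypted. The GCM tag check also catches tampering.
func (v *Vault) Reveal(rec StoredCard, canViewFullPAN bool) (pan, expiry string, err error) {
	if !canViewFullPAN {
		return Mask(rec.Last4), "**/**", nil
	}
	ns := v.aead.NonceSize()
	if len(rec.Ciphertext) < ns {
		return "", "", errors.New("ciphertext too short")
	}
	pt, err := v.aead.Open(nil, rec.Ciphertext[:ns], rec.Ciphertext[ns:], assocData)
	if err != nil {
		return "", "", err
	}
	parts := strings.SplitN(string(pt), "|", 2)
	if len(parts) != 2 {
		return "", "", errors.New("malformed record")
	}
	return parts[0], parts[1], nil
}

func main() {
	key := make([]byte, 32) // all-zero demo key, constructed for this example only
	v, _ := NewVault(key)
	rec, _ := v.Store(CardInput{PAN: "4111 1111 1111 1111", Expiry: "12/29", CVV: "123"})
	pan, exp, _ := v.Reveal(rec, false)
	fmt.Println("default view:   ", pan, exp)
	pan, exp, _ = v.Reveal(rec, true)
	fmt.Println("privileged view:", pan, exp)
}
```

The privilege decision is made by the caller's role, so the same stored record renders as a masked string for an ordinary operator and decrypts only for the privileged path; because the CVV never enters `StoredCard`, there is no code path that could write it to the database even by mistake.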

What responsibility does Protecmedia have to its clients?

As technology providers, we work to ensure that our software allows our clients to comply with their data protection obligations and, as the legislation requires, we do so right from the outset, at the design stage.

That said, our clients, as the data controllers, are free to configure our software as they wish, in line with their personal data processing policies.

As service providers (in certain cases), Protecmedia may act as the data processor, always on behalf of our clients, who remain the data controllers.

It should be noted that data controllers may only engage data processors who can show that they comply with the GDPR, since otherwise the controllers themselves could be fined. It is therefore important that Protecmedia complies with the Regulation.

As data processors, our main obligation is to follow the instructions laid down by our clients for the processing of their data. Moreover, the GDPR imposes other obligations on us, in terms of confidentiality, information security, sub-contracting, etc.

Ⓒ 2018 | All rights reserved
