General Data Protection Regulation

The GDPR and computer applications

Our software is designed to allow compliance with the obligations laid down in the GDPR and facilitate the security and protection of personal data. However, no software is sufficient, in itself, to comply with the GDPR as a whole. Compliance is an obligation of data controllers and processors, which must apply appropriate technical and organisational measures to guarantee and be able to show that the processing is in line with the Regulation. The choice of software used is a necessary measure, but not in itself sufficient.

 

Milenium Cross Media (general name covering all Protecmedia’s applications) complies with the following rights contained in the GDPR:

 

 

Right of access and portability. The data subject can contact our clients directly and request his or her data in a standard format. Our tools have the necessary mechanisms to carry out this exportation.

 

Right of rectification. The tool makes it possible to modify the data subject’s rights, where so requested.

 

Right to object. When the intention is to use the stored data as the subject matter of marketing campaigns or actions, we have mechanisms that allow the data subject’s consent or opposition to receiving communications (of whatever type) to be registered.

 

Right of restriction on processing. The “inactive” status of a natural person’s data limits the actions that can be carried out with that person in our applications, thereby complying with this right. The inactive status is reversible; it can be changed to active by a system administrator.

 

Right of erasure. The identifiable personal data of natural persons may be anonymised when their processing is no longer necessary and the legal periods for their storage have expired. This allows the right of erasure to be complied with while keeping the aggregate unidentifiable data.

 

With respect to the computer applications that manage data, among the main changes introduced by the GDPR are the fundamental concepts of Privacy by Design and Privacy by Default.

 

 

Privacy by Design and by Default

 

Privacy by Design

This concept means that data protection is borne in mind when defining the technical and functional specifications of a software tool or a computer system. The goal is simple: to use applications that allow companies to comply with the GDPR in a simple manner and reduce human error. Measures such as data encryption or the generation and storage of logs come within this definition.

 

Privacy by Default

This concept involves configuring the software tools or the computer systems in such a way that, by default, they offer the maximum privacy guarantees available. Amongst other measures, this means limiting the fields of predefined forms, reducing the storage periods to those that are strictly necessary or restricting access to data to those who genuinely require it.

 

Implementation in Milenium Cross Media

 

Protecmedia develops and markets software solutions that allow the collection and management of personal data and is committed to respecting this fundamental right from the outset through the very design of our software. Our clients’ system administrators have mechanisms to carry out the necessary configurations, in order to comply with the obligations arising under the GDPR.

Some of the specific measures that we make available to our clients to comply with these principles, depending on the application in question, are:

 

  • All the applications make it possible to configure secure connections, based on the security policies defined by the data controllers.
  • Access to the applications or the databases of Protecmedia’s products is protected with a username and password.
  • The access passwords are encrypted in the database.
  • Access to the specific functionalities of each application is limited by the access levels and permissions granted to each user, both individually and as part of profiles and user groups. No user has, by default, any permission or access at the time of being created. The definition of these profiles and groups, as well as the assignment of access levels and permissions, is ultimately the data controller’s decision.
  • Access to the operations history is reserved to users with the corresponding privilege, granted by the data controller.
  • To maximise the inviolability of the data in the event of unauthorised access, some data (register of users, payment cards, bank accounts, …) are stored in encrypted form and blocked out in the interface for unauthorised users.
  • Minimisation of data: the personal data stored in our systems are the only ones necessary for the development of the contractual relation between the data subject and our clients.
  • Depending on the application, the storage period for personal data coincides with the time during which the user’s account remains active. When the account is eliminated following an express request by the user, the personal data are blocked for a year in an offline repository (they cannot be accessed except following an express request by our client). In addition, this repository is encrypted.
  • Storage periods and the right of erasure: the applications currently contain mechanisms that make it possible to establish a flow through which the data subject’s inactive data are not accessible, via interface, to users who do not have the adequate access level.
  • Individual or mass anonymisation of the data of natural persons whose processing is no longer necessary.
  • Transparency: in those applications where it is necessary, the client file has a field to indicate that the client has been informed of the privacy policy in force, and the system records the date and time of the notification.

Ⓒ 2018 | All rights reserved
