Opentracker is a GDPR-compliant company

GDPR Compliance

Committing To Compliance

Starting from 25 May 2018, the GDPR (General Data Protection Regulation) takes effect—and any organization not in compliance with the new regulation could face fines. But it’s not as scary as it sounds. At Opentracker, we dedicated ourselves to complying fully with the GDPR before its enforcement date, and we’ve modified our product based on the principles of Privacy by Design.

We adhere to the 173 recitals stated here and have implemented the 99 articles found here.

You’ll find the overview below, and you can request a (free, signed) Data Processing Agreement here

By default, Opentracker does not record any personally identifiable information that could be used to target individuals, and is GDPR compliant; keeping it that way is our continued effort.

If you have implemented custom features, or are unsure whether you have added features that are not GDPR compliant, please request our GDPR-compliance quick-scan analysis (one-time fee of € 395).

What is GDPR (and why should I care)?

The General Data Protection Regulation (GDPR) was passed by the EU Parliament in April 2016. Replacing the Data Protection Directive from the 1990s, it’s the biggest legislative change in data Privacy regulation to take place in the last 20 years.

In short, the GDPR was created to standardize data Privacy laws throughout Europe—and to put greater protection on the data Privacy of EU citizens. The big changes are:

  • A change in legislative scope: Now, all controllers and processors in the EU are subject to the GDPR—even if the data they’re accessing is processed outside of the EU. The reverse is also true. If you’re a company processing the data of EU citizens (either to offer goods and services, or to monitor behavior taking place in the EU)—it doesn’t matter where you’re based, or where you’re processing the data. You still have to comply with the GDPR.
  • Greater penalties for noncompliance: The maximum fine for noncompliance with the GDPR is up to 4% of annual global turnover, or 20 million euros—whichever is greater.
  • Strengthened conditions for consent: No more legalese. Consent has to be given in an easy, accessible way before processing a person’s data. You also have to disclose the purpose of that data processing, and make it as easy to withdraw consent as to give it.

A full list of the key GDPR changes can be found on the EU GDPR website here.

We also have an example page that explains how to implement a GDPR-compliant opt-out form.

Who does GDPR affect?

Just about anyone dealing with data. If your business is based in the EU, or you ever process the data of EU citizens—you’ll want to make sure you’re doing everything you can to comply with the GDPR.

What is Opentracker doing to ensure GDPR compliance?

We’re glad you asked! The table below breaks down the new GDPR Privacy standards per article, and how we’ve worked to respond to them. We’ll update this table as more knowledge pertaining to GDPR compliance arises.

Art. in GDPR | Summary | Actions to be taken – Progress

Articles 1-4

General Provisions, Scope and Definitions

Opentracker has read the general provisions and definitions as well as the scope of this new legislation. COMPLETED

Article 5

New Data Protection Principles have been introduced:

  1. Lawfulness, fairness and transparency
  2. Purpose limitations
  3. Data minimisation
  4. Accuracy
  5. Storage limitations
  6. Integrity and confidentiality

Opentracker has raised awareness and made sure that key decision makers are aware that the law is changing and identified areas that could cause compliance problems under the GDPR. COMPLETED

Opentracker employees who handle personal data of other employees or customers have received training in order to ensure that they handle changes in accordance with GDPR. Opentracker keeps a record of training and provides update and refresher training on an annual basis. COMPLETED

Through this, Opentracker defined new Policies and Procedures, the main ones being:

  1. Generic Policy Framework
  2. Data Management Policy
  3. General Data Protection Policy
  4. Data Classification Procedure
  5. Staff Data Protection Training Policy
  6. Data Access Request Procedure
  7. Personal Data Breach Escalation Policy
  8. Emergency Management Plan

COMPLETED

Article 6

Lawfulness of processing: conditions that must be satisfied for the processing of personal data to be lawful.

  1. Consent from individual
  2. Contract with individual
  3. Compliance with a legal obligation
  4. Vital interests
  5. Public task
  6. Legitimate interest

Opentracker has:

  1. Audited the use of personal data to assess what lawful processing ground(s) it currently relies on and whether they remain valid under the GDPR.
  2. Trained staff so that they are aware of the legal processing grounds.

COMPLETED

Article 7

New legislation around the consent of the individual for the organization to hold his/her personal data. Several aspects need to be addressed; consent must be:

  1. Unbundled
  2. Active opt-in
  3. Granular
  4. Named
  5. Easy to withdraw
  6. Documented
  7. No imbalance in the relationship

Our main plan has been to review methods for seeking, obtaining and recording consent to ensure compliance.

Opentracker will implement explicit and affirmative consent through check boxes and clear Privacy policies. Opentracker works together with lawyers to craft policies and terms based on your needs and data processing.

In addition, Opentracker will track all the actions that users take, from the signup to account deletion, and ensure that each step complies with new laws of consent.

Finally, Opentracker has these questions to answer whenever the new consent is applied:

  1. Was the consent freely given?
  2. Is the consent presented in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language?
  3. Can Opentracker demonstrate that the data subject gave their consent?
  4. Does the data subject have the ability to withdraw their consent?

COMPLETED

Article 8

Same as Article 7, but for children’s data consent in relation to information society services.

Create and implement new practices for (i) verifying the age of individuals and (ii) obtaining parental or guardian consent when processing the data of children. IN COMPLETED

Article 9

Sensitive Personal Data, which includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data, health-related information (physical or mental), and sexual orientation.

Opentracker does not keep such data. Data that people enter into the Opentracker app cannot later be used to discriminate against them due to their identity, expression or behavior, thereby restricting the enjoyment of their rights.

In the future, should it ever be needed, Opentracker will only keep special category data for as long as it needs it; once it is no longer needed, Opentracker will securely remove it from its systems in an auditable way. COMPLETED

Article 10

Sensitive Personal Data relating to criminal convictions and offenses or related security measures.

Opentracker does not keep such data. COMPLETED

Article 11

Processing which does not require identification: A controller that cannot identify the data subject is absolved from having to respond in detail to a data subject’s requests — except to tell the data subject (“if possible” to do so) that it cannot comply due to lack of identification.

Opentracker will examine every data subject’s request with respect. However, in cases where Opentracker can prove that the data subject cannot be identified, the data subject’s rights will be limited. COMPLETED

Articles 12-14

Privacy Notices must be given at the time that the data is obtained from the data subject, or, if the data was received from a third party, within a reasonable period after obtaining the data, but at the latest within one month.

During data collection, e.g. user registration, Privacy Notices must exist and be clear. COMPLETED

Articles 15-23

Expanded individuals’ rights:

  1. access their information;
  2. have inaccuracies corrected;
  3. have information erased;
  4. prevent direct marketing;
  5. prevent automated decision making and profiling;
  6. data portability.

Opentracker will enable employees and customers to request their personal data processed by Opentracker. COMPLETED

Trained personnel will respond to requests within the 1 month timeframe. COMPLETED

Article 24

Definition of a Controller

Opentracker acts as a controller and will comply with all corresponding regulations. COMPLETED

Article 25

Data Protection by design and by default

Several guidelines will be applied during the software development cycle:

  1. Training (developers will be trained on Privacy and Security aspects)
  2. Design (all data-oriented and process-oriented design requirements will be driven by the GDPR)
  3. Coding (developers will use approved tools and frameworks, disable unsafe functions and modules, and regularly carry out static code analysis and code review)
  4. Testing (tests of whether data protection and security requirements are implemented properly will be conducted)
  5. Release (before every release, an Incident Response Plan will be established and a full security review of the software will be carried out; the release will then be approved and all relevant data from the entire development process will be archived)
  6. Maintenance (Opentracker should be prepared to respond to incidents, personal data breaches, faults and attacks, and be capable of issuing updates, guidelines, and information to users and those affected by the software)

COMPLETED

Article 28

Definition of a Processor

Opentracker acts as a processor and will comply with all corresponding GDPR regulations. COMPLETED

Article 30

Record keeping: all personal data processing activities shall be recorded.

Article 30 states that these requirements do not apply to organizations of under 250 employees; in addition, Opentracker Experiences does not manage personal data. COMPLETED

Articles 33-34

Data breaches

Opentracker will ensure that there are procedures in place to detect, investigate and report personal data breaches within 72 hours of becoming aware of them. COMPLETED

Articles 35-36

Privacy Impact Assessment (PIA): If you are using “new technologies” which process personal data which is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall carry out an assessment of the protection of personal data.

Prior Consultation: Data controllers should consult the supervisory authority every time a PIA identifies an inherently high-risk processing activity.

Not strictly necessary, as the type of processing Opentracker does is unlikely to result in a high risk, but Opentracker will put a simple PIA in place anyway. COMPLETED

Articles 37-39

Appointment of DPOs: Public authorities and large businesses will be required to appoint a Data Protection Officer to oversee compliance.

Opentracker won’t need to appoint a DPO (since it is not a large company), but a trained team will be responsible for data protection matters as part of their role. COMPLETED

Articles 40-43

Codes of Conduct and Certifications: The GDPR endorses the use of approved codes of conduct and certification mechanisms to demonstrate that you comply.

Opentracker will find the appropriate Codes of Conduct and Certifications and comply with them. The most “popular” are:

  1. ISO 27001 (Information Security Management)
  2. ISO 27017 (Cloud Security)
  3. ISO 27018 (Cloud Privacy)
  4. SSAE16 / ISAE 3402 (SOC 2/3)
  5. PCI-DSS
  6. ISO 9001 (Quality Management)
  7. https://cispe.cloud/code-of-conduct/

COMPLETED

Articles 44-50

Cross-border data transfer: As a general rule, transfers of personal data to countries outside the EEA may take place if these countries are deemed to ensure an “adequate” level of data protection. A current list of “approved countries” is available here.

Opentracker Experiences does not perform any cross-border data transfer to or from outside the EEA within its infrastructure. COMPLETED

Articles 51-59

Independent Supervisory Authorities

Opentracker has read these articles. COMPLETED

Articles 60-76

Cooperation and Consistency

Opentracker has read these articles. COMPLETED

Articles 77-84

Remedies, Liability, and Sanctions

Opentracker has read these articles. COMPLETED

Articles 85-91

Provisions relating to specific data processing situations

Opentracker has read these articles. COMPLETED

Articles 92-93

Delegated Acts and Implementing Acts

Opentracker has read these articles. COMPLETED

Articles 94-99

Final Provisions

Opentracker has read these articles. COMPLETED

Let’s make it official

If you’re looking to document your GDPR compliance efforts, we can help. Opentracker’s DPA (Data Processing Agreement) outlines our obligations (as a data processor) and yours (as a controller) while using our tool. Get it signed for free here.

Have questions about how Opentracker’s actions, and the GDPR, will affect your business? Contact us at: support@opentracker.com