GDPR
Effective May 25, 2018 The General Data Protection Regulation (GDPR) will be applied in Europe. OOTI is fully committed to being compliant prior to the date GDPR goes into effect. We promise to safeguard your data. This new regulation creates consistent data protection rules across Europe. It applies to companies that are based in the EU and global companies that process personal data about individuals in the EU.
While many of the principles build on current EU data protection rules, the GDPR has a wider scope, more prescriptive standards and substantial fines. For example, it requires a higher standard of consent for using some types of data, and broadens individuals' rights with respect to accessing and porting their data. It also establishes significant enforcement powers, allowing a company's supervisory authority to seek fines of up to 4% of global annual revenue for certain violations.
OUR GDPR COMPLIANCE PRACTICES ARE SUPPORTED BY 3 PRINCIPLES:
Value: Deliver business value by optimizing service efficiency with secure and scalable systems for collecting, storing and processing data.
Collaboration: Increase customer and partner awareness on regulation requirements, ensuring consistent application of data protection measures.
Continuity: Drive business performance through continuous improvement, best practices and innovation.
SOME ASPECTS OF THE GDPR PROGRAM AT OOTI:
Transparency
Our Privacy Policy will remain the single consolidated place that maps out the ways in which we process people's personal data, but we'll also provide education through consent experiences for new and existing users, and in-product notifications.
Control
We'll continue to provide people with control over how their data is used. We'll also provide refreshers for people as they use OOTI through our email newsletter communication.
Accountability
At OOTI, there exists an established Privacy Policy created with support from our leadership. Our leaders commit to support and provide guidelines for data protection compliance through a framework of standard policies and procedures. OOTI defines metrics for monitoring and governing health of the Privacy Notice which is independently run under the direct control of the Data Protection Officer (DPO).
KEY LEGAL BASES
Under GDPR, there are a number of grounds to legitimise the processing of personal data. Below, we've outlined the most relevant legal bases under the GDPR.
Basis Requirements and product implications:
Contractual necessity
- Data processed must be necessary for the Service and defined in the contract with the individual .
Consent
- Requires a freely given, specific, informed and unambiguous consent by clear affirmative action
- People have a right to withdraw consent, which must be brought to their attention
- Must be from a person over the age of consent specified in that Member State, otherwise given by or authorised by a parent/guardian
- Explicit consent is required for some processing (e.g., special categories of personal data)
Legitimate interests
- A business or third party must have legitimate interests which are not overridden by individuals' rights or interests.
- Data processing must be paused if an objection is raised by an individual
OOTI AS DATA CONTROLLER VS DATA PROCESSOR
Data controller
You are the data controller when you decide the "purposes" and "means" of any processing of personal data.
Similar to what's already in place for data protection law today, data controllers will have to adopt compliance measures to cover how data is collected, what it is being used for, how long it is being retained for and ensure that people have a right to access the data held about them.
Data processor
You are the data processor when you process personal data on behalf of a data controller. Certain obligations now apply directly to data processors, and controllers must bind them to certain contractual commitments to ensure that data is processed safely and legally.
While OOTI operates the majority of its services as a data controller, there are some instances in which we operate as a data processor when working with businesses and other third parties. When OOTI is processing data as a data processor acting on your behalf, your business needs to have your own legal basis to process and share the data with us. Examples include:
- Stripe (credit card payment processing)
- Site Usage analytics (google analytics and clicky)
Meeting compliance requires investments in time, effort, cost and expertise. The solution lies in being part of cloud or SaaS ecosystem, that is already operating on a secure model for data management. This provides a safe environment to manage and process your data, and also accommodate efforts required to keep pace with changing policies.
DATA HOUSING
Your data is housed with Amazon Web Services (AWS) on their servers in Europe.
These data centers are equipped with inverters and generators, video surveillance systems and motion detection. Their access is strictly controlled and limited to authorized persons with RFID badges.
In addition, OOTI hosts your data in your country of practice when it is technically possible and when you are interested in RGPD standards. So, if you exercise:
OOTI's physical infrastructure is hosted and managed in Amazon's secure data centers and uses AWS (Amazon Web Service) technology on servers in Europe. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon's data center operations have been accredited under:
ISO 27001
SOC 1 et SOC 2 / SSAE 16 / ISAE 3402 (anciennement SAS 70 Type II)
PCI niveau 1
FISMA Modéré
Sarbanes-Oxley (SOX)
For more information : https://aws.amazon.com/security
PCI
We use the Stripe compliant payment processor for encryption and processing of credit card payments. OOTI's infrastructure provider is PCI Level 1 compliant.
For more information : https://stripe.com/docs/security/stripe
Data security
Redundancy. Your data is replicated to other geographically remote data centers. In case of failure of one of them, access to your data automatically switches to another server and allows you to always have access to your data.
Backups. Your data is backed up once a day. These backups are kept for 3 months in case of need of data restoration.
Encryption. Data passing between your terminal and our servers is encrypted using certificates:
Let's Encrypt Authority X3 avec une clé 2048-bit RSA.
May 15, 2018, 8 a.m.