How we work with and comply with GDPR

PUL (the Personal Data Act) has existed for a long time. What is new is GDPR. The requirements and rules are being tightened, and more companies are covered by the new requirements. It is no longer only those who handle personal data who are covered.

Notyfile handles personal data for and on behalf of its customers. This means that Notyfile processes the data and the customers act as data collectors. The customer therefore controls the data and is responsible for, e.g., how long the data is stored, how it is processed in one of its operations and, in some cases, obtaining consent.

We have internally reviewed which employees will have access to different types of information. This was already regulated through confidentiality agreements and, in some cases, now also through restructuring.

How do we ensure that we and our customers comply with the new requirements?

We have adapted the system to the requirements GDPR places on us as a storage party. We have implemented technical and organizational adaptations for deletion of data, modification of data and cases where something should be disclosed.
We were working on this long before GDPR became relevant, and most of it was already in place. We have now updated and secured the management of passwords, encryption, internal access, backup, etc. We have been working on this all along but have now also adapted it for GDPR.

How we built and are building the portal

GDPR states that a company may not distribute personal data to unauthorized persons, store it longer than necessary, or share personal data if it is not relevant or the company does not have permission.
Notyfile has documentation on how all data is stored, where it is stored and for how long.

We encourage our users to review what information they save and whether it is relevant. You have the right, as a user, to store personal data for at least 1 year and possibly longer in the case of, for example, warranty matters or situations that require a longer relationship with the customer.

This can be a sales process where a commitment period expires and you have the opportunity to contact the customer again after a while to continue the business relationship. You as a user also have the right to decide who in your organization has the right to change/read different things.

Moving data and being deleted

As an individual, you now have the right to be removed from the company's register, to a certain extent. The individual who has access to Notyfile's portal also has the right to delete data whenever they wish. An end customer or third-party person also has the option to be removed from our database at any time.
We have customized the application so that when a user wants to delete data, it is first deleted from the portal and, after 1 month, completely removed from the database. If a user/individual wants to be completely deleted from the database immediately, this is possible.
We have placed the entire database in one and the same place, which makes deletions and changes quick to perform. The documentation also becomes clear, and this means that we meet the requirements for GDPR.

Third parties and transfer of data

Even before GDPR became known, we worked hard on data security and data management. We have a clear structure for how this is handled and clear documentation.
All data is stored on Google Cloud Platform (GCP), which in turn complies with the requirements in Europe.

Notyfile uses and transmits information received from Google APIs to other apps and follows Google API Services User Policy, including the limited use requirements.

If you want to read more about how our third-party systems work with GDPR, you can read here:

GCP (Google) https://privacy.google.com/businesses/compliance/#?modal_active=none
Scrive https://scrive.com/terms

User Tracking

We use Leadoo's user tracking to follow how our users move on our web pages and combine this data with user information, such as that collected via chat interactions. Leadoo uses etag tracking, which is technically different from cookie tracking but is covered by the same legislation. Read Leadoo Marketing Technologies Ltd's privacy policy (https://leadoo.com/privacy-policy/) for more information about what information is saved and what your rights are. Leadoo acts as Processor and we ourselves as Controller in GDPR terms. You can stop tracking by clearing your browser's cache. For more information on Leadoo's GDPR policy, check out https://leadoo.com/privacy-policy-processor