General Data Protection Regulation (GDPR)
The GDPR is an EU regulation that is in force from May 2018.
The GDPR applies to Upvise as an organisation located outside of the EU which offers goods or services to EU data subjects and holds the personal data of data subjects residing in the European Union.
Upvise collects and stores the following personal data from its users: name, email, and optionally company name and country, for the sole purpose of hosting user application data in separate differentiated accounts in its cloud servers.
Upvise does not carry out any processing on the personal data that requires regular and systematic monitoring of its users.
Upvise is compliant with the GDPR. The following sections provide details on how Upvise addresses the GDPR requirements.
Right of access
Upvise will provide its users, upon request, a copy of their actual personal data stored in its servers, free of charge, in an electronic format.
Upvise users can also obtain written confirmation as to whether or not personal data concerning them is being processed, where and for what purpose.
Right to erasure
Upvise users have the right to request erasure of personal data related to them. Upvise will, upon request, erase a user's personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
Right to data portability
Users can export all the data uploaded into their Upvise account in a 'commonly used and machine readable format' and can then transmit that data to another organization.
Data protection by design and by default
Data protection is designed into the development of business processes for Upvise products and services. Upvise uses pseudonymisation to transform personal data in such a way that the resulting data cannot be attributed to a specific data subject without the use of additional information.
User account information (email and password) is encrypted to render the original data unintelligible; the process cannot be reversed without access to the correct decryption key, which is kept separately from the pseudonymised data.
In the event of a data breach, Upvise is under a legal obligation to notify the Supervisory Authority without undue delay. The reporting of a data breach is not subject to any de minimis standard, and a breach will be reported to the Supervisory Authority within 72 hours of Upvise becoming aware of it. Individuals will be notified if adverse impact is determined.
Data Protection Officer (DPO)
Upvise is not an organization that engages in large-scale systematic monitoring of data subjects, or large-scale processing of sensitive personal data. As such, Upvise is not required to appoint a DPO.
Effective date: 22/01/2018
More information on the GDPR: https://www.eugdpr.org/