Projectino s.r.o. takes personal data protection seriously. European regulation known as general Data Protection Regulation (GDPR) brings a number of challenges to all organizations and became one of the most resonated business topics.
Our mission is to provide RedmineX clients and basically all Project community with a reliable software which allows fulfilling all duties of Data Processors efficiently.
This document shall provide answers to:
- I am Data Processor, how can I get GDPR compliant with RedmineX
- I am using RedmineX cloud, is this service compliant with GDPR?
- I need to know if Projectino s.r.o. has all security process in place.
Projectino s.r.o. is a manufacturer of RedmineX.
Data Controller – the entity that determines the purposes, conditions, and means of the processing of personal data. For the purpose of this document, it is your organization.
Data Processor - the entity that processes data on behalf of the Data Controller; in this document:
- Cloud clients of RedmineX: Projectino s.r.o. is the Data Processor and data are processed in our cloud services based on rules setup by you, Data Processor, in your RedmineX cloud application.
- Own server users of RedmineX: Projectino s.r.o. is not a Data Processor. But RedmineX will help you to organize your data properly.
RedmineX is an application which may or may not be used to process data by Data Controller.
Projectino s.r.o. as a manufacturer of RedmineX introduces updates of RedmineX in order to help Data Controllers to fulfill their duties coming out of the GDPR regulation.
At the same time, for our cloud clients, this document brings information about Projectino s.r.o. as Data Processor.
Also, Projectino s.r.o. declares, that by the effective date of GDPR all processes, contracts, suppliers, data access and others will be fully compliant with GDPR requirements
3. RedmineX For All Data Controllers
Following description and features will be deployed/updated until the end of April 2018.
RedmineX brings following features to increase data security and specific demand of GDPR to Data Controllers.
- Extended Password policy enforcement
- Definition to use minimum length, usage of big letters, numbers and special characters in the password
- Time limit for password validity and password repetition control
- Auto sign-off user after a period of time
- Recently added a feature to re-enter your password once manipulating with user roles and privileges
- GDPR specific features:
- Right to be Forgotten: Deleting the Contact is a traditional feature but it may disturb data consistency, reports etc. as there is a possibility to have Contact linked to projects, Tasks, CRM and other entities. Also, it would corrupt data about your customer profiling. Contact Anonymization would allow deleting data from contact which would allow identifying the person, but anonymous data about client’s services, task and other will stay.
- Right to Access: A specific button which would export Contact details in automated readable format (XML) would fulfill your obligation to provide personal information what data you collect.
- Limited data visibility – it is a critical requirement of GDPR asking Data Controllers to limit access to personal data only to those people they need to have access. RedmineX brings couple approaches to this problem:
- A limitation to access contacts in general.
- A limitation to access Contacts only for specific Contact type. Typically, everyone can access Contacts with type Company (companies are not subject to GDPR) and limit access to Contacts with type Personal only to selected users. So the user without the permission may see that there is a contact linked (see the name alone) but cannot see any other data which may allow the personal identification.
- Custom filed visibility – certain data can be restricted to be seen only by
- a) User / list of users
- b) User group / list of user groups
- c) User type / list of user types
- User action audits
- RedmineX provides complete logs about user actions including View action.
- Now RedmineX brings a feature to manage the logs in order to fulfill your internal process.
- Limited data visibility – it is a critical requirement of GDPR asking Data Controllers to limit access to personal data only to those.
How to become GDPR compliant step by step
- Identify what Personal Data you collect in RedmineX.
- Make internal regulation that all personal data needs to be filled in Custom fields, not native fields of RedmineX. But recommended approach is to make a decision that all personal data has to be stored on Contacts only.
- If you like to use Anonymization, Right to Forget you shall have a regulation that all personal data has to be on Contacts.
- Identify what data are subject to erasure for Anonymization – you can do it in Contact’s custom filed settings.
- Decide what users of RedmineX need access to Contacts and limit access by Contact type.
- If you need all users to access all contact, but some shall see limited data set, just set the custom field visibility.
- Identify what custom fields outside Contacts needs to be protected and set data visibility accordingly.
- Increase password policy enforcement of RedmineX.
- Right to forgot:
- We recommend defining a Project Template which would formalize all steps to delete personal data from all systems in great details. Once a request comes you can simply document that all steps were done according to your internal process.
- Create regulation for how long you need to keep user action audit data (logs) and configure accordingly in RedmineX.
4. RedmineX In Cloud
Projectino s.r.o. provides RedmineX as a service in the cloud. For cloud clients, Projectino s.r.o. acts as Data Processor. As a Data Processor we fulfill GDPR requirements thanks to following:
- Projectino s.r.o. implemented technical and process measures to limit potential access to data only to an exception and requested occasions.
- If you are an EU organization, it is guaranteed that your RedmineX instance (and so data and their backups at disaster recovery sites) are stored within the EU.
- Projectino s.r.o. uses only verified Data Centers with high-end security and all relevant ISO certifications. Details can be provided upon request.
- Regular backups, https for browsers, SSH-2 encryption is used for the backup transfer. Firewall limited to HTTPS and other regular settings are meeting GDPR requirements.
- Security can be further increased with Private Cloud service where individual security can be extended by an individual configuration of the dedicated server (HW).
- Projectino s.r.o. Is a UK company but the GDPR regulation was implemented in all aspects of an organization and for all products and services.
5. Projectino And Your Personal Data
Projectino s.r.o. is a manufacturer of Project Management platform. Projectino s.r.o. is business to business commercial organization. It means that all data collected serves to support Projectino s.r.o.’s business and services for organizations.
As per GDPR regulation, there are data of individuals collected as well and those are considered as data under the protection of GDPR.
5.1. Personal Data Collected
- Name and surname
- Position at the company
- Achieved trainings and certifications gained for products of Projectino s.r.o.
- History related to visiting of Projectino s.r.o. product pages.
- IP Address
5.2. Purpose Of Data Collection, Processing, And Profiling
Projectino s.r.o. collects data for following purposes:
- Setup a commercial co-operation with organizations. And for that purpose, Projectino s.r.o. may collect data about contact persons in such organizations.
- Provide service for existing customers (organization and for that purpose Projectino s.r.o. may collect data about contact persons in such organizations.
- Inform customers and potential customers about new features functions, releases and other messages of both informational and marketing character.
- All information collected about individuals are gathered through contact forms.
- Projectino s.r.o. does not possess or use data about individuals from external sources.
Data combination and profiling:
- Projectino s.r.o. does not profile any individuals, all data collected serves only as a contact information within an organization.
- Projectino s.r.o. profiles organizations for marketing and business purposes. Not subject to these analyses.
- Projectino s.r.o. combines all data in the own information system (RedmineX) on Entity Contact or Entity CRM. Any other system uses only data fragments and hence are not considered as data under GDPR.