Data protection and privacy
In May 2018 the GDPR became applicable, requiring all companies in the EU to focus on safe and responsible handling of personal data. We at HTML24 see this as a great change towards transparency and more control for individuals over their personal data.
The General Data Protection Regulation (GDPR) is the EU's initiative to protect its citizens' personal data. It has applied since 25 May 2018. At first glance, the GDPR might seem to generate an excessive amount of extra work for companies in order to comply with all the new rules, but its purpose is to ensure that an organisation has a clear overview of the personal data it processes, as well as the purposes and legal basis for that processing.
That being said, the GDPR is nothing less than a jungle of rules. It’s complex, huge and a hassle. Many companies have a hard time grasping the scope of the new GDPR. This inspired us to create a simple overview of how we comply with the applicable data protection regulation, specifically after the introduction of GDPR and the new Danish Data Protection Act. This should make it easier for you, as a customer of HTML24, to understand and be comfortable with our approach.
Below, you’ll find a walkthrough of the important areas of how we handle data processing at HTML24.
When entering into an agreement with HTML24, which entails processing of personal data, you must accept the terms of our Data Processing Agreement, which may be found here [LINK].
The document containing the entire GDPR in full length can be found here: https://gdpr-info.eu/ and the guidelines from the Danish Data Protection Agency (Datatilsynet) can be found here https://www.datatilsynet.dk/generelt-om-databeskyttelse/vejledninger-og-skabeloner/.
As an HTML24 customer
HTML24 will always aim to develop in accordance with the GDPR (i.e. to comply with the "privacy by design" requirement) and best practices for our customers, and to do our best to inform and help all customers make the right decisions for their projects.
Our way of working with data can be divided into three areas:
- Personal data handled on behalf of customers (e.g. when we host a website, run an integration or similar)
- Personal data about potential and existing customers, handled by us.
- Situations where customers ask us for advice on how they may consider data, security, GDPR and similar topics when buying a project or service from HTML24.
In the paragraphs below, you can read more about how we deal with #1 and #2 from the above list.
When it comes to #3 (projects where we are hired as a contractor) and we are asked to give advice on security, regulation, GDPR or similar, you can expect us to always do our utmost to fulfil the task. We are, however, not able to provide legal counsel, nor are we liable for any damages or repercussions that might follow from a project we build for a customer in accordance with the customer's specifications and instructions. We always recommend seeking legal counsel if a customer has questions relating to implementation of the GDPR, but we will of course contribute technical input.
The responsibility for complying with relevant legislation is always the customer's.
Data storage, services and products
HTML24 uses a Danish hosting company, Curanet A/S, as a subcontractor for most hosting services. Curanet's servers are located in Denmark, meaning that HTML24's customer data is stored and processed within the EU. HTML24 has entered into a data processing agreement (DPA) with Curanet to ensure that Curanet complies with the GDPR whenever it processes personal data on our behalf.
Exchange of data services
HTML24 uses various systems integrations to exchange data on behalf of our customers and also to support internal business processes. HTML24 keeps an overview of the systems involved in these integrations and ensures that the data flow between them is handled via a secure connection. For online systems HTML24, as a minimum, ensures that the integrated systems communicate via HTTPS, i.e. HTTP carried over TLS (Transport Layer Security, the successor to the now-deprecated SSL protocol that is still colloquially named on "SSL certificates"), so that the data is encrypted in transit and the receiving system's identity is verified by its certificate.
HTML24 uses KOEBT, an integration platform used to exchange data between different systems, to handle most integrations. KOEBT is software that we have designed with privacy in mind and we strive to ensure that the data processed by the platform is secure.
Overview of HTML24’s products and services
Below is an overview of the most common products and services offered by HTML24.
- Hosting: HTML24 offers hosting of its customers' websites. HTML24's servers are managed by a subcontractor, Curanet.
- KOEBT integration platform: HTML24 offers an integration platform called "KOEBT", which handles the exchange of data between various systems.
- Maintenance agreement: HTML24 offers fixed maintenance agreements in order to keep the customer's website up to date and secure by minimising potential security vulnerabilities.
- Critical support agreement: HTML24 offers critical support agreements to customers with business-critical solutions that require quick reaction times. Through such agreements, HTML24 provides security and ensures business continuity for its customers.
- Administration of third-party software and services: HTML24 offers administration of third-party software and services related to the customer's websites. This includes plugins, systems such as UniLogin, backup services and others.
- Security optimisation package: HTML24 offers security optimisation packages aimed at protecting the customer's solutions and any data associated with them. This is a recurring service where HTML24 regularly checks the state of security of the customer's solutions.
HTML24 uses a number of systems to support internal business processes and value creation for our customers. Some of the systems are acquired from third-party providers. The systems that HTML24 uses to store data include, but are not limited to:
- E-mail service and document cloud storage
- Customer relationship management
- Communication and project management
- Secure password storage
- Project management and invoicing
Our data processing agreement can be found here. Below, we have made a brief summary of how we handle data processing.
The data processing agreement is a part of our Terms and conditions, which can be found here.
Processing of personal data
When you start a project with HTML24, you agree to us processing your and your customers' personal data where necessary. HTML24 will only process the personal data you are responsible for in accordance with your instructions.
At HTML24, tasks involving personal data are delegated to named employees, who are responsible for that personal data while working on the project.
The required level of security is specified in the Data Processing Agreement.
Storage and deletion of personal data
At HTML24, we ensure that personal data processed on behalf of the customer is stored in a physically and digitally secure environment.
We ensure that any medium on which personal data is kept is encrypted and password protected, and protected from physical harm and theft by storing such media (e.g. servers) securely in locked rooms.
At HTML24, we further ensure that personal data is stored only for as long as it is relevant and necessary, in accordance with the Data Processing Agreement, to perform the actions requested by our customer.
Further, all personal data processed by HTML24 is covered by our backup solution.
Access to personal data
Only employees whose tasks include processing of personal data have access to personal data.
We ensure that personal data is not disclosed or transferred to any third parties outside HTML24 other than sub-processors (such as Curanet) bound by a data processing agreement. The employees at HTML24 are obliged to comply with rules on non-disclosure in relation to third parties as well as other HTML24 employees who have no work-related reason to know of the personal data.
All customers have the right to have all their data transferred in a machine-readable format (e.g. CSV, Excel or plain text) to another system if they so wish. Upon request, we will transfer all relevant data (that is not owned by HTML24) from our platforms to the customer.
Right to be forgotten
At HTML24 it is always possible to use your right to be forgotten. Simply contact us on email@example.com if you are interested in having all data deleted.
Deletion of personal data at HTML24 is carried out with tools that ensure the deleted data is sufficiently overwritten.
Privacy by design
The systems used at HTML24 handle personal data securely. This means that all exchange of data is encrypted in transit.
For instance, HTML24 often develops data integration solutions through KOEBT (our integration platform), and to ensure security for our customers, data routed between systems via KOEBT is encrypted.
HTML24 will help you as much as possible in ensuring that data is handled correctly and securely in all systems, but the customer is ultimately responsible for the design of and access to the system, as HTML24 builds to the customer's specifications.
In the majority of cases, HTML24 acts merely as data processor for our customers in accordance with the Data Processing Agreement. It is therefore the responsibility of HTML24's customers, as data controllers, to carry out a risk assessment when the data processing is likely to result in a high risk to the rights and freedoms of natural persons. In some instances, a customer may be obliged to perform a data protection impact assessment (DPIA) under Article 35 of the GDPR, for example if the customer processes special categories of personal data (sensitive personal data) on a large scale.
If a customer is uncertain whether an impact assessment is necessary, we strongly advise that a legal expert is consulted.
In situations, where HTML24 is the data controller, HTML24 carries out a risk assessment in order to identify possible risks and establish necessary precautions aimed at personal data protection.
In case of a data breach, it is mandatory to notify the national data protection authority (Datatilsynet in Denmark) within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the data subjects (e.g. your customers, employees, others) affected by it. Further, if the breach is likely to result in a high risk to the data subjects, they must also be informed directly without undue delay.
If HTML24 discovers a data breach, HTML24 will notify the relevant customers as fast as possible with as much relevant information as possible in order for you to assess the impact of the data breach for the data subjects.
TLS (SSL) security and encryption
All systems used by HTML24 run TLS (still commonly referred to as SSL) to ensure secure, encrypted communication.
Secure communication from a web browser to a system is something you need to be aware of in your role as data controller. Browsers show a padlock in the address bar when a site is served over HTTPS with a valid certificate; a site served over plain HTTP is marked "Not secure", and a site whose certificate is invalid, expired or issued for a different hostname triggers a full-page warning before the user can continue. HTML24 will, if a certificate has been bought, set up HTTPS for your site, but you should ensure that all your other systems also use HTTPS, since the weakest link in the chain decides the level of security of your whole setup: a single integration that still talks plain HTTP exposes the same personal data that the website itself protects.
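The "weakest link" point above is easy to check mechanically. The script below is an added example, not HTML24 or KOEBT code: given a list of integration endpoint URLs it flags anything that is not HTTPS, anything whose certificate does not verify against the system CA store, anything negotiating a deprecated protocol version, and certificates that have expired or expire soon. The hostnames (crm.example, erp.example and so on), the 14-day renewal threshold and the handshake results returned by fake_handshake() are all constructed so that the demo runs offline; tls_handshake() performs the real check when you point assess() at your own endpoints.

```python
"""Check integration endpoints for HTTPS, certificate validity and TLS version.

Added example, not HTML24 code. All hostnames below are placeholders and
fake_handshake() returns constructed results so the demo runs offline.
"""
import socket
import ssl
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WARN_DAYS = 14  # assumed renewal threshold; align with your certificate renewal process


def tls_handshake(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Real handshake against host:port using the system CA store.

    create_default_context() verifies the chain and the hostname, so a
    self-signed, expired or mismatched certificate surfaces as verified=False.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                not_after = datetime.fromtimestamp(
                    ssl.cert_time_to_seconds(tls.getpeercert()["notAfter"]),
                    tz=timezone.utc,
                )
                return {"protocol": tls.version(), "not_after": not_after,
                        "verified": True, "error": None}
    except (ssl.SSLError, OSError) as exc:  # SSLCertVerificationError is an SSLError
        return {"protocol": None, "not_after": None, "verified": False, "error": str(exc)}


def assess(url: str, now: datetime, handshake=tls_handshake) -> list[str]:
    """Return a list of findings for one endpoint; an empty list means it passed."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return [f"{url}: not HTTPS (scheme '{parts.scheme or 'none'}'), data would travel in clear text"]
    result = handshake(parts.hostname, parts.port or 443)
    if not result["verified"]:
        return [f"{url}: TLS handshake or certificate verification failed: {result['error']}"]
    findings = []
    if result["protocol"] in DEPRECATED:
        findings.append(f"{url}: deprecated protocol {result['protocol']}, require TLS 1.2 or newer")
    days_left = (result["not_after"] - now).days
    if days_left < 0:
        findings.append(f"{url}: certificate expired {-days_left} days ago")
    elif days_left < WARN_DAYS:
        findings.append(f"{url}: certificate expires in {days_left} days")
    return findings


# --- offline demo with constructed data -------------------------------------
DEMO_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
DEMO_SERVERS = {  # constructed handshake results, one per placeholder host
    "crm.example": {"protocol": "TLSv1.3", "not_after": DEMO_NOW + timedelta(days=60), "verified": True, "error": None},
    "legacy.example": {"protocol": "TLSv1", "not_after": DEMO_NOW + timedelta(days=5), "verified": True, "error": None},
    "expired.example": {"protocol": "TLSv1.2", "not_after": DEMO_NOW - timedelta(days=3), "verified": True, "error": None},
    "selfsigned.example": {"protocol": None, "not_after": None, "verified": False, "error": "self-signed certificate"},
}
DEMO_URLS = [
    "https://crm.example/api/contacts",
    "http://erp.example/export",
    "https://legacy.example/",
    "https://expired.example/",
    "https://selfsigned.example/",
]


def fake_handshake(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Stands in for tls_handshake() so the demo needs no network."""
    return DEMO_SERVERS[host]


def run_demo() -> dict[str, list[str]]:
    """Assess every demo URL and return the findings per URL."""
    return {url: assess(url, DEMO_NOW, handshake=fake_handshake) for url in DEMO_URLS}


if __name__ == "__main__":
    for url, findings in run_demo().items():
        print(url, "-> OK" if not findings else "-> " + "; ".join(findings))
```

In the demo only crm.example passes; the plain-HTTP ERP export is the kind of weakest link the text warns about, and legacy.example shows two findings at once (an obsolete protocol and a certificate about to expire). Run assess() with the default handshake against your real endpoints from a scheduled job, and treat any non-empty result as an incident to fix rather than a warning to read.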
You are always welcome to contact us if you have any questions, concerns or thoughts in regards to data protection, regulation, GDPR or similar topics. We are here to help.
Feel free to contact us on firstname.lastname@example.org.