GDPR – Records Management Policy of Datadat GmbH for the ‘Lunda’ crowdfunding platform
1.1. This policy, together with the associated standards, applies to the management of all documents and records, in all technical or physical formats or media, created or received by the Datadat GmbH in the conduct of its business activities on the ‘Lunda’ crowdfunding platform. It applies to all staff, contractors, consultants and third parties who are given access to our documents and records and information processing facilities.
1.2. Datadat GmbH is committed to maintaining the confidentiality of its information and ensuring that all records within Datadat GmbH are only accessible by the appropriate individuals. In line with the requirements of the General Data Protection Regulation (GDPR), Datadat GmbH also has a responsibility to ensure that all records are only kept for as long as is necessary to fulfil the purpose(s) for which they were intended.
1.3. Datadat GmbH has created this policy to outline how records are stored, accessed, monitored, retained and disposed of, in order to meet its statutory requirements. This policy applies to all records created, received, maintained or processed by staff of Datadat GmbH in undertaking its functions on ‘Lunda’.
1.4. Records are defined as all documents which facilitate the business carried out by Datadat GmbH and are retained for a defined period of time in order to provide evidence of its transactions and activities. Documentation may be processed in electronic format; hard copies are only printed and held if this is required by law, by a Client of Datadat GmbH acting as data processor of the given data, or by the data subject.
1.5. This document complies with the requirements set out in the GDPR. The retention periods outlined in this policy are good practice guidelines, and the decision making process of Datadat GmbH should ensure that specific requirements for setting shorter retention periods are considered when implementing these timeframes by the controller of the given data.
2. Legal framework
2.1. This policy has due regard to legislation including, but not limited to, the following:
- General Data Protection Regulation (2016)
- Personal Data Protection Act of Austria (Datenschutzgesetz, 1999)
2.2. This policy will be implemented in accordance with the following policies and procedures:
- Security and Compliance Policy for the ‘Lunda’ crowdfunding platform
- terms and conditions of Datadat products
3.1. Datadat GmbH as a whole has a responsibility for maintaining its records and recordkeeping systems in line with statutory requirements.
3.2. The Managing Partner holds overall responsibility for this policy and for ensuring it is implemented correctly.
3.3. The Data Protection Officer (hereinafter: DPO) supports the management of records.
3.4. The Managing Partner is responsible for promoting compliance with this policy and reviewing the policy on an annual basis, in conjunction with the DPO.
3.5. The Managing Partner is responsible for ensuring that all records are stored securely, in accordance with the retention periods outlined in this policy, and are disposed of correctly.
3.6. All staff members are responsible for ensuring that any records for which they are responsible are accurate, maintained securely and disposed of correctly, in line with the provisions of this policy.
3.7. The Managing Partner is responsible for ensuring that any contracts held with third parties who process personal identifiable information (considered as data processors or subprocessors as outlined in the GDPR) are compliant with the GDPR.
4. Management of personal data as a data processor
4.1. Datadat GmbH operates the ‘Lunda’ crowdfunding platform to provide IT solutions for political fundraising campaigns as a data processor. ‘Lunda’ is an opt-in only tool facilitating the communication of the client organisations (political parties, politicians, NGOs, advocacy groups, hereinafter referred to as Clients) with private individuals who have freely given their consent for the use of the product. The rights and duties of the controller are exercised by the Clients without any limitations.
4.2. The following information is stored by Datadat GmbH as processor via ‘Lunda’:
- the messages sent and received by the data subject via ‘Lunda’,
- e-mail address,
- phone number,
- ZIP code,
- donation withdrawal information: contact details (such as name and email address) of the beneficiary, ZIP code, country, phone number (for purposes of multi-factor authentication and to send you important messages), further donation withdrawal related information if the relevant tax and donation regulations require its processing (tax identification number, registration number, address, etc.), and any information the beneficiary chooses to provide,
- donation information: contact details (such as name and email address) of the donor, ZIP code, country, phone number (for purposes of multi-factor authentication and to send you important messages), further donation related information if the relevant tax and donation regulations require its processing (tax identification number, address, etc.), and information the donor chooses to provide.
4.3 Datadat GmbH will comply with its Clients’ instructions unless EU or EU Member State law to which Datadat GmbH is subject requires other processing of Customer Personal Data, in which case Datadat GmbH will inform its Client (unless that law prohibits Datadat from doing so on important grounds of public interest). Client instructions are to be given in written form, normally by the electronic means used for the communication between the parties.
4.4. Datadat GmbH gives Clients direct access to individual records containing personal data, as well as the right to delete those records without any further action by Datadat GmbH. In this case, anonymized user related data might remain in the logs and backups for operational reasons for an additional maximum of 15 months before it is ultimately wiped.
5. Retention of personal data as a data processor
5.1. The retention periods for individual records processed by Datadat GmbH via products under point 4.1. and the action that will be taken after the retention period are based on a system of double opt-in. Names and messages sent and received by the data subject via the products are deleted automatically on the basis of the withdrawal of consent given for the use of the products by the data subject. E-mail addresses, phone numbers and ZIP codes are deleted automatically either by the withdrawal of consent given for the use of the products by the data subject or by the withdrawal of the separate consent given for the use of these contact data by the data subject. The data is nevertheless automatically deleted in a three-year period after the last interaction via the products by the data subject.
5.2. Electronic copies of any information and files will be destroyed in line with the retention periods above.
6. Storing and protecting personal data
6.1. The DPO will undertake a risk analysis to identify which records are vital to Datadat GmbH’s management and these records will be stored in the most secure manner.
6.2. Datadat GmbH assures the operation of an effective backup system to ensure that all data can still be accessed in the event of a security breach (e.g. a malware or ransomware attack) and to prevent any loss or theft of data, for the purpose of compliance with the principle of integrity and confidentiality under the GDPR and of business continuity. Backups of personal data must be made on a regular basis. Backed-up information will be stored off the premises, using a backup service which is operated by a provider who is compliant with the GDPR. Datadat GmbH has a system restore protocol in place.
6.3. Datadat GmbH provides 24/7 DevOps support for its Clients and constant monitoring of the proper functioning of its products and infrastructure. Datadat GmbH runs integrity and load tests of its systems to ensure safe functioning.
6.4. Datadat GmbH maintains secure user identification methods for its Clients.
6.5. Confidential paper records are kept in a locked filing cabinet, drawer or safe, with restricted access only to those personnel who require access to fulfil their delegated duties in accordance with their job role. Confidential paper records including records containing personal information are not left unattended or in clear view when held in a location with general access.
6.6. Digital data is coded, encrypted or password-protected, both on a local hard drive and on a network drive that is regularly backed-up off-site.
6.7. Data is not saved on removable storage.
6.8. Unencrypted memory sticks are not used to hold personal information.
6.9. All electronic devices (including portable devices) used by Datadat GmbH are password-protected to protect the information on the device in case of theft. Datadat GmbH staff members must enable electronic devices to allow the remote blocking or deletion of data in case of theft.
6.10. Datadat GmbH staff members do not use non-encrypted personal laptops, computers, phones or other electronic devices for business purposes which involve the downloading or storing of personal identifiable or confidential data.
6.11. All members of staff are provided with their own secure login and password, and every computer regularly prompts users to change their password.
6.12. Emails containing sensitive, personal or confidential information are encrypted or password-protected to ensure that only the recipient is able to access the information. The password will be shared with the recipient in a secure and appropriate format.
6.13. Data stored on encrypted hard drives or USBs must not be stored on or downloaded to personal devices.
6.14. All documents accessed by members of staff from outside the premises via a portable electronic device must be accessed using services designated by Datadat GmbH. Personal accounts must not be used to access Datadat GmbH data.
6.15. All staff members apply a ‘clear desk policy’ to avoid unauthorised access to physical records containing sensitive, confidential or personal information. All confidential information will be stored in a securely locked filing cabinet, drawer or safe with restricted access.
6.16. Personal data must not be stored on the hard drive of any device unless it is running appropriate encryption software.
6.17. Data must be subject to a robust password protection regime. Password sharing is not permitted.
6.18. Computers must be locked when not staffed to prevent unauthorised access.
6.19. Under no circumstances are visitors allowed access to confidential or personal information. Visitors accessing areas containing sensitive information are supervised at all times.
6.20. The physical security of Datadat GmbH’s offices and storage systems, and access to them, is reviewed termly (and documented) by the person with responsibility for sites in conjunction with the DPO. If an increased risk of vandalism, burglary or theft is identified, this will be reported to the Managing Partner and extra measures to secure data storage will be put in place. Data Protection Impact Assessments are undertaken where required.
6.21. Archive rooms should be lockable and secure, and be able to maintain restricted access.
6.22. All members of Datadat GmbH’s staff are obliged to sign a non-disclosure agreement before being given access to personal data. Datadat GmbH takes its duties under the GDPR seriously and any unauthorised disclosure may result in disciplinary and criminal action.
6.23. The DPO is responsible for supporting the continuity and recovery measures that are in place to ensure the security of protected data.
7. Subprocessing security
7.1. Before onboarding subprocessors, Datadat GmbH conducts an audit of the security and privacy practices of subprocessors to ensure subprocessors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. The subprocessor is required to enter into appropriate security, confidentiality and privacy contract terms to fulfill the obligations under GDPR.
7.2. Datadat GmbH uses the Google Cloud Platform service to store and access personal data provided by data processor/subprocessor Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). The Data Processing and Security Terms of the firms are available at: https://cloud.google.com/terms/data-processing-terms
7.3. Datadat GmbH also uses the Cloud Functions for Firebase, the Firebase Realtime Database, the Cloud Storage for Firebase services to store and access personal data provided by data processor/subprocessor Google. Google Cloud Platform, which hosts datad.at, undergoes regular independent audits for a range of standards including ISO 27001, ISO 27017, ISO 27018, SOC 2, SOC 3, CSA STAR, EU-U.S. Privacy Shield, HIPAA, and PCI DSS.
7.8. Datadat GmbH requires subprocessors to use full disk encryption for data storage during data processing based on the Google Cloud Platform to guarantee that the data never reaches the cloud in an unencrypted state during network transmission.
8. Accessing information
8.1. As a data controller, Datadat GmbH is transparent with data subjects about the information we hold and how it can be accessed.
8.2. Datadat GmbH as a data processor provides its Clients with all the relevant information to enable them to act as a transparent data controller.
9.1. Datadat GmbH stores data in a multi-tenant environment on the servers of the cloud service providers under points 7.2 and 7.3. Datadat GmbH also logically isolates the Client’s data.
9.2. Datadat GmbH keeps a continuous and verifiable log file on all the operations performed upon the processed personal data.
10. Data incidents
10.1 If Datadat GmbH becomes aware of a Data Incident, Datadat GmbH will: (a) notify the Client of the Data Incident promptly and without undue delay after becoming aware of the Data Incident; and (b) promptly take reasonable steps to minimize harm and secure Customer Data.
10.2 Notifications made pursuant to this section will describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks and steps Datadat GmbH recommends Client take to address the Data Incident.
10.3 Notification(s) of any Data Incident(s) will be delivered by e-mail or at Datadat GmbH’s discretion, by direct communication (for example, by phone call or an in-person meeting).
10.4 Datadat GmbH will not assess the contents of Customer Data to identify information subject to any specific legal requirements. Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling any third party notification obligations related to any Data Incident(s).
10.5 Any notification of or response to a Data Incident under this Section 7.2 (Data Incidents) will not be construed as an acknowledgement by Datadat GmbH or any of its data processors/subprocessors of any fault or liability with respect to the Data Incident.
11. Information audit
11.1. Datadat GmbH will conduct an information audit on a regular basis against all information held by it to ensure that it is correctly managed in accordance with the GDPR.
11.2. The information audit may be completed in a number of ways, including, but not limited to, interviews with staff members with key responsibilities to identify information and information flows, and questionnaires to key staff members to identify information and information flows.
11.3. The DPO is responsible for completing the information audit.
11.4. Datadat GmbH cooperates with its Clients in all their audits and monitoring activities aimed at compliance with the GDPR.
12. Disposal of data
12.1. All records containing personal information or information must be disposed of in a way which ensures they are unreadable or unreconstructable. Paper records must be shredded using a cross-cut shredder, CDs/DVDs should be cut into small pieces and hard drives must be wiped according to the nature of the data stored on them.
12.2. In case of opt-out performed by the data subject, the relevant personal data must also be deleted from the log file under point 9.2, except where a statutory regulation, the Client or the data subject requires otherwise in accordance with the GDPR.
13. Monitoring and review
13.1. This policy will be reviewed on an annual basis by the Managing Partner in conjunction with the DPO – the next scheduled review date for this policy is November 2022.
13.2. Any changes made to this policy will be communicated to all members of staff.