Product: GDPR-sovelluskirjasto

Last edited 01.09.2023

MET-1-1.1 Who gave the information?

Manufacturer/service provider

MET-1-2.1 Brief introduction of the product

Sovelluskirjasto.fi / GDPR-library EU is a due diligence tool for software buyers. We offer you, as a software vendor, the possibility to maintain the GDPR information of your product in the library.

MET-1-3.1 Introduction page (if any)

1-5 categories describing the product.

System management and support programs, Data management and processing

GEN-1-3.1 Is there an age limit for users in the service?

No

GEN-1-5.1 Country of manufacture/home country of the service provider

Finland

GEN-1-6.1 ISO certifications

Blank/not answered

GEN-1-7.1 Is there a mobile app for the service?

Blank/not answered

GEN-1-8.1 License type

Named user

GEN-1-9.1 Is virtualization possible?

No

GEN-2-1.1 Service-specific Privacy Notice (if any)

GEN-2-2.1 Data security description of the service (if any)

Blank/not answered

GEN-2-3.1 Contact information of the data protection officer

Blank/not answered

GEN-2-4.1 Are there advertisements or links to commercial services in the service?

No

GEN-2-5.1 Does the service use cookies for which users' consent is asked?

No

UMA-1-1.1 Is the service used with personal usernames?

Yes

UMA-1-2.1 Are there at least two user levels in the user management of the service: administrator and end user?

No
Additional information
Customers who have signed an agreement get basic user rights to the service.

UMA-1-3.1 Can access rights be limited according to the employees' job duties, taking into account the rights of different user groups?

No
Additional information
There is no need to limit users' access rights in the service.

UMA-1-4.1 What options does the service have to integrate user management into the organization's centralized user registry and single sign-on (SSO)?

Blank/not answered
Additional information
SSO integration is coming later.

UMA-1-5.1 Is it possible to log in with usernames of other service providers?

No

UMA-1-6.1 Can multi-factor authentication (MFA) be used for logging in?

No

UMA-1-7.1 Is strong user authentication possible?

No

UMA-2-1.1 Are comprehensive log data about the activities of all logged-in users saved?

Yes

UMA-2-2.1 Is every access to personal data saved in a log?

Yes

TDP-1-1.1 What kind of integrations (interfaces) are involved in the system and how are they protected from outsiders?

The service has a REST API. Use of the interface requires the conclusion of an agreement and a customer-specific password. An encrypted network connection is used for data transfer.

TDP-2-1.1 Does all personal data processing in the service take place in such a way that the network connection is encrypted and the user or the parties to the data transfer are verified?

Yes

TDP-2-2.1 Is it possible to use the service so that all personal data is stored only in encrypted form?

No

TDP-3-1.1 Is the data content of the service backed up at least once a day and is it possible to restore the backup quickly if necessary?

Yes

TDP-4-2.1 Can multi-factor authentication (MFA) be required on all users at login?

No

TDP-5-1.1 Are security updates for software components related to the service installed regularly without any delay?

Yes

TDP-5-2.1 Has data security been audited by an external party? If so, by whom?

No

TDP-5-3.1 Are regular data security and vulnerability tests performed on the service?

Yes
Additional information
The data security of the server is regularly monitored.

DPR-1-2.1 What role does the service provider give itself in terms of data security?

The role of controller

DPR-1-4.1 Is it possible to make the name of the client organization and a link to its own privacy notice visible to users in the service?

No

DPR-1-5.1 Does the service provider have access to personal data stored by the client organization?

Yes
Additional information
The service provider creates user accounts for the customer's employees and manages them.

DPR-1-6.1 Does use of the service generate a register of which the service provider is a joint controller with the client organization?

No

DPR-1-7.1 Is a personal data register of users generated for the service provider of which it is the controller?

Yes
Additional information
The service provider creates user accounts for the customer's employees and manages them.

DPR-1-8.1 Does the service provider have, for each sub-processor, an up-to-date list of sub-processors of personal data, which shows the name, location, processing purpose and possible grounds for transfer outside the EU/EEA area?

Yes

DPR-1-9.1 Link to the list of sub-processors (if any)

Blank/not answered

DPR-1-10.1 Does the service provider or one of its sub-processors process personal data outside the EU/EEA area?

Yes
Additional information
In a Macedonian co-operation firm

DPR-1-11.1 If personal data is processed outside the EU/EEA area, on what grounds is personal data transferred?

Standard clauses adopted by the Commission (Article 46:2(c) and Article 46:2(d))
Additional information
Personal data is primarily processed within the EU/EEA area only. Personal data may, however, be transferred outside the EU/EEA especially if a services provider we use is located outside the EU/EEA.

If personal data were to be transferred outside the EU/EEA to a country that is not included in the EU Commission's decision on an adequate level of data protection, we will make sure that the processing, transfer and storage of your data is carried out on the grounds required by law and with adequate protection mechanisms, such as using the standard contract clauses confirmed by the EU Commission.

DPR-1-12.1 Can personal data be transferred to non-secure third countries such as the United States?

No

DPR-2-1.1 What personal data does the service provider process?

Company name (employer)
Name of the person
Email address
Username and password
Log history of data entries and edits in the service, mainly: (1) who entered/edited data, (2) entries/edits made, (3) time stamp – this data is collected to ensure reliability of data in the service
Customary contact and billing details required for billing and invoicing paid services
Customary correspondence with users

DPR-2-2.1 Is the service also intended for processing special personal data (e.g. health data)?

No

DPR-2-3.1 Can the required and optional fields related to users be defined by the administrator?

Yes

DPR-2-4.1 Does the service provider provide users with comprehensive information about the processing of personal data in the service?

Yes

DPR-2-5.1 Does the service provider process personal data in accordance with data protection legislation?

Yes

DPR-2-6.1 What procedures are in place to ensure that data is not used for other purposes?

Blank/not answered

DPR-2-7.1 Does the service have a function for pseudonymizing personal data?

No

DPR-2-10.1 Is there profiling, scoring or evaluation of people in the functions of the service?

No

DPR-2-11.1 Are users' location data processed?

No

DPR-2-12.1 Can the service define the retention periods of personal data or its criteria?

No
Additional information
The customer must inform the service provider when the data of its employees must be deleted.

DPR-2-13.1 Can users' personal data be anonymized instead of deleted?

No

DPR-3-1.1 Has the service provider identified, in its privacy policy, all personal data that is clearly related to the use of the service?

Yes

DPR-4-1.1 Does the service provider guarantee that the rights of the data subjects are realized in accordance with the EU General Data Protection Regulation (GDPR)?

Yes
Additional information
The service provider uses personal data of the customer's employees only in accordance with the agreement and GDPR.

DPR-4-4.1 How and when are personal data deleted?

The customer must inform the service provider when the data of its employees must be deleted.

DPA-1-1.1 Is it possible to enter into a data processing agreement (DPA) with the service provider?

No

DPA-1-2.1 Link to standard template for a DPA agreement (if available)

Blank/not answered

DPA-1-3.1 Is the personal data to be processed specified in the DPA?

Not answered

DPA-1-4.1 Are the purposes of personal data processing specified in the DPA?

Not answered

DPA-1-5.1 In connection with the DPA, is it possible to give instructions that the service provider must take into account when processing personal data?

Not answered

DPA-1-6.1 Does the DPA stipulate that the service provider is responsible for the confidentiality obligation of its employees?

Not answered

DPA-1-7.1 Does the DPA stipulate that the service provider allows monitoring and auditing by the controller?

Not answered

DPA-1-8.1 Does the service provider have a designated contact person for data protection issues?

Not answered

DPA-1-9.1 Is deletion of data defined in the DPA?

Not answered

DPA-2-1.1 If sub-processors are used in the processing of personal data, is compliance with the EU's General Data Protection Regulation (GDPR) and the implementation of sufficient protective measures ensured in the contract?

Not answered

DPA-2-2.1 Sub-processors under the DPA agreement or a link to the list of sub-processors (if any)

Blank/not answered

DPA-3-1.1 The service provider undertakes to report all data security breaches without any delay

Not answered

DPA-4-1.1 Does the processor or any of its sub-processors process personal data outside the EEA?

No
Additional information
There is no DPA agreement for the service.

DPA-4-2.1 If personal data is processed outside the EEA, on what grounds is personal data transferred?

Not answered

DPA-4-3.1 If the EU Commission's Standard Contractual Clauses (SCC) are used as the grounds for the transfer of personal data, which standard clauses are they?

Not answered

DPA-4-4.1 Can personal data be disclosed to the authorities of a third country?

No

DPA-4-5.1 If data is transferred outside the EU/EEA area, does the service provider have documentation that helps in assessing the effects of data transfer (transfer impact assessment, TIA)?

Not answered

DPA-4-6.1 If data is transferred outside the EU/EEA area, what additional protection measures are used?

Blank/not answered