Product: GDPR-sovelluskirjasto

Vaihda suomenkieliseen lomakkeeseen
Last edited 03.12.2024

MET-1-1.1 Who gave the information?

Manufacturer/service provider

MET-1-2.1 Brief introduction of the product

Sovelluskirjasto.fi / GDPR-library EU is Due Diligence tool for software buyers. We offer you as a software vendor possibility to maintain gdpr-information of your product in the library. Platform includes also a DPIA-tool for the customers.

MET-1-3.1 Introduction page (if any)

https://sovelluskirjasto.fi
Additional information

1-5 categories describing the product.

Platform solutions portals publishing services and wikis, System management and support programs, Data management and processing

GEN-1-3.1 Is there an age limit for users in the service?

No

GEN-1-5.1 Country of manufacture/home country of the service provider

Suomi
Server is located in Germany.

GEN-1-6.1 ISO certifications

Empty/not answered

GEN-1-7.1 Is there a mobile app for the service?

Empty/not answered
Additional information
No

GEN-1-8.1 License type

Named user

GEN-1-9.1 Is virtualization possible?

No

GEN-2-1.1 Service-specific Privacy Notice (if any)

https://www.sovelluskirjasto.fi/en/privacy-policy/

GEN-2-2.1 Data security description of the service (if any)

Empty/not answered

GEN-2-3.1 Contact information of the data protection officer

Empty/not answered

GEN-2-4.1 Are there advertisements or links to commercial services on the platform?

No

GEN-2-5.1 Does the service use cookies for which users' consent is asked?

No

UMA-1-1.1 Is the service used with personal usernames?

Yes

UMA-1-2.1 Are there at least two user levels in the user management of the service: administrator and end user?

Yes
Additional information
Customers who have signed an agreement get adminstrator or basic user rights to the service.

UMA-1-3.1 Can access rights be limited according to the employees' job duties, taking into account the rights of different user groups?

Yes
Additional information
There is possibility to limit users' access rights to the DPIA-tool.

UMA-1-4.1 What options does the service have to integrate user management into the organization's centralized user registry and single sign-on (SSO)?

Empty/not answered
Additional information
SSO integration is coming later.

UMA-1-5.1 Is it possible to log in with usernames of other service providers?

No

UMA-1-6.1 Can multi-factor authentication (MFA) be used for logging in?

No

UMA-1-7.1 Is strong user authentication possible?

No

UMA-1-8.1 Is it possible for the service to have guest users or non-logged-in users from outside the customer organization?

Yes
Additional information
The customer can invite users outside the service to participate in the DPIA process. They get the right to modify or review an individual DPIA. They have no other rights.

UMA-2-1.1 Are comprehensive log data about the activities of all logged-in users saved?

Yes
Additional information
The log information is only visible to those responsible for application development. The customer receives the log information related to their use by requesting it.

UMA-2-2.1 Is every access to personal data saved in a log?

Yes

UMA-2-3.1 Are the service logs protected from unauthorized viewing and deletion?

Yes

UMA-2-4.1 How long are log data retained, and how are they deleted?

Lokit säilytetään siihen asti kunnes käyttäjä on poistettu.

TDP-1-1.1 What kind of integrations (interfaces) are involved in the system and how are they protected from outsiders?

The service has a REST API. Use of the interface requires the conclusion of an agreement and a customer-specific password. An encrypted network connection is used for data transfer.

TDP-1-2.1 How are the transfers of personal data through interfaces to sub-processors and possible disclosures to other parties logged?

Empty/not answered

TDP-2-1.1 Does all personal data processing in the service take place in such a way that the network connection is encrypted and the user or the parties to the data transfer are verified?

Yes

TDP-2-2.1 Is it possible to use the service so that all personal data is stored only in encrypted form?

No

TDP-2-3.1 Has the service's security taken into account independent remote access?

Not answered

TDP-3-1.1 Is the data content of the service backed up at least once a day and is it possible to restore the backup quickly if necessary?

Yes

TDP-3-2.1 Is the backup restoration process documented and tested?

Not answered

TDP-4-2.1 Can multi-factor authentication (MFA) be required on all users at login?

No

TDP-5-1.1 Are security updates for software components related to the service installed regularly without any delay?

Yes

TDP-5-2.1 Has data security been audited by an external party? If so, by whom?

No

TDP-5-3.1 Are regular data security and vulnerability tests performed on the service?

Yes
Additional information
The data security of the server is regularly monitored.

TDP-5-5.1 How have the GDPR requirements, risk-based approach and data protection by default, been taken into account in the system design and its functions?

Empty/not answered

TDP-5-6.1 Does the service provider have procedures for detecting, reporting, and investigating data breaches?

Not answered

DPR-1-1.1 What are the purposes of processing personal data?

The name and e-mail information of the service users are collected to create user IDs.
Käyttäjän nimi ja sähköpostiosoite tarvitaan käyttäjätunnusten luomista varten.

DPR-1-2.1 What role does the service provider give itself in terms of data security?

For the role of controller and processor
Additional information
Service provider is the controller of the GDPR Library itself.
Regarding the DPIA-tool, service provider position itself as a data processor.

DPR-1-3.1 Do end users need to give consent for the processing of personal data related to the service?

Not answered

DPR-1-4.1 Is it possible to make the name of the client organization and a link to its own privacy notice visible to users in the service?

No

DPR-1-5.1 Does the service provider have access to personal data stored by the client organization?

Yes
Additional information
The service provider creates user accounts for the software vendor's and customer's employees and manages them (controller).
As a data processor, the service provider has access to the data to be entered into the DPIA tool.

DPR-1-6.1 Does use of the service generate a register of which the service provider is a joint controller with the client organization?

No

DPR-1-8.1 Does the service provider have an up-to-date list of personal data sub-processors, including each sub-processor's name, location, processing purpose, and any transfer basis outside the EU/EEA?

Yes

DPR-1-9.1 Link to the list of sub-processors (if any)

Empty/not answered
Additional information
As a sub-processor acts:
* Innowise Oy (VAT 1919750-1), DPA has been signed.
* AtWise LLC (VAT 4024020507382), DPA has been signed, DPIA data is not shared.

* Ilona IT is itself the data controller for the GDPR application library, and then AtWise and Innowise are the processors.
* Client is the data controller for the data of the DPIA tool and then Ilona IT is the personal data processor and only Innowise is the sub-processor. AtWise does not have access rights to the content and data of the DPIA tool, and therefore does not act as a sub-processor in that respect.

DPR-1-10.1 Does the service provider or any of its sub-processors process personal data outside the EU/EEA?

Yes
Additional information
In Macedonian co-operation firm AtWise LLC (VAT: 4024020507382), DPA has been signed, DPIA data is not shared.

DPR-1-11.1 If personal data is processed outside the EU/EEA area, on what grounds is personal data transferred?

Standard clauses adopted by the Commission (Article 46:2(c) and Article 46:2(d))
Additional information
Personal data is primarily processed within the EU/EEA area only. Personal data may, however, be transferred outside the EU/EEA especially if a services provider we use is located outside the EU/EEA.

If personal data were to be transferred outside the EU/EEA to a country that is not included in the EU Commission's decision on an adequate level of data protection, we will make sure that the processing, transfer and storage of your data is carried out on the grounds required by law and with adequate protection mechanisms, such as using the standard contract clauses confirmed by the EU Commission.

DPR-1-12.2 Can personal data be transferred to third countries that are not considered safe?

No

DPR-1-13.1 In which countries are the service provider's servers located?

Germany

DPR-2-1.1 What personal data does the service provider process?

Company name (employer)
Name of the person
Email address
Username and password

Log history of data entries and edits in the service, mainly: (1) who entered/edited data, (2) entries/edits made, (3) time stamp – this data is collected to ensure reliability of data in the service
Customary contact and billing details required for billing and invoicing paid services
Customary correspondence with users
Possibly information entered by the customer into the DPIA-tool.

DPR-2-2.1 Is the service also intended for processing special personal data (e.g. health data)?

No

DPR-2-3.1 Can the required and optional fields related to users be defined by the administrator?

Yes

DPR-2-4.1 Does the service provider provide users with comprehensive information about the processing of personal data in the service?

Yes

DPR-2-6.1 What procedures are in place to ensure that data is not used for other purposes?

DPA:s with sub-processors and customers

DPR-2-7.1 Does the service have a function for pseudonymizing personal data?

No

DPR-2-8.1 Can users be asked for separate consents for the processing of certain personal data (e.g., personal identification number or special personal data)?

No
Additional information
Personal identification number or special personal data are not collected.

DPR-2-9.1 Is data processed on a large scale in the service?

No

DPR-2-10.1 Can the service's functions involve profiling, scoring, or evaluating individuals?

No

DPR-2-11.1 Can the service involve the processing of location data?

No

DPR-2-12.1 Can the service define the retention periods for personal data or the criteria for determining them?

No
Additional information
The customer must inform the service provider when the data of its employees must be deleted. When the contract ends the data will be deleted automatically.
When a user or customer organization is deleted, any log file associated with the user is also deleted (administrators).

DPR-2-13.1 Can users' personal data be anonymized instead of deleted?

No

DPR-3-3.1 Is the scope and duration of personal data processing proportional to the intended benefits?

Yes

DPR-4-2.1 Can users see all the data stored about them?

No
Additional information
The user cannot directly see the log data stored about their activity.

DPR-4-3.1 Can users download or transfer the data they have stored to another service, or import data from another system?

No
Additional information
The amount of personal data is minimal.

DPR-4-4.1 How and when are personal data deleted?

The customer must inform the service provider when the data of its employees must be deleted during the contract. When the contract ends the data will be deleted automatically.
When a user or customer organization is deleted, any log file associated with the user is also deleted (administrators).

DPR-4-5.1 If a data subject exercises their right to restrict the processing of their personal data, what technical means are used to ensure the implementation of the restriction?

The registered person can request the deletion of their user ID and refuse customer communication.

DPR-5-1.1 How is the accuracy of the processed personal data ensured?

If the person himself/ herself informs the service provider or the regularly sent customer letter is returned to the service provider, the reason will be checked and, if necessary, the person will be removed from the user register or the information will be changed.

DPR-6-1.1 Are automated decisions made in the service, and if so, on what basis?

No

DPR-6-2.1 How are data subjects informed about automated decision-making?

Empty/not answered

DPR-6-3.1 How are the conclusions related to the data subject that are based on automated decision-making described to them?

Empty/not answered

DPA-1-1.1 Is it possible to enter into a data processing agreement (DPA) with the service provider?

Yes; only one standard DPA

DPA-1-2.1 Link to standard template for a DPA agreement (if available)

https://ilonait.adobeconnect.com/dpa_fi/
Additional information
DPA in Finnish. Ask the English version: soili@ilonait.fi

DPA-1-3.1 Are the personal data to be processed defined in the DPA (Data Processing Agreement)?

Yes

DPA-1-4.1 Are the purposes of personal data processing defined in the DPA (Data Processing Agreement)?

Yes

DPA-1-5.1 Can instructions be provided in conjunction with the DPA (Data Processing Agreement) that the service provider must take into account when processing personal data?

No

DPA-1-6.1 Does the DPA (Data Processing Agreement) stipulate that the service provider ensures confidentiality obligations for its employees?

Yes

DPA-1-7.1 Does the DPA (Data Processing Agreement) stipulate that the service provider allows for monitoring and auditing by the data controller?

Yes

DPA-1-8.1 Does the service provider have a designated contact person for data protection issues?

Yes
Additional information
soili@ilonait.fi

DPA-1-9.1 Is data deletion defined in the DPA (Data Processing Agreement)?

Yes

DPA-1-10.1 Does the service provider use users' personal data for purposes other than the functions and maintenance of the service?

No

DPA-2-1.1 Is compliance with the EU General Data Protection Regulation (GDPR) and the implementation of adequate safeguards ensured in the DPA (Data Processing Agreement) in situations where sub-processors are used for personal data processing?

Yes
Additional information
DPA is signed.

DPA-2-2.1 Sub-processors in accordance with the DPA (Data Processing Agreement) or a link to the list of sub-processors (if available).

As a sub-processor acts:
* Innowise Oy (VAT 1919750-1), DPA has been signed.
* AtWise LLC (VAT 4024020507382), DPA has been signed, DPIA data is not shared.

* Ilona IT is itself the data controller for the GDPR application library, and then AtWise and Innowise are the processors.
* Client is the data controller for the data of the DPIA tool and then Ilona IT is the personal data processor and only Innowise is the sub-processor. AtWise does not have access rights to the content and data of the DPIA tool, and therefore does not act as a sub-processor in that respect.

DPA-2-3.1 Does the service provider comply with the requirements of the General Data Protection Regulation (GDPR) regarding changes to sub-processors?

Yes

DPA-3-1.1 Does the service provider commit to promptly notifying of any data breaches?

Yes

DPA-3-2.1 Does the service provider have a procedure mentioned in the contract for reporting data breaches?

Yes

DPA-3-3.1 Does the service provider commit to promptly fulfilling requests related to personal data?

Yes

DPA-4-1.1 Does the processor or any of its sub-processors process personal data outside the EU/EEA?

Yes
Additional information
DPA is signed.

DPA-4-2.1 If personal data is processed outside the EU/EEA, on what basis are the data transfers made?

Standard clauses adopted by the Commission (Article 46:2(c) and Article 46:2(d))

DPA-4-3.1 If the EU Commission's Standard Contractual Clauses (SCC) are used as the grounds for the transfer of personal data, which standard clauses are they?

Transfer of personal data from controller to processor

DPA-4-4.1 Can personal data be disclosed to the authorities of a third country?

No

DPA-4-5.1 Does the service provider have documentation to assist with the transfer impact assessment (TIA) when data is transferred outside the EU/EEA?

Yes
Additional information
Organizational protective measures: e.g. limiting the persons who have access to the data and minimizing the data, i.e. not sharing or processing more data than is necessary. DPIA-data is not shared outside EU.

Contract-based: written contracts, in which e.g. conditions regarding confidentiality and information security obligations, to which the contracting party must commit.

DPA-4-6.1 If data is transferred outside the EU/EEA area, what additional protection measures are used?

Organizational protective measures: e.g. limiting the persons who have access to the data and minimizing the data, i.e. not sharing or processing more data than is necessary.
Contract-based: written contracts, in which e.g. conditions regarding confidentiality and information security obligations, to which the contracting party must commit.
Check invalid fields