Product: GDPR-sovelluskirjasto

Vaihda suomenkieliseen lomakkeeseen
Last edited 28.04.2024

MET-1-1.1 Who gave the information?

Manufacturer/service provider

MET-1-2.1. Brief introduction of the product

Sovelluskirjasto.fi / GDPR-library EU is Due Diligence tool for software buyers. We offer you as a software vendor possibility to maintain gdpr-information of your product in the library. Platform includes also a DPIA-tool for the customers.

MET-1-3.1 Introduction page (if any)

https://sovelluskirjasto.fi
Additional information

1-5 categories describing the product.

Platform solutions portals publishing services and wikis, System management and support programs, Data management and processing

GEN-1-3.1 Is there an age limit for users in the service?

No

GEN-1-5.1 Country of manufacture/home country of the service provider

Suomi

GEN-1-6.1 ISO certifications

Empty/not answered

GEN-1-7.1 Is there a mobile app for the service?

Empty/not answered

GEN-1-8.1 License type

Named user

GEN-1-9.1 Is virtualization possible?

No

GEN-2-1.1 Service-specific Privacy Notice (if any)

https://www.sovelluskirjasto.fi/en/privacy-policy/

GEN-2-2.1 Data security description of the service (if any)

Empty/not answered

GEN-2-3.1 Contact information of the data protection officer

Empty/not answered

GEN-2-4.1 Are there advertisements or links to commercial services in the service?

No

GEN-2-5.1 Does the service use cookies for which users' consent is asked?

No

UMA-1-1.1 Is the service used with personal usernames?

Yes

UMA-1-2.1 Are there at least two user levels in the user management of the service: administrator and end user?

Yes
Additional information
Customers who have signed an agreement get adminstrator or basic user rights to the service.

UMA-1-3.1 Can access rights be limited according to the employees' job duties, taking into account the rights of different user groups?

Yes
Additional information
There is possibility to limit users' access rights to the DPIA-tool.

UMA-1-4.1 What options does the service have to integrate user management into the organization's centralized user registry and single sign-on (SSO)?

Empty/not answered
Additional information
SSO integration is coming later.

UMA-1-5.1 Is it possible to log in with usernames of other service providers?

No

UMA-1-6.1 Can multi-factor authentication (MFA) be used for logging in?

No

UMA-1-7.1 Is strong user authentication possible?

No

UMA-2-1.1 Are comprehensive log data about the activities of all logged-in users saved?

Yes

UMA-2-2.1 Is every access to personal data saved in a log?

Yes

TDP-1-1.1 What kind of integrations (interfaces) are involved in the system and how are they protected from outsiders?

The service has a REST API. Use of the interface requires the conclusion of an agreement and a customer-specific password. An encrypted network connection is used for data transfer.

TDP-2-1.1 Does all personal data processing in the service take place in such a way that the network connection is encrypted and the user or the parties to the data transfer are verified?

Yes

TDP-2-2.1 Is it possible to use the service so that all personal data is stored only in encrypted form?

No

TDP-3-1.1 Is the data content of the service backed up at least once a day and is it possible to restore the backup quickly if necessary?

Yes

TDP-4-2.1 Can multi-factor authentication (MFA) be required on all users at login?

No

TDP-5-1.1 Are security updates for software components related to the service installed regularly without any delay?

Yes

TDP-5-2.1 Has data security been audited by an external party? If so, by whom?

No

TDP-5-3.1 Are regular data security and vulnerability tests performed on the service?

Yes
Additional information
The data security of the server is regularly monitored.

DPR-1-2.1 What role does the service provider give itself in terms of data security?

For the role of controller and processor
Additional information
Service provider is the controller of the GDPR Library itself.
Regarding the DPIA-tool, service provider position itself as a data processor.

DPR-1-4.1 Is it possible to make the name of the client organization and a link to its own privacy notice visible to users in the service?

No

DPR-1-5.1 Does the service provider have access to personal data stored by the client organization?

Yes
Additional information
The service provider creates user accounts for the customer's employees and manages them.
As a data processor service provider has access to t

DPR-1-6.1 Does use of the service generate a register of which the service provider is a joint controller with the client organization?

No

DPR-1-7.1 Is a personal data register of users generated for the service provider of which it is the controller?

Yes
Additional information
The service provider creates user accounts for the customer's employees and manages them.

DPR-1-8.1 Does the service provider have, for each sub-processor, an up-to-date list of sub-processors of personal data, which shows the name, location, processing purpose and possible grounds for transfer outside the EU/EEA area?

Yes

DPR-1-9.1 Link to the list of sub-processors (if any)

Empty/not answered
Additional information
As a sub-processor acts:
* Innowise Oy (VAT 1919750-1), DPA has been signed.
* AtWise LLC (VAT 4024020507382), DPA has been signed, DPIA data is not shared.

* Ilona IT is itself the data controller for the GDPR application library, and then AtWise and Innowise are the processors.
* Client is the data controller for the data of the DPIA tool and then Ilona IT is the personal data processor and only Innowise is the sub-processor. AtWise does not have access rights to the content and data of the DPIA tool, and therefore does not act as a sub-processor in that respect.

DPR-1-10.1 Does the service provider or one of its sub-processors process personal data outside the EU/EEA area?

Yes
Additional information
In Macedonian co-operation firm AtWise LLC (VAT: 4024020507382), DPA has been signed, DPIA data is not shared.

DPR-1-11.1 If personal data is processed outside the EU/EEA area, on what grounds is personal data transferred?

Standard clauses adopted by the Commission (Article 46:2(c) and Article 46:2(d))
Additional information
Personal data is primarily processed within the EU/EEA area only. Personal data may, however, be transferred outside the EU/EEA especially if a services provider we use is located outside the EU/EEA.

If personal data were to be transferred outside the EU/EEA to a country that is not included in the EU Commission's decision on an adequate level of data protection, we will make sure that the processing, transfer and storage of your data is carried out on the grounds required by law and with adequate protection mechanisms, such as using the standard contract clauses confirmed by the EU Commission.

DPR-1-12.1 Can personal data be transferred to non-secure third countries such as the United States?

No

DPR-2-1.1 What personal data does the service provider process?

Company name (employer)
Name of the person
Email address
Username and password
Log history of data entries and edits in the service, mainly: (1) who entered/edited data, (2) entries/edits made, (3) time stamp – this data is collected to ensure reliability of data in the service
Customary contact and billing details required for billing and invoicing paid services
Customary correspondence with users
Possibly information entered by the customer into the DPIA-tool.

DPR-2-2.1 Is the service also intended for processing special personal data (e.g. health data)?

No

DPR-2-3.1 Can the required and optional fields related to users be defined by the administrator?

Yes

DPR-2-4.1 Does the service provider provide users with comprehensive information about the processing of personal data in the service?

Yes

DPR-2-5.1 Does the service provider process personal data in accordance with data protection legislation?

Yes

DPR-2-6.1 What procedures are in place to ensure that data is not used for other purposes?

DPA:s with sub-processors and customers

DPR-2-7.1 Does the service have a function for pseudonymizing personal data?

No

DPR-2-10.1 Is there profiling, scoring or evaluation of people in the functions of the service?

No

DPR-2-11.1 Are users' location data processed?

No

DPR-2-12.1 Can the service define the retention periods of personal data or its criteria?

No
Additional information
The customer must inform the service provider when the data of its employees must be deleted.

DPR-2-13.1 Can users' personal data be anonymized instead of deleted?

No

DPR-3-1.1 Has the service provider identified, in its privacy policy, all personal data that is clearly related to the use of the service?

Yes

DPR-4-1.1 Does the service provider guarantee that the rights of the data subjects are realized in accordance with the EU General Data Protection Regulation (GDPR)?

Yes
Additional information
The service provider uses personal data of the customer's employees only in accordance with the agreement and GDPR.

DPR-4-4.1 How and when are personal data deleted?

The customer must inform the service provider when the data of its employees must be deleted during the contract. When the contract ends the data will be deleted automatically.

DPA-1-1.1 Is it possible to enter into a data processing agreement agreement (DPA) with the service provider?

Yes; only one standard DPA

DPA-1-2.1 Link to standard template for a DPA agreement (if available)

https://ilonait.adobeconnect.com/dpa_fi/
Additional information
DPA in Finnish. Ask the English version: soili@ilonait.fi

DPA-1-3.1 Is the personal data to be processed specified in the DPA?

Yes

DPA-1-4.1 Are the purposes of personal data processing specified in the DPA?

Yes

DPA-1-5.1 In connection with the DPA, is it possible to give instructions that the service provider must taken into account when processing personal data?

No

DPA-1-6.1 Does the DPA stipulate that the service provider is responsible for the confidentiality obligation of its employees?

Yes

DPA-1-7.1 Does the DPA stipulate that the service provider allows monitoring and auditing by the controller?

Yes

DPA-1-8.1 Does the service provider have a designated contact person for data protection issues?

Yes
Additional information
soili@ilonait.fi

DPA-1-9.1 Is deletion of data defined in the DPA?

Yes

DPA-2-1.1 If sub-processors are used in the processing of personal data, is compliance with the EU's General Data Protection Regulation (GDPR) and the implementation of sufficient protective measures ensured in the contract?

Yes
Additional information
DPA is signed.

DPA-2-2.1 Sub-processors under the DPA agreement or a link to the list of sub-processors (if any)

As a sub-processor acts:
* Innowise Oy (VAT 1919750-1), DPA has been signed.
* AtWise LLC (VAT 4024020507382), DPA has been signed, DPIA data is not shared.

* Ilona IT is itself the data controller for the GDPR application library, and then AtWise and Innowise are the processors.
* Client is the data controller for the data of the DPIA tool and then Ilona IT is the personal data processor and only Innowise is the sub-processor. AtWise does not have access rights to the content and data of the DPIA tool, and therefore does not act as a sub-processor in that respect.

DPA-3-1.1. The service provider undertakes to report all data security breaches without any delay

Yes

DPA-4-1.1 Does the processor or any of its sub-processors process personal data outside the EEA?

Yes
Additional information
DPA is signed.

DPA-4-2.1 If personal data is processed outside the EEA, on what grounds is personal data transferred?

Standard clauses adopted by the Commission (Article 46:2(c) and Article 46:2(d))

DPA-4-3.1 If the EU Commission's Standard Contractual Clauses (SCC) are used as the grounds for the transfer of personal data, which standard clauses are they?

answer specification option for key Modul 2 and/ or modul 3 not found

DPA-4-4.1 Can personal data be disclosed to the authorities of a third country?

No

DPA-4-5.1 If data is transferred outside the EU/EEA area, does the service provider have documentation that helps in assessing the effects of data transfer (transfer impact assessment, TIA)?

Yes
Additional information
Organizational protective measures: e.g. limiting the persons who have access to the data and minimizing the data, i.e. not sharing or processing more data than is necessary. DPIA-data is not shared outside EU.

Contract-based: written contracts, in which e.g. conditions regarding confidentiality and information security obligations, to which the contracting party must commit.

DPA-4-6.1 If data is transferred outside the EU/EEA area, what additional protection measures are used?

Organizational protective measures: e.g. limiting the persons who have access to the data and minimizing the data, i.e. not sharing or processing more data than is necessary. Contract-based: written contracts, in which e.g. conditions regarding confidentiality and information security obligations, to which the contracting party must commit.
Check invalid fields