Unlocator and GDPR
The European Union General Data Protection Regulation (GDPR) is a regulation that is set to consolidate EU member state data privacy regulations. In this article we describe how Unlocator works with compliance in relation to the GDPR.
The 12 Steps to Compliance
Basically, the GDPR can be boiled down to a 12-step process. Every company marketing its service to customers in the EU has to be in compliance.
Unlocator works with a range of providers and we have performed an audit of the services, partners and providers that we use in order to ensure compliance and analyse data flow. You can see a complete list here.
As a first step it’s important to make sure that all employees on the Unlocator team are aware of the GDPR and what it means for everyday workflow and data handling. We have made sure that the whole team has an understanding of the GDPR and its requirements.
Access to user data is limited to the personnel who need access to perform their tasks. Access control and 2-factor authentication are some of the methods used to ensure control of the user data.
2. The Information we Hold
When using the Unlocator service we ask for certain information from you in order to supply our service.
The data is transmitted via our infrastructure and relevant partners. You can download a copy of your data at any time by logging in to your profile and navigating to your profile.
When you create an account with us we ask for your email. This is the basis and unique identifier for your account. If granted we will also use this email for sending emails about the Unlocator service and marketing offers.
If you contact the support team we will also use your email in order to look up your account info and supply you with the best customer support experience possible. We also use the email to prevent abuse of our system.
This is optional and is not required for using the Unlocator service. However, if you use the affiliate link in your account and wish to have your commission paid out we will need your full name for accounting purposes.
When creating a paid subscription we will need your full address in order to create a VAT compliant invoice. We also need the address if you wish to have a payout from the affiliate system.
Credit Card Information
When making a purchase you need to supply your credit card information. This information is not stored by us but by our PCI compliant payment gateways.
We don’t have access to the full card information and it never touches our servers.
When signing up and using the Unlocator website and API we will record your IP address. This is vital for providing the Unlocator service. We use the IP for authentication, to prevent abuse of our service and to apply the correct VAT charges to our invoice. Lastly, the IP address is a helpful tool when providing you with support.
We don’t store logs on the individual accounts. We keep a log at a personally identifiable level, which is purged at a 24-hour interval. The purpose of this log is to look at abuse patterns from malicious usage of the service.
Cookies and Tracking
3. Communicating privacy information
4. Individuals’ rights
All Unlocator users have the right to have GDPR enforced.
- Right of access: You can log in to your account at any time to see the information we have stored.
- Right of rectification: If you need any info updated you can either do so from your customer profile or contact us directly.
- Right of erasure: If you wish to be deleted you can do so from your profile. All your information will be deleted instantly apart from the following info:
  - The IP used for registration. This is in order to protect our system from abuse. The registration IP is kept for 30 days.
  - Invoice data. The invoice includes your email, address and if supplied your name. We have to keep this record for 5 years in order to be in compliance with Danish VAT regulations.
- Right to data portability: You can contact us at any time to have your data exported. However, since the very limited data we store is accessible directly from the customer panel you can do so more efficiently by logging in to your account.
- Right not to be subject to automated decision-making including profiling: We don’t do personal profiling of our customers. We differentiate between trial users and paying customers in order to help users get started with using the Unlocator service.
5. Subject access requests
We reply to all requests as soon as possible - usually 1-2 days. The limit set out by the GDPR is 1 month.
6. Lawful basis for processing personal data
We don’t market the product Unlocator towards children. The Unlocator service is an advanced technical platform directed at adult individuals looking for security and privacy. As a result, we have not deemed it relevant to control the age of users signing up for services.
9. Data breaches
We closely monitor system usage and access in order to protect the privacy of our users and records.
Here are just a few of the steps we take to ensure data security:
- We use firewalls and traffic analysis to protect against attacks
- Access from non-authorized sources is denied
- We monitor security issues in all layers of our applications and patch accordingly
- We use 2-Factor-Authentication in places where sensitive data is stored
- We isolate data based on sensitivity
10. Data Protection by Design and Data Protection Impact Assessments
By default our applications and backend are designed with data protection in mind.
Our sysadmins hold certificates on several security-related subjects.
11. Data Protection Officers
Since Unlocator's sole purpose is not the processing of Personal Identifiable Information we have not assigned a Data Protection Officer. That does not mean that we don't protect your data. It simply means that since we don't collect nor process what is known as Sensitive Personal Identifying Information.
We offer our service worldwide, including every EU member state. Unlocator is run by Linkwork ApS, which is incorporated in Denmark.
Center Boulevard 5
2300 Copenhagen, Denmark