As a service provider, Molnix acts as a processor in terms of the GDPR. Although we do not carry out the data handling ourselves, Molnix is still deemed to be a processor because we provide cloud services for personnel management.
What are the requirements set for a processor? In this post I will concentrate on the first paragraph of Article 28 of the Regulation. To quote Article 28, “the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”
From the very beginning Molnix has invested in high-quality and high-security technical solutions. Because of that, our solution clearly exceeds the requirements of the Regulation. The data is always encrypted, both in transit and at rest. Storage is duplicated and distributed, access rights are monitored, and so on. In addition, the physical premises are professionally built data centres under constant surveillance with controlled access. The physical part of the protection is usually relatively easy to provide. The real challenge is to provide a software architecture and systematic processes which guarantee the safe handling of personal data.
Molnix RPM has been designed to provide data protection by design and by default (Article 25 of the GDPR). Because of the flexible structure of the database and the easy customization of the solution, our customers need to collect only the data they really need. We erase outdated data promptly, according to processes prescribed in advance. That is actually one of the key points of the Regulation.
We have developed the internal and external processes required in order to comply with the Regulation. These processes need to be customized only slightly each time we start providing the service. Our systematic and documented processes help our customers do their part of the job. According to the Regulation, the controller is always accountable to the supervisory authority for the processing of personal data. Because of that, it is of great help if the processor has its own processes under control and is able to help the controller comply with the Regulation. In fact, we are happy to provide best-practice models that fit the typical usage scenarios where RPM is deployed.