The FAQ below aims to answer the most common questions in regards to the GDPR.
The GDPR stands for the General Data Protection Regulation. It has come into force on May 25th 2018 and replaced the Data Protection Directive 95/46/EC. It is a new set of rules designed to give EU citizens more control over their personal data. The regulation contains provisions and requirements for the processing of personal data. Not only will organizations have to ensure that personal data is gathered legally and under strict conditions, but those who collect and manage it will be obliged to protect it from misuse as well as to respect the rights of the data subjects.
The GDPR applies to any organization operating within the EU or processing data within the EU and any organization processing personal data belonging to persons from the EU. Since Presspage stores all their data, and thus also all the personal data, in Germany, the GDPR applies to your relation with Presspage, even though you yourself are not located in the EU.
The answer to this question is twofold. First part is the personal data that is processed by Presspage to execute the agreement between you and Presspage. To execute this agreement, Presspage processes personal information of your users to create an account within our platform. We are responsible for the way we process this data and, when doing so, to be compliant with the GDPR. This responsibility comes with the task to notify you what data we process and how we do this. This information can be found in our Privacy Statement.
The second part of the answer is about all personal data that is uploaded on our platform by you. Since we process this data on behalf of you, in the wording of the GDPR, Presspage is the processor and you are the controller. The controller remains responsible and determines the purposes for and the means of the processing of the personal data. The GDPR requires to sign a data processing agreement where there is a controller-processor relationship.
For this reason, we are unable to give you a pre-made text that you can add to your privacy policy. After all, as a controller you control how the data is to be used, how long the retention period is, which specific data gets collected and so on. As a processor we only provide the tools that allow you to control this data.
All data that is stored in / uploaded on the Presspage platform by you, is data that is being processed by Presspage on behalf of you. When this data is personal data, it falls within the scope of the GDPR, and Presspage is the processor and you are the controller (as stated in the GDPR). Whenever such a relationship exists, the GDPR requires both parties to sign a data processing agreement (dpa), listing the obligations when processing these data.
Within the newsroom, I do not upload any personal data. Why do I still need to sign a data processing agreement (dpa)?
It is correct that in principle the articles and content are not considered to be personal data and thus do not fall within the scope of the GDPR. But when the article contains any information from which a data subject can be deduced (e.g. contact information, email address, phone number), this is considered personal information and a dpa is required.
The same goes for when our Contact Information module is used. With this module, personal information is uploaded, which is processed in our platform for you. As you can see, processing personal information is easily done, which is why we require to sign a dpa.
I am making use of Presspage Mail, do I need to sign a data processing agreement (dpa)?
With Presspage Mail there is no big difference, only the fact that we can say with full certainty that personal information is being processed by Presspage on your behalf (think of all the contact details uploaded in this section). So, yes, a DPA needs to be signed.
It is important to inform the visitors of your newsroom about these widgets and how they work. These third parties place cookies themselves to be able to share content from the newsroom on social media networks. The visitor should be given the opportunity to decline these cookies, but if they do then these functionalities will not work (accordingly). All data that is collected via these cookies, is stored according to the privacy policies of the relevant third parties.
We have included this information in our cookie notification (please see the article about ‘cookies’ for more information), but it remains your responsibility to notify the visitors about these third party cookies.
We can start with answering this question by stating that Presspage is bound by the provisions of the GDPR.
Among other things, the GDPR has adopted provisions about actions to be taken in the case of personal data breach, the minimum requirements in securing/protection the personal data. In short, this means we have to notify you with undue delay about any data breaches and take all reasonable measures to prevent or limit (further) violation of the GDPR, we have to safeguard a level of security attuned to the risk that complies with the requirements under the GDPR.
The following security measures are adopted by Presspage:
- Personal data is only processed for the agreed purposes
- Personal data in Presspage’s database is encrypted at rest and in transit.
- Personal data can be accessed using username and password. There is a password policy in place, in which
- passwords must at least:
- Be 10 characters long
- and meet 3 of the following requirements:
- Contain at least 1 uppercase letter
- Contain at least 1 lowercase letter
- Contain at least 1 number
- Contain at least 1 special character
- passwords need changing every ninety (90) days.
- passwords must at least:
- Real-time protection anti-virus, anti-malware and anti-spyware software.
- Automatic software updates
- Employees are obligated in writing not to use information/data for other purposes
- A non-disclosure agreement is signed.