From 2018-05-25 it is mandatory for companies that process the personal data of people within the EU to comply with the General Data Protection Regulation (GDPR).

It is up to the company that is the data controller (you) to document compliance, but as a service to you as a customer we have chosen to provide the following assistance:

  • A contract that documents your compliance when using KeepTrack services
  • Changes to our services in order to ensure compliance
  • A short list of headlines and bullet points to get you started on your own work with the GDPR

The only change you will see in our services is that the Terms of Sale (TOS) will be more visible to your customers, as they have to actively accept them. It is in your own interest to make sure your TOS are fully updated before May 25th. Just send the updated version to Support and they will update them in your online booking.

What is this GDPR all about?

The GDPR is about securing some form of privacy for you and me, and that puts restraints on what data companies may handle and how they may handle it. Below you get four main areas in bullet form; from there it is up to you to take over.

Primary questions and user rights

  • Is the data relevant for the business? If the answer is 'No', you cannot collect or store it.
  • Do you really need the data? If the answer is 'No', you cannot collect or store it.
  • What is the time frame for storing the data?
  • What is the 'Death Date' for the data, and how will you ensure destruction when it is no longer needed?
  • The user might have to actively give consent (see below), even for publicly available data.
  • The user has a right to access their data. In practical terms this means a user can ask for the data and you have to deliver it in an easily readable form.
  • The user has a 'right to be forgotten'. That means destruction or anonymization of the data upon request. Note that this can be overridden by other regulations such as tax and bookkeeping law (see below).

Legal grounds for lawful processing of data

Companies are often confused about this part and therefore seek consent, which is only one of six legal grounds for data processing, and the least attractive one for the company (and sometimes even for the customer), since consent can be withdrawn at any time.

So let us establish a fact: you do NOT need consent if your processing falls under ANY of the other five legal grounds.

These are the six legal grounds, ordered by relevance for the vast majority of our users:

  1. Contractual necessity
  2. Legal obligations
  3. Legitimate interests
  4. Consent (usually only needed for unrelated marketing, and in those cases only for sending the marketing, not for the actual data, which is processed under one of the grounds above)
  5. Public interests (not relevant)
  6. Vital interests (not relevant)

Please seek more detailed information on the legal grounds elsewhere.

What data are we talking about?

For most companies the GDPR concerns two kinds of data: 'Personal' data and 'Special' categories of personal data. If you can stick to 'Personal' data, it will ease your work on preparing for the GDPR.

Usually companies collect data on customers and staff, but be sure you have included all possibilities. Also note that, as a rule of thumb, all health data is considered special, and for instance registering a staff member's membership of a trade union is considered special data.

Here follow examples of what should be Personal data (items marked with * can be either Personal or Special). Note that this list does not consider compliance with other regulations.

  • Sex
  • Name
  • Address
  • Birthday
  • IP address (IPv4 or IPv6)
  • Phone
  • Email
  • Credit card
  • Bank account
  • Family relations
  • Notes
  • Profile image
  • Contact persons
  • Absence/attendance
  • Contract*
  • Tax information*
  • Employee Development Program*

Where do you store/use data?

The fewer places you store data, the easier it is to keep it under control. Typical places to check:

  • E-mail
  • Paper
  • PCs/laptops
  • In-house servers
  • Dropbox and other cloud storage
  • Google Drive
  • Smart phones
  • Third party with access control
  • Third party without access control
  • Website

Who is handling your data?

Make a list of everybody with access to your data:

  • Management
  • Trusted staff
  • Staff
  • Public
  • Others?
  • The data subject themselves
  • Third parties
    • Salary
    • Bookkeeping
    • Auditing
    • Payments
    • CRM
    • External IT
    • Internal IT

DISCLAIMER

This article comes with absolutely no guarantee that it is correct or complete, or that it applies in any way to your business.

Always seek professional legal assistance on this topic.