Every organization that processes personal data has to comply with the General Data Protection Regulation (GDPR). Below, we explain how we at Castor EDC comply with the GDPR obligations that apply to us.
Castor EDC and all of our employees are fully aware of the risks attached to the sensitive personal data we process on behalf of our customers. For this reason, we take security very seriously and have appointed a data protection officer (that’s me!). In addition, we have built our software so that our customers can also fulfil their own GDPR obligations.
Information obligation & consent
Rights of the data subjects
Under the GDPR, data subjects have several rights (for example, the right to access their personal data, or to have it rectified). Because our services are built on the ‘privacy by design’ principle, our customers are able to respond to requests from data subjects who exercise their rights under the GDPR. Our support desk is on standby should a customer need help in handling such a request, and our internal procedures ensure that our employees cooperate and respond within the time limits the GDPR imposes.
Records of processing activities
The GDPR also obliges organizations to keep a record of their processing activities. Castor EDC maintains a comprehensive record of processing activities that contains not only all the legally required items, but also the personal data flows of our customers and the contributions made by each of our suppliers. We have chosen to make our relationships with our customers and suppliers explicit, so that we know exactly where our responsibilities end and those of our suppliers begin, and so that we can monitor our suppliers strictly.
Data processing obligations
When we process personal data on behalf of our customers, we are obliged to set out in writing how that personal data is to be processed. Our general terms and conditions contain the rights and obligations needed to ensure that both we and our customers comply with the GDPR. Depending on the type of services provided, a separate Data Processing Agreement (DPA) is concluded where necessary, so that personal data is always processed with care and in line with the GDPR. Some of our suppliers also act as sub-processors of our customers’ personal data. In those cases, we agree the necessary rights and obligations with those suppliers to ensure that the GDPR is complied with.
Technical and organizational measures
Castor EDC takes security very seriously. We have implemented strict technical and organizational security measures and are ISO 27001 and ISO 9001 certified. Under our internal security rules, all our employees use strong passwords and two-factor authentication wherever possible. All communication with our services is encrypted using TLS, and we enforce HTTP Strict Transport Security (HSTS) so that browsers only ever connect to our services over HTTPS. Our employees also use their equipment securely (for example, always locking their computers when they leave their desks). Should something nevertheless go wrong and a personal data breach occur, we have strong technical and organizational procedures in place to respond rapidly. These allow us to contain the breach as quickly as possible, to take prompt measures that minimize its consequences, and to inform our customers without undue delay.
Regularly testing, assessing and evaluating security measures
One of the requirements for adequate security measures is that they are regularly tested, assessed and evaluated. Given the market in which Castor EDC operates, we are constantly strengthening our security and our organization by obtaining new certifications and hiring the best professionals. This continuous cycle of testing and improving our security measures is also an integral part of our ISO 27001 and ISO 9001 certification.
Privacy impact assessments (PIAs)
Whenever we intend to use new technologies to process our customers’ personal data, we perform a PIA (known under the GDPR as a data protection impact assessment, or DPIA). If one of our customers wishes to perform a PIA on one of our services, we gladly assist by providing all the information they need. So, if this blog has made you curious about one of our services, or you would like more information, please let us know!