The General Data Protection Regulation (GDPR) takes effect on 25 May 2018. The main goal of the GDPR is to regulate how organisations handle personal data and to protect the privacy of citizens of the European Union. The GDPR applies to all companies that do business with EU citizens or process the data of EU citizens, regardless of where the company processing that data is located. The GDPR therefore applies to Bio-ITech B.V. ("Bio-ITech"), and we are committed to protecting the privacy of our customers.
Bio-ITech as a Data Processor
Personal data is stored in our systems for every person with a registered account in one of the Bio-ITech software applications. The role of Bio-ITech as the supplier of the software depends on the chosen hosting solution. For end-users running Bio-ITech software in the Cloud or in a Private Cloud, Bio-ITech is regarded as the Data Processor under the GDPR. For organisations that host the application on a local server (a so-called On-Premise installation), Bio-ITech acts as a sub-processor: it only provides software updates and support and does not have direct access to the data.
How we protect your personal data
As a Data Processor, Bio-ITech has taken strict measures and implemented the required procedures to safeguard the data of its customers. As proof of this effort, Bio-ITech has been ISO/IEC 27001:2013 certified since 2016. A copy of the ISO/IEC 27001:2013 certificate can be downloaded at www.bio-itech.nl/quality-assurance.
The most important measures taken to protect personal data and to ensure the confidentiality, integrity and availability of the services provided by Bio-ITech as a Data Processor are:
- Secured communication via SSL encryption
- Periodic (every 24 hours) off-site encrypted data back-ups for disaster recovery, retained for up to 6 months
- Disaster recovery procedures
- Real-time system monitoring and logging
- Firewall and network configuration such that servers are not directly connected to the internet
- System maintenance including the installation of security patches
- Security features to protect system access, such as two-factor authentication and IP restriction
- Privacy features to block storage of personal information by end-users
- Confidentiality agreements as part of all employee contracts
- Access to systems by Bio-ITech employees on a need-to-access basis
Right to Access
The GDPR gives all EU citizens the right to access the personal data that others store about them. To provide full system functionality, the following minimal set of personal data is stored in Bio-ITech's software applications:
| Personal Data | Personal Data Type | Purpose |
|---|---|---|
| First Name | Regular | Together with the Last Name, used as display name in the system |
| Last Name | Regular | Together with the First Name, used as display name in the system |
| Organisation Email Address | Regular | Used to log in and to provide system functionality such as forgotten-password recovery, receipt of invitations, messaging and notifications |
| Group | Regular | Research group or department the user works in |
| Organisation | Regular | The organisation the user works in |
| IP address | Regular | Used for logging and for various security purposes (e.g. detecting hacking attempts, 2FA) |
| Password | Special | Used for authentication. Passwords are stored in the database in hashed form |
Right to be Forgotten
The GDPR gives each citizen in Europe the right to be forgotten. Because an essential function of our software products is to provide full traceability of data, removing personal data from the system would undermine the ability to track who stored data in the system. For that reason, our applications do not offer an end-user function to delete an account together with all of its personal data. To exercise your right to be forgotten and have all personal data of your account removed, please contact our customer care team, who will guide you through our formal data removal procedure. During this procedure, approval is requested from the organisation to which the system is licensed, so that Bio-ITech cannot be held accountable for any loss of data resulting from the removal.
All Bio-ITech software applications offer the option to export data. Depending on the data, end-users can export it as CSV, PDF or HTML. To structure the data in any other format, the software provides an Application Programming Interface (API).