General Data Protection Rules

3DPrinterOS cheat sheet v1.1

This document was last updated on 16 May 2018.

Customer rights

Right to access their personal data

What you need to do: Clients have the right to access the data your organization is collecting and processing about them. Before providing the data, however, you must verify the client's identity.

How 3DPrinterOS handles it: Clients can see all the data 3DPrinterOS holds about them on the Profile settings page (public data and general data) and under Profile settings page -> Personal Data management block -> Change promotion data button.

Right to be forgotten

What you need to do: Clients have the right to request that organizations forget all the personal data collected about them, unless the company is obliged by law to keep the information. For example, telecom companies are obliged to keep data about SMS messages - who sent it, to which number, and what the SMS content was - for 5 years, as required under the EU Terrorism Prevention Act.

How 3DPrinterOS handles it: 3DPrinterOS users can withdraw all personal data collected about them from processing on the Profile settings page by clicking the "delete my personal data stored in system" button and selecting which personal data they want to delete. To delete general personal data (email and IP addresses, which are kept for security reasons) and the account itself, the user should write to support.

Right to object to the processing of their personal data

What you need to do: Consent is required to provide services to clients and for any other associated activities. While consent may be revoked for certain activities (such as newsletters), the service provider still has a right to process data if the client resumes use of the service, but only to the extent needed to provide the service. If a client requires all data handling to be stopped, they need to be informed that processing is needed in order to continue providing the service, and that otherwise no service will be given.

How 3DPrinterOS handles it: All information describing how and why we use personal data is set out in our Privacy Policy, Terms of Use, and Data Handling Policy. The client must review and accept the terms in these documents before using 3DPrinterOS services.

Right to export personal data

What you need to do: You must be able to verify the customer before providing data. When data is exported from your organization to another, it must be encrypted and moved through secure channels.

How 3DPrinterOS handles it: Users can request all personal data 3DPrinterOS stores about them via Profile settings page -> Personal Data management block -> Request my personal data stored in system button; the download of a .csv file then starts automatically. (actual)

Organization responsibilities

Protect personal data using appropriate security practices

What you need to do: Protect personal data using appropriate security practices. Make sure that all third parties you are working with do the same and are compliant with GDPR.

How 3DPrinterOS handles it:

3DPrinterOS has:

Notify authorities within 72 hours of breaches

What you have to do: You must have appropriate monitoring tools in place to understand what is happening with your data, so that you can notify the right people at the organization that a breach may have occurred. Firms have 72 hours from the time a breach occurs to notify the authorities.

How 3DPrinterOS handles it: We have built-in detective and protective controls with an alerting system that provides real-time analysis of security alerts generated by applications and network hardware.

Receive consent before processing personal data

What you have to do: When requesting consent, be clear about the data collected, how and where it will be used, and the reasons for its use. Consent as defined under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual's wishes. There must be some form of clear affirmative action, in other words a positive opt-in; consent cannot be inferred from silence, pre-ticked boxes, or inactivity.

How 3DPrinterOS handles it: We do not use pre-ticked boxes, and we have reviewed our Privacy Policy and Terms of Use. We will prompt our existing customers through 3DPrinterOS to read our Terms of Use, Privacy Policy, Data Handling Policy and this document, confirm that they understand them, and revoke consent to process data if they do not want 3DPrinterOS to process their personal data.

Keep records detailing data processing

What you need to do: GDPR does not mandate that this be documented; keeping records could be done in your head or in notes jotted down somewhere. However, if auditors come, you must be able to demonstrate or explain your organization's data processing procedures.

How 3DPrinterOS handles it: 3DPrinterOS has a Data Handling Policy. It clearly states how data is processed and secured by the firm. We also keep an internal register of consents in which every consent a user gives or revokes is logged.

Provide clear notice of data collection and outline processing purposes and use cases

What you need to do: Clearly state in your cookie policy, privacy policy, and Terms of Use how and what data is collected, and for what purposes it is used (whenever data is being collected).

How 3DPrinterOS handles it: We have made it all crystal clear in our Privacy Policy, Terms of Use and Data Handling Policy.

Define data retention and deletion policies

What you need to do: Make clear in your privacy policy how data is stored, and when and what data will be deleted when a customer insists on it.

How 3DPrinterOS handles it: We have included this in our Privacy Policy. Data is stored for an indefinite period unless otherwise instructed by a customer.

Train privacy personnel & employees

What you need to do: Train your team on this topic. Explain the current situation and what is changing in May, as well as how to behave in certain situations.

How 3DPrinterOS handles it: Our DPO attended several trainings on GDPR and consulted several experts in the subject matter. Then we took one day out of the office with our entire team. We discussed compliance, with the compliance team providing an overview of the laws. The compliance team answered all questions, described the tools we use and the impactful changes, and followed up on unanswered questions in the following weeks.

Audit and update data policies

What you need to do: Make sure that your Terms of Use, privacy policy, cookie policy, agreements, and other documents are in accordance with GDPR. (Check out the 3DPrinterOS documents at 3dprinteros.com/GDPR to get a better overview.)

How 3DPrinterOS handles it: We have made all the needed changes in our Privacy Policy, Terms of Use and other documents to bring them into line with GDPR.

Employ a data protection officer (for larger organizations)

Let's clarify the DPO: A data protection officer (DPO) is an enterprise security leadership role required by the General Data Protection Regulation (GDPR). Data protection officers are responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements. If you are a small company, then you do not need to hire someone to fill this role. The same job can be done by the CEO or someone with authority.

How 3DPrinterOS handles it: Our CTO, Anton Vedeshin, is also our DPO.

Create & manage vendor contracts

What you need to do: As your firm processes the data from the customers’ perspective, partner compliance is your responsibility. Understand if your partners are GDPR compliant, as it puts your firm at risk if they are not.

How 3DPrinterOS handles it: Our documents and contracts are created, improved on, and managed by our legal team.