Data protection and privacy
In May 2018 the GDPR entered into force, thus forcing all EU companies focus on ensuring safe and responsible handling of personal data. We at Twentyfour see this as a great change towards transparency and higher amounts of control for individuals in regards to their personal data.
The General Data Protection Regulation (GDPR) is EU’s initiative to protect its citizens’ personal data. It entered into force on May 25 2018. At first glance, GDPR might seem to generate an excessive amount of extra work for companies in order for them to comply to all these new rules, but the purpose of the GDPR is to ensure that the organization gets a better overview of the personal data being processed by the companies, as well as the purposes and legal basis for this processing.
That being said, the GDPR is nothing less than a jungle of rules. It’s complex, huge and a hassle. Many companies have a hard time grasping the scope of the new GDPR. This inspired us to create a simple overview of how we comply with the applicable data protection regulation, specifically after the introduction of GDPR and the new Danish Data Protection Act. This should make it easier for you, as a customer of Twentyfour, to understand and be comfortable with our approach.
Below, you’ll find a walkthrough of the important areas of how we handle data processing at Twentyfour.
When entering into an agreement with Twentyfour, which entails processing of personal data, you must accept the terms of our Data Processing Agreement.
The document containing the entire GDPR in full length can be found here: https://gdpr-info.eu/ and the guidelines from the Danish Data Protection Agency (Datatilsynet) can be found here https://www.datatilsynet.dk/generelt-om-databeskyttelse/vejledninger-og-skabeloner/.
As a Twentyfour customer
Twentyfour will always aim to develop according to GDPR standards (i.e. to comply with the “privacy by design”-requirement) and best practices for our customers, and to do our best to inform and help all customers to make the right decisions for their projects.
Our way of working with data can be divided into three areas
- Personal data handled on behalf of customers (E.g. when we host a website, run an integration or similar)
- Personal data about potential and existing customers, handled by us.
- Situations where we are asked for advice from customers on how they may consider data, security, GDPR and similar topics when buying a project or service from Twentyfour.
In the paragraphs below, you can read more about how we deal with #1 and #2 from the above list.
When it comes to #3 (Projects, where we’re hired as a contractor) and we are asked to give advice on security, regulation, GDPR or similar, you can expect us to always do our utmost to fulfil the task. We are, however, not able to provide legal counsel or to be liable for any damages or repercussions that might follow from a project, we’re building for a customer in accordance with the customer’s specifications and instructions, and we always recommend seeking legal counsel if a customer has questions relating to implementation of the GDPR, but we will of course contribute with technical input.
The responsibility for complying with relevant legislation is always the customer’s.
Data storage, services, and products
Twentyfour uses a Danish hosting company, Curanet A/S, as a subcontractor for most hosting services. Curanet’s servers are located in Denmark, meaning that Twentyfour’s customer data is placed and processed within the EU and Twentyfour has entered into a data processing agreement (a DPA) with Curanet in order to ensure that they comply with the GDPR whenever processing personal data on our behalf.
Exchange of data services
Twentyfour uses various systems integrations to exchange data on behalf of our customers and also for supporting internal business processes. Twentyfour keeps an overview of the systems involved in these integrations and ensures that the data flow between them is handled via a secure connection. When it comes to online systems Twentyfour, as a minimum, ensures that the integrated systems communicate via HTTPS, which is a transfer protocol encrypted by Secure Sockets Layer (SSL).
Twentyfour uses KOEBT, an integration platform used to exchange data between different systems, to handle most integrations. KOEBT is software that we have designed with privacy in mind and we strive to ensure that the data processed by the platform is secure.
Overview of Twentyfour’s products and services
Below is an overview of the most commonly products and services offered by Twentyfour.
|Product / service||Description|
|Hosting||Twentyfour offers hosting of their customer’s websites. Twentyfour’s servers are managed by a subcontractor – Curanet.|
|KOEBT||Twentyfour offers an integration platform called “KOEBT” which handles the exchange of data between various systems.|
|Update agreement||Twentyfour offers fixed maintenance agreements in order to keep customer’s website up to date and secure by minimizing potential security vulnerabilities.|
|Critical support agreement||Twentyfour offers critical support agreements to customer’s with business-critical solutions that require quick reaction times. Through such agreements, Twentyfour provides security and ensures business continuity for their customer’s.|
|Administration of third-party software and services||Twentyfour offers administration of third-party software and services related to the customer’s websites. This includes plugins, systems such as UniLogin, backup services and others.|
|Security packages||Twentyfour offers security optimization packages aimed at protection of customer’s solutions and any data associated with that. This is a recurring service where Twentyfour regularly checks on the state of security of customer’s solutions.|
Twentyfour uses a number of systems to support internal business processes and value creation for our customers. Some of the systems are acquired from third-party providers. The systems that Twentyfour uses to store data include, but are not limited to:
|Google Suite||E-mail service & document cloud storage|
|Pipedrive||Customer relationship management|
|Basecamp||Communication & project management|
|1Password||Secure password storage|
|TwentyFour||Project management & invoicing|
Read our Data Processing Agreement (DPA) for all details. Below, we’ve made a brief summary of how we handle data processing.
The data processing agreement is a part of our Terms and conditions.
Processing of personal data
When you start a project with Twentyfour, you agree to us processing your and your customers’ data when necessary. Twentyfour will only process the personal data, you are responsible for in accordance with your instructions.
At Twentyfour, the tasks are delegated to employees who are responsible for personal data while working on a project.
Storage and deletion of personal data
At Twentyfour, we ensure that personal data processed on behalf of the customer and is stored in a physically and digitally safe environment.
We ensure that any medium where personal data is kept is encrypted, password protected, protected from physical harm and theft by storing such mediums (e.g. servers) securely in locked rooms .
At Twentyfour, we further ensure that storage of personal data only takes place for as long as the personal data is relevant and necessary in accordance with the Data Processing Agreement in order to the perform the actions requested by our customer.
Further, all personal data processed by Twentyfour is secured by our backup-solution.
Access to personal data
Only employees whose tasks include processing of personal data have access to personal data.
We ensure that personal data is not disclosed or transferred to any third parties outside of Twentyfour. The employees at Twentyfour are obliged to comply with rules on non-disclosure in relation to third parties as well as other Twentyfour employees who have no work-related reason to know of the personal data.
All customers have the right to transfer all their data in a machine readable format (e.g. excel, .txt etc.) to another system if they so wish. Upon request, we will transfer all relevant data (that is not owned by Twentyfour) from our platforms to the customer.
Right to be forgotten
At Twentyfour it is always possible to use your right to be forgotten. Simply contact us on firstname.lastname@example.org if you are interested in having all data deleted.
The programs used at Twentyfour for deletion of personal data are carried out safely that ensure sufficient overwriting of the deleted data.
Privacy by design
The systems used at Twentyfour handles personal data securely. This means that all exchange of data are encrypted.
For instance, often developes data integration solutions through KOEBT (our integration platform) and to ensure security for our customers, data routed between the systems via KOEBT are encrypted.
Twentyfour will help you as much as possible in ensuring that the data is handled correctly and securely in all systems, but the customer is ultimately responsible for the design of and access to the system, as Twentyfour comply with the customer’s specifications.
In the majority of the cases, Twentyfour acts merely as the data processor for our customers in accordance with the Data Processing Agreement. Therefore, it is Twentyfour’s customers’ responsibility, as data controller, to carry out a risk assessment when the data processing is likely to result in a high risk to the rights and freedoms of natural persons. In some instances, a customer may be obligated to performing an impact assessment cf. art 35 of the GDPR, if the customer processes special categories of personal data (sensitive personal data) on a large scale.
If a customer is uncertain whether an impact assessment is necessary, we strongly advise that a legal expert is consulted.
In situations, where Twentyfour is the data controller, Twentyfour carries out a risk assessment in order to identify possible risks and establish necessary precautions aimed at personal data protection.
In case of a data breach, it is mandatory to inform the national personal data authority (Datatilsynet in Denmark) within 72 hours of becoming aware of the breach if the data breach entails a risk for the data subjects (e.g. your customers, employees, others) affected by the data breach. Further, the data subjects must also be informed directly without undue delay if at all possible, if a data breach results in risks that are not insubstantial for the data subject.
If Twenyfour discovers a data breach, Twentyfour will notify the relevant customers as fast as possible with as much relevant information as possible in order for you to assess the impact of the data breach for the data subjects.
SSL security and encryption
All systems used by Twentyfour run SSL to ensure secured and encrypted communication.
Secure communication from a web browser to a system is something you need to be aware of in your role as data controller. SSL (Secure Socket Layer) is shown as a little padlock in the browser when you visit websites secured with SSL. Without SSL, the padlock will be shown with a red line over, and the user will be shown a warning. Twentyfour will, if SSL has been bought, make sure to set up SSL, but you should ensure that all your other systems also use SSL as the weakest link in the chain decide the level of security in your set-up.
You are always welcome to contact us if you have any questions, concerns or thoughts in regards to data protection, regulation, GDPR or similar topics. We are here to help.
Feel free to contact us on email@example.com.