This article is also available in Swedish.
The GDPR (General Data Protection Regulation) is the law that replaces the Personal Data Act (PUL) and regulates the processing of personal information from 2018-05-25. Here is an animated page from the European Commission that summarizes the GDPR. Perhaps the most important changes are the rights of a person whose personal data has been registered (you are welcome to email us if you need to invoke one of those rights and do not know how to do it in our systems).
We have gathered some answers to the most common questions about GDPR that we get. At the bottom of this article you will find our policies, agreements and attachments. See also our user agreement and how we handle security.
Note that we keep track of how, where and when your personal information is stored with us and our suppliers. Oderland will delete or anonymize any personal information stored with us and our suppliers when we no longer need it to deliver our services.
Is Oderland a data processor or a data controller?
Oderland is the data controller for the personal information we collect from you as a customer. For the personal information you store in our services, however, you are the data controller and Oderland is the data processor. You need to ensure that you meet your own legal requirements for processing personal data.
Can Oderland sign our sub-processor agreement?
Unfortunately we are not able to sign a unique sub-processor agreement with each customer. However, our lawyers have developed a DPA (Data Processing Agreement), which is also formulated to serve as a sub-processor agreement, that is now an integral part of our standard agreement and is adapted to the GDPR and the services we offer. Together with our standard agreement, personal information policy, attachment with instructions and description of how we handle security in general, this lets you assess whether we meet your requirements.
How do I sign the agreement?
The DPA (Data Processing Agreement) is an integral part of our user agreement pursuant to section 13 of the user agreement and section 1.1 of the DPA, so it applies to all of our customers automatically unless otherwise negotiated.
Can I give you instructions as a customer?
Yes, you have the legal right to replace the preprinted instructions that we have developed as an attachment to the DPA. In practice, our instructions usually cover what our customers need to comply with the GDPR. You can send your instructions to email@example.com, and we will be glad to set up a customized service for you. If the instructions need to be reviewed by lawyers, Oderland is entitled to compensation for this; we will always ask the customer before sending them for review.
How do you handle logs, broken hard drives and backups?
Server logs for access, errors and the firewall are automatically deleted after three months. We have confidentiality agreements that cover hard drives that need to be returned to suppliers, and we also overwrite the data on the disk before it is shipped. Backups are retained for three months, so that we can fulfil our agreement with a customer, and are then automatically deleted.
How is visitor statistics processed?
In our web hosting services, visitor statistics are stored automatically through functions in cPanel. Some statistics are stored for a day, and another part, in a more anonymous form, is stored long term through AWStats.
Please note that you may need to inform your visitors about this. For more information regarding this, please refer to the Data Inspection.
Can I store any kind of personal information in your services?
We have done our best to meet the demands the GDPR places on us. You can read about this in our agreement, which you will find at the bottom of this article as an attachment. What you choose to store in our services, and how you store it, is difficult for us to control; we only provide the platform, which is adapted to the GDPR.
Despite this, it is still possible to store personal data incorrectly on our platform. If you are unsure of the requirements that apply to you and how to meet them in our services, we recommend that you contact the Data Inspectorate or lawyers who specialize in your industry. They can, for example, review our agreements and provide you with a supplementary attachment with instructions, if that is necessary.
How should I handle the storage of email?
Your email often contains personal information and should therefore be treated in the same way as the other personal information you store in our services. The Data Inspectorate has a good guide here on how to reason about this.
How can I follow GDPR in WordPress?
How do I encrypt personal information?
Encrypting information can mean different things, and you must judge for yourself how to use the technical capabilities our services offer to best protect your customers' personal information.
- Encrypt the traffic to the page by enabling SSL/TLS.
- Get your customers and employees to use SSL/TLS in their email clients when they connect to the email server. To enable SSL/TLS, check the instructions for each email client. If you are using webmail, you only need to make sure that the page's URL (web address) begins with https:// and that there is a padlock in the address bar. At Oderland, the right ports to use for SSL/TLS-encrypted email traffic are: IMAP 993 | SMTP 465 | POP 995
- Consider encrypting your email further, with PGP for example. However, this can be technically difficult, and it may be easier to communicate with your customers through a CRM system they can log in to on your site.
- We also support encryption in many other situations like SSH and SFTP.
- You can choose to use 2FA (two-factor authentication) to log in to the Client Area. You enable this through the security settings under your account, which lets you use Google Authenticator (Android / iOS) to sign in. If you combine this with consistently using the direct login from the Client Area to cPanel, and switch to a secure cPanel password that is never used anywhere else, you have a substitute for 2FA for cPanel.
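The mail-port advice above can be verified from the client side. The following script is an added example, not Oderland's own code: it opens an implicit-TLS connection to each of the ports listed (IMAP 993, SMTP 465, POP 995) with full certificate and hostname verification, and reports the negotiated protocol and certificate expiry, so an administrator can confirm that clients will actually get an encrypted, authenticated session. The hostname mail.example.com is a placeholder.

```python
import socket
import ssl
import sys

# Implicit-TLS mail ports named in the article.
MAIL_TLS_PORTS = {"IMAP": 993, "SMTP": 465, "POP": 995}


def check_tls_endpoint(host, port, timeout=5.0):
    """Connect with implicit TLS and verify the server certificate.

    Returns a dict describing the outcome and never raises, so a single
    misconfigured port does not abort the whole check.
    """
    # Default context verifies the CA chain and the hostname (SNI + SAN).
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy protocols
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                subject = dict(rdn[0] for rdn in cert.get("subject", ()))
                return {
                    "ok": True,
                    "protocol": tls.version(),
                    "common_name": subject.get("commonName"),
                    "not_after": cert.get("notAfter"),
                }
    except ssl.SSLCertVerificationError as exc:
        # Chain or hostname mismatch: clients must NOT ignore this.
        return {"ok": False, "error": "certificate verification failed: "
                + exc.verify_message}
    except (ssl.SSLError, OSError) as exc:
        # Port closed, timeout, or no TLS on this port at all.
        return {"ok": False, "error": f"{type(exc).__name__}: {exc}"}


def check_mail_host(host):
    """Run check_tls_endpoint against every port in MAIL_TLS_PORTS."""
    return {name: check_tls_endpoint(host, port)
            for name, port in MAIL_TLS_PORTS.items()}


if __name__ == "__main__":
    # Placeholder host; pass your real mail server name as the argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"
    for service, result in check_mail_host(target).items():
        print(f"{service:5} {MAIL_TLS_PORTS[service]:4} {result}")
```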
What do I need to do more to follow GDPR?
Great, you use Oderland, which complies with the GDPR through our policy, DPA and instructions for managing personal information, but that is only part of the answer. You also need to think of a lot of other things:
- Review the Data Inspection checklist and read through the full summary of the basic principles of the GDPR.
- Update your agreements and policies.
- Update your routines and systems.
- Keep your customers informed and protect their personal information.
Protecting personal information is a major issue and the Privacy Authority (formerly Data Inspection) has an excellent site where you can find answers to most common questions regarding GDPR.
Can I send my questions about GDPR to Oderland?
For questions concerning Oderland's processing of personal data and adaptation to the GDPR, please contact us at firstname.lastname@example.org and we will answer your questions. Questions of this kind are better discussed by email than over the phone, as we sometimes need to go through our agreements and research the Data Inspection's website to give you the best possible answer.