How is my personal information handled?

The law regulating the processing of personal information is called  GDPR (General Data Protection Regulation).

We follow this law and in this support article, we summarize frequently asked questions and make available links to relevant documentation and terms. If you have further questions we accept these via mail to support@oderland.se

Documents

• Policy document regulating our role as data controller of our client’s personal information
• Data Processing Agreement regulating our role as a processor of your stored unstructured data in our services such as databases, mail, and files
• General Terms of Service (TOS)
• Our gernal security measures at Oderland

 Is Oderland a data processor or a data controller?

• We are data controllers － of the personal information we collect on you as a client.
• We are data processors － of the personal information in the form of data you store in our services such as files, databases, and mails. (Processing type is storing the data.)

Does Oderland store my credit card information?

No, we do not store that information but instead, it is stored with our world-leading credit card payment partner Stripe.

Can Oderland sign our sub-processor agreement?

No that should not be necessary because processing and sub-processing DPA (Data Processing Agreement) is integrated in our General Terms of Service (TOS) in §12. This DPA is designed to cover the extent of responsibility we can take for our clients in a standard hosting service.

Also, our experience is that clients with their own DPA have far-stretching demands on how to handle specific data they store in what we see as unstructured data in our services. Since much of the security on how this data is stored and accessed is outside of our control signing such a DPA as a general hosting company would not be feasible. You will have to use our documentation above and make your assessment and case that you meet the requirements of the GDPR law.

How do I sign the agreement? 

The DPA (Data Processing Agreement) is integrated into our General Terms of Service (TOS) in §13 and is accepted simultaneously as you accepted the TOS.

Can I give you instructions as a client? 

Yes, you have the legal right to demand we use your instructions instead of our preprinted instructions, that we have developed, as an attachment to the DPA. However, our instructions usually cover the needs of our clients to comply with the GDPR. Yet again extra instructions on the specific processing of personal information in your application hosted in our services are probably impossible for us to guarantee and most likely we cant offer the service you need. You are free to send your instructions you wish we honor to support@oderland.se. If the instructions need to be reviewed by lawyers, Oderland will be entitled to compensation for this. However, we will ask the client first before sending them for review.

How do you handle logs, broken hard drives and backups? 

Server logs for access, errors and firewall are automatically deleted after three months. We have confidentiality agreement that cover hard drives that need to be returned to suppliers and we also write over the data on the disk before it is shipped. Backups is retained for three months, in order to be able to proceed with our agreement with a customer, and then automatically deleted.

How is visitor statistics processed?

In our web hosting services, visitor statistics automatically store through functions in the cPanel. Some statistics are stored for a day and one other part, in a more anonymous form, is stored long term through AWstats.
Please note that you may need to inform your visitors about this. For more information regarding this, please refer to the The Swedish Authority for Privacy Protection (IMY).

Can I store any kind of personal information in your services?

We have done our best to meet the demands GDPR has put on us. You can read about this in our agreement that you will find at the bottom of this article as an attachment. What you choose to store in our services and how you store it is difficult for us to control, we only provide the platform that is GDPR-adapted.

It is still possible to store personal data incorrectly in our platform despite this. If you are unsure of the requirements for you and how to meet them in our services, we recommend that you contact the Data Inspectorate or lawyers who specialize in your industry. For example review our agreements and provide your with supplementary attachment with instructions, if this would be necessary.

How should I handle the storage of email?

Your email often contains personal information and should therefore also be treated in the same way as other personal information you store in our services. IMY has a good guide here on how to reason around this.

How can I follow GDPR in WordPress? 

Here are some layman low hanging GDPR fruits regarding WordPress:

• Use a hosting company with a Policy and DPA for handling personal data in accordance with GDPR. Like Oderland!
• WordPress includes a draft for a Privacy Policy you can complete in Pages and activate under Settings so it is displayed for visitors.
• WordPress has features to comply with the rights of the data subjects like exporting and deletion of personal information under Tools.
• Activate an SSL certificate for your site and make sure WordPress uses it. 
• Install a cookie policy plugin to inform and get consent for tracking.

How do I encrypt personal information? 

Encrypting information may mean different things and you must judge for yourself how you can use the technical capabilities our services offer to best protect your customers personal information.

• Encrypt the traffic to the page by enabling SSL/TLS.
• Get your customers and employees to use SSL/TLS in their email clients when they connect to the email server. How to enable SSL/TLS, please check the instructions for each email client. If you are using web mail, you only need to make sure that the page’s URL (web address) begins with https:// and has a padlock in the address bar. At Oderland, the right ports to use with SSL/TLS encrypted email traffic are: IMAP 993 | SMTP 465 | POP 995
• Consider encrypting your email further, with PGP for example. However, this can be technically difficult, and it might be easier to communicate with your customers through a CRM system they can login to on your site.
• We also support encryption in many other situations like SSH and SFTP.
• You can choose to use 2FA (Two-factor authentication) to login to the Client Area. You enable this through the security settings under your account, which allows you to use Google Authenticator (Android / iOS) to sign in. Do you combine this by consistently using the direct login from the Client Area to cPanel and switching to a secure password for the cPanel that is never used again, you have a subset for 2FA for the cPanel.

What do I need to do more to follow GDPR? 

Great, you use Oderland that complies with GDPR through our policy, DPA and instructions for managing personal information, but that’s only part of the answer. You also need to think of a lot of other things:

• That you review IMY’s Checklist and read through the full summary of the basic principles of GDPR.
• Update your agreements and policies.
• Update your routines and systems.
•  Keep your customers informed and protect their personal information.

Protecting personal information is a major issue and the Privacy Authority (formerly Data Inspection) has an excellent site where you can find answers to most common questions regarding GDPR.

Can I send my questions about GDPR to Oderland? 

For questions concerning Oderland’s processing of personal data and adaptation to GDPR, please contact us at support@oderland.se, and we will answer your questions. These types of questions are better to discuss through email than over the phone, as it is sometimes necessary for us to go through our agreements and research the Data Inspections website to be able to give you the best answer possible.