This is how we implement the new European General Data Protection Regulation, here at Boxcryptor.

Andrea Pfundmeier | CEO


Boxcryptor’s GDPR Journey Part 4: Dealing with Third Party Providers

Since May 25th, 2018, the new General Data Protection Regulation (GDPR) has applied to Boxcryptor and to all companies processing any personal data of EU citizens. This new provision of the European Union is fundamentally reshaping how personal data is processed within the EU. The amendment demands far-reaching changes and restructuring within companies. Surveys show that the GDPR is striking fear into many of the companies affected by this regulation.
We at Boxcryptor decided to see the GDPR as an opportunity rather than a threat. Therefore, Boxcryptor CEO Andrea Pfundmeier is going to report, in a multi-part series of articles, on how the new GDPR is implemented and applied at Boxcryptor.

Read the other parts of the series here:

Part 1 – Getting an overview (Steps 1-4)
Part 2 – Optimization of existing processes (Steps 5-8)
Part 3 – Internal implementation and external data protection officers
Part 5 – Encryption
Part 6 – Before GDPR is past GDPR

Step 9: Review of Third Party Providers

Third party providers are companies and services we depend on to manage our business. In the context of the new GDPR, the term applies to all providers processing personal data on our behalf. Here are some examples:

  • Mailchimp – email newsletter distribution
  • Onapply – web-based job application processing
  • Salesforce – invoicing and customer retention management
  • Dropbox – storage of company data

As described in step 2 (documenting processes), I have already compiled a complete list of third party services. Now every one of them has to be checked for GDPR compliance.
For this reason, I researched the providers’ websites for information on the status of their GDPR compliance measures. Some companies have been assiduous and are already providing extensive information on the matter, e.g. Mailchimp’s GDPR information page.
For the companies for which I was able to find all necessary information, I added a checkmark to my list. In all other cases I contacted the respective company and asked for a statement, using these questions:

  1. What is the current status of GDPR implementation?
  2. When will GDPR compliance be achieved?
  3. When will the company be able to send me the respective documents?

In some cases, the companies responded quite extensively; in others I was simply redirected to the legal department or received a date by which GDPR compliance is supposed to be achieved. I put the answers on my list and created templates for further requests so that I will not lose track in the future.

Third Party Providers and the External Data Protection Officer

In part 3 of our GDPR article series I also mentioned the appointment of an external data protection officer (DPO), despite not being legally obligated to do so. As CEO, I am in fact not allowed by law to take on this position. Furthermore, none of our employees has enough capacity to take on this responsibility. In addition, the necessary initial and follow-up training would probably cause a collapse of our current start-up structures. I also took into account the fact that internal DPOs cannot be dismissed, which is interesting information for some employers.

Supervision of service providers and the implementation of guidelines for commissioned data processing are part of the DPO’s work. In recruiting a DPO for our company, industry knowledge was a crucial criterion for me. For us as an IT company, it is essential that our service providers know our internal processes and the tools we work with. Furthermore, I need partners who are open-minded towards future innovations.

Apart from that, I consciously chose a regional DPO to keep personal contact as simple as possible. Short distances for training sessions and other appointments are really important to me – as is mutual trust. To see whether this develops throughout our collaboration, we initially agreed on a one-year contract.

As with many topics, having conversations with other entrepreneurs and exchanging experiences about external DPOs proves to be rather successful. By doing so, you will certainly receive valuable references.
